HJT Failed to run. "Invalid Picture" Error message

ford66 · 06-05-2006, 06:17 PM

OS:

XP Pro SP2

Observations:

Maxed out resource usage, Memory and CPU. Attempts to uninstall software results in the uninstall processes freezing indefinitely. Attemps to install software fail and return strange error messages. Examples:

When installing Java JRE:

Windows INstaller
"The Temp folder is on a drive that is full or is inaccessible. Free up space on the drive or verify that you have

write permission on the Temp folder."

Windows Defender:

Windows INstaller
"The Temp folder is on a drive that is full or is inaccessible. Free up space on the drive or verify that you have

write permission on the Temp folder."

Avast:

Setup Selfextract
"An error 82 (00000052) has occured. Last performed operation was: extracting main exe"

Spybot Search and Destroy:

Error
"setup was unable tocreate the directory "<path>" Error 82: The directory or file cannot be created"

I then tried running the online scanners suggest in the sticky for this forum topic, and they resulted inthe below error messages:

Online Scanners: (Errors occur after installing the ActiveX control)

Pandasoftware:

"An error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart

your system and try againPossible causes of this error are:

Not allowing the application's ActiveX control to be downloaded.

Problems with the Internet connection.

The error could be due to a download error or an installation error due to lack of hard disk space, privileges

etc.,... "

Computer Associates:
"Control failed to load. Are you using INternet Explorer 4.0 or above?"

BitDefender:
"Could not load the Online Scanner! Service Pack 2 was detected on this computer. Click on the information bar and

select "Install ActiveX Control.." [this was after clicking on the information bar, and then clicking on Install on

the following Internet Explorer - Security Warning pop up]

Symantec:
"Ton continue with Virus Detection, click the <icon> icon at the top of the page, and then click "Install ActiveX

Control'. If you don't see the icon at the top of the page, click here" [same behavior as the BitDefender online scanner]

I then dropped this machine's HD into a clean box, and ran a Avast preboot scan, as well as a Windows defender scan and Adaware scan. The preboot scan found trojans (don't have names, will find in avast scan logs and post them if requested) and the two spyware scans came up with hundreds of objects. When I put the HD back into its original box, I noticed an improved boot up time, but still could not install/uninstall software or run online scanners. Upon a second reboot, the taxed resource problem was just as bad as before dropping the hd into a clean system, and I surmise that the malware/adware simply reinstalled itself.

At this point I lurked on this forum for advice, and re-followed the steps in this topic's sticky. I am not able to run Hijackthis in either normal or safe mode. It returns this error message upon failure:

When installing HiJackThis:

HijackThis
"Invalid Picture"

I haven't found a solution to this error message. What is the best course of action?

Ried · 06-07-2006, 06:45 PM

Hello ford66 and welcome to RSF,

I'm not sure how much we can accomplish if you are unable to install programs or get HijackThis to run a scan.

This batch file will start HJT from the runonce key, so that is starts before lots of malware, let's see if we can get a scan.

Copy the bolded below into a new notepad document (not wordpad).
Click file> save as...> call it Hijackthis.bat > file types *all files*> and save it to desktop.

@echo off
cd\
echo REGEDIT4>Temp.reg
echo.>>Temp.reg
echo [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\RunOnceEx]>>Temp.reg
echo "Flags"=dword:00000008>>Temp.reg
echo [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\RunOnceEx\000]>>Temp.reg
echo "runonce"="\"\\!HJT.bat\"">>Temp.reg
echo.@echo off>!HJT.BAT
Echo.echo Hijackthis will open before the windows desktop>>!HJT.BAT
echo.echo Scan and Fix only what your forum adviser suggested>>!HJT.BAT
echo pause>>!HJT.BAT
echo.start hijackthis.exe>>!HJT.BAT
echo.echo ONLY when finished with hijackthis close it and,..>>!HJT.BAT
echo pause>>!HJT.BAT
echo.del Temp.reg>>!HJT.BAT
echo.CLS>>!HJT.BAT
echo.exit>>!HJT.BAT
regedit.exe /s Temp.reg
echo Please restart your PC now
Echo Just before the desktop loads Hijackthis will open,
echo Scan and Fix only what your forum adviser suggested
pause
CLS
exit

Run Hijackthis.bat then restart your PC.
Hijackthis will open before the desktop loads. Run a scan with HijackThis and save the log to post here.

Also, please do provide the results of the Avast log, it may prove useful.

ford66 · 06-07-2006, 07:25 PM

Thank you for the response.

I am currently not near the infected box at the moment, so I can't try the batch file you posted, but I can post the Avast pre-boot log. Here it is:

06/01/2006 21:02
Scan of D:\
File D:\WINDOWS\system32\hp708B.tmp\[Upack] is infected by Win32:Zlob-AF [Trj], Deleted
File D:\WINDOWS\Temp\sa875.exe is infected by Win32:Adware-gen. [Adw], Deleted
File D:\Documents and Settings\STEVE\Local Settings\Temp\sa770.exe is infected by Win32:Adware-gen. [Adw], Deleted
File D:\Documents and Settings\STEVE\Local Settings\Temp\sa7A6.exe is infected by Win32:Adware-gen. [Adw], Deleted
File D:\Documents and Settings\STEVE\Local Settings\Temp\sa875.exe is infected by Win32:Adware-gen. [Adw], Deleted
File D:\System Volume Information\_restore{71130F36-CD78-4E64-A96B-A2B4AA0DCE2F}\RP687\A0092684.exe is infected by Win32:Adware-gen. [Adw], Deleted
File D:\System Volume Information\_restore{71130F36-CD78-4E64-A96B-A2B4AA0DCE2F}\RP687\A0092685.exe is infected by Win32:Adware-gen. [Adw], Deleted
File D:\System Volume Information\_restore{71130F36-CD78-4E64-A96B-A2B4AA0DCE2F}\RP687\A0092686.exe is infected by Win32:Adware-gen. [Adw], Deleted
File D:\System Volume Information\_restore{71130F36-CD78-4E64-A96B-A2B4AA0DCE2F}\RP687\A0092687.exe is infected by Win32:Adware-gen. [Adw], Deleted

Scan of E:\

Number of searched folders: 4854
Number of tested files: 148705
Number of infected files: 9

Ried · 06-07-2006, 08:05 PM

Hi ford66,

That log was most helpful.

I will give you the complete fix. I realize you are having difficulties installing programs so I've revised it a bit to accomodate that current predicament.

There are no guarantees this will fix your system completely as I haven't seen Smitfraud cripple a system to such an extent before. I've a feeling there's a bit more going on in your system, but let's give this a go and see where we're at.

Please copy this page to Notepad and save it to your desktop for reference.

Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

*************************************************

Clear your Temp and Temporary Internet Files: Go to Start > Run and type cleanmgr in the box. Let it scan your system for files to remove. Make sure Temporary Internet Files and Temporary Files checked' and click OK. **Note** Based on your description of error messages, this may take quite a while to complete. My purpose for emptying this now, is to hopefully clear enough to enable the downloading and installation of Ewido.

Please download SmitfraudFix (by S!Ri)

Extract the content (a folder named SmitfraudFix) to your Desktop.

Please download the trial version of Ewido anti-malware from here:
http://www.ewido.net/en/download/

Install Ewido anti-malware.
When installing, under Additional Options uncheck Install background guard and Install scan via context menu.
When you run Ewido for the first time, you could get a warning "Database could not be found!". Click Ok.
The program will prompt you to update. Click the Ok button.
The program will now go to the main screen.

You will need to update Ewido to the latest definition files.

On the left-hand side of the main screen click the Update Button.
Click on Start.
The update will start and a progress bar will show the updates being installed.

Once finished updating, close Ewido.

If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates. Make sure to close Ewido before installing the update.

**NOTE** If Ewido will not install, please continue with the remainder of the instructions.

--------------------------------------------------

Reboot your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

______________________________

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : " Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Clean out your Temp and Temporary Internet files again, following the same instructions I gave you at the beginning of my post.

---------------------------------------------------------------------------------------------

Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:
· "Security Info"
· "Warning Message"
· "Security Desktop"
· "Warning Homepage"
· "Desktop Uninstall"

Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

______________________________

**Note** IF you were able to sucessfully install Ewido:

Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan.

Click on Scanner
Click on Settings
- Under How to scan all boxes should be checked
- Under Unwanted Software all boxes should be checked
- Under What to scan select Scan every file
- Click on Ok
Click on Complete System Scan to start the scan process.
Let the program scan the machine.

If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.

Click Save Report button
Save the report to your Desktop

Close Ewido and Reboot in Normal Mode.
______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
______________________________

Once you reboot......

Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.

Click on see report. Then click Save report

______________________________

Run a new HijackThis scan. Save the log file and post it here.

Then post the following logs in your next reply...

Ewido log
C:\rapport.txt (log from the tool)
Panda log
Hijackthis log

ford66 · 06-07-2006, 11:14 PM

Ewido Log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:40:33 PM, 6/7/2006
+ Report-Checksum: BEB743FD

+ Scan result:

HKLM\SOFTWARE\Classes\Interface\{2BD8B6D2-6078-3AFC-AC19-ABE776516DC1} -> Adware.MidAddle : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2BD8B6D2-6078-3AFC-AC19-ABE776516DC1}\ProxyStubClsid -> Adware.MidAddle : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2BD8B6D2-6078-3AFC-AC19-ABE776516DC1}\ProxyStubClsid32 -> Adware.MidAddle : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2BD8B6D2-6078-3AFC-AC19-ABE776516DC1}\TypeLib -> Adware.MidAddle : Cleaned with backup
HKLM\SOFTWARE\Classes\SiteHlpr.SiteHlprObj -> Adware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\SiteHlpr.SiteHlprObj\CLSID -> Adware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\SiteHlpr.SiteHlprObj\CurVer -> Adware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\SiteHlpr.SiteHlprObj.1 -> Adware.VX2 : Cleaned with backup
HKU\S-1-5-21-3656001625-1156631218-4251244882-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E0103CD4-D1CE-411A-B75B-4FEC072867F4} -> Trojan.Puper.ac : Cleaned with backup
C:\WINDOWS\cpbrkpie.ocx -> Adware.Coupons : Cleaned with backup
C:\Documents and Settings\STEVE\Local Settings\Temp\Cookies\steve@data3.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\STEVE\Local Settings\Temp\Cookies\steve@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\STEVE\Local Settings\Temp\Cookies\steve@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\STEVE\Local Settings\Temp\Cookies\steve@data4.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\STEVE\Local Settings\Temp\Cookies\steve@americanexpress.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\STEVE\Local Settings\Temp\Cookies\steve@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\STEVE\Local Settings\Temp\Cookies\steve@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\STEVE\Local Settings\Temp\Cookies\steve@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\STEVE\Local Settings\Temp\Cookies\steve@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\STEVE\Local Settings\Temp\Cookies\steve@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@oxcash[2].txt -> TrackingCookie.Oxcash : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@programs.wegcash[1].txt -> TrackingCookie.Wegcash : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@oxcash[1].txt -> TrackingCookie.Oxcash : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@www.web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@yadro[2].txt -> TrackingCookie.Yadro : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@cz8.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@programs.wegcash[3].txt -> TrackingCookie.Wegcash : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@image.masterstats[2].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@server3.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@www.web-stat[3].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@data4.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@webstat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@adopt.specificclick[3].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@cz5.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@cz9.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@image.masterstats[3].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@cz5.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@programs.wegcash[4].txt -> TrackingCookie.Wegcash : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@data2.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@c.enhance[2].txt -> TrackingCookie.Enhance : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@ehg-findlaw.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@sec1.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@yadro[4].txt -> TrackingCookie.Yadro : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@northwestairlines.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@www.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@e-2dj6wjnyepdjsep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@buildabear.122.2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@tracking.g3x[1].txt -> TrackingCookie.G3x : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@yadro[3].txt -> TrackingCookie.Yadro : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@gateway.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@hertz.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@sec1.liveperson[3].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@ehg-mastercard.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@eztracks.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@getmusicfree.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@opodo.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@ehg-findlaw.hitbox[3].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@sales.liveperson[4].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@adopt.specificclick[4].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@www.burstbeacon[3].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@americanexpress.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@adopt.specificclick[6].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@sec1.liveperson[4].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@ads43.bpath[1].txt -> TrackingCookie.Bpath : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@nbcuniversal.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@www.res99[1].txt -> TrackingCookie.Res99 : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@data4.perf.overture[3].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\STEVE\Cookies\steve@data3.perf.overture[3].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq963C.tmp -> TrackingCookie.2o7 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq964B.tmp -> TrackingCookie.2o7 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq965A.tmp -> TrackingCookie.2o7 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq9668.tmp -> TrackingCookie.2o7 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq9677.tmp -> TrackingCookie.2o7 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq9684.tmp -> TrackingCookie.Atdmt : Cleaned with backup

::Report End

Rapport.txt:

SmitFraudFix v2.55

Scan done at 20:40:16.90, Wed 06/07/2006
Run from C:\Documents and Settings\STEVE\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F}"="Security Update"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\DOCUME~1\STEVE\FAVORI~1\Antivirus Test Online.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Panda Log:

Incident Status Location

Adware:adware/quicksearch Not disinfected c:\windows\downloaded program files\install.inf
Spyware:spyware/searchcentrix Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:13:49 PM, on 6/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1102879008\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\techbox\techbox.exe
C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\OasClnt.exe
C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\AOL\1102879008\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCEvtHdlr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\AOL\1102879008\ee\aolsoftware.exe
c:\program files\common files\aol\1102879008\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\hjt\hjt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Starwood Toolbar - {CAC335E0-9FFB-4a59-A3F5-03B7713E937B} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Tech-In-A-Box] C:\techbox\techbox.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1102879008\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Freecell Solitaire - http://presence.games.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt4_x.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4CBBC676-507F-11D0-B98B-000000000000} -
http://www.bc777.com/software/special/SiteHlpr.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) -
http://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) -
http://mirror.worldwinner.com/games/v61/swapit/swapit.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {CAC335E0-9FFB-4A59-A3F5-03B7713E937B} (Starwood Toolbar) - http://www.starwood.com/dp/en_US/common/downloads/starpoint/toolbar/install.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EE6DD3BD-B5E5-4A05-9FF2-9DB265522F0D} (ZaboCheckAndRunControl Class) - http://busobj.emcare.com:85/wijsp/distribution/ZaboIEen.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1102879008\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee
Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

And we're on our way.

Ried · 06-08-2006, 07:38 AM

Hello ford66,

Download Adaware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Go to this Site to get the plug-in for fixing VX2 variants. Also make sure to Customize the settings in Adaware for better scan results. Run the scan and fix everything that it finds.

----------------------------------

Close any open browsers and any other programs that may be open.

----------------------------------

Run a scan in HijackThis. 'Check' each of the following if they still exist:

O16 - DPF: {4CBBC676-507F-11D0-B98B-000000000000} -
http://www.bc777.com/software/special/SiteHlpr.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) -
http://a19.g.akamai.net/7/19/7125/40...3/cpbrkpie.cab

Click 'Fix Checked' and close HijackThis.

---------------------------

Using Windows Explorer, navigate to and delete the following File:

c:\windows\downloaded program files\ install.inf

**If the above file resists deletion, boot into Safe Mode and delete.

---------------------------

Reboot your system. We really need to see results from an online scan.

---------------------------

Perform an online scan using Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
Click on see report. Then click Save report

Please post that log in your next reply along with a new HijackThis log.

Also, please provide me with an update on system performance.

ford66 · 06-08-2006, 02:13 PM

Panda Log:

Incident Status Location

Spyware:spyware/searchcentrix Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 1:15:02 PM, on 6/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1102879008\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\OasClnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RunDll32.exe
C:\techbox\techbox.exe
C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1102879008\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCEvtHdlr.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\AOL\1102879008\ee\aolsoftware.exe
c:\program files\common files\aol\1102879008\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hjt\hjt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat

7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Starwood Toolbar - {CAC335E0-9FFB-4a59-A3F5-03B7713E937B} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file

missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Tech-In-A-Box] C:\techbox\techbox.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1102879008\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Freecell Solitaire - http://presence.games.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt4_x.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldwinner.com/games/v61/swapit/swapit.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {CAC335E0-9FFB-4A59-A3F5-03B7713E937B} (Starwood Toolbar) -

http://www.starwood.com/dp/en_US/common/downloads/starpoint/toolbar/install.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EE6DD3BD-B5E5-4A05-9FF2-9DB265522F0D} (ZaboCheckAndRunControl Class) -

http://busobj.emcare.com:85/wijsp/distribution/ZaboIEen.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common

Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common

Files\AOL\1102879008\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal

firewall\MPFService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Added Observation:

I didn't note it to begin with as I should have, but after a normal boot, this pop up window error message appears once the desktop loads:

PPWebCap.exe - Unable To Locate Component

This application has failed to start becasue Ppwebcph.dll was not found. Re-installing the application may fix this problem.

Ried · 06-08-2006, 02:52 PM

Hi ford66,

That .dll belongs to the ScanSoft PaperPort program. Do you have an install disc to try reinstalling it?

Have all the other error messages been corrected now? I see nothing of note in either of these last logs.

ford66 · 06-08-2006, 04:31 PM

Yes, the other error messages have been corrected. Software can be installed and uninstalled without failing, and the system resources do not seem unduly taxed. I am now going to install avast, windows defender, and use IE-SPYAD. Though, the panda search did come up with two issues. Are they insignificant?

Ried · 06-09-2006, 12:25 AM

Hi,

The first entry showing in Panda is a reference to an orphaned registry entry. Without a file associated, it will do no harm. and it's better to leave it than to root around in the registry for it and risk irrepairable damage to the system. The second entry is a reference to the Smitfraud tool we used.

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links.

Reset hidden/system files and folders if necessary
Windows XP
===============
Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Enable Windows Auto Update
*Go to Start>Run - type wuaucpl.cpl
*Tick on the checkbox - "Keep my computer up to date"
*Under Settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will prevent any reinfection from previous restore points.

In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles:

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

More information and free downloads are available at the following links:

Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items .

Download Spyware Guard to catch and block spyware before it can execute.

Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. This is a self-extracting .ZIP file, and save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD)
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list, by typing 2
Then return to the main menu.
Select option #4 - Add the old porn sites domain, by typing 4

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

ford66 · 06-09-2006, 09:03 AM

Everything is disco now. Thank you for sharing your ninja sk1llz with me. You're a highly merited warfare advisor, and I'll run into any jungle with my rifle under your direction.

06-05-2006, 06:17 PM	#1 (permalink)
ford66 Registered User Join Date: Jun 2006 Posts: 60 OS: xp	HJT Failed to run. "Invalid Picture" Error message OS: XP Pro SP2 Observations: Maxed out resource usage, Memory and CPU. Attempts to uninstall software results in the uninstall processes freezing indefinitely. Attemps to install software fail and return strange error messages. Examples: When installing Java JRE: Windows INstaller "The Temp folder is on a drive that is full or is inaccessible. Free up space on the drive or verify that you have write permission on the Temp folder." Windows Defender: Windows INstaller "The Temp folder is on a drive that is full or is inaccessible. Free up space on the drive or verify that you have write permission on the Temp folder." Avast: Setup Selfextract "An error 82 (00000052) has occured. Last performed operation was: extracting main exe" Spybot Search and Destroy: Error "setup was unable tocreate the directory "<path>" Error 82: The directory or file cannot be created" I then tried running the online scanners suggest in the sticky for this forum topic, and they resulted inthe below error messages: Online Scanners: (Errors occur after installing the ActiveX control) Pandasoftware: "An error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try againPossible causes of this error are: Not allowing the application's ActiveX control to be downloaded. Problems with the Internet connection. The error could be due to a download error or an installation error due to lack of hard disk space, privileges etc.,... " Computer Associates: "Control failed to load. Are you using INternet Explorer 4.0 or above?" BitDefender: "Could not load the Online Scanner! Service Pack 2 was detected on this computer. Click on the information bar and select "Install ActiveX Control.." [this was after clicking on the information bar, and then clicking on Install on the following Internet Explorer - Security Warning pop up] Symantec: "Ton continue with Virus Detection, click the <icon> icon at the top of the page, and then click "Install ActiveX Control'. If you don't see the icon at the top of the page, click here" [same behavior as the BitDefender online scanner] I then dropped this machine's HD into a clean box, and ran a Avast preboot scan, as well as a Windows defender scan and Adaware scan. The preboot scan found trojans (don't have names, will find in avast scan logs and post them if requested) and the two spyware scans came up with hundreds of objects. When I put the HD back into its original box, I noticed an improved boot up time, but still could not install/uninstall software or run online scanners. Upon a second reboot, the taxed resource problem was just as bad as before dropping the hd into a clean system, and I surmise that the malware/adware simply reinstalled itself. At this point I lurked on this forum for advice, and re-followed the steps in this topic's sticky. I am not able to run Hijackthis in either normal or safe mode. It returns this error message upon failure: When installing HiJackThis: HijackThis "Invalid Picture" I haven't found a solution to this error message. What is the best course of action?

06-07-2006, 06:45 PM	#2 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,613 OS: WinXP and Vista	Hello ford66 and welcome to RSF, I'm not sure how much we can accomplish if you are unable to install programs or get HijackThis to run a scan. This batch file will start HJT from the runonce key, so that is starts before lots of malware, let's see if we can get a scan. Copy the bolded below into a new notepad document (not wordpad). Click file> save as...> call it Hijackthis.bat > file types *all files> and save it to desktop. @echo off cd\ echo REGEDIT4>Temp.reg echo.>>Temp.reg echo [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\RunOnceEx]>>Temp.reg echo "Flags"=dword:00000008>>Temp.reg echo [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\RunOnceEx\000]>>Temp.reg echo "runonce"="\"\\!HJT.bat\"">>Temp.reg echo.@echo off>!HJT.BAT Echo.echo Hijackthis will open before the windows desktop>>!HJT.BAT echo.echo Scan and Fix only what your forum adviser suggested>>!HJT.BAT echo pause>>!HJT.BAT echo.start hijackthis.exe>>!HJT.BAT echo.echo ONLY when finished with hijackthis close it and,..>>!HJT.BAT echo pause>>!HJT.BAT echo.del Temp.reg>>!HJT.BAT echo.CLS>>!HJT.BAT echo.exit>>!HJT.BAT regedit.exe /s Temp.reg echo Please restart your PC now Echo Just before the desktop loads Hijackthis will open, echo Scan and Fix only what your forum adviser suggested pause CLS exit Run Hijackthis.bat* then restart your PC. Hijackthis will open before the desktop loads. Run a scan with HijackThis and save the log to post here. Also, please do provide the results of the Avast log, it may prove useful. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

06-07-2006, 07:25 PM	#3 (permalink)
ford66 Registered User Join Date: Jun 2006 Posts: 60 OS: xp	Avast aswboot log Thank you for the response. I am currently not near the infected box at the moment, so I can't try the batch file you posted, but I can post the Avast pre-boot log. Here it is: 06/01/2006 21:02 Scan of D:\ File D:\WINDOWS\system32\hp708B.tmp\[Upack] is infected by Win32:Zlob-AF [Trj], Deleted File D:\WINDOWS\Temp\sa875.exe is infected by Win32:Adware-gen. [Adw], Deleted File D:\Documents and Settings\STEVE\Local Settings\Temp\sa770.exe is infected by Win32:Adware-gen. [Adw], Deleted File D:\Documents and Settings\STEVE\Local Settings\Temp\sa7A6.exe is infected by Win32:Adware-gen. [Adw], Deleted File D:\Documents and Settings\STEVE\Local Settings\Temp\sa875.exe is infected by Win32:Adware-gen. [Adw], Deleted File D:\System Volume Information\_restore{71130F36-CD78-4E64-A96B-A2B4AA0DCE2F}\RP687\A0092684.exe is infected by Win32:Adware-gen. [Adw], Deleted File D:\System Volume Information\_restore{71130F36-CD78-4E64-A96B-A2B4AA0DCE2F}\RP687\A0092685.exe is infected by Win32:Adware-gen. [Adw], Deleted File D:\System Volume Information\_restore{71130F36-CD78-4E64-A96B-A2B4AA0DCE2F}\RP687\A0092686.exe is infected by Win32:Adware-gen. [Adw], Deleted File D:\System Volume Information\_restore{71130F36-CD78-4E64-A96B-A2B4AA0DCE2F}\RP687\A0092687.exe is infected by Win32:Adware-gen. [Adw], Deleted Scan of E:\ Number of searched folders: 4854 Number of tested files: 148705 Number of infected files: 9

06-07-2006, 08:05 PM	#4 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,613 OS: WinXP and Vista	Hi ford66, That log was most helpful. I will give you the complete fix. I realize you are having difficulties installing programs so I've revised it a bit to accomodate that current predicament. There are no guarantees this will fix your system completely as I haven't seen Smitfraud cripple a system to such an extent before. I've a feeling there's a bit more going on in your system, but let's give this a go and see where we're at. Please copy this page to Notepad and save it to your desktop for reference. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. *********************************************** Clear your Temp and Temporary Internet Files: Go to Start > Run and type cleanmgr in the box. Let it scan your system for files to remove. Make sure Temporary Internet Files and Temporary Files checked' and click OK. Note Based on your description of error messages, this may take quite a while to complete. My purpose for emptying this now, is to hopefully clear enough to enable the downloading and installation of Ewido. Please download SmitfraudFix (by S!Ri) Extract the content (a folder named SmitfraudFix) to your Desktop. Please download the trial version of Ewido anti-malware from here: http://www.ewido.net/en/download/ Install Ewido anti-malware. When installing, under Additional Options uncheck Install background guard and Install scan via context menu. When you run Ewido for the first time, you could get a warning "Database could not be found!". Click Ok. The program will prompt you to update. Click the Ok button. The program will now go to the main screen. You will need to update Ewido to the latest definition files. On the left-hand side of the main screen click the Update Button. Click on Start. The update will start and a progress bar will show the updates being installed. Once finished updating, close Ewido. If you are having problems with the updater, you can use this link to manually update ewido. Ewido manual updates. Make sure to close Ewido before installing the update. NOTE If Ewido will not install, please continue with the remainder of the instructions. -------------------------------------------------- Reboot your computer in Safe Mode. If the computer is running, shut down Windows, and then turn off the power. Wait 30 seconds, and then turn the computer on. Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again. Ensure that the Safe Mode option is selected. Press Enter. The computer then begins to start in Safe mode. Login on your usual account. ______________________________ Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool. Select option #2 - Clean by typing 2 and press Enter*. Wait for the tool to complete and disk cleanup to finish. You will be prompted : " Registry cleaning - Do you want to clean the registry?" answer Yes* by typing Y and hit Enter. The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter. A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode. The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply. ______________________________ Clean out your Temp and Temporary Internet files again, following the same instructions I gave you at the beginning of my post. --------------------------------------------------------------------------------------------- Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present: · "Security Info" · "Warning Message" · "Security Desktop" · "Warning Homepage" · "Desktop Uninstall" Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK. ______________________________ Note IF you were able to sucessfully install Ewido: Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan. Click on Scanner Click on Settings Under How to scan all boxes should be checked Under Unwanted Software all boxes should be checked Under What to scan select Scan every file Click on Ok Click on Complete System Scan to start the scan process. Let the program scan the machine. If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok. Once the scan has completed, there will be a button located on the bottom of the screen named Save Report. Click Save Report button Save the report to your Desktop Close Ewido and Reboot in Normal Mode. ______________________________ Open the SmitfraudFix folder and double-click smitfraudfix.cmd Select option #3 - Delete Trusted zone by typing 3 and press Enter Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection. ______________________________ Once you reboot...... Perform an online scan with Internet Explorer with Panda ActiveScan click on "Free use ActiveScan" located on the top right hand corner Click Check Now** & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Enter your e-mail address, country, and state & click Scan Now* ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and wants you to buy the program for removal as we will address this later. Click on see report. Then click Save report ______________________________ Run a new HijackThis scan. Save the log file and post it here. Then post the following logs in your next reply... Ewido log C:\rapport.txt (log from the tool) Panda log Hijackthis log __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

06-07-2006, 11:14 PM	#5 (permalink)
ford66 Registered User Join Date: Jun 2006 Posts: 60 OS: xp	Ewido Log: --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 9:40:33 PM, 6/7/2006 + Report-Checksum: BEB743FD + Scan result: HKLM\SOFTWARE\Classes\Interface\{2BD8B6D2-6078-3AFC-AC19-ABE776516DC1} -> Adware.MidAddle : Cleaned with backup HKLM\SOFTWARE\Classes\Interface\{2BD8B6D2-6078-3AFC-AC19-ABE776516DC1}\ProxyStubClsid -> Adware.MidAddle : Cleaned with backup HKLM\SOFTWARE\Classes\Interface\{2BD8B6D2-6078-3AFC-AC19-ABE776516DC1}\ProxyStubClsid32 -> Adware.MidAddle : Cleaned with backup HKLM\SOFTWARE\Classes\Interface\{2BD8B6D2-6078-3AFC-AC19-ABE776516DC1}\TypeLib -> Adware.MidAddle : Cleaned with backup HKLM\SOFTWARE\Classes\SiteHlpr.SiteHlprObj -> Adware.VX2 : Cleaned with backup HKLM\SOFTWARE\Classes\SiteHlpr.SiteHlprObj\CLSID -> Adware.VX2 : Cleaned with backup HKLM\SOFTWARE\Classes\SiteHlpr.SiteHlprObj\CurVer -> Adware.VX2 : Cleaned with backup HKLM\SOFTWARE\Classes\SiteHlpr.SiteHlprObj.1 -> Adware.VX2 : Cleaned with backup HKU\S-1-5-21-3656001625-1156631218-4251244882-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E0103CD4-D1CE-411A-B75B-4FEC072867F4} -> Trojan.Puper.ac : Cleaned with backup C:\WINDOWS\cpbrkpie.ocx -> Adware.Coupons : Cleaned with backup C:\Documents and Settings\STEVE\Local Settings\Temp\Cookies\steve@data3.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup C:\Documents and Settings\STEVE\Local Settings\Temp\Cookies\steve@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup C:\Documents and Settings\STEVE\Local Settings\Temp\Cookies\steve@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup C:\Documents and Settings\STEVE\Local Settings\Temp\Cookies\steve@data4.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup C:\Documents and Settings\STEVE\Local Settings\Temp\Cookies\steve@americanexpress.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup C:\Documents and Settings\STEVE\Local Settings\Temp\Cookies\steve@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup C:\Documents and Settings\STEVE\Local Settings\Temp\Cookies\steve@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup C:\Documents and Settings\STEVE\Local Settings\Temp\Cookies\steve@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup C:\Documents and Settings\STEVE\Local Settings\Temp\Cookies\steve@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup C:\Documents and Settings\STEVE\Local Settings\Temp\Cookies\steve@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@oxcash[2].txt -> TrackingCookie.Oxcash : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@programs.wegcash[1].txt -> TrackingCookie.Wegcash : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@oxcash[1].txt -> TrackingCookie.Oxcash : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@www.web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@yadro[2].txt -> TrackingCookie.Yadro : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@cz8.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@programs.wegcash[3].txt -> TrackingCookie.Wegcash : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@image.masterstats[2].txt -> TrackingCookie.Masterstats : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@server3.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@www.web-stat[3].txt -> TrackingCookie.Web-stat : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@data4.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@webstat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@adopt.specificclick[3].txt -> TrackingCookie.Specificclick : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@cz5.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@cz9.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@image.masterstats[3].txt -> TrackingCookie.Masterstats : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@cz5.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@programs.wegcash[4].txt -> TrackingCookie.Wegcash : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@data2.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@c.enhance[2].txt -> TrackingCookie.Enhance : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@ehg-findlaw.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@sec1.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@yadro[4].txt -> TrackingCookie.Yadro : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@northwestairlines.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@www.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@e-2dj6wjnyepdjsep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@buildabear.122.2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@tracking.g3x[1].txt -> TrackingCookie.G3x : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@yadro[3].txt -> TrackingCookie.Yadro : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@gateway.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@hertz.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@sec1.liveperson[3].txt -> TrackingCookie.Liveperson : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@ehg-mastercard.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@eztracks.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@getmusicfree.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@opodo.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@ehg-findlaw.hitbox[3].txt -> TrackingCookie.Hitbox : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@sales.liveperson[4].txt -> TrackingCookie.Liveperson : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@adopt.specificclick[4].txt -> TrackingCookie.Specificclick : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@www.burstbeacon[3].txt -> TrackingCookie.Burstbeacon : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@americanexpress.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@adopt.specificclick[6].txt -> TrackingCookie.Specificclick : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@sec1.liveperson[4].txt -> TrackingCookie.Liveperson : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@ads43.bpath[1].txt -> TrackingCookie.Bpath : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@nbcuniversal.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@www.res99[1].txt -> TrackingCookie.Res99 : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@data4.perf.overture[3].txt -> TrackingCookie.Overture : Cleaned with backup C:\Documents and Settings\STEVE\Cookies\steve@data3.perf.overture[3].txt -> TrackingCookie.Overture : Cleaned with backup C:\Program Files\Yahoo!\YPSR\Quarantine\ppq963C.tmp -> TrackingCookie.2o7 : Cleaned with backup C:\Program Files\Yahoo!\YPSR\Quarantine\ppq964B.tmp -> TrackingCookie.2o7 : Cleaned with backup C:\Program Files\Yahoo!\YPSR\Quarantine\ppq965A.tmp -> TrackingCookie.2o7 : Cleaned with backup C:\Program Files\Yahoo!\YPSR\Quarantine\ppq9668.tmp -> TrackingCookie.2o7 : Cleaned with backup C:\Program Files\Yahoo!\YPSR\Quarantine\ppq9677.tmp -> TrackingCookie.2o7 : Cleaned with backup C:\Program Files\Yahoo!\YPSR\Quarantine\ppq9684.tmp -> TrackingCookie.Atdmt : Cleaned with backup ::Report End Rapport.txt: SmitFraudFix v2.55 Scan done at 20:40:16.90, Wed 06/07/2006 Run from C:\Documents and Settings\STEVE\Desktop\SmitfraudFix\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT Fix ran in safe mode »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F}"="Security Update" »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files C:\WINDOWS\system32\ot.ico Deleted C:\WINDOWS\system32\ts.ico Deleted C:\WINDOWS\system32\1024\ Deleted C:\DOCUME~1\STEVE\FAVORI~1\Antivirus Test Online.url Deleted »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» End Panda Log: Incident Status Location Adware:adware/quicksearch Not disinfected c:\windows\downloaded program files\install.inf Spyware:spyware/searchcentrix Not disinfected Windows Registry Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe Hijackthis log: Logfile of HijackThis v1.99.1 Scan saved at 10:13:49 PM, on 6/7/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe C:\Program Files\Common Files\AOL\1102879008\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\WINDOWS\system32\RunDll32.exe C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe C:\techbox\techbox.exe C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe C:\Program Files\mcafee.com\personal firewall\MPFService.exe C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe C:\PROGRA~1\YAHOO!\YOP\yop.exe C:\PROGRA~1\mcafee.com\ANTIVI~1\OasClnt.exe C:\Program Files\mcafee.com\antivirus\mcvsescn.exe C:\Program Files\mcafee.com\personal firewall\MPfTray.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\YAHOO!\browser\ycommon.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\Common Files\AOL\1102879008\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCEvtHdlr.exe C:\Program Files\Logitech\MouseWare\system\em_exec.exe C:\Program Files\Common Files\AOL\1102879008\ee\aolsoftware.exe c:\program files\common files\aol\1102879008\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe C:\hjt\hjt.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O3 - Toolbar: Starwood Toolbar - {CAC335E0-9FFB-4a59-A3F5-03B7713E937B} - (no file) O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing) O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file) O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [Tech-In-A-Box] C:\techbox\techbox.exe O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1102879008\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: Yahoo! Freecell Solitaire - http://presence.games.yahoo.com/yog/y/fs10_x.cab O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt4_x.cab O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab O16 - DPF: {4CBBC676-507F-11D0-B98B-000000000000} - http://www.bc777.com/software/special/SiteHlpr.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwinner.com/games/shared/wwlaunch.cab O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldwinner.com/games/v61/swapit/swapit.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab O16 - DPF: {CAC335E0-9FFB-4A59-A3F5-03B7713E937B} (Starwood Toolbar) - http://www.starwood.com/dp/en_US/common/downloads/starpoint/toolbar/install.cab O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab O16 - DPF: {EE6DD3BD-B5E5-4A05-9FF2-9DB265522F0D} (ZaboCheckAndRunControl Class) - http://busobj.emcare.com:85/wijsp/distribution/ZaboIEen.cab O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1102879008\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE And we're on our way. Last edited by Ried; 06-08-2006 at 07:21 AM. Reason: took out double spacing for easier review

06-08-2006, 07:38 AM	#6 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,613 OS: WinXP and Vista	Hello ford66, Download Adaware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Go to this Site to get the plug-in for fixing VX2 variants. Also make sure to Customize the settings in Adaware for better scan results. Run the scan and fix everything that it finds. ---------------------------------- Close any open browsers and any other programs that may be open. ---------------------------------- Run a scan in HijackThis. 'Check' each of the following if they still exist: O16 - DPF: {4CBBC676-507F-11D0-B98B-000000000000} - http://www.bc777.com/software/special/SiteHlpr.cab O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...3/cpbrkpie.cab Click 'Fix Checked' and close HijackThis. --------------------------- Using Windows Explorer, navigate to and delete the following File: c:\windows\downloaded program files\ install.inf If the above file resists deletion, boot into Safe Mode and delete. --------------------------- Reboot your system. We really need to see results from an online scan. --------------------------- Perform an online scan using Internet Explorer with Panda ActiveScan click on "Free use ActiveScan" located on the top right hand corner Click Check Now & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Enter your e-mail address, country, and state & click Scan Now* ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and wants you to buy the program for removal as we will address this later. Click on see report. Then click Save report Please post that log in your next reply along with a new HijackThis log. Also, please provide me with an update on system performance. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

06-08-2006, 02:13 PM	#7 (permalink)
ford66 Registered User Join Date: Jun 2006 Posts: 60 OS: xp	Panda Log: Incident Status Location Spyware:spyware/searchcentrix Not disinfected Windows Registry Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe Hijack This Log: Logfile of HijackThis v1.99.1 Scan saved at 1:15:02 PM, on 6/8/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe C:\Program Files\Common Files\AOL\1102879008\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe C:\Program Files\mcafee.com\personal firewall\MPFService.exe C:\PROGRA~1\mcafee.com\ANTIVI~1\OasClnt.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\RunDll32.exe C:\techbox\techbox.exe C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe C:\PROGRA~1\YAHOO!\YOP\yop.exe C:\Program Files\mcafee.com\antivirus\mcvsescn.exe C:\Program Files\mcafee.com\personal firewall\MPfTray.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Common Files\AOL\1102879008\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCEvtHdlr.exe C:\PROGRA~1\YAHOO!\browser\ycommon.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\Logitech\MouseWare\system\em_exec.exe C:\Program Files\Common Files\AOL\1102879008\ee\aolsoftware.exe c:\program files\common files\aol\1102879008\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\hjt\hjt.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O3 - Toolbar: Starwood Toolbar - {CAC335E0-9FFB-4a59-A3F5-03B7713E937B} - (no file) O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing) O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file) O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [Tech-In-A-Box] C:\techbox\techbox.exe O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1102879008\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: Yahoo! Freecell Solitaire - http://presence.games.yahoo.com/yog/y/fs10_x.cab O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt4_x.cab O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwinner.com/games/shared/wwlaunch.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldwinner.com/games/v61/swapit/swapit.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab O16 - DPF: {CAC335E0-9FFB-4A59-A3F5-03B7713E937B} (Starwood Toolbar) - http://www.starwood.com/dp/en_US/common/downloads/starpoint/toolbar/install.cab O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab O16 - DPF: {EE6DD3BD-B5E5-4A05-9FF2-9DB265522F0D} (ZaboCheckAndRunControl Class) - http://busobj.emcare.com:85/wijsp/distribution/ZaboIEen.cab O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1102879008\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE Added Observation: I didn't note it to begin with as I should have, but after a normal boot, this pop up window error message appears once the desktop loads: PPWebCap.exe - Unable To Locate Component This application has failed to start becasue Ppwebcph.dll was not found. Re-installing the application may fix this problem.

06-08-2006, 02:52 PM	#8 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,613 OS: WinXP and Vista	Hi ford66, That .dll belongs to the ScanSoft PaperPort program. Do you have an install disc to try reinstalling it? Have all the other error messages been corrected now? I see nothing of note in either of these last logs. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

06-08-2006, 04:31 PM	#9 (permalink)
ford66 Registered User Join Date: Jun 2006 Posts: 60 OS: xp	Yes, the other error messages have been corrected. Software can be installed and uninstalled without failing, and the system resources do not seem unduly taxed. I am now going to install avast, windows defender, and use IE-SPYAD. Though, the panda search did come up with two issues. Are they insignificant? Last edited by ford66; 06-08-2006 at 04:40 PM. Reason: poor basic grammar

06-09-2006, 12:25 AM	#10 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,613 OS: WinXP and Vista	Hi, The first entry showing in Panda is a reference to an orphaned registry entry. Without a file associated, it will do no harm. and it's better to leave it than to root around in the registry for it and risk irrepairable damage to the system. The second entry is a reference to the Smitfraud tool we used. Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links. Reset hidden/system files and folders if necessary Windows XP =============== Click Start. * Open My Computer. * Select the Tools menu and click Folder Options. * Select the View tab. * Deselect the Show hidden files and folders option. * Select the Hide file extensions for known types option. * Select the Hide protected operating system files option. Click Yes to confirm. Click OK. Enable Windows Auto Update Go to Start>Run* - type wuaucpl.cpl Tick on the checkbox - "Keep my computer up to date" Under *Settings, choose "Automatically download the updates, and install them on the schedule that I specify". Click on "OK". Create a new System Restore point* Click Start >> Run - type SYSDM.CPL & press Enter * Select the System Restore Tab * Tick on the checkbox - "Turn off System Restore on all drives" Click Apply * Then untick the same checkbox & click OK This will prevent any reinfection from previous restore points. In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles: HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein THE ANTI-SPYWARE TUTORIAL MAKING INTERNET EXPLORER SAFER Understanding and Using Firewalls Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them. More information and free downloads are available at the following links: Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items . Download Spyware Guard to catch and block spyware before it can execute. Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. This is a self-extracting .ZIP file, and save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD) From within the folder, double-click install.bat Select Option #2 - Install the new IE-SPYAD list, by typing 2 Then return to the main menu. Select option #4 - Add the old porn sites domain, by typing 4 Update all these programs regularly. Without regular updates you will not** be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

06-09-2006, 09:03 AM	#11 (permalink)
ford66 Registered User Join Date: Jun 2006 Posts: 60 OS: xp	Everything is disco now. Thank you for sharing your ninja sk1llz with me. You're a highly merited warfare advisor, and I'll run into any jungle with my rifle under your direction.