Old 06-11-2006, 10:43 AM   #21 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 49
OS: XP


smitfraud, findlop, hijack logs



SmitFraudFix v2.58

Scan done at 800.26, 11/06/2006
Run from C:\Documents and Settings\Lyndon\Desktop\Spyware stuff\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\alexaie.dll Deleted
C:\WINDOWS\alxie328.dll Deleted
C:\WINDOWS\alxtb1.dll Deleted
C:\WINDOWS\infected.gif Deleted
C:\WINDOWS\Pynix.dll Deleted
C:\WINDOWS\star.gif Deleted
C:\WINDOWS\ZServ.dll Deleted
C:\WINDOWS\system32\jao.dll Deleted
C:\WINDOWS\system32\questmod.dll Deleted
C:\WINDOWS\system32\runsrv32.dll Deleted
C:\WINDOWS\system32\udpmod.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Volume in drive C has no label.
Volume Serial Number is BCC1-CC60

Directory of C:\Documents and Settings\Administrator\Application Data

11/09/2003 11:36 PM <DIR> .
11/09/2003 11:36 PM <DIR> ..
11/09/2003 11:36 PM <DIR> Microsoft
0 File(s) 0 bytes
3 Dir(s) 41,985,916,928 bytes free
Volume in drive C has no label.
Volume Serial Number is BCC1-CC60

Directory of C:\Documents and Settings\All Users\Application Data

21/04/2006 11:14 AM <DIR> Adobe
16/07/2005 03:28 PM <DIR> Apple Computer
11/09/2003 11:34 PM <DIR> BVRP Software
08/09/2005 08:07 AM <DIR> Creative
23/05/2005 11:09 AM <DIR> Dell
28/05/2006 03:37 PM 6 DragToDiscUserNameE.txt
09/05/2005 09:12 AM <DIR> Hewlett-Packard
11/08/2005 09:26 PM 2,436 hpzinstall.log
08/02/2006 09:02 AM <DIR> InstallShield
29/08/2005 09:01 PM <DIR> Kodak
17/07/2004 02:50 PM <DIR> McAfee.com
30/06/2004 12:11 AM <DIR> PACE Anti-Piracy
18/11/2005 04:22 PM <DIR> PopCap
30/06/2004 12:02 AM <DIR> Propellerhead Software
08/02/2004 05:01 PM <DIR> QuickTime
08/02/2006 09:05 AM <DIR> Roxio
11/09/2003 11:32 PM <DIR> SBSI
08/02/2006 09:01 AM <DIR> Sonic
06/06/2006 04:55 PM <DIR> Spybot - Search & Destroy
23/05/2005 06:59 PM <DIR> Viewpoint
06/06/2006 10:21 AM <DIR> Windows Genuine Advantage
2 File(s) 2,442 bytes
19 Dir(s) 41,985,912,832 bytes free
Volume in drive C has no label.
Volume Serial Number is BCC1-CC60

Directory of C:\Documents and Settings\Linda\Application Data

10/11/2003 05:19 PM <DIR> Adobe
13/02/2005 12:32 PM <DIR> AdobeUM
19/02/2006 05:29 PM <DIR> ArcSoft
20/12/2005 11:23 AM <DIR> Creative
07/01/2004 05:41 PM <DIR> Help
11/09/2003 11:01 PM <DIR> Identities
02/01/2006 05:37 PM <DIR> Macromedia
01/10/2003 06:30 PM <DIR> McAfee.com Personal Firewall
02/03/2006 12:47 PM <DIR> Mozilla
04/07/2005 05:52 PM <DIR> Real
11/02/2006 11:46 AM <DIR> Roxio
22/10/2005 04:47 PM <DIR> Sun
0 File(s) 0 bytes
12 Dir(s) 41,985,912,832 bytes free
Volume in drive C has no label.
Volume Serial Number is BCC1-CC60

Directory of C:\Documents and Settings\Lyndon\Application Data

27/08/2005 09:37 AM <DIR> Adobe
21/04/2006 11:17 AM <DIR> AdobeUM
19/09/2003 10:11 PM <DIR> ArcSoft
26/10/2003 02:28 PM <DIR> CyberLink
06/01/2006 11:31 PM <DIR> Digidesign
15/02/2004 01:02 PM 0 dm.ini
28/05/2006 09:51 AM <DIR> EPSON
31/08/2005 07:09 PM <DIR> Google
19/09/2003 09:56 PM <DIR> Help
11/09/2003 11:01 PM <DIR> Identities
11/06/2005 02:31 PM <DIR> Lavasoft
15/11/2003 05:28 PM <DIR> Leadertech
11/02/2006 12:33 AM <DIR> Macromedia
01/10/2003 06:14 PM <DIR> McAfee.com Personal Firewall
19/09/2003 09:25 PM <DIR> Microsoft Web Folders
11/02/2006 12:59 PM <DIR> Mozilla
29/08/2005 06:32 PM <DIR> OLYMPUS
25/03/2005 01:47 PM <DIR> Real
11/02/2006 12:31 AM <DIR> Roxio
20/05/2005 07:42 PM <DIR> Sun
23/11/2005 07:19 PM <DIR> V-Safe
1 File(s) 0 bytes
20 Dir(s) 41,985,912,832 bytes free
Volume in drive C has no label.
Volume Serial Number is BCC1-CC60

Directory of C:\Documents and Settings\Nathan\Application Data

27/09/2005 02:59 PM <DIR> Adobe
20/04/2005 05:20 PM <DIR> AdobeUM
19/04/2005 01:24 PM <DIR> Apple Computer
02/10/2003 08:06 AM <DIR> ArcSoft
13/09/2005 03:03 PM <DIR> Creative
18/09/2003 08:44 PM <DIR> CyberLink
10/09/2005 10:49 PM <DIR> Digidesign
13/10/2003 11:56 AM <DIR> DVD Shrink
20/09/2003 11:16 AM <DIR> EPSON
28/12/2005 02:42 PM <DIR> funkitron
26/11/2003 07:02 PM <DIR> Help
11/09/2003 11:01 PM <DIR> Identities
08/12/2004 08:48 PM <DIR> Lavasoft
15/11/2003 05:09 PM <DIR> Leadertech
23/12/2005 05:27 PM <DIR> Macromedia
01/10/2003 07:03 AM <DIR> McAfee.com Personal Firewall
08/02/2006 08:33 AM <DIR> Mozilla
29/08/2005 03:53 PM <DIR> OLYMPUS
30/06/2004 12:03 AM <DIR> Propellerhead Software
27/10/2004 09:43 AM <DIR> Real
14/05/2006 10:13 PM <DIR> Roxio
27/02/2006 09:48 PM <DIR> Sonic
04/06/2005 01:38 PM <DIR> Sun
07/05/2006 04:01 PM <DIR> VSO_HWE
19/11/2005 11:34 AM <DIR> {27ABEAD9-B7C4-4994-891F-48F5F48861FA}
0 File(s) 0 bytes
25 Dir(s) 41,985,908,736 bytes free
Volume in drive C has no label.
Volume Serial Number is BCC1-CC60

Directory of C:\Documents and Settings\Samantha\Application Data

03/04/2004 04:46 PM <DIR> Adobe
23/04/2005 08:32 AM <DIR> AdobeUM
19/12/2004 02:20 AM <DIR> Apple Computer
27/12/2003 10:22 PM <DIR> ArcSoft
20/05/2005 08:52 PM <DIR> Gtek
11/09/2003 11:01 PM <DIR> Identities
03/04/2004 04:46 PM <DIR> Leadertech
10/10/2003 10:14 PM <DIR> Macromedia
01/10/2003 08:23 PM <DIR> McAfee.com Personal Firewall
15/04/2006 10:29 AM <DIR> Mozilla
28/01/2005 09:37 PM <DIR> Real
19/02/2006 05:55 PM <DIR> Roxio
22/05/2005 09:42 AM <DIR> Sun
0 File(s) 0 bytes
13 Dir(s) 41,985,908,736 bytes free
Volume in drive C has no label.
Volume Serial Number is BCC1-CC60

Directory of C:\Documents and Settings\Default User\Application Data

20/05/2005 07:48 PM <DIR> .
20/05/2005 07:48 PM <DIR> ..
07/09/2004 09:04 PM 62 DESKTOP.INI
1 File(s) 62 bytes
2 Dir(s) 41,985,908,736 bytes free
Volume in drive C has no label.
Volume Serial Number is BCC1-CC60

Directory of C:\Documents and Settings\LocalService\Application Data

29/06/2005 03:45 PM <DIR> GTek
0 File(s) 0 bytes
1 Dir(s) 41,985,908,736 bytes free
Volume in drive C has no label.
Volume Serial Number is BCC1-CC60

Directory of C:\Documents and Settings\NetworkService\Application Data

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'MP Scheduled Scan.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Windows Defender\MpCmdRun.exe'
Parameters: 'Scan -RestrictPrivileges'
WorkingDirectory: ''
Comment: 'Scheduled Scan'
Creator: 'SYSTEM'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 00/00/0000 0:00:00
NextRun: 06/12/2006 1:55:00
StartError: SCHED_S_TASK_HAS_NOT_RUN
ExitCode: 0
Status: SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 1
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 06/11/2006
EndDate: 00/00/0000
StartTime: 01:55
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


Logfile of HijackThis v1.99.1
Scan saved at 8:32:30 AM, on 11/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Documents and Settings\Lyndon\Desktop\Spyware stuff\ewido anti-malware\ewidoctrl.exe
C:\Documents and Settings\Lyndon\Desktop\Spyware stuff\ewido anti-malware\ewidoguard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
C:\Documents and Settings\Lyndon\Desktop\Spyware stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra 'Tools' menuitem: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/produc...ed/mvt/mvt.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bej...ploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Lyndon\Desktop\Spyware stuff\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Lyndon\Desktop\Spyware stuff\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
LynRis is offline  
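The HijackThis log above is read by the helpers line by line; the checks they apply by eye (unnamed BHOs, "(file missing)" entries, services with no publisher, autostarts running from a user's profile, Run-key commands given as a bare filename) can be written down. The following is an added example, not code from the thread or from HijackThis itself; it parses the R/O sections of the 1.99.x log format and generalises the checks to every entry, using lines copied from the log posted above as its sample input. Each hit is a reason to look closer, not a verdict: the "(no name)" BHO it flags here is the Spybot SDHelper the helpers recognised as benign.

```python
"""Triage of HijackThis (HJT) log entries: parse the R/O lines and apply the
quick checks a forum analyst makes by eye (unnamed BHOs, orphaned entries,
services with no publisher, autostarts from user-writable folders, bare
filenames in Run keys)."""
import re
from dataclasses import dataclass, field
from typing import Optional

LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\local settings\\")

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Lyndon\Desktop\Spyware stuff\ewido anti-malware\ewidoguard.exe
"""


@dataclass
class Entry:
    section: str              # "O2", "O4", "O23", ...
    body: str                 # text after "Oxx - "
    clsid: Optional[str]      # {GUID} when the entry carries one
    target: str               # file, command line or URL the entry points at
    flags: list = field(default_factory=list)


def _target(section: str, body: str, clsid: Optional[str]) -> str:
    if section == "O4":       # HKLM\..\Run: [Name] "C:\x.exe" -args -> command part
        m = re.match(r".*?\] (.*)$", body)
        return m.group(1) if m else body
    if clsid:                 # split on the CLSID, not on " - ": paths may contain " - "
        rest = body.split(clsid, 1)[1]
        if section == "O16":  # DPF: {CLSID} (Name) - URL
            return rest.rsplit(" - ", 1)[-1]
        return rest.lstrip(" -").replace(" (file missing)", "")
    if section == "O23":      # Service: Name (Short) - Company - Path
        return body.split(" - ", 2)[-1]
    return body


def _exe_of(command: str) -> str:
    """Executable part of an O4 command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def review(entry: Entry) -> list:
    """Each hit is a reason to look closer, not a verdict of malware."""
    hits, low = [], entry.body.lower()
    if "(no name)" in low:
        hits.append("unnamed component: identify it by CLSID and file before trusting it")
    if "(file missing)" in low:
        hits.append("orphaned entry: the referenced file no longer exists")
    if "unknown owner" in low:
        hits.append("service without a publisher string")
    if any(s in entry.target.lower() for s in USER_WRITABLE):
        hits.append("runs from a user-writable folder")
    if entry.section == "O4" and "\\" not in _exe_of(entry.target):
        hits.append("bare filename: resolved via the search path, locate the real file")
    return hits


def parse_log(text: str) -> list:
    """All R/O entries in the log, each with its review flags attached."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:             # headers, process list, blank lines
            continue
        section, body = m.group("section"), m.group("body")
        c = CLSID_RE.search(body)
        clsid = c.group(0) if c else None
        e = Entry(section, body, clsid, _target(section, body, clsid))
        e.flags = review(e)
        entries.append(e)
    return entries


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        if e.flags:
            print(e.section, e.target, "->", "; ".join(e.flags))
```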
Old 06-11-2006, 01:11 PM   #22 (permalink)
Analyst, Security Team
 
greyknight17's Avatar
 
Join Date: Jul 2004
Location: New York
Posts: 14,331
OS: Windows 98 & Windows XP Home/Pro

My System

Looks good now.

Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

greyknight17 is offline  
Old 06-11-2006, 01:25 PM   #23 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 49
OS: XP


thanks for your help

It's hard to tell how well I am running on the internet connection; everything else is good. I found while using the other computer that my internet service was letting me down, inconsistent and not working at times. I have a service guy coming to look at the cable system and cable modem on Tuesday, I will know for sure then how well I am running. So keep me open until then. Again, thank you for your patient help and guidance.

Regards
Lyndon
LynRis is offline  
Old 06-11-2006, 01:40 PM   #24 (permalink)
Analyst, Security Team
 
greyknight17's Avatar
 
Join Date: Jul 2004
Location: New York
Posts: 14,331
OS: Windows 98 & Windows XP Home/Pro

My System

No problem Lyndon. Thread will be open till you return.

greyknight17 is offline  
Old 06-11-2006, 01:42 PM   #25 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 49
OS: XP


After my internet service is tuned up; should I dump most of these tools we used or hang on to them? I assume I should keep Ewido up and running.
You had also mentioned proper removal of Noble Poker.

Thanks
Talk to you Tuesday
LynRis is offline  
Old 06-11-2006, 07:53 PM   #26 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,179
OS: 2000 Pro; XP Pro; XP Home


Hi Lyndon -

Before we fix that up and send you off, I'd like a bit more information please.

Please search your machine for this file:

C:\Program Files\USERWA~1\TonsWeb.dll

This is in a subfolder of Program Files, which begins with USERWA

You may find it easiest to use Windows' search function, from the Start button, to find TonsWeb.dll

If you find this, please also let me know what other files are in that folder, if any.

If you find this file, please go to Jotti's malware scan page and use the buttons at the top of the page to browse to this file on your hard drive to submit it for a scan, and post the results here.

Additionally, please do this:

Create an uninstall list:
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Open Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the list from Notepad into your post
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009

Last edited by tetonbob; 06-11-2006 at 07:55 PM.
tetonbob is offline  
Old 06-13-2006, 09:34 AM   #27 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 49
OS: XP


We're cook'n with gas now

New cable modem and all is well. My follow-ups should be much quicker now.

TonsWeb.dll did not show up as a file anywhere. I used the search function and looked myself. As a curiosity I did an extra search of file contents to see if TonsWeb.dll was referenced anywhere. It was in the WinPFind log, Dr Watson log and in the Registry Backup. I have included a screen shot attachment of that search.

Here is the uninstall list from Hijack

Ad-Aware SE Personal
Adobe Reader 7.0.7
Advanced MP3 Converter 2.18
ArcSoft PhotoImpression
BCM V.92 56K Modem
BitLord 1.1
CleanUp!
cmVodbx32-V4
Creative Jukebox Driver
Creative MediaSource
Creative Removable Disk Manager
Creative System Information
Creative Zen Micro
DAO
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Dell Support 5.0.0 (766)
Device drivers for HP Simple Backup
Digidesign Pro Tools® LE 6.1.1
Digidesign Shared Plug-Ins
DivX Codec
DreamStation DXi
DVD X Rescue
DVD-CLONER V3.05 Build 886
DVDFab Platinum 2.9.6.9
DVDSentry
EPSON Copy Utility
EPSON Photo Print
EPSON PhotoQuicker3.2
EPSON Printer Software
EPSON Smart Panel
EPSON TWAIN 5
EPSON User's Guide
ewido anti-malware
FIFA 99
Google Earth
HijackThis 1.99.1
HP Image Zone 4.0
HP Photosmart Cameras 4.0
HP Software Update
HyperLoad
IE Host
IK Digidesign Bundle
Ink Monitor
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet
InterActual Player
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
LimeWire 4.8.1
Live Digidesign Edition 2.1
Logitech MouseWare 9.77
Macromedia Flash Player 8
Macromedia Shockwave Player
Matroska Pack (remove only)
MaxSpeed
McAfee SecurityCenter
McAfee VirusScan
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2003
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft Office 2000 Premium
Microsoft Picture It! Photo 7.0
Microsoft Streets and Trips 2002
Microsoft Word 2002
Microsoft Works 2003 Setup Launcher
Microsoft Works 7.0
Microsoft Works Suite Add-in for Microsoft Word
Modem Helper
Mozilla Firefox (1.5)
MSN Messenger 7.5
MyDVD
Netscape Communicator 4.79
Nic's XviD Decoder
Noble Poker
NVIDIA Windows 2000/XP Display Drivers
PACE System Files
Paint Shop Pro 7
Panda ActiveScan
PHStat2
PowerDVD
PowerISO
PrintMaster Platinum 4.00
QuickTax 2003 Standard
QuickTax 2004
QuickTax 2005
QuickTime
Reason Adapted for Digidesign 2.5
Roxio Easy Media Creator 8 Suite
Sateira CD&DVD Burner 2.43
ScanToWeb
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Shockwave
Sound Blaster Live!
Spybot - Search & Destroy 1.4
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
VeloMaster Lite CW
Virtual Sound Canvas DXi
Winamp (remove only)
Window Searching
Window Active
Windows Defender
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinZip
XviD MPEG-4 Codec
Attached Files
File Type: doc Where TonsWeb shows up.doc (107.5 KB, 2 views)
LynRis is offline  
Old 06-13-2006, 01:52 PM   #28 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,179
OS: 2000 Pro; XP Pro; XP Home


The following registry entry is referenced in the WinPFind log in association with the TonsWeb.dll, which appears to have been a LOP infection related entry, now inactive. We can easily remove it.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:
Code:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{E5AE512C-3349-6CA5-B338-0D1559A6E27B}"=-
Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad. Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs):

J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4


Leave J2SE Runtime Environment 5.0 Update 6 alone.

---------------------------------------------------------------------------------------------

If this folder is present, delete it:

C:\Program Files\USERWA~1\


Well done. Your logs are clean. Any more issues? If not, you should be good to go. We still have a few items to address.


Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Create a new System Restore point
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK

Please ensure that you have already patched your system against the recent WMF exploit.
Go to this page to get the KB912919 patch.

Enable Windows Auto Update
  • Go to Start>Run - type wuaucpl.cpl
  • tick on the checkbox - "Keep my computer up to date"
  • Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • SpywareGuard to catch and block spyware before it can execute.
  • SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software. A tutorial on installing & using this product can be found here
  • AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would with antivirus software, in conjunction with Spybot. A tutorial on installing & using this product can be found here
  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

  • IE-SPYAD - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • Download IE-SpyAD - Extract the contents to a new folder
      From within the folder, double-click install.bat
      Select Option #2 - Install the new IE-SPYAD list.
      Then return to the main menu.
      Select option #4 - Add the old porn sites domain


  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.


  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online antivirus scanners:

    Anti-Spyware Tutorial

    Here are two very good free Antivirus products which are available:
  • Avast!

  • AVG

If you do not have a firewall, here are 4 free ones available for personal use:


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
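One way to audit a HOSTS file of the kind described above, as an added example that is not part of the original post or of the MVPS project: it separates the blocking entries (names sent to 127.0.0.1 or 0.0.0.0, which is all a clean MVPS file contains) from entries that point a real hostname at some other address, which is what a hosts-file hijack looks like. The sample entries and hostnames are constructed for the example.

```python
"""Audit a Windows HOSTS file: separate MVPS-style blocking entries from
entries that send a real hostname somewhere else (what a hijack looks like)."""
import ipaddress
from typing import Dict, List, Tuple

# A blocklist-style HOSTS file (the MVPS one included) maps blocked names to the
# loopback or unspecified address, so the connection never leaves the PC.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample for this example; it is NOT the real MVPS file.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 ad.example-adserver.test       # blocked ad host, MVPS style
0.0.0.0   tracker.example.test
192.0.2.10 update.example-antivirus.test # suspicious: real name sent elsewhere
999.1.1.1 broken.test                    # malformed address
"""

Entry = Tuple[str, str]  # (address, hostname)


def parse_hosts(text: str) -> List[Entry]:
    """Return (address, hostname) pairs, ignoring comments and blank lines.
    One line may list several hostnames after the address."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        entries.extend((addr, name.lower()) for name in names)
    return entries


def classify_hosts(text: str) -> Dict[str, List[Entry]]:
    """Bucket entries as 'local' (localhost itself), 'sinkholed' (blocked
    names), 'redirected' (sent to another address) or 'invalid' (unparsable)."""
    buckets: Dict[str, List[Entry]] = {
        "local": [], "sinkholed": [], "redirected": [], "invalid": []}
    for addr, name in parse_hosts(text):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            buckets["invalid"].append((addr, name))
            continue
        if addr in SINKHOLE_ADDRS:
            key = "local" if name == "localhost" else "sinkholed"
        else:
            key = "redirected"  # a clean MVPS file has none of these
        buckets[key].append((addr, name))
    return buckets
```

Run it against `C:\WINDOWS\system32\drivers\etc\hosts` (or the HOSTS.MVP backup that mvps.bat leaves behind) and review anything in the "redirected" bucket.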
Old 06-13-2006, 09:41 PM   #29 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 49
OS: XP


All Done, Thank-you

All done. Thanks again for your thorough, patient guidance in getting my machine clean. I gotta tell you that having my cable modem go wonky at the same time made this problem look real scary from this end until I realized what was happening.

Regards
Lyndon
LynRis is offline  
Copyright 2001 - 2009, Tech Support Forum