Programs not working, always freezing, firefox crashing...


21 replies to this topic

#1 crz1o13o4


Posted 20 February 2007 - 08:15 PM

I am new to this and need help with my comp. I have recently removed nod32 because I thought that was the problem, but I am not sure. I have been having problems with Firefox encountering problems and crashing, not being able to bookmark anything (unless through the bookmark manager), can't access Task Manager, and really delayed action and a slow startup. Not to mention my comp sometimes boots into a pre-boot execution. Not sure what I have to do. I have installed HJT into a permanent directory and will post the log when told to do so. Please, any help would be greatly appreciated. Also, I have Windows XP SP2.



#2 crz1o13o4


Posted 21 February 2007 - 09:11 PM

Logfile of HijackThis v1.99.1
Scan saved at 10:11:23 PM, on 2/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hijack This\HijackThis.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo XI\Corel Paint Shop Pro Photo.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

#3 ken545


Posted 25 February 2007 - 08:10 PM

crz1o13o4 :D

Welcome to Tom Coyote. Sorry about the delay in responding, but we are, as most times, just overwhelmed with logs.


Please download SmitfraudFix
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Want to help others, Join our Malware Removal Classroom HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.

Find us on Facebook
Please LIKE and SHARE

Just a reminder that threads will be closed if no reply in 3 days.


#4 crz1o13o4


Posted 25 February 2007 - 11:14 PM

SmitFraudFix v2.144
Scan done at 0:13:01.96, Mon 02/26/2007
Run from C:\Documents and Settings\JoHn & RiA\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

hosts

C:\

C:\WINDOWS
C:\WINDOWS\.protected FOUND !

C:\WINDOWS\system

C:\WINDOWS\Web

C:\WINDOWS\system32

C:\WINDOWS\system32\LogFiles

Start Menu
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\.protected FOUND !

C:\DOCUME~1\JOHN

Desktop

C:\Program Files

Corrupted keys

Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

pe386-msguard-lzx32-huy32

Scanning wininet.dll infection

End

#5 crz1o13o4


Posted 25 February 2007 - 11:18 PM

Also, I have Spybot Search and Destroy and NOD32. But I wanted to know which programs you recommend.

#6 ken545


Posted 26 February 2007 - 05:48 AM

crz1o13o4 :D

When we are done cleaning the infection off of your computer I will give you a list of free programs to install; right now we need to get rid of the Smitfraud infection.


You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.


Download and install the 30 day trial of AVG Anti-Spyware 7.5 to your desktop.
  • Once you have downloaded AVG Anti-Spyware 7.5, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run Ewido and update the definition files.
  • On the main screen select the icon Update then select the Update now link.
  • Next select the Start Update button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
  • Once in the Settings screen click on Recommended actions and then select Quarantine <-- Don't forget this
  • Under Reports
  • Select Automatically generate report after every scan
  • Un-Select Only if threats were found
  • Close AVG Anti-Spyware 7.5 <-- Do not run the scan yet.


Boot your computer into Safemode
  • Go to Start> Shut Off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly.
  • This will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to SAFEMODE
  • Then press the Enter on your Keyboard
Tutorial if you need it: How to boot into Safemode



  • Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
  • Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
  • You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
  • The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart into normal Windows.
  • A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt





Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start> Control Panel and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete Offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button.
  • Click Apply then OK.





  • Launch AVG Anti-Spyware 7.5 by double-clicking the icon on your desktop.
  • Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
  • AVG will now begin the scanning process, be patient this may take a little time.
  • Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select Apply all actions
  • Next select the Reports icon at the top.
  • Select the Save report as button in the lower left hand of the screen and save it to a text file on your system
  • make sure to remember where you saved that file, this is important
  • Close AVG Anti-Spyware 7.5
IMPORTANT: Do not open any other windows or programs while AVG is scanning; it may interfere with the scanning process.


Reboot normally.
  • Open the SmitfraudFix folder and double-click smitfraudfix.cmd
  • Select option #3 - Delete Trusted zone by typing 3 and press Enter
  • Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.



Open HijackThis > Do a System Scan Only. Close your browser and all open windows (the only program or window you should have open is HijackThis), check the following entries and click on Fix Checked.

O4 - Startup: .protected
O4 - Global Startup: .protected



Run this system cleaner.

If you don't want the Yahoo Toolbar, be sure to uncheck it during installation
Download and Install CCleaner
* Click on Run Cleaner
* Run the Issues Scan <-- After it scans your system, when you click on the Fix button and it asks you to backup the Registry, say Yes
Tutorial for CCleaner


This is what I need.
1. Smitfraud Log
2. AVG Log
3. New HJT log

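As an added example, not code from this thread, from HijackThis or from the forum's own tools: a small Python triage script for HJT 1.99.1 logs. It splits a log back into entries even when a forum paste has collapsed it onto one line (as the logs in this thread are) and flags the entry kinds the fix above turns on: the R1 ProxyServer setting, O4 Startup items with no shortcut target such as .protected, Run entries launched from the drive root, and "(file missing)" references. The sample log, the rule set and the reason strings are my own constructions; the flags are prompts for review, not verdicts.

```python
import re
from dataclasses import dataclass
from typing import List

# Section codes HijackThis 1.99.x emits: R0-R3, F0-F3, N1-N4, O1-O24.
ENTRY_CODE = r"(?:R[0-3]|F[0-3]|N[1-4]|O(?:[1-9]|1\d|2[0-4]))"
# Forum pastes often collapse the whole log onto one line, so split on the
# whitespace that precedes each "<code> - " marker rather than on newlines.
ENTRY_SPLIT = re.compile(r"\s+(?=" + ENTRY_CODE + r" - )")
ENTRY_PARSE = re.compile(r"^(" + ENTRY_CODE + r") - (.*)$", re.S)
# A Run entry whose program sits directly in the drive root, e.g. "[X] C:\\x.exe".
ROOT_EXE = re.compile(r"\]\s*[A-Z]:\\+[^\\\s]+\.exe", re.I)

# Constructed sample in the layout of the HJT logs in this thread, pasted the
# way forum extraction leaves it: everything on one line.
SAMPLE_LOG = (
    "Logfile of HijackThis v1.99.1 Scan saved at 10:11:23 PM, on 2/21/2007 "
    "Platform: Windows XP SP2 (WinNT 5.01.2600) "
    "Running processes: C:\\WINDOWS\\System32\\smss.exe C:\\WINDOWS\\Explorer.EXE "
    "R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 0.0.0.0:80 "
    "O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - "
    "C:\\Program Files\\Java\\jre1.5.0_11\\bin\\ssv.dll "
    "O4 - HKLM\\..\\Run: [SoundMAXPnP] C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe "
    "O4 - HKLM\\..\\Run: [D_V_T] C:\\\\dvt.exe /S \\C:\\\\d_v_t.reg\\ "
    "O4 - Startup: .protected "
    "O4 - Global Startup: .protected "
    "O4 - Global Startup: Microsoft Office.lnk = C:\\Program Files\\Microsoft Office\\Office10\\OSA.EXE "
    "O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing) "
    "O23 - Service: iPodService - Apple Computer, Inc. - C:\\Program Files\\iPod\\bin\\iPodService.exe"
)


@dataclass
class Entry:
    code: str   # e.g. "O4"
    body: str   # everything after "O4 - "


@dataclass
class Finding:
    entry: Entry
    reason: str


def parse_hjt(text: str) -> List[Entry]:
    """Return the R/F/N/O entries of an HJT log, with or without surviving line breaks."""
    flat = " ".join(text.split())          # normalise newlines and runs of spaces
    entries = []
    for chunk in ENTRY_SPLIT.split(flat):
        m = ENTRY_PARSE.match(chunk.strip())
        if m:                              # the header / "Running processes" chunk has no code
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Heuristic review rules (my own) for the entry kinds this thread turns on."""
    findings = []
    for e in entries:
        b = e.body
        if e.code == "R1" and "ProxyServer" in b:
            findings.append(Finding(e, "browser proxy configured; confirm the user set it"))
        elif e.code == "O4" and b.startswith(("Startup:", "Global Startup:")):
            target = b.split(":", 1)[1].strip()
            if "=" not in target:          # legitimate items read "name.lnk = C:\path\prog.exe"
                if target == ".protected":
                    reason = "Smitfraud marker; the entry fixed with HJT in this thread"
                else:
                    reason = "startup item with no shortcut target"
                findings.append(Finding(e, reason))
        elif e.code == "O4" and ROOT_EXE.search(b):
            findings.append(Finding(e, "Run entry launches a program from the drive root"))
        elif "(file missing)" in b:
            findings.append(Finding(e, "orphaned reference to a file that no longer exists"))
    return findings


def report(text: str) -> List[str]:
    """One line per finding, in log order, for a reviewer to scan."""
    return [f"{f.entry.code} - {f.entry.body}  <-- {f.reason}" for f in triage(parse_hjt(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```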


#7 crz1o13o4


Posted 26 February 2007 - 10:09 PM

I am running into a little bit of trouble... I did everything up to here:

# Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
I did this fine.

# Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
This was also done without a problem.

# You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
Here is where I am getting stuck: after I press Enter to delete infected files, the screen always goes blank, and I am never offered the registry cleaner option.

#8 ken545


Posted 27 February 2007 - 05:37 AM

Here is where I am getting stuck: after I press Enter to delete infected files, the screen always goes blank, and I am never offered the registry cleaner option.


Just bypass this for the moment and proceed with the rest of the fix.



#9 crz1o13o4


Posted 27 February 2007 - 10:07 PM

A few issues that I ran into were that I was never able to complete the smitfraudfix (option 2 in safe mode), which was previously mentioned. Also, I was not able to fix "O4 - Startup: .protected" because I tried numerous times and it said it may be in use. I opened Task Manager and ended all the processes that I could, but it still did not work. The logs that I do have are here though.

Smitfraud Log

SmitFraudFix v2.144
Scan done at 23:02:49.39, Mon 02/26/2007
Run from C:\Documents and Settings\JoHn & RiA\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process

hosts
127.0.0.1 localhost

Generic Renos Fix
GenericRenosFix by S!Ri

Deleting infected files

Deleting Temp Files

AVG Log

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:32:32 PM 2/27/2007

+ Scan result:

C:\System Volume Information\_restore{1ADD3870-5481-4F82-8AAC-AF37E8DABA11}\RP157\A0070548.exe -> Adware.Maxifiles : Cleaned.
C:\System Volume Information\_restore{1ADD3870-5481-4F82-8AAC-AF37E8DABA11}\RP158\A0070597.dll -> Adware.Maxifiles : Cleaned.
C:\System Volume Information\_restore{1ADD3870-5481-4F82-8AAC-AF37E8DABA11}\RP158\A0070598.exe -> Adware.Maxifiles : Cleaned.
C:\System Volume Information\_restore{1ADD3870-5481-4F82-8AAC-AF37E8DABA11}\RP158\A0070599.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{1ADD3870-5481-4F82-8AAC-AF37E8DABA11}\RP158\A0070600.exe -> Adware.Softomate : Cleaned.
C:\WINDOWS\Temp\b122.exe -> Adware.Softomate : Cleaned.
C:\Documents and Settings\JoHn & RiA\Local Settings\Temp\__uia__.exe -> Adware.Udefender : Cleaned.
C:\System Volume Information\_restore{1ADD3870-5481-4F82-8AAC-AF37E8DABA11}\RP158\A0071458.exe -> Downloader.Agent.bca : Cleaned.
C:\WINDOWS\Temp\win1329.tmp.exe -> Downloader.Agent.bdr : Cleaned.
C:\WINDOWS\Temp\win12E4.tmp.exe -> Downloader.Agent.bgn : Cleaned.
C:\System Volume Information\_restore{1ADD3870-5481-4F82-8AAC-AF37E8DABA11}\RP157\A0070550.exe -> Downloader.PurityScan.dc : Cleaned.
C:\WINDOWS\Temp\win12BD.tmp.exe -> Downloader.PurityScan.dc : Cleaned.
C:\System Volume Information\_restore{1ADD3870-5481-4F82-8AAC-AF37E8DABA11}\RP166\A0074910.exe -> Downloader.PurityScan.dt : Cleaned.
C:\System Volume Information\_restore{1ADD3870-5481-4F82-8AAC-AF37E8DABA11}\RP158\A0070609.exe -> Downloader.Tiny.fk : Cleaned.
C:\WINDOWS\Temp\win12CD.tmp.exe -> Downloader.Tiny.fk : Cleaned.
C:\WINDOWS\system32\ishost.exe_tobedeleted -> Downloader.Zlob.ape : Cleaned.
C:\Documents and Settings\JoHn & RiA\Local Settings\Temp\winB3CB.tmp.exe -> Downloader.Zlob.apf : Cleaned.
C:\System Volume Information\_restore{1ADD3870-5481-4F82-8AAC-AF37E8DABA11}\RP158\A0070558.exe -> Logger.Agent.or : Cleaned.
C:\System Volume Information\_restore{1ADD3870-5481-4F82-8AAC-AF37E8DABA11}\RP158\A0070601.exe -> Logger.Agent.or : Cleaned.
C:\WINDOWS\Temp\win1320.tmp.exe -> Logger.Agent.or : Cleaned.
C:\WINDOWS\system32\urroxtl.dll_tobedeleted -> Not-A-Virus.Hoax.Win32.Renos.ds : Cleaned.
:mozilla.121:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned.
:mozilla.71:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.72:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.73:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.74:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.75:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.76:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.30:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.31:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.33:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.34:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.35:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.70:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.37:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.38:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.39:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.100:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.96:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.97:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.98:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.99:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.78:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.67:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.68:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.69:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.15:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.92:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.93:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.94:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.66:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.79:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.80:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.81:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.82:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.83:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.84:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.85:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.86:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.87:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.16:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.48:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.49:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.50:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.51:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.52:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.54:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.55:C:\Documents and Settings\JoHn & RiA\Application Data\Mozilla\Firefox\Profiles\ut875668.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\JoHn & RiA\Local Settings\Temp\mst278C.tmp -> Trojan.Agent.vg : Cleaned.
C:\Documents and Settings\JoHn & RiA\Local Settings\Temp\mst278F.tmp -> Trojan.Agent.vg : Cleaned.
C:\System Volume Information\_restore{1ADD3870-5481-4F82-8AAC-AF37E8DABA11}\RP158\A0071459.dll -> Trojan.Agent.vg : Cleaned.
C:\System Volume Information\_restore{1ADD3870-5481-4F82-8AAC-AF37E8DABA11}\RP158\A0070602.exe -> Trojan.Small : Cleaned.

::Report end

New HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 10:55:10 PM, on 2/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Startup: .protected
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

#10 ken545


Posted 28 February 2007 - 05:52 AM

You can open AVG and go to the Quarantine folder and uninstall it all, nothing in there you want to keep on your system.

This is related to the Smitfraud infection. First fix it with HJT.
O4 - Startup: .protected

Then run Smitfraud fix Option 2 in normal windows if it won't run in safemode.


Run this other great cleaner.

Please download ATF Cleaner by Atribune.
  • This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner; this is expected but will be back to normal after the first or second boot up.


Let me see the Smitfraud log and a New HJT log please.



#11 crz1o13o4


Posted 28 February 2007 - 08:07 PM

I opened AVG and the quarantine folder is empty. I opened HJT and tried to check O4 - Startup: .protected but it still will not let me (saying the program may be in use), and SmitfraudFix is still not completing... after a certain point, the screen goes blank (besides wallpaper) and never does anything else after that. I also used the ATF Cleaner, which worked fine.

SmitFraudFix v2.144

Scan done at 20:56:55.29, Wed 02/28/2007
Run from C:\Documents and Settings\JoHn & RiA\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process

hosts

127.0.0.1 localhost

Generic Renos Fix

GenericRenosFix by S!Ri

Deleting infected files

Deleting Temp Files

Logfile of HijackThis v1.99.1
Scan saved at 8:56:02 PM, on 2/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Startup: .protected
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Edited by crz1o13o4, 28 February 2007 - 08:08 PM.
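As an added example (not part of this thread, and not HijackThis code), a small Python script that reads HijackThis-style log lines like the ones posted above and lists the entries a helper would look at twice: the dot-prefixed Startup-folder item, a Run entry launching a file from the drive root, a configured browser proxy, and a Winlogon Notify entry whose file is missing. The sample log is constructed from a few lines of the posted log, and the heuristics are the example's own; a hit only marks a line for review.

```python
import re

# Constructed sample, modelled on the HijackThis v1.99.1 lines posted in this thread
# (not the full log); the ProxyServer, D_V_T, .protected and WgaLogon lines are from it.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
O4 - Startup: .protected
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
ROOT_EXE_RE = re.compile(r"[A-Za-z]:\\+[^\\]+")  # e.g. C:\\dvt.exe: nothing below the root


def command_path(rest):
    """Return the executable path of a Run command: the quoted part, or the first token."""
    if rest.startswith('"'):
        return rest[1:rest.find('"', 1)]
    return rest.split()[0]


def audit(log_text):
    """Return (reason, line) pairs for entries worth a second look.

    These heuristics are this example's own, not HijackThis's: they point at lines
    to review, and a hit is not by itself a verdict that the entry is malicious.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "R1" and "ProxyServer" in body:
            findings.append(("browser proxy server configured", line))
        elif sec == "O4" and body.startswith("Startup: "):
            if body[len("Startup: "):].startswith("."):  # dot-prefixed name, like .protected
                findings.append(("unusual Startup-folder item", line))
        elif sec == "O4":
            rm = RUN_RE.match(body)
            if rm and ROOT_EXE_RE.fullmatch(command_path(rm.group("rest"))):
                findings.append(("Run entry launches a file from the drive root", line))
        elif sec in ("O20", "O21") and "(file missing)" in body:
            findings.append(("Winlogon/SSODL entry points at a missing file", line))
    return findings


if __name__ == "__main__":
    for reason, line in audit(SAMPLE_LOG):
        print(f"{reason}: {line}")
```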


#12 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,203 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 28 February 2007 - 08:25 PM

Try removing that entry in Safe Mode.

O4 - Startup: .protected



  • Open HJT
  • Then open the Misc Tools section
  • Click on Generate a StartupList Log
  • Don't check the 2 boxes just yet
  • Post the log into this thread

Want to help others, Join our Malware Removal Classroom  HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
Just a reminder that threads will be closed if no reply in 3 days.


#13 crz1o13o4

crz1o13o4

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 28 February 2007 - 08:42 PM

StartupList report, 2/28/2007, 9:36:58 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Hijack This\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijack This\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\JoHn & RiA\Start Menu\Programs\Startup]
.protected

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SoundMAXPnP = C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
SoundMAX = "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
D_V_T = C:\\dvt.exe /S \C:\\d_v_t.reg\
SunJavaUpdateSched = "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
HPDJ Taskbar Utility = C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
HPHUPD05 = C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
HP Component Manager = "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
HPHmon05 = C:\WINDOWS\system32\hphmon05.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
!AVG Anti-Spyware = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
FRU Task #Hewlett-Packard#hp psc 1200 series#1157981268.job
HP Usg Daily.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx
CODEBASE = http://fpdownload.ma...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 4,336 bytes
Report generated in 0.125 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#14 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,203 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 28 February 2007 - 09:13 PM

O4 - Startup: .protected <-- needs to go. I have removed this on many posts and don't know why yours won't go.

Try disabling AVG Anti-Spyware. Open the program, look for the Background Guard feature and disable it.


Go to where you have the Smitfraud fix icon on your desktop and delete it and do a fresh download.


Please download SmitfraudFix
Extract the content (a folder named SmitfraudFix) to your Desktop.


After disabling the Background Guard in AVG, try removing that entry with HJT in both Normal and Safe Mode, then do another scan with SmitfraudFix in both Normal and Safe Mode. If and when the screen goes blank, let it be for a while; sometimes it takes a while for it to complete.

Post the report if you can and a new HJT log.



#15 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,203 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 01 March 2007 - 05:56 AM

Try this.

Click Start> Run and type msconfig into the run box and press the enter key.
Click the Startup tab and look for and untick anything that says protected.
Click Apply > Ok
You will be prompted to reboot your system.
After your system has rebooted, you will see a window that says you have used msconfig to make changes etc. Tick the little box that says not to run msconfig the next time you start your computer and click ok.


Then, if you can, proceed with removing that entry and running Option 2 of SmitfraudFix.

There is a newer version of Smitfraud here if the one I posted still won't work.
http://siri.geekstog...mitfraudFix.php


Ken :D

Edited by ken545, 01 March 2007 - 06:29 AM.
