#16
It won't let me do the Panda scan, because I haven't got the ActiveX part it needs. I tried to download it from download.com, but it still isn't working.

#17
Are you trying to run it in Internet Explorer or Firefox? It has to be run in IE.

If you cannot get that to run then try this one.

Run this online scan Kaspersky

When the scan is finished Save the results from the scan!

1: Read and Accept the Agreement
2: You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
3: If you see a Windows dialog asking if you want to install this software, click the Install button.
4: The program will launch and then begin downloading the latest definition files,
5: When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
6: Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
7: Under "Please select a target to scan:", click My Computer to start the scan.
8: When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
9: Add the log in your next post.

If you can't run the online scans let me know and we will try another route.

Last edited by evilfantasy : 4th Sep 2007 at 02:18 AM.

#18
I tried to do the Panda scan but I had to download an ActiveX part which I can't do from the Panda site. I then tried to download it from another site, but it still doesn't let me run the Panda scan.

#19
Here is the log.

#20
Let's try this.

Install and run this SUPERAntispyware Free Edition

When you have SAS open click the preferences.

General and Startup tab
Only have checked
Show splash screen on startup
Use XP style menus
Check for program updates when the application starts
Do not scan when SuperAntiSpyware starts

Realtime protection tab
Uncheck everything there

Then scan your computer
Have it fix what it finds.

If anything other than cookies are found then please save the log.
From SUPERAntispyware start page click Preferences>Statistics/Logs Tab>Highlight The Log>View Log
Save the log to desktop.
In the next post click Go Advanced. Scroll down and click Manage Attachments and add the log as an attachment.

Also there was a new edition of Spybot Search & Destroy released yesterday please download it Here. Do a scan with it also. Tell me if it finds anything it cannot fix.

Run a fresh HijackThis scan last and attach a fresh HJT log.

Next post:
SuperAntiSpyware Log
HijackThis Log
Tell me if SpyBot could not remove anything and the name of it.

You can add multiple attachments. Just click browse again and they will both be added.

#21
There were only cookies found with the first scan. Here is the HJT LOG.

#22
Complete this procedure completely including attaching the requested log before doing the second procedure.

Download SmitfraudFix (by S!Ri) to your Desktop.

Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #1 - Search by typing 1 and press Enter

This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

Note: process.exe (which is used by SmitFraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

#23
SmitFraudFix v2.219

Scan done at 19:51:13.54, 04/09/2007
Run from C:\Documents and Settings\james\Local Settings\Temporary Internet Files\Content.IE5\LFFJLTWE\SmitfraudFix[1]\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Privacy Mantra 2.02\privacymantra.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Messenger\msmsgs.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\james

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\james\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\james\FAVORI~1

C:\DOCUME~1\james\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="about:Home"
"SubscribedURL"="about:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{46f5a8b0-0b73-48c5-9e40-3c443a43c161}"="aht"

[HKEY_CLASSES_ROOT\CLSID\{46f5a8b0-0b73-48c5-9e40-3c443a43c161}\InProcServer32]
@="C:\WINDOWS\system32\muvdjo.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{46f5a8b0-0b73-48c5-9e40-3c443a43c161}\InProcServer32]
@="C:\WINDOWS\system32\muvdjo.dll"

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\__c0022315.dat"
"LoadAppInit_DLLs"=dword:00000001

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1A25A218-6EB7-4BA0-A455-E281D9D38A5F}: DhcpNameServer=192.168.1.254

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

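Added example, not part of the original thread and not SmitfraudFix's own code: a small Python parser for the section layout of the rapport.txt log in post #23, which pulls out the SharedTaskScheduler, AppInit_DLLs and Winlogon autostart values so they can be checked by hand. The function names are hypothetical, and the sample is an excerpt of that log with the forum's inserted line-wrap spaces removed.

```python
import re

# Excerpt of the rapport.txt log posted above (forum wrap spaces removed).
SAMPLE = r'''
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{46f5a8b0-0b73-48c5-9e40-3c443a43c161}"="aht"
[HKEY_CLASSES_ROOT\CLSID\{46f5a8b0-0b73-48c5-9e40-3c443a43c161}\InProcServer32]
@="C:\WINDOWS\system32\muvdjo.dll"
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\__c0022315.dat"
"LoadAppInit_DLLs"=dword:00000001
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
'''

SECTION = re.compile(r'^»+\s*([^»\s].*)$')      # "»»»» <section name>"
KEY = re.compile(r'^\[(HKEY_[^\]]+)\]$')         # "[HKEY_...\subkey]"
VALUE = re.compile(r'^(@|"[^"]*")=(.*)$')        # '"name"=data' or '@=data'

def parse_report(text):
    """Return (section, key, value_name, data) for every registry value line."""
    rows, section, key = [], None, None
    for line in map(str.strip, text.splitlines()):
        if m := SECTION.match(line):
            section, key = m.group(1), None
        elif m := KEY.match(line):
            key = m.group(1)
        elif key and (m := VALUE.match(line)):
            data = m.group(2).strip('"').replace('\\\\', '\\')
            rows.append((section, key, m.group(1).strip('"'), data))
    return rows

def review_items(rows):
    """Worklist of autostart entries to verify by hand, not a verdict."""
    # Map each CLSID to the DLL named in its InProcServer32 default value.
    dll = {k.split('\\')[-2].lower(): d for _, k, n, d in rows
           if n == '@' and k.lower().endswith('\\inprocserver32')}
    out = []
    for _, key, name, data in rows:
        if key.endswith('\\SharedTaskScheduler'):
            out.append(('SharedTaskScheduler', dll.get(name.lower(), name)))
        elif name == 'AppInit_DLLs' and data:  # loads wherever user32.dll loads
            out.append(('AppInit_DLLs', data))
        elif name == 'System' and key.endswith('\\Winlogon') and data:
            out.append(('Winlogon.System', data))
    return out
```

The empty Winlogon "System" value is skipped, so the worklist for this log holds only the SharedTaskScheduler DLL and the AppInit_DLLs file.
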
#24
You mentioned the Windows Messenger to be removed and I think I did, but it is still in my programs list on the Start menu. Is this right?

#25
The Windows Messenger if not used can be removed by this tool. Shoot The Messenger

There is also information on that page that tells why it is not wanted.

PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

You may want to print out these instructions as you will not be able to see this page in safe mode.

Please reboot your computer in Safe Mode by tapping the F8 key just before Windows starts to load and selecting Safe Mode. If you are having trouble starting the computer into Safe Mode : Starting your computer in Safe mode

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter. Wait for the tool to complete and disk cleanup to finish.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if your computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Now reboot into normal mode and attach this new rapport.txt log here.