antivirusscherm/systemerrorfixer/pcprivacytool

[spobster]

Hi there,

hope you can help! I get pop-ups every few minutes including re-routing my browser; the more I do on the pc, the more pop-ups I seem to get. Messages are mainly from these websites: antivirusscherm/systemerrorfixer/pcprivacytool. Pop-ups include these kind of texts:

----------------------------------------------

NOTICE: If your computer has errors in the registry database or file system, it could cause upredictable or erratic behavior, freezes and crashes. Fixing these errors can increase your computer's performance and prevent data loss.

Would you like to install SystemErrorFixer to check your computer for free? (Recommended)

-----------------------------------------------

I performed total pre-post instructions. Down here you will find my hijack log I made exactly after first restart in normal mode and secondly the hijack log after the first pop-up. Thanks for helping!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:06:54, on 4-10-2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\ATKKBService.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\alertic.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe

C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [EPSON Stylus DX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE /P26 "EPSON Stylus DX3800 Series" /O6 "USB001" /M "Stylus DX3800"

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...130/mcfscan.cab

O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 7626 bytes

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:16:35, on 4-10-2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\ATKKBService.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\alertic.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [EPSON Stylus DX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE /P26 "EPSON Stylus DX3800 Series" /O6 "USB001" /M "Stylus DX3800"

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...130/mcfscan.cab

O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 7473 bytes

[JeanInMontana]

Hi there spobster, and welcome to Malwarebytes. The second log is the same as the first. A popup won't change that.

You can remove these lines with HJT, just run a scan only and put a check next to each item.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

Do you have Symantec, McAfee and Eset32 all installed? Or did you just download the Symantec and McAfee? If you have three AV programs installed pick one and make sure the other two are not running actively.

If you haven't already, please get these programs, update and run a complete scan removing all items found.

Spybot Search & Destroy Be sure to use the immunize feature.

AVG AntiSpyware Be sure to "take action"

Then go here and run a scan PandaActive Scan There is a full tutorial on how to to this at the top of this forum.

Post the logs from the Panda and AVG scans please, along with a new log from tHiJack This.

You will post three logs. 1. AVG scan. 2. Panda Active Scan. 3. HiJack This scan. You will finish the AVG first so go ahead and post that log, then move on to Panda and so forth.

I will analyze the logs and give you further instructions. Be patient and persistent. These things can take time and many procedures.

[spobster]

Was 2 days occupied with other stuff, and not at home. Now I can continue:

I have to admit that I already run a lot of scans and put a lot of effort in this by just googling. So I started without the ability to see properties of "my computer", without a "configuration screen" in my settings menu (start). I removed already some stuff that was infected, but at this stage I will only do exactly as you ask, and nothing more.

So, before registering @ Malwarebytes, I did run the online Symantec and McAfee scans, and I tried to use the McAfee anti-virus program, but I was not able to update my definitions, and after one restart of the pc, I could not run the program anymore (probably due to the malware on my pc, I read some things on the internet about that).

Ok, let's move on tho the scans:

Spybot, I already used before, but again it found stuff and I deleted it.

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

+ Created at: 22:05:51 6-10-2007

+ Scan result:

Nothing found.

::Report end

Working on Panda, but that is hard, because the malware is sometimes changing the rerouting my browser to another web-adress. Opening enough internet explorer windows should minimize the chance for this random effect, keeping my fingers crossed will come back with panda scan as soon as I am finished with it. Thanks!

[spobster]

Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Spobstertje\Bureaublad\Spyware etc\SmitfraudFix\Process.exe

Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Spobstertje\Bureaublad\Spyware etc\SmitfraudFix\Reboot.exe

Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Spobstertje\Bureaublad\Spyware etc\SmitfraudFix\restart.exe

Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Spobstertje\Bureaublad\Spyware etc\SmitfraudFix.exe

Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\SDFix\apps\Process.exe

Potentially unwanted tool:Application/ServUBased.A Not disinfected E:\Robberts documenten\Backup\Bureaublad.rar[serv-U\ServUDaemon.exe]

Potentially unwanted tool:Application/ServUBased.DU Not disinfected E:\Robberts documenten\Backup\Bureaublad.rar[serv-U\ServUTray.exe]

Potentially unwanted tool:Application/Processor Not disinfected E:\Robberts documenten\Nieuwe map\SDFix.exe[sDFix\apps\Process.exe]

Potentially unwanted tool:Application/Processor Not disinfected E:\Robberts documenten\Nieuwe map\SmitfraudFix\SmitfraudFix\Process.exe

Virus:Trj/Rebooter.J Disinfected E:\Robberts documenten\Nieuwe map\SmitfraudFix\SmitfraudFix\Reboot.exe

Potentially unwanted tool:Application/SuperFast Not disinfected E:\Robberts documenten\Nieuwe map\SmitfraudFix\SmitfraudFix\restart.exe

Potentially unwanted tool:Application/Processor Not disinfected E:\Robberts documenten\Nieuwe map\SmitfraudFix.zip[smitfraudFix/Process.exe]

Virus:Trj/Rebooter.J Disinfected E:\Robberts documenten\Nieuwe map\SmitfraudFix.zip[smitfraudFix/Reboot.exe]

Potentially unwanted tool:Application/SuperFast Not disinfected E:\Robberts documenten\Nieuwe map\SmitfraudFix.zip[smitfraudFix/restart.exe]

===========

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:49:08, on 6-10-2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Eset\nod32kui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\ATKKBService.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\alertic.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [EPSON Stylus DX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE /P26 "EPSON Stylus DX3800 Series" /O6 "USB001" /M "Stylus DX3800"

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...130/mcfscan.cab

O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 7845 bytes

[spobster]

The virusscanner (ESET32) gave this threat notification during my spybot search. Maybe you needed to know this.

Time Module Object Name Threat Action User Information

6-10-2007 21:08:40 AMON file C:\WINDOWS\svhjdsah.exe Win32/Small.RT trojan deleted SPOBSTER\Spobstertje Event occurred at an attempt to access the file by the application: C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe.

[spobster]

And maybe: The previous McAfee online scan (mentioned above) gave this result of viruses:

C:\WINDOWS\system32\printer.exe New Malware.bc

C:\WINDOWS\system32\vtr.dll FakeAlert-D

C:\WINDOWS\system32\winavxx.exe

I tried to download tools or I deleted the files, the files are not present anymore at my pc.

For the control panel loss (also mentioned above) I used SDFix.

[JeanInMontana]

When did you run Smitfraudfix? Do you have your system set to show hidden files and folders? If not please do.

Please set your system to show

all files; Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

I understand how frustrating it is for you to have these infections, but you can't continue running tools on your own. It just won't work and can end up doing damage to your system.

[spobster]

I have run Smitfraudfix before I asked for help, one week ago. As I mentioned before, at this moment I only do what you advice me to do, nothing less, nothing more. I understand the seriousness of the infection. Furthermore in my earlier efforts I also used FixVundo, RogueRemover, SpySweeper, AdAware, PeerGuardian, SpyWareBlaster and WindowsWasher.

I already had the system to show hidden files and folders.

[JeanInMontana]

Normally Smitfraudfix would have taken care of your problem. But maybe you had an old version. We will try again.

Print or Copy these instructions to notepad and save to your Desktoop as you will be offline with all browsers closed for this fix.

Download:

Use this URL to download the latest version (the file contains both English and French versions):

http://siri.urz.free.fr/Fix/SmitfraudFix.exe

* Double-click SmitfraudFix.exe

* Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt Be sure to post this log.

Clean:

* Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)

* Double-click SmitfraudFix.exe

* Select 2 and hit Enter to delete infect files.

* You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.

* The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.

* A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

* Optional:

o To restore Trusted and Restricted site zone, select 3 and hit Enter.

o You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.

Note:

process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

http://www.beyondlogic.org/consulting/proc...processutil.htm

[spobster]

I ran the Smitfraudfix-tool. Below are the reports before and after. After my restart in normal mode, I almost immediately got a Spybot note:

====

Spybot-S&Ds IE helper has detected an URL that is known as a malicious resource.

URL: java script:void(document.write('<html><head><title>Advertisement</title></head><body%20id="daplf3Child"%20leftmargin="0"%20topmargin="0"><script%20type="text/javascript">var%20inDapIF=true;window.setTimeout("document.close();",30000);</script><script%20language="JavaScript"%20type="text/javascript">\nord=1375947021;\ndocument.write(\'<script%20language="JavaScrip...

Identified as: /DoubleClick

====

I chose "Deny".

Before I made that choice the pop-ups appeared again, so Smitfraud seems not the solution. I added also a new hijack-log below the other logs.

And my home-page for internet has automatically changed to http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome (probably due to the Smitfraud-tool?)

And I keep getting the spybot-message.

SmitFraudFix v2.239

Scan done at 19:08:52,62, ma 08-10-2007

Run from C:\Documents and Settings\Spobstertje\Bureaublad\Spyware etc\Extra Spyware downloads\SmitfraudFix

OS: Microsoft Windows XP [versie 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode

[JeanInMontana]

Your not following directions. You have a smitfraud infection. Turn off the TeaTimer function in Spybot Search & Destroy.

Move Smitfraud to your desktop and follow the directions for how to run it read carefully, it must be run in safemode. Use two posts if needed to post the entire log.

[spobster]

By my knowledge, I exactly followed directions. I am sorry if I misunderstood something. I have run Smitfraud in safemode for the second and third option. I have moved Smitfraud to my desktop and did another run:

SmitFraudFix v2.239

Scan done at 23:07:58,40, ma 08-10-2007

Run from C:\Documents and Settings\Spobstertje\Bureaublad\SmitfraudFix

OS: Microsoft Windows XP [versie 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode

Edited October 10, 2007 by JeanInMontana
Remove scroll time...excess host file info

[spobster]

Edited October 10, 2007 by JeanInMontana
remove excess hosts info

[JeanInMontana]

OK, well SmitFraud isn't working. Be sure you have turned off T Timer in SB S&D. This can interfere with the fix.

Let's try this tool. http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe Save it to your desk top and double click to run. Be sure you don't click your mouse during the scan, as it can freeze the program. Post the log here for me to see.

[spobster]

ComboFix 07-10-09.3 - Spobstertje 2007-10-09 23:22:14.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.651 [GMT 2:00]

Gestart vanuit: C:\Documents and Settings\Spobstertje\Bureaublad\ComboFix.exe

* Nieuw herstelpunt werd aangemaakt

.

(((((((((((((((((((( Bestanden Gemaakt van 2007-09-09 to 2007-10-09 ))))))))))))))))))))))))))))))

.

2007-10-09 23:21 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-10-06 22:05 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

2007-10-06 21:34 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-10-01 22:32 <DIR> d-------- C:\mwav

2007-10-01 22:32 <DIR> d-------- C:\Downloads

2007-10-01 22:32 <DIR> d-------- C:\Bases

2007-10-01 21:41 <DIR> d-------- C:\Program Files\RogueRemover PRO

2007-10-01 19:51 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys

2007-10-01 19:51 298,104 --a------ C:\WINDOWS\system32\imon.dll

2007-10-01 19:51 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys

2007-10-01 18:23 <DIR> d-------- C:\Program Files\NoAdware5.0

2007-10-01 01:35 <DIR> d-------- C:\WINDOWS\ERUNT

2007-09-30 23:44 2,940 --a------ C:\WINDOWS\system32\tmp.reg

2007-09-30 22:37 335 --a------ C:\WINDOWS\nsreg.dat

2007-09-30 21:39 106,496 --a------ C:\WINDOWS\rtpmsi32.dll

2007-09-30 21:01 <DIR> d-------- C:\Program Files\McAfee

2007-09-30 20:59 <DIR> d-------- C:\Program Files\McAfee VirusScan Professional Edition 7.00 Retail

2007-09-30 19:06 <DIR> d--h----- C:\Documents and Settings\Administrator\Sjablonen

2007-09-30 19:06 <DIR> d--h----- C:\Documents and Settings\Administrator\Onlangs geopend

2007-09-30 19:06 <DIR> d--h----- C:\Documents and Settings\Administrator\Netwerkprinteromgeving

2007-09-30 19:06 <DIR> d-------- C:\Documents and Settings\Administrator\Mijn documenten

2007-09-30 19:06 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start

2007-09-30 19:06 <DIR> d-------- C:\Documents and Settings\Administrator\Favorieten

2007-09-30 19:06 <DIR> d-------- C:\Documents and Settings\Administrator\Bureaublad

2007-09-30 18:38 <DIR> d-------- C:\Program Files\SUPERAntiSpyware

2007-09-30 18:38 <DIR> d-------- C:\Documents and Settings\Spobstertje\Application Data\SUPERAntiSpyware.com

2007-09-30 18:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2007-09-30 18:34 <DIR> d-------- C:\Program Files\RogueRemover FREE

2007-09-30 18:09 <DIR> d-------- C:\WINDOWS\McAfee.com

2007-09-30 17:25 81,984 --a------ C:\WINDOWS\system32\bdod.bin

2007-09-30 17:13 <DIR> d-------- C:\Documents and Settings\Spobstertje\Application Data\WholeSecurity

2007-09-30 16:49 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys

2007-09-30 16:37 <DIR> d-------- C:\Documents and Settings\Spobstertje\.housecall6.6

2007-09-30 16:10 <DIR> d-------- C:\Program Files\Trend Micro

2007-09-30 16:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx

2007-09-30 14:52 <DIR> dr------- C:\Documents and Settings\LocalService\Favorieten

2007-09-30 14:33 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2007-09-30 14:32 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll

2007-09-30 14:14 <DIR> d-------- C:\Program Files\Washer

2007-09-30 14:14 44,032 --a------ C:\WINDOWS\unwash.exe

2007-09-30 14:12 <DIR> d-------- C:\Program Files\Webroot

2007-09-30 14:12 55,808 --a------ C:\WINDOWS\unSpySweeper.exe

2007-09-30 14:09 <DIR> d-------- C:\Program Files\SpywareBlaster

2007-09-30 13:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2007-09-30 13:23 <DIR> d-------- C:\Program Files\Lavasoft

2007-09-30 13:08 77,824 --------- C:\WINDOWS\system32\alertic.exe

2007-09-26 23:22 <DIR> d-------- C:\Documents and Settings\Spobstertje\Application Data\Sibelius Software

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-10-06 20:25 --------- d-----w C:\Program Files\iTunes

2007-10-06 08:20 36,904 -c--a-w C:\Documents and Settings\Spobstertje\Application Data\GDIPFONTCACHEV1.DAT

2007-10-05 17:13 --------- d-----w C:\Program Files\MSN Messenger

2007-10-01 19:41 2,014 ---h--r C:\WINDOWS\system32\drivers\hosts

2007-10-01 15:18 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-09-30 16:38 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\RPRSTITL.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\RPRSTEXT.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\RPRSSTMP.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\RPRSSPEC.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\RPRSSCRP.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\RPRSREH_.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\RPRSMET_.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\RPRSCHOR.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\RPRS____.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\OPUSTEXT.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\OPUSSE__.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\OPUSS___.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\OPUSROMC.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\OPUSPC__.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\OPUSP___.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\OPUSO___.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\OPUSNN__.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\OPUSM___.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\OPUSJAPC.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\OPUSFS__.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\OPUSFBE_.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\OPUSFB__.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\OPUSCSC_.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\OPUSCS__.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\OPUSC___.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\OPUS____.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\INKPEN2_.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\INK2TEXT.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\INK2SPEC.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\INK2SCRI.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\INK2METR.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\INK2CHOR.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\HELST___.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\HELSS___.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\HELSM___.FOT

2007-09-26 21:22 1,409 ----a-w C:\WINDOWS\Fonts\HELSINKI.FOT

2007-09-16 10:48 --------- d-----w C:\Program Files\Common Files\Ahead

2007-09-01 14:43 1,787 ----a-w C:\Documents and Settings\Spobstertje\tp.dat

2007-09-01 14:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Visual Reality

2007-08-31 18:44 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT

2007-08-26 19:40 --------- d-----w C:\Program Files\IsoBuster

2007-08-21 12:54 --------- d-----w C:\Documents and Settings\Spobstertje\Application Data\Google

2007-08-21 12:53 --------- d-----w C:\Program Files\Google

2007-08-10 02:21 8,043,520 ----a-w C:\Documents and Settings\Spobstertje\ttp.exe

2007-08-10 02:17 692,648 ----a-w C:\Documents and Settings\Spobstertje\tpsys.dat

2007-07-30 08:20 507,392 ----a-w C:\Documents and Settings\Spobstertje\XTPConn.dll

2007-07-30 08:20 494,080 ----a-w C:\Documents and Settings\Spobstertje\XTPC2S.dll

2003-07-09 14:13 388,096 ----a-w C:\Documents and Settings\Spobstertje\VRUpdate.exe

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 C:\WINDOWS\SkyTel.exe]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 11:22]

"nwiz"="nwiz.exe" [2006-06-01 11:22 C:\WINDOWS\system32\nwiz.exe]

"NvMediaCenter"="NvMCTray.dll" [2006-06-01 11:22 C:\WINDOWS\system32\nvmctray.dll]

"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 18:32]

"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 03:12]

"EPSON Stylus DX3800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.exe" [2005-02-08 06:00]

"NWEReboot"="" []

"RTHDCPL"="RTHDCPL.EXE" [2006-09-06 05:44 C:\WINDOWS\RTHDCPL.EXE]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]

"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-01 20:01]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:03]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-07-03 21:25]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservicesonce]

"washindex"=C:\Program Files\Washer\washidx.exe

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\

Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-01-23 23:41:24]

Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-25 01:01:32]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04]

NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2007-05-21 16:37:44]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys

R2 Winalert;Windows Alert Service;C:\WINDOWS\System32\alertic.exe -srv

R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys

*Newly Created Service* - CATCHME

.

**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-10-09 23:23:30

Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond

verborgen bestanden: 0

**************************************************************************

.

Voltooingstijd: 2007-10-09 23:23:56

.

--- E O F ---

[spobster]

Before Smitfraud I indeed turned off TeaTimer as follows: "Tools" > "Resident" > "Resident protection status" > tick off both options (Resident "SDHelper" (Internet Explorer bad download blocker) active. / Resident "TeaTimer" (Protection of over-all system settings) active.)

I hope this was the right way to turn off TeaTimer.

And I did run the ComboFix tool in Normal Mode.

Pop-ups are still appearing, did not perform restart.

[JeanInMontana]

Hi again. You can leave the IE download protection, it's just Tea Timer that may stop changes to the system that we need to happen. I also took out all the host file stuff from the CF log. I didn't understand what you meant when you said it was too long... hehe it will make it easier to follow the thread.

Now I am not sure if there is a language choice in CF I think part of your log is in German. I'm not sure, but I don't speak/read the language that is in parts of the log. I can see things we still need to fix.

Please, uninstall NoAdware if it is present. I would also uninstall SpySweeper, it has started adding adware to the program.

Please download this file Author: Option^Explicit

License: Freeware KillBox Download Link http://download.bleepingcomputer.com/spyware/KillBox.exe

Operating System: Windows

File Description:

Pocket KillBox is a program that can be used to get rid of files that stubbornly refuse to allow you to delete them.

Usage Information:

Download this file and run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, allow it to do so, and hopefully your file will now be deleted.

C:\WINDOWS\System32\alertic.exe <==== get that file and post a new HJT log please. Let me know if symptoms are better, worse etc.

I'm leaving town in the morning and will have internet access but not til evening. Just so you don't think your abandoned.

[spobster]

I am from the Netherlands, and I have the dutch Windows system installed. I thought that the notes in the ComboFix log were not important enough to translate (that you would understand without knowing the translation).

I think the NoAdware program was not installed anymore, I deleted the folder called NoAdware (with one file). I uninstalled SpySweeper.

Just for your information: in SafeMode there were never popups, that's maybe standard, but I was surprised

The good news: the alertic file is gone, and I don't have any popups anymore until now!!! I hope my computer is (almost) clean now. Thanks a lot already!!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 0:31:05, on 11-10-2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\ATKKBService.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/ig?hl=nl

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [EPSON Stylus DX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE /P26 "EPSON Stylus DX3800 Series" /O6 "USB001" /M "Stylus DX3800"

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...130/mcfscan.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing)

--

End of file - 7531 bytes

[JeanInMontana]

I was fairly sure of the CF logs from the location of items, but these operations can also cause damage and I stay away from guessing. LOL Malware does strange things also I had to check.

I think we have made good progress. This is a new and not well detected version you managed to get. Please run HJT again and put a check next to these items:

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')

O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing) <====clean up

Is the Adobe distiller program updated? It is version 7 and Adobe is at 8.

If your feeling everything is cleaned up there is a final step.

We need to now reset a clean System Restore point. If you don't and you need to use System Restore you will reinfect yourself. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK.

Now go to Start>Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on what ever will open the System Restore box. You will see two options, Choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it.

Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenol. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program AVG is good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use.

A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient.

Preform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.

SpywareBlaster from Javacool Software

WinPatrol by BillPStudios

SiteHound by FireTrust

RogueRemover

hpHosts

For an excellent list of reliable free firewalls and antivirus programs see here .

It would also be a good idea to run the disk error checker and then do a defragmentation. These infections make a mess of the entire system.

[spobster]

Hi Jean, thanks for all your help. I am really greatful. I have extra protected my pc and gave my girlfriend better instructions I didn't updat Adobe programs, because they are working fine for my goals. Could you please tell me, you think that I got a variant of the SmitFraud? I would like to know to report @ Malware Complaints.

Can I also delete the folders from Killbox, e-Scan and ComboFix in the C-root?

After fixing the three Hijack items, the next Hijack log still contains the

O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing)

Do I have to take another action?

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:03:45, on 11-10-2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\ATKKBService.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe

C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/ig?hl=nl

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [EPSON Stylus DX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE /P26 "EPSON Stylus DX3800 Series" /O6 "USB001" /M "Stylus DX3800"

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...130/mcfscan.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing)

--

End of file - 6892 bytes

[JeanInMontana]

I'm glad to help. You did/do have Smitfraud, it is a new version, because as we know, the normal removal procedures did not work. You are not alone in this I have just finished with another victim with the same thing.

Yes you should delete the programs you mention.

You need to update Acrobat because it is a risk. It has nothing to do with how the program works for you, it is a means of getting infected again. It is in a tool bar for IE and that means your at risk. Which brings me to IE and this:

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory is this where you have IE? If so I suggest you move it to program files.

Let's get this program and go after that stubborn file.

Author: Option^Explicit Download Location

License: Freeware KillBox Download Link http://download.bleepingcomputer.com/spyware/KillBox.exe

Operating System: Windows

File Description:

Pocket KillBox is a program that can be used to get rid of files that stubbornly refuse to allow you to delete them.

Usage Information:

Download this file and run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, allow it to do so, and hopefully your file will now be deleted.

C:\WINDOWS\System32\alertic.exe That is the file name and path you should put in the program. After the reboot run HJT again and if it is gone move on to this last step blow.

We need to now reset a clean System Restore point. If you don't and you need to use System Restore you will reinfect yourself. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK.

Now go to Start>Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on what ever will open the System Restore box. You will see two options, Choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it.

Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenol. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program AVG is good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use.

A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient.

Preform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.

SpywareBlaster from Javacool Software

WinPatrol by BillPStudios

SiteHound by FireTrust

RogueRemover

hpHosts

For an excellent list of reliable free firewalls and antivirus programs see here

Edited October 12, 2007 by JeanInMontana
To correct infecgtion name. Been a long day for me.

[JeanInMontana]

Since this topic has been resolved it will now be closed..

Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic.