smitfrau-c toolbar888 plus more



rick_lv
2007-04-28, 19:55
I've been trying to uninstall malware and a trojan for a couple of days without success.

I've just finished running vundo.exe and removing the files found infected.
I downloaded smitfraudfix, ran it, and I'm enclosing the report so maybe someone can help with the next step.

Thanks so much in advance.

Rick

SmitFraudFix v2.171

Scan done at 10:44:22.50, Sat 04/28/2007
Run from C:\Documents and Settings\RICK\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\brsvc01a.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\brss01a.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\ups.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\RICK


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\RICK\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\RICK\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{90210579-D4AD-4A5D-98FF-671A234B00A9}: DhcpNameServer=172.28.1.2 172.28.1.4
HKLM\SYSTEM\CCS\Services\Tcpip\..\{DE8CB150-2ED0-4AEE-B01D-93F1C5A10C53}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{90210579-D4AD-4A5D-98FF-671A234B00A9}: DhcpNameServer=172.28.1.2 172.28.1.4
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DE8CB150-2ED0-4AEE-B01D-93F1C5A10C53}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{90210579-D4AD-4A5D-98FF-671A234B00A9}: DhcpNameServer=172.28.1.2 172.28.1.4
HKLM\SYSTEM\CS2\Services\Tcpip\..\{DE8CB150-2ED0-4AEE-B01D-93F1C5A10C53}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

pskelley
2007-04-28, 23:15
Welcome to Safer Networking. If you still need help and are not receiving it elsewhere, it appears you have missed some important instructions our administrator has posted at the top of the forum, especially this: "BEFORE you POST" Mandatory Steps Before Requesting Assistance
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please read and follow all instructions and post all required logs or reports; anything less will slow your process.
Use "Post Reply" to post the information in the instructions and stay in the same topic.

Hi Rick, I appreciate your efforts, but in order to see if I can help, I need the "Before you Post" instructions followed. You can wait on the online antivirus scan, I will let you know if I need it.

Smitfraudfix is showing nothing and you have not posted the Vundofix report for me to view. For starters, if you want me to try to help, post that Vundofix report (it should be in the Vundofix folder) and a HJT log.

Thanks

tashi
2007-05-03, 22:09
This topic has been closed to prevent others with similar issues posting in it.

If you need it re-opened, please send me a private message (pm) and provide a link to the thread. Applies only to the original poster; anyone else with similar problems, please start a new topic.