Hi all,

Can someone help me with this? This is a bad one......


Hijack This

Logfile of HijackThis v1.99.1
Scan saved at 1:04:17 PM, on 8/25/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Documents and Settings\Tricia Davies\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk278DFCA
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potg_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com/PhotoUpload/MsnPUpld.cab?10,0,911,0
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
O20 - Winlogon Notify: satau320 - satau320.dll (file missing)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O21 - SSODL: zkwnfGH - {24131DEB-8EB9-B741-489C-60C65B9F91C7} - C:\WINDOWS\System32\wbpx.dll
O21 - SSODL: SKOEfobjU - {48F34538-E259-EF92-44E9-37F06E0FA56E} - C:\WINDOWS\System32\wbpx.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:24:59 AM 8/25/2006

+ Scan result:



C:\Documents And Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1122653960jtun_ensc1101.x03.full.zip/LUREGWMI.EXE -> Adware.Dm : No action taken.
C:\System Volume Information\_restore{3C1FB116-BB05-4FEB-AB70-82E205BBFE3A}\RP2\A0000020.exe -> Adware.Trymedia : No action taken.
C:\System Volume Information\_restore{3C1FB116-BB05-4FEB-AB70-82E205BBFE3A}\RP2\A0000011.dll -> Backdoor.Agent.adr : No action taken.
C:\System Volume Information\_restore{3C1FB116-BB05-4FEB-AB70-82E205BBFE3A}\RP2\A0000012.dll -> Backdoor.Agent.adr : No action taken.
C:\System Volume Information\_restore{3C1FB116-BB05-4FEB-AB70-82E205BBFE3A}\RP2\A0000013.dll -> Backdoor.Dumador.dg : No action taken.
C:\System Volume Information\_restore{3C1FB116-BB05-4FEB-AB70-82E205BBFE3A}\RP2\A0000014.exe -> Backdoor.Dumador.dg : No action taken.
C:\System Volume Information\_restore{3C1FB116-BB05-4FEB-AB70-82E205BBFE3A}\RP2\A0000015.dll -> Downloader.Banload.avj : No action taken.
C:\System Volume Information\_restore{3C1FB116-BB05-4FEB-AB70-82E205BBFE3A}\RP2\A0000017.exe -> Downloader.Small.cyb : No action taken.
C:\System Volume Information\_restore{3C1FB116-BB05-4FEB-AB70-82E205BBFE3A}\RP2\A0000016.exe -> Downloader.Tibs.fu : No action taken.
C:\WINDOWS\system32\satau325.sys -> Logger.Haxspy.ap : No action taken.
C:\Documents And Settings\Tricia Davies\Local Settings\Temp\2.dlb -> Not-A-Virus.Hoax.Win32.Renos.dz : No action taken.
C:\WINDOWS\xpupdate.exe -> Not-A-Virus.Hoax.Win32.Renos.dz : No action taken.
C:\WINDOWS\system32\wbpx.dll -> Proxy.Agent.df : No action taken.
[1060] C:\WINDOWS\System32\wbpx.dll -> Proxy.Agent.df : No action taken.
[620] C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll -> Trojan.Agent.oh : No action taken.
C:\System Volume Information\_restore{3C1FB116-BB05-4FEB-AB70-82E205BBFE3A}\RP2\A0000019.exe -> Trojan.Starter.e : No action taken.
C:\System Volume Information\_restore{3C1FB116-BB05-4FEB-AB70-82E205BBFE3A}\RP2\A0000018.exe -> Worm.Chiem.a : No action taken.


::Report end

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, August 25, 2006 12:56:55 PM
Operating System: Microsoft Windows XP Professional, (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 25/08/2006
Kaspersky Anti-Virus database records: 218327
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 34992
Number of viruses found: 11
Number of infected objects: 28 / 0
Number of suspicious objects: 2
Duration of the scan process: 00:57:59

Infected Object Name / Virus Name / Last Action
C:\Documents And Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC18.zip/winldra.exe Suspicious: Password-protected-EXE skipped
C:\Documents And Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC18.zip ZIP: suspicious - 1 skipped
C:\Documents And Settings\All Users\Application Data\Symantec\LiveUpdate\2006-08-25_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents And Settings\All Users\Documents\Settings\artm_new.dll Object is locked skipped
C:\Documents And Settings\All Users\Documents\Settings\polymorph.dll Object is locked skipped
C:\Documents And Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents And Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents And Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents And Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents And Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents And Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents And Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents And Settings\LogMeInRemoteUser\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents And Settings\LogMeInRemoteUser\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents And Settings\LogMeInRemoteUser\NTUSER.DAT Object is locked skipped
C:\Documents And Settings\LogMeInRemoteUser\ntuser.dat.LOG Object is locked skipped
C:\Documents And Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents And Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents And Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents And Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents And Settings\Tricia Davies\Cookies\index.dat Object is locked skipped
C:\Documents And Settings\Tricia Davies\Local Settings\Application Data\2bb1d0de.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\Documents And Settings\Tricia Davies\Local Settings\Application Data\b3b265fa.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\Documents And Settings\Tricia Davies\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents And Settings\Tricia Davies\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents And Settings\Tricia Davies\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents And Settings\Tricia Davies\Local Settings\Temp\15.tmp Infected: Trojan-Proxy.Win32.Xorpix.z skipped
C:\Documents And Settings\Tricia Davies\Local Settings\Temp\16.tmp Infected: Trojan-Proxy.Win32.Xorpix.z skipped
C:\Documents And Settings\Tricia Davies\Local Settings\Temp\1722\2236.exe Infected: Backdoor.Win32.Agent.adr skipped
C:\Documents And Settings\Tricia Davies\Local Settings\Temp\2.dlb Infected: not-virus:Hoax.Win32.Renos.dz skipped
C:\Documents And Settings\Tricia Davies\Local Settings\Temp\30561\2236.exe Infected: Backdoor.Win32.Agent.adr skipped
C:\Documents And Settings\Tricia Davies\Local Settings\Temp\h91746.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\Documents And Settings\Tricia Davies\Local Settings\Temp\Perflib_Perfdata_67c.dat Object is locked skipped
C:\Documents And Settings\Tricia Davies\Local Settings\Temp\~DF2946.tmp Object is locked skipped
C:\Documents And Settings\Tricia Davies\Local Settings\Temp\~DF77D.tmp Object is locked skipped
C:\Documents And Settings\Tricia Davies\Local Settings\Temporary Internet Files\Content.IE5\C1UFCXIB\scane[1].exe Infected: Packed.Win32.Tibs skipped
C:\Documents And Settings\Tricia Davies\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents And Settings\Tricia Davies\NTUSER.DAT Object is locked skipped
C:\Documents And Settings\Tricia Davies\ntuser.dat.LOG Object is locked skipped
C:\Program Files\LogMeIn\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Program Files\LogMeIn\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\System Volume Information\_restore{3C1FB116-BB05-4FEB-AB70-82E205BBFE3A}\RP2\A0000008.msi/data.cab/LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\System Volume Information\_restore{3C1FB116-BB05-4FEB-AB70-82E205BBFE3A}\RP2\A0000008.msi/data.cab/ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\System Volume Information\_restore{3C1FB116-BB05-4FEB-AB70-82E205BBFE3A}\RP2\A0000008.msi/data.cab Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\System Volume Information\_restore{3C1FB116-BB05-4FEB-AB70-82E205BBFE3A}\RP2\A0000008.msi Embedded: infected - 3 skipped
C:\System Volume Information\_restore{3C1FB116-BB05-4FEB-AB70-82E205BBFE3A}\RP2\A0000009.msi/data.cab/LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\System Volume Information\_restore{3C1FB116-BB05-4FEB-AB70-82E205BBFE3A}\RP2\A0000009.msi/data.cab/ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\System Volume Information\_restore{3C1FB116-BB05-4FEB-AB70-82E205BBFE3A}\RP2\A0000009.msi/data.cab Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\System Volume Information\_restore{3C1FB116-BB05-4FEB-AB70-82E205BBFE3A}\RP2\A0000009.msi Embedded: infected - 3 skipped
C:\System Volume Information\_restore{3C1FB116-BB05-4FEB-AB70-82E205BBFE3A}\RP5\A0000749.sys Infected: Trojan-Spy.Win32.Haxspy.ap skipped
C:\System Volume Information\_restore{3C1FB116-BB05-4FEB-AB70-82E205BBFE3A}\RP5\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\file3.exe Infected: Trojan-PSW.Win32.Sinowal.ae skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\2bb1d0de.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\WINDOWS\system32\b3b265fa.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\etc\hosts.20060824-230500.backup Infected: Trojan.Win32.Qhost.hl skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\WINDOWS\system32\taskdir.exe_tobedeleted Infected: Packed.Win32.Tibs skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\xpupdate.exe Infected: not-virus:Hoax.Win32.Renos.dz skipped
C:\WINDOWS\__delete_on_reboot__c_o_m_d_l_j_3_2_._d_l_l_ Infected: Trojan-Proxy.Win32.Agent.ji skipped

Scan process completed.

Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm (http://www.beyondlogic.org/consulting/processutil/processutil.htm)

Hi Illukka,

Thanks a lot for the reply. I have runned the program and am pasting the report bellow.

I must apologize, but I did not understand the "process.exe" issue. It's a command line program that replace the task manager if needed right? But is there any reason I should download it and install on this PC?

Once again thanks for the help.




SmitFraudFix v2.82

Scan done at 15:15:32.58, Wed 08/30/2006
Run from C:\Documents and Settings\Tricia Davies\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\xpupdate.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Tricia Davies\Application Data

C:\Documents and Settings\Tricia Davies\Application Data\Install.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\TRICIA~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

hi

the removal tool utilises process.exe, driven from the command line to stop malware processes during the fix, thats why its important ;)

anyway, lets fix it, as infection was found:

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download Ewido Anti-Malware (http://www.ewido.net/en/download/) it is a free version of the program.
Install Ewido Anti-Malware
When installing, under "Additional Options" uncheck..
Install background guard
Install scan via context menu

Launch Ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display ("Update successful")
Close Ewido for now.
==============

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
This program is for XP and Windows 2000 only
Close the program for now.
==================

Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
1) Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser : Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


2) Open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it does force a restart, please reboot into Safe Mode again, in order to complete the following step. If it does not reboot, please remain in Safe Mode until further notice.

3) Launch Ewido from your Desktop :
Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.
Close Ewido Anti-Malware.

4) Reboot your computer normally.

If SmitfraudFix did not force a reboot, then you should now see a text file appear onscreen with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Note : running option #2 on a non infected computer will remove your Desktop background.

5) Post the content of rapport.txt, the Ewido report and a new HijackThis! log in your next reply.


good luck :)

Done!!! Here are the logs


---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:09:28 PM 8/30/2006

+ Scan result:



C:\System Volume Information\_restore{3C1FB116-BB05-4FEB-AB70-82E205BBFE3A}\RP5\A0000749.sys -> Logger.Haxspy.ap : Cleaned.
C:\WINDOWS\system32\wbpx.dll -> Proxy.Agent.df : Cleaned.
[1628] C:\WINDOWS\System32\wbpx.dll -> Proxy.Agent.df : Cleaned.
C:\System Volume Information\_restore{3C1FB116-BB05-4FEB-AB70-82E205BBFE3A}\RP10\A0000803.dll -> Proxy.Agent.ji : Cleaned.
C:\System Volume Information\_restore{3C1FB116-BB05-4FEB-AB70-82E205BBFE3A}\RP10\A0000840.dll -> Proxy.Agent.ji : Cleaned.
C:\System Volume Information\_restore{3C1FB116-BB05-4FEB-AB70-82E205BBFE3A}\RP6\A0000770.exe -> Proxy.Agent.ji : Cleaned.
C:\WINDOWS\Temp\art8C3F.tmp -> Proxy.Agent.ji : Cleaned.
C:\WINDOWS\comdlj32.dll -> Proxy.Agent.ji : Cleaned.
C:\WINDOWS\system32\spoolsvv.exe -> Proxy.Agent.ji : Cleaned.
C:\WINDOWS\system32\taskdir.exe_tobedeleted -> Trojan.Small : Cleaned.


::Report end




SmitFraudFix v2.82

Scan done at 17:38:03.30, Wed 08/30/2006
Run from C:\Documents and Settings\Tricia Davies\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\xpupdate.exe Deleted
C:\Documents and Settings\Tricia Davies\Application Data\Install.dat Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"



»»»»»»»»»»»»»»»»»»»»»»»» End





Logfile of HijackThis v1.99.1
Scan saved at 7:12:38 PM, on 8/30/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Tricia Davies\Desktop\New Folder\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk278DFCA
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potg_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com/PhotoUpload/MsnPUpld.cab?10,0,911,0
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
O20 - Winlogon Notify: satau320 - satau320.dll (file missing)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O21 - SSODL: zkwnfGH - {24131DEB-8EB9-B741-489C-60C65B9F91C7} - C:\WINDOWS\System32\wbpx.dll
O21 - SSODL: SKOEfobjU - {48F34538-E259-EF92-44E9-37F06E0FA56E} - C:\WINDOWS\System32\wbpx.dll

hi

good work :bigthumb:

by chance did you scan for the hjt log while in safe mode?
if so could you do a new scan in normal mode, then post its results

a hjt log scanned i safe mode will now show everything and it looks like some items are mssing from it

thanks

Hi Illukka,


Sorry for the delay in answering you back. Rogers, my ISP in Canada, has blocked my internet connection due to continuous MX Server access request. They state that one of the PCs at my house has a virus.

Did you see anything on the logs that could relate to a worm that could be doing this? This computer is from a friend of mine who asked me to help him. Most of the other PCs on my network are failry protected, but you never know. My PC has ZoneAlarm Pro, Spyware Guard, Avast, cookie protection, spyware blaster, ewido.... The others have similar protection, a little less thou.

Anyways, thanks for all the help so far. I will try to get this resolved so I can get my net back and post the last log you asked me.


Vic.

hi

there may be a hidden virus of course, i trust all computers have an up-to-date antivirus installed ?
if not download a trial version of kaspersky antivirus from www.kaspersky.com
install, and do scans in safe mode, tell me if anything is detected ?

How is it going victorbrca

Hi Tashi & Illukka,


Sorry for the delay. I checked all computers at home and could not find anything... Got my internet running again.

The only problem is that now, the local area network connection on my friends computer is gone and I'm not able to install it again. For some reason when I uninstalled a program (nothing specific) on his computer, it disabled a whole bunch of services and I can't get it back. I've had to change the settings on many services because they were disabled, check if TCP/IP was running, between others, and I can't get it back. I have decided to format the whole drive and re-install everything again.

Once again I'd like to thanks for all the help you guys have given me, for the second time. It's still a little bit obscure how you guys can help so many ppl for nothing in exchange. I hope one day when I finish all my courses I can do the same to other ppl.

Great Job guys!!!!! You can close my topic.

Regards,

Victor.

Since the issue is resolved, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.