please help me with this [Smitfraud] #1

chintana
2006-10-04, 01:09
Hi... I think my computer is infected with spyware. Lots of windows keep popping up telling me to download stuff... will you please help me remove them? I've tried to install and scan for the virus and spyware as tashi said... and here are the logs... there are 2 more logs from HijackThis and SmitFraudFix but I cannot put them all here so I'll post another one.

4/10/2006 3:03:22 Downloaded update info file. (http://www.safer-networking.org/updates/spybotsd.ini)
4/10/2006 3:03:53 downloaded update Advanced detection library
4/10/2006 3:03:53 - URL: http://ftp.rz.tu-bs.de/pub/mirror/spybot.info/sbsdupdates/advcheck.zip
4/10/2006 3:03:53 - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\advcheck.zip
4/10/2006 3:06:58 downloaded update Detection rules
4/10/2006 3:06:58 - URL: http://ftp.rz.tu-bs.de/pub/mirror/spybot.info/sbsdupdates/includes.zip
4/10/2006 3:06:58 - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\includes.zip
4/10/2006 3:07:16 downloaded update Detection support library
4/10/2006 3:07:16 - URL: http://ftp.rz.tu-bs.de/pub/mirror/spybot.info/sbsdupdates/tools.zip
4/10/2006 3:07:16 - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\tools.zip
4/10/2006 3:07:31 downloaded update English descriptions
4/10/2006 3:07:31 - URL: http://ftp.rz.tu-bs.de/pub/mirror/spybot.info/sbsdupdates/desc.english.zip
4/10/2006 3:07:31 - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\desc.english.zip
4/10/2006 3:07:47 downloaded update English help
4/10/2006 3:07:47 - URL: http://ftp.rz.tu-bs.de/pub/mirror/spybot.info/sbsdupdates/help.english.zip
4/10/2006 3:07:47 - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\help.english.zip
4/10/2006 3:07:51 downloaded update English help for TeaTimer
4/10/2006 3:07:52 - URL: http://ftp.rz.tu-bs.de/pub/mirror/spybot.info/sbsdupdates/helpres.english.zip
4/10/2006 3:07:52 - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\helpres.english.zip
4/10/2006 3:07:54 downloaded update English language
4/10/2006 3:07:54 - URL: http://ftp.rz.tu-bs.de/pub/mirror/spybot.info/sbsdupdates/lang.english.zip
4/10/2006 3:07:54 - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\lang.english.zip
4/10/2006 3:08:35 downloaded update Immunization database
4/10/2006 3:08:35 - URL: http://ftp.rz.tu-bs.de/pub/mirror/spybot.info/sbsdupdates/clsid.zip
4/10/2006 3:08:35 - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\clsid.zip
4/10/2006 3:08:36 downloaded update Main skins
4/10/2006 3:08:36 - URL: http://ftp.rz.tu-bs.de/pub/mirror/spybot.info/sbsdupdates/skins.main.zip
4/10/2006 3:08:36 - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\skins.main.zip
4/10/2006 3:09:10 downloaded update Startup info
4/10/2006 3:09:10 - URL: http://ftp.rz.tu-bs.de/pub/mirror/spybot.info/sbsdupdates/startup.zip
4/10/2006 3:09:10 - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\startup.zip
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:36:56 4/10/2549

+ Scan result:



HKU\S-1-5-21-1708537768-764733703-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4508E20C-ACAD-11D2-9FC0-00550076E06F} -> Adware.2Search : Ignored.
C:\WINDOWS\aUxMdVNpb04\command.exe -> Adware.CommAd : Ignored.
HKLM\SOFTWARE\Effective-i -> Adware.EffectiveBrandToolbar : Ignored.
HKLM\SOFTWARE\Effective-i\TheSearchAccelerator -> Adware.EffectiveBrandToolbar : Ignored.
HKLM\SOFTWARE\Effective-i\TheSearchAccelerator\IE5 -> Adware.EffectiveBrandToolbar : Ignored.
HKU\S-1-5-21-1708537768-764733703-839522115-500\Software\Effective-i -> Adware.EffectiveBrandToolbar : Ignored.
HKU\S-1-5-21-1708537768-764733703-839522115-500\Software\Effective-i\TheSearchAccelerator -> Adware.EffectiveBrandToolbar : Ignored.
HKU\S-1-5-21-1708537768-764733703-839522115-500\Software\Effective-i\TheSearchAccelerator\IE5 -> Adware.EffectiveBrandToolbar : Ignored.
HKLM\SOFTWARE\Avenue Media -> Adware.InternetOptimizer : Ignored.
HKLM\SOFTWARE\Avenue Media\Internet Optimizer -> Adware.InternetOptimizer : Ignored.
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper -> Adware.InternetOptimizer : Ignored.
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper\cf1 -> Adware.InternetOptimizer : Ignored.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Adware.InternetOptimizer : Ignored.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Adware.InternetOptimizer : Ignored.
HKLM\SOFTWARE\Policies\Avenue Media -> Adware.InternetOptimizer : Ignored.
HKU\S-1-5-21-1708537768-764733703-839522115-500\Software\Avenue Media -> Adware.InternetOptimizer : Ignored.
HKU\S-1-5-21-1708537768-764733703-839522115-500\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : Ignored.
HKU\S-1-5-21-1708537768-764733703-839522115-500\Software\Policies\Avenue Media -> Adware.InternetOptimizer : Ignored.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CP63OXAV\Installer[1].exe -> Adware.Look2Me : Ignored.
C:\WINDOWS\system32\__delete_on_reboot__m_u_w_e_b_d_v_d_._d_l_l_ -> Adware.Look2Me : Ignored.
C:\WINDOWS\system32\aza8019ue.dll -> Adware.Look2Me : Ignored.
C:\WINDOWS\system32\dnr8019ue.dll -> Adware.Look2Me : Ignored.
C:\WINDOWS\system32\en08l1du1.dll -> Adware.Look2Me : Ignored.
C:\WINDOWS\system32\f4l0le3m1h.dll -> Adware.Look2Me : Ignored.
C:\WINDOWS\system32\fp0q03d5e.dll -> Adware.Look2Me : Ignored.
C:\WINDOWS\system32\fpp4037qe.dll -> Adware.Look2Me : Ignored.
C:\WINDOWS\system32\hrls0537e.dll -> Adware.Look2Me : Ignored.
C:\WINDOWS\system32\i424lefq1h2e.dll -> Adware.Look2Me : Ignored.
C:\WINDOWS\system32\ir6ql5j51.dll -> Adware.Look2Me : Ignored.
C:\WINDOWS\system32\irnul5591.dll -> Adware.Look2Me : Ignored.
C:\WINDOWS\system32\jtl2073oe.dll -> Adware.Look2Me : Ignored.
C:\WINDOWS\system32\jtn6075se.dll -> Adware.Look2Me : Ignored.
C:\WINDOWS\system32\jtr0079me.dll -> Adware.Look2Me : Ignored.
C:\WINDOWS\system32\k080lalm1dqa.dll -> Adware.Look2Me : Ignored.
C:\WINDOWS\system32\k4lq0e35eh.dll -> Adware.Look2Me : Ignored.
C:\WINDOWS\system32\kt04l7dq1.dll -> Adware.Look2Me : Ignored.
C:\WINDOWS\system32\kt40l7hm1.dll -> Adware.Look2Me : Ignored.
C:\WINDOWS\system32\ktlsl7371.dll -> Adware.Look2Me : Ignored.
C:\WINDOWS\system32\l02s0af7ed2.dll -> Adware.Look2Me : Ignored.
C:\WINDOWS\system32\m2460chsef460.dll -> Adware.Look2Me : Ignored.
C:\WINDOWS\system32\mv42l9ho1.dll -> Adware.Look2Me : Ignored.
C:\WINDOWS\system32\s2pu0c79ef.dll -> Adware.Look2Me : Ignored.
C:\WINDOWS\system32\wjsdmoe.dll -> Adware.Look2Me : Ignored.
[1640] C:\WINDOWS\system32\muwebdvd.dll -> Adware.Look2Me : Ignored.
[1712] C:\WINDOWS\system32\guard.tmp -> Adware.Look2Me : Ignored.
[1840] C:\WINDOWS\system32\guard.tmp -> Adware.Look2Me : Ignored.
C:\Documents and Settings\Administrator\Local Settings\Temp\mmxsnet.exe -> Adware.MediaMotor : Ignored.
C:\WINDOWS\amm06.ocx -> Adware.MediaMotor : Ignored.
C:\WINDOWS\unstall.exe -> Adware.MediaMotor : Ignored.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\media-motor -> Adware.MediaMotor : Ignored.
C:\Documents and Settings\Administrator\Application Data\Starware -> Adware.Starware : Ignored.
C:\Documents and Settings\Administrator\Application Data\Starware\Manager -> Adware.Starware : Ignored.
C:\Documents and Settings\Administrator\Application Data\Starware\Manager\ManagerOptions.xml -> Adware.Starware : Ignored.
C:\Documents and Settings\Administrator\Application Data\Starware\Manager\ManagerOptions.xml.backup -> Adware.Starware : Ignored.
C:\Documents and Settings\Administrator\Start Menu\Programs\UCmore - The Search Accelerator -> Adware.Ucmore : Ignored.
C:\Documents and Settings\Administrator\Start Menu\Programs\UCmore - The Search Accelerator\How To Uninstall.lnk -> Adware.Ucmore : Ignored.
C:\Documents and Settings\Administrator\Start Menu\Programs\UCmore - The Search Accelerator\UCmore - The Search Accelerator.lnk -> Adware.Ucmore : Ignored.
C:\Documents and Settings\Administrator\Start Menu\Programs\UCmore - The Search Accelerator\UCmore Tour.lnk -> Adware.Ucmore : Ignored.
C:\WINDOWS\system32\byxyyaa.dll -> Adware.Virtumonde : Ignored.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CP63OXAV\drsmartload45a[1].exe -> Downloader.Adload.fu : Ignored.
C:\Program Files\VoipDiscount.com\VoipDiscount\voipdiscount.exe -> Downloader.Agent.awf : Ignored.
C:\WINDOWS\optimize.exe -> Downloader.Dyfuca.ey : Ignored.
D:\Program Files\Act Of War - Direct Action\ACTOFWAR.EXE -> Heuristic.Win32.Backdoor.IrcBot : Ignored.
C:\Documents and Settings\Administrator\Local Settings\Temp\pre.exe -> Hijacker.VB.pg : Ignored.
C:\WINDOWS\Downloaded Program Files\USDR6_0001_D08M0404NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Ignored.
C:\Documents and Settings\Administrator\Local Settings\Temp\SystemDoctor2006FreeInstall.exe -> Not-A-Virus.Downloader.Win32.WinFixer.q : Ignored.
C:\Program Files\Network Monitor\netmon.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@122.2o7[1].txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@msnaccountservices.112.2o7[1].txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@msninvite.112.2o7[1].txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@primediabusiness.122.2o7[1].txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@2o7[2].txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@adbrite[2].txt -> TrackingCookie.Adbrite : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@stats.adbrite[1].txt -> TrackingCookie.Adbrite : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@admarketplace[1].txt -> TrackingCookie.Admarketplace : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[1].txt -> TrackingCookie.Adrevolver : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@media.adrevolver[1].txt -> TrackingCookie.Adrevolver : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@z1.adserver[1].txt -> TrackingCookie.Adserver : Ignored.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@advertising[1].txt -> TrackingCookie.Advertising : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> TrackingCookie.Atdmt : Ignored.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@atdmt[2].txt -> TrackingCookie.Atdmt : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[2].txt -> TrackingCookie.Burstnet : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@www.burstnet[2].txt -> TrackingCookie.Burstnet : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[1].txt -> TrackingCookie.Casalemedia : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@clickbank[2].txt -> TrackingCookie.Clickbank : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@cz4.clickzs[2].txt -> TrackingCookie.Clickzs : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt -> TrackingCookie.Com : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> TrackingCookie.Doubleclick : Ignored.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@doubleclick[1].txt -> TrackingCookie.Doubleclick : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wfkiuoc5seq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wfkounczegq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wflogld5cdo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wfmyolczwap.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wgkouidpmap.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6whkyahazocp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6whl4cgczalo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjkyggdzobp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjlicgajofq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjlicldjofp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjliugcpslq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjmiukdjsap.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjmygjc5clp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@sel.as-us.falkag[1].txt -> TrackingCookie.Falkag : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@media.fastclick[2].txt -> TrackingCookie.Fastclick : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@ads.gamershell[1].txt -> TrackingCookie.Gamershell : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@hypertracker[1].txt -> TrackingCookie.Hypertracker : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@max.i12[2].txt -> TrackingCookie.I12 : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@ivwbox[1].txt -> TrackingCookie.Ivwbox : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt -> TrackingCookie.Mediaplex : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@data2.perf.overture[2].txt -> TrackingCookie.Overture : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@data4.perf.overture[1].txt -> TrackingCookie.Overture : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@perf.overture[1].txt -> TrackingCookie.Overture : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@ads.planetactive[1].txt -> TrackingCookie.Planetactive : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@ads-205.quarterserver[1].txt -> TrackingCookie.Quarterserver : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt -> TrackingCookie.Questionmarket : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@web4.realtracker[1].txt -> TrackingCookie.Realtracker : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@revenue[2].txt -> TrackingCookie.Revenue : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@edge.ru4[2].txt -> TrackingCookie.Ru4 : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[2].txt -> TrackingCookie.Serving-sys : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@counter15.sextracker[1].txt -> TrackingCookie.Sextracker : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@counter5.sextracker[1].txt -> TrackingCookie.Sextracker : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@www.smartadserver[2].txt -> TrackingCookie.Smartadserver : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@h.starware[1].txt -> TrackingCookie.Starware : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@starware[2].txt -> TrackingCookie.Starware : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@try.starware[1].txt -> TrackingCookie.Starware : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[1].txt -> TrackingCookie.Statcounter : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[1].txt -> TrackingCookie.Tacoda : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@php.sales.tfag[2].txt -> TrackingCookie.Tfag : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@trafic[1].txt -> TrackingCookie.Trafic : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@reduxads.valuead[1].txt -> TrackingCookie.Valuead : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@vdn.valuead[2].txt -> TrackingCookie.Valuead : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@web-stat[2].txt -> TrackingCookie.Web-stat : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@yadro[2].txt -> TrackingCookie.Yadro : Ignored.
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Ignored.
C:\WINDOWS\Temp\Cookies\administrator@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Ignored.


::Report end

chintana
2006-10-04, 01:12
Here are 2 more logs.
SmitFraudFix v2.104

Scan done at 2:57:07.81, Wed 10/04/2006
Run from C:\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\drsmartload2.dat FOUND !
C:\WINDOWS\keyboard1.dat FOUND !
C:\WINDOWS\newname.dat FOUND !
C:\WINDOWS\teller2.chk FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" "


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Logfile of HijackThis v1.99.1
Scan saved at 4:45:53, on 4/10/2549
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENMY/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = iLLUSiON
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - _{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinic.exe,userinit.exe
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SpeedOptimizer] C:\PROGRA~1\SPEEDO~1\SPO.EXE -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [cmonitor] C:\Program Files\SystemDoctor 2006 Free\startupmon.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [VoipDiscount] "C:\Program Files\VoipDiscount.com\VoipDiscount\bak\voipdiscount.exe" -nosplash -minimized
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [VoipCheapCom] "C:\Program Files\VoipCheapCom\VoipCheapCom.exe" -nosplash -minimized
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-my\msntabres.dll.mui/229?04d06664b46c48548f3c5d3377eb52ce
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-my\msntabres.dll.mui/230?04d06664b46c48548f3c5d3377eb52ce
O8 - Extra context menu item: ส่&งออกไปยัง Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE (file missing)
O9 - Extra button: การวิจัย - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{318FDEAD-CE26-4763-840F-833C15C72450}: NameServer = 10.1.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\wpspdmod.dll
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\wzpasf.dll
O20 - Winlogon Notify: IME - C:\WINDOWS\system32\wzpasf.dll
O20 - Winlogon Notify: IntlRun - C:\WINDOWS\system32\wzpasf.dll
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\wpspdmod.dll
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\wpspdmod.dll
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\wzpasf.dll
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\wpspdmod.dll
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\wpspdmod.dll
O20 - Winlogon Notify: vtstr - C:\WINDOWS\system32\vtstr.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
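The F2 UserInit line and the O20 Winlogon Notify lines in the HijackThis log above are the entries a helper reads first. As an added example (not code from this thread, from HijackThis or from SmitFraudFix), the Python script below parses a handful of lines copied from that log and applies three triage heuristics: a UserInit value that is not the stock Windows XP path, one DLL registered under several Winlogon Notify subkeys, and Notify entries whose DLL is reported missing. The heuristics, the assumed default UserInit path and the sample lines are all assumptions and are labelled as such in the code.

```python
"""Triage helper for HijackThis v1.99.1 log lines (added example, not HijackThis code).

Heuristics (assumptions, not HijackThis rules):
  * F2 UserInit should contain only the stock XP userinit.exe path.
  * One DLL registered under several Winlogon Notify subkeys is worth a close look.
  * A Winlogon Notify entry marked "(file missing)" is a stale registration.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the log posted above plus one benign O23 line.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinic.exe,userinit.exe
O20 - AppInit_DLLs:
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\wpspdmod.dll
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\wzpasf.dll
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\wpspdmod.dll
O20 - Winlogon Notify: vtstr - C:\WINDOWS\system32\vtstr.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

# Assumption: the stock Windows XP UserInit value is this single full path (a trailing
# comma is normal). A bare "userinit.exe" is also flagged because it relies on path search.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

ENTRY_RE = re.compile(r"^([FRO]\d+)\s+-\s+(.*)$")
USERINIT_RE = re.compile(r"REG:system\.ini:\s*UserInit=(.*)$", re.IGNORECASE)
NOTIFY_RE = re.compile(r"Winlogon Notify:\s*(.+?)\s+-\s+(.+?)(\s+\(file missing\))?$")


def parse_entries(text):
    """Yield (section, body) for each HijackThis entry line; skip headers and blanks."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def check_userinit(body):
    """Return a finding string if the UserInit value is anything but the XP default."""
    m = USERINIT_RE.match(body)
    if not m:
        return None
    parts = [p.strip().lower() for p in m.group(1).split(",") if p.strip()]
    extra = [p for p in parts if p != DEFAULT_USERINIT]
    if not extra:
        return None
    return "F2 UserInit launches non-default program(s): " + ", ".join(extra)


def collect_winlogon_notify(entries):
    """Map each Winlogon Notify DLL (lowercased path) to the subkey names it is registered under.

    Returns (by_dll, missing) where missing lists (subkey, dll) pairs marked "(file missing)".
    """
    by_dll = defaultdict(list)
    missing = []
    for section, body in entries:
        if section != "O20":
            continue
        m = NOTIFY_RE.match(body)
        if not m:
            continue  # e.g. the "AppInit_DLLs:" O20 line
        subkey, dll, gone = m.group(1), m.group(2).lower(), m.group(3)
        if gone:
            missing.append((subkey, dll))
        else:
            by_dll[dll].append(subkey)
    return dict(by_dll), missing


def triage(text):
    """Run all heuristics over a log and return the findings as a list of strings."""
    entries = list(parse_entries(text))
    findings = []
    for section, body in entries:
        if section == "F2":
            finding = check_userinit(body)
            if finding:
                findings.append(finding)
    by_dll, missing = collect_winlogon_notify(entries)
    for dll, subkeys in sorted(by_dll.items()):
        if len(subkeys) > 1:
            findings.append(
                f"O20 {dll} registered under {len(subkeys)} Winlogon Notify subkeys: "
                + ", ".join(subkeys)
            )
    for subkey, dll in missing:
        findings.append(f"O20 stale Winlogon Notify '{subkey}' points at missing {dll}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

Run as-is it reports three findings for the sample: the UserInit line starting userinic.exe, wpspdmod.dll registered under two Notify subkeys, and the stale vtstr entry. The same grouping applied to the full log above shows wpspdmod.dll under five subkey names and wzpasf.dll under four, which is the pattern that makes those two files stand out even before any scanner names them.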

teacup61
2006-10-07, 07:44
Hello chintana,

Welcome to Safer Networking Forums :)

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

tashi
2006-10-13, 23:32
This topic is closed due to lack of a response.

If you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.