Okay, I have no idea what I have. All of the problems started last night while I was asleep. I'm a relatively light sleeper so when my computer made its critical error sound, I woke up, stumbled over, found out that I had been kicked offline and there was an alert that there had been an illegal operation done by C:\WINDOWS\Temp\win196~3.exe.

From time to time, my computer and router don't like the school's program Cisco Clean Access Agent which we have to use to access the computer's network, so I disconnected the router ran ipconfig/release and /renew cuz that normally fixes it. Didn't work and the error message popped up again.

I figured it was something wrong with my computer, so I reloaded a backup my computer makes nightly, and the problem kept happening.

So... I booted into safe mode and ran Spybot S&D, found a few general things, cleared em, ran Symantec, nothing came up, I figured I was in the clear, but I ran Hijack This anyways cuz it's worked for me in the past. I disabled any malware/start up files I wasn't familiar with and thought I was in the clear.

Restarted in normal mode, hopped on AIM and MSNM, no problems.

Ran to class, came back, everything was gravy. Started up Firefox... and then three errors popped up in a row.

C:\WINDOWS\TEMP\WIN38T~1.EXE window popped up, then an error message popped up,

16 bit MS-DOS Subsystem C:\WINDOWS\TEMP\WIN38T~1.exe
The NTVDM CPU has encountered an illegal instruction.
CS:0db7 IP:0116 OP: 65 63 75 72 69 Choose 'Close' to terminate the application.

Same thing for C:\WINDOWS\TEMP\WIN3AT~1.EXE and C:\WINDOWS\TEMP\WIN43T~1.EXE

Just as those popped up, Symantec ActiveScan popped up to tell me I had Trojan.Busky... so I started typing this out and then Adware.Spysheriff popped up as well... and literally THIS minute, a pretty obviously fake thing popped up that says there's spyware (coming from SpySheriff I'm pretty sure) on my computer... specifically "SpyWorm.Win32"... I know that that's a fake, but a RUNDLL error popped up saying the following

RUNDLL Error

Error loading C:\WINDOWS\system32\fmrmhc.dll

The specified module could not be found.



I have no idea what to do and am afraid to do anything at all... can someone help me out?

Thanks!

Note: I do have access to clean PCs in my uni's computer labs so... yep. Thanks!

Add:

I also just got back from rehearsal and booted up, and then I got a bunch of adware pop ups, got rid of them, and then found two processes that when i googled them they came up as malicious.

ishost.exe
ismini.exe

yep.

:fear:

Welcome to the forum, it appears you overlooked the information tashi has pinned to the top of the page for you.
UPDATED WINDOWS - Your first line of defence, links and tips
http://forums.spybot.info/showthread.php?t=425
"BEFORE you POST" -Preliminary Steps and scanning with SPYBOT-S&D
http://forums.spybot.info/showthread.php?t=288

From the items you posted today, sounds like you have a Smitfraud infections, that information is also posted for you, you may follow these instructions for starters.
follow the directions in this link: http://forums.spybot.info/showthread.php?t=4015 When you finish the instructions, post the three logs in this same topic using the "Post Reply" button.

Spybot-S&D: Be sure to follow the directions to save the scan report but do not post it here unless requested by a helper.

Thanks...pskelley
Safer Networking Forums

If you would like to let your thoughts be known about the lowlifes who put that junk on your computer, you can do that here:
If you have been infected by one of the SpyAxe family
http://forums.tomcoyote.org/index.php?showtopic=58063
http://www.malwarecomplaints.info/

Agh! My fault, I actually had done those logs, and then I just forgot to post them, I'm so sorry! Also, I do keep windows updated, otherwise Cisco Clean Access Agent won't let me connect to the network if my Windows isn't up to date.

I do have a question though... I clicked on the link you provided to the SmitfraudFix.zip file and this came up...

High security alert!!!

You are not permitted to download the file "SmitfraudFix.zip" because it is infected with the virus "Freeloa.385C4E5F".

URL = http://siri.urz.free.fr/Fix/SmitfraudFix.zip

File quarantined as: .
http://www.fortinet.com/VirusEncyclopedia/search/encyclopediaSearch.do?method=quickSearchDirectly&virusName=Freeloa.385C4E5F


umm... is it safe? I'm a bit anxious about downloading something after that comes up.


After you guys respond to me about downloading the SmitfraudFix file, I'll grab it, or not, and then run it and then run the AVD, until then, here's a fresh HiJack This log.

Sorry about the confusion!

Logfile of HijackThis v1.99.1
Scan saved at 11:31:24 AM, on 11/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\issearch.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Eric Dreier\Desktop\HT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.csbsju.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.7.0\ViewBarBHO.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.7.0\IEViewBar.dll
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\SafetyBar.dll
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvmuj.dll,startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://10.161.0.71/Webinstall/webinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: winaqc32 - C:\WINDOWS\SYSTEM32\winaqc32.dll
O21 - SSODL: boucicault - {0bad5052-665d-40d4-a9bd-a2891eaafb42} - C:\WINDOWS\system32\fmrmhc.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Here, download it right from the creators site:
http://siri.geekstogo.com/SmitfraudFix.php

Here is the disclaimer which is probably what is causing the message:

Note:
process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

The fix will not work without that .exe. I use this all of the time and often have to turn off the antivirus program to get it installed.

Make sure to follow the instructions as they are posted, do not run the fixes out of order.

Thanks

Okay, I thought maybe it was my computer that was creating that... but it appears the file isn't available anywhere... I hopped on a clean computer in the computer lab and went to the site, and the same thing popped up. Here are some screen shots.


http://students.csbsju.edu/eadreier/1.gif


http://students.csbsju.edu/eadreier/2.gif


http://students.csbsju.edu/eadreier/3.gif

I also tried downloading the file from the French site, but when I got it, the .zip was empty. Does anyone have the file on their computer? Otherwise I don't know what else to do. Everywhere else I've found the file, the same warning comes up.

Download:
Use this URL to download the latest version (the file contains both English and French versions):
http://siri.urz.free.fr/Fix/SmitfraudFix.zip <<< I can download it.

I really do not know what to say. You probably need to turn off whatever program is blocking it. Maybe you can contact your program provider (whatever one is blocking you from downloading it) Give them the information and the link and ask for instructions. Smitfraudfix is being used all over the world to remove that infection. Look at some of the other topics, topic after topic will show that fix being used.

Thanks

This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.