Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

log


  • Please log in to reply

#1
jser

jser

    New Member

  • Member
  • Pip
  • 1 posts
SmitFraudFix v2.162

Scan done at 2:10:25.29, Wed 04/04/2007
Run from C:\Documents and Settings\master\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\eEye Digital Security\Retina 5\Scanner\RetinaEngine.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\AOL\1153537647\ee\aolsoftware.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
c:\program files\common files\aol\1153537647\ee\aim6.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
c:\program files\common files\aol\1153537647\ee\anotify.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\oyopu.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\master


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\master\Application Data

C:\Documents and Settings\master\Application Data\Microsoft\Internet Explorer\Quick Launch\SpywareLocked 3.2.lnk FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\master\STARTM~1\SpywareLocked 3.2.lnk FOUND !
C:\DOCUME~1\master\STARTM~1\Programs\SpywareLocked FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\master\FAVORI~1

C:\DOCUME~1\master\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{df8c3aed-b58e-4bcb-96b3-aa1b7bbdbbd4}"="homina"

[HKEY_CLASSES_ROOT\CLSID\{df8c3aed-b58e-4bcb-96b3-aa1b7bbdbbd4}\InProcServer32]
@="C:\WINDOWS\System32\oyopu.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{df8c3aed-b58e-4bcb-96b3-aa1b7bbdbbd4}\InProcServer32]
@="C:\WINDOWS\System32\oyopu.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom 802.11b/g WLAN - Packet Scheduler Miniport
DNS Server Search Order:
DNS Server Search Order:

HKLM\SYSTEM\CCS\Services\Tcpip\..\{}: NameServer=
HKLM\SYSTEM\CS1\Services\Tcpip\..\{}: NameServer=
HKLM\SYSTEM\CS2\Services\Tcpip\..\{}: NameServer=


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

Advertisements


#2
Technical_1

Technical_1

    Visiting Staff

  • Member
  • PipPipPip
  • 735 posts
Hello jser and Welcome to G2G's Malware Forum.

Looks like you've definitely got smitfraud there. Let's get it and then a Hijack This Log to see what all we're dealing with.
  • Run Smitfraud
    • Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
    • Select option #2 - Clean by typing 2 and press Enter.
    • Wait for the tool to complete and disk cleanup to finish.
    • You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
    • The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll.
    • Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.
    • A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please
      do it yourself manually.
    • The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
  • Let's get a Hijack This log to analyze.
    • Create a new folder on your desktop and name it HJT.
    • Please follow this link to get Hijack This.
    • Save Hijack This to your newly created folder.
  • Let's get an Uninstall List from HijackThis:
    • Open HijackThis, click Config, click Misc Tools
    • Click "Open Uninstall Manager"
    • Click "Save List" (generates uninstall_list.txt)
    • Click Save, copy and paste the results in your next post.
  • Please re-open HiJackThis and scan and save a new log file.
  • Post Logs
    • Uninstall List
    • New Hijack This Log

Edited by Technical_1, 04 April 2007 - 07:01 PM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP