[jser]

SmitFraudFix v2.162

Scan done at 2:10:25.29, Wed 04/04/2007
Run from C:\Documents and Settings\master\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\eEye Digital Security\Retina 5\Scanner\RetinaEngine.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\AOL\1153537647\ee\aolsoftware.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
c:\program files\common files\aol\1153537647\ee\aim6.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
c:\program files\common files\aol\1153537647\ee\anotify.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\oyopu.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\master


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\master\Application Data

C:\Documents and Settings\master\Application Data\Microsoft\Internet Explorer\Quick Launch\SpywareLocked 3.2.lnk FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\master\STARTM~1\SpywareLocked 3.2.lnk FOUND !
C:\DOCUME~1\master\STARTM~1\Programs\SpywareLocked FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\master\FAVORI~1

C:\DOCUME~1\master\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{df8c3aed-b58e-4bcb-96b3-aa1b7bbdbbd4}"="homina"

[HKEY_CLASSES_ROOT\CLSID\{df8c3aed-b58e-4bcb-96b3-aa1b7bbdbbd4}\InProcServer32]
@="C:\WINDOWS\System32\oyopu.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{df8c3aed-b58e-4bcb-96b3-aa1b7bbdbbd4}\InProcServer32]
@="C:\WINDOWS\System32\oyopu.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom 802.11b/g WLAN - Packet Scheduler Miniport
DNS Server Search Order:
DNS Server Search Order:

HKLM\SYSTEM\CCS\Services\Tcpip\..\{}: NameServer=
HKLM\SYSTEM\CS1\Services\Tcpip\..\{}: NameServer=
HKLM\SYSTEM\CS2\Services\Tcpip\..\{}: NameServer=


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

[Advertisements]

Hello jser and Welcome to G2G's Malware Forum.

Looks like you've definitely got smitfraud there. Let's get it and then a Hijack This Log to see what all we're dealing with.

• Run Smitfraud
  • Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
  • Select option #2 - Clean by typing 2 and press Enter.
  • Wait for the tool to complete and disk cleanup to finish.
  • You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
  • The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll.
  • Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.
  • A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please
    do it yourself manually.
  • The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
• Let's get a Hijack This log to analyze.
  • Create a new folder on your desktop and name it HJT.
  • Please follow this link to get Hijack This.
  • Save Hijack This to your newly created folder.
• Let's get an Uninstall List from HijackThis:
  • Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.
• Please re-open HiJackThis and scan and save a new log file.
• Post Logs
  • Uninstall List
  • New Hijack This Log

Edited by Technical_1, 04 April 2007 - 07:01 PM.

[Technical_1]

Hello jser and Welcome to G2G's Malware Forum.

Looks like you've definitely got smitfraud there. Let's get it and then a Hijack This Log to see what all we're dealing with.

• Run Smitfraud
  • Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
  • Select option #2 - Clean by typing 2 and press Enter.
  • Wait for the tool to complete and disk cleanup to finish.
  • You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
  • The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll.
  • Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.
  • A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please
    do it yourself manually.
  • The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
• Let's get a Hijack This log to analyze.
  • Create a new folder on your desktop and name it HJT.
  • Please follow this link to get Hijack This.
  • Save Hijack This to your newly created folder.
• Let's get an Uninstall List from HijackThis:
  • Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.
• Please re-open HiJackThis and scan and save a new log file.
• Post Logs
  • Uninstall List
  • New Hijack This Log

Edited by Technical_1, 04 April 2007 - 07:01 PM.