[Arkeytec]

Hello,

I was reading the post "Help-this malware won't go away" posted on Feb 28, 2008 because I have the same problem. I followed the first step of downloading and running Smitfaud.ext in safe mode. I don't know what to do next!?!? Thanks for your help.

Here is the report that came up in notepad after I ran it:

SmitFraudFix v2.300

Scan done at 21:16:28.35, Tue 03/04/2008
Run from C:\Documents and Settings\Frank\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8d8c2387-7f80-4022-9be6-43630a969558}"="carbinyl"

[HKEY_CLASSES_ROOT\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32]
@="C:\WINDOWS\system32\gwquvw.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32]
@="C:\WINDOWS\system32\gwquvw.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\764.exe Deleted
C:\WINDOWS\7search.dll Deleted
C:\WINDOWS\absolute key logger.lnk Deleted
C:\WINDOWS\aconti.exe Deleted
C:\WINDOWS\aconti.ini Deleted
C:\WINDOWS\aconti.log Deleted
C:\WINDOWS\aconti.sdb Deleted
C:\WINDOWS\acontidialer.txt Deleted
C:\WINDOWS\adbar.dll Deleted
C:\WINDOWS\cbinst$.exe Deleted
C:\WINDOWS\daxtime.dll Deleted
C:\WINDOWS\default.htm Deleted
C:\WINDOWS\dp0.dll Deleted
C:\WINDOWS\eventlowg.dll Deleted
C:\WINDOWS\fhfmm-Uninstaller.exe Deleted
C:\WINDOWS\fhfmm.exe Deleted
C:\WINDOWS\flt.dll Deleted
C:\WINDOWS\hcwprn.exe Deleted
C:\WINDOWS\hotporn.exe Deleted
C:\WINDOWS\iexplorr23.dll Deleted
C:\WINDOWS\ie_32.exe Deleted
C:\WINDOWS\jd2002.dll Deleted
C:\WINDOWS\kkcomp$.exe Deleted
C:\WINDOWS\kkcomp.dll Deleted
C:\WINDOWS\kkcomp.exe Deleted
C:\WINDOWS\kvnab$.exe Deleted
C:\WINDOWS\kvnab.dll Deleted
C:\WINDOWS\kvnab.exe Deleted
C:\WINDOWS\liqad$.exe Deleted
C:\WINDOWS\liqad.dll Deleted
C:\WINDOWS\liqad.exe Deleted
C:\WINDOWS\liqui-Uninstaller.exe Deleted
C:\WINDOWS\liqui.dll Deleted
C:\WINDOWS\liqui.exe Deleted
C:\WINDOWS\ngd.dll Deleted
C:\WINDOWS\pbar.dll Deleted
C:\WINDOWS\pbsysie.dll Deleted
C:\WINDOWS\settn.dll Deleted
C:\WINDOWS\spredirect.dll Deleted
C:\WINDOWS\vxddsk.exe Deleted
C:\WINDOWS\wbeCheck.exe Deleted
C:\WINDOWS\wbeInst$.exe Deleted
C:\WINDOWS\wml.exe Deleted
C:\WINDOWS\xadbrk.dll Deleted
C:\WINDOWS\xadbrk.exe Deleted
C:\WINDOWS\xadbrk_.exe Deleted
C:\WINDOWS\xxxvideo.exe Deleted
C:\WINDOWS\system32\ace16win.dll Deleted
C:\WINDOWS\system32\ESHOPEE.exe Deleted
C:\WINDOWS\system32\mgmrwmrv.exe Deleted
C:\WINDOWS\system32\msole32.exe Deleted
C:\WINDOWS\system32\vxddsk.exe Deleted
C:\WINDOWS\system32\winfrun32.bin Deleted
C:\WINDOWS\system32\wml.exe Deleted
C:\WINDOWS\system32\acespy\ Deleted
C:\Program Files\3721\ Deleted
C:\Program Files\Accoona\ Deleted
C:\Program Files\akl\ Deleted
C:\Program Files\amsys\ Deleted
C:\Program Files\e-zshopper\ Deleted
C:\Program Files\p2pnetworks\ Deleted
C:\Program Files\Video ActiveX Object\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{27A050DC-5D20-482B-9286-5BDC594275B4}: DhcpNameServer=167.206.245.130 167.206.245.129
HKLM\SYSTEM\CS1\Services\Tcpip\..\{27A050DC-5D20-482B-9286-5BDC594275B4}: DhcpNameServer=167.206.245.130 167.206.245.129
HKLM\SYSTEM\CS3\Services\Tcpip\..\{27A050DC-5D20-482B-9286-5BDC594275B4}: DhcpNameServer=167.206.245.130 167.206.245.129
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=167.206.245.130 167.206.245.129
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=167.206.245.130 167.206.245.129
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=167.206.245.130 167.206.245.129


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End