Windows has detected spyware infection [RESOLVED]



#16
LittleDot

  • Topic Starter
  • Member
  • 18 posts
Hi

Here's the ComboFix log. Sorry for the delay, but I had to download the Java from another laptop on a memory stick for Kaspersky, as I kept getting a 'Page cannot be displayed' message:

ComboFix 08-08-28.04 - Julie 2008-08-29 18:10:10.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.237 [GMT 1:00]
Running from: C:\Documents and Settings\Julie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Julie\Desktop\CFScript.txt
* Created a new restore point

FILE ::
4C:\WINDOWS\system32\ujolidedyl.ban
.

((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
.

2008-08-29 07:51 . 2008-08-29 07:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-29 07:51 . 2008-08-29 07:51 <DIR> d-------- C:\Documents and Settings\Julie\Application Data\Malwarebytes
2008-08-29 07:51 . 2008-08-29 07:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-29 07:51 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-29 07:51 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-28 22:21 . 2008-08-28 22:21 <DIR> d-------- C:\WINDOWS\LastGood
2008-08-24 18:11 . 2008-08-29 18:03 11,289 --a------ C:\WINDOWS\system32\nvModes.001
2008-08-24 18:10 . 2008-08-29 18:03 11,289 --a------ C:\WINDOWS\system32\nvModes.dat
2008-08-24 09:59 . 2008-08-24 18:10 <DIR> d-------- C:\WINDOWS\nview
2008-08-24 09:59 . 2004-10-26 12:01 176,128 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-08-24 09:59 . 2004-10-26 12:01 13,866 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-08-23 20:54 . 2008-04-11 19:50 683,520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-23 20:54 . 2008-05-01 15:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-23 20:54 . 2008-06-13 14:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-23 08:39 . 2008-08-23 08:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-23 00:58 . 2008-08-23 00:58 <DIR> d-------- C:\Program Files\Windows Defender
2008-08-23 00:42 . 2008-08-23 00:55 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-08-23 00:35 . 2008-08-23 00:35 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-23 00:26 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002470_.tmp
2008-08-23 00:14 . 2008-08-23 00:14 <DIR> d-------- C:\WINDOWS\EHome
2008-08-22 23:47 . 2008-08-22 23:49 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-22 23:47 . 2008-08-23 00:55 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-22 23:47 . 2005-08-25 19:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-08-22 23:46 . 2008-08-29 07:50 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SACore
2008-08-22 23:45 . 2008-08-22 23:45 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-08-22 23:45 . 2008-08-22 23:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-08-22 23:43 . 2008-08-28 22:21 <DIR> d-------- C:\Program Files\McAfee
2008-08-22 23:43 . 2008-08-22 23:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-08-22 23:36 . 2008-08-24 10:02 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-08-22 23:36 . 2005-02-25 04:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-08-22 23:35 . 2008-08-22 23:35 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-22 23:35 . 2008-08-24 10:01 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-08-22 23:34 . 2004-08-04 00:56 438,784 --------- C:\WINDOWS\system32\xpob2res.dll
2008-08-22 23:34 . 2004-08-04 00:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2008-08-22 23:34 . 2004-08-04 00:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-08-22 23:34 . 2004-08-04 00:56 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2008-08-22 23:34 . 2004-08-04 00:56 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2008-08-22 23:04 . 2008-08-22 23:04 <DIR> d-------- C:\Program Files\CCleaner
2008-08-22 22:58 . 2008-08-22 22:58 <DIR> d-------- C:\!KillBox
2008-08-22 22:18 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-08-22 22:18 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-08-22 22:18 . 2008-08-21 23:41 87,552 --a------ C:\WINDOWS\system32\AntiXPVSTFix.exe
2008-08-22 22:18 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-08-22 22:18 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-08-22 22:18 . 2008-08-14 21:52 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-08-22 22:18 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-08-22 22:18 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-08-22 22:18 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-08-22 22:18 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-08-22 22:06 . 2008-08-22 22:16 <DIR> d-------- C:\Program Files\ewido anti-spyware 4.0
2008-08-22 18:05 . 2008-08-22 18:05 19,409 --a------ C:\WINDOWS\system32\ujolidedyl.ban
2008-08-22 18:05 . 2008-08-22 18:05 18,522 --a------ C:\WINDOWS\system32\ugohinol.db
2008-08-22 18:05 . 2008-08-22 18:05 17,640 --a------ C:\WINDOWS\ufimyjybez.inf
2008-08-22 18:05 . 2008-08-22 18:05 17,482 --a------ C:\WINDOWS\mopafan.dat
2008-08-22 18:05 . 2008-08-22 18:05 16,475 --a------ C:\WINDOWS\enydefov.lib
2008-08-22 18:05 . 2008-08-22 18:05 15,906 --a------ C:\WINDOWS\ylegapytil.ban

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-20 21:01 50,176 ----a-w C:\WINDOWS\system32\dcrick.dll
2008-07-20 20:42 50,176 ----a-w C:\WINDOWS\system32\ritz8.dll
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
.

((((((((((((((((((((((((((((( snapshot_2008-08-28_ 7.50.14.54 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:56 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28 684032]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"!ewido"="C:\Program Files\ewido anti-spyware 4.0\ewido.exe" [2008-08-22 22:15 6283264]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-10-26 12:01 4632576]
"nwiz"="nwiz.exe" [2004-10-26 12:01 921600 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2008-07-23 18:52]
S2 0035301219958581mcinstcleanup;McAfee Application Installer Cleanup (0035301219958581);C:\WINDOWS\TEMP\003530~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []
.
Contents of the 'Scheduled Tasks' folder

2008-08-29 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 18:11:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\McAfee\SiteAdvisor\saHook.dll
.
Completion time: 2008-08-29 18:12:28
ComboFix-quarantined-files.txt 2008-08-29 17:12:24
ComboFix2.txt 2008-08-29 06:48:35
ComboFix3.txt 2008-08-28 21:30:42
ComboFix4.txt 2008-08-28 06:50:37
ComboFix5.txt 2008-08-29 17:09:34

Pre-Run: 25,242,542,080 bytes free
Post-Run: 25,238,323,200 bytes free

137 --- E O F --- 2008-08-26 21:45:18


......and here's the Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, August 29, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, August 29, 2008 17:15:08
Records in database: 1163294
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 25248
Threat name: 5
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 00:35:25


File name / Threat name / Threats count
C:\Documents and Settings\Julie\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\olwjmfyd\gnufypgh.exe.vir Infected: Trojan-Downloader.Win32.Agent.acnm 1
C:\QooBox\Quarantine\C\WINDOWS\system32\dllcache\beep.sys.vir Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm 1
C:\QooBox\Quarantine\C\WINDOWS\system32\lbbd32.dll.vir Infected: Trojan-Downloader.Win32.BHO.me 1
C:\WINDOWS\system32\dcrick.dll Infected: Trojan-Spy.Win32.Banker.pcl 1
C:\WINDOWS\system32\ritz8.dll Infected: Trojan-Spy.Win32.Banker.pcl 1

The selected area was scanned.
  • 0


#17
Stamper19

  • Expert
  • 1,992 posts
Hi LittleDot,

It seems like there may have been some mistake in running the ComboFix script in the previous step due to an error on my part (sorry!). Let's try it again.


We are going to use ComboFix to delete some things.

  • Copy the entire contents of the Code Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
File::
C:\WINDOWS\system32\ujolidedyl.ban
C:\WINDOWS\system32\ugohinol.db
C:\WINDOWS\ufimyjybez.inf
C:\WINDOWS\mopafan.dat
C:\WINDOWS\enydefov.lib
C:\WINDOWS\ylegapytil.ban
C:\WINDOWS\system32\ritz8.dll
C:\WINDOWS\system32\dcrick.dll

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.
  • 0

#18
LittleDot

  • Topic Starter
  • Member
  • 18 posts
OK, no problem.

ComboFix 08-08-28.04 - Julie 2008-08-30 0:40:30.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.237 [GMT 1:00]
Running from: C:\Documents and Settings\Julie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Julie\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\enydefov.lib
C:\WINDOWS\mopafan.dat
C:\WINDOWS\system32\dcrick.dll
C:\WINDOWS\system32\ritz8.dll
C:\WINDOWS\system32\ugohinol.db
C:\WINDOWS\system32\ujolidedyl.ban
C:\WINDOWS\ufimyjybez.inf
C:\WINDOWS\ylegapytil.ban
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\enydefov.lib
C:\WINDOWS\mopafan.dat
C:\WINDOWS\system32\dcrick.dll
C:\WINDOWS\system32\ritz8.dll
C:\WINDOWS\system32\ugohinol.db
C:\WINDOWS\system32\ujolidedyl.ban
C:\WINDOWS\ufimyjybez.inf
C:\WINDOWS\ylegapytil.ban

.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
.

2008-08-29 19:14 . 2008-08-29 19:14 <DIR> d-------- C:\WINDOWS\Sun
2008-08-29 19:11 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-29 19:10 . 2008-08-29 19:11 <DIR> d-------- C:\Program Files\Java
2008-08-29 19:10 . 2008-08-29 19:10 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-29 07:51 . 2008-08-29 07:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-29 07:51 . 2008-08-29 07:51 <DIR> d-------- C:\Documents and Settings\Julie\Application Data\Malwarebytes
2008-08-29 07:51 . 2008-08-29 07:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-29 07:51 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-29 07:51 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-24 18:11 . 2008-08-30 00:35 11,289 --a------ C:\WINDOWS\system32\nvModes.001
2008-08-24 18:10 . 2008-08-29 19:02 11,289 --a------ C:\WINDOWS\system32\nvModes.dat
2008-08-24 09:59 . 2008-08-24 18:10 <DIR> d-------- C:\WINDOWS\nview
2008-08-24 09:59 . 2004-10-26 12:01 176,128 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-08-24 09:59 . 2004-10-26 12:01 13,866 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-08-23 20:54 . 2008-04-11 19:50 683,520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-23 20:54 . 2008-05-01 15:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-23 20:54 . 2008-06-13 14:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-23 08:39 . 2008-08-23 08:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-23 00:58 . 2008-08-23 00:58 <DIR> d-------- C:\Program Files\Windows Defender
2008-08-23 00:42 . 2008-08-23 00:55 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-08-23 00:35 . 2008-08-23 00:35 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-23 00:26 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002470_.tmp
2008-08-23 00:14 . 2008-08-23 00:14 <DIR> d-------- C:\WINDOWS\EHome
2008-08-22 23:47 . 2008-08-22 23:49 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-22 23:47 . 2008-08-23 00:55 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-22 23:47 . 2005-08-25 19:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-08-22 23:46 . 2008-08-29 07:50 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SACore
2008-08-22 23:45 . 2008-08-22 23:45 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-08-22 23:45 . 2008-08-22 23:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-08-22 23:43 . 2008-08-28 22:21 <DIR> d-------- C:\Program Files\McAfee
2008-08-22 23:43 . 2008-08-22 23:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-08-22 23:36 . 2008-08-24 10:02 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-08-22 23:36 . 2005-02-25 04:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-08-22 23:35 . 2008-08-22 23:35 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-22 23:35 . 2008-08-24 10:01 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-08-22 23:34 . 2004-08-04 00:56 438,784 --------- C:\WINDOWS\system32\xpob2res.dll
2008-08-22 23:34 . 2004-08-04 00:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2008-08-22 23:34 . 2004-08-04 00:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-08-22 23:34 . 2004-08-04 00:56 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2008-08-22 23:34 . 2004-08-04 00:56 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2008-08-22 23:04 . 2008-08-22 23:04 <DIR> d-------- C:\Program Files\CCleaner
2008-08-22 22:58 . 2008-08-22 22:58 <DIR> d-------- C:\!KillBox
2008-08-22 22:18 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-08-22 22:18 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-08-22 22:18 . 2008-08-21 23:41 87,552 --a------ C:\WINDOWS\system32\AntiXPVSTFix.exe
2008-08-22 22:18 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-08-22 22:18 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-08-22 22:18 . 2008-08-14 21:52 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-08-22 22:18 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-08-22 22:18 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-08-22 22:18 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-08-22 22:18 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-08-22 22:06 . 2008-08-22 22:16 <DIR> d-------- C:\Program Files\ewido anti-spyware 4.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
.

((((((((((((((((((((((((((((( snapshot_2008-08-28_ 7.50.14.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-10 00:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 00:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 01:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:56 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28 684032]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"!ewido"="C:\Program Files\ewido anti-spyware 4.0\ewido.exe" [2008-08-22 22:15 6283264]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-10-26 12:01 4632576]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"nwiz"="nwiz.exe" [2004-10-26 12:01 921600 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2008-08-18 10:30]
S2 0035301219958581mcinstcleanup;McAfee Application Installer Cleanup (0035301219958581);C:\WINDOWS\TEMP\003530~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-08-29 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-30 00:42:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-30 0:44:16
ComboFix-quarantined-files.txt 2008-08-29 23:44:11
ComboFix2.txt 2008-08-29 17:12:29
ComboFix3.txt 2008-08-29 06:48:35
ComboFix4.txt 2008-08-28 21:30:42
ComboFix5.txt 2008-08-29 23:39:50

Pre-Run: 25,020,268,544 bytes free
Post-Run: 25,054,322,688 bytes free

151 --- E O F --- 2008-08-26 21:45:18
  • 0
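A way to check whether a CFScript run actually removed what it was meant to, by comparing the FILE :: echo, the "Other Deletions" section and the file listings of a ComboFix report. This is an added example, not part of the original posts and not ComboFix's own code; the two inputs are constructed excerpts trimmed from the reports above, and the function names are hypothetical.

```python
import re

# Section banners look like "((((( Other Deletions )))))".
SECTION = re.compile(r"^\(+\s*(.*?)\s*\)+$")
# A script entry must be a bare absolute path: drive letter, colon, backslash.
ABS_PATH = re.compile(r'^[A-Za-z]:\\[^<>:"|?*]+$')
# Listing lines end with the path, after the dates, size and attributes.
TRAILING_PATH = re.compile(r"[A-Za-z]:\\.*$")

# Constructed excerpts, trimmed from the two ComboFix reports in this thread.
FIRST_RUN = r"""
FILE ::
4C:\WINDOWS\system32\ujolidedyl.ban
.

((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))
.

2008-08-29 07:51 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-22 18:05 . 2008-08-22 18:05 19,409 --a------ C:\WINDOWS\system32\ujolidedyl.ban
2008-08-22 18:05 . 2008-08-22 18:05 17,482 --a------ C:\WINDOWS\mopafan.dat
.
(((((((((( Find3M Report ))))))))))
.
2008-07-20 21:01 50,176 ----a-w C:\WINDOWS\system32\dcrick.dll
.
"""

SECOND_RUN = r"""
FILE ::
C:\WINDOWS\mopafan.dat
C:\WINDOWS\system32\dcrick.dll
C:\WINDOWS\system32\ujolidedyl.ban
.

(((((((((( Other Deletions ))))))))))
.

C:\WINDOWS\mopafan.dat
C:\WINDOWS\system32\dcrick.dll
C:\WINDOWS\system32\ujolidedyl.ban

.
((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))
.

2008-08-29 07:51 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
.
"""

# Three of the eight paths from the helper's CFScript.txt.
INTENDED = [
    r"C:\WINDOWS\system32\ujolidedyl.ban",
    r"C:\WINDOWS\mopafan.dat",
    r"C:\WINDOWS\system32\dcrick.dll",
]


def parse_sections(log):
    """Split a report into {section name: [non-empty content lines]}."""
    sections, current = {}, "header"
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        banner = SECTION.match(line)
        if line.upper().startswith("FILE ::"):
            current = "FILE"
        elif banner:
            current = banner.group(1)
        else:
            sections.setdefault(current, []).append(line)
    return sections


def listed_paths(sections, prefix):
    """Lower-cased paths found in every section whose name starts with prefix."""
    found = set()
    for name, lines in sections.items():
        if name.startswith(prefix):
            for line in lines:
                match = TRAILING_PATH.search(line)
                if match:
                    found.add(match.group(0).lower())
    return found


def malformed_entries(log):
    """FILE :: entries that are not well-formed absolute paths."""
    return [e for e in parse_sections(log).get("FILE", []) if not ABS_PATH.match(e)]


def audit_run(log, intended):
    """Map each intended path to 'still listed', 'deleted' or 'not in report'."""
    sections = parse_sections(log)
    deleted = listed_paths(sections, "Other Deletions")
    listed = listed_paths(sections, "Files Created") | listed_paths(sections, "Find3M")
    result = {}
    for path in intended:
        key = path.lower()
        # A file that is deleted but shows up in a listing again was recreated.
        if key in listed:
            result[path] = "still listed"
        elif key in deleted:
            result[path] = "deleted"
        else:
            result[path] = "not in report"
    return result


if __name__ == "__main__":
    for label, log in (("first run", FIRST_RUN), ("second run", SECOND_RUN)):
        print(label, "malformed:", malformed_entries(log))
        for path, status in audit_run(log, INTENDED).items():
            print("  ", status, path)
```
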

#19
Stamper19

  • Expert
  • 1,992 posts
Hi LittleDot,

That's more like it!

Congrats - your logs are all clean :)

There are still a couple of things you should do for the sake of cleaning up.

---------------------------------------------------------------

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK



  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.
----------------------------------------------------------------

Otherwise, unless you have any questions, you are all set. Included below are some tips for keeping your computer malware free in the future.

Cheers,
Stamper :)

----------------------------------------------------------------

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety:

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

  • 0
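The HOSTS-file blocking described in the post above can be audited by separating entries that sink a name to the local machine from entries that send it to some other address. This is an added example, not part of the original post; the sample file is constructed (its three 127.0.0.1 entries after localhost are the ones quoted in the SmitfraudFix report in this thread, the rest are invented), and the function name is hypothetical.

```python
import ipaddress

# Constructed sample. The three 127.0.0.1 entries after "localhost" are the
# ones quoted in the SmitfraudFix report in this thread; the rest are invented.
SAMPLE_HOSTS = """\
# sample HOSTS file
127.0.0.1       localhost
127.0.0.1 hk.digitaltrends.com
127.0.0.1 microsoft.com.org
127.0.0.1 www.www.microsoft.com.org
0.0.0.0 ads.example.test tracker.example.test   # two names on one line
203.0.113.10 update.example.test
not-an-ip broken.example.test
"""

# Names that normally map to the local machine in an untouched file.
DEFAULT_NAMES = {"localhost", "localhost.localdomain"}


def classify_hosts(text):
    """Sort every name in a HOSTS file into default / blocked / redirected.

    blocked    -> mapped to loopback or 0.0.0.0, so connections go nowhere
    redirected -> mapped to any other address; these deserve a manual look,
                  because the name now resolves to a machine the file chose
    invalid    -> line numbers that do not parse as "<ip> <name> [name...]"
    """
    report = {"default": [], "blocked": [], "redirected": [], "invalid": []}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            report["invalid"].append(lineno)
            continue
        if len(fields) < 2:
            report["invalid"].append(lineno)
            continue
        local = addr.is_loopback or addr.is_unspecified
        for name in (field.lower() for field in fields[1:]):
            if local and name in DEFAULT_NAMES:
                report["default"].append(name)
            elif local:
                report["blocked"].append(name)
            else:
                report["redirected"].append((name, str(addr)))
    return report


if __name__ == "__main__":
    for kind, items in classify_hosts(SAMPLE_HOSTS).items():
        print(kind, items)
```
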

#20
LittleDot

  • Topic Starter
  • Member
  • 18 posts
Stamper 19, Thank you so much for your help.

I am starting to follow your instructions and have deleted ComboFix and a lot of the other programs we installed and will be moving on to your suggested list for installs.

Two last questions please:

1 The computer still starts with an option for Windows Recovery Console - do I need to remove this and if so how?
2 In the taskbar bottom right there is still an icon for 'Windows Security Alerts' which still pops up with a message telling me that my computer is not safe and I should install...... please click on the balloon for more info. Is this a valid icon and program and are the messages valid?


Thanks.
  • 0

#21
Stamper19

  • Expert
  • 1,992 posts

1 The computer still starts with an option for Windows Recovery Console - do I need to remove this and if so how?

Nope - recovery console is definitely something you want on the computer.

2 In the taskbar bottom right there is still an icon for 'Windows Security Alerts' which still pops up with a message telling me that my computer is not safe and I should install...... please click on the balloon for more info. Is this a valid icon and program and are the messages valid?

Hmmm...let's do a scan for another infection.

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm
  • 0

#22
LittleDot

  • Topic Starter
  • Member
  • 18 posts
Thanks a lot

SmitFraudFix v2.343

Scan done at 19:30:15.50, 30/08/2008
Run from C:\Documents and Settings\Julie\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Julie\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 hk.digitaltrends.com
127.0.0.1 microsoft.com.org
127.0.0.1 www.www.microsoft.com.org

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Julie


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Julie\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Julie\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix
!!!Attention, following keys are not inevitably infected!!!

AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: BT Voyager 1060 Laptop Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{8995A1FD-E09F-492D-81AF-A96397EE6399}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8995A1FD-E09F-492D-81AF-A96397EE6399}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{8995A1FD-E09F-492D-81AF-A96397EE6399}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{8995A1FD-E09F-492D-81AF-A96397EE6399}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#23
Stamper19

Download the HostsXpert 4.2 - Hosts File Manager
  • Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
  • Run HostsXpert 4.2 - Hosts File Manager from its new home
  • Click on "File Handling".
  • Click on "Restore MS Hosts File".
  • Click OK on the Confirmation box.
  • Click on "Make Read Only?"
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
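
The hosts check that the log and the restore steps above revolve around, as an added Python example that is not part of the original thread and is not code from SmitFraudFix or HostsXpert. It parses hosts-file text and lists every mapping other than the stock localhost line, labelling names pointed at loopback as blocked and names pointed elsewhere as redirected. The sample reuses the three entries from the log plus one constructed redirect line; the function names, labels and the assumption that a default file maps only localhost belong to this example.

```python
import ipaddress

# Assumption of this example: a default hosts file maps only this name to loopback.
DEFAULT_NAMES = {"localhost"}

# Three entries copied from the SmitFraudFix log above; the last line is constructed.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "127.0.0.1       localhost\n"
    "127.0.0.1 hk.digitaltrends.com\n"
    "127.0.0.1 microsoft.com.org\n"
    "127.0.0.1 www.www.microsoft.com.org\n"
    "203.0.113.7 update.example.test  # constructed redirect entry\n"
)

def parse_hosts(text):
    """Yield (line_no, ip_or_None, hostname) per mapping, skipping comments and blanks."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop inline and full-line comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:                   # an address with no name, or stray text
            yield line_no, None, fields[0]
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None                         # first field is not a valid IP address
        for name in fields[1:]:               # one line may carry several aliases
            yield line_no, ip, name.lower()

def audit_hosts(text):
    """Return (line_no, hostname, label) for every non-default mapping."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if ip is None:
            findings.append((line_no, name, "malformed"))
        elif name in DEFAULT_NAMES and ip.is_loopback:
            continue                          # the stock localhost entry
        elif ip.is_loopback or ip.is_unspecified:
            findings.append((line_no, name, "blocked"))     # name cannot be reached
        else:
            findings.append((line_no, name, "redirected"))  # name resolves elsewhere
    return findings

if __name__ == "__main__":
    for line_no, name, label in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {label}")
```

An empty result means the file holds nothing beyond the localhost mapping, which matches the empty hosts section in the follow-up log.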


#24
LittleDot

Ok, I have run that and the new Smitfraud log file is attached. Has that fixed all, as the icon has now disappeared, etc.?

SmitFraudFix v2.343

Scan done at 10:02:12.13, 31/08/2008
Run from C:\Documents and Settings\Julie\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Julie\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Julie


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Julie\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Julie\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix
!!!Attention, following keys are not inevitably infected!!!

AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: BT Voyager 1060 Laptop Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{8995A1FD-E09F-492D-81AF-A96397EE6399}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8995A1FD-E09F-492D-81AF-A96397EE6399}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{8995A1FD-E09F-492D-81AF-A96397EE6399}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{8995A1FD-E09F-492D-81AF-A96397EE6399}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#25
Stamper19

Yes, all should be clear, as there was only one thing to deal with in the Smitfraud log and we have done so. You can go ahead and delete SmitfraudFix. Are there any remaining questions or issues?

#26
LittleDot

No, that's great. Many thanks for your time and help.

#27
Stamper19

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.