0

this is my friends computer i am trying to fix it and it has 2 admin accounts ... and below is the log ...........

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:58:23 AM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Felicia\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.midgetlink.com/t1.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {232D2677-68EE-4FA1-B988-279EBC8969ED} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {C9602DB5-678A-45CC-8869-52D6E9D7EDB1} - (no file)
O2 - BHO: (no name) - {f314f5fd-3e78-4390-ad73-dc84d5e8ffbc} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .WAV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {470A6E01-15A3-49B3-B8B9-8EDF4AC1A480} - http://sp.ask.com/docs/teoma/toolbar/download/teomab-inst.cab
O20 - Winlogon Notify: jkhfg - C:\WINDOWS\system32\jkhfg.dll (file missing)
O20 - Winlogon Notify: qomljhe - qomljhe.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O24 - Desktop Component 1: Warning homepage - C:\WINDOWS\warnhp.html

--
End of file - 9825 bytes

2
Contributors
5
Replies
6
Views
9 Years
Discussion Span
Last Post by crunchie
0

Hi and welcome to Daniweb forums :).

Scan with HijackThis and then place a check next to all the following, if present:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: (no name) - {232D2677-68EE-4FA1-B988-279EBC8969ED} - (no file)
O2 - BHO: (no name) - {C9602DB5-678A-45CC-8869-52D6E9D7EDB1} - (no file)
O2 - BHO: (no name) - {f314f5fd-3e78-4390-ad73-dc84d5e8ffbc} - (no file)

O20 - Winlogon Notify: jkhfg - C:\WINDOWS\system32\jkhfg.dll (file missing)
O20 - Winlogon Notify: qomljhe - qomljhe.dll (file missing)


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

==

Please download VundoFix.exe
to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when
VundoFix appears at reboot.

==

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

0

i run vundofix but it did not find anything .i restart the computer but the scan did not start for the vundofix so i run smitfraudfix and here is the lof for that ...

SmitFraudFix v2.281

Scan done at 6:48:16.25, Tue 02/05/2008
Run from C:\Documents and Settings\Felicia\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\CSCRIPT.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Felicia


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Felicia\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Felicia\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

HKLM\SOFTWARE\WinHound.com FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\WINDOWS\\warnhp.html"
"SubscribedURL"=""
"FriendlyName"="Warning homepage"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
+--------------------------------------------------+
[!] Suspicious: googletoolbar1.dll
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7}
TypeLib Not Found.
+--------------------------------------------------+
[!] Suspicious: swg.dll
BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
TypeLib: {C7CB459A-7261-4AE6-A87A-17041EE98A40}
Interface: {1F7328B7-E25A-4527-B24B-D9173401BB89}
Interface: {2212951C-1623-4095-906B-AC50B8F91016}
Interface: {2351B346-00E8-4EAC-9B75-B138B465D659}
Interface: {91959FBB-853A-4AC7-A082-2DDF787F4CA9}
Interface: {91F39C2A-95E7-497A-A539-0AC715DC66D2}
Interface: {9891812B-5820-4A77-827E-772B200239E1}
Interface: {A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}
Interface: {AF606610-3627-4DF2-A6D5-32C6A355ACD1}
Interface: {DA69D3CC-7676-4A65-889F-C052977F1AA9}

[!] Suspicious: googletoolbar1.dll
Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F}
TypeLib Not Found.

[!] Suspicious: WPDShServiceObj.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5}


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{B3F4CED3-78EA-4428-9E4D-D41E9C386B1C}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B3F4CED3-78EA-4428-9E4D-D41E9C386B1C}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B3F4CED3-78EA-4428-9E4D-D41E9C386B1C}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B3F4CED3-78EA-4428-9E4D-D41E9C386B1C}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:54:18 AM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\NOTEPAD.EXE
C:\Documents and Settings\Felicia\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .WAV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {470A6E01-15A3-49B3-B8B9-8EDF4AC1A480} - http://sp.ask.com/docs/teoma/toolbar/download/teomab-inst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O24 - Desktop Component 1: Warning homepage - C:\WINDOWS\warnhp.html

--
End of file - 9167 bytes

0

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".


The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

0

well i am in safe mode and my keyboard and mouse is not working in safe mode ....

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.