
Hi,

I'm running Win XP
I was looking through an old thread (now closed) & found the following recommendation (below). At the end of the recommendation it says to post the log... and... that's the reason for starting this thread...

Recommendation from old thread:
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Post the C:\rapport.txt log, and a new HJT log, and we will continue the fix

Member - Alliance of Security Analysis Professionals - Since 2006

My Rapport log #1:
SmitFraudFix v2.423

Scan done at 14:48:00.34, Thu 07/23/2009
Run from C:\Documents and Settings\u295269\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Attachmate\INFOCNEE\ATSSrvc.exe
C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\NALNTSRV.EXE
C:\WINDOWS\system32\SvcRunAs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\wm.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\braviax.exe
C:\Program Files\Palm\Hotsync.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\u295269\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\u295269\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\u295269\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\u295269\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\u295269\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\u295269\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\u295269\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\u295269\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

91.206.201.8 private.microsoft.com

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\braviax.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\u295269


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\u295269\LOCALS~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\u295269\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\u295269\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

»»»»»»»»»»»»»»»»»»»»»»»» RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom NetXtreme 57xx Gigabit Controller #2 - Packet Scheduler Miniport
DNS Server Search Order: 161.215.130.130
DNS Server Search Order: 161.215.130.131

Description: Broadcom NetXtreme 57xx Gigabit Controller #2 - Packet Scheduler Miniport
DNS Server Search Order: 161.215.54.16
DNS Server Search Order: 161.215.153.3

Description: Check Point Virtual Network Adapter For SSL Network Extender - Packet Scheduler Miniport
DNS Server Search Order: 161.215.153.3
DNS Server Search Order: 161.215.54.16

HKLM\SYSTEM\CCS\Services\Tcpip\..\{00A5761E-8C81-4FB2-A30C-AF558D326356}: DhcpNameServer=161.215.130.130 161.215.130.131
HKLM\SYSTEM\CCS\Services\Tcpip\..\{12E31064-F9BC-434F-A9C6-0863CDB461CA}: DhcpNameServer=161.215.153.3 161.215.54.16
HKLM\SYSTEM\CCS\Services\Tcpip\..\{8E9D47BF-00E1-4450-B108-CE9E98B3429E}: DhcpNameServer=161.215.54.16 161.215.153.3
HKLM\SYSTEM\CS1\Services\Tcpip\..\{00A5761E-8C81-4FB2-A30C-AF558D326356}: DhcpNameServer=161.215.130.130 161.215.130.131
HKLM\SYSTEM\CS1\Services\Tcpip\..\{12E31064-F9BC-434F-A9C6-0863CDB461CA}: DhcpNameServer=161.215.153.3 161.215.54.16
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8E9D47BF-00E1-4450-B108-CE9E98B3429E}: DhcpNameServer=161.215.54.16 161.215.153.3
HKLM\SYSTEM\CS3\Services\Tcpip\..\{00A5761E-8C81-4FB2-A30C-AF558D326356}: DhcpNameServer=161.215.130.130 161.215.130.131
HKLM\SYSTEM\CS3\Services\Tcpip\..\{12E31064-F9BC-434F-A9C6-0863CDB461CA}: DhcpNameServer=161.215.153.3 161.215.54.16
HKLM\SYSTEM\CS3\Services\Tcpip\..\{8E9D47BF-00E1-4450-B108-CE9E98B3429E}: DhcpNameServer=161.215.54.16 161.215.153.3
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=161.215.54.16 161.215.153.3
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=161.215.54.16 161.215.153.3
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=161.215.54.16 161.215.153.3


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


My Rapport log #2:
SmitFraudFix v2.423

Scan done at 15:00:07.15, Thu 07/23/2009
Run from C:\Documents and Settings\u295269\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost
::1 localhost
91.206.201.8 avir-guardian.com
91.206.201.8 www.avir-guardian.com

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\braviax.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{00A5761E-8C81-4FB2-A30C-AF558D326356}: DhcpNameServer=161.215.130.130 161.215.130.131
HKLM\SYSTEM\CCS\Services\Tcpip\..\{12E31064-F9BC-434F-A9C6-0863CDB461CA}: DhcpNameServer=161.215.153.3 161.215.54.16
HKLM\SYSTEM\CCS\Services\Tcpip\..\{8E9D47BF-00E1-4450-B108-CE9E98B3429E}: DhcpNameServer=161.215.54.16 161.215.153.3
HKLM\SYSTEM\CS1\Services\Tcpip\..\{00A5761E-8C81-4FB2-A30C-AF558D326356}: DhcpNameServer=161.215.130.130 161.215.130.131
HKLM\SYSTEM\CS1\Services\Tcpip\..\{12E31064-F9BC-434F-A9C6-0863CDB461CA}: DhcpNameServer=161.215.153.3 161.215.54.16
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8E9D47BF-00E1-4450-B108-CE9E98B3429E}: DhcpNameServer=161.215.54.16 161.215.153.3
HKLM\SYSTEM\CS3\Services\Tcpip\..\{00A5761E-8C81-4FB2-A30C-AF558D326356}: DhcpNameServer=161.215.130.130 161.215.130.131
HKLM\SYSTEM\CS3\Services\Tcpip\..\{12E31064-F9BC-434F-A9C6-0863CDB461CA}: DhcpNameServer=161.215.153.3 161.215.54.16
HKLM\SYSTEM\CS3\Services\Tcpip\..\{8E9D47BF-00E1-4450-B108-CE9E98B3429E}: DhcpNameServer=161.215.54.16 161.215.153.3
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=161.215.54.16 161.215.153.3
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=161.215.54.16 161.215.153.3
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=161.215.54.16 161.215.153.3


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

»»»»»»»»»»»»»»»»»»»»»»»» RK.2

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


Thank you!!
Jeni
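
The two rapport.txt logs above carry the findings a helper reads off first: the hosts section redirecting private.microsoft.com to 91.206.201.8, braviax.exe sitting in system32 and appearing in the running-process list of the normal-mode scan, and the DNS servers each adapter is using. The following parser is an added example written for this thread; it is not part of SmitfraudFix or of S!Ri's code. It pulls those indicators out of a SmitfraudFix-style report so that a reviewer can check a posted log mechanically. The sample log is a constructed excerpt of log #1 above; section names ("Process", "hosts", "DNS") and the "FOUND !" / "Deleted" line shapes are taken from the logs as posted, and the benign-hosts rule (only loopback entries for localhost are stock) is this example's own assumption.

```python
"""Parse a SmitfraudFix-style rapport.txt and extract the actionable findings.

Added example for this thread; not SmitfraudFix's own code. It assumes the
report layout seen in the posted logs: sections introduced by a run of '»'
characters, a 'Process' section listing running executables, a 'hosts'
section listing hosts-file lines, and 'FOUND !' / 'Deleted' file lines.
"""
import ipaddress
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^»+\s+(.*)$")
# "C:\path\file.exe FOUND !" (search run) or "C:\path\file.exe Deleted" (clean run)
FOUND_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<status>FOUND|Deleted)\s*!?$")
HOSTS_RE = re.compile(r"^(?P<ip>[0-9a-fA-F.:]+)\s+(?P<host>\S+)$")
DNS_RE = re.compile(r"(?:DhcpNameServer=|DNS Server Search Order:\s*)(.+)$")


@dataclass
class Findings:
    mode: str = ""                                       # "normal mode" / "safe mode"
    processes: list = field(default_factory=list)        # paths from the Process section
    suspicious_hosts: list = field(default_factory=list)  # (ip, hostname) pairs
    flagged_files: list = field(default_factory=list)    # (path, "FOUND" | "Deleted")
    dns_servers: set = field(default_factory=set)


def is_benign_hosts_entry(ip, host):
    """Assumption for this example: only loopback/unspecified -> localhost is stock.

    Anything else (a real domain mapped to a remote address, as in the log
    above) is reported for a human to look at.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return (addr.is_loopback or addr.is_unspecified) and host == "localhost"


def parse_rapport(text):
    f = Findings()
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                      # section header: remember it and move on
            section = m.group(1).strip()
            continue
        if line.startswith("Fix run in "):
            f.mode = line[len("Fix run in "):]
            continue
        if section == "Process":   # every non-empty line here is a running image
            f.processes.append(line)
            continue
        if section == "hosts":     # hosts-file lines; status text like "corrupted !" is skipped
            m = HOSTS_RE.match(line)
            if m and not is_benign_hosts_entry(m.group("ip"), m.group("host")):
                f.suspicious_hosts.append((m.group("ip"), m.group("host")))
            continue
        m = FOUND_RE.match(line)
        if m:
            f.flagged_files.append((m.group("path"), m.group("status")))
            continue
        m = DNS_RE.search(line)
        if m:
            f.dns_servers.update(m.group(1).split())
    return f


def running_flagged(f):
    """Flagged files that were also running when the scan was taken.

    This is the case that makes the Safe Mode clean step necessary: a file
    that is executing cannot simply be deleted from the normal-mode session.
    Windows paths compare case-insensitively, so both sides are lower-cased.
    """
    running = {p.lower() for p in f.processes}
    return sorted(path.lower() for path, _ in f.flagged_files if path.lower() in running)


# Constructed excerpt of the normal-mode log posted above (log #1).
SAMPLE_LOG = r"""SmitFraudFix v2.423

Scan done at 14:48:00.34, Thu 07/23/2009
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

91.206.201.8 private.microsoft.com

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\braviax.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» DNS

DNS Server Search Order: 161.215.130.130
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=161.215.54.16 161.215.153.3

»»»»»»»»»»»»»»»»»»»»»»»» End
"""

if __name__ == "__main__":
    findings = parse_rapport(SAMPLE_LOG)
    print("mode:", findings.mode)
    print("suspicious hosts entries:", findings.suspicious_hosts)
    print("flagged files:", findings.flagged_files)
    print("flagged and running:", running_flagged(findings))
    print("dns servers:", sorted(findings.dns_servers))
```

Run against the full log #1 the output is the same as for the excerpt: one hosts redirect, one flagged file, and that file is in the running-process list, which is exactly why the recommendation has the clean step (option 2) done from Safe Mode. The DNS addresses are collected so that a reviewer can confirm they belong to the user's own network rather than to a rogue resolver; the example does not try to judge that itself.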


Hi Crunchie,

In the previous instructions it says: "Post the C:\rapport.txt log, and a new HJT log, and we will continue the fix"
