
HJT Log


  • This topic is locked
7 replies to this topic

#1 thefisherman

thefisherman

  • Members
  • 8 posts

Posted 05 August 2007 - 12:22 PM

Have run Spybot SD, Ad-Aware, Panda and Virgin virus and spyware, deleted everything it found.

Problems I've got are...

Can't start in safe mode, still showing original message.
System alert pop-up telling me I have spyware, then taking me to the virusprotectpro web page.
Can't restore to previous date.

Can you help please?

Here is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:49:40, on 05/08/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SOINTGR.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Virgin Broadband\PCguard\PrtlAgt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dixons.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dixons.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
O2 - BHO: MSVPS System - {85E659D3-E110-4CE7-9D99-416FD61A1720} - C:\WINDOWS\soundplugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {D61D7E1A-6613-49CA-B6F9-51DB248E209D} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - (no file)
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?c7ddccbfae56401a9d0f494de83c4ecf
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?c7ddccbfae56401a9d0f494de83c4ecf
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dixons.co.uk/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AF7BCD0-6468-49BA-83C9-9EA952730C0D}: NameServer = 85.255.114.110,85.255.112.170
O17 - HKLM\System\CCS\Services\Tcpip\..\{B01EB416-F091-40A9-9565-9C0F1A175ED4}: NameServer = 85.255.114.110,85.255.112.170
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.110 85.255.112.170
O17 - HKLM\System\CS1\Services\Tcpip\..\{3AF7BCD0-6468-49BA-83C9-9EA952730C0D}: NameServer = 85.255.114.110,85.255.112.170
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.110 85.255.112.170
O17 - HKLM\System\CS2\Services\Tcpip\..\{3AF7BCD0-6468-49BA-83C9-9EA952730C0D}: NameServer = 85.255.114.110,85.255.112.170
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.110 85.255.112.170
O17 - HKLM\System\CS3\Services\Tcpip\..\{3AF7BCD0-6468-49BA-83C9-9EA952730C0D}: NameServer = 85.255.114.110,85.255.112.170
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.110 85.255.112.170
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: convalescently - {cea2e5cd-e849-427b-80f0-59298caef1c4} - C:\WINDOWS\System32\cqsfk.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe

--
End of file - 7110 bytes



#2 Vino Rosso

Vino Rosso

  • Members
  • 88 posts

Posted 05 August 2007 - 12:50 PM

I'm sure a Mod will move this to the correct forum.

1 - FixWareout
Please download to your Desktop FixWareout from either >here< or >here<

Double-click Fixwareout.exe to run the program - click Next then Install
Make sure Run fixit is checked and click Finish.
The fix will begin - follow the prompts.
Reboot your computer when asked.
Your system may take longer than usual to load - this is normal.

At the end of the fix, you may need to restart your computer again.

Can you please post the contents of the logfile C:\fixwareout\report.txt with your next reply.

2 - Run HJT Scan
Run HijackThis and click Do a system scan only
Tick the following entries, if present:
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AF7BCD0-6468-49BA-83C9-9EA952730C0D}: NameServer = 85.255.114.110,85.255.112.170
O17 - HKLM\System\CCS\Services\Tcpip\..\{B01EB416-F091-40A9-9565-9C0F1A175ED4}: NameServer = 85.255.114.110,85.255.112.170
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.110 85.255.112.170
O17 - HKLM\System\CS1\Services\Tcpip\..\{3AF7BCD0-6468-49BA-83C9-9EA952730C0D}: NameServer = 85.255.114.110,85.255.112.170
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.110 85.255.112.170
O17 - HKLM\System\CS2\Services\Tcpip\..\{3AF7BCD0-6468-49BA-83C9-9EA952730C0D}: NameServer = 85.255.114.110,85.255.112.170
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.110 85.255.112.170
O17 - HKLM\System\CS3\Services\Tcpip\..\{3AF7BCD0-6468-49BA-83C9-9EA952730C0D}: NameServer = 85.255.114.110,85.255.112.170
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.110 85.255.112.170
O22 - SharedTaskScheduler: convalescently - {cea2e5cd-e849-427b-80f0-59298caef1c4} - C:\WINDOWS\System32\cqsfk.dll


Close all windows except HijackThis
Select Fix Checked in HijackThis.

3 - Network Settings
Now click on Start > Run and type cmd and click on OK
Type ipconfig /flushdns (note the space after ipconfig and before the /)
Press Enter, type exit at the command prompt, then press Enter
The command window will close.

(2000/XP) Only
In the windows control panel (Start > Control Panel), if you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections.
Right-click on your default connection, usually local area connection for cable and dsl, and left click on Properties.
Click the Networking tab.
Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot your PC if asked.

4 - SmitfraudFix
Delete any version of SmitfraudFix you may already have - this is important as SmitfraudFix is updated very frequently
Download SmitfraudFix (by S!Ri) to your Desktop from >here<
Double-click smitfraudfix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

5 - Uninstall List
Run HijackThis then click on Open the Misc Tools section
If HijackThis is still open, click on Config > Misc Tools
Click on Open Uninstall Manager...
Click on Save list...
Leave the default filename as uninstall_list.txt and save the file, noting where it has been saved
Close HijackThis.

6 - Check on status
After you have completed the above, please reboot and post:
  • the C:\fixWareout\report.txt
  • the SmitFraud output file rapport.txt
  • the uninstall_list.txt
Thanks
Vino

#3 thefisherman

thefisherman
  • Topic Starter

  • Members
  • 8 posts

Posted 05 August 2007 - 02:56 PM

Hi, done all you asked, here are the logs.

Username "Dad" - 05/08/2007 20:47:27 [Fixwareout edited 2007/07/05]

»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdxfo.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{3AF7BCD0-6468-49BA-83C9-9EA952730C0D}
"nameserver"="85.255.114.110,85.255.112.170" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{B01EB416-F091-40A9-9565-9C0F1A175ED4}
"nameserver"="85.255.114.110,85.255.112.170" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{964385DF-0B48-40C6-BABB-23A1052896A7}
"DhcpNameServer"="85.255.114.110,85.255.112.170" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{B01EB416-F091-40A9-9565-9C0F1A175ED4}
"DhcpNameServer"="85.255.114.110,85.255.112.170" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....
»»»»» Other
C:\WINDOWS\Temp\kdxfo.ren 65045 29/08/2002

»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"SoundMan"="SOUNDMAN.EXE"
"SO5 Integrator Pass Two"="C:\\WINDOWS\\SOINTGR.EXE"
"EPSON Stylus Photo R300 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I0F2.EXE /P30 \"EPSON Stylus Photo R300 Series\" /O6 \"USB001\" /M \"Stylus Photo R300\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"Broadbandadvisor.exe"="\"C:\\Program Files\\Virgin Broadband\\advisor\\Broadbandadvisor.exe\" /AUTORUN"
"PCguard"="\"C:\\Program Files\\Virgin Broadband\\PCguard\\Rps.exe\""
"APVXDWIN"="\"C:\\Program Files\\Panda Software\\Panda Antivirus 2007\\APVXDWIN.EXE\" /s"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

SmitFraudFix v2.208

Scan done at 21:39:12.10, 05/08/2007
Run from C:\Documents and Settings\Dad\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SOINTGR.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Virgin Broadband\PCguard\PrtlAgt.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\sounddrv.dll FOUND !
C:\WINDOWS\soundplugin.dll FOUND !
C:\WINDOWS\xvideo.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\cqsfk.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dad


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dad\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Dad\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: SiS 900-Based PCI Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 62.31.176.39
DNS Server Search Order: 194.117.134.19
DNS Server Search Order: 195.188.53.175

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3AF7BCD0-6468-49BA-83C9-9EA952730C0D}: DhcpNameServer=62.31.176.39 194.117.134.19 195.188.53.175
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3AF7BCD0-6468-49BA-83C9-9EA952730C0D}: DhcpNameServer=62.31.176.39 194.117.134.19 195.188.53.175
HKLM\SYSTEM\CS1\Services\Tcpip\..\{964385DF-0B48-40C6-BABB-23A1052896A7}: DhcpNameServer=85.255.114.110,85.255.112.170
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B01EB416-F091-40A9-9565-9C0F1A175ED4}: DhcpNameServer=85.255.114.110,85.255.112.170
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B01EB416-F091-40A9-9565-9C0F1A175ED4}: NameServer=85.255.114.110,85.255.112.170
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3AF7BCD0-6468-49BA-83C9-9EA952730C0D}: DhcpNameServer=62.31.176.39 194.117.134.19 195.188.53.175
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3AF7BCD0-6468-49BA-83C9-9EA952730C0D}: DhcpNameServer=62.31.176.39 194.117.134.19 195.188.53.175
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=62.31.176.39 194.117.134.19 195.188.53.175
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=62.31.176.39 194.117.134.19 195.188.53.175
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=62.31.176.39 194.117.134.19 195.188.53.175
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=62.31.176.39 194.117.134.19 195.188.53.175
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

µTorrent
Ad-Aware 2007
Adobe Acrobat 5.0
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Stock Photos 1.0
Canon Camera Window for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon PhotoRecord
Canon Utilities ZoomBrowser EX
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVDFab Platinum 3.1.1.6 Ghosthunter release
EarthBrowser
EPSON CardMonitor
EPSON PhotoQuicker3.5
EPSON PhotoStarter3.1
EPSON Print CD
EPSON PRINT Image Framer Tool2.1
EPSON Printer Software
ESPR300 Reference Guide
ESPR300 Software Guide
ESPR300 Standalone Guide
Express Burn
Express Rip
HijackThis 2.0.2
Medi@Show
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft Office XP Media Content
Microsoft Publisher 2002
Microsoft Word 2002
Microsoft Works 2003 Setup Launcher
Microsoft Works 7.0
Microsoft Works Suite Add-in for Microsoft Word
MUSICMATCH Jukebox
Nero
Nero 7 Ultra Edition
Panda Antivirus 2007
Picasa 2
Power Cinema
PowerDirector Pro
PowerDVD
PowerVCR II
Privacy Guardian 4.1
QuickTime
Realtek AC'97 Audio
ScanToWeb
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
SiS 650_651_M650_740
SiS 900 PCI Fast Ethernet Adapter Driver
Smart Menus (Windows Live Toolbar)
Spybot - Search & Destroy 1.4
StarOffice 5.2
SUPERAntiSpyware Free Edition
Tabbed Browsing (Windows Live Toolbar)
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Virgin Broadband advisor 1.5.10
Virgin Broadband PCguard
WavePad Uninstall
Windows Backup Utility
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB918439
Windows XP Hotfix - KB918899
Windows XP Hotfix - KB925486
WinRAR archiver
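
The following is an added example, not part of any post in this thread and not output from FixWareout or SmitfraudFix. It parses the O17 lines ticked in post #2, collects the resolver addresses they carry, and checks the SmitfraudFix DNS section from post #3 for entries that still hold them. Function names are hypothetical; the sample lines are excerpts of the logs posted above.

```python
"""Check a post-fix log for DNS values flagged in an earlier HijackThis log."""
import ipaddress
import re
from typing import NamedTuple

# Matches HijackThis "O17 - HKLM\System\CCS\...: NameServer = a,b" lines and the
# SmitfraudFix DNS-section form "HKLM\SYSTEM\CS1\...: DhcpNameServer=a b c".
ENTRY = re.compile(
    r"^(?:O17 - )?HKLM\\System\\(?P<cset>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?P<scope>Parameters|\.\.\\\{[0-9A-F-]+\}):\s*"
    r"(?P<name>DhcpNameServer|NameServer)\s*=\s*(?P<servers>.+)$",
    re.IGNORECASE,
)


class DnsEntry(NamedTuple):
    control_set: str  # CCS, CS1, CS2 ... as abbreviated in the logs
    scope: str        # "Parameters" (global) or an interface GUID
    name: str         # NameServer (static) or DhcpNameServer (set by DHCP)
    servers: tuple


def parse_dns_entries(log_text):
    """Return a DnsEntry for every DNS registry line; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        servers = []
        # The logs separate addresses with commas in some lines, spaces in others.
        for token in re.split(r"[,\s]+", m["servers"].strip()):
            try:
                servers.append(str(ipaddress.ip_address(token)))
            except ValueError:
                pass  # not an address; ignore the token
        scope = m["scope"].lstrip(".\\")  # "..\{GUID}" -> "{GUID}"
        entries.append(DnsEntry(m["cset"].upper(), scope, m["name"], tuple(servers)))
    return entries


def flagged_servers(flagged_log):
    """Addresses carried by the entries that were selected for fixing."""
    return {s for e in parse_dns_entries(flagged_log) for s in e.servers}


def remaining_flagged(flagged_log, post_fix_log):
    """Entries in the later log that still list any flagged address."""
    flagged = flagged_servers(flagged_log)
    return [e for e in parse_dns_entries(post_fix_log) if flagged & set(e.servers)]


def by_control_set(entries):
    """Group (scope, value name) pairs under their control set."""
    grouped = {}
    for e in entries:
        grouped.setdefault(e.control_set, []).append((e.scope, e.name))
    return grouped


# Excerpt of the HijackThis entries listed in post #2 (O22 line shows skipping).
HJT_FLAGGED = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AF7BCD0-6468-49BA-83C9-9EA952730C0D}: NameServer = 85.255.114.110,85.255.112.170
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.110 85.255.112.170
O22 - SharedTaskScheduler: convalescently - {cea2e5cd-e849-427b-80f0-59298caef1c4} - C:\WINDOWS\System32\cqsfk.dll
"""

# Excerpt of the SmitfraudFix DNS section posted after the FixWareout run.
POST_FIX = r"""
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3AF7BCD0-6468-49BA-83C9-9EA952730C0D}: DhcpNameServer=62.31.176.39 194.117.134.19 195.188.53.175
HKLM\SYSTEM\CS1\Services\Tcpip\..\{964385DF-0B48-40C6-BABB-23A1052896A7}: DhcpNameServer=85.255.114.110,85.255.112.170
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B01EB416-F091-40A9-9565-9C0F1A175ED4}: DhcpNameServer=85.255.114.110,85.255.112.170
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B01EB416-F091-40A9-9565-9C0F1A175ED4}: NameServer=85.255.114.110,85.255.112.170
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
"""

if __name__ == "__main__":
    for cset, items in by_control_set(remaining_flagged(HJT_FLAGGED, POST_FIX)).items():
        for scope, name in items:
            print(f"{cset}: {scope} still has flagged {name}")
```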

#4 Vino Rosso

Vino Rosso

  • Members
  • 88 posts

Posted 05 August 2007 - 03:05 PM

1 - Download SmitfraudFix
Please print out these instructions as we will need to close every window that is open later in the fix.

Important: If you have an old version, please delete this and download a fresh copy of SmitfraudFix.exe by S!Ri from >here< and save it to your Desktop.
The fix is frequently updated and it is advisable to ensure that you have the latest version.

2 - Boot Into Safe Mode
Physically disconnect your computer from your modem/router and boot your PC into Safe Mode by restarting your computer - keep tapping F8 until the menu appears.
Use your up and down arrow keys to select Safe Mode.
We will continue your fix in Safe Mode.

3 - Run SmitfraudFix
Double-click on SmitfraudFix.exe
Press "2" and then <ENTER> to start the cleaning process.
  • Wait for the tool to complete and disk cleanup to finish.
  • You will be prompted "Registry cleaning - Do you want to clean the registry ?" Press "Y" and then <ENTER>.
  • The tool will also check if wininet.dll is infected. You may be prompted to "Replace infected file ?" - press "Y" and then <ENTER>.
When this last routine has finished, you will be presented with a red screen stating Computer will reboot now. Close all applications.
You should now press the spacebar on your computer. A counter will appear stating that the computer will reboot in 15 seconds. Do not cancel this countdown and allow your computer to reboot. If this does not happen automatically, you will need to do so manually.

4 - Check on status
After you have completed the above, please provide:
  • the file contents of C:\rapport.txt created by SmitfraudFix
  • a new HijackThis log
  • and a description of how your PC is behaving - what problems are you now experiencing?
Thanks
Vino

#5 thefisherman

thefisherman
  • Topic Starter

  • Members
  • 8 posts

Posted 05 August 2007 - 03:27 PM

Hi.

Tried to start in safe mode but still get the same message:


VGA MODE NOT SUPPORT
H:35.4KHZ V:86.8HZ

Have not run SmitfraudFix, will await your reply.

The System Alert pop-up seems to be gone though.

Edited by thefisherman, 05 August 2007 - 03:36 PM.


#6 Vino Rosso

Vino Rosso

  • Members
  • 88 posts

Posted 05 August 2007 - 03:36 PM

Please follow the instructions in my previous post.

[Edit] Ah, sorry... safe mode problem still... will get back to you [/Edit]

Edited by Vino Rosso, 05 August 2007 - 04:22 PM.


#7 Vino Rosso

Vino Rosso

  • Members
  • 88 posts

Posted 05 August 2007 - 04:49 PM

Make sure that you can see hidden files and folders.
  • Click Start.
  • Click My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Click Yes to confirm.
  • Uncheck the Hide file extensions for known file types.
  • Uncheck Hide protected operating system files. A pop-up will appear; answer Yes.
  • Click OK.
  • Click Start > Run type Notepad then click OK - this will open a blank Notepad document.
  • Click File > Open and navigate to C:\Boot.ini (you'll need to set Files of type to All Files to see it).
  • Double click on Boot.ini to open it in Notepad.
  • Save as Boot.ini Copy.txt to your Desktop.
  • Copy and paste the contents of that file to your next post please.


#8 Vino Rosso

Vino Rosso

  • Members
  • 88 posts

Posted 15 August 2007 - 06:56 AM

Due to lack of feedback, this topic is now closed.
If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter. Everyone else please begin a New Topic.



