
Spywareisolator/smitfraud/zlobdownloader


20 replies to this topic

#1 Blithespirit

  • Members
  • 10 posts

Posted 15 March 2008 - 10:56 AM

Yesterday I noticed multiple pop-ups telling me my computer was infected and alternately taking me to websites for Spyware Isolator, Defender something or other etc., and I panicked! I immediately downloaded Spybot Search and Destroy and ran it; it found several and deleted them, but I am unable to delete Smitfraud and Zlob downloader completely. The programs locked Task Manager, which I did manage to unlock, but I can't decipher which process is the malicious program. I know these are both really difficult, so I have also gone out and bought McAfee Security Suite and Spy Sweeper but have no idea how to perform a hijack log etc.

I do know that it has gone deep but don't feel confident about playing with the registry without help...

Can you please help me?

I really appreciate all offers of help

Blithe

#2 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 15 March 2008 - 11:31 AM

Welcome to Bleeping Computer.

Before we can run anything, I need to know your operating system and which service pack you have installed. This will assure that the programs used are compatible with your computer.

Any further information would be helpful. Please refer to this page.

#3 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,561 posts
  • Location:NJ USA

Posted 15 March 2008 - 11:33 AM

Hi Welcome to the forum
Following these instructions should remove it.

NOTE: all blue wording are links to instructions
First you will need to follow the instructions in our Tutorial
How to remove the Smitfraud / Generic Zlob

Now download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop. DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to start Windows in Safe Mode
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox browser click Firefox at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser click Opera at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions and Let us know how the PC is running now.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 Blithespirit

  • Topic Starter
  • Members
  • 10 posts

Posted 15 March 2008 - 12:02 PM

Welcome to Bleeping Computer.

Before we can run anything, I need to know your operating system and which service pack you have installed. This will assure that the programs used are compatible with your computer.

Any further information would be helpful. Please refer to this page.



Windows xp
service pack 2

Thanks for the prompt reply!

#5 Blithespirit

  • Topic Starter
  • Members
  • 10 posts

Posted 15 March 2008 - 01:42 PM

smitfraud.exe is not a valid WIN32 application error.

I can't run it and the icon doesn't download.

#6 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,561 posts
  • Location:NJ USA

Posted 15 March 2008 - 01:44 PM

Ok run the SAS scan ,post that log for now..

#7 Blithespirit

  • Topic Starter
  • Members
  • 10 posts

Posted 15 March 2008 - 05:45 PM

Managed to get hold of the complete zipfile of smitfraud remover..
Ran it in safe mode, followed by cleaner and SAS..
Here follows the log file..

Noticed when rebooted back into 'normal' windows that I am getting constant popups in both SAS and spybot asking to change the registry for 'search bar' and to change my IE home page to about:blank..

They won't stop either!

Thank you again, for all your help,

Blithe.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/15/2008 at 10:25 PM

Application Version : 4.0.1154

Core Rules Database Version : 3420
Trace Rules Database Version: 1412

Scan type : Complete Scan
Total Scan Time : 02:29:18

Memory items scanned : 215
Memory threats detected : 0
Registry items scanned : 7978
Registry threats detected : 4
File items scanned : 21552
File threats detected : 69

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#zip [ {f247d378-e403-4cf4-bc08-94f4c814b1d4} ]

Rogue.SpywareIsolator
HKU\S-1-5-21-2681539823-766670996-14466258-1006\Software\spinstall
HKU\S-1-5-21-2681539823-766670996-14466258-1006\Software\spywareisolator
C:\Program Files\SpywareIsolator\spywareisolator.exe
C:\Program Files\SpywareIsolator
c:\winxplogon.sys
D:\SYSTEM VOLUME INFORMATION\_RESTORE{B1C538C0-CBA3-4434-A006-53A338B37653}\RP524\A0078362.LNK
D:\SYSTEM VOLUME INFORMATION\_RESTORE{B1C538C0-CBA3-4434-A006-53A338B37653}\RP524\A0078363.LNK
D:\SYSTEM VOLUME INFORMATION\_RESTORE{B1C538C0-CBA3-4434-A006-53A338B37653}\RP524\A0078366.LNK

Trojan.Net-BOK/NMC
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#bokpkov [ {62AAAE51-E581-4B84-A89E-28076DF72380} ]

Rogue.SpywareIsolator-Installer
C:\DOWNLOADS\INSTALLER_ABR.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{B1C538C0-CBA3-4434-A006-53A338B37653}\RP527\A0079822.EXE

Rogue.SystemDefender-Installer
C:\DOWNLOADS\SYSTEMDEFENDER_INSTALLER.EXE

Adware.Tracking Cookie
D:\Documents and Settings\MFR\My Documents\docs old\Documents and Settings\Olivia\Cookies\olivia@ads.monster[2].txt
D:\Documents and Settings\MFR\My Documents\docs old\Documents and Settings\Olivia\Cookies\olivia@h.starware[1].txt
D:\Documents and Settings\MFR\My Documents\docs old\Documents and Settings\Olivia\Cookies\olivia@ehg-dig.hitbox[2].txt
D:\Documents and Settings\MFR\My Documents\docs old\Documents and Settings\Olivia\Cookies\olivia@try.starware[1].txt
D:\Documents and Settings\MFR\My Documents\docs old\Documents and Settings\Olivia\Cookies\olivia@ad.yieldmanager[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Charlotte\Cookies\charlotte@data2.perf.overture[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Charlotte\Cookies\charlotte@try.starware[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Charlotte\Cookies\charlotte@smileycentral[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Charlotte\Cookies\charlotte@h.starware[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Charlotte\Cookies\charlotte@ad.yieldmanager[2].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Charlotte\Cookies\charlotte@www.dgm2[2].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Charlotte\Cookies\charlotte@www.screensavers[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Emma\Cookies\emma@adopt.euroclick[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Emma\Cookies\emma@www.screensavers[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Emma\Cookies\emma@ad.yieldmanager[2].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Emma\Cookies\emma@data2.perf.overture[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Emma\Cookies\emma@directtrack[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Emma\Cookies\emma@i.screensavers[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Emma\Cookies\emma@login.tracking101[2].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Emma\Cookies\emma@m1.webstats4u[2].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Emma\Cookies\emma@screensavers.us.intellitxt[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Emma\Cookies\emma@rapidresponse.directtrack[2].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Emma\Cookies\emma@tacoda[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@ads.monster[2].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@popularscreensavers[2].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@dist.belnk[2].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@mywebsearch[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@ad.yieldmanager[2].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@i.screensavers[2].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@marksandspencer.122.2o7[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@winfixer[2].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@smileycentral[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@screensavers.us.intellitxt[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@stats.adbrite[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@belnk[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@www.winfixer[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@msnportal.112.2o7[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@xiti[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@www.screensavers[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@tacoda[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@ientry[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@data2.perf.overture[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@cneteurope.122.2o7[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@data3.perf.overture[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@counter[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@revsci[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@www.fasttrackteaching.gov[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@offeroptimizer[2].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@kanoodle[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@www.dgm2[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@burstnet[2].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@stats1.reliablestats[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@indextools[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@azjmp[2].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Marina\Cookies\marina@www.findaproperty[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Olivia\Cookies\olivia@ads.monster[2].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Olivia\Cookies\olivia@h.starware[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Olivia\Cookies\olivia@ehg-dig.hitbox[2].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Olivia\Cookies\olivia@try.starware[1].txt
D:\Documents and Settings\MFR\My Documents\Documents and Settings\Olivia\Cookies\olivia@ad.yieldmanager[1].txt
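
Reading the scan log above as a responder would: of the 69 file detections, the bulk are tracking cookies and copies sitting in System Restore points (inert unless a restore is performed), while the items that matter are the two ShellServiceObjectDelayLoad values and the handful of live files (spywareisolator.exe, winxplogon.sys, the two rogue installers). An SSODL value name such as "zip" or "bokpkov" is arbitrary; the data is a CLSID that Explorer instantiates at every logon, and the DLL behind it is named by the default value of HKCR\CLSID\{clsid}\InprocServer32, which neither log prints. The script below is an added example, not code from SUPERAntiSpyware or from anyone in this thread; it parses a constructed excerpt in the same format as the log above (paths shortened, identifiers kept), separates those classes, and prints the CLSID lookup key for each SSODL entry. The excerpt and the lookup-key helper are the only assumptions.

```python
"""Triage a SUPERAntiSpyware scan log of the shape posted above.

Added example (not SUPERAntiSpyware's code and not from the thread).  The log
format: blank-line separated blocks; a detection block starts with the threat
name and is followed by registry keys or file paths.  Restore-point copies and
cookies are separated from the few live files and autostart keys that need
attention.
"""
import re
from collections import Counter

# Constructed excerpt in the format of the log above (paths shortened).
SAMPLE_LOG = """\
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/15/2008 at 10:25 PM

Registry threats detected : 4
File threats detected : 69

Unclassified.Unknown Origin
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad#zip [ {f247d378-e403-4cf4-bc08-94f4c814b1d4} ]

Rogue.SpywareIsolator
HKU\\S-1-5-21-2681539823-766670996-14466258-1006\\Software\\spywareisolator
C:\\Program Files\\SpywareIsolator\\spywareisolator.exe
c:\\winxplogon.sys
D:\\SYSTEM VOLUME INFORMATION\\_RESTORE{B1C538C0-CBA3-4434-A006-53A338B37653}\\RP524\\A0078362.LNK

Trojan.Net-BOK/NMC
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad#bokpkov [ {62AAAE51-E581-4B84-A89E-28076DF72380} ]

Adware.Tracking Cookie
D:\\Documents and Settings\\MFR\\Cookies\\marina@winfixer[2].txt
"""

HIVE_RE = re.compile(r"^(HKLM|HKCU|HKU|HKCR)\\", re.I)
PATH_RE = re.compile(r"^[A-Za-z]:\\")
RESTORE_RE = re.compile(r"\\SYSTEM VOLUME INFORMATION\\_RESTORE", re.I)
# The value name is arbitrary; the data is the CLSID Explorer loads at logon.
SSODL_RE = re.compile(r"ShellServiceObjectDelayLoad#(\S+) \[ (\{[0-9A-Fa-f-]{36}\}) \]")


def parse_groups(text):
    """Return {threat name: [registry keys / paths]} for every detection block."""
    groups = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 2:
            continue
        items = lines[1:]
        # Header blocks ("Generated ...", "Scan type : ...") never consist of
        # hive paths or drive paths, so this filter keeps only detections.
        if all(HIVE_RE.match(i) or PATH_RE.match(i) for i in items):
            groups.setdefault(lines[0], []).extend(items)
    return groups


def classify(item):
    """Bucket one detection line by how urgent it is to look at."""
    if HIVE_RE.match(item):
        return "ssodl_autostart" if "ShellServiceObjectDelayLoad" in item else "registry_key"
    if RESTORE_RE.search(item):
        return "restore_point_copy"   # inert until System Restore is used
    if re.search(r"\\Cookies\\", item, re.I):
        return "tracking_cookie"
    return "live_file"


def clsid_server_key(clsid):
    """Registry key whose default value names the DLL behind an SSODL CLSID."""
    return "HKCR\\CLSID\\" + clsid + "\\InprocServer32"


def triage(text):
    counts = Counter()
    live, ssodl = [], []
    for name, items in parse_groups(text).items():
        for item in items:
            kind = classify(item)
            counts[kind] += 1
            if kind == "live_file":
                live.append((name, item))
            m = SSODL_RE.search(item)
            if m:
                ssodl.append((name, m.group(1), m.group(2), clsid_server_key(m.group(2))))
    return {"counts": dict(counts), "live_files": live, "ssodl": ssodl}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for kind, n in sorted(result["counts"].items()):
        print(f"{kind:20} {n}")
    for name, value, clsid, key in result["ssodl"]:
        print(f"SSODL {value!r} ({name}) -> {clsid}; DLL named under {key}")
    for name, path in result["live_files"]:
        print(f"live file ({name}): {path}")
```

On the full log above the same split gives 2 SSODL values, 1 other registry key, 5 live files or directories, 5 restore-point copies and the rest cookies; the practical next step after quarantine is to check whether the two CLSIDs still resolve to a DLL on disk, since removing the SSODL value stops the load but does not by itself delete the file.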

#8 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,561 posts
  • Location:NJ USA

Posted 15 March 2008 - 06:44 PM

Didn't know about Spybot or we would have disabled it temporarily. It's clashing with the other tools. You can uninstall SAS for now from the Control Panel, Add/Remove, to make things easier.

You should disable Spybot's TeaTimer for now:
You can disable TeaTimer 2 ways

To disable TeaTimer and remove its startup entry:
Go into Spybot > Mode > Advanced Mode > Tools > Resident
Uncheck (if checked) the following:
Resident "TeaTimer" (Protection of over-all system settings) Active.


To temporarily close TeaTimer and restart it later:
Right click Spybot's TeaTimer System Tray Icon > click Exit Spybot-S&D Resident.
TeaTimer closes.
Restart TeaTimer:
Using Windows Explorer, navigate to C:\Program Files\Spybot - Search & Destroy.
Double click TeaTimer.exe to start it.

Reboot is NOT necessary for the change to take effect.

http://forums.spybot.info/showthread.php?t=2827


The Smitfraud needs to be run in 2 parts. Option 1 in Normal mode then post that log.
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#9 Blithespirit

  • Topic Starter
  • Members
  • 10 posts

Posted 16 March 2008 - 04:33 AM

SmitFraudFix v2.304

Scan done at 9:29:48.76, 16/03/2008
Run from D:\Documents and Settings\MFR\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\PROGRA~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
D:\program files\Flashget\FlashGet.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\APPS\SMP\SmpSys.exe
D:\program files\Activesync\wcescomm.exe
D:\PROGRA~1\ACTIVE~1\rapimgr.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\Stickies\stickies.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\cmd.exe

hosts


D:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


D:\Documents and Settings\MFR


D:\Documents and Settings\MFR\Application Data


Start Menu


D:\DOCUME~1\MFR\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3B1A01AA-FFEA-4005-AED7-6B72E6EB459C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3B1A01AA-FFEA-4005-AED7-6B72E6EB459C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3B1A01AA-FFEA-4005-AED7-6B72E6EB459C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


Scanning for wininet.dll infection


End

#10 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 16 March 2008 - 12:10 PM

I'm having a bit of trouble reading that log: has anything been deleted? Doesn't seem to say so.

I do see in your running processes three rundll.exe's.

Now multiple instances of other programs could be a problem. Multiple instances of RUNDLL32.exe indicate a DLL or device driver problem that is not responding to system messages, hence the RUNDLL32.exe task that is spawned off by some program to perform a DLL function call cannot complete and exit.


Edited by PropagandaPanda, 16 March 2008 - 12:11 PM.
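
What the option 1 report above actually lets a reader judge: the two autostart values SmitfraudFix dumps are empty ("AppInit_DLLs"="" means no DLL is being injected into every process that maps user32.dll, and the Winlogon "System" value is not pointing at a payload), and every DNS entry is 192.168.1.1, the LAN router, which is the state you want to see because the Zlob variants known as DNSChanger rewrite these values to public addresses they control. The process list, by contrast, records image paths only, so the three rundll32.exe hosts cannot be judged from it; the command line of each (which DLL and entry point it was started with) is what decides that, from Process Explorer or, on XP Professional, wmic process where name="rundll32.exe" get commandline. The script below is an added example, not part of SmitfraudFix or of this thread; it audits a constructed excerpt of the report format and a constructed "hijacked" variant that uses a made-up DLL name and the TEST-NET-3 address 203.0.113.5 in place of an attacker resolver. Both excerpts and the RFC 1918 test are assumptions of the example.

```python
"""Audit a SmitfraudFix option 1 (search) report of the shape posted above.

Added example, not part of SmitfraudFix or the thread.  It checks the three
things the report lets you judge without the machine in front of you:
autostart registry values that should be empty, DNS servers that should be
the LAN router, and how many rundll32.exe hosts were running (which the report
cannot explain, because it records image paths and not command lines).
"""
import ipaddress
import re

# Constructed excerpt mirroring the report above (process list shortened).
CLEAN_REPORT = """\
SmitFraudFix v2.304

Scan done at 9:29:48.76, 16/03/2008
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

Process

C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\winlogon.exe
C:\\WINDOWS\\system32\\rundll32.exe
C:\\WINDOWS\\system32\\rundll32.exe
C:\\WINDOWS\\system32\\RUNDLL32.EXE
C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe

hosts


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]
"System"=""


DNS

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\Parameters: DhcpNameServer=192.168.1.1


End
"""

# Constructed "hijacked" variant: a made-up DLL in AppInit_DLLs and DNS pointed
# at a TEST-NET-3 address standing in for an attacker-controlled resolver.
HIJACKED_REPORT = (
    CLEAN_REPORT
    .replace('"AppInit_DLLs"=""', '"AppInit_DLLs"="C:\\WINDOWS\\system32\\example.dll"')
    .replace("192.168.1.1", "203.0.113.5")
)

REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$', re.M)
DNS_RE = re.compile(r"(?:DNS Server Search Order:|NameServer=)\s*([0-9. ,]+)")
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def registry_values(report):
    """All "Name"="data" lines the report dumps, e.g. AppInit_DLLs and System."""
    return {m.group(1): m.group(2) for m in REG_VALUE_RE.finditer(report)}


def dns_servers(report):
    """Every resolver address in the DNS section, whichever line names it."""
    found = set()
    for m in DNS_RE.finditer(report):
        for tok in re.split(r"[ ,]+", m.group(1).strip()):
            try:
                found.add(str(ipaddress.ip_address(tok)))
            except ValueError:
                pass
    return found


def is_lan(ip):
    """RFC 1918 or loopback: what a home router's DHCP normally hands out."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def processes(report):
    """Image paths listed under the 'Process' heading."""
    lines = report.splitlines()
    if "Process" not in lines:
        return []
    procs = []
    for line in lines[lines.index("Process") + 1:]:
        if not line.strip():
            if procs:
                break
            continue
        procs.append(line.strip())
    return procs


def audit(report):
    procs = processes(report)
    return {
        "autostart_values_set": {k: v for k, v in registry_values(report).items() if v},
        "non_lan_dns": sorted(ip for ip in dns_servers(report) if not is_lan(ip)),
        "rundll32_instances": sum(p.lower().endswith("\\rundll32.exe") for p in procs),
        "process_count": len(procs),
    }


if __name__ == "__main__":
    for label, rep in (("clean", CLEAN_REPORT), ("hijacked", HIJACKED_REPORT)):
        print(label, audit(rep))
```

An empty audit is consistent with what the poster reports (pop-ups gone after the safe-mode run), but it is not proof of a clean machine; SmitfraudFix only examines the locations it knows about, which is why a second scanner's log is still asked for in threads like this one.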


#11 Blithespirit

  • Topic Starter
  • Members
  • 10 posts

Posted 16 March 2008 - 12:47 PM

To be honest, I don't know..
I just ran the 1 command and copied what it gave me out here..

I had already run the fix and the SAS etc in safe mode...

Is it possible that that has fixed the lot?

As for the multiple .dll problem. is there something or somewhere that I can go on how to fix it?

Thanks so much for the help.

#12 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,561 posts
  • Location:NJ USA

Posted 16 March 2008 - 04:27 PM

You have already run option 2 (the fix) in Smitfraud? The scan log report can be found at the root of the system drive, usually at C:\rapport.txt. Can you post that back? Is the PC running normally again now? Pop-ups gone, as you have removed some things and perhaps the Smitfraud has removed others.

#13 Blithespirit

  • Topic Starter
  • Members
  • 10 posts

Posted 16 March 2008 - 04:39 PM

Hi Boopme,

Just checked the C:\rapport.txt and it is the same as the report here...
The computer appears to be fixed (!) - no more nasty popups thank goodness so thank you so much for that!

Still a slow runner, and a couple of recurrent errors on it, but the main fire is out, for which I do thank you, and everyone who responded to me so quickly..

#14 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,561 posts
  • Location:NJ USA

Posted 16 March 2008 - 04:45 PM

Hi Blithe, let's just kick a little more crap off the system and see if it speeds up a bit. Let me know!

Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only.)
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

#15 Blithespirit

  • Topic Starter
  • Members
  • 10 posts

Posted 16 March 2008 - 04:56 PM

Hey Boopme,
I LIKE your style!!

I did ATF cleaner earlier in Safe mode when I attacked my poor humble hard drive with SAS and ATF and antismit etc..
I will run it again...



