Win32: Alureon BH (rtk)


32 replies to this topic

#1 story94

story94

  • Members
  • 20 posts

Posted 23 June 2009 - 05:57 PM

I am not sure where I should be asking this question or where to start, but here is where I'm at with my problem:

I have had a couple of problems with various viruses the past couple of weeks, including WindowProtector 2009 and another similar malware problem, both of which, I think, I got rid of using Malwarebytes Anti-Malware. Although, when I had WindowProtector 2009 it had turned off my firewall and I had loads of other worms and viruses that I got rid of with Malwarebytes as well, including Koobface.

Today I started having problems with search engines redirecting me to other Web sites than the one I requested, so I ran Malwarebytes and found nothing, then downloaded Avast! and ran a boot scan and deleted everything it found that it thought was bad. I'm not sure how to tell if it's really gone, since the last three times I thought I had fixed my computer it kept finding more things and getting tons of bad stuff. I do keep my Windows firewall on and use AVG. I was originally going to post a HijackThis log in the other forum but was unable to make one: the black screen, the first screen in the directions on the posted forum for this subject, said at the bottom of the directions "scan will take three minutes and remove after use once" and then added "FindSTR: cannot read strings from whitedir".

Like I said, I'm not sure if I'm asking this in the correct area or where to start with this, but any help would be appreciated. Thank you for taking the time to read this.

Edited by garmanma, 23 June 2009 - 06:43 PM.



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • Location:NJ USA

Posted 23 June 2009 - 07:27 PM

Hello, I am going to ask for a couple logs.

Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


Next run ATF and SAS:

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open it from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 story94

story94
  • Topic Starter

  • Members
  • 20 posts

Posted 24 June 2009 - 07:48 AM

I've got one scan done; here are the results. I will work on the others now...



Malwarebytes' Anti-Malware 1.38
Database version: 2327
Windows 5.1.2600 Service Pack 3

6/24/2009 8:47:49 AM
mbam-log-2009-06-24 (08-47-49).txt

Scan type: Quick Scan
Objects scanned: 113513
Time elapsed: 28 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XP Deluxe Protector (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 story94

story94
  • Topic Starter

  • Members
  • 20 posts

Posted 24 June 2009 - 01:31 PM

Here is the other scan log. The computer appears to be running very well right now, although that's also what I thought the last two times. Thanks for helping me. Is there anything else I should do to make sure the computer is clean?


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/24/2009 at 02:09 PM

Application Version : 4.26.1006

Core Rules Database Version : 3953
Trace Rules Database Version: 1895

Scan type : Complete Scan
Total Scan Time : 04:54:21

Memory items scanned : 238
Memory threats detected : 0
Registry items scanned : 5634
Registry threats detected : 0
File items scanned : 79163
File threats detected : 34

Adware.Tracking Cookie
.kontera.com [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
.kontera.com [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
.specificmedia.com [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
cdn4.specificclick.net [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
cdn4.specificclick.net [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
stat.onestat.com [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
stat.onestat.com [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
.at.atwola.com [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]
.at.atwola.com [ C:\Documents and Settings\People\Application Data\Mozilla\Firefox\Profiles\7kna14vd.default\cookies.txt ]

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • Location:NJ USA

Posted 24 June 2009 - 01:49 PM

OK, this looks good. I would like to do Part 1 of S!Ri's SmitfraudFix, though.

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#6 story94

story94
  • Topic Starter

  • Members
  • 20 posts

Posted 24 June 2009 - 01:59 PM

SmitFraudFix v2.422

Scan done at 14:54:19.76, Wed 06/24/2009
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Mozilla Firefox\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts

hosts file corrupted !

94.232.248.66 browser-security.microsoft.com

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Victoria


C:\DOCUME~1\Victoria\LOCALS~1\Temp


C:\Documents and Settings\Victoria\Application Data


Start Menu


C:\DOCUME~1\Victoria\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://img03.xuqa.com/IMG//H_PROFILE/p447/PROF_PIC_1026271901129926447.JPG"
"SubscribedURL"="http://img03.xuqa.com/IMG//H_PROFILE/p447/PROF_PIC_1026271901129926447.JPG"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




DNS

Description: Intel® PRO/Wireless 2915ABG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{9A272B0D-ADEB-4C3A-A752-26C95E637E89}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9A272B0D-ADEB-4C3A-A752-26C95E637E89}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9A272B0D-ADEB-4C3A-A752-26C95E637E89}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


Scanning for wininet.dll infection


End

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • Location:NJ USA

Posted 24 June 2009 - 02:22 PM

OK, here I see that you are running two antivirus programs, AVG and Avast. You cannot have two active. If that's the case, remove one.

Viewpoint player is considered Foistware.
Foistware

Foistware is a term used to describe software downloaded to a computer without the owner's knowledge, which puts hidden components on a system, and attempts to bait the unsuspecting into purchasing another software remedy.
We recommend you uninstall it.

Now run part 2 ...
You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt


Next, rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select FULL scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.
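Reading a SmitfraudFix search report like the one in post #6 comes down to comparing a handful of persistence points against what a clean XP box carries: Userinit should be exactly userinit.exe followed by a comma, the Winlogon "System" value and AppInit_DLLs should be empty, and an Active Desktop component whose Source is a web URL is the mechanism Smitfraud-class rogues use for their warning wallpaper (which is why Part 2 offers to remove the desktop background). The following is an added example written for this thread, not code from SmitfraudFix, S!Ri or any poster. The baseline values are the editor's assumptions about a stock XP SP3 install on drive C:; the sample text is the relevant lines copied from the report in post #6, plus one constructed hijacked Winlogon block (with a placeholder name, evil.exe, that does not come from this thread) used only to exercise the check.

```python
"""Baseline check of the persistence keys a SmitfraudFix search report lists.

Added example for this thread; not SmitfraudFix code and not from any post.
It parses the [HKEY_...] / "Name"="value" blocks the report prints and compares
the values that matter against a clean Windows XP baseline (editor's assumption:
stock XP SP3, system drive C:).
"""
import re

# Sample input: the relevant lines copied from the report in post #6 above.
SAMPLE_REPORT = r"""
Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://img03.xuqa.com/IMG//H_PROFILE/p447/PROF_PIC_1026271901129926447.JPG"
"SubscribedURL"="http://img03.xuqa.com/IMG//H_PROFILE/p447/PROF_PIC_1026271901129926447.JPG"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001

Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
"""

# Constructed, hypothetical hijacked variant used only to exercise the check;
# "evil.exe" is a placeholder name, not a file from this thread.
HIJACKED_REPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\evil.exe"
"System"="evil.exe"
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9A-Fa-f]{8}))$')

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINDOWS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
DESKTOP_COMPONENTS = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components"
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"   # assumption: stock XP on C:


def parse_report(text):
    """Map each registry key in the report to a dict of its printed values.

    The same key may be printed in several sections (Winlogon appears twice
    above); their values are merged. Double backslashes are unescaped as in a
    .reg export, and dword values become ints.
    """
    values = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            values.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name, string, dword = val.groups()
            values[current][name] = int(dword, 16) if dword is not None else string.replace("\\\\", "\\")
    return values


def check_persistence(values):
    """Return (location, value) pairs that deviate from the clean baseline."""
    findings = []
    winlogon = values.get(WINLOGON, {})
    userinit = winlogon.get("Userinit", "")
    # Anything after the trailing comma is an extra program started at logon.
    if userinit.lower() != CLEAN_USERINIT.lower():
        findings.append(("Winlogon\\Userinit", userinit))
    if winlogon.get("System", ""):
        findings.append(("Winlogon\\System", winlogon["System"]))
    appinit = values.get(WINDOWS, {}).get("AppInit_DLLs", "")
    if appinit:
        findings.append(("AppInit_DLLs", appinit))
    for key, vals in values.items():
        # A web URL as an Active Desktop component is how Smitfraud-class rogues
        # plant their warning wallpaper; flag it for review rather than as proof.
        src = vals.get("Source", "")
        if key.startswith(DESKTOP_COMPONENTS) and src.lower().startswith(("http://", "https://")):
            findings.append(("Desktop component " + key.rsplit("\\", 1)[1], src))
    return findings


if __name__ == "__main__":
    for report in (SAMPLE_REPORT, HIJACKED_REPORT):
        for where, value in check_persistence(parse_report(report)):
            print(f"{where}: {value!r}")
```

On the report from post #6 the only thing the check raises is Desktop component 0, an image loaded from an external site as the wallpaper; Userinit, the Winlogon "System" value and AppInit_DLLs all match the baseline, which agrees with the helper's reading that the registry side looked acceptable. The Userinit comparison is deliberately exact rather than "contains userinit.exe", because the usual hijack keeps the genuine entry and appends a second path after the comma.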

#8 story94

story94
  • Topic Starter

  • Members
  • 20 posts

Posted 24 June 2009 - 02:29 PM

Two questions:
1. Should I uninstall Avast!, or is there a way to just turn it off?
2. How do I uninstall Viewpoint player?

Thanks!

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • Location:NJ USA

Posted 24 June 2009 - 02:42 PM

For Viewpoint, Quietman7 has written removal instructions in post 2 here.

http://www.bleepingcomputer.com/forums/t/120989/viewpointserviceexe/

Avast:
Right-click the avast icon in your taskbar, then click Stop On-Access Protection.

When you need it back on, right-click the icon again, then click Start.

#10 story94

story94
  • Topic Starter

  • Members
  • 20 posts

Posted 24 June 2009 - 05:25 PM

SmitFraudFix v2.422

Scan done at 16:01:14.62, Wed 06/24/2009
Run from C:\Documents and Settings\Victoria\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost
::1 localhost
94.232.248.66 antivaresys.com
94.232.248.66 www.antivaresys.com

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

HKLM\SYSTEM\CS2\Services\Tcpip\..\{9A272B0D-ADEB-4C3A-A752-26C95E637E89}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

"System"=""


RK.2



Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End



and the Malwarebytes results

Malwarebytes' Anti-Malware 1.38
Database version: 2330
Windows 5.1.2600 Service Pack 3

6/24/2009 6:22:27 PM
mbam-log-2009-06-24 (18-22-27).txt

Scan type: Full Scan (C:\|)
Objects scanned: 184860
Time elapsed: 1 hour(s), 44 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • Location:NJ USA

Posted 24 June 2009 - 07:47 PM

Hello. Malware is still hijacking your hosts file.

*********************************************
Restore your default hosts file

Download HostsXpert.

Unzip HostsXpert to your desktop

Open up the HostsXpert program.

* Make sure that the "make hosts writable?" button in the upper left corner is enabled.
* Click back up Host files
* then click "Restore MS Hosts File"
* close program
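The check behind "Malware is still hijacking your hosts file" can be done in code rather than by eye. What follows is an added example written for this thread, not HostsXpert, RHosts or SmitfraudFix code: it parses a Windows hosts file, reports every name that maps to something other than a loopback address, classifies a vendor name such as the browser-security.microsoft.com entry from post #6 as impersonation, and rebuilds a clean file. TRUSTED_SUFFIXES is the editor's own short list, the "# Copyright" header line is an assumption about the stock file, and the sample files are the two hosts sections SmitfraudFix printed in posts #6 and #10.

```python
"""Find hosts-file hijacks and rebuild a clean hosts file.

Added example for this thread; it is not HostsXpert, RHosts or SmitfraudFix
code. Any name mapped to a non-loopback address is a redirect the user did not
ask for; a name under a well-known vendor domain mapped outside is the
rogue-antivirus impersonation seen here (browser-security.microsoft.com ->
94.232.248.66).
"""
import ipaddress

# Sample input: the two hosts files SmitfraudFix printed in posts #6 and #10.
# The comment line is the stock XP header, added here for realism.
HOSTS_BEFORE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
94.232.248.66 browser-security.microsoft.com
"""
HOSTS_AFTER = """\
127.0.0.1 localhost
::1 localhost
94.232.248.66 antivaresys.com
94.232.248.66 www.antivaresys.com
"""

# The only live line of a stock XP hosts file (assumption: default install).
DEFAULT_HOSTS = "127.0.0.1       localhost\n"

# Editor's short list of domains that should never be overridden locally.
TRUSTED_SUFFIXES = ("microsoft.com", "windowsupdate.com")


def parse_hosts(text):
    """Return (ip_address, hostname) pairs; comments, blanks and junk are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue                      # blank, comment-only, or no hostname
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                      # not an address; Windows ignores it too
        entries.extend((ip, name.lower()) for name in parts[1:])
    return entries


def classify(name):
    """'impersonation' for a trusted vendor name, 'redirect' for anything else."""
    if any(name == s or name.endswith("." + s) for s in TRUSTED_SUFFIXES):
        return "impersonation"
    return "redirect"


def find_hijacks(text):
    """Return (ip, hostname, kind) for every entry not pointing at loopback."""
    return [(str(ip), name, classify(name))
            for ip, name in parse_hosts(text) if not ip.is_loopback]


def clean_hosts(text):
    """Keep comments and loopback entries, drop every redirect, ensure localhost."""
    kept = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            kept.append(raw)              # comment or blank line, harmless
            continue
        try:
            ip = ipaddress.ip_address(line.split()[0])
        except ValueError:
            continue
        if ip.is_loopback:
            kept.append(raw)
    # A file the malware rewrote wholesale may have no localhost line at all.
    if not any(name == "localhost" for _, name in parse_hosts("\n".join(kept))):
        kept.append(DEFAULT_HOSTS.rstrip("\n"))
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for label, text in (("before", HOSTS_BEFORE), ("after", HOSTS_AFTER)):
        for ip, name, kind in find_hijacks(text):
            print(f"{label}: {kind}: {name} -> {ip}")
    print(clean_hosts(HOSTS_AFTER), end="")
```

On XP the file is %SystemRoot%\system32\drivers\etc\hosts, and writing a cleaned copy back only works if the file is writable; malware of this class commonly sets the read-only or hidden attribute on it, which is what the "make hosts writable" step in HostsXpert is for. Note also that the two samples list different names: the entries present after the Part 2 clean are not the ones present before it, so rewriting the file without removing whatever is rewriting it only buys time until the next change.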

#12 story94

story94
  • Topic Starter

  • Members
  • 20 posts

Posted 24 June 2009 - 07:57 PM

I do not see the "make hosts writable" button. When I open the program, on the left I have the following options:
1. make readonly?
2. backup/restore
3. import options...
4. restore ms hosts file
5. file handling
6. editing
7. download
8. tools
9. help

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • Location:NJ USA

Posted 24 June 2009 - 08:44 PM

Let's see if this is easier. Use S!Ri's RHosts.
Download it and click Run.
http://translate.google.com/translate?hl=e...l%3Den%26sa%3DG

#14 story94

story94
  • Topic Starter

  • Members
  • 20 posts

Posted 24 June 2009 - 08:49 PM

I don't know if I'm doing that one right either. It's difficult to tell because it's not in English, but I got to the screen that is shown in the picture on the link you sent me and clicked the button. Then it gives me a confirmation window that says "Confirm la restauration du fichier hosts" and gives the options of "ok" and "abandon". I clicked OK and nothing happened...

#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • Location:NJ USA

Posted 24 June 2009 - 08:55 PM

I know, S!Ri, the author, is French. But that means "Confirm the restoration of the hosts file", so by clicking OK you did.

Now run Part 1 again.
Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.



