Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Homepage Hijack - Www.uptodateprotection.com


  • This topic is locked This topic is locked
7 replies to this topic

#1 bewtane

bewtane

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:39 PM

Posted 10 September 2006 - 02:21 PM

My homepage is set to www.google.co.uk in the Internet Explorer options, but everytime I start it gets redirected to www.uptodateprotection.com.

I have the following hijackthis logfile - I have scanned using ewidos and adaware, both of which have found the problem but after reboot it seems to come back again.

Any help in rectifying would be much appreciated :thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 20:13:25, on 10/09/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
C:\WINNT\system32\ZoneLabs\isafe.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\issearch.exe
C:\WINNT\system32\gsicon.exe
C:\WINNT\system32\dslagent.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Muiltmedia keyboard utility\1.3\KBDAP32A.EXE
C:\Browser MOUSE\mouse32a.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINNT\system32\ixt0.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Muiltmedia Keyboard 1.3.lnk = C:\Muiltmedia keyboard utility\1.3\KBDAP32A.EXE
O4 - Global Startup: Browser MOUSE.lnk = C:\Browser MOUSE\mouse32a.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{16C9903A-CDCD-4F0B-8F36-540333EC2620}: NameServer = 194.72.9.34 194.72.0.114
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O21 - SSODL: hinnible - {59080fb1-a43e-4059-a155-18b1eac7352c} - C:\WINNT\system32\fhmfes.dll (file missing)
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINNT\system32\ZoneLabs\isafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: FLEXlm server for PTC - Unknown owner - C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SBHookSvc - Unknown owner - C:\PROGRA~1\BTYAHO~1\SMARTB~1\SBHookSvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe

BC AdBot (Login to Remove)

 


m

#2 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:06:39 AM

Posted 11 September 2006 - 10:58 AM

Hi bewtane and welcome to Bleeping Computer :thumbsup:

You got some infections there.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

NOTE: Do not run any other options from SmitfraudFix until I tell you to do so!
UNITE & ASAP member since 2006
Posted Image
Posted Image

#3 bewtane

bewtane
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:39 PM

Posted 12 September 2006 - 02:13 PM

Thanks for your quick reply Mr_JAk3

I have done as you requested and have the following log :

SmitFraudFix v2.87

Scan done at 20:08:53.90, Tue 12/09/2006
Run from C:\Documents and Settings\Administrator\Desktop\Smitfraudfix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix ran in normal mode

C:\


C:\WINNT


C:\WINNT\system


C:\WINNT\Web


C:\WINNT\system32

C:\WINNT\system32\ismini.exe FOUND !
C:\WINNT\system32\isnotify.exe FOUND !
C:\WINNT\system32\issearch.exe FOUND !
C:\WINNT\system32\ixt?.dll FOUND !
C:\WINNT\system32\ixt??.dll FOUND !
C:\WINNT\system32\ot.ico FOUND !
C:\WINNT\system32\ts.ico FOUND !
C:\WINNT\system32\components\flx?.dll FOUND !
C:\WINNT\system32\components\flx??.dll FOUND !
C:\WINNT\system32\components\flx???.dll FOUND !

C:\Documents and Settings\Administrator\Application Data


Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

C:\DOCUME~1\ADMINI~1\FAVORI~1

C:\DOCUME~1\ADMINI~1\FAVORI~1\Antivirus Test Online.url FOUND !

Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"hinnible"="{59080fb1-a43e-4059-a155-18b1eac7352c}"



AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

Scanning wininet.dll infection


End

#4 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:06:39 AM

Posted 13 September 2006 - 07:57 AM

Hi again, we'll continue :thumbsup:

You seem to have the old Ewido installed. We'll update it to the latest version. Plese remove the old Ewido through Control Panel -> Add/Remove programs.
We'll install the latest version later.

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download and install ewido anti-spyware 4.0
  • Open ewido anti-spyware
  • Click on the Update icon at the top of the window
    • Click on the Start update button
    • Wait for the update to download and install
  • Click Guard
  • Click under "resident shield is"
  • Change it from active to inactive
  • Quit the program, well use this later.
Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINNT\system32\ixt0.dll
O21 - SSODL: hinnible - {59080fb1-a43e-4059-a155-18b1eac7352c} - C:\WINNT\system32\fhmfes.dll (file missing)

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Restart your computer to the safe mode again.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

NOTE The following will clear all of your cookies, forms and history from FireFox. Feel free to skip this step.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
NOTE: The following will clear all of your cookies, forms and history from Opera. Feel free to skip this step.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now scan your computer with Ewido.
  • Open Ewido
  • Click on the Scanner icon at the top of the window
  • Click on the Settings tab then select Recommended Options and choose Quarantine
  • Click on the Scan tab
  • Select Complete System Scan. Ewido will now begin to scan your system
[*]When the scan has completed, if infections were found, press Apply all actions .
[*]Then click on the Save Scan Report button and save the scan to your Desktop where it can be easily found
[*]Copy and paste the scan results into your next post.
[/list]When you're ready, post the following logs to here:
- Ewido's report
- a fresh HijackThis log
- contents of C:\Rapport.txt
UNITE & ASAP member since 2006
Posted Image
Posted Image

#5 bewtane

bewtane
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:39 PM

Posted 13 September 2006 - 02:38 PM

Ewido Report :

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 20:06:25 13/09/2006

+ Scan result:



Nothing found.



::Report end



Hijack This Log :

Logfile of HijackThis v1.99.1
Scan saved at 20:07:20, on 13/09/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
C:\WINNT\system32\ZoneLabs\isafe.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\gsicon.exe
C:\WINNT\system32\dslagent.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Muiltmedia keyboard utility\1.3\KBDAP32A.EXE
C:\Browser MOUSE\mouse32a.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINNT\system32\ixt0.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Muiltmedia Keyboard 1.3.lnk = C:\Muiltmedia keyboard utility\1.3\KBDAP32A.EXE
O4 - Global Startup: Browser MOUSE.lnk = C:\Browser MOUSE\mouse32a.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINNT\system32\ZoneLabs\isafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: FLEXlm server for PTC - Unknown owner - C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SBHookSvc - Unknown owner - C:\PROGRA~1\BTYAHO~1\SMARTB~1\SBHookSvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe


Rapport text Log

SmitFraudFix v2.87

Scan done at 19:14:53.37, Wed 13/09/2006
Run from C:\Documents and Settings\Administrator\Desktop\Smitfraudfix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix ran in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"hinnible"="{59080fb1-a43e-4059-a155-18b1eac7352c}"


Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINNT\system32\ismini.exe Deleted
C:\WINNT\system32\isnotify.exe Deleted
C:\WINNT\system32\issearch.exe Deleted
C:\WINNT\system32\ot.ico Deleted
C:\WINNT\system32\ts.ico Deleted
C:\WINNT\system32\components\flx?.dll Deleted
C:\DOCUME~1\ADMINI~1\FAVORI~1\Antivirus Test Online.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End



thanks ever so much for your help so far - much appreciated :thumbsup:

#6 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:06:39 AM

Posted 13 September 2006 - 10:50 PM

Hi again you're looking clean now :thumbsup:
How is the computer running ?

There are a few leftovers to clean...

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINNT\system32\ixt0.dll (file missing)

You don't seem to an antivirus running, you souhld immediately install one. Otherwise you'll get infected again.

These are good (free) antiviruses:
- Antivir
- Avast
- AVG

Now you can enable Ewido guard if you want.
  • Open Ewido
  • Click Guard
  • Click under "resident shield is"
  • Change it to active
  • Close Ewido
Then the first priority is to visit Windows Update and get your system updated
-> At first, install Win 2000 Service Pack 4 Update
-> Reboot and get back to the Windows Update
-> Install all remaining important updates
(NOTE: You'll propably have to reboot and get back to the update several times before all of them are installed)

Now you can remove SmitfraudFix, we don't need it anymore.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Use CCleaner
    Download and install CCleaner. Clean your temporary files & folders with it regularly.
  • Use Ad-Aware
    Download and install Ad-Aware. Update it and scan your computer regularly with it.
  • Use Ewido
    Download and install Ewido. Update it and scan your computer regularly with it.
  • Use Spybot S&D
    Download and install Spybot S&D. Update it and scan your computer regularly with it.
  • Install SpywareBlaster
    SpywareBlaster will prevent spyware from being installed.
  • Install MVPS Hosts file
    This prevents your computer from connecting to harmful sites.
  • Use Firefox browser
    Firefox is faster, safer and better browser than Internet Explorer.
  • Keep your systen up-to-date
    Visit Windows Update regularly.
  • Keep your antivirus and firewall up-to-date
    Scan your computer regularly with your antivirus.
  • Read this article by TonyKlein
    So how did I get infected in the first place?

UNITE & ASAP member since 2006
Posted Image
Posted Image

#7 bewtane

bewtane
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:39 PM

Posted 15 September 2006 - 08:05 AM

hiya Mr_JAk3 again,

Just cleaned up those last few items, updated service pack and updates, and put on AVG. Also enabled the Ewido guard.

Computer is running fantastically!!! I can't thank you enough!!!!

Many many thanks for all your time and help over this last week - It is very much appreciated!!

Bewtane.

#8 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:06:39 AM

Posted 15 September 2006 - 09:19 AM

You're very welcome, It is always nice to help :thumbsup:
UNITE & ASAP member since 2006
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users