Please Help, New To Computers. Smitfraud ?


#1 Laoboybenny

Posted 02 December 2006 - 06:28 PM

I know that my computer is infected with Smitfraud because when I scan my computer with Spybot Search & Destroy, it always shows up. I've scanned it several times and Smitfraud keeps popping up. I've tried Spyhunt? but it says I need money to continue with the removal of the viruses. Can anyone help? I've read forums and topics with people who have the same problem, but I'm still confused!


#2 jamielaw

Posted 03 December 2006 - 09:26 AM

Hey Laoboybenny

Download Hijackthis:

1. Please go here and download Hijackthis.
2. Unzip Hijackthis into its own folder (e.g. C:\HJT\Hijackthis.exe)
3. Open Hijackthis and select: Do a system scan and save a logfile
4. Let Hijackthis run its course
5. Then once notepad pops up with your logfile, copy/paste it back into this thread.
My Website!

"The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy." - Martin Luther King, Jr.


#3 Laoboybenny

Posted 03 December 2006 - 04:49 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:45:48 PM, on 12/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\{F4F63627-063F-1033-0331-051110050001}\Update.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\PPPATC~1\userinit.exe
C:\Program Files\?icrosoft.NET\??rvices.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\AOL\1159781215\ee\AOLHostManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1159781215\ee\AOLServiceHost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Common Files\AOL\1159781215\ee\AOLServiceHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Patrick\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {173FDAD9-4043-30CA-3A00-4B31C3C1FBEB} - C:\WINDOWS\system32\jga.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1159781215\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [vyhumxm.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\vyhumxm.dll,yjhzmv
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [phsgtdb.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\phsgtdb.dll,jopvox
O4 - HKLM\..\Run: [mlwzqde.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\mlwzqde.dll,xhcrrnf
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [uqro] C:\Program Files\Common Files\uqro\uqrom.exe
O4 - HKCU\..\Run: [Romd] "C:\WINDOWS\system32\PPPATC~1\userinit.exe" -vt yazb
O4 - HKCU\..\Run: [Vltudf] C:\Program Files\?icrosoft.NET\??rvices.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm078YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1157063542750
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
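The entries jamielaw goes after in the fixes that follow can be picked out of a HijackThis log mechanically. The script below is an added example, not part of this thread and not HijackThis or VundoFix code; it parses O4 and R3 lines in the v1.99 format and applies three heuristics that the log above exhibits: rundll32 loading a random-named DLL from system32, paths containing characters HijackThis renders as '?', and an executable launched from an 8.3 short-name subdirectory of system32. The sample lines are constructed from the posted log.

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis v1.99 log format, modelled on the log posted
# in the thread: three benign entries plus the five the helper's fix targets.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {173FDAD9-4043-30CA-3A00-4B31C3C1FBEB} - C:\WINDOWS\system32\jga.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vyhumxm.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\vyhumxm.dll,yjhzmv
O4 - HKLM\..\Run: [phsgtdb.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\phsgtdb.dll,jopvox
O4 - HKCU\..\Run: [Romd] "C:\WINDOWS\system32\PPPATC~1\userinit.exe" -vt yazb
O4 - HKCU\..\Run: [Vltudf] C:\Program Files\?icrosoft.NET\??rvices.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
R3_RE = re.compile(r"^R3 - URLSearchHook: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^,\s]+\.dll),(?P<export>\S+)", re.I)
SHORT_DIR_RE = re.compile(r"\\system32\\[^\\]+~\d\\", re.I)  # e.g. system32\PPPATC~1\
LOWER_BLOB_RE = re.compile(r"^[a-z]+$")  # names like vyhumxm / yjhzmv: lowercase, no structure

def parse_command_target(cmd: str) -> str:
    """Return the file a Run value really executes: the DLL for rundll32, else the exe."""
    m = RUNDLL_RE.search(cmd)
    if m:
        return m.group("dll")
    m = re.match(r'^"?(?P<target>.*?\.(?:exe|dll|cpl))', cmd, re.I)
    return m.group("target") if m else cmd

def check_run_value(name: str, cmd: str) -> List[str]:
    """Apply the three heuristics visible in the posted log to one O4 entry."""
    reasons = []
    m = RUNDLL_RE.search(cmd)
    if m:
        dll = m.group("dll")
        base = dll.rsplit("\\", 1)[-1]
        stem = base[:-4]
        random_looking = bool(LOWER_BLOB_RE.match(stem) and LOWER_BLOB_RE.match(m.group("export")))
        if "\\system32\\" in dll.lower() and (name.lower() == base.lower() or random_looking):
            reasons.append("rundll32 loads a system32 DLL with a random-looking name and export")
    if "?" in cmd:
        # HijackThis prints non-ASCII characters as '?', so '?icrosoft.NET' is a
        # lookalike directory, not Microsoft.NET.
        reasons.append("path contains characters HijackThis renders as '?' (lookalike name)")
    if SHORT_DIR_RE.search(cmd):
        reasons.append("executable runs from an 8.3 short-name subdirectory of system32")
    return reasons

def triage(log_text: str) -> List[Dict[str, object]]:
    """Scan a HijackThis log and return the O4/R3 entries worth a second look."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            reasons = check_run_value(m.group("name"), m.group("cmd"))
            if reasons:
                findings.append({"entry": m.group("name"),
                                 "target": parse_command_target(m.group("cmd")),
                                 "reasons": reasons})
            continue
        m = R3_RE.match(line)
        if m and m.group("name") == "(no name)" and m.group("path").lower().endswith(".dll"):
            findings.append({"entry": m.group("path").rsplit("\\", 1)[-1],
                             "target": m.group("path"),
                             "reasons": ["nameless URLSearchHook backed by a DLL"]})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["entry"], "->", f["target"], "|", "; ".join(f["reasons"]))
```

The "target" paths it reports are the ones to cross-check against the file list a removal tool such as VundoFix prints; the benign NvCpl and Java entries are left alone.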

#4 jamielaw

Posted 03 December 2006 - 04:55 PM

Hey Laoboybenny

Firewall:

Please download one of these free firewalls and install it, either ZoneAlarm or OutPost

Antivirus:

Please download one of these free antiviruses and install it, either AVG or Avast

Rename Hijackthis:

1. Locate the program Hijackthis.
2. Select the file, right-click and select Rename.
3. Please change the name to: jamielaw

Vundo Fix:

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

ComboFix:

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running! That may cause it to stall.


Uninstall List:

1. Open Hijackthis and select: Open the Misc Tools section.
2. Then choose: Open Uninstall Manager and click Save List.
3. Save the list to your computer.
4. Then copy the contents of the list back to this thread in your next reply.

Please can you include the following logs in your next reply - they may need separate posts to stop them getting cut off:

VundoFix log
ComboFix log
Uninstall List
A new Hijackthis log


#5 Laoboybenny

Posted 04 December 2006 - 01:36 AM

VundoFix V6.2.13

Checking Java version...

Java version is 1.5.0.6

Scan started at 12:10:19 AM 12/4/2006

Listing files found while scanning....

C:\WINDOWS\system32\mlwzqde.dll
C:\WINDOWS\system32\nfkcyqe.dll
C:\WINDOWS\system32\phsgtdb.dll
C:\WINDOWS\system32\winbfi32.dll
C:\WINDOWS\system32\vtstr.dll
C:\WINDOWS\system32\rtstv.ini
C:\WINDOWS\system32\rtstv.bak1
C:\WINDOWS\system32\rtstv.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mlwzqde.dll
C:\WINDOWS\system32\mlwzqde.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nfkcyqe.dll
C:\WINDOWS\system32\nfkcyqe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\phsgtdb.dll
C:\WINDOWS\system32\phsgtdb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\winbfi32.dll
C:\WINDOWS\system32\winbfi32.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtstr.dll
C:\WINDOWS\system32\vtstr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rtstv.ini
C:\WINDOWS\system32\rtstv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\rtstv.bak1
C:\WINDOWS\system32\rtstv.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rtstv.bak2
C:\WINDOWS\system32\rtstv.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

#6 Laoboybenny

Posted 04 December 2006 - 01:53 AM

Is ComboFix supposed to clear my desktop and say 'performing a scan of your machine'? I'm just worried because my desktop is clear and it seems like it's doing nothing. I haven't exited it or touched it since. Any estimate on how long the scan is supposed to take? Sorry for the bother, thanks.

#7 Laoboybenny

Posted 04 December 2006 - 02:42 AM

Patrick - 06-12-04 0:38:37.85 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Patrick\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\setup.exe.tmp
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\outlook
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{34F63627-063F-1033-0331-051110050001}
C:\Program Files\Common Files\{F4F63627-063F-1033-0331-051110050001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Patrick\My Documents\ICROSO~1
C:\QooBox\Purity\Documents and Settings\Patrick\My Documents\ICROSO~1\rundll32.exe
C:\QooBox\Purity\Documents and Settings\Patrick\My Documents\ICROSO~1\?icrosoft
C:\QooBox\Purity\Program Files\ICROSO~1.NET
C:\QooBox\Purity\Program Files\ICROSO~1.NET\??rvices.exe
C:\QooBox\Purity\WINDOWS\system32\PPPATC~1
C:\QooBox\Purity\WINDOWS\system32\PPPATC~1\userinit.exe
C:\QooBox\Purity\WINDOWS\system32\PPPATC~1\?ppPatch


((((((((((((((((((((((((((((((( Files Created from 2006-11-04 to 2006-12-04 ))))))))))))))))))))))))))))))))))


2006-12-04 00:25 822,672 ---hs---- C:\WINDOWS\system32\mlkkj.bak1
2006-12-04 00:25 274,484 ---hs---- C:\WINDOWS\system32\jkklm.dll
2006-12-04 00:10 <DIR> d-------- C:\VundoFix Backups
2006-12-03 02:38 71,680 --a------ C:\WINDOWS\system32\xlnehvf.dll
2006-12-03 02:38 40,973 ---hs---- C:\WINDOWS\system32\tuvsrpp.dll
2006-12-02 18:44 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-12-02 18:44 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-12-02 18:44 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-12-02 18:44 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-12-02 18:20 32,768 --a------ C:\WINDOWS\system32\drivers\sisnic.sys
2006-12-02 17:47 71,680 --a------ C:\WINDOWS\system32\xjszyij.dll
2006-12-02 17:46 40,973 ---hs---- C:\WINDOWS\system32\byxyaxx.dll
2006-12-01 18:40 88,340 --a------ C:\WINDOWS\system32\aqgmesdr.exe
2006-12-01 18:40 42,516 --a------ C:\WINDOWS\system32\khsnqjxd.dll
2006-12-01 18:40 126,996 --a------ C:\WINDOWS\system32\oqikjasm.dll
2006-12-01 18:34 71,680 --a------ C:\WINDOWS\system32\kzamotl.dll
2006-12-01 18:34 56,320 --a------ C:\WINDOWS\system32\jga.dll
2006-12-01 18:34 40,973 ---hs---- C:\WINDOWS\system32\awtrqqo.dll
2006-12-01 18:34 2 --a------ C:\WINDOWS\system32\wapitr.exe
2006-11-29 16:50 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-29 16:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-11-19 14:12 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-11-18 20:44 93,184 --a------ C:\WINDOWS\system32\vyhumxm.dll
2006-11-18 20:44 71,168 --a------ C:\WINDOWS\system32\sicddpm.dll
2006-11-04 13:13 16,976 --a------ C:\WINDOWS\system32\WowAPI.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-04 01:03 -------- d-------- C:\Program Files\Common Files
2006-12-02 17:28 -------- d-------- C:\Program Files\AOL
2006-12-01 19:34 -------- d-------- C:\Program Files\World of Warcraft
2006-12-01 02:29 -------- d-------- C:\Program Files\AIM
2006-11-29 17:12 -------- d-------- C:\Program Files\whInstall
2006-11-19 14:08 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-11-19 03:53 -------- d-------- C:\Program Files\WildTangent
2006-11-19 03:52 -------- d-------- C:\Program Files\VirtualDJ
2006-11-19 03:38 -------- d-------- C:\Program Files\QuickTime
2006-11-11 06:45 -------- d-------- C:\Documents and Settings\Patrick\Application Data\LimeWire
2006-11-06 11:47 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-03 21:12 -------- d-------- C:\Program Files\Windows Media Player
2006-10-10 21:24 -------- d---s---- C:\Documents and Settings\Patrick\Application Data\Microsoft
2006-10-10 06:32 26802 --a------ C:\WINDOWS\system32\winlogin.exe
2006-10-05 23:07 -------- d-------- C:\Program Files\iTunes
2006-10-05 23:07 -------- d-------- C:\Program Files\iPod


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"uqro"="C:\\Program Files\\Common Files\\uqro\\uqrom.exe"
"Romd"="\"C:\\WINDOWS\\system32\\PPPATC~1\\userinit.exe\" -vt yazb"
"Vltudf"="C:\\Program Files\\?icrosoft.NET\\??rvices.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"nwiz"="nwiz.exe /install"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1159781215\\ee\\AOLHostManager.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SoundMan"="SOUNDMAN.EXE"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"vyhumxm.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\vyhumxm.dll,yjhzmv"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"phsgtdb.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\phsgtdb.dll,jopvox"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkklm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1145486934.job

Completion time: 06-12-04 1:04:57.04
C:\ComboFix.txt ... 06-12-04 01:04

#8 Laoboybenny

Posted 04 December 2006 - 05:13 PM

After I click 'save list', where does the list go, and where can I paste it back to you?

Edited by Laoboybenny, 04 December 2006 - 05:17 PM.


#9 jamielaw

Posted 04 December 2006 - 05:46 PM

Hey Laoboybenny

After I click 'save list', where does the list go, and where can I paste it back to you?

You decide where to save it. Then copy/paste the list back into this thread.

Update Java:

Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses, so I strongly recommend you update. Click here to download the latest version of Java (Java Runtime Environment (JRE) 5.0 Update 10). Please install it and then reboot your computer.

Remove the older versions of Java:
  • Click Start, Control Panel, Add/Remove Programs.
  • Delete all Java updates except J2SE Runtime Environment 5.0 Update 10
Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\QooBox
    C:\WINDOWS\system32\mlkkj.bak1
    C:\WINDOWS\system32\jkklm.dll
    C:\VundoFix Backups
    C:\WINDOWS\system32\xlnehvf.dll
    C:\WINDOWS\system32\tuvsrpp.dll
    C:\WINDOWS\system32\Process.exe
    C:\WINDOWS\system32\xjszyij.dll
    C:\WINDOWS\system32\byxyaxx.dll
    C:\WINDOWS\system32\aqgmesdr.exe
    C:\WINDOWS\system32\khsnqjxd.dll
    C:\WINDOWS\system32\oqikjasm.dll
    C:\WINDOWS\system32\kzamotl.dll
    C:\WINDOWS\system32\jga.dll
    C:\WINDOWS\system32\awtrqqo.dll
    C:\WINDOWS\system32\wapitr.exe
    C:\WINDOWS\system32\vyhumxm.dll
    C:\WINDOWS\system32\sicddpm.dll
    C:\WINDOWS\system32\WowAPI.dll
    C:\WINDOWS\system32\winlogin.exe


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

If Limewire or WildTangent are present in Add/Remove Programs (Control panel) then please can you remove them.

Submit Files:

You have one or more files of interest to us. It would help the detection rates of the tools we use if we could get hold of samples of these infections.

1. Go to this website: http://www.bleepingcomputer.com/submit-malware.php?channel=15
2. Copy/paste this into the 'Link to Topic' box: http://www.bleepingcomputer.com/forums/t/74094/please-help-new-to-computers-smitfraud/
3. Copy/paste this into the 'Browser for File' box: C:\!KillBox
4. Let me know if it was successful or not.

How is your computer running - any problems? Please could you post a Hijackthis log?
