Zlob, smitfraud, pop ups, red wallpaper changes




  #11  
Old 30th Sep 2007, 12:59
Donor VIP
Posts: 143
 
I figured out how to attach log files by simply changing them to .txt files oopsi
Attached Files
File Type: txt hijackthis-FOUR.txt (10.6 KB, 12 views)

  #12  
Old 30th Sep 2007, 13:14
Moderator
Posts: 7,554
 
Complete this procedure completely including attaching the requested log before doing the second procedure.

Download SmitfraudFix (by S!Ri) to your Desktop.

Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

Note: process.exe (which is used by SmitfraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
__________________

  #13  
Old 30th Sep 2007, 13:48
Donor VIP
Posts: 143
 
Okay, here is the Rapport.log
Attached Files
File Type: txt rapport.txt (5.0 KB, 9 views)
  #14  
Old 30th Sep 2007, 13:58
Moderator
Posts: 7,554
 
PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting. You may want to print out these instructions as you will not be able to see this page in safe mode.

Please reboot your computer in Safe Mode by tapping the F8 key just before Windows starts to load and selecting Safe Mode.
If you are having trouble starting the computer into Safe Mode: Starting your computer in Safe mode

Open the SmitfraudFix Folder on your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process. If your computer does not restart automatically, please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Now reboot into normal mode and attach this new rapport.txt log here.

WARNING Running this option on a non infected computer will remove the desktop background. So only run it once!

================

After this is done please tell me how things are now.
And as usual a fresh HJT log. ;)
__________________

  #15  
Old 30th Sep 2007, 15:47
Donor VIP
Posts: 143
 
hello, well i have done all the steps, and it asked me to clean the registry which i did, didn't ask me anything about wininet.dll, .. it deleted my desktop background (which doesn't really matter, because it was ugly anyway :-P ) here is the new rapport.log and a HJT log attachment.

SmitFraudFix v2.234

Scan done at 18:15:38.20, Sun 09/30/2007
Run from C:\Documents and Settings\Tatjana Blazevic\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\div32.dll Deleted
C:\WINDOWS\mssql.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{A6B63875-F4DA-4705-B945-16F8C1FA3FBF}]
C:\WINDOWS\syscore.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{AF05D607-D0B5-4A61-8B71-A13F8997495B}]

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{9310CEA6-60C1-454C-B77B-992D9B35CB21}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9310CEA6-60C1-454C-B77B-992D9B35CB21}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{9310CEA6-60C1-454C-B77B-992D9B35CB21}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
Attached Files
File Type: txt hijackthis_five.txt (9.4 KB, 12 views)
  #16  
Old 30th Sep 2007, 16:04
Moderator
Posts: 7,554
 
Disable Spybot's TeaTimer.
While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent our tools from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.
* Open Spybot Search & Destroy.
* In the Mode menu click "Advanced mode" if not already selected.
* Choose "Yes" at the Warning prompt.
* Expand the "Tools" menu.
* Click "Resident".
* Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
* In the File menu click "Exit" to exit Spybot Search & Destroy.
+ You can re-enable TeaTimer when we are done.
================

Open HijackThis and select "Do a system scan only"
Place a check mark next to these entries
O2 - BHO: (no name) - {0D5227BF-0C5B-4EA8-833C-FE09F1496F39} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -

Suggestions: These items do not have to be removed by HJT but are unnecessary to run at startup.
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
(Description: A small program that reminds you to register your Creative Labs product (i.e. sound card, video card). Unnecessary. Removing this will free up a small amount of system resources.)
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
(Description: Adjusts monitor colours across all programs, including Photoshop. It is needed by some graphics professionals who want their monitor calibrated. Most home users will not need it, and thus should remove this entry. )
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
(Description: Adjusts monitor colours across all programs, including Photoshop. It is needed by some graphics professionals who want their monitor calibrated. Most home users will not need it, and thus should remove this entry. )
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
(Description: AOL system tray icon. Not necessary. Removing this entry will free up a small amount of system resources.)
Close all windows before clicking "Fix checked"

====================

Run CCleaner and then reboot the computer.

Tell me how things are now.
__________________
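
An added example, not part of the thread and not HijackThis's own code: a small Python triage of the entry types quoted in the post above, flagging BHO (O2) and DPF (O16) entries whose file or download source is missing. The line layout is inferred from the lines shown in the post; `triage` and the verdict labels are hypothetical names.

```python
import re

# Constructed sample: entries copied from the HijackThis lines quoted in the post.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0D5227BF-0C5B-4EA8-833C-FE09F1496F39} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
"""

# "<section> - <kind>: <rest>", as seen in the lines above (assumed layout).
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<kind>[^:]+): ?(?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def triage(log_text):
    """Return (section, clsid_or_None, verdict) for each recognised entry line."""
    results = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, header, running-process list
        section, rest = m["section"], m["rest"].strip()
        found = CLSID_RE.search(rest)
        clsid = found.group(0).upper() if found else None
        verdict = "manual-review"  # e.g. O4 autostarts need a human decision
        if section in ("O2", "O16"):
            # Last field after " -" is the DLL path (O2) or download source (O16).
            target = rest.rpartition(" -")[2].strip()
            if target in ("", "(no file)"):
                verdict = "orphaned"  # registry entry left behind, nothing on disk
        results.append((section, clsid, verdict))
    return results


if __name__ == "__main__":
    for section, clsid, verdict in triage(SAMPLE_LOG):
        print(f"{section:<4}{verdict:<15}{clsid or '-'}")
```
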

  #17  
Old 30th Sep 2007, 17:12
Donor VIP
Posts: 143
 
Hello EF, I did everything you asked, my computer seems to be back to normal (JUPIII) THX TO YOU... i also checked the suggested items.. so far so good!! what do we do now?
  #18  
Old 30th Sep 2007, 17:28
Moderator
Posts: 7,554
 
Good news.

We will want to remove:
Combofix
SmitfraudFix

Re-enable Spybot's TeaTimer

Toggle System restore to remove infected restore points.
System Restore
1: Right click on the My Computer icon on your desktop and select properties.
2: Click on the system restore tab.
3: Check the box that says "Turn off system restore on all drives". Click OK.
4: Click Yes when you are prompted to restart the computer
5: To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box.

Last Keeping yourself safe on the web.

Safe Surfing.
__________________

  #19  
Old 30th Sep 2007, 17:58
Donor VIP
Posts: 143
 
Hello EF- (without sounding corny) I don't know what I would have done without your help!!! Thank you very very very very very much...
See you around the Forum
-Tatjana
  #20  
Old 30th Sep 2007, 20:00
Moderator
Posts: 7,554
 
Quote:
Originally Posted by guccijana View Post
it deleted my desktop background (which doesn't really matter, because it was ugly anyway :-P )
Sorry about the background. Here is a great site with tons of cool free wallpapers to choose from.
Just don't try to download any of the animated wallpapers. They can be a pain and usually come packaged with some sort of hidden toolbar.

http://www.wallpaps.com/eng/category/27/

Safe Surfing!
__________________

Copyright ©2006 - 2010 Computer Juice.
