How do you delete certain Windows files that it says are being "run"? I already tried rebooting into safe mode, but it didn't work. I'm pretty sure there's a program for this?
Hmm... well, KillBox said the file could not be deleted, and I even tried it in safe mode too. Any help with this? The file name is wininet.dll in the system32 folder, if this helps at all.
Logfile of HijackThis v1.99.1
Scan saved at 5:55:28 PM, on 6/14/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Virus:W32/Smitfraud.A Disinfected Operating system
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/TheLocalSearch No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\76EB197F-298E-4CAD-8F3D-714B8B\36176DDD-2773-4960-97B0-61026C
Virus:W32/Smitfraud.A Disinfected C:\WINDOWS\system32\wininet.dll
The Panda ActiveScan log that I provided found 4 things; it doesn't seem to be major, but I would like them to be gone:
Virus:W32/Smitfraud.A Disinfected Operating system
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/TheLocalSearch No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\76EB197F-298E-4CAD-8F3D-714B8B\36176DDD-2773-4960-97B0-61026C
Virus:W32/Smitfraud.A Disinfected C:\WINDOWS\system32\wininet.dll
2 of the 4 items in that log are already disinfected.
Another one is just in quarantine. You should be able to manage quarantined items through Microsoft Antispyware.
The last item should be able to be resolved by running Spybot.
1. Download the latest version of Spybot from either:
* http://www.safer-networking.org/en/download/index.html
* http://www.spybot.info/en/mirrors/index.html
2. Install Spybot; by default it should install into C:\Program Files\Spybot - Search & Destroy.
3. Run Spybot by clicking on "Start" => "Programs" => "Spybot - Search & Destroy" => "Spybot - Search & Destroy".
4. The first time you run it, allow it to create a backup of your registry when prompted. This will take a few minutes to complete.
5. Click on "Search for Updates".
6. If any updates are found, place a check mark next to each and click on "Download Updates".
7. Click on "Immunize" and, once it detects what has or has not been blocked, block all remaining items by clicking on the green plus sign next to Immunize at the top.
8. Click on "Search & Destroy" => "Check for Problems".
9. If any problems are found, be sure to click on "Fix Selected Problems."
I did a scan with Spybot and removed something, but even after that, Panda ActiveScan still found the following. The scanner says it disinfects it, but when I do another scan it finds the same thing:
Incident Status Location
Virus:W32/Smitfraud.A Disinfected Operating system
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/TheLocalSearch No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\76EB197F-298E-4CAD-8F3D-714B8B\36176DDD-2773-4960-97B0-61026C
Virus:W32/Smitfraud.A Disinfected C:\WINDOWS\system32\wininet.dll
- Double-click the mwav.exe icon to run it (it'll self extract).
- When it opens, check the following:
---- Memory
---- Registry
---- Startup Folders
---- System Folders
---- Services
---- Drive
---- All local drives
---- Scan all files
- Then click on SCAN
When it completes, post back the results (copy and paste) from the 'Virus log information' pane.
Hmm... my monitor has been screwing up lately too. I can't see a screen during startup, but when I'm at the Windows XP welcome screen I can turn my monitor off and on and it will work. I'm wondering if this is a problem with my video card or some type of setting. I already tried looking for newer drivers, but couldn't find anything. It also won't work for things like computer games, if this helps?
You need to run a good registry cleaner. You can download the trial version for either of these programs. Both are very good. In fact, you could run both of them.
I was trying to find a CD key for a program and got another virus. Here's my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:35:46 PM, on 6/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
And here are my Panda ActiveScan results (it seems that sometimes Panda says it disinfects the file, but when I run another scan it still finds it):
Incident Status Location
Virus:W32/Smitfraud.A Disinfected Operating system
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\System32\ztoolb001.dll
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\System32\ztoolbar.bmp
Adware:Adware/Virmaid No disinfected Windows Registry
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Kurt\Desktop\Extra Stuff\hijackthis_199\backups\backup-20050618-193644-378.dll
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0ZEXIZOX\loadppc[1].exe
Adware:Adware/TheLocalSearch No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\76EB197F-298E-4CAD-8F3D-714B8B\36176DDD-2773-4960-97B0-61026C
Virus:W32/Smitfraud.A Disinfected C:\WINDOWS\system32\wininet.dll
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\system32\ztoolb001.dll
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\system32\ztoolbar.bmp
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\system32\ztoolbar.xml
I did a Trend Micro scan because I already provided a Panda ActiveScan:
Virus Scan No virus detected
Results:
We have detected 0 infected file(s) with 0 virus(es) on your computer. Only 0 out of 0 infected files are displayed.
Detected File Associated Virus Name
Trojan/Worm Check No worm/Trojan horse detected
What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed.
Trojan/Worm Name Trojan/Worm Type
Spyware Check 2 spyware programs detected
What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 2 spyware(s) on your computer. Only 0 out of 0 spywares are displayed.
Spyware Name Spyware Type
COOKIE_1523 Cookie
COOKIE_2631 Cookie
Microsoft Vulnerability Check 12 vulnerabilities detected
What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:
We have detected 12 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.
Risk Level Issue How to Fix
Critical This vulnerability enables a remote attacker to execute arbitrary code through the use of a malformed Advanced Streaming Format (ASF) file. It is caused by a buffer overflow in Microsoft Windows Media Player 6.4. MS01-056
Critical This vulnerability allows a remote attacker to execute arbitrary code via a NOTIFY directive with a long Location URL when the buffer overflow in Universal Plug and Play (UPnP) on Windows 98, 98SE, ME, and XP is triggered.;The Universal Plug and Play (UPnP) on Windows 98, 98SE, ME, and XP could allow a remote attacker to cause a denial of service via a spoofed SSDP advertisement or a spoofed SSDP announcement to broadcast or multicast addresses. The former could cause the client to connect to a service on another machine that generates a large amount of traffic, while the latter could cause all UPnP clients to send traffic to a single target system. MS01-059
Critical This vulnerability allows an attacker to cause a denial of service against a target server machine. This is caused by a buffer overflow in the SMB protocol in Microsoft Windows NT, Windows 2000, and Windows XP. MS02-045
Highly Critical This vulnerability enables a remote attacker to execute arbitrary code through a WebDAV request to IIS 5.0. This is caused by a buffer overflow in NTDLL.DLL on Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP. MS03-007
Highly Critical This vulnerability enables a remote attacker to execute any file that can be rendered as text, and be opened as part of a page in Internet Explorer. MS03-014
Critical This vulnerability allows a remote attacker to execute arbitrary code without user approval. This is caused by the authenticode capability in Microsoft Windows NT through Server 2003 not prompting the user to download and install ActiveX controls when system is low on memory. MS03-041
Critical This vulnerability allows a remote attacker to execute arbitrary code on the affected system. This is caused by a buffer overflow in the Messenger Service for Windows NT through Server 2003. MS03-043
Critical The MHTML URL Processing Vulnerability allows remote attackers to bypass domain restrictions and execute arbitrary code via script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers. This could allow an attacker to take complete control of an affected system. MS04-013
Critical This vulnerability exists in the Help and Support Center (HCP) and is due to the way it handles HCP URL validation. This vulnerability could allow an attacker to remotely execute arbitrary code with Local System privileges. MS04-015
Moderate A denial of service (DoS) vulnerability exists in Outlook Express that could cause the said program to fail. The malformed email should be removed before restarting Outlook Express in order to regain its normal operation. MS04-018
Critical This vulnerability lies in an unchecked buffer within the Task Scheduler component. When exploited, it allows the attacker to execute arbitrary code on the affected machine with the same privileges as the currently logged on user. MS04-022
Critical An attacker who successfully exploits this vulnerability could gain the same privileges as that of the currently logged on user. If the user is logged in with administrative privileges, the attacker could take complete control of the system. User accounts with fewer privileges are at less risk than users with administrative privileges. MS04-023
Logfile of HijackThis v1.99.1
Scan saved at 9:49:58 PM, on 6/25/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
I'm not really having any major problems; it's just the fact that Panda finds viruses when it should be a clean scan when it's done. I realize a couple of the files are supposed to be there, but still, there are some that shouldn't be. Again, my monitor is still troubling me, but first let's get the virus thing resolved.
here is a new Panda Active Scan log:
Incident Status Location
Virus:W32/Smitfraud.A Disinfected Operating system
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Kurt\Desktop\Extra Stuff\hijackthis_199\backups\backup-20050618-193644-378.dll
Adware:Adware/TheLocalSearch No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\76EB197F-298E-4CAD-8F3D-714B8B\36176DDD-2773-4960-97B0-61026C
Virus:W32/Smitfraud.A Disinfected C:\WINDOWS\system32\wininet.dll
Download the file to your desktop and unzip it to C:\WINDOWS\system32\
A window will pop up and ask if you want to replace the wininet.dll with the one you have downloaded; answer Yes. If you get an error when doing this, boot into Safe Mode and make sure you don't have Internet Explorer running, then try it again.
Reboot your system.
=================
Please RIGHT-CLICK here and go to Save As (in Internet Explorer it's "Save Target As") in order to download Metallica’s reg file. Save it to your desktop.
Reboot into safemode
Now run Metallica’s reg file.
Even though these are nothing to worry about, you can delete these files/folders:
C:\Documents and Settings\Kurt\Desktop\Extra Stuff\hijackthis_199\backups\backup-20050618-193644-378.dll
C:\Program Files\Microsoft AntiSpyware\Quarantine\76EB197F-298E-4CAD-8F3D-714B8B\36176DDD-2773-4960-97B0-61026C
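The distinction the reply above draws (hits inside a quarantine or HijackThis backup folder are leftovers, the system32 hit is the live problem) can be applied mechanically across scans. The following is an added example, not code from the thread or from Panda: it parses the "Incident Status Location" rows from the three scans posted in this thread, collapses rows that differ only in path case, sorts each hit into a category by where it lives, and reports which entries Panda keeps calling "Disinfected" on every scan, which is exactly the symptom the poster describes. The category names, the path markers used to classify a hit, and the two-scan threshold are my assumptions.

```python
"""Correlate Panda ActiveScan "Incident  Status  Location" rows across scans.

Added example; not part of the forum thread and not Panda's own tooling.
The three sample scans are rows copied from the thread; the location
categories and the "seen in two or more scans" rule are my assumptions.
"""
import re
from collections import OrderedDict
from typing import Dict, List, Tuple

# One flattened table row: incident (never contains spaces), status, then the location.
ROW = re.compile(r"^(?P<incident>\S+)\s+(?P<status>Disinfected|No disinfected)\s+(?P<location>.+)$")


def classify(location: str) -> str:
    """Sort a hit by where it lives, since that decides what (if anything) to do about it."""
    loc = location.lower()
    if loc in ("operating system", "windows registry"):
        return "registry residue"   # nothing on disk to delete; needs a registry fix
    if "\\quarantine\\" in loc or "\\backups\\" in loc:
        return "archived copy"      # already neutralised by another tool; just delete the archive
    if "\\temporary internet files\\" in loc:
        return "browser cache"      # dropped by a web page; clearing the cache is enough
    return "live file"


def parse_scan(text: str) -> Dict[Tuple[str, str], str]:
    """Return {(incident, normalised location): status}; rows differing only in path case collapse."""
    rows: Dict[Tuple[str, str], str] = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:                       # the "Incident Status Location" header and blank lines do not match
            rows[(m["incident"], m["location"].strip().lower())] = m["status"]
    return rows


def correlate(scans: List[str]) -> List[dict]:
    """Merge several scans into one record per (incident, location), in first-seen order."""
    seen: "OrderedDict[Tuple[str, str], dict]" = OrderedDict()
    for idx, text in enumerate(scans, 1):
        for key, status in parse_scan(text).items():
            rec = seen.setdefault(key, {"incident": key[0], "location": key[1],
                                        "category": classify(key[1]),
                                        "seen_in": [], "statuses": []})
            rec["seen_in"].append(idx)
            rec["statuses"].append(status)
    return list(seen.values())


def not_sticking(records: List[dict]) -> List[dict]:
    """'Disinfected' in two or more scans means the fix is being undone (file restored
    or re-dropped), not applied once; those items need a different approach."""
    return [r for r in records
            if len(r["seen_in"]) >= 2 and all(s == "Disinfected" for s in r["statuses"])]


# Constructed input: the rows posted on 6/14, 6/20 and 6/25, as quoted in the thread.
SCAN_0614 = r"""Incident Status Location
Virus:W32/Smitfraud.A Disinfected Operating system
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/TheLocalSearch No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\76EB197F-298E-4CAD-8F3D-714B8B\36176DDD-2773-4960-97B0-61026C
Virus:W32/Smitfraud.A Disinfected C:\WINDOWS\system32\wininet.dll
"""
SCAN_0620 = r"""Incident Status Location
Virus:W32/Smitfraud.A Disinfected Operating system
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\System32\ztoolb001.dll
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\System32\ztoolbar.bmp
Adware:Adware/Virmaid No disinfected Windows Registry
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Kurt\Desktop\Extra Stuff\hijackthis_199\backups\backup-20050618-193644-378.dll
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0ZEXIZOX\loadppc[1].exe
Adware:Adware/TheLocalSearch No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\76EB197F-298E-4CAD-8F3D-714B8B\36176DDD-2773-4960-97B0-61026C
Virus:W32/Smitfraud.A Disinfected C:\WINDOWS\system32\wininet.dll
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\system32\ztoolb001.dll
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\system32\ztoolbar.bmp
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\system32\ztoolbar.xml
"""
SCAN_0625 = r"""Incident Status Location
Virus:W32/Smitfraud.A Disinfected Operating system
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Kurt\Desktop\Extra Stuff\hijackthis_199\backups\backup-20050618-193644-378.dll
Adware:Adware/TheLocalSearch No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\76EB197F-298E-4CAD-8F3D-714B8B\36176DDD-2773-4960-97B0-61026C
Virus:W32/Smitfraud.A Disinfected C:\WINDOWS\system32\wininet.dll
"""

if __name__ == "__main__":
    recs = correlate([SCAN_0614, SCAN_0620, SCAN_0625])
    for r in recs:
        print(f"{r['category']:16} scans {r['seen_in']}  {r['incident']}  {r['location']}")
    print("\nReported 'Disinfected' but back on the next scan:")
    for r in not_sticking(recs):
        print(" ", r["incident"], r["location"])
```

Run as-is it prints ten distinct hits (the 6/20 scan lists ztoolb001.dll and ztoolbar.bmp twice, once as System32 and once as system32, so those collapse) and names the two entries whose "Disinfected" status never holds: the "Operating system" entry and C:\WINDOWS\system32\wininet.dll. The "No disinfected" entries are a different case, since the scanner never claimed to fix them; the quarantine and backup hits are archived copies that another tool already removed from their original location.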
Hey, I had the same problem that you had. I solved it this way:
I restarted my computer with the WinXP CD in my CD-ROM drive and booted from it. Then I chose to repair my system and got the Recovery Console. Then I simply deleted wininet.dll manually and booted again normally. The clean .dll file can be found via Google.
It is true that Windows in safe mode is not enough to remove the file! Now I got rid of the Smitfraud virus, yeah.
http://www.short-media.com/forum/showpost.php?p=172584&postcount=2
Scan saved at 5:55:28 PM, on 6/14/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Kurt\Desktop\stingmh\d2maphack.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093135813508
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F118DE87-6FA9-467C-B882-26E0D31C87C5}: NameServer = 142.161.130.155 142.161.2.155
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
http://www.liutilities.com/products/wintaskspro/dlllibrary/wininet/
Your log looks clean to me. What problems are you having?
Download mwav.exe from MicroWorld, then:
File C:\WINDOWS\system32\WININET.dll infected by "Virus.Win32.Nsag.a" Virus! Action Taken: No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Roxio Shared\DLLShared". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\SpyDoctor.EBankProblem" refers to invalid object "{AE612304-E8F9-45D9-A444-32409D33E954}". Action Taken: No Action Taken.
Entry "HKCR\SpyDoctor.QuarantinedItemProxy" refers to invalid object "{C2CE6266-0404-4C54-96B4-8829852E3537}". Action Taken: No Action Taken.
Entry "HKCR\SpyDoctor.ScripterProxy" refers to invalid object "{9FEF02F5-B3B8-4D7B-8939-72A1C989D1B9}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPShell.HWEventHandler" refers to invalid object "{9B186A8F-F520-4eeb-B553-118304AC46C5}". Action Taken: No Action Taken.
Entry "HKCR\WMPShell.HWEventHandler.1" refers to invalid object "{9B186A8F-F520-4eeb-B553-118304AC46C5}". Action Taken: No Action Taken.
File C:\WINDOWS\System32\wininet.dll infected by "Virus.Win32.Nsag.a" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Kurt\LOCALS~1\TEMPOR~1\Content.IE5\30CXUQAP\prompt[2].php infected by "Trojan-Downloader.JS.IstBar.j" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Kurt\LOCALS~1\TEMPOR~1\Content.IE5\30CXUQAP\ysb_prompt[2].php infected by "Trojan-Downloader.JS.IstBar.j" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Kurt\LOCALS~1\TEMPOR~1\Content.IE5\M9KRIQFO\prompt[2].php infected by "Trojan-Downloader.JS.IstBar.k" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Kurt\LOCALS~1\TEMPOR~1\Content.IE5\U3EEAYSC\ysb_prompt[2].php infected by "Trojan-Downloader.JS.IstBar.j" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Karl\Application Data\Mozilla\Firefox\Profiles\default.wrj\Cache\8DFAA9B1d01 tagged as not-a-virus:Tool.Win32.Processor.1001. No Action Taken.
File C:\Documents and Settings\Kurt\Local Settings\Temporary Internet Files\Content.IE5\30CXUQAP\prompt[2].php infected by "Trojan-Downloader.JS.IstBar.j" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Kurt\Local Settings\Temporary Internet Files\Content.IE5\30CXUQAP\ysb_prompt[2].php infected by "Trojan-Downloader.JS.IstBar.j" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Kurt\Local Settings\Temporary Internet Files\Content.IE5\M9KRIQFO\prompt[2].php infected by "Trojan-Downloader.JS.IstBar.k" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Kurt\Local Settings\Temporary Internet Files\Content.IE5\U3EEAYSC\ysb_prompt[2].php infected by "Trojan-Downloader.JS.IstBar.j" Virus! Action Taken: No Action Taken.
File C:\Program Files\BitTorrent\uninstall.exe tagged as not-a-virus:Tool.Win32.Processor.1001. No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\76EB197F-298E-4CAD-8F3D-714B8B\36176DDD-2773-4960-97B0-61026C tagged as "not-a-virus:AdWare.ToolBar.MaidBar.a". Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-796845957-484763869-1343024091-1004\Dc6.exe tagged as not-a-virus:Tool.Win32.Processor.1001. No Action Taken.
File C:\WINDOWS\system32\wininet.dll infected by "Virus.Win32.Nsag.a" Virus! Action Taken: No Action Taken.
http://cleanup.stevengould.org/
You need to run a good registry cleaner. You can download the trial version for either of these programs. Both are very good. In fact, you could run both of them.
TuneUp Utilities 2004
http://esd.element5.com/product.html?productid=528192&languageid=1&affiliateid=70683
Registry Tuneup
http://www.acelogix.com/regtune.html
Do you have your Windows XP disc? If you do have it, then delete this file.
C:\WINDOWS\system32\WININET.dll
Now put in your disc, go to Start -> Run and type: sfc /scannow
This should restore any system files that are missing or corrupted.
Let me know how it goes.
Open HijackThis, press the "Open Misc. Tools section" button, press "Delete a file on reboot...", select the file, then press Open and Yes to confirm.
Delete this file:
C:\WINDOWS\system32\WININET.dll
Logfile of HijackThis v1.99.1
Scan saved at 10:35:46 PM, on 6/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\stchost.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\System32\ztoolb001.dll
O3 - Toolbar: ZToolbar - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\System32\ztoolb001.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093135813508
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F118DE87-6FA9-467C-B882-26E0D31C87C5}: NameServer = 142.161.130.155 142.161.2.155
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: stchost.exe (moto) - Unknown owner - C:\WINDOWS\stchost.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
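As an added example (not part of this thread and not HijackThis code), here is a small triage pass over a log like the one above. Rather than eyeballing each line, it reads the "Running processes" list and the R0/O2/O3/O23 sections and checks a handful of patterns: a file name one edit away from a core Windows binary, a core binary name running from the wrong directory, a service with no listed owner sitting directly in %WINDIR%, a browser extension loaded from System32, and an IE start page set to a local file. The output is a list of items to look at, not a verdict; the directory table and the heuristics are my assumptions, and the sample log is a cut-down copy of the 6/20 log quoted above.

```python
"""Triage a HijackThis v1.99 log for the patterns an analyst checks first.

Added example; not part of the thread and not HijackThis code. It reads the
"Running processes" list and the R0/O2/O3/O23 lines and flags items to review
(not verdicts). The sample log is assembled from lines quoted in the thread;
EXPECTED_DIR and the heuristics are my assumptions.
"""
import re
from collections import namedtuple
from typing import List, Optional, Tuple

# Where core Windows XP binaries normally live (assumed, deliberately short list).
SYS32, WINDIR = r"c:\windows\system32", r"c:\windows"
EXPECTED_DIR = {"smss.exe": SYS32, "winlogon.exe": SYS32, "services.exe": SYS32,
                "lsass.exe": SYS32, "svchost.exe": SYS32, "explorer.exe": WINDIR}

HJT_LINE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
O23 = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O2_O3 = re.compile(r"^(?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")

Finding = namedtuple("Finding", "code reason detail")  # code is "PROC" or the HJT section


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a look-alike with one swapped letter scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_path(path: str) -> Tuple[str, str]:
    """Lower-cased (directory, file name) of a Windows path, quotes stripped."""
    d, _, name = path.strip().strip('"').replace("/", "\\").lower().rpartition("\\")
    return d, name


def lookalike(name: str) -> Optional[str]:
    """The core binary this name imitates, or None if the name is exact or unrelated."""
    if name in EXPECTED_DIR:
        return None
    return next((s for s in EXPECTED_DIR if levenshtein(name, s) <= 1), None)


def check_binary(code: str, path: str) -> List[Finding]:
    """Flag a look-alike name, or a core binary name running from the wrong directory."""
    d, name = split_path(path)
    out, twin = [], lookalike(name)
    if twin:
        out.append(Finding(code, f"file name is one edit away from {twin}", path))
    if name in EXPECTED_DIR and d != EXPECTED_DIR[name]:
        out.append(Finding(code, f"{name} normally runs from {EXPECTED_DIR[name]}", path))
    return out


def parse_log(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a log into running-process paths and (section code, body) entries."""
    procs, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = HJT_LINE.match(line)
        if m:                                # the first R/F/O line ends the process list
            in_procs = False
            entries.append((m["code"], m["body"]))
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            procs.append(line)
    return procs, entries


def triage(text: str) -> List[Finding]:
    procs, entries = parse_log(text)
    findings = [f for p in procs for f in check_binary("PROC", p)]
    for code, body in entries:
        m = O23.match(body) if code == "O23" else O2_O3.match(body) if code in ("O2", "O3") else None
        if code == "O23" and m:
            findings += check_binary(code, m["path"])
            if m["owner"] == "Unknown owner" and split_path(m["path"])[0] == WINDIR:
                findings.append(Finding(code, "service with no listed owner directly in %WINDIR%", m["path"]))
        elif code in ("O2", "O3") and m and split_path(m["path"])[0] == SYS32:
            findings.append(Finding(code, "browser extension loaded from System32", m["path"]))
        elif code in ("R0", "R1") and body.split(" = ", 1)[-1].lower().startswith("file://"):
            findings.append(Finding(code, "IE start page points at a local file", body.split(" = ", 1)[-1]))
    return findings


# Constructed input: a cut-down version of the 6/20 log quoted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\stchost.exe
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\System32\ztoolb001.dll
O3 - Toolbar: ZToolbar - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\System32\ztoolb001.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: stchost.exe (moto) - Unknown owner - C:\WINDOWS\stchost.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}: {f.detail}")
```

Run as-is it prints six findings for the sample; pass a full log's text to `triage` to check your own. The look-alike check is what singles out stchost.exe next to svchost.exe in the process list and again in the O23 line, while Explorer.EXE in C:\WINDOWS is left alone because that is where it belongs. "Unknown owner" by itself is not a signal (the Ati and PPPoE services in the log above carry it too), which is why it only fires in combination with the binary sitting directly in %WINDIR%.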
Make sure they are set to clean automatically
Panda Virus Scan
Bit Defender
TrendMicro Housecall
There will be files that these scans will not remove. Please include that information in your next post.
Reboot and post a new hijackthis log and the info from your virus scans.
Highly Critical This vulnerability enables a remote attacker to execute arbitrary code through a WebDAV request to IIS 5.0. This is caused by a buffer overflow in NTDLL.DLL on Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP. MS03-007
Highly Critical This vulnerability enables a remote attacker to execute any file that can be rendered as text, and be opened as part of a page in Internet Explorer. MS03-014
Critical This vulnerability allows a remote attacker to execute arbitrary code without user approval. This is caused by the authenticode capability in Microsoft Windows NT through Server 2003 not prompting the user to download and install ActiveX controls when system is low on memory. MS03-041
Critical This vulnerability allows a remote attacker to execute arbitrary code on the affected system. This is caused of a buffer overflow in the Messenger Service for Windows NT through Server 2003. MS03-043
Critical The MHTML URL Processing Vulnerability allows remote attackers to bypass domain restrictions and execute arbitrary code via script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers.This could allow an attacker to take complete control of an affected system. MS04-013
Critical This vulnerability exists in the Help and Support Center (HCP) and is due to the way it handles HCP URL validation. This vulnerability could allow an attacker to remotely execute arbitrary code with Local System privileges. MS04-015
Moderate A denial of service (DoS) vulnerability exists in Outlook Express that could cause the said program to fail. The malformed email should be removed before restarting Outlook Express in order to regain its normal operation. MS04-018
Critical This vulnerability lies in an unchecked buffer within the Task Scheduler component. When exploited, it allows the attacker to execute arbitrary code on the affected machine with the same privileges as the currently logged on user. MS04-022
Critical An attacker who successfully exploits this vulnerability could gain the same privileges as that of the currently logged on user. If the user is logged in with administrative privileges, the attacker could take complete control of the system. User accounts with fewer privileges are at less risk than users with administrative privileges. MS04-023
Scan saved at 9:49:58 PM, on 6/25/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093135813508
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F118DE87-6FA9-467C-B882-26E0D31C87C5}: NameServer = 142.161.130.155 142.161.2.155
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: stchost.exe (moto) - Unknown owner - C:\WINDOWS\stchost.exe (file missing)
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: stchost.exe (moto) - Unknown owner - C:\WINDOWS\stchost.exe (file missing)
Reboot and post a new HijackThis log. What problems are you still having?
Here is a new Panda ActiveScan log:
Incident Status Location
Virus:W32/Smitfraud.A Disinfected Operating system
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Kurt\Desktop\Extra Stuff\hijackthis_199\backups\backup-20050618-193644-378.dll
Adware:Adware/TheLocalSearch No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\76EB197F-298E-4CAD-8F3D-714B8B\36176DDD-2773-4960-97B0-61026C
Virus:W32/Smitfraud.A Disinfected C:\WINDOWS\system32\wininet.dll
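The pattern noted earlier in the thread (Panda reports wininet.dll as "Disinfected", then finds it again on the next scan) is easiest to see by diffing two scans. The following is an added Python example, not code from this thread, that parses Panda ActiveScan's "Incident Status Location" lines and classifies each rescan result; the embedded logs are constructed, abbreviated copies of the two scans posted above.

```python
import re

# Constructed sample data: abbreviated copies of the earlier scan and the rescan.
# Status is either "Disinfected" or the two-word "No disinfected", and Location
# may contain spaces, so a naive str.split() would break the columns.
SCAN_BEFORE = r"""Incident Status Location
Virus:W32/Smitfraud.A Disinfected Operating system
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\System32\ztoolb001.dll
Adware:Adware/SaveNow No disinfected Windows Registry
Virus:W32/Smitfraud.A Disinfected C:\WINDOWS\system32\wininet.dll
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\system32\ztoolb001.dll
"""

SCAN_AFTER = r"""Incident Status Location
Virus:W32/Smitfraud.A Disinfected Operating system
Adware:Adware/SaveNow No disinfected Windows Registry
Virus:W32/Smitfraud.A Disinfected C:\WINDOWS\system32\wininet.dll
"""

LINE_RE = re.compile(
    r"^(?P<incident>\S+)\s+(?P<status>Disinfected|No disinfected)\s+(?P<location>.+)$"
)


def parse_scan(text):
    """Return {(incident, location): status}; header and blank lines are skipped.

    Locations are lower-cased because XP paths are case-insensitive and Panda
    lists the same file twice when it is seen as System32 and system32.
    """
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            results[(m["incident"], m["location"].lower())] = m["status"]
    return results


def triage(before, after):
    """Classify rescan results relative to the earlier scan."""
    b, a = parse_scan(before), parse_scan(after)
    report = {"gone": [], "still_present": [], "reappeared_after_disinfect": [], "new": []}
    for key, status in a.items():
        if key not in b:
            report["new"].append(key)
        elif b[key] == "Disinfected":
            # Reported cleaned last time but detected again: the on-disk file was
            # not actually replaced (typical for an in-use DLL such as wininet.dll).
            report["reappeared_after_disinfect"].append(key)
        else:
            report["still_present"].append(key)
    report["gone"] = [k for k in b if k not in a]
    return report
```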
Please download the wininet.dll
http://www.dll-files.com/dllindex/dll-files.shtml?wininet
Download the file to your desktop and unzip the file to C:\WINDOWS\system32\
A window will pop up and ask if you want to replace wininet.dll with the one you have downloaded; answer yes. If you get an error when doing this, boot into Safe Mode and make sure you don't have Internet Explorer running. Then try it again.
Reboot your system.
=================
Please RIGHT-CLICK here and go to Save As (in Internet Explorer it's "Save Target As") in order to download Metallica’s reg file. Save it to your desktop.
Reboot into Safe Mode.
Now run Metallica's reg file.
Even though these are nothing to worry about, you can delete these files/folders:
C:\Documents and Settings\Kurt\Desktop\Extra Stuff\hijackthis_199\backups\backup-20050618-193644-378.dll
C:\Program Files\Microsoft AntiSpyware\Quarantine\76EB197F-298E-4CAD-8F3D-714B8B\36176DDD-2773-4960-97B0-61026C
======================
Run a new Panda scan and post the results.
Hey, I did have the same problem that you have. I solved it this way:
I restarted my computer with the WinXP CD in my CD-ROM drive and booted from it. Then I chose to repair my system and got into the repair console. Then I simply deleted wininet.dll manually and booted again normally. The clean .dll file can be found via Google.
It is true that Windows in Safe Mode is not enough to remove the file! Now I got rid of the Smitfraud virus, yeah.