Smitfraud-C

I've been trying to get rid of this for the last 24 hours. I've tried SpyBot, Ad-aware, SmitRem, Ewido, Spyware Shooter, KillBox, Spyware Doctor, and also downloaded HiJackThis. Maybe I'm not using things in the right order, but am now totally confused. Can anyone help? I've got a deadline to meet.

Many thanks

This is my log from HiJackThis if it helps:

Logfile of HijackThis v1.99.1
Scan saved at 2:31:31 PM, on 5/4/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\dcomcfg.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\PROGRA~1\PRESTO~1\PRESTO~1.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Cloudmark\SafetyBar\OE\snoe.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\WINNT\explorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\XoftSpySE\xoftspy.exe
C:\Documents and Settings\user\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINNT\system32\hp90D1.tmp
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [8518iaf7] C:\WINNT\System32\8518iaf7.exe
O4 - HKLM\..\Run: [Hqslp] C:\Program Files\Xoirw\Nedlzls.exe
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\4.bin\MWSBAR.DLL,S
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [PrestoNotes] C:\PROGRA~1\PRESTO~1\PRESTO~1.exe
O4 - HKCU\..\Run: [Elprime Clock Pro] F:\Program Files\ElprimeClockPro\EClock.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SafetyBar for Microsoft Outlook Express.lnk = C:\Program Files\Cloudmark\SafetyBar\OE\snoe.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZN
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Girafa - {78A7D3B4-23E3-11D4-A682-0050DA502650} - F:\Program Files\Girafa\GirafaBar.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective.keynote.com/applications/pconnector/download/ConnectorLauncher.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140552433312
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O20 - Winlogon Notify: iexplore - fm3fs.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winzwr32 - C:\WINNT\SYSTEM32\winzwr32.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\WINNT\system32\servudaemon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

Comments

  • Nuppi, South Ostrobothnia (Finland)
    edited May 2006
    Hi LauraWarren,

    SmitRem was good, but it hasn't been updated for this variant. Use the tool below.

    Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip

    Unzip it (folder named SmitFraudFix) to your desktop:

    Open the folder SmitfraudFix and double-click smitfraudfix.cmd
    Choose option #1 - Search by typing 1 and pressing "Enter"; a text file opens and lists the infected files (if any exist)

    Post the contents of this text file here.

    (Some antivirus programs recognise process.exe as malware. It is not malware; it is a program that stops processes.)
  • edited May 2006
    Thanks for writing.

    I tried several methods yesterday, and think I at least partly fixed the problem. But I ran SmitfraudFix and here are the contents of the text file:

    SmitFraudFix v2.39

    Scan done at 11:49:20.31, Fri 05/05/2006
    Run from C:\Documents and Settings\user\Desktop\SmitFraudFix\SmitfraudFix
    OS: Microsoft Windows 2000 [Version 5.00.2195]

    »»»»»»»»»»»»»»»»»»»»»»»» C:\

    C:\uniq FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32

    C:\WINNT\system32\dcomcfg.exe FOUND !
    C:\WINNT\system32\hp????.tmp FOUND !
    C:\WINNT\system32\simpole.tlb FOUND !
    C:\WINNT\system32\stdole3.tlb FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\user\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

    C:\Program Files\secure32.html FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="http://www.sin-wagon.com/images/version4/bg.jpg"
    "SubscribedURL"="http://www.sin-wagon.com/images/version4/bg.jpg"
    "FriendlyName"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}"="Twain"

    [HKEY_CLASSES_ROOT\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
    @="C:\WINNT\System32\twain32.dll"

    [HKEY_CURRENT_USER\Software\Classes\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
    @="C:\WINNT\System32\twain32.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

    Again, thanks so much for responding.
  • Nuppi, South Ostrobothnia (Finland)
    edited May 2006
    SmitfraudFix has been updated, so download it again, delete the old SmitfraudFix folder from your desktop, and extract the SmitfraudFix folder from the new zip to your desktop.

    Boot your computer in safe mode.

    Open the folder SmitfraudFix and double-click smitfraudfix.cmd

    Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.

    You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.

    The tool checks whether the wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".

    The tool might have to restart your computer; if it doesn't do so, restart your computer back to normal mode.
    A text file will appear after the cleaning process; copy this file and paste it here.
    The log is saved to your local disk drive, usually C:\rapport.txt.
  • edited May 2006
    Thanks Nuppi. I ran it again. Here is the text file:

    SmitFraudFix v2.40

    Scan done at 19:49:56.53, Fri 05/05/2006
    Run from C:\Documents and Settings\user\Desktop\SmitFraudFix\SmitfraudFix
    OS: Microsoft Windows 2000 [Version 5.00.2195]

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\uniq Deleted
    C:\WINNT\system32\dcomcfg.exe Deleted
    C:\WINNT\system32\hp????.tmp Deleted
    C:\WINNT\system32\ld????.tmp Deleted
    C:\WINNT\system32\simpole.tlb Deleted
    C:\WINNT\system32\stdole3.tlb Deleted
    C:\WINNT\system32\1024\ Deleted
    C:\Program Files\secure32.html Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» End



    It's a lot shorter than the last one. Is it okay now?

    Again, I appreciate your help.
  • Nuppi, South Ostrobothnia (Finland)
    edited May 2006
    No, please send a fresh HijackThis log.
  • edited May 2006
    Okay, here it is...

    Logfile of HijackThis v1.99.1
    Scan saved at 11:52:02 AM, on 5/6/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINNT\system32\servudaemon.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\PRESTO~1\PRESTO~1.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Cloudmark\SafetyBar\OE\snoe.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Netscape\Netscape Browser\netscape.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\TEMP\winA44.tmp.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\explorer.exe
    C:\Documents and Settings\user\Desktop\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [8518iaf7] C:\WINNT\System32\8518iaf7.exe
    O4 - HKLM\..\Run: [Hqslp] C:\Program Files\Xoirw\Nedlzls.exe
    O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
    O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [PrestoNotes] C:\PROGRA~1\PRESTO~1\PRESTO~1.exe
    O4 - HKCU\..\Run: [Elprime Clock Pro] F:\Program Files\ElprimeClockPro\EClock.exe
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: SafetyBar for Microsoft Outlook Express.lnk = C:\Program Files\Cloudmark\SafetyBar\OE\snoe.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZN
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Girafa - {78A7D3B4-23E3-11D4-A682-0050DA502650} - F:\Program Files\Girafa\GirafaBar.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective.keynote.com/applications/pconnector/download/ConnectorLauncher.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140552433312
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab
    O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
    O20 - Winlogon Notify: iexplore - fm3fs.dll (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: winzwr32 - C:\WINNT\SYSTEM32\winzwr32.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\WINNT\system32\servudaemon.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
  • Nuppi, South Ostrobothnia (Finland)
    edited May 2006
    Hi LauraWarren, let's clean up the rest.

    First move HijackThis to its own folder, for example C:\HJT\HijackThis.exe

    Remove via Control Panel's Add/Remove Programs:

    MyWebSearch Email Plugin, and every program whose name starts with MyWebSearch...

    UPDATE Ewido

    Run HijackThis from the NEW location.

    Check those lines below.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [8518iaf7] C:\WINNT\System32\8518iaf7.exe
    O4 - HKLM\..\Run: [Hqslp] C:\Program Files\Xoirw\Nedlzls.exe
    O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZN
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
    O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective.keynote.com/appl...orLauncher.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...2/cpbrkpie.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab
    O20 - Winlogon Notify: iexplore - fm3fs.dll (file missing)
    O20 - Winlogon Notify: winzwr32 - C:\WINNT\SYSTEM32\winzwr32.dll


    Close all windows except HijackThis. Click FIX CHECKED.

    Click Config, Misc Tools, Delete a file on reboot. Navigate to or copy and paste the following:

    C:\WINNT\SYSTEM32\winzwr32.dll

    Click OK to the reboot question.

    Boot straight to SAFE MODE

    C:\Program Files\ >MyWebSearch\
    C:\WINNT\System32\ >8518iaf7.exe
    C:\Program Files\ >Xoirw\
    C:\WINNT\TEMP\ >winA44.tmp.exe

    Launch Ewido

    Under Options, mark "scan every file" and run a complete system scan. Save the report.

    Boot normally and send a fresh HijackThis log and Ewido's report.
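The selection Nuppi makes by hand above (hijacked start/search pages, entries whose file is missing, autostarts with random-looking names, Winlogon Notify handlers nobody recognises, services with no vendor) can be turned into a repeatable triage of a HijackThis-format log. The following is an added example in Python; it is not code from this thread, from HijackThis or from SmitfraudFix. The baseline sets of known autostart names and Notify handlers, the list of acceptable start-page values, and the random-name heuristic are assumptions made for the example; the sample entries are copied from the logs posted in this thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: HijackThis v1.99.1 entries copied from the logs in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [8518iaf7] C:\WINNT\System32\8518iaf7.exe
O4 - HKLM\..\Run: [Hqslp] C:\Program Files\Xoirw\Nedlzls.exe
O20 - Winlogon Notify: iexplore - fm3fs.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winzwr32 - C:\WINNT\SYSTEM32\winzwr32.dll
O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\WINNT\system32\servudaemon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# Assumed baseline: autostart names and Winlogon Notify handlers this machine is known
# to have had before the infection. In practice this comes from a known-good log.
BASELINE_RUN_NAMES = {"IgfxTray", "HotKeysCmds", "Smapp", "NeroCheck", "WinampAgent",
                      "iTunesHelper", "QuickTime Task", "Picasa Media Detector",
                      "Synchronization Manager", "HPDJ Taskbar Utility"}
BASELINE_NOTIFY = {"igfxcui"}
# Assumed set of start/search page values that are acceptable on this machine.
ALLOWED_PAGE_VALUES = {"", "about:blank", r"C:\windows\system32\blank.htm"}

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"\\Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<dll>.*)$")
PAGE_RE = re.compile(r"(?P<key>Main,[^=]+?)\s*=\s*(?P<value>.*)$")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def looks_random(name: str) -> bool:
    """Heuristic: a name mixing letters and digits (8518iaf7) or with no vowels
    at all (Hqslp) is treated as machine-generated. Deliberately crude."""
    bare = name.strip()
    has_digit = any(c.isdigit() for c in bare)
    has_alpha = any(c.isalpha() for c in bare)
    no_vowel = has_alpha and not any(c in "aeiouyAEIOUY" for c in bare)
    return (has_digit and has_alpha) or no_vowel


def triage(log_text: str) -> list:
    """Return one Finding per HijackThis entry that deserves a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # process list, headers, blank lines
        sec, body = m.group("sec"), m.group("body")
        reasons = []
        # An entry pointing at a file Windows can no longer find is a leftover
        # of a removal or a hook whose payload is gone; it can be fixed safely.
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("dangling reference")
        if sec in ("R0", "R1"):
            pm = PAGE_RE.search(body)
            if pm and pm.group("value").strip() not in ALLOWED_PAGE_VALUES:
                reasons.append("start/search page set to " + pm.group("value").strip())
        elif sec == "O4":
            rm = RUN_RE.search(body)  # Global Startup .lnk entries are not matched here
            if rm:
                if rm.group("name") not in BASELINE_RUN_NAMES:
                    reasons.append("autostart not in baseline")
                if looks_random(rm.group("name")):
                    reasons.append("random-looking name")
        elif sec == "O20":
            nm = NOTIFY_RE.match(body)
            if nm and nm.group("name") not in BASELINE_NOTIFY:
                reasons.append("unknown Winlogon Notify handler")
        elif sec == "O23" and "Unknown owner" in body:
            reasons.append("service with unknown vendor")
        if reasons:
            findings.append(Finding(sec, line, reasons))
    return findings


def report(findings) -> str:
    """Human-readable summary, one entry per finding with its reasons."""
    return "\n".join("[%s] %s\n    %s" % (f.section, ", ".join(f.reasons), f.line)
                     for f in findings)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

The baseline approach is what turns a 100-line log into the dozen lines worth checking: anything not seen on the clean machine is reviewed, and the random-name heuristic only adds a second reason, so a legitimate but unusual entry (the Serv-U service with no vendor string, for instance) is surfaced for a look rather than marked malicious.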
  • edited May 2006
    Hi Nuppi:

    I hope I performed the steps correctly. Here is the HiJackThis report:


    Logfile of HijackThis v1.99.1
    Scan saved at 6:09:15 PM, on 5/8/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINNT\system32\servudaemon.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINNT\system32\svchost.exe
    C:\PROGRA~1\PRESTO~1\PRESTO~1.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Cloudmark\SafetyBar\OE\snoe.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
    C:\Program Files\Netscape\Netscape Browser\netscape.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\explorer.exe
    C:\HijackThis\HijackThis.exe

    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [PrestoNotes] C:\PROGRA~1\PRESTO~1\PRESTO~1.exe
    O4 - HKCU\..\Run: [Elprime Clock Pro] F:\Program Files\ElprimeClockPro\EClock.exe
    O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: SafetyBar for Microsoft Outlook Express.lnk = C:\Program Files\Cloudmark\SafetyBar\OE\snoe.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Girafa - {78A7D3B4-23E3-11D4-A682-0050DA502650} - F:\Program Files\Girafa\GirafaBar.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140552433312
    O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
    O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: winzwr32 - winzwr32.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\WINNT\system32\servudaemon.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe


    Following is the ewido report:


    ewido anti-malware - Scan report

    + Created on: 5:41:40 PM, 5/8/2006
    + Report-Checksum: 29BE0321

    + Scan result:

    HKLM\SOFTWARE\Classes\WinRes.WindowsResources -> Adware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\WinRes.WindowsResources\CLSID -> Adware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\WinRes.WindowsResources\CurVer -> Adware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\WinRes.WindowsResources.1 -> Adware.CoolWebSearch : Cleaned with backup
    HKLM\SYSTEM\ControlSet002\Control\SPPInfo\PPSE1IDesc -> Dialer.Generic : Cleaned with backup
    [496] C:\WINNT\temp\winA44.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    :mozilla.23:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
    :mozilla.24:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
    :mozilla.25:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
    :mozilla.26:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.27:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.28:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.29:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.57:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.91:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.92:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.93:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.94:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.95:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.96:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.97:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.98:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.109:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.110:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.111:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.112:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
    :mozilla.113:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
    :mozilla.114:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned with backup
    :mozilla.143:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.144:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.145:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.146:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.149:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
    :mozilla.162:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.163:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.164:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.165:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.166:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.167:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.168:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.169:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.170:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.171:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.172:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.212:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
    :mozilla.214:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
    :mozilla.218:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
    :mozilla.221:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
    :mozilla.224:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
    :mozilla.225:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
    :mozilla.226:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
    :mozilla.236:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.238:C:\Documents and Settings\user\Application Data\Netscape\NSB\Profiles\hs5rvvhr.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned with backup
    C:\Documents and Settings\user\Cookies\laura warren@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\user\Cookies\laura warren@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\user\Cookies\laura warren@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
    C:\Documents and Settings\user\Cookies\laura warren@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
    C:\Documents and Settings\user\Cookies\laura warren@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
    C:\Documents and Settings\user\Cookies\laura warren@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned with backup
    C:\Documents and Settings\user\Cookies\laura warren@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
    C:\Documents and Settings\user\Cookies\laura warren@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
    C:\WINNT\system32\regperf.exe -> Downloader.Zlob.ni : Cleaned with backup
    C:\WINNT\temp\win9F5.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINNT\temp\winA01.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINNT\temp\winA18.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINNT\temp\winA36.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINNT\temp\winA44.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup


    ::Report End


    Are things any better?
    Thank you SO MUCH for your help.

    Laura Warren
  • Nuppi, South Ostrobothnia (Finland)
    edited May 2006
    It's almost clear. Hijack log is ok.

    This file belongs to the newest variant of smitfraud.

    C:\WINNT\system32\regperf.exe -> Downloader.Zlob.ni : Cleaned with backup

    Yesterday smitfraudfix was updated for that variant. To ensure that everything is gone, you can download that newest smitfraudfix, and run option #1.

    http://siri.urz.free.fr/Fix/SmitfraudFix.zip
  • edited May 2006
    Hi Nuppi:

    Here is the log file:

    SmitFraudFix v2.41

    Scan done at 23:47:15.29, Mon 05/08/2006
    Run from C:\Documents and Settings\user\Desktop\SmitFraudFix\SmitfraudFix
    OS: Microsoft Windows 2000 [Version 5.00.2195]

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\user\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End



    Thanks again so much!!
  • Nuppi, South Ostrobothnia (Finland)
    edited May 2006
    Hi LauraWarren.
    It's clean ;)

    Scan with HijackThis, check and fix that:

    O20 - Winlogon Notify: winzwr32 - winzwr32.dll (file missing)

    Reboot your computer.
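The two things the helper keys on in this thread are an O20 Winlogon Notify entry whose DLL is "(file missing)" and the one non-cookie executable buried in a long scan report. As an added example (not from the thread or from HijackThis itself), here is a small triage script for HijackThis-format log lines that surfaces such entries for a human to look at; the sample lines are constructed after the format in this thread, and the rules are assumptions about what is worth review, not verdicts.

```python
import re

# Constructed sample in HijackThis format, modelled on the lines in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [winA44] C:\WINNT\temp\winA44.tmp.exe
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winzwr32 - winzwr32.dll (file missing)
O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\WINNT\system32\servudaemon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis entry starts with a section code such as O4, O20, O23.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_hjt(text):
    """Return a list of (section, body) tuples, one per HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text):
    """Return (reason, entry) pairs that merit review. Heuristics are assumptions:
    an orphaned Winlogon Notify hook is leftover persistence from a removed DLL,
    a service with no publisher string needs identifying by hand, and an autorun
    that executes from a temp directory is unusual for legitimate software."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "O20" and "(file missing)" in body:
            findings.append(("orphaned Winlogon Notify entry", body))
        elif section == "O23" and "Unknown owner" in body:
            findings.append(("service with no publisher", body))
        elif section == "O4" and "\\temp\\" in body.lower():
            findings.append(("autorun from a temp directory", body))
    return findings


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"{reason}: {entry}")
```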