dbaoti

Please go here

And Download SmitFraudFix by S!ri

Rt click the program Extract all the archive content to your desktop
• Open the SmitfraudFix folder:
o Double-click smitfraudfix.cmd
o Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
Open that file, Ctrl+A to copy, and post a copy of that log as a reply to this thread

Do Not run option 2 until instructed to do so


bamajim

Training at Malware Removal University

dbaoti

Thanks for the log

First Reboot into Safemode

• This can be done by restarting your PC
  Then after it starts, but before you see the Windows splash screen,
  Tap the F8 key twice a second until you arrive at another menu screen
  Use your arrow keys->>Select Safe Mode->>Enter

Next Open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press"Enter" to delete infected files.
When prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typingY ->>"Enter"

The tool will now check if wininet.dll is infected.
If prompted to replace the infected file (if found); answer "Yes" by typing Y ->>"Enter".

After the tool finishes, if your PC does not reboot, please restart it into Normal Mode.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Next Rerun Hijackthis and post a fresh Hijackthis log

Your reply should include

• Your rapport.txt log
  A fresh Hijackthis log

thanks bamajim

Training at Malware Removal University

First let me thank you for all your help
This is the rapport.txt

SmitFraudFix v2.79

Scan done at 14:30:08.26, Fri 08/04/2006
Run from C:\Documents and Settings\Chris\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"

[HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2236}\InProcServer32]
@="C:\WINDOWS\system32\2236_28.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2236}\InProcServer32]
@="C:\WINDOWS\system32\2236_28.dll"

Logfile of HijackThis v1.99.1
Scan saved at 2:39:20 PM, on 8/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\winbmsv1.exe
E:\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Winsvr] C:\DOCUME~1\Chris\LOCALS~1\Temp\117.tmp5120.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://pagibbs.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = academic.com
O17 - HKLM\Software\..\Telephony: DomainName = academic.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = academic.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = academic.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = academic.com
O20 - AppInit_DLLs:  tlntwucl.dll mciawmsp.dll dfgdsp.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: winbmsv1 - C:\WINDOWS\system32\winbmsv1.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\2236_28.dll
O21 - SSODL: cIwmMBbIkPE - {BC5EAB65-16F4-01CF-7D2D-62DAA7C55884} - C:\WINDOWS\system32\xk.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

dbaoti

Looking better, still have a few things to address

First Please go here and Download AVG free

Install it update and run a full system scan. Fix any problems it finds

Once that is complete:

Re run Hijackthis and post a fresh Hijackthis log

thanks bamajim

Training at Malware Removal University

dboati

Please print out these instructions for reference

Please download the Killbox.
Save it to the desktop (But do not run it).

Next Rerun Hijackthis (scan only) and place checks beside the following entries

O4 - HKCU\..\Run: [Winsvr] C:\DOCUME~1\Chris\LOCALS~1\Temp\117.tmp5120.exe
O20 - AppInit_DLLs: tlntwucl.dll mciawmsp.dll dfgdsp.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll (file missing)
O20 - Winlogon Notify: winbmsv1 - C:\WINDOWS\system32\winbmsv1.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\2236_28.dll (file missing)
O21 - SSODL: cIwmMBbIkPE - {BC5EAB65-16F4-01CF-7D2D-62DAA7C55884} - C:\WINDOWS\system32\xk.dll

Close all other open windows except Hijackthis and Select "Fix checked"

If prompted to reboot select No and Exit Hijackthis

Next Run Killbox

1) Select "Delete on Reboot", and then select "All files".
2) Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\Documents and Settings\Chris\Local Settings\Temp\117.tmp5120.exe
C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
C:\WINDOWS\system32\2236_28.dll
C:\WINDOWS\system32\xk.dll
C:\WINDOWS\System32\winbmsv1.dll
C:\WINDOWS\System32\tlntwucl.dll
C:\WINDOWS\System32\mciawmsp.dll
C:\WINDOWS\System32\dfgdsp.dll

3) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
4) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Next Reboot your PC ->>Re run Hijackthis and post a fresh Hijackthis log

Thanks bamajim

Training at Malware Removal University

• O20 - AppInit_DLLs: tlntwucl.dll mciawmsp.dll
  O20 - Winlogon Notify: winbmsv1 - C:\WINDOWS\system32\winbmsv1.dll (file missing)

• 
  1) Select " Delete on Reboot", and then select " All files".
  2) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
  
  
  • 
    C:\WINDOWS\System32\tlntwucl.dll
    C:\WINDOWS\System32\mciawmsp.dll
    
  
  3) Return to Killbox, go to the File menu, and choose " Paste from Clipboard".
  4) Check the " Delete on Reboot prompt" button
  5) Check " Unregister .dll before Deleting" button
  6) Click the red-and-white " Delete File" button.  
  Click " Yes" at the Delete on Reboot prompt.
  7) Click "  Click " No" at the Pending Operations prompt.

Reboot your PC->> Rerun Hijackthis and post a fresh Hijackthis log

Thanks bamajim

Training at Malware Removal University

dbaoti

Before we proceed, please give me an update on how you PC is running

thanks bamajim

Training at Malware Removal University

It seems to be back to normal but there is some hesitation when I log on. Other than that there isn't any problems.

Thanks again

dbaoti

Glad to hear it, but we're not quite done. Since your PC was unprotected for a time I'd like to make sure we haven't left anything in hiding

First Download CCleaner from here to clean temp files from your computer.

• Double click on the file to start the installation of the program. Select your language and click OK, then next. Read the license agreement and click I Agree. Click next to use the default install location. Click Install then finish to complete installation

• On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit). If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla. Click on the "Options" icon at the left side of the window, then click on "Advanced." deselect "Only delete files in Windows Temp folders older than 48 hours." Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program

• After CCleaner has completed its process, click Exit

• Under " Your computers Security" Click change status on Resident shield to inactive Click Update now (next to last update) After the update loads Under Automatic updates Uncheck download and install updates automatically(recommended) (you can always select maual updates the next day)

• Under How to act? Set default action for detected malwareTo Quarantine Under how to scan All boxes should be checked Under Possibly unwanted software All boxes should be checked Under reports Select Automatically generate report after every scanUncheck Only if threats were found Under what to scan Scan every file should be highlited

• Click scanner Select Complete system scan

• Select Apply all actions (The items found will be quarantined) Click save report as (Another window will open) Save it to your desktop (By default It will be saved in the Ewido folder as) C:\Program Files\ewido anti-spyware 4.0\Reports

• Double click the report-scan txt. you saved to your desktop It will open in Notepad Copy and paste that report as a reply to this thread Do not run any other options untill instructed to do so

Next Re run Hijackthis and post a fresh Hijackthis log

Your reply should include

• Your report_scan txt. log from Ewdio
• A fresh Hijackthis log

thanks bamajim

Training at Malware Removal University

• Lets create a clean System Restore point
  the instructions are here

• Download the latest version of
  Java Runtime Environment (JRE) 5.0 Update 7.
  Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  Click the " Download" button to the right.
  Check the box that says: " Accept License Agreement".
  The page will refresh.
  Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  Close any programs you may have running - especially your web browser.
  Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  Click the Remove or Change/Remove button.
  Repeat as many times as necessary to remove each Java versions.
  Reboot your computer once all Java components are removed.
  Then from your desktop double-click on jre-1_5_0_07-windowsi586-p.exe to install the newest version.

• Open Internet Explorer click Tools->> Options.
  Click Security tab
  Click once on the Internet icon so it becomes highlighted.
  Click Custom Level.
  Change the Download signed ActiveX controls to Prompt
  Change the Download unsigned ActiveX controls to Disable
  Change the Initialise and script ActiveX controls not marked as safe to Disable
  Change the Installation of desktop items to Prompt
  Change the Launching programs and files in an IFRAME to Prompt
  Change the Navigate sub-frames across different domains to Prompt
  When all these settings have been made, click OK.
  If it prompts you to save the settings, press Yes.
  Next press Apply and then OK to exit the Internet Properties page

• The Windows Firewall is good at blocking incoming threats, but not outgoing threats such as "Backdoor Trojans"
  Some others are
  Sygate
  And
  Sunbelt personal
  All of which are free

Visit Microsoft's Windows Update Site Frequently for critical updates

Backup your Documents and Files and a regular basis
To a disc or a USB key, not your Hardrive

You may want to read this article"So how did I get infected in the first place" by Tony Klein

surf safe

Thanks bamajim

Training at Malware Removal University