1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Task Manager disabled/"Access Members Area"

Discussion in 'Windows - Virus and spyware problems' started by ms3039, May 23, 2006.

  1. ms3039

    ms3039 Member

    Joined:
    May 23, 2006
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    11
    Hello,
    I have a spyware/adware problem. I used to have a dialler pop-up which asked me to pay $1.50 a minute etc. and an icon would appear on my desktop saying "Access Members Area". I think I have managed to remove this, by following instructions on this and other sites given to other people. However, when I try and bring up task manager, I am told "Task Manager has been disabled by your administrator". I have run AVG, Spybot S&D, AD-Aware. Here is my Hijack-this log:
    Logfile of HijackThis v1.99.1
    Scan saved at 12:37:23, on 23/05/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\Rundll32.exe
    C:\WINDOWS\System32\nvraidservice.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\Brother\ControlCenter2\brctrcen.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\MSI\Live Update 3\LMonitor.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Program Files\BitLord\BitLord.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\MSI\DigiCell\DigiCell.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
    C:\Documents and Settings\Mark\Start Menu\Programs\Spyware\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
    O1 - Hosts: localhost 127.0.0.1
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SW20] C:\WINDOWS\System32\sw20.exe
    O4 - HKLM\..\Run: [SW24] C:\WINDOWS\System32\sw24.exe
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
    O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [pizda] RtlFindVal.exe
    O4 - HKLM\..\Run: [ActionScr] MsNetHelper.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [dmrfb.exe] C:\WINDOWS\System32\dmrfb.exe
    O4 - HKCU\..\Run: [typeconf] panel_its.exe
    O4 - HKCU\..\Run: [bnui] SAPSTR.exe
    O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitLord\BitLord.exe"
    O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
    O4 - Global Startup: DigiCell.lnk = C:\Program Files\MSI\DigiCell\DigiCell.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0467D1C8-F897-4A53-B334-F4852126B902}: NameServer = 85.255.116.131
    O17 - HKLM\System\CCS\Services\Tcpip\..\{50ACC1E0-17CB-48EB-8398-2AD1F325FA70}: NameServer = 85.255.116.131
    O17 - HKLM\System\CCS\Services\Tcpip\..\{561DED6B-BD61-4DB2-B195-6427416A7082}: NameServer = 85.255.116.131
    O17 - HKLM\System\CCS\Services\Tcpip\..\{91925AC6-F458-43BE-AC8B-2BFD9C7C614A}: NameServer = 85.255.116.131
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0467D1C8-F897-4A53-B334-F4852126B902}: NameServer = 85.255.116.131
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0467D1C8-F897-4A53-B334-F4852126B902}: NameServer = 85.255.116.131
    O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\System32\btxppanel.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    Any Ideas?
     
  2. -kemisti-

    -kemisti- Active member

    Joined:
    Jun 6, 2005
    Messages:
    6,305
    Likes Received:
    0
    Trophy Points:
    96
    Hi ms3039

    Please print out these instructions or save them as text file.

    Fix with HjT (open HijackThis, click do a system scan, checkmark these and press fix checked):

    O1 - Hosts: localhost 127.0.0.1
    O4 - HKLM\..\Run: [pizda] RtlFindVal.exe
    O4 - HKLM\..\Run: [ActionScr] MsNetHelper.exe
    O4 - HKLM\..\Run: [dmrfb.exe] C:\WINDOWS\System32\dmrfb.exe
    O4 - HKCU\..\Run: [typeconf] panel_its.exe
    O4 - HKCU\..\Run: [bnui] SAPSTR.exe
    O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0467D1C8-F897-4A53-B334-F4852126B902}: NameServer = 85.255.116.131
    O17 - HKLM\System\CCS\Services\Tcpip\..\{50ACC1E0-17CB-48EB-8398-2AD1F325FA70}: NameServer = 85.255.116.131
    O17 - HKLM\System\CCS\Services\Tcpip\..\{561DED6B-BD61-4DB2-B195-6427416A7082}: NameServer = 85.255.116.131
    O17 - HKLM\System\CCS\Services\Tcpip\..\{91925AC6-F458-43BE-AC8B-2BFD9C7C614A}: NameServer = 85.255.116.131
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0467D1C8-F897-4A53-B334-F4852126B902}: NameServer = 85.255.116.131
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0467D1C8-F897-4A53-B334-F4852126B902}: NameServer = 85.255.116.131


    Please download ewido anti malware it is a free version of the program -> http://www.ewido.net/en/download/

    1. Install ewido security suite
    2. When installing, under "Additional Options" uncheck..
    * Install background guard
    * Install scan via context menu
    3. Launch ewido, there should be an icon on your desktop, double-click it.
    4. The program will now open to the main screen.
    5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    6. You will need to update ewido to the latest definition files.
    * On the left hand side of the main screen click update.
    * Then click on Start Update.
    7. The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")

    If you are having problems with the updater, you can use this link to manually update ewido.
    ewido manual updates -> http://www.ewido.net/en/download/updates/

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

    [*]Save it to your desktop and run it. Click Next, then Install, make sure Run fixit is checked and click Finish.
    [*]The fix will begin; follow the prompts.
    [*]You will be asked to reboot your computer; please do so.
    [*]Your system may take longer than usual to load; this is normal.

    Make you hidden and system files visible -> http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Boot in safe mode -> http://www.pchell.com/support/safemode.shtml

    Delete if found:

    C:\WINDOWS\System32\dmrfb.exe
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe

    Please do a search:
    "Run "Start">"Search">"All Files and Folders"> enter RtlFindVal.exe in "All or part of file name". Select "More advanced options". Check-mark "Search System Folders", "Search hidden files and folders", and "Search subfolders". Click "Search". Right click the file and select delete.

    Repeat the search step above with these:

    MsNetHelper.exe
    panel_its.exe
    SAPSTR.exe

    Then launch ewido:

    * Click on scanner
    * Click on Complete System Scan and the scan will begin.
    * You will be prompted to clean the first infection.
    * Select "Perform action on all infections", then proceed.
    * Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    * Click Save report.
    * Save the report .txt file to your desktop or a location where you can find it easily.

    Close ewido anti-malware.

    Reboot back to normal mode

    Send ewido report a fresh HjT log along with contents of c:\fixwareout\report.txt.
     
  3. ms3039

    ms3039 Member

    Joined:
    May 23, 2006
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    11
    Thank you for your help. I followed your advice, but my task manager is still disabled. Here are the logs:

    E-wido:
    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 19:33:18, 24/05/2006
    + Report-Checksum: BA92ADC0

    + Scan result:

    C:\Documents and Settings\Mark\Cookies\mark@122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned without backup
    C:\Documents and Settings\Mark\Cookies\mark@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned without backup
    C:\Documents and Settings\Mark\Cookies\mark@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned without backup
    C:\Documents and Settings\Mark\Cookies\mark@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned without backup
    C:\Documents and Settings\Mark\Cookies\mark@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned without backup
    C:\Documents and Settings\Mark\Cookies\mark@adtech[2].txt -> TrackingCookie.Adtech : Cleaned without backup
    C:\Documents and Settings\Mark\Cookies\mark@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned without backup
    C:\Documents and Settings\Mark\Cookies\mark@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned without backup
    C:\Documents and Settings\Mark\Cookies\mark@com[1].txt -> TrackingCookie.Com : Cleaned without backup
    C:\Documents and Settings\Mark\Cookies\mark@e-2dj6wfkowlcjmgp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned without backup
    C:\Documents and Settings\Mark\Cookies\mark@e-2dj6wfkyopc5agq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned without backup
    C:\Documents and Settings\Mark\Cookies\mark@e-2dj6wfliejcpadp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned without backup
    C:\Documents and Settings\Mark\Cookies\mark@e-2dj6wflokmd5glp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned without backup
    C:\Documents and Settings\Mark\Cookies\mark@e-2dj6wjkyohdzoco.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned without backup
    C:\Documents and Settings\Mark\Cookies\mark@metacafe.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned without backup
    C:\Documents and Settings\Mark\Cookies\mark@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned without backup
    C:\Documents and Settings\Mark\Cookies\mark@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned without backup
    C:\Documents and Settings\Mark\Cookies\mark@premiumtv.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned without backup
    C:\Documents and Settings\Mark\Cookies\mark@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned without backup
    C:\Documents and Settings\Mark\Cookies\mark@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned without backup
    C:\Documents and Settings\Mark\Cookies\mark@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned without backup
    C:\Documents and Settings\Mark\Cookies\mark@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned without backup
    C:\Documents and Settings\Mark\Cookies\mark@vip.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned without backup
    C:\Documents and Settings\Mark\Cookies\mark@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned without backup
    C:\Documents and Settings\Mark\Cookies\mark@yadro[1].txt -> TrackingCookie.Yadro : Cleaned without backup
    C:\Program Files\Avant Browser\Skins\sdff1f -> Downloader.Small.awa : Cleaned without backup
    C:\WINDOWS\system32\dial23.exe -> Dialer.GBDialer.d : Cleaned without backup
    C:\WINDOWS\system32\dmuyf.exe -> Trojan.Pakes : Cleaned without backup
    C:\WINDOWS\system32\simpole.tlb -> Downloader.Zlob.nz : Cleaned without backup
    C:\WINDOWS\system32\t1t.exe -> Downloader.Small.awa : Cleaned without backup


    ::Report End

    Fixwareout:
    Fixwareout ver 1.003
    Last edited 04/26/2006
    Post this report in the forums please

    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\fyumd
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
    ...

    Microsoft (R) Windows Script Host Version 5.6
    Random Runs removed from HKLM
    "dmuyf.exe"=-
    ...

    PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    Example ipsec6.exe is lagitamate

    »»»»» Search by size and names...

    »»»»» Misc files

    »»»»» Checking for older varients covered by the Rem3 tool

    »»»»»
    Search five digit cs, dm and jb files
    This WILL/CAN also list Legit Files, Submit them at Virustotal
    C:\WINDOWS\SYSTEM32\DMUYF.EXE 44,084 2002-09-03

    HJT:
    Logfile of HijackThis v1.99.1
    Scan saved at 19:38:24, on 24/05/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Rundll32.exe
    C:\WINDOWS\System32\nvraidservice.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Brother\ControlCenter2\brctrcen.exe
    C:\Program Files\MSI\Live Update 3\LMonitor.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\BitLord\BitLord.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\MSI\DigiCell\DigiCell.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
    C:\Program Files\Avant Browser\avant.exe
    C:\Program Files\Mulberry v3\Mulberry.exe
    C:\Documents and Settings\Mark\Start Menu\Programs\Spyware\HijackThis.exe

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SW20] C:\WINDOWS\System32\sw20.exe
    O4 - HKLM\..\Run: [SW24] C:\WINDOWS\System32\sw24.exe
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
    O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitLord\BitLord.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
    O4 - Global Startup: DigiCell.lnk = C:\Program Files\MSI\DigiCell\DigiCell.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
    O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
    O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
    O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\System32\btxppanel.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
     
  4. -kemisti-

    -kemisti- Active member

    Joined:
    Jun 6, 2005
    Messages:
    6,305
    Likes Received:
    0
    Trophy Points:
    96
    Logs look good.

    Click this link with right mouse button -> http://www.kellys-korner-xp.com/regs_edits/taskmanager.reg and save it to desktop. Doubleclick taskmanager.reg on desktop, click yes and ok.

    Reboot.

    Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip

    Unzip it (folder named SmitFraudFix) to your desktop:

    Open the folder SmitfraudFix and doubleclick smitfraudfix.cmd
    Choose option #1 - Search by typing 1 and pressing "Enter"; a textfile opens and lists the infected files (if those exist)

    Post the contents of this textfile to here.

    (Some antiviruses recognises process.exe as a malware. It is not malware, it is a program that stops processes).

    Does task manager work now?
     
  5. ms3039

    ms3039 Member

    Joined:
    May 23, 2006
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    11
    Hello,
    Task Manager is working. Here is smitfraud log:
    SmitFraudFix v2.47

    Scan done at 15:07:38.25, 25/05/2006
    Run from C:\Documents and Settings\Mark\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600]
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\regperf.exe FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Mark\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Mark\FAVORI~1

    C:\DOCUME~1\Mark\FAVORI~1\Antivirus Test Online.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

    Thank you for all your help. Could you recommend a free firewall that works well?
    Mark
     
  6. -kemisti-

    -kemisti- Active member

    Joined:
    Jun 6, 2005
    Messages:
    6,305
    Likes Received:
    0
    Trophy Points:
    96
    * Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
    * Double-click smitfraudfix.cmd
    * Select 2 and hit Enter to delete infect files.
    * You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    * The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
    * A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

    Send contents of -> C:\rapport.txt here

    As for firewall, Kerio and ZoneAlarm are good freebies.
     
  7. ms3039

    ms3039 Member

    Joined:
    May 23, 2006
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    11
    SmitFraudFix v2.48

    Scan done at 17:00:57.15, 26/05/2006
    Run from C:\Documents and Settings\Mark\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600]
    Fix ran in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

    When SmitFraud ran "Disk Cleanup", it got stuck very early at the "compress old files" stage. Does this matter? I know how to manually clean temp and temp internet files anyway, and it didn't appear to affect smit fraud.
     
  8. -kemisti-

    -kemisti- Active member

    Joined:
    Jun 6, 2005
    Messages:
    6,305
    Likes Received:
    0
    Trophy Points:
    96
    Looks clean. Still problems?
     
  9. ms3039

    ms3039 Member

    Joined:
    May 23, 2006
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    11
    When SmitFraud ran "Disk Cleanup", it got stuck very early at the "compress old files" stage. Does this matter? I know how to manually clean temp and temp internet files anyway, and it didn't appear to affect smit fraud.
    Other than that, it's fine.
    kiittää te
     
  10. -kemisti-

    -kemisti- Active member

    Joined:
    Jun 6, 2005
    Messages:
    6,305
    Likes Received:
    0
    Trophy Points:
    96
    No,it doesn't matter if you know how clean them by yourself. You're welcome :)
     

Share This Page