Help Hijack this report

Discussion in 'Windows - Virus and spyware problems' started by rowski, Jul 3, 2006.

  1. rowski

    rowski Member

    Joined:
    Dec 10, 2005
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    16
    Here is the report. My main problem is a slow PC. I've downloaded Adaware, Spybot, BitDefender et al. and I keep getting this yellow warning triangle in my "notification area" by the clock. Any help would be greatly appreciated :)

    Logfile of HijackThis v1.99.1
    Scan saved at 21:57:36, on 03/07/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    C:\Program Files\Softwin\BitDefender9\vsserv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\dcomcfg.exe
    C:\WINDOWS\system32\atmclk.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\MessengerPlus! 3\MsgPlus.exe
    C:\Program Files\Softwin\BitDefender9\bdnagent.exe
    D:\Program Files\PeerGuardian2\pg2.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\system32\hp100.tmp
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\pmnljih.dll
    O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender9\bdnagent.exe"
    O4 - HKCU\..\Run: [PeerGuardian] D:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C8B8B2EF-B7EC-47BD-88AF-64FD7F619A5B}: NameServer = 195.92.195.95 195.92.195.94
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: pmnljih - C:\WINDOWS\SYSTEM32\pmnljih.dll
    O20 - Winlogon Notify: wineak32 - C:\WINDOWS\SYSTEM32\wineak32.dll
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
    O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
    O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
     
  2. rowski

    Right guys, now Windows Explorer doesn't work when I click on My Computer, My Documents, or Control Panel! I can't get Internet Explorer to start up, and everything's taking a fkin long time to load! Any help would be greatly appreciated x
     
  3. tapiiri

    tapiiri Regular member

    Joined:
    Jun 11, 2005
    Messages:
    1,142
    Likes Received:
    0
    Trophy Points:
    46
    Hi rowski


    Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip

    Unzip it (folder named SmitFraudFix) to your desktop:

    Open the folder SmitfraudFix and double-click smitfraudfix.cmd
    Choose option #1 - Search by typing 1 and pressing "Enter"; a text file opens and lists the infected files (if any exist)

    Post the contents of this text file here.

    (Some antivirus programs recognise process.exe as malware. It is not malware; it is a program that stops processes.)
     
  4. rowski

    Cheers for the reply tapiiri, but I'm on a different PC at the moment simply because the browsers do not work! And since I do not have access to file explorer, My Computer etc., I couldn't download the file to a pen drive and transport it to the other PC?

    Should I just restart the system? I'd prefer not to since I cannot create any backups :S
     
  5. tapiiri

    Open a command prompt and copy it to your desktop with DOS commands.

     
  6. rowski

    How would I launch the cmd file from MS-DOS? I've managed to extract the files from the zip. Step by step please :) thanks
     
  7. rowski

    Right, I did the scan and got a bit carried away and cleaned as well :s Here's the report. My PC's still running slow, if not slower now :(

    SmitFraudFix v2.67

    Scan done at 9:55:35.18, 05/07/2006
    Run from D:\Documents and Settings\Chris.SN048853520471.000\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{7916f057-223f-4612-ac84-e882cbe043d4}"="bals"

    [HKEY_CLASSES_ROOT\CLSID\{7916f057-223f-4612-ac84-e882cbe043d4}\InProcServer32]
    @="C:\WINDOWS\system32\hvcycg.dll"

    [HKEY_CURRENT_USER\Software\Classes\CLSID\{7916f057-223f-4612-ac84-e882cbe043d4}\InProcServer32]
    @="C:\WINDOWS\system32\hvcycg.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri

    C:\WINDOWS\system32\hvcycg.dll -> Missing File


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    Problem while deleting C:\WINDOWS\system32\atmclk.exe
    Problem while deleting C:\WINDOWS\system32\dcomcfg.exe
    Problem while deleting C:\WINDOWS\system32\hp???.tmp
    Problem while deleting C:\WINDOWS\system32\hp????.tmp
    C:\WINDOWS\system32\ld???.tmp Deleted
    C:\WINDOWS\system32\ot.ico Deleted
    Problem while deleting C:\WINDOWS\system32\simpole.tlb
    C:\WINDOWS\system32\1024\ Deleted
    D:\DOCUME~1\CHRISS~1.000\FAVORI~1\Antivirus Test Online.url Deleted
    C:\Program Files\SpyQuake2.com\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» Reboot

    Problem while deleting C:\WINDOWS\system32\atmclk.exe
    Problem while deleting C:\WINDOWS\system32\dcomcfg.exe
    Problem while deleting C:\WINDOWS\system32\hp???.tmp
    Problem while deleting C:\WINDOWS\system32\hp????.tmp
    Problem while deleting C:\WINDOWS\system32\simpole.tlb

    »»»»»»»»»»»»»»»»»»»»»»»» End

     
  8. tapiiri

    Yes, there are several infections. Print these instructions.

    Download VundoFix.exe to your desktop -> http://www.atribune.org/ccount/click.php?id=4

    * Double-click VundoFix.exe to run it.
    * Put a check next to Run VundoFix as a task.
    * You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    * When VundoFix re-opens, click the Scan for Vundo button.
    * Once the scan is ready, right-click the list box (the white box that lists the found files) and choose Add more files
    * Copy/Paste the following two lines to the upper field:

    C:\WINDOWS\system32\pmnljih.dll
    C:\WINDOWS\system32\hijlnmp.*


    Scan with HijackThis and check:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\system32\hp100.tmp
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\pmnljih.dll
    O20 - Winlogon Notify: pmnljih - C:\WINDOWS\SYSTEM32\pmnljih.dll
    O20 - Winlogon Notify: wineak32 - C:\WINDOWS\SYSTEM32\wineak32.dll

    Close all programs except HijackThis and click Fix checked.



    Restart your computer in safe mode -> http://www.pchell.com/support/safemode.shtml

    Delete :
    C:\WINDOWS\SYSTEM32\ >>>>wineak32.dll

    When in safe mode, open the SmitfraudFix folder and double-click the file smitfraudfix.cmd
    Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.

    You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.

    The tool checks if wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".

    The tool might have to restart your computer; if it doesn't, restart your computer back into normal mode.
    A text file will appear after the cleaning process; copy its contents and paste them here.
    The log is saved to your local disk drive, usually C:\rapport.txt.

    Warning: running option 2 on a clean computer will delete your desktop wallpaper.

    Post the following logs here:
    -> a fresh HijackThis log
    -> C:\rapport.txt
    -> contents of C:\vundofix.txt
     
  9. rowski

    Okay, here it goes . . .

    A) - rapport.txt:
    SmitFraudFix v2.67

    Scan done at 8:29:57.00, 06/07/2006
    Run from D:\Documents and Settings\Chris.SN048853520471.000\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    Problem while deleting C:\WINDOWS\system32\atmclk.exe
    Problem while deleting C:\WINDOWS\system32\dcomcfg.exe
    Problem while deleting C:\WINDOWS\system32\hp???.tmp
    Problem while deleting C:\WINDOWS\system32\hp????.tmp
    Problem while deleting C:\WINDOWS\system32\simpole.tlb

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» Reboot

    Problem while deleting C:\WINDOWS\system32\atmclk.exe
    Problem while deleting C:\WINDOWS\system32\dcomcfg.exe
    Problem while deleting C:\WINDOWS\system32\hp???.tmp
    Problem while deleting C:\WINDOWS\system32\hp????.tmp
    Problem while deleting C:\WINDOWS\system32\simpole.tlb

    »»»»»»»»»»»»»»»»»»»»»»»» End



    B) - vundofix.txt:

    VundoFix V4.2.84

    Checking Java version...

    Java version is 1.5.0.2

    Scan started at 16:47:14 05/07/2006

    Listing files found while scanning....


    C:\WINDOWS\system32\cccdd.bak1
    C:\WINDOWS\system32\cccdd.bak2
    C:\WINDOWS\system32\cccdd.tmp
    C:\WINDOWS\system32\cccdd.ini2
    C:\WINDOWS\system32\ddccc.dll
    C:\WINDOWS\system32\cccdd.ini2
    C:\WINDOWS\system32\cccdd.bak2
    C:\WINDOWS\system32\cccdd.tmp
    C:\WINDOWS\system32\cccdd.ini2
    C:\WINDOWS\system32\ddccc.dll

    VundoFix V4.2.84

    Running as SYSTEM
    from c:\windows\system32\VundoFix.exe

    Checking Java version...

    Java version is 1.5.0.2

    Scan started at 16:48:02 05/07/2006

    Listing files found while scanning....


    C:\WINDOWS\system32\cccdd.bak1
    C:\WINDOWS\system32\cccdd.bak2
    C:\WINDOWS\system32\cccdd.tmp
    C:\WINDOWS\system32\cccdd.ini2
    C:\WINDOWS\system32\ddccc.dll
    C:\WINDOWS\system32\cccdd.ini2
    C:\WINDOWS\system32\cccdd.bak2
    C:\WINDOWS\system32\cccdd.tmp
    C:\WINDOWS\system32\cccdd.ini2
    C:\WINDOWS\system32\ddccc.dll

    VundoFix V4.2.84

    Running as SYSTEM
    from c:\windows\system32\VundoFix.exe

    Checking Java version...

    Java version is 1.5.0.2

    Scan started at 16:58:40 05/07/2006

    Listing files found while scanning....


    C:\WINDOWS\system32\cccdd.bak1
    C:\WINDOWS\system32\cccdd.bak2
    C:\WINDOWS\system32\cccdd.tmp
    C:\WINDOWS\system32\cccdd.ini2
    C:\WINDOWS\system32\ddccc.dll
    C:\WINDOWS\system32\cccdd.ini2
    C:\WINDOWS\system32\cccdd.bak2
    C:\WINDOWS\system32\cccdd.tmp
    C:\WINDOWS\system32\cccdd.ini2
    C:\WINDOWS\system32\ddccc.dll
    Attempting to delete C:\WINDOWS\system32\cccdd.bak1
    C:\WINDOWS\system32\cccdd.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\cccdd.bak2
    C:\WINDOWS\system32\cccdd.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\cccdd.tmp
    C:\WINDOWS\system32\cccdd.tmp Has been deleted!

    Attempting to delete C:\WINDOWS\system32\cccdd.ini2
    C:\WINDOWS\system32\cccdd.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ddccc.dll
    C:\WINDOWS\system32\ddccc.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\ddccc.dll
    C:\WINDOWS\system32\ddccc.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\pmnljih.dll
    C:\WINDOWS\system32\pmnljih.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    C) - Hijack This! txt file:
    Logfile of HijackThis v1.99.1
    Scan saved at 08:38:31, on 06/07/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Softwin\BitDefender9\vsserv.exe
    C:\WINDOWS\NOTEPAD.EXE
    C:\Program Files\MessengerPlus! 3\MsgPlus.exe
    C:\progra~1\softwin\bitdef~1\bdnagent.exe
    C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
    C:\progra~1\softwin\bitdef~1\bdswitch.exe
    C:\WINDOWS\system32\devldr32.exe
    D:\Program Files\PeerGuardian2\pg2.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\BitTorrent\bittorrent.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\WinRAR\WinRAR.exe
    D:\DOCUME~1\CHRISS~1.000\LOCALS~1\Temp\Rar$EX00.594\HijackThis.exe

    O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [BDNewsAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe"
    O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
    O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe"
    O4 - HKCU\..\Run: [PeerGuardian] D:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C8B8B2EF-B7EC-47BD-88AF-64FD7F619A5B}: NameServer = 195.92.195.95 195.92.195.94
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
    O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
    O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

    I don't notice much difference in the speed but I've regained full functionality :)
     
  10. tapiiri

    OK, we'll have to use a stronger tool...

    1. Download Avenger -> http://swandog46.geekstogo.com/avenger.zip and unzip it to your desktop
    2. Copy all the text in the quote box below to Notepad (starting from "Files to delete:")


    Files to delete:
    C:\WINDOWS\system32\cccdd.bak1
    C:\WINDOWS\system32\cccdd.bak2
    C:\WINDOWS\system32\cccdd.tmp
    C:\WINDOWS\system32\cccdd.ini2
    C:\WINDOWS\system32\ddccc.dll
    C:\WINDOWS\system32\cccdd.ini2
    C:\WINDOWS\system32\cccdd.bak2
    C:\WINDOWS\system32\cccdd.tmp
    C:\WINDOWS\system32\cccdd.ini2
    C:\WINDOWS\system32\ddccc.dll
    C:\WINDOWS\system32\atmclk.exe
    C:\WINDOWS\system32\dcomcfg.exe
    C:\WINDOWS\system32\hp???.tmp
    C:\WINDOWS\system32\hp????.tmp
    C:\WINDOWS\system32\simpole.tlb



    Notice: This script is for this user. If you aren't that user, DON'T follow these instructions, because they might harm your system

    3. Now, open The Avenger
    ->"Below Script file to execute" select "Input Script Manually".
    ->Now click magnifying glass which opens a new window "View/edit script".
    -> Paste the text you earlier copied to Notepad here
    -> Click Done.
    -> Now click green light in order to start script.
    -> Click "Yes" .

    4. Avenger will do the following:
    -> Reboot your computer.
    -> While booting, it will open a DOS prompt; this is normal.
    -> After the reboot it will create a log file, which should open. This log is in C:\avenger.txt
    -> Avenger has created a backup here -> C:\avenger\backup.zip.

    5. Copy/paste contents of avenger.txt along with a fresh HjT-log.
     
  11. rowski

    Ok. . . .nothing came up in the avenger txt file :s

    Logfile of HijackThis v1.99.1
    Scan saved at 17:50:23, on 06/07/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    C:\Program Files\Softwin\BitDefender9\vsserv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MessengerPlus! 3\MsgPlus.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\progra~1\softwin\bitdef~1\bdnagent.exe
    C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
    C:\progra~1\softwin\bitdef~1\bdswitch.exe
    C:\WINDOWS\system32\devldr32.exe
    D:\Program Files\PeerGuardian2\pg2.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\WinRAR\WinRAR.exe
    D:\DOCUME~1\CHRISS~1.000\LOCALS~1\Temp\Rar$EX00.500\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5CD3B899-DC62-41D4-A84C-075263C3B192} - C:\WINDOWS\system32\ddccc.dll (file missing)
    O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [BDNewsAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe"
    O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
    O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe"
    O4 - HKLM\..\Run: [uqyjwnol] C:\tcigbaxy.bat
    O4 - HKCU\..\Run: [PeerGuardian] D:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C8B8B2EF-B7EC-47BD-88AF-64FD7F619A5B}: NameServer = 195.92.195.95 195.92.195.94
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: ddccc - C:\WINDOWS\system32\ddccc.dll (file missing)
    O20 - Winlogon Notify: wineak32 - C:\WINDOWS\SYSTEM32\wineak32.dll
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
    O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
    O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

    Help . . . :(
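
Added example, not part of any post in this thread: a small Python parser that compares two HijackThis logs and reports which autostart entries appeared, which disappeared, and which still point at a file that no longer exists. The two sample logs are short excerpts of the 08:38 and 17:50 logs posted above; the function and variable names are this example's own.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section detail file_missing")

# Item lines look like "O4 - HKLM\..\Run: [name] path". The header and the
# "Running processes" list do not match this pattern and are skipped.
ITEM_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")
MISSING = "(file missing)"

# Excerpt of the 08:38 log from this thread (not the complete log).
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

# Excerpt of the 17:50 log from this thread (not the complete log).
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe
O2 - BHO: (no name) - {5CD3B899-DC62-41D4-A84C-075263C3B192} - C:\WINDOWS\system32\ddccc.dll (file missing)
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [uqyjwnol] C:\tcigbaxy.bat
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ddccc - C:\WINDOWS\system32\ddccc.dll (file missing)
O20 - Winlogon Notify: wineak32 - C:\WINDOWS\SYSTEM32\wineak32.dll
"""


def parse_hjt(text):
    """Return the R*/O* item lines of a HijackThis log as Entry tuples."""
    entries = []
    for line in text.splitlines():
        m = ITEM_RE.match(line)
        if not m:
            continue
        section, detail = m.groups()
        missing = detail.endswith(MISSING)
        if missing:
            detail = detail[: -len(MISSING)].rstrip()
        entries.append(Entry(section, detail, missing))
    return entries


def _key(entry):
    # Windows paths and registry names are case-insensitive. 8.3 short paths
    # (PROGRA~1) are NOT expanded here, so a long/short spelling change of the
    # same file shows up as one removed and one added entry.
    return (entry.section, entry.detail.lower())


def diff_logs(before, after):
    """Compare two parsed logs, preserving log order in each result list."""
    before_keys = {_key(e) for e in before}
    after_keys = {_key(e) for e in after}
    return {
        # entries to review first: they were not there in the earlier scan
        "added": [e for e in after if _key(e) not in before_keys],
        "removed": [e for e in before if _key(e) not in after_keys],
        # registration is still present although the target file is gone
        "dangling": [e for e in after if e.file_missing],
    }


if __name__ == "__main__":
    result = diff_logs(parse_hjt(BEFORE_LOG), parse_hjt(AFTER_LOG))
    for label in ("added", "removed", "dangling"):
        print(label.upper())
        for e in result[label]:
            print("  %s - %s" % (e.section, e.detail))
```

Entries under "dangling" are registrations left behind after the file itself was deleted; they still need to be fixed in HijackThis even though the file is gone.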
     
  12. rowski

    I checked the contents of the C drive and found the Avenger txt file :) The HijackThis log was taken after Avenger had finished.
    Here it is:

    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Error: could not create zip file.
    Error code: 0


    //////////////////////////////////////////


    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\ihrfcuuq

    *******************

    Script file located at: \??\C:\WINDOWS\euuocucf.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    File C:\WINDOWS\system32\cccdd.bak1 deleted successfully.
    File C:\WINDOWS\system32\cccdd.bak2 deleted successfully.
    File C:\WINDOWS\system32\cccdd.tmp deleted successfully.
    File C:\WINDOWS\system32\cccdd.ini2 deleted successfully.
    File C:\WINDOWS\system32\ddccc.dll deleted successfully.


    File C:\WINDOWS\system32\cccdd.ini2 not found!
    Deletion of file C:\WINDOWS\system32\cccdd.ini2 failed!

    Could not process line:
    C:\WINDOWS\system32\cccdd.ini2
    Status: 0xc0000034



    File C:\WINDOWS\system32\cccdd.bak2 not found!
    Deletion of file C:\WINDOWS\system32\cccdd.bak2 failed!

    Could not process line:
    C:\WINDOWS\system32\cccdd.bak2
    Status: 0xc0000034



    File C:\WINDOWS\system32\cccdd.tmp not found!
    Deletion of file C:\WINDOWS\system32\cccdd.tmp failed!

    Could not process line:
    C:\WINDOWS\system32\cccdd.tmp
    Status: 0xc0000034



    File C:\WINDOWS\system32\cccdd.ini2 not found!
    Deletion of file C:\WINDOWS\system32\cccdd.ini2 failed!

    Could not process line:
    C:\WINDOWS\system32\cccdd.ini2
    Status: 0xc0000034



    File C:\WINDOWS\system32\ddccc.dll not found!
    Deletion of file C:\WINDOWS\system32\ddccc.dll failed!

    Could not process line:
    C:\WINDOWS\system32\ddccc.dll
    Status: 0xc0000034

    File C:\WINDOWS\system32\atmclk.exe deleted successfully.
    File C:\WINDOWS\system32\dcomcfg.exe deleted successfully.


    Could not open file C:\WINDOWS\system32\hp???.tmp for deletion
    Deletion of file C:\WINDOWS\system32\hp???.tmp failed!

    Could not process line:
    C:\WINDOWS\system32\hp???.tmp
    Status: 0xc0000033



    Could not open file C:\WINDOWS\system32\hp????.tmp for deletion
    Deletion of file C:\WINDOWS\system32\hp????.tmp failed!

    Could not process line:
    C:\WINDOWS\system32\hp????.tmp
    Status: 0xc0000033

    File C:\WINDOWS\system32\simpole.tlb deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.//////////////////////////////////////////


    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\ubcbtosx

    *******************

    Script file located at: \??\C:\Documents and Settings\dihqcafg.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:



    File C:\WINDOWS\system32\cccdd.bak1 not found!
    Deletion of file C:\WINDOWS\system32\cccdd.bak1 failed!

    Could not process line:
    C:\WINDOWS\system32\cccdd.bak1
    Status: 0xc0000034



    File C:\WINDOWS\system32\cccdd.bak2 not found!
    Deletion of file C:\WINDOWS\system32\cccdd.bak2 failed!

    Could not process line:
    C:\WINDOWS\system32\cccdd.bak2
    Status: 0xc0000034



    File C:\WINDOWS\system32\cccdd.tmp not found!
    Deletion of file C:\WINDOWS\system32\cccdd.tmp failed!

    Could not process line:
    C:\WINDOWS\system32\cccdd.tmp
    Status: 0xc0000034



    File C:\WINDOWS\system32\cccdd.ini2 not found!
    Deletion of file C:\WINDOWS\system32\cccdd.ini2 failed!

    Could not process line:
    C:\WINDOWS\system32\cccdd.ini2
    Status: 0xc0000034



    File C:\WINDOWS\system32\ddccc.dll not found!
    Deletion of file C:\WINDOWS\system32\ddccc.dll failed!

    Could not process line:
    C:\WINDOWS\system32\ddccc.dll
    Status: 0xc0000034



    File C:\WINDOWS\system32\cccdd.ini2 not found!
    Deletion of file C:\WINDOWS\system32\cccdd.ini2 failed!

    Could not process line:
    C:\WINDOWS\system32\cccdd.ini2
    Status: 0xc0000034



    File C:\WINDOWS\system32\cccdd.bak2 not found!
    Deletion of file C:\WINDOWS\system32\cccdd.bak2 failed!

    Could not process line:
    C:\WINDOWS\system32\cccdd.bak2
    Status: 0xc0000034



    File C:\WINDOWS\system32\cccdd.tmp not found!
    Deletion of file C:\WINDOWS\system32\cccdd.tmp failed!

    Could not process line:
    C:\WINDOWS\system32\cccdd.tmp
    Status: 0xc0000034



    File C:\WINDOWS\system32\cccdd.ini2 not found!
    Deletion of file C:\WINDOWS\system32\cccdd.ini2 failed!

    Could not process line:
    C:\WINDOWS\system32\cccdd.ini2
    Status: 0xc0000034



    File C:\WINDOWS\system32\ddccc.dll not found!
    Deletion of file C:\WINDOWS\system32\ddccc.dll failed!

    Could not process line:
    C:\WINDOWS\system32\ddccc.dll
    Status: 0xc0000034



    File C:\WINDOWS\system32\atmclk.exe not found!
    Deletion of file C:\WINDOWS\system32\atmclk.exe failed!

    Could not process line:
    C:\WINDOWS\system32\atmclk.exe
    Status: 0xc0000034



    File C:\WINDOWS\system32\dcomcfg.exe not found!
    Deletion of file C:\WINDOWS\system32\dcomcfg.exe failed!

    Could not process line:
    C:\WINDOWS\system32\dcomcfg.exe
    Status: 0xc0000034



    Could not open file C:\WINDOWS\system32\hp???.tmp for deletion
    Deletion of file C:\WINDOWS\system32\hp???.tmp failed!

    Could not process line:
    C:\WINDOWS\system32\hp???.tmp
    Status: 0xc0000033



    Could not open file C:\WINDOWS\system32\hp????.tmp for deletion
    Deletion of file C:\WINDOWS\system32\hp????.tmp failed!

    Could not process line:
    C:\WINDOWS\system32\hp????.tmp
    Status: 0xc0000033



    File C:\WINDOWS\system32\simpole.tlb not found!
    Deletion of file C:\WINDOWS\system32\simpole.tlb failed!

    Could not process line:
    C:\WINDOWS\system32\simpole.tlb
    Status: 0xc0000034


    Completed script processing.

    *******************

    Finished! Terminate.
     
    Last edited: Jul 6, 2006
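
Added example, not part of the thread or of The Avenger: a small Python parser for the log format posted above that collapses the repeated entries into one outcome per path and names the two NTSTATUS codes that appear. The sample input is constructed in the log's layout, and the function names are hypothetical.

```python
import re
# NTSTATUS values seen in the log above; names are from the Windows ntstatus.h header.
NTSTATUS = {
    0xC0000033: "STATUS_OBJECT_NAME_INVALID",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
}

# Constructed sample in the same layout as the posted log (not a verbatim copy).
SAMPLE = r"""Beginning to process script file:

File C:\WINDOWS\system32\ddccc.dll deleted successfully.

Could not process line:
C:\WINDOWS\system32\cccdd.tmp
Status: 0xc0000034

Could not open file C:\WINDOWS\system32\hp???.tmp for deletion
Deletion of file C:\WINDOWS\system32\hp???.tmp failed!

Could not process line:
C:\WINDOWS\system32\hp???.tmp
Status: 0xc0000033
"""

DELETED = re.compile(r"^File (.+) deleted successfully\.$")
STATUS = re.compile(r"^Status: (0x[0-9a-fA-F]+)$")

def summarize(log_text):
    """Map each path in an Avenger log to 'deleted' or the name of its failure status."""
    rows = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    outcome = {}
    for i, row in enumerate(rows):
        done = DELETED.match(row)
        if done:
            outcome[done.group(1)] = "deleted"
        elif row == "Could not process line:" and i + 2 < len(rows):
            path, status = rows[i + 1], STATUS.match(rows[i + 2])
            if status and outcome.get(path) != "deleted":
                # "Not found" after an earlier successful deletion is expected; keep "deleted".
                code = int(status.group(1), 16)
                outcome[path] = NTSTATUS.get(code, hex(code))
    return outcome

def needs_recheck(outcome):
    """Paths that were neither deleted nor confirmed absent, e.g. rejected wildcard names."""
    settled = ("deleted", "STATUS_OBJECT_NAME_NOT_FOUND")
    return sorted(p for p, o in outcome.items() if o not in settled)
```

Run over the full log above, only the `hp???.tmp` and `hp????.tmp` entries end up in the recheck list: status 0xc0000033 means the name itself was rejected, so no file matching those patterns was touched.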
  13. tapiiri

    tapiiri Regular member

    Joined:
    Jun 11, 2005
    Messages:
    1,142
    Likes Received:
    0
    Trophy Points:
    46
    Hi rowski

    Restart your computer in safe mode -> http://www.pchell.com/support/safemode.shtml

    When in safe mode, open the SmitfraudFix folder and double-click the file smitfraudfix.cmd
    Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.

    You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.

    The tool checks if wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".

    The tool might have to restart your computer; if it doesn't, restart your computer back to normal mode.
    A text file will appear after the cleaning process; copy this file and paste it here.
    The log is saved to your local disk drive, usually C:\rapport.txt.

    Warning: Running option 2 on a clean computer will delete your desktop wallpaper.


    Scan hijack and send a fresh log and rapport.txt
     
