I have the SMITFRAUD-C. virus on my computer. Please HELP!

  • CG
  • Born

Post 3+ Months Ago

I have the SMITFRAUD-C. virus on my computer. I do not know what to do. Please Help!

Dear All,

I am new at computers and I am not familiar with removing viruses. I was surfing the internet and I wanted to watch a video that was embedded into a website. A pop-up came up asking me to download a plug-in so I could watch the video. So I decided to download the plug-in. That was a mistake! The next thing I know, my web browser has some new toolbar that asks me to get new spyware removal programs.

In the Internet Explorer toolbar area, there are four buttons that I believe are part of the infection: Remove Popups, Scan Spyware, Security Test, and Spam Protection. There is a red blinking icon with an "X." A popup appears randomly and periodically that states, "Spyware Alert! worm.win32.netsky is detected on your computer. Please click "yes" to remove this virus." I always click "no." A few minutes later Internet Explorer pops up, sending me to websites such as

"http://mediasmegaportal.com/phandler.php?sid=0&said=0&pn=&aid=0&pid=2&k=replica+handbags and

http://www.safenavweb.com/index.php?sid ... id=0&pid=0"

I disable Internet Explorer and it still appears. I ran Spybot Search and Destroy and it only catches Smitfraud-C and zlob.downloader.vcd. It does not catch Virtumonde, virtumonde.generic, etc. It says Smitfraud-C and zlob.downloader.vcd are registry files.

I also have 3 desktop icons that say "Spyware & Protect, Private Protector, and Error Cleaner." These appear periodically when I turn on my computer. Sometimes they do not appear. I normally just delete them from my desktop.

I ran my anti virus called NOD32 and it says "application Win32/Adware.Agent.NIJ found in operating memory. The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed. No action can be taken while the file is in memory. Click "Leave" to continue and subsequently run the cleaning of all local disks. System memory infection originated from file C:\WINDOWS\kopmet.dll."

I THINK I HAVE MORE THAN ONE VIRUS PLEASE HELP!

HiJackThis Log:



Logfile of HijackThis v1.99.1

Scan saved at 3:26:57 PM, on 12/6/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Eset\nod32kui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\PeerGuardian2\pg2.exe

C:\Program Files\I8kfanGUI\I8kfanGUI.exe

C:\$ISR\0\ISRService.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\ESET\nod32.exe

C:\Documents and Settings\Zelo\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm ... Ojg5&lid=2

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - E:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: MSVPS System - {5EF40AC5-1BBE-4436-A9E3-F129C0D605D8} - C:\WINDOWS\vipextoxn.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O3 - Toolbar: The voipwet - {D4170A6E-8CE3-444B-ACA4-B3A0AF12C55C} - C:\WINDOWS\voipwet.dll

O4 - HKLM\..\Run: [ISR_MONITOR] C:\$ISR\$APP\ISRMonitor.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe

O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup

O4 - HKCU\..\Run: [Yahoo! Pager] "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O8 - Extra context menu item: &D&ownload &with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... en/x86/client/wuweb_site.cab?1190488359171

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O20 - AppInit_DLLs: prio.dll

O21 - SSODL: kopmet - {25A46237-F5C3-4A3C-B0DB-42C27CD35E9A} - C:\WINDOWS\kopmet.dll

O21 - SSODL: jetctrl - {1D839606-2526-4357-B286-23541CD8010B} - C:\WINDOWS\jetctrl.dll

O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)

O23 - Service: FirstDefense-ISR Service (ISRService) - Raxco Software, Inc. - C:\$ISR\0\ISRService.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

HiJackThis start-up log:

StartupList report, 12/6/2007, 3:27:56 PM

StartupList version: 1.52.2

Started from : C:\Documents and Settings\Zelo\Desktop\HijackThis.EXE

Detected: Windows XP SP2 (WinNT 5.01.2600)

Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)

* Using default options

==================================================

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Eset\nod32kui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\PeerGuardian2\pg2.exe

C:\Program Files\I8kfanGUI\I8kfanGUI.exe

C:\$ISR\0\ISRService.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Documents and Settings\Zelo\Desktop\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ISR_MONITOR = C:\$ISR\$APP\ISRMonitor.exe

nod32kui = "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

--------------------------------------------------

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

PeerGuardian = C:\Program Files\PeerGuardian2\pg2.exe

i8kfangui = C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup

Yahoo! Pager = "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*

run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\Windows: load=

HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=prio.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe

SCRNSAVE.EXE=*Registry value not found*

drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

BitComet ClickCapture - E:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

(no name) - C:\WINDOWS\vipextoxn.dll - {5EF40AC5-1BBE-4436-A9E3-F129C0D605D8}

NCO 2.0 IE BHO - (no file) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}

(no name) - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

(no name) - (no file) - {7E853D72-626A-48EC-A868-BA8D5E23E045}

--------------------------------------------------

Enumerating Download Program Files:

[{32505657-9980-0010-8000-00AA00389B71}]

CODEBASE = http://download.microsoft.com/download/ ... D74-A130-E4CAB36EB01F/wmvadvd.cab

[WUWebControl Class]

InProcServer32 = C:\WINDOWS\system32\wuweb.dll

CODEBASE = http://www.update.microsoft.com/windows ... en/x86/client/wuweb_site.cab?1190488359171

[Shockwave Flash Object]

InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9d.ocx

CODEBASE = http://fpdownload.macromedia.com/pub/sh ... wflash.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:

*No scripts set to run*

Windows NT checkdisk command:

BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':

PendingFileRenameOperations: C:\DOCUME~1\Zelo~1\LOCALS~1\TEMPOR~1\Content.IE5\index.dat||C:\DOCUME~1\Zelo~1\Cookies\index.dat||C:\DOCUME~1\Zelo~1\LOCALS~1\History\History.IE5\index.dat|||~

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll

CDBurn: C:\WINDOWS\system32\SHELL32.dll

WebCheck: C:\WINDOWS\system32\webcheck.dll

SysTray: C:\WINDOWS\system32\stobject.dll

kopmet: C:\WINDOWS\kopmet.dll

jetctrl: C:\WINDOWS\jetctrl.dll

--------------------------------------------------

End of report, 6,210 bytes

Report generated in 0.032 seconds

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only

NOD32 ANTI VIRUS LOG

Scan performed at: 12/6/2007 14:05:53 PM

Scanning Log

NOD32 version 2707 (20071206) NT

Operating memory - Win32/Adware.Agent.NIJ application

Date: 6.12.2007 Time: 14:56:23

Anti-Stealth technology is enabled.

Scanned disks, folders and files: C:; E:

C:\pagefile.sys - error opening (File locked) [4]

C:\$ISR\1\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusDisableNotify.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusDisableNotify.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallDisableNotify.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallDisableNotify.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterUpdateDisableNotify.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterUpdateDisableNotify.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC10.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC10.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC11.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC11.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC12.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC12.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC13.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC13.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC14.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC14.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC15.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC15.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC16.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC16.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC17.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC17.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC18.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC18.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC19.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC19.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC20.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC20.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC21.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC21.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC22.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC22.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC23.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC23.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC24.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC24.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC25.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC25.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC26.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC26.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC3.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC3.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC4.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC4.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC5.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC5.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC6.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC6.zip »ZIP »sbRecovery.ini - incorrect CRC checksum, the file may be damaged

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC7.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC7.zip »ZIP »sbRecovery.ini - incorrect CRC checksum, the file may be damaged

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC8.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC8.zip »ZIP »sbRecovery.ini - incorrect CRC checksum, the file may be damaged

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC9.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC9.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCMSVPS.zip »ZIP »dat.txt - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCMSVPS.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCMSVPS1.zip »ZIP »dat.txt - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCMSVPS1.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCMSVPS2.zip »ZIP »dat.txt - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCMSVPS2.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervcd.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervcd.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervcd1.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervcd1.zip »ZIP »sbRecovery.ini - incorrect CRC checksum, the file may be damaged

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervcd2.zip »ZIP »sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervcd2.zip »ZIP »sbRecovery.ini - error - password-protected file

C:\Documents and Settings\Zelo\NTUSER.DAT - error opening (File locked) [4]

C:\Documents and Settings\Zelo\ntuser.dat.LOG - error opening (File locked) [4]

C:\Documents and Settings\Zelo\Application Data\Mozilla\Firefox\Profiles\ibs1itfo.default\parent.lock - error opening (File locked) [4]

C:\Documents and Settings\Zelo\Local Settings\Application Data\Microsoft\Messenger\Zelo@hotmail.com\SharingMetadata\pkcool@hotmail.com\DFSR\Staging\CS{4302F299-7179-9B12-07E7-5EB31F1CA5A0}\01\10-{4302F299-7179-9B12-07E7-5EB31F1CA5A0}-v1 - error opening [4]

C:\Documents and Settings\Zelo\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]

C:\Documents and Settings\Zelo\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]

C:\Documents and Settings\Zelo\Local Settings\Temporary Internet Files\Content.Word\~WRS{72ABDCF4-8577-47FE-AC67-88BBCD207BFC}.tmp - error opening (File locked) [4]

C:\Documents and Settings\LocalService\NTUSER.DAT - error opening (File locked) [4]

C:\Documents and Settings\LocalService\ntuser.dat.LOG - error opening (File locked) [4]

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]

C:\Documents and Settings\NetworkService\NTUSER.DAT - error opening (File locked) [4]

C:\Documents and Settings\NetworkService\ntuser.dat.LOG - error opening (File locked) [4]

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]

C:\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]

C:\WINDOWS\kopmet.dll - Win32/Adware.Agent.NIJ application

C:\WINDOWS\vipextoxn.dll - Win32/Adware.Agent.NIL application

C:\WINDOWS\system32\config\default - error opening (File locked) [4]

C:\WINDOWS\system32\config\default.LOG - error opening (File locked) [4]

C:\WINDOWS\system32\config\SAM - error opening (File locked) [4]

C:\WINDOWS\system32\config\SAM.LOG - error opening (File locked) [4]

C:\WINDOWS\system32\config\SECURITY - error opening (File locked) [4]

C:\WINDOWS\system32\config\SECURITY.LOG - error opening (File locked) [4]

C:\WINDOWS\system32\config\software - error opening (File locked) [4]

C:\WINDOWS\system32\config\software.LOG - error opening (File locked) [4]

C:\WINDOWS\system32\config\system - error opening (File locked) [4]

C:\WINDOWS\system32\config\system.LOG - error opening (File locked) [4]

E:\Back-up1\Documentary Films\Redacted.LiMiTED.REPACK.DVDSCR.XViD-ALLiANCE\alli-redacted.xvid.rpk.part01.rar »RAR »alli-redacted.xvid.rpk.avi - next archive volume not found

E:\Back-up1\ULTIMATE\SPF2\specialforce2.part01.rar »RAR »specialforce2.exe - next archive volume not found

E:\Program Files\Ubisoft\Crytek\Far Cry\Levels\Cooler\level.pak »ZIP »terrain/cover.ctc - incorrect CRC checksum, the file may be damaged

E:\RECYCLER\S-1-5-21-1644491937-1425521274-839522115-1003\De51.exe »NSIS »routipqno.exe - Win32/TrojanDownloader.Zlob.BLX trojan

E:\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]

Number of scanned files: 262952

Number of threats found: 3

Time of completion: 15:22:19 Total scanning time: 1556 sec (00:25:56)

Notes:

[4] File cannot be opened. It may be in use by another application or operating system.
  • ATNO/TW
  • Super Moderator

Post 3+ Months Ago

Before you do anything else, go to this post
http://www.wilderssecurity.com/showthread.php?t=75890

Read the first post there and follow those instructions to the letter. Afterwards report back with success or failure and repost a new log.
  • CG
  • Born

Post 3+ Months Ago

HERE IS MY SMITFRAUD FIX LOG. I NEED HELP PLEASE!

SmitFraudFix v2.258

Scan done at 0:24:11.98, Fri 12/07/2007
Run from C:\Documents and Settings\Zelo\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\$ISR\0\ISRService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ESET\nod32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 http://www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\jetctrl.dll FOUND !
C:\WINDOWS\vipext?.dll FOUND !
C:\WINDOWS\voipwet.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Zelo


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Zelo\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Zelo~1\FAVORI~1

C:\DOCUME~1\Zelo~1\FAVORI~1\Error Cleaner.url FOUND !
C:\DOCUME~1\Zelo~1\FAVORI~1\Privacy Protector.url FOUND !
C:\DOCUME~1\Zelo~1\FAVORI~1\Spyware?Malware Protection.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\RichVideoCodec\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!Attention, following keys are not inevitably infected!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!Attention, following keys are not inevitably infected!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="prio.dll"
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not inevitably infected!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/Wireless 3945ABG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254
DNS Server Search Order: 192.168.1.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{E170AA62-E3BB-4361-8B6E-804F973862F9}: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E170AA62-E3BB-4361-8B6E-804F973862F9}: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254 192.168.1.254


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
  • ATNO/TW
  • Super Moderator

Post 3+ Months Ago

OK, it looks like that did what it was supposed to. Could you post a fresh HijackThis log, please? (Only the HijackThis log.)
