1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Smitfraud-C.Toolbar888 and invasion of viruses

Discussion in 'Virus & Other Malware Removal' started by skoman, Feb 13, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. skoman

    skoman Thread Starter

    Joined:
    Feb 13, 2007
    Messages:
    21
    Hi to all,
    I hope that someone could give me hand to get rid of this thing Smitfraud-C.Toolbar888 which I believe is bringing viruses to my computer.
    I found it 2 days ago with Spybot SD.
    There were extra removal instructions saying to download Process explorer from a site related to the microsoft and use this stand alone tool to kill dll files in winlogon.exe which run 2 times .Than delete the same files which are shown in the Spybot.It was not clear at all.There were no shown dll files in Spybot.
    i tried this.NO result.Exept when I went to internet a lot of viruses came in.
    I rebooted in safe mode with networking.
    After reading what to do I find out that every case is very individual , so it is better to post a new topic.;)
    But I'll explain what has happend and what I did till now.
    Suddenly an error message came out saying "ipwins.exe has experienced a error and it needs to close.Send error , don not send"
    I did not send it.
    My norton antivirus does not work in safe mode, maybe because I uninstall live update.I do not know .The error says Symantec integrator has encounted an error."
    Is there any way to change the resolution in safe mode, because mine is so low that I can see only 1/4 of my desktop and the windows are huge.Because of the resolution I could not do a panda online scan.I could not see the scan button.
    I did a bitdefender online scan but not a complete.It would have taken more than 10 hours.
    I have a log.It is very big, written in some code, maybe HTML.I can post it if you want.Bitdefender deteced and deleted 6 viruses.
    Meanwhile I was scanning with Spybot a lot.Each of the results were different finding more malitious crap.Once it found I think a dll file.I delete it.
    No I can not open anything in the control panel.It says "windows can not find rundll32.exe" this is what I found in normal mode:

    http://img244.imageshack.us/img244/4545/rundll32exesearchfz4.png

    In normal mode without internet I did a full system scan with norton antivirus.Some files were deleted , some I put in quarantine.

    Norton AntiVirus Quarantine Report
    Created: 13 Februar 2007 г. 13:57:35
    ------------------------------------------------------------------------------

    File Name
    Location
    Status Size Virus Name
    User Name Machine Name Domain
    Date Quarantined
    Date Submitted

    ------------------------------------------------------------------------------

    svchosts.exe
    c:\windows\system32
    Quarantined 36.0 KB Downloader
    Administrator YOUR-6B8C8E5310 MSHOME
    13 Feb 2007 г. 12:49:50
    Not submitted

    ------------------------------------------------------------------------------

    ipwins.dll
    C:\Program Files\Ipwindows
    Backup of a deleted Security Risk 6.51 KB Packed.Adware
    Administrator YOUR-6B8C8E5310 MSHOME
    13 Feb 2007 г. 13:54:14
    Not submitted

    ------------------------------------------------------------------------------

    win3e4.tmp.exe
    c:\windows\temp
    Quarantined 89.3 KB Trojan Horse
    Administrator YOUR-6B8C8E5310 MSHOME
    13 Feb 2007 г. 12:48:15
    Not submitted

    ------------------------------------------------------------------------------

    ipwins.exe
    C:\Program Files\Ipwindows
    Backup of a deleted Security Risk 59.0 KB Packed.Adware
    Administrator YOUR-6B8C8E5310 MSHOME
    13 Feb 2007 г. 13:54:14
    Not submitted

    ------------------------------------------------------------------------------

    wmlopom.dll
    c:\windows\system32
    Quarantined 69.5 KB Trojan.Busky
    Administrator YOUR-6B8C8E5310 MSHOME
    13 Feb 2007 г. 12:51:32
    Not submitted

    ------------------------------------------------------------------------------

    122[1].net
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KNKT8T87
    Backup of a deleted Security Risk 125 KB Packed.Adware
    Administrator YOUR-6B8C8E5310 MSHOME
    13 Feb 2007 г. 13:54:14
    Not submitted

    ------------------------------------------------------------------------------

    EvID4226Patch.exe

    Backup of an infected file 31.5 KB Hacktool
    Administrator YOUR-6B8C8E5310 MSHOME
    13 Feb 2007 г. 11:40:52
    Not submitted

    ------------------------------------------------------------------------------

    Uninst.exe
    C:\Program Files\Ipwindows
    Backup of a deleted Security Risk 38.8 KB Packed.Adware
    Administrator YOUR-6B8C8E5310 MSHOME
    13 Feb 2007 г. 13:54:15
    Not submitted

    ------------------------------------------------------------------------------

    secwin.exe
    C:\My Backup -- 27-04-06 1316\WINDOWS\system32
    Backup of a deleted Security Risk 286 KB Packed.Spyware
    Administrator YOUR-6B8C8E5310 WORKGROUP
    28 April 2006 г. 23:15:31
    Not submitted

    ------------------------------------------------------------------------------

    Update.exe
    c:\Program Files\Common Files\{94B3A395-0AE6-1026-0607-050512200167}
    Backup of an infected file 14.0 KB Packed.SecurityRiskOn
    Administrator YOUR-6B8C8E5310 MSHOME
    13 Feb 2007 г. 11:26:30
    Not submitted

    ------------------------------------------------------------------------------

    wlzip32[1].exe
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\AXPIZM9W
    Quarantined 89.3 KB Trojan Horse
    Administrator YOUR-6B8C8E5310 MSHOME
    13 Feb 2007 г. 13:49:51
    Not submitted

    ------------------------------------------------------------------------------

    b122.exe
    C:\WINDOWS\Temp
    Backup of a deleted Security Risk 125 KB Packed.Adware
    Administrator YOUR-6B8C8E5310 MSHOME
    13 Feb 2007 г. 13:42:43
    Not submitted

    ------------------------------------------------------------------------------

    system.dll
    C:\Program Files\Common Files\{94B3A395-0AE6-1026-0607-050512200167}
    Backup of a deleted Security Risk 7.00 KB Packed.SecurityRiskOn
    Administrator YOUR-6B8C8E5310 MSHOME
    13 Feb2007 г. 13:54:15
    Not submitted

    ------------------------------------------------------------------------------

    ghonuxh.dll
    c:\windows\system32
    Quarantined 91.0 KB Trojan.Busky
    Administrator YOUR-6B8C8E5310 MSHOME
    13 Feb 2007 г. 12:54:31
    Not submitted

    ------------------------------------------------------------------------------

    This is the latest hijacklog(I renamed it to this.will.kill.u.exe)
    If you need I can give you the logs from safe mode.

    Logfile of HijackThis v1.99.1
    Scan saved at 20:41:03, on 13.2.2007 г.
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Digital Media Reader\shwicon2k.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Hijackthis\this.will.kill.u.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.bg/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.10.10.2
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {14FA72E8-AF04-175D-5F51-094E08FD1058} - C:\WINDOWS\system32\wmlopom.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
    O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvgaz.dll,startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - Global Startup: adobe reader speed launch.lnk.disabled
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O15 - Trusted Zone: http://download.windowsupdate.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3AB2F58C-FA8F-41B5-AB24-75BA67AE13F4}: NameServer = 85.187.152.161,80.72.64.4
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: wintfj32 - C:\WINDOWS\SYSTEM32\wintfj32.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
    ----------------------------------------------------
    The latest full system scan with Norton Antivirus says no threats.
    Spybot says Smitfraud-C.Toolbar888
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR

    Your help will be appreciated.And I would like to ask you if you are going to help me please explain it to me why for example I have to do this and that.I just would like to learn.Thanks
     
  2. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    hi, welcome to TSG.



    Please download SmitfraudFix (by S!Ri)
    Extract the content (a folder named SmitfraudFix) to your Desktop.


    Download: ResetProtocolDefaults.reg
    http://www.mvps.org/winhelp2002/Rese...olDefaults.reg

    Locate "ResetProtocolDefaults.reg"
    Right-click and select: Merge (Ok the prompt)



    Download AVG Anti-Spyware

    http://www.ewido.net/en/


    * Once you have downloaded AVG Anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
    * Once the setup is complete you will need run AVG and update the definition files.
    * On the main screen select the icon "Update" then select the "Update now" link.
    * Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    * Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    * Once in the Settings screen click on "Recommended actions" and then select "Delete"
    * Under "Reports"
    * Select "Automatically generate report after every scan"
    * Un-Select "Only if threats were found"


    Close AVG Anti-Spyware. Anti-spyware, Do NOT run a scan yet. We will do that later in safe mode.



    * Click here to download ATF Cleaner by Atribune and save it to your desktop.

    http://majorgeeks.com/ATF_Cleaner_d4949.html


    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.
    o If you use Firefox:
    + Click Firefox at the top and choose: Select All
    + Click the Empty Selected button.
    + NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    o If you use Opera:
    + Click Opera at the top and choose: Select All
    + Click the Empty Selected button.
    + NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    * Click Exit on the Main menu to close the program.


    * Click here for info on how to boot to safe mode if you don't already know
    how.

    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam



    * Now copy these instructions to notepad and save them to your desktop. You
    will need them to refer to in safe mode.


    * Restart your computer into safe mode now. Perform the following steps in
    safe mode:



    have hijack this fix these entries. close all browsers and programmes before
    clicking FIX.



    O2 - BHO: (no name) - {14FA72E8-AF04-175D-5F51-094E08FD1058} - C:\WINDOWS\system32\wmlopom.dll (file missing)
    O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
    O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvgaz.dll,startup
    O20 - Winlogon Notify: wintfj32 - C:\WINDOWS\SYSTEM32\wintfj32.dll




    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
    In the Full Path of File to Delete box, copy and paste each of the following
    lines one at a time then click on the button that has the red circle with the
    X in the middle after you enter each file. It will ask for confirmation to
    delete the file. Click Yes. Continue with that same procedure until you have
    copied and pasted all of these in the Paste Full Path of File to Delete box.



    Note: It is possible that Killbox will tell you that one or more files do not
    exist. If that happens, just continue on with all the files. Be sure you
    don't miss any.



    C:\Program Files\Ipwindows\ipwins.exe
    C:\Program Files\Ipwindows
    C:\WINDOWS\system32\drvgaz.dll
    C:\WINDOWS\SYSTEM32\wintfj32.dll




    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non infected computer will remove your Desktop background.



    Run AVG Anti-Spyware!

    # IMPORTANT: Do not open any other windows or programs while AVG is scanning as it may interfere with the scanning process:
    # Launch AVG Anti-spyware by double-clicking the icon on your desktop.
    # Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    # AVG will now begin the scanning process. Be patient this may take a little time.
    Once the scan is complete do the following:
    # If you have any infections you will prompted, then select "Apply all actions"
    # Next select the "Reports" icon at the top.
    # Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    # Close AVG and reboot your system back into Normal Mode.



    reboot to normal mode and run a few online scans!



    Note: this is a stand alone, it doesn't install to start/programmes.

    Download Mwav,

    http://www.spywareinfo.dk/download/mwav.exe


    double click on it and it will extract to C:\kaspersky. Click
    on the kaspersky folder and click on Kavupd, a black dos window will open
    and it will update the programme for you, be patient it will take 5-10
    minutes to download the new definitions. Once it's updated, click on mwavscan
    to launch the programme.

    Use the defaults of:

    Memory
    startup folders
    Registry
    system folders
    services

    Choose drive , all drives and, click scan all files
    and then click scan/clean. After it finishes scanning and cleaning post
    the log here with a new hijack this log.

    Note: this is a very thorough scanner, it might take anything up to an hour
    or more, depending on how many drives you have and how badly infected your
    pc is.



    Highlight the portion of the scan that lists infected items and hold
    CTRL + C to Copy then paste it here. The whole log with be extremely
    big so there is no way to copy the whole thing. I just need the
    infected items list.




    post another hijack this log, the AVG Anti-Spyware log, smitfraud, and the Mwav scan log.
     
  3. skoman

    skoman Thread Starter

    Joined:
    Feb 13, 2007
    Messages:
    21
    Thank you so much for your respond and for your will to help me.I am sorry but I do not have any killbox.exe. Where should I get it from?I am so confused.
     
  4. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
  5. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    cheers Mike! :)
     
  6. skoman

    skoman Thread Starter

    Joined:
    Feb 13, 2007
    Messages:
    21
    Here are the logs you requested.I was not able to do a scan with AVG anti-spyware in safe mode because of the resolution problem I have , which I explained in my first post.
    I still can not access anything from the control panel because of the missing rundll32.exe.
    But the good news is that Smitfraud C.toolbar888 is gone.Spybot SD finaly removed the registry entry after killbox.exe did its job.

    1.Smithfraud fix log - I was not prompted to reboot or set a permition to replace any file.

    SmitFraudFix v2.142

    Scan done at 22:24:17,70, 14.02.2007 Ј.
    Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

    2.AVG Anti-spyware logs:
    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 23:45:24 14.2.2007 г.

    + Scan result:

    C:\Documents and Settings\Administrator\My Documents\Сборно\Bitcomet Downloads\NFS V\Нови коли и модификации за NFS PU\32trainer.zip/Cash.exe -> Dropper.Small : Cleaned.
    C:\!KillBox\drvgaz.dll -> Trojan.Agent.qt : Cleaned.
    C:\!KillBox\wintfj32.dll -> Trojan.Agent.qt : Cleaned.
    C:\!KillBox\wintfj32.dll( 1) -> Trojan.Agent.qt : Cleaned.
    C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP176\A0121801.dll -> Trojan.Agent.qt : Cleaned.
    C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP176\A0121822.dll -> Trojan.Agent.qt : Cleaned.
    C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP176\A0121824.dll -> Trojan.Agent.qt : Cleaned.
    C:\WINDOWS\system32\drvgis.dll -> Trojan.Agent.qt : Cleaned.
    C:\WINDOWS\system32\drvhah.dll -> Trojan.Agent.qt : Cleaned.
    C:\WINDOWS\system32\drvtuk.dll -> Trojan.Agent.qt : Cleaned.


    ::Report end

    3.There are a lot of errors in the full MWAV log of files which can not be scanned.
    Would you like to present them?

    This is what came out as a "Virus Log Information" after MWAV scan:

    File C:\WINDOWS\system32\unsvchosts.exe tagged as not-a-virus:RiskTool.Win32.Starter.a. No Action Taken.
    File C:\DESKTOP\SmitfraudFix\Reboot.exe tagged as not-a-virus:RiskTool.Win32.Reboot.f. No Action Taken.
    File C:\DESKTOP\SmitfraudFix.zip tagged as not-a-virus:RiskTool.Win32.Reboot.f. No Action Taken.
    File C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe tagged as not-a-virus:RiskTool.Win32.Reboot.f. No Action Taken.
    File C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.zip tagged as not-a-virus:RiskTool.Win32.Reboot.f. No Action Taken.
    File C:\Documents and Settings\Administrator\Recent\Commandos:Beyong.the.call.of.duty.lnk infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
    File C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP176\A0121850.dll infected by "PECompact" Virus. Action Taken: File Renamed.
    File C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP176\A0121851.dll infected by "PECompact" Virus. Action Taken: File Renamed.
    File C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP176\A0121852.dll infected by "PECompact" Virus. Action Taken: File Renamed.
    File C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP176\A0121853.dll infected by "PECompact" Virus. Action Taken: File Renamed.
    File C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP176\A0121854.dll infected by "PECompact" Virus. Action Taken: File Renamed.
    File C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP176\A0121858.exe infected by "Trojan-Downloader.Win32.Agent.bdr" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP176\A0121859.exe infected by "Trojan-Downloader.Win32.Agent.bca" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP176\A0121860.dll infected by "Trojan-Downloader.Win32.Busky.gen" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP176\A0121861.exe infected by "Trojan-Downloader.Win32.Agent.bdr" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP176\A0121862.dll infected by "Trojan-Downloader.Win32.Busky.gen" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP176\A0121863.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.ab. No Action Taken.
    File C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP176\A0121866.exe tagged as not-a-virus:AdWare.Win32.Maxifiles.ab. No Action Taken.
    File C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP176\A0121867.exe tagged as not-a-virus:Monitor.Win32.Ardamax.24. No Action Taken.
    File C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP176\A0121868.dll tagged as not-a-virus:AdWare.Win32.Softomate.ac. No Action Taken.
    File C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP176\A0121870.exe tagged as not-a-virus:AdWare.Win32.Softomate.ac. No Action Taken.
    File C:\WINDOWS\system32\unsvchosts.exe tagged as not-a-virus:RiskTool.Win32.Starter.a. No Action Taken.

    4.Latest hijackthis log:
    Logfile of HijackThis v1.99.1
    Scan saved at 13:44:46, on 15.2.2007 г.
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Digital Media Reader\shwicon2k.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Hijackthis\this.will.kill.u.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.10.10.2
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - Global Startup: adobe reader speed launch.lnk.disabled
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O15 - Trusted Zone: http://download.windowsupdate.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3AB2F58C-FA8F-41B5-AB24-75BA67AE13F4}: NameServer = 85.187.152.161,80.72.64.4
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

    May I ask you what is this? :prismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    I think I have never installed anything like that.
    Once again thank you for the help.

    PS: I forgot to mention something that might be important.Almost every time I shut down from windows my machine restarts after a quick blue screen error. I have to press again the shut down button in order to turn it off.That is an old issue I have long before the infection with Smitfraud C.toolbar888.
     
  7. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    http://www.bleepingcomputer.com/startups/PRISMXL.SYS-10410.html



    Double-click on Killbox.exe to run it. Now put a tick by Delete on
    Reboot. In the "Full Path of File to Delete" box, copy and paste each
    of the following lines one at a time then click on the button that has
    the red circle with the X in the middle after you enter each file.
    It will ask for confimation to delete the file on next reboot. Click
    Yes. It will then ask if you want to reboot now. Click No. Continue
    with that same procedure until you have copied and pasted all of
    these in the "Paste Full Path of File to Delete" box.Then click yes
    to reboot after you entered the last one.


    Note: It is possible that Killbox will tell you that one or more files do not
    exist. If that happens, just continue on with all the files. Be sure you
    don't miss any.



    C:\WINDOWS\system32\unsvchosts.exe



    go to this site and download these tools and once you get both
    adaware Se 1.6 and spybot, update both of them.

    Set adaware to do a full system scan and deselect, "search for neglible risk
    entries". Click next to start the scan. Delete everything adaware finds.

    reboot and now run spybot

    Spybot: Search and destroy.

    Delete what spybot finds marked in red. After updating spybot hit the
    immunize button.



    Download Superantispyware.

    http://www.superantispyware.com/


    Once downloaded and installed update the defintions
    and then run a full system scan quarantine what it finds!



    All tools can be downloaded at the link below and found on that page!

    . SUPERAntiSpyware
    . Nail/Bolder/Aurora Remover
    . SpyBot search and destroy
    . AdAware SE personal


    http://www.majorgeeks.com/downloads31.html


    Make sure your ActiveX controls are set as follows:

    Go to Internet Options - Security - Internet, press 'default level', then OK.
    Now press "Custom Level."

    In the ActiveX section, set the first two options (Download signed and
    unsigned ActiveX controls) to 'prompt', and 'Initialize and Script ActiveX
    controls not marked as safe" to 'disable'.


    Active X settings

    http://www.compu-docs.com/activex.htm



    Run ActiveScan online virus scan here

    http://www.pandasoftware.com/products/activescan.htm

    When the scan is finished, anything that it cannot clean have it delete it.
    Make a note of the file location of anything that cannot be deleted so you
    can delete it yourself.
    - Save the results from the scan!


    post another log and the panda scan log!
     
  8. skoman

    skoman Thread Starter

    Joined:
    Feb 13, 2007
    Messages:
    21
    Hi,
    I 'm sorry for this stupid question.I just want to make sure that I got everything right.

    You want me to remove only this entry with Killbox.
    C:\WINDOWS\system32\unsvchosts.exe
     
  9. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
  10. skoman

    skoman Thread Starter

    Joined:
    Feb 13, 2007
    Messages:
    21
    Panda online scan log:

    Incident Status Location Adware:adware/iebar Not disinfected WindowsRegistry
    Adware:adware/ist.istbar Not disinfected WindowsRegistry
    Potentially unwanted tool:Application/Processor Not disinfected C:\DESKTOP\SmitfraudFix\Process.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\DESKTOP\SmitfraudFix.zip [SmitfraudFix/Process.exe]
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Process.exe

    Hijackthis log:
    Logfile of HijackThis v1.99.1
    Scan saved at 00:28:20, on 16.2.2007 г.
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Digital Media Reader\shwicon2k.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Hijackthis\this.will.kill.u.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.10.10.2
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - Global Startup: adobe reader speed launch.lnk.disabled
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O15 - Trusted Zone: http://download.windowsupdate.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3AB2F58C-FA8F-41B5-AB24-75BA67AE13F4}: NameServer = 85.187.152.161,80.72.64.4
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

    How can I fix the problem with missing file rundll32.exe in Control panel?
    I've just noticed something weird.I renamed the c:\Hijackthis\hijackthis.exe to c:\Hijackthis\this.will.kill.u.exe right away after I unzip it.Now there is one more exe file in the same folder c:\Hijackthis .The file is HIJACKTHIS.exe.And when I point it with the mouse the information box says that it is been created on 15 of FEB. 2007. size 0 bytes
     
  11. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Are you in Bulgaria?
     
  12. skoman

    skoman Thread Starter

    Joined:
    Feb 13, 2007
    Messages:
    21
    Yes.What difference does it make?
     
  13. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    It can make a big difference if your DNS is a hijacker from the Ukraine and your in say the UK! but yours is from Bulgaria, so hence the reason I asked if your a Bulgar!


    clean log!


    You should now turn off system restore to flush out the bad restore points and
    then re-enable it and make a new clean restore point.


    How to turn off system restore

    http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam


    http://support.microsoft.com/default.aspx?scid=kb;[LN];310405




    Here's some free tools to keep you from getting infected in the future.


    To stop reinfection get spywareblaster from


    http://www.javacoolsoftware.com/downloads.html


    get the hosts file from here.Unzip it to a folder!



    http://www.mvps.org/winhelp2002/hosts.htm


    put it into : or click the mvps bat and it should do it for you!


    Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
    Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
    Win 98\ME = C:\WINDOWS



    ie-spyad.Puts over 5000 sites in your restricted zone so you'll be protected

    when you visit innocent-looking sites that aren't actually innocent at all.

    http://www.spywarewarrior.com/uiuc/resource.htm


    Spyware Terminator

    http://www.spywareterminator.com/dnl/landing.aspx


    In spyware terminator, click real time protection and tick the box to use
    real time protection and tick all the boxes except file exceptions shield.
    If your confident in using its advanced feature, click advanced and tick
    the HIPS box.

    If you want to install and uninstall programs it is best to
    temporarily disable Spyware terminator and then re-enable it after you
    have installed or uninstalled a program as it will create a lot of pop ups asking you do you wish this to happen!

    Right click spyware terminator on the bottom right of your status bar and
    choose exit.Then tick the box and that is spyware terminator disabled!



    Use spybot's immunize button and use spywareblaster' enable
    protection once you update it. you can put spybot's hosts file into
    your own and lock it.



    I would also suggest switching to Mozilla's firefox browser, it's safer, has
    a built in pop up blocker, blocks cookies and adds. Mozilla Thunderbird is also a good
    e-mail client.

    http://www.mozilla.org/


    Another good and free browser is Opera!

    http://www.opera.com/


    Read here to see how to tighten your security:

    http://forums.techguy.org/t208517.html


    A good overall guide for firewalls, anti-virus, and anti-trojans as well as
    regular spyware cleaners.

    http://www.firewallguide.com/anti-trojan.htm



    you can mark your own thread solved through thread tools at the top of
    the page.
     
  14. skoman

    skoman Thread Starter

    Joined:
    Feb 13, 2007
    Messages:
    21
    Is that going to fix my rundll32.exe problem?
     
  15. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    what is the rundll32 problem, explain the error you are getting!
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/543769

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice