Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

smitfraudfix- Please help

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: smitfraudfix- Please help

Unread postby LDTate » January 12th, 2008, 8:48 am

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\wupeng.exe
C:\WINDOWS\system32\E522512530.dll

Folder::
C:\Program Files\MalwareCrush

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Winupdate Engine"=-
"MalwareCrush"=-


Save this as Save this as "CFScript"


Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.


Also please describe how your computer behaves at the moment.
User avatar
LDTate
WTT Teacher
WTT Teacher
 
Posts: 3920
Joined: February 18th, 2005, 8:38 pm
Location: Missouri, USA
Advertisement
Register to Remove

Re: smitfraudfix- Please help

Unread postby budsker » January 14th, 2008, 11:31 pm

ComboFix 08-01-10.2 - HISDUSER 2008-01-14 20:58:13.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.559 [GMT -6:00]
Running from: C:\Documents and Settings\HISDUser\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HISDUser\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\E522512530.dll
C:\WINDOWS\system32\wupeng.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\HISDUser\Start Menu\MalwareCrush 3.7.lnk
C:\Documents and Settings\HISDUser\Start Menu\Programs\MalwareCrush
C:\Documents and Settings\HISDUser\Start Menu\Programs\MalwareCrush\MalwareCrush 3.7 Website.lnk
C:\Documents and Settings\HISDUser\Start Menu\Programs\MalwareCrush\MalwareCrush 3.7.lnk
C:\Documents and Settings\HISDUser\Start Menu\Programs\MalwareCrush\Uninstall MalwareCrush 3.7.lnk
C:\Program Files\MalwareCrush
C:\Program Files\MalwareCrush\blacklist.txt
C:\Program Files\MalwareCrush\Lang\English.ini
C:\Program Files\MalwareCrush\MalwareCrush.exe
C:\Program Files\MalwareCrush\MalwareCrush.url
C:\Program Files\MalwareCrush\msvcp71.dll
C:\Program Files\MalwareCrush\msvcr71.dll
C:\Program Files\MalwareCrush\ref.dat
C:\Program Files\MalwareCrush\uninst.exe
C:\WINDOWS\system32\E522512530.dll
C:\WINDOWS\system32\wupeng.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
.

2008-01-10 20:19 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-08 21:26 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-01-08 21:26 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-08 21:26 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-01-08 21:26 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-01-08 21:26 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-08 21:26 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-07 20:32 . 2008-01-07 20:32 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-30 22:44 . 2008-01-08 21:26 3,366 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-30 22:33 . 2007-12-30 22:33 <DIR> d-------- C:\Documents and Settings\HISDUser\Application Data\Grisoft
2007-12-30 22:33 . 2007-12-30 22:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-30 22:33 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-20 15:46 --------- d-----w C:\Documents and Settings\HISDUser\Application Data\dvdcss
2007-11-17 04:21 --------- d-----w C:\Documents and Settings\HISDUser\Application Data\Canon
2007-11-16 02:45 --------- d-----w C:\Program Files\iTunes
2007-11-16 02:45 --------- d-----w C:\Program Files\iPod
2007-11-16 02:44 --------- d-----w C:\Program Files\QuickTime
.

((((((((((((((((((((((((((((( snapshot@2008-01-10_20.25.54.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-11 02:19:40 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-15 02:57:43 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-11 02:19:40 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-15 02:57:43 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-11 02:19:40 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-15 02:57:44 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-11 02:19:40 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-15 02:57:44 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-11 02:19:40 3,239,936 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-15 02:57:44 3,239,936 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-11 02:19:40 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-15 02:57:44 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 02:33 155648]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-15 00:02 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-15 00:02 126976]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 13:59 385024]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 07:04 53248]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 00:01 110592]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 00:05 127035]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 09:37 28672 C:\WINDOWS\system32\nwtray.exe]
"iPrint Tray"="C:\WINDOWS\system32\iprntctl.exe" [2005-06-14 09:46 40960]
"ZENRC Tray Icon"="C:\WINDOWS\system32\zentray.exe" [2005-01-17 10:33 40960]
"Dell Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-15 19:06 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= C:\Program Files\Novell\ZENworks\NalShell.dll [2005-01-25 16:18 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="ziswin.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 15:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
C:\WINDOWS\system32\Novell\XtNotify.dll 2005-01-10 12:36 24576 C:\WINDOWS\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

R1 nipplpt2;Novell iCapture Lpt Redirector 2;C:\WINDOWS\system32\drivers\nipplpt.sys [2005-06-14 09:44]
R2 BlankScr;HBDevice;C:\WINDOWS\system32\drivers\BlankScr.sys [2005-01-17 11:23]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [2004-11-22 12:07]
R2 XTAgent;Novell XTier Agent Services;C:\WINDOWS\System32\Novell\XTAgent.exe [2005-01-10 12:36]
R3 Darpan;Darpan;C:\WINDOWS\system32\DRIVERS\Darpan.sys [2005-01-10 10:37]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86c6eda6-9fec-11db-828e-0013ce556dec}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94d2129c-6920-11dc-8315-0013ce556dec}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-01-14 20:36:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-14 21:03:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\xmlparse.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\Novell\ZENworks\NLS\english\NalUIRes.dll
.
Completion time: 2008-01-14 21:05:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-15 03:04:54
ComboFix2.txt 2008-01-12 03:47:34
ComboFix3.txt 2008-01-11 02:26:31
.
2008-01-09 03:03:50 --- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 9:29:27 PM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.harlandale.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.harlandale.net/proxy/proxy.pac
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\system32\zentray.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://plato1.harlandale.net/pathways/p ... wswaxf.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n035p/EN/install/gtdownlr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 7125425008
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} (PWLNINST Control) - http://plato1.harlandale.net/Pathways/p ... lninst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NetIdentity Notification - C:\WINDOWS\system32\Novell\XtNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe


***The popup is gone, malware 3.7 is still there, but the computer seems to be acting normaly. Should I just delete malware software?
budsker
Regular Member
 
Posts: 15
Joined: January 3rd, 2008, 10:25 pm

Re: smitfraudfix- Please help

Unread postby LDTate » January 15th, 2008, 8:35 am

malware 3.7 is still there
Where does it show that it's still there?
User avatar
LDTate
WTT Teacher
WTT Teacher
 
Posts: 3920
Joined: February 18th, 2005, 8:38 pm
Location: Missouri, USA

Re: smitfraudfix- Please help

Unread postby budsker » January 15th, 2008, 11:23 pm

It was just a shortcut on my desktop. I just deleted it. I believe that malware is gone. Thanks so much for your help. :D
budsker
Regular Member
 
Posts: 15
Joined: January 3rd, 2008, 10:25 pm

Re: smitfraudfix- Please help

Unread postby LDTate » January 15th, 2008, 11:37 pm

Good job :thumbup:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    • Image


    Here's my usual all clean post

    Log looks good :D


    You need to create a new Clean restore point.

    Note: This will remove all previous Restore Points

    Click Start Menu > Run > copy and paste

    %SystemRoot%\System32\restore\rstrui.exe

    Press OK. Choose Create a Restore Point then click Next. Name it (something you'll remember) and click Create, when the confirmation screen shows the restore point has been created click Close.

    Double-click My Computer.
    Click the Tools menu, and then click Folder Options.
    Click the View tab.
    Check "Hide file extensions for known file types."
    Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
    Check "Hide protected operating system files."
    Click Apply, and then click OK.

    • [color="blue"]Make your Internet Explorer more secure[/color] - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        1. Change the Download signed ActiveX controls to Prompt
        2. Change the Download unsigned ActiveX controls to Disable
        3. Change the Initialize and script ActiveX controls not marked as safe to Disable
        4. Change the Installation of desktop items to Prompt
        5. Change the Launching programs and files in an IFRAME to Prompt
        6. Change the Navigate sub-frames across different domains to Prompt
        7. When all these settings have been made, click on the OK button.
        8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    • [color="blue"]Update your AntiVirus Software[/color] - It is imperative that you update your Antivirus software at least once a week
      (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    • [color="blue"]Use a Firewall[/color] - I can not stress how important it is that you use a Firewall on your computer.
      Without a firewall your computer is succeptible to being hacked and taken over.
      I am very serious about this and see it happen almost every day with my clients.
      Simply using a Firewall in its default configuration can lower your risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:
      Note: I no longer suggest Zone Alarm

      [url="http://www.bleepingcomputer.com/forums/tutorial60.html"][color="red"]Understanding and Using Firewalls[/color][/url]

    • [color="blue"]Visit Microsoft's Windows Update Site Frequently[/color] - It is important that you visit [url="http://www.windowsupdate.com"][color="red"]http://www.windowsupdate.com[/color][/url] regularly.
      This will ensure your computer has always the latest security updates available installed on your computer.
      If there are new updates to install, install them immediately, reboot your computer, and revisit the site
      until there are no more critical updates.

    • [color="blue"]Install SpywareBlaster[/color] - SpywareBlaster will add a large list of programs and sites into your Internet Explorer
      settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      [url="http://www.bleepingcomputer.com/forums/tutorial49.html"][color="red"]Using SpywareBlaster to protect your computer from Spyware and Malware[/color][/url]

    • [color="blue"]IE-SPYAD[/color] puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

      [url="http://www.spywarewarrior.com/uiuc/resource.htm"][color="red"]Using IE-SPYAD to help block unwanted sites and activities[/color][/url]

    • [color="blue"]Update all these programs regularly[/color] - Make sure you update all the programs I have listed regularly.
      Without regular updates you WILL NOT be protected when new malicious programs are released.

Only run one Anti-Virus and Firewall program.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein
User avatar
LDTate
WTT Teacher
WTT Teacher
 
Posts: 3920
Joined: February 18th, 2005, 8:38 pm
Location: Missouri, USA

Re: smitfraudfix- Please help

Unread postby NonSuch » January 20th, 2008, 5:19 pm

As this issue appears to be resolved, this topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove

Previous

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 485 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware