- Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Code:
File::
C:\WINDOWS\system32\dwvtxswo.dll
C:\WINDOWS\system32\ursrqrs.dll
C:\WINDOWS\system32\bkkuocph.dll
C:\Documents and Settings\All Users\Application Data\yfudmjyz.dll
C:\WINDOWS\system32\jkhff.dll
Folder::
C:\Program Files\Zjqruxcm
C:\Program Files\Ultimate Defender
C:\Program Files\rafyfips
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{08C525F4-2EBD-396D-B12A-005661A8CF95}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f5e1597e-dc1f-49c8-b76b-97d64b7e3fbd}]
[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ursrqrs]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwsa32]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ultimate Defender]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wfshalml]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yfudmjyz]
- Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.

- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log.
CAUTION: Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.
Once done, please download SmitfraudFix (by S!Ri).
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
Select option #1 - Search by typing 1 and press Enter; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a RiskTool; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between good and malicious use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
Please post:
- The ComboFix log
- The Smitfraudfix log
- A new HijackThis log