My PC has been hijacked

brylyn

Please help! I'm an IMAC user and now have a PC so it's a little
different here with all this spyware/virus, etc. My IE won't go to
home page, or any other page, except advertisement of virus. A friend
informed me it sounded like I needed to run smitfraud and post along
with HJT log, but she wasn't sure what to have HJT log to delete,
sooooooooooo, here it is. If someone can look at the logs and advise
as to what to do, I'd be greatly indebted and will also learn something
valuable about a PC.
Here is the smitfraud and I'll second post the HJT log due to length.


SmitFraudFix v2.219

Scan done at 20:41:54.43, Tue 09/04/2007
Run from C:\Documents and Settings\Cathy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2810EB22-763D-4D0C-9450-64BBD1758685}
DhcpNameServer=85.255.115.237,85.255.112.78
HKLM\SYSTEM\CCS\Services\Tcpip\..\{472B0471-F6ED-4547-BDCC-0F16999180DE}
DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\..\{472B0471-F6ED-4547-BDCC-0F16999180DE}
NameServer=85.255.115.237,85.255.112.78
HKLM\SYSTEM\CCS\Services\Tcpip\..\{6A28DDAF-CB79-487A-9577-E3F0E8D06622}
DhcpNameServer=85.255.115.237,85.255.112.78
HKLM\SYSTEM\CCS\Services\Tcpip\..\{6A28DDAF-CB79-487A-9577-E3F0E8D06622}
NameServer=85.255.115.237,85.255.112.78
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2810EB22-763D-4D0C-9450-64BBD1758685}
DhcpNameServer=85.255.115.237,85.255.112.78
HKLM\SYSTEM\CS1\Services\Tcpip\..\{472B0471-F6ED-4547-BDCC-0F16999180DE}
DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{472B0471-F6ED-4547-BDCC-0F16999180DE}
NameServer=85.255.115.237,85.255.112.78
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6A28DDAF-CB79-487A-9577-E3F0E8D06622}
DhcpNameServer=85.255.115.237,85.255.112.78
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6A28DDAF-CB79-487A-9577-E3F0E8D06622}
NameServer=85.255.115.237,85.255.112.78
HKLM\SYSTEM\CS3\Services\Tcpip\..\{2810EB22-763D-4D0C-9450-64BBD1758685}
DhcpNameServer=85.255.115.237,85.255.112.78
HKLM\SYSTEM\CS3\Services\Tcpip\..\{472B0471-F6ED-4547-BDCC-0F16999180DE}
DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{472B0471-F6ED-4547-BDCC-0F16999180DE}
NameServer=85.255.115.237,85.255.112.78
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.25
192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.115.23
85.255.112.78
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.25
192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.115.23
85.255.112.78
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.25
192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=85.255.115.23
85.255.112.78


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Window
NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning not selected.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» En
 
Guest

brylyn said:
Please help! I'm an IMAC user and now have a PC so it's a little
different here with all this spyware/virus, etc. My IE won't go to
home page, or any other page, except advertisement of virus. A friend
informed me it sounded like I needed to run smitfraud and post along
with HJT log, but she wasn't sure what to have HJT log to delete,
sooooooooooo, here it is. If someone can look at the logs and advise
as to what to do, I'd be greatly indebted and will also learn something
valuable about a PC.
Here is the smitfraud and I'll second post the HJT log due to length.


SmitFraudFix v2.219

Scan done at 20:41:54.43, Tue 09/04/2007
Run from C:\Documents and Settings\Cathy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

Please don't surf the internet until you have got this sorted, and try to unplug
the phone line when you are not connected; you have a severe infection and some
diallers!
Go through these cleaning steps to see or get a clear opinion on how
clean your machine is:
= Click Start >> Control Panel>>Network and Internet Connections >> Double
click Internet Options.
On the IE properties windows you will see these Tabs:
General | Security | Privacy | Content | Connections | Programs |
Advanced.
Under General Tab clear your History, Internet Files and Cookies.
Then click on Advanced tab and scroll down to under the Browsing Option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.
[ ] Disable script Debugging (internet Explorer) <= check this box
[ ] Disable Script Debugging (Other) <= check this box

Then click on Programs Tab and click Manage Add-Ons and disable all non
Verified Add-Ons (you should re-enable them later one-by-one and see the
culprit and update it or remove it).

2.... And also for malware from here:
http://onecare.live.com/site/en-gb/default.htm?s_cid=sah
http://onecare.live.com/standard/en-gb/default.htm

Run a scan from here on-line:
http://www.sophos.com
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
Download Avast Cleaner from here:
http://www.avast.com/eng/avast-virus-cleaner.html
Lots of tools to download and disinfect your machine:
http://www.bitdefender.co.uk/site/Downloads/browseFreeRemovalTool/
http://free.grisoft.com/doc/5390/lng/us/tpl/v5
=How to perform a clean boot procedure to prevent background programs from
interfering with a game or a program that you currently use
http://support.microsoft.com/kb/331796
Download the FileMon to see the Running Processes in realtime from here:
http://www.microsoft.com/technet/sysinternals/utilities/filemon.mspx
Or Process Explorer :
http://www.microsoft.com/technet/sysinternals/Processesandthreadsutilities.mspx

Download HijackThis and send the report to one of many
forums for analysis and troubleshooting:
When all else fails, HijackThis v2.0.2
(http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php) is
the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. Post
your log to:
http://www.spywareinfo.com/~merijn/downloads.html
http://aumha.net/viewforum.php?f=30,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7
http://www.bleepingcomputer.com/tutorials/tutorial42.html
http://www.bleepingcomputer.com/forums/
http://forums.whatthetech.com/forums.html
http://www.security-forums.com/viewforum.php?f=48
http://www.virusvault.co.uk/fusionbb/showforum.php?fid/15/
http://www.lavasoftsupport.com/index.php?showforum=36
http://forums.techguy.org/54-malware-removal-hijackthis-logs/
Or other appropriate forums for expert analysis, not here.
HTH.
nass
 
