Quote:
|
Alrighty, all completed except the Smitfraudfix, which couldn't run. It gave me an error that said process.exe has been removed. I thought I noticed this exe removed with Dr.Web CureIt.
|
This is a note from the author of Smitfraudfix:
Quote:
process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consultin...rocessutil.htm
|
Please restore the file, process.exe from DrWeb's quarantine folder; located here:
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\Process.exe
Place it back into the Smitfraudfix folder & run the tool whilst in Normal mode. We have already taken a sizable chunk out from the infection. Running it from normal mode should suffice.
* * * * * * * * * *
Then have Hijackthis fix these:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINNT\system32\ixt0.dll (file missing)
O4 - HKLM\..\Run: [hjkamga] c:\winnt\system32\hjkamga.exe
O20 - AppInit_DLLs:
O20 - Winlogon Notify: winmmt32 - winmmt32.dll (file missing)
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)
* * * * * * * * * *
Download & run this attachment -
sUBs001.zip
We should get another log from it.
* * * * * * * * * *
For your next reply, I shall also require:
1. Fresh HJT log
2. Rapport.txt
3. Fresh combofix log
How is the machine behaving now? Should be very much better.
__________________
Question - what have you done for the community today?
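An added example, not part of the original post and not code from HijackThis: a small triage parser for entries like the ones in the fix list above, showing what each section code covers, which redirect host the R entries share, and which entries point at files that are already gone. The function names and the `odd_svchost` check are this example's own; the sample lines are copied from the post.

```python
import re
from collections import Counter

# Section codes used in the post, with HijackThis's usual meaning for each.
SECTIONS = {
    "R0": "IE start/search page URL",
    "R1": "IE start/search page URL",
    "O2": "Browser Helper Object",
    "O4": "autostart (Run key)",
    "O20": "AppInit_DLLs / Winlogon Notify",
    "O23": "Windows service",
}

# Entries copied from the fix list in the post (a subset).
SAMPLE = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=",
    r"O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINNT\system32\ixt0.dll (file missing)",
    r"O4 - HKLM\..\Run: [hjkamga] c:\winnt\system32\hjkamga.exe",
    r"O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)",
]

def parse_line(line):
    m = re.match(r"^([A-Z]\d+) - (.*)$", line.strip())
    if not m:
        return None
    code, rest = m.groups()
    # R entries: the value after ' = ' is a URL, with or without a scheme
    h = re.search(r" = (?:https?://)?([^/\s]+)", rest) if code.startswith("R") else None
    p = re.search(r"[A-Za-z]:\\[^()]*?\.(?:dll|exe)", rest, re.I)
    path = p.group(0).lower() if p else None
    return {
        "code": code,
        "category": SECTIONS.get(code, "other"),
        "host": h.group(1).lower() if h else None,
        "path": path,
        # HijackThis appends "(file missing)" when the target is no longer on disk
        "orphaned": rest.endswith("(file missing)"),
        # the genuine svchost.exe lives in the system32 directory
        "odd_svchost": bool(path) and path.endswith("\\svchost.exe") and "\\system32\\" not in path,
    }

def summarize(lines):
    entries = [e for e in map(parse_line, lines) if e]
    return {
        "by_category": Counter(e["category"] for e in entries),
        "hosts": sorted({e["host"] for e in entries if e["host"]}),
        "orphaned": [e["code"] for e in entries if e["orphaned"]],
        "odd_svchost": [e["path"] for e in entries if e["odd_svchost"]],
    }
```

Calling `summarize(SAMPLE)` groups the entries by section, so the orphaned registry leftovers can be told apart from the one entry (`O4`) whose file is still present.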