Hi, anything on here look like it shouldn't be present?

Thanks in advance.

Attached Files

hijackthis 1406.txt (6.7 KB, 1 views)

Hello.

It seems that you have SpyMarshal installed on your computer. It is a rogue anti-spyware program that comes bundled with malware, hijacks your DNS settings, displays fake alerts all as a scare tactic to have you purchase the commercial version of this software. It may also comes bundled with a rootkit, which further complicates the issue at hand.


First of all, go to Control Panel > Add/Remove Programs and remove:
SpyMarshal

Follow through the prompts and reboot after the uninstallation.

Next download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply, and we'll take it from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Hi, Spymarshal wasn't on add/remove programmes. I looked on crogramme files and there was a folder there for it but it was empty, so i just deleted the folder.

Here's my smitfraud file.

Cheers.

Attached Files

rapport1406.txt (4.6 KB, 1 views)

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, a menu with options should appear;
• Select the first option, to run Windows in Safe Mode, then press "Enter".
• Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".


The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer may remove your Desktop background.

Hi, rapport and hjt reports attached.

Is 'O17 - HKLM\System\CCS\Services\Tcpip\..\{AB0843CA-7302-4C54-ADF0-1A3DB340A055}: NameServer = 194.72.0.114 62.6.40.162' a spurious one?

Also, when I logged back in after the smitfraud fix, my home page had changed from Google to msn.

Attached Files

	rapport1606.txt (2.5 KB, 2 views)
	hijackthis1606.txt (6.8 KB, 2 views)

Your HijackThis log appears clean, including that 017 entry you brought up.

Do you still have SuperAntiSpyware from before? Run a new scan with it and post the log in your next reply. That will take care of anything that HijackThis misses.