Ive been having loads of trouble with trojans recently, I seem to have been bombarded with them in the last week. So far I always managed to get rid of them, but now Im stuck
Basically today "Trojan-Spy.HTML.Smitfraud.c" hit me, changing my desktop background and starting up lots of popups. Then also, before I even booted up Windows, the words " YOU FAILED" came out of my speakers... spooky...
anyhoo, so far Ive downloaded adware away, ad-aware and spybot and ive managed to stop the pop-ups (had to delete helper.exe and popuper.exe from WINDOWS/system32/)... what remains is the problem that I cant change my desktop background - the options tab for backgrounds just isnt there anymore...
HijackThis gives me this:
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
And Ad-Aware complains about: "HKEY_LOCAL_MACHINE:software\microsoft\windows nt\currentversion\winlogon"Shell" (explorer.exe, msmsgs.exe) - Shell Possibly Compromised
Can anyone help me with this? Would it help if I got these files from someone else who is not infected and just overwrite my own?
Any help would be greatly appreciated!
Cheers Dave
Logfile of HijackThis v1.99.1
Scan saved at 22:41:38, on 12/04/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
C:\WINDOWS\System32\sesinetd.exe
C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
C:\WINDOWS\System32\hserver.exe
C:\Program Files\Pixar\license-1.0\lmgrd.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\taskmgr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\David\Desktop\HijackThis\HijackThis.exe
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -off
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24....es/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey®) - https://netbank.dans...B/e-Safekey.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javahk.exe (file missing)
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "C:\Program Files\Alias\Maya6.0\docs/Wrapper.conf (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Alias Wavefront Help Server (AWHelpServer) - Unknown owner - C:\Program Files\AliasWavefront\Maya5.0\docs\Wrapper.exe" -s "C:\Program Files\AliasWavefront\Maya5.0\docs/Wrapper.conf (file missing)
O23 - Service: Houdini License Server (HoudiniLicenseServer) - Side Effects Software Inc. - C:\WINDOWS\System32\sesinetd.exe
O23 - Service: Houdini License Client (HoudiniServer) - Side Effects Software Inc. - C:\WINDOWS\System32\hserver.exe
O23 - Service: Pixar Alfred Server 2.5 - Unknown owner - C:\Program Files\Pixar\alfserver-2.5\alfserver.exe
O23 - Service: Pixar License Server - GLOBEtrotter Software Inc. - C:\Program Files\Pixar\license-1.0\lmgrd.exe
O23 - Service: Pixar Maitre-D Server 5.5 - Unknown owner - C:\Program Files\Pixar\rat-5.5\bin\alfcmdline.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe