Logfile of HijackThis v1.99.1
Scan saved at 3:15:38 AM, on 4/15/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\Matthew\Desktop\FreeRAM XP Pro 1.40.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
E:\Downloads\Fixers\Uptimer4.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\mdm.exe
E:\Downloads\Fixers\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Matthew\Desktop\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1110397666992
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--Story--
I managed to get myself the smitfraud... trojan... malware thing. Anyhow, I noticed it when my desktop went berserk, some Windows popup (or close facsimile) tried to get me to install a 3rd party AV/spyware remover, and most (if not all) of my options were gimped.
I came here, followed the instructions in the 2 longest posts about this subject, and eventually came out on top. Of interesting note, though: Spybot's TeaTimer (the resident helper), ZoneAlarm and WinPatrol worked together to block spoolsrv32.exe (and thun32.dll, as well as a sq-something dll I can't remember) from accessing the internet or starting up with the computer, but all three were loaded by the time Windows ran. Windows start time took about 2 minutes instead of the normal 2-4 seconds.
I want to share this story in case it helps anyone understand the problem. I deleted the C:\wp.exe and C:\wp.bmp on my own, but it didn't help. So I deleted my HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System folder. The entire thing. It allowed me use of my desktop again. Unfortunately I still had the spoolsrv32.exe popup, as well as Windows trying to convince me to use the Secure IGuard software. With my desktop relinquished but my computer still not mine, I first removed Secure IGuard through Add/Remove Programs and deleted it fully. I then used the programs listed in the other thread: lopremover.exe, deldomains.inf, and killbox.exe (in that order, rebooting between each). I managed to remove the pesky files, then ran every single program listed in the downloads section as cleanup. Spybot, AdAware, SpySweeper, AVG, everything. I got a few more hits from SpySweeper about CWS, Vesbiz downloader, and a desktop hijacker (smitfraud?) and learned that my processor goes "Beep beep" when it overheats, then came to this point.
I want to know, am I in the clear now? I'm almost afraid to reboot, because it might come back. Thanks in advance, and I hope my steps to fix this help you guys maybe find a quick fix or write a program or something for those without firewall/startup protection constantly running. No one had mentioned the spoolsrv32.exe, and it was NOT the spoolsrv.exe that Windows XP Home uses, so I felt it deserved mention. Let me know if I'm clean; it will be a weight off my shoulders.
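The poster's key observation is that the malware hid behind a name one letter group away from a real Windows binary (spoolsrv32.exe next to the legitimate print spooler). The script below is an added example, not part of the post and not HijackThis code: it parses a HijackThis 1.99 log in the format shown above, walks the "Running processes" list and the O4 autostart entries, and flags near-miss names against a short list of core Windows XP binaries, core names running from the wrong directory, and anything launched from a user-writable folder. The sample log embeds process and O4 lines from the log above plus one constructed line for spoolsrv32.exe (the post does not say where that file lived; placing it in system32 is an assumption), and the similarity threshold is an assumed value you would tune for your own environment.

```python
"""Triage a HijackThis 1.99 log: parse the 'Running processes' list and the
O4 autostart entries, then flag (a) names that are near-misses of core Windows
binaries, (b) core binary names running from an unexpected directory, and
(c) anything launched from a user-writable folder. Added example; not code
from the post or from HijackThis."""
import re
from difflib import SequenceMatcher

# Core Windows XP binaries and the directory each is expected to run from.
EXPECTED_DIR = {f"{n}.exe": r"c:\windows\system32" for n in
                "smss csrss winlogon services lsass svchost spoolsv mdm".split()}
EXPECTED_DIR.update({"explorer.exe": r"c:\windows",
                     "iexplore.exe": r"c:\program files\internet explorer"})
USER_WRITABLE = ("\\desktop\\", "\\downloads\\", "\\temp\\", "\\local settings\\")
LOOKALIKE_THRESHOLD = 0.8  # assumption: tuned against this log, adjust per site

ENTRY_RE = re.compile(r"^([RFOND]\d+) - (.*)$")
RUN_CMD_RE = re.compile(r'\[(?P<name>[^\]]*)\]\s*"?(?P<exe>[^"]*?\.exe)', re.I)

# Sample log: process and O4 lines taken from the post, plus one CONSTRUCTED
# final process line for the spoolsrv32.exe the poster reported (the post does
# not say where it lived; system32 is an assumption for the demonstration).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\Matthew\Desktop\FreeRAM XP Pro 1.40.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Downloads\Fixers\Uptimer4.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\mdm.exe
E:\Downloads\Fixers\HJT\HijackThis.exe
C:\WINDOWS\system32\spoolsrv32.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Matthew\Desktop\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""


def parse_hjt_log(text):
    """Return (running process paths, [(section, body), ...])."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        m = ENTRY_RE.match(line)
        if m:  # an "O4 - ..." style entry ends the process list
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
    return processes, entries


def check_path(path):
    """Return finding strings for one executable path (empty list = nothing)."""
    d, _, base = path.lower().rpartition("\\")
    findings = []
    if base in EXPECTED_DIR:
        if d != EXPECTED_DIR[base]:
            findings.append(f"{base} runs from {d}, expected {EXPECTED_DIR[base]}")
    else:  # near-miss of a core name, e.g. spoolsrv32.exe vs spoolsv.exe
        for legit in EXPECTED_DIR:
            if SequenceMatcher(None, base, legit).ratio() >= LOOKALIKE_THRESHOLD:
                findings.append(f"{base} is a lookalike of {legit}")
    if any(hint in d + "\\" for hint in USER_WRITABLE):
        findings.append(f"{base} runs from user-writable folder {d}")
    return findings


def triage(text):
    """Return [(source, path, finding), ...] for processes and O4 autostarts."""
    processes, entries = parse_hjt_log(text)
    items = [("process", p) for p in processes]
    for section, body in entries:
        m = RUN_CMD_RE.search(body) if section == "O4" else None
        if m:
            items.append((f"O4:{m.group('name')}", m.group("exe")))
    return [(src, path, f) for src, path in items for f in check_path(path)]


if __name__ == "__main__":
    for src, path, finding in triage(SAMPLE_LOG):
        print(f"{src:<14} {finding}")
```

Run against the sample, the only lookalike hit is the constructed spoolsrv32.exe line (scored against spoolsv.exe), while iexplore.exe is left alone because it is on the known list with its expected directory; the Desktop and Downloads hits (FreeRAM, Uptimer4, HijackThis itself) are review prompts, not verdicts, which is the right posture for a heuristic like this.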