Trojan-Spy.HTML.Smitfraud [RESOLVED]



#46
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Ok, I need you to go to Start > Run - type in:

win.ini

Copy & Paste the notepad here.

Go to Start > Run again - type in:

system.ini

Copy & paste the notepad here.

You've got some nasty viruses...do not do any online banking, use a credit card, try not to log-in to any accounts, etc.
  • 0

#47
joshuageeks6999

joshuageeks6999

    Member

  • Topic Starter
  • Member
  • PipPip
  • 91 posts
okay...i may have to shut down for the night...froze my cc's and bank acct yesterday just to be safe...

still suspect the Paretologic spyware remover i purchased off of the Spywarrior site about 2 weeks ago...

here you are...

win.ini first

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
CMC=1
CMCDLLNAME=mapi.dll
CMCDLLNAME32=mapi32.dll
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo2
asx=MPEGVideo2
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo2
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo2
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo2
wm=MPEGVideo2
wma=MPEGVideo2
wmv=MPEGVideo2
wmx=MPEGVideo2
wvx=MPEGVideo2
wpl=MPEGVideo
[LILACports]
EPS_LPT1:=
EPS_LPT2:=
EPS_LPT3:=


and system.ini

; for 16-bit app support

[drivers]
wave=mmdrv.dll
timer=timer.drv

[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON


i'll check back later, but may sleep....thank you!!!!!!!!!!!!!
night
joshua
  • 0

#48
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
There is actually no reason to follow my previous instructions again. We have already gotten rid of the "smitfraud" infection - we're working on totally different infections now. I need you to follow all of my directions regarding this! On that note, let's [try to] kill these files:

*Double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! I would just copy each file path and paste it in the field):

C:\Documents and Settings\dane\Start Menu\Programs\Startup\netdb.exe
C:\WINDOWS\System32\netdc.exe
C:\WINDOWS\bhoassw.dll
C:\WINDOWS\ibs.exe
C:\WINDOWS\XPsys.exe
C:\MISB.EXE
C:\WINDOWS\stlbd.dll


Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered press the YES button at both prompts so that your computer restarts.
  • 0

#49
joshuageeks6999

joshuageeks6999

    Member

  • Topic Starter
  • Member
  • PipPip
  • 91 posts
Hi, will do...thanks for clarifying...i see what you mean re different infections! Thanks...please let me know if you're moving/shifting this to a new non-smitfraud thread...

...will be back on tonight and do as you request...

...was unable to get on IE this am stated bhoass blocked as before; went to HJT scan and deleted RO, RO, F2, D2 references to obvious problems, then able to use IE...at least a short term way to stay in touch...THANKS AGAIN...Will check in this pm...Joshua
  • 0

#50
joshuageeks6999

joshuageeks6999

    Member

  • Topic Starter
  • Member
  • PipPip
  • 91 posts
Hi, just a courtesy update...on call tonight, unable to work on this...if i don't message by noon thursday, i won't be back until around 10pm sunday...Thank you again! and I look forward to finishing this process...actually, really enjoy your help and your knowledge...makes it "fun"...( I know...you're thinking...'get a life...you call this fun')...joshua
  • 0

#51
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Hey, if I didn't think it was fun, then I wouldn't be doing it! Yep, I'm a "Geek" :tazz:

Michelle ;)

Edited by bananafanafo, 21 April 2005 - 02:36 AM.

  • 0

#52
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
BTW, Thank you for the courtesy update :tazz:
  • 0

#53
joshuageeks6999

joshuageeks6999

    Member

  • Topic Starter
  • Member
  • PipPip
  • 91 posts
Hi, I'm back...bananafanafo, I'll be watching for your response. I've had major challenges even getting on here...had to pull hardware firewall out of system, ran ActiveScan and Cleanup...certainly helped...working thru prior instructions as the system allows.

Here's a new HJT log preceded by the ActiveScan virus log...btw, as i will be bringing up a new system here at home, I'll be able to clean this harddrive and reinstall windows if that seems most appropriate...would rather get it down the hard way first, much more educational!!

...PS I've enjoyed chatting with you here!!! :tazz: ....but I just saw your photo on your profile ;) ;) ....too bad texas is not on the same planet...joshua
  • 0

#54
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
;) Thanks Joshua ;)

I think you got sidetracked and forgot to post your log :tazz:

I'll be watching for them :)
  • 0

#55
joshuageeks6999

joshuageeks6999

    Member

  • Topic Starter
  • Member
  • PipPip
  • 91 posts
...and here's the logs as of 4/25/05 11:30am seattle time...

win.ini, system.ini, ActiveScan, and HJT

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
CMC=1
CMCDLLNAME=mapi.dll
CMCDLLNAME32=mapi32.dll
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo2
asx=MPEGVideo2
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo2
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo2
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo2
wm=MPEGVideo2
wma=MPEGVideo2
wmv=MPEGVideo2
wmx=MPEGVideo2
wvx=MPEGVideo2
wpl=MPEGVideo
[LILACports]
EPS_LPT1:=
EPS_LPT2:=
EPS_LPT3:=


******************

; for 16-bit app support

[drivers]
wave=mmdrv.dll
timer=timer.drv

[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON


******************


Incident Status Location

Virus:Trj/StartPage.NA Disinfected Operating system
Spyware:Spyware/Heterofind No disinfected C:\spe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\seksdialer.exe
Virus:Trj/StartPage.NA Disinfected Operating system
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\toolbar.exe
Virus:Trj/Trexe.A Disinfected Operating system
Adware:Adware/Delta No disinfected Windows Registry
Virus:Bck/Dumador.O Disinfected Operating system
Adware:Adware/Hotoffers No disinfected C:\WINDOWS\System32\SEARCHDLL.DLL
Adware:Adware/Spywad No disinfected C:\WINDOWS\ms2.exe
Adware:Adware/BlueScreenWarningNo disinfected Windows Registry
Virus:Trj/Agent.OM Disinfected Personal Folders\Sent Items\geeks..smitfraud trojan \wp.zip[wp.exe]
Virus:Exploit/URLSpoof Disinfected C:\Documents and Settings\dane\Local Settings\Temporary Internet Files\Content.IE5\0P6705Q3\%68%70[1][Content]
Virus:Exploit/URLSpoof Disinfected C:\Documents and Settings\dane\Local Settings\Temporary Internet Files\Content.IE5\291YNE54\%68%70[1]
Virus:Trj/Dropper.GC Disinfected C:\Documents and Settings\dane\Local Settings\Temporary Internet Files\Content.IE5\58835LKX\winupdate45458101[1].exe
Virus:Exploit/LoadImage Disinfected C:\Documents and Settings\dane\Local Settings\Temporary Internet Files\Content.IE5\APTERAXK\sploit[1].anr
Virus:Exploit/LoadImage Disinfected C:\Documents and Settings\dane\Local Settings\Temporary Internet Files\Content.IE5\LDXVOUNT\555[1].ani
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\dane\Local Settings\Temporary Internet Files\Content.IE5\LDXVOUNT\mtrslib2[1].js
Virus:Trj/Relink.A Disinfected C:\Documents and Settings\dane\Local Settings\Temporary Internet Files\Content.IE5\LRQJ8OV6\dir31320646[1].htm
Virus:Exploit/LoadImage Disinfected C:\Documents and Settings\dane\Local Settings\Temporary Internet Files\Content.IE5\LRQJ8OV6\ifect[1].anr
Virus:Exploit/URLSpoof Disinfected C:\Documents and Settings\dane\Local Settings\Temporary Internet Files\Content.IE5\LX0J5IZ9\%68%70[1][Content]
Virus:Trj/Downloader.AME Disinfected C:\Documents and Settings\dane\Local Settings\Temporary Internet Files\Content.IE5\LX0J5IZ9\zaebalinah[1].exe
Adware:Adware/StartPage.ABA No disinfected C:\Documents and Settings\dane\Local Settings\Temporary Internet Files\Content.IE5\MLNGTG3M\up8[1].txt
Virus:Exploit/LoadImage Disinfected C:\Documents and Settings\dane\Local Settings\Temporary Internet Files\Content.IE5\UF67IV6Z\555[1].ani
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\dane\Local Settings\Temporary Internet Files\Content.IE5\UF67IV6Z\js[1].htm
Virus:Trj/Downloader.BOG Disinfected C:\Documents and Settings\dane\Local Settings\Temporary Internet Files\Content.IE5\W5CN870R\win32[1].exe
Virus:Trj/Dropper.GC Disinfected C:\Documents and Settings\dane\Local Settings\Temporary Internet Files\Content.IE5\ZAK3V5OT\winupdate50901410[1].exe
Adware:Adware/Wow No disinfected C:\Documents and Settings\patty\Local Settings\Temp\fdil.dat
Adware:Adware/SearchBar No disinfected C:\Documents and Settings\patty\Local Settings\Temp\WWWTBar.dll
Adware:Adware/CWS.Searchmeup No disinfected C:\new.exe
Virus:VBS/Inor.AF Renamed C:\ntdetect.hta
Virus:Trj/Multidropper.CX Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\3C1A4E1D-B1B8-440F-B196-1FD98B.asq
Virus:Trj/Multidropper.CX Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\4C7957F6-D379-4AB2-B078-2A4161.asq
Virus:Trj/Multidropper.CX Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\A6862C20-1F1B-4B31-B067-AB0C58.asq
Virus:Trj/Multidropper.CX Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\E2B685F5-820A-41A5-9E2D-15D664.asq
Virus:Trj/Downloader.AMC Disinfected C:\RECYCLER\S-1-5-21-3133878665-3290079477-1788334251-1003\Dc42.exe
Virus:Trj/Downloader.AME Disinfected C:\RECYCLER\S-1-5-21-3133878665-3290079477-1788334251-1003\Dc43.exe
Virus:Trj/Multidropper.CX Disinfected C:\RECYCLER\xxx\Dc53\Dc51\S-1-5-21-3133878665-3290079477-1788334251-1003\Dc49\S-1-5-21-3133878665-3290079477-1788334251-1003\Dc21\Dc15.exe
Adware:Adware/StatBlaster No disinfected C:\RECYCLER\xxx\Dc53\Dc51\S-1-5-21-3133878665-3290079477-1788334251-1003\Dc49\S-1-5-21-3133878665-3290079477-1788334251-1003\Dc21\Dc21\UGG1Av6.exe
Spyware:Spyware/Heterofind No disinfected C:\spe\start.chm
Virus:Trj/StartPage.NA Disinfected C:\WINDOWS\bhoass.dll
Adware:Adware/StartPage.ABA No disinfected C:\WINDOWS\bhoassw.dll
Adware:Adware/Exex No disinfected C:\WINDOWS\jsconsole.dll
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\ms1.exe
Adware:Adware/Spywad No disinfected C:\WINDOWS\ms2.exe
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\ms3.exe
Virus:Trj/StartPage.JW Disinfected C:\WINDOWS\remove_me.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\seksdialer.exe
Virus:Trj/Multidropper.CX Disinfected C:\WINDOWS\system32\notepad.com
Adware:Adware/GloboSearch No disinfected C:\WINDOWS\system32\popup_bl.dll
Virus:Trj/Downloader.BCK Disinfected C:\WINDOWS\system32\searchdll.dll
Adware:Adware/GloboSearch No disinfected C:\WINDOWS\system32\systr.OLD
Adware:Adware/SearchBar No disinfected C:\WINDOWS\system32\WWWTBar.dll
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\tool.exe
Virus:Trj/Downloader.KC Disinfected C:\WINDOWS\toolbar.exe
Adware:Adware/SearchBar No disinfected C:\WINDOWS\WWWTBar.dll
Virus:Trj/Downloader.AMC Disinfected C:\WINDOWS\XPsys.exe
Virus:Trj/DialerDrop.A Disinfected C:\winhelp.chm
*************************

Logfile of HijackThis v1.99.1
Scan saved at 11:36:00 AM, on 4/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\dane\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Microsoft® JavaScript® Console - {F1C82202-A967-4244-A191-441F2D029901} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {F1C82202-A967-4244-A191-441F2D029901} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O13 - WWW. Prefix: http://
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:...va/cfs31229.cab
O16 - DPF: ConferenceRoom Java Client - http://chat.privatef...000/java/cr.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24....es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D6C6BBA-79AC-4A08-B60D-280829FFE112}: NameServer = 207.115.64.2,207.115.64.3
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe



Thanks again!!!.....you did remind me not to do any online banking etc., so i haven't yet used the pay system here...AND I KNOW THAT YOU'RE SAYING THAT I DON'T NEED TO DONATE ANYTHING..GOT THAT...but would still like to know what sort of donation range has felt appropriate for you in the past...if you don't mind...joshua
  • 0

#56
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Well, Joshua, you're in luck! Since you last posted another staff member posted about an awesome program (Ewido Security Suite)... So we're going to kill "no disinfected files" from ActiveScan, then run that program. I will be right back!!
  • 0

#57
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
I need you to copy all of these instructions and paste them into a notepad and save it for use while in safe mode.

1) Please download the Killbox. *This is a new version that I need you to download.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing CTRL + C:

C:\spe
C:\WINDOWS\seksdialer.exe
C:\WINDOWS\toolbar.exe
C:\WINDOWS\System32\SEARCHDLL.DLL
C:\WINDOWS\ms2.exe
C:\Documents and Settings\dane\Local Settings\Temporary Internet Files\Content.IE5\LDXVOUNT\mtrslib2[1].js
C:\Documents and Settings\dane\Local Settings\Temporary Internet Files\Content.IE5\MLNGTG3M\up8[1].txt
C:\Documents and Settings\dane\Local Settings\Temporary Internet Files\Content.IE5\UF67IV6Z\js[1].htm
C:\Documents and Settings\patty\Local Settings\Temp\fdil.dat
C:\Documents and Settings\patty\Local Settings\Temp\WWWTBar.dll
C:\new.exe
C:\ntdetect.hta
C:\RECYCLER\xxx\Dc53\Dc51\S-1-5-21-3133878665-3290079477-1788334251-1003\Dc49\S-1-5-21-3133878665-3290079477-1788334251-1003\Dc21\Dc21\UGG1Av6.exe
C:\spe\start.chm
C:\WINDOWS\bhoassw.dll
C:\WINDOWS\jsconsole.dll
C:\WINDOWS\ms1.exe
C:\WINDOWS\ms2.exe
C:\WINDOWS\ms3.exe
C:\WINDOWS\seksdialer.exe
C:\WINDOWS\system32\popup_bl.dll
C:\WINDOWS\system32\systr.OLD
C:\WINDOWS\system32\WWWTBar.dll
C:\WINDOWS\tool.exe
C:\WINDOWS\WWWTBar.dll


6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Let the system reboot then follow these instructions:

Please download Ewido Security Suite, install it, then be sure to update it (it won't scan until it's updated). Let it scan your computer (it may take a little while). Post the results from the scan, along with a new HiJackThis log.

Edited by bananafanafo, 25 April 2005 - 01:13 PM.

  • 0
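The Killbox list in post #57 was built by hand from the ActiveScan report in post #55: every entry the scanner could not disinfect, with registry and "Operating system" hits left out because there is no file to delete. The following is an added example (not from this thread, and not part of Panda ActiveScan or Killbox) that does that selection mechanically. It parses the "Incident Status Location" format as posted, treats anything not marked "Disinfected" (including "Renamed", which is how C:\ntdetect.hta ended up on the list) as still needing action, deduplicates paths the scanner reported twice (seksdialer.exe and ms2.exe appear twice in the thread's list), and routes non-file locations to a manual-review list. The sample report embedded below is a constructed excerpt of the thread's own lines, including one line where extraction glued the status to the name.

```python
"""Triage a Panda ActiveScan report into a Killbox-style delete list.

Added example (not from the thread or from Panda/Killbox). It parses the
"Incident Status Location" report format and separates what the scanner
already handled from what still needs the helper's attention.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One report line: "<Category:Name> <Status> <Location>". The status word
# is the only reliable delimiter, and extraction sometimes glues it to
# the name ("BlueScreenWarningNo disinfected"), so the name match is
# non-greedy and the whitespace before the status is optional.
LINE_RE = re.compile(
    r"^(?P<name>\S+?)\s*(?P<status>No disinfected|Disinfected|Renamed)\s+(?P<location>.+?)\s*$"
)
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass(frozen=True)
class Finding:
    name: str      # e.g. "Adware:Adware/SuperSpider"
    status: str    # "Disinfected", "No disinfected" or "Renamed"
    location: str  # file path, "Windows Registry", "Operating system", ...


def parse_activescan(report: str) -> list[Finding]:
    """Return one Finding per report line; header and blank lines are skipped."""
    findings = []
    for raw in report.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            findings.append(Finding(m["name"], m["status"], m["location"]))
    return findings


def triage(report: str) -> dict[str, list]:
    """Split the report into a delete-on-reboot list and a manual-review list.

    Anything the scanner did not mark "Disinfected" still needs action.
    File-system locations go to the delete list (deduplicated
    case-insensitively, as Windows paths are); registry or
    "Operating system" hits have no file to delete and are listed for
    manual review instead.
    """
    delete_on_reboot: list[str] = []
    manual_review: list[tuple[str, str]] = []
    seen: set[str] = set()
    for f in parse_activescan(report):
        if f.status == "Disinfected":
            continue
        if DRIVE_PATH_RE.match(f.location):
            key = f.location.lower()
            if key not in seen:
                seen.add(key)
                delete_on_reboot.append(f.location)
        else:
            manual_review.append((f.name, f.location))
    return {"delete_on_reboot": delete_on_reboot, "manual_review": manual_review}


# Constructed sample: a handful of lines copied from the ActiveScan report
# in the thread, including one duplicate and one glued status word.
SAMPLE_REPORT = r"""
Incident Status Location

Virus:Trj/StartPage.NA Disinfected Operating system
Spyware:Spyware/Heterofind No disinfected C:\spe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\seksdialer.exe
Adware:Adware/Delta No disinfected Windows Registry
Adware:Adware/BlueScreenWarningNo disinfected Windows Registry
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\dane\Local Settings\Temporary Internet Files\Content.IE5\LDXVOUNT\mtrslib2[1].js
Virus:VBS/Inor.AF Renamed C:\ntdetect.hta
Virus:Trj/Multidropper.CX Disinfected C:\WINDOWS\system32\notepad.com
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\seksdialer.exe
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("Paste into Killbox (Delete on Reboot):")
    for path in result["delete_on_reboot"]:
        print("  " + path)
    print("Needs manual review:")
    for name, where in result["manual_review"]:
        print(f"  {name} in {where}")
```

Run it on the full report pasted in post #55 and the delete list matches the one in post #57 minus the duplicates; the registry-only hits (Adware/Delta, Adware/BlueScreenWarning) come out in the manual-review list, which is where a follow-up HijackThis log, rather than a file deletion, is the right next step.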

#58
joshuageeks6999

joshuageeks6999

    Member

  • Topic Starter
  • Member
  • PipPip
  • 91 posts
Looks good...butttt.... I ran the new Killbox version with the clipboard entries from your list. Downloaded Ewido from your link, however, it will not update unless i purchase the Online Copy...did you intend that? I reach the screen where it says Start Update but when i click on that, it responds Connection could not be found.

joshua

here's the new HJT log

Logfile of HijackThis v1.99.1
Scan saved at 1:14:04 PM, on 4/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Documents and Settings\dane\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Microsoft® JavaScript® Console - {F1C82202-A967-4244-A191-441F2D029901} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {F1C82202-A967-4244-A191-441F2D029901} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O13 - WWW. Prefix: http://
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:...va/cfs31229.cab
O16 - DPF: ConferenceRoom Java Client - http://chat.privatef...000/java/cr.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24....es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D6C6BBA-79AC-4A08-B60D-280829FFE112}: NameServer = 207.115.64.2,207.115.64.3
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
  • 0
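Posts #55 and #58 carry two HijackThis logs taken about two hours apart, before and after the Killbox run and the Ewido install. The helper reads them by eye to see what changed; the following added example (not from this thread and not part of HijackThis) does the comparison mechanically. It parses the "Running processes:" block and the R/F/N/O item lines, folds process paths to lower case so that explorer.exe and Explorer.EXE are not reported as a change, and reports what appeared and what disappeared. The two sample logs embedded below are constructed excerpts of the thread's own logs, trimmed to a few lines each.

```python
"""Diff two HijackThis logs taken before and after a remediation step.

Added example, not part of the thread or of HijackThis. Comparing the
logs mechanically shows exactly what appeared or vanished between steps.
"""
from __future__ import annotations

import re

# HJT item lines look like "O23 - Service: ..." or "R0 - HKCU\...". The
# header lines (Logfile of..., Platform:...) do not match this pattern.
ITEM_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")


def parse_hjt(log: str) -> dict[str, set[str]]:
    """Return the running-process paths (case-folded) and the item lines."""
    processes: set[str] = set()
    items: set[str] = set()
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # the blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes:
            # Windows paths are case-insensitive; "explorer.exe" and
            # "Explorer.EXE" are the same process image.
            processes.add(line.lower())
        elif ITEM_RE.match(line):
            items.add(line)
    return {"processes": processes, "items": items}


def items_with_code(log: str, code: str) -> list[str]:
    """All item lines of one HJT category, e.g. "O23" for services."""
    return sorted(
        line for line in parse_hjt(log)["items"]
        if ITEM_RE.match(line)["code"] == code
    )


def diff_hjt(before: str, after: str) -> dict[str, list[str]]:
    """What appeared and what disappeared between two logs."""
    b, a = parse_hjt(before), parse_hjt(after)
    return {
        "processes_added": sorted(a["processes"] - b["processes"]),
        "processes_gone": sorted(b["processes"] - a["processes"]),
        "items_added": sorted(a["items"] - b["items"]),
        "items_gone": sorted(b["items"] - a["items"]),
    }


# Constructed samples: short excerpts of the two logs posted in the thread.
HJT_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 11:36:00 AM, on 4/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spyware Doctor\swdoctor.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

HJT_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 1:14:04 PM, on 4/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\ewido\security suite\ewidoguard.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

if __name__ == "__main__":
    for section, lines in diff_hjt(HJT_BEFORE, HJT_AFTER).items():
        print(section + ":")
        for line in lines:
            print("  " + line)
```

On the full logs the only differences are the two ewido processes and their two O23 services, which is the expected footprint of the install and confirms that the Killbox step did not remove anything HijackThis was tracking (the deleted files were never in the O4 or O23 lists to begin with).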

#59
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
hmmm, no you shouldn't have to purchase anything. It's a free 14 day trial of the plus version, then after that 14 days, you have the freeware version that you can use an unlimited amount.
  • 0

#60
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Open Ewido (click on the big yellow e), click on "Scanner" on the left hand side, then click "Start" and see if it will let you - it will probably prompt you to update. I've downloaded this program myself and you don't have to purchase to update it.

Edited by bananafanafo, 25 April 2005 - 02:47 PM.

  • 0





