Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Smitfraud - Help[CLOSED]

Started by fixmenow , Apr 17 2005 03:43 PM

This topic is locked

#16
Michelle

Posted 21 April 2005 - 09:41 AM

Malware Removal Goddess

Retired Staff
8,928 posts

Then, reboot into Safe Mode. And locate these items with Windows Explorer, and delete them manually (this way we can get rid of them without having to use Killbox):

C:\Windows\popuper.exe
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\Log Files

And don't forget to delete the zipped folders you made of each of them!

Post a new HiJackThis log.

#17
fixmenow

Posted 21 April 2005 - 07:24 PM

Member

Topic Starter
Member
21 posts

Ok, followed you instructions. It seems I can't run HiJack unless I am in safe mode. As will Killbox the program is running in processes but it never comes up on screen. I ran it in safe and followed your list with Fix Checked. Set up Unreg.bat a few times and this is the message I get.

Regsvr32
Loadlibrary("C:\windows\system\BHOmod.dll")Failed - The specific module could not be found.

Logfile of HijackThis v1.99.1
Scan saved at 9:06:52 PM, on 4/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\Explorer.EXE
C:\Download\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmaid.com/bar/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmai...earch.php?qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmaid.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmaid.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmai...earch.php?qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchmaid.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe -onreboot
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://ramc.mlxchang...ectComboBox.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.a...77/mcinsctl.cab
O16 - DPF: {63BE9F48-B516-11D1-87CD-00A02476EC4D} (Labelselector Control) - http://rmls.rexplorer.net/rex$rea/cab/LabelSelector.cab
O16 - DPF: {6B1B6D11-E497-11D3-BE0C-005004AD2E83} (ImageStation Home Printing Control) - http://www.imagestat...rintActiveX.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://ramc.mlxchang...ClientUtils.cab
O16 - DPF: {845A8B24-D89F-11D1-9DA4-0080C885B976} (Galaxy PrintDC Class) - http://rmls.rexplorer.net/rex$rea/cab/Galaxy.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.taxsimple...TSWeb/msrdp.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.a...,18/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...1.10/ttinst.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://hpeapps.doh.s...tivexviewer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe

#18
fixmenow

Posted 21 April 2005 - 07:26 PM

Member

Topic Starter
Member
21 posts

Also, All my trouble seem to start when www.searchmaid.com took over my browser home page. I cannot get rid of it!

#19
Michelle

Posted 21 April 2005 - 07:30 PM

Malware Removal Goddess

Retired Staff
8,928 posts

The message from the unreg means it was no longer there which is great! Were you able to delete the files manually?

#20
fixmenow

Posted 21 April 2005 - 07:59 PM

Member

Topic Starter
Member
21 posts

Yes, I deleted the files. Did not see the second page to your post so the HJ log is prior to deleting of files. System seems to be running a faster now! Do you want a fresh log?

#21
Michelle

Posted 21 April 2005 - 07:59 PM

Malware Removal Goddess

Retired Staff
8,928 posts

Did you follow my previous instructions for going into Add/remove programs and removing SearchMaid along with the other 2 programs?

#22
Michelle

Posted 21 April 2005 - 08:00 PM

Malware Removal Goddess

Retired Staff
8,928 posts

Yes, please :tazz:

#23
fixmenow

Posted 21 April 2005 - 08:03 PM

Member

Topic Starter
Member
21 posts

I did but did not see Searchmaid even after I set up to view hidden files as you had instructed. This HJ log was the first I have seen since looking?

#24
fixmenow

Posted 21 April 2005 - 08:05 PM

Member

Topic Starter
Member
21 posts

I have to restart in Safe and save the log, then restart regular so I can get on the net. Be back soon!

#25
fixmenow

Posted 21 April 2005 - 08:16 PM

Member

Topic Starter
Member
21 posts

My Log

Logfile of HijackThis v1.99.1
Scan saved at 10:08:58 PM, on 4/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\Explorer.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmaid.com/bar/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmai...earch.php?qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmaid.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmaid.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmai...earch.php?qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchmaid.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe -onreboot
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://ramc.mlxchang...ectComboBox.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.a...77/mcinsctl.cab
O16 - DPF: {63BE9F48-B516-11D1-87CD-00A02476EC4D} (Labelselector Control) - http://rmls.rexplorer.net/rex$rea/cab/LabelSelector.cab
O16 - DPF: {6B1B6D11-E497-11D3-BE0C-005004AD2E83} (ImageStation Home Printing Control) - http://www.imagestat...rintActiveX.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://ramc.mlxchang...ClientUtils.cab
O16 - DPF: {845A8B24-D89F-11D1-9DA4-0080C885B976} (Galaxy PrintDC Class) - http://rmls.rexplorer.net/rex$rea/cab/Galaxy.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.taxsimple...TSWeb/msrdp.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.a...,18/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...1.10/ttinst.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://hpeapps.doh.s...tivexviewer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe

#26
Michelle

Posted 21 April 2005 - 10:43 PM

Malware Removal Goddess

Retired Staff
8,928 posts

The first thing I recommend is going into Start > Control Panel > Add/Remove programs and remove the following:

SpySpotter

It is a rogue/suspect Anti-Spyware program. You definitely don't need/want that program. You can read more about it here: http://www.spywarewa...nti-spyware.htm

I also recommend removing your P2P program (bearshare)... It's up to you, but if you continue to use it, it won't be long before we see you back here for more malware problems. Just my recommendation! DEFINITELY don't run BearShare while we're trying to clean your computer! :tazz:

Then delete this folder if it's still there: C:\Program Files\SpySpotter

Please read through all of these directions before continuing.

Then I've been thinking of our next course of action since you can not run these programs in normal mode. I recommend copying the follow instructions and pasting them into Notepad so that you can access them in Safe Mode.

Reboot into Safe Mode. Run HiJackThis and place a check next to the following items and click "FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmaid.com/bar/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmai...earch.php?qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmaid.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmaid.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmai...earch.php?qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchmaid.com/

F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (*NOTE* This item is optional - it's legit, but a resource hog. Only "fix" if you want to free up some system resources).

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab

Close HiJackThis.

Save a new HiJackThis log (after fixing the items above).

Then, since you have already downloaded Registrar Lite, try installing it and running it while in Safe Mode. (It will run in Safe Mode - I just tried it to be sure!) You may want to move it to C:\Program Files PRIOR to booting into Safe Mode so that you can access it to install it. Then follow these instructions:

*Double click the purple Registrar Lite icon.
*Copy the line below and paste it into the "Address" field (located at the top) of the program:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

*Click the "Go" button.
*It will take you into the "Policies" folder.
*Locate the "System" folder (in the right panel)
*If found, right-click on the System folder and go to Delete
*Be very careful that you only delete the System folder that is inside the Policies folder.

Reboot your computer and let me know if it's running any better. Also, try running HijackThis again in normal mode to see if it will let you. If it will, then post the HiJackThis log. If not, then just copy the one from Safe Mode that you saved and paste it here.

Then, please download this program:

Ewido Security Suite

It has to be installed and updated before it can be run. So, try to see if it will let you install and update it. If not, we can try booting into Safe Mode with Networking so you can get online in Safe Mode just to update it, then immediately disconnecting from the Internet and running the program. If you are able to do this, please save the log from Ewido and pasting it here.

#27
fixmenow

Posted 27 April 2005 - 05:57 AM

Member

Topic Starter
Member
21 posts

Hello... have been working many hours and did not have a chance to get back with you.

I have completed your instructions and posting the report below. The system is running much better, thank you!

Can you tell me how to get rid of the black screen caused by Smitfraud. I cant seem to find the settings that allow the change.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:49:31 AM, 04/27/2005
+ Report-Checksum: 8D2C6D12

+ Date of database: 04/27/2005
+ Version of scan engine: v3.0

+ Duration: 679 min
+ Scanned Files: 150856
+ Speed: 3.70 Files/Second
+ Infected files: 55
+ Removed files: 54
+ Files put in quarantine: 54
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\WINDOWS\SYSTEM\Loader.dll -> TrojanDownloader.Agent.li -> Cleaned with backup
C:\WINDOWS\wupdsnff.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\farmmext.exe -> Spyware.ConsCorr -> Cleaned with backup
C:\Program Files\MySearch\bar\2.bin\NPMYSRCH.DLL -> Spyware.MyWay.j -> Cleaned with backup
C:\Program Files\MySearch\bar\2.bin\S42NS.EXE -> Spyware.MyWay.j -> Cleaned with backup
C:\Documents and Settings\Valued Sony Customer\Local Settings\Temp\Cookies\valued sony customer@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Valued Sony Customer\Local Settings\Temp\Cookies\valued sony customer@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Valued Sony Customer\Local Settings\Temp\Cookies\valued sony [email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Valued Sony Customer\Local Settings\Temp\Cookies\valued sony customer@real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Valued Sony Customer\Local Settings\Temp\Cookies\valued sony customer@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Valued Sony Customer\Local Settings\Temp\Cookies\valued sony customer@dcskqeg2voifwznnd6alhtnei_8f3u[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Valued Sony Customer\Local Settings\Temp\Cookies\valued sony customer@dcsu5fw8z4twkfrvnc2j6wg6m_2z6k[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Valued Sony Customer\Local Settings\Temp\Cookies\valued sony customer@link[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Valued Sony Customer\Local Settings\Temp\remove.exe -> TrojanDownloader.Keenval.f -> Cleaned with backup
C:\Documents and Settings\Valued Sony Customer\Cookies\valued sony [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Valued Sony Customer\Cookies\valued sony customer@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Valued Sony Customer\Cookies\valued sony [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Valued Sony Customer\Cookies\valued sony customer@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Valued Sony Customer\Cookies\valued sony [email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Valued Sony Customer\Cookies\valued sony customer@doubleclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Valued Sony Customer\Cookies\valued sony [email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Valued Sony Customer\Cookies\valued sony customer@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Valued Sony Customer\Cookies\valued sony customer@5[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Valued Sony Customer\Cookies\valued sony [email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Valued Sony Customer\Cookies\valued sony customer@48906582[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Valued Sony Customer\Cookies\valued sony customer@myway[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Valued Sony Customer\Cookies\valued sony customer@35487201[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Valued Sony Customer\Cookies\valued sony customer@dcsaw1ekr000000s9ak3rqvg5_2y7i[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Valued Sony Customer\Cookies\valued sony customer@dcst86ivc21e5hinns3nrxalb_8c1s[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Valued Sony Customer\Cookies\valued sony [email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\System Volume Information\_restore{9F99FEA4-5093-4FC7-A531-688588EA974E}\RP674\A0128032.exe -> Trojan.Puper.b -> Cleaned with backup
C:\System Volume Information\_restore{9F99FEA4-5093-4FC7-A531-688588EA974E}\RP674\A0129032.exe -> Trojan.Puper.b -> Cleaned with backup
C:\System Volume Information\_restore{9F99FEA4-5093-4FC7-A531-688588EA974E}\RP674\A0130032.exe -> Trojan.Puper.b -> Cleaned with backup
C:\System Volume Information\_restore{9F99FEA4-5093-4FC7-A531-688588EA974E}\RP674\A0130038.exe -> Trojan.Puper.b -> Cleaned with backup
C:\System Volume Information\_restore{9F99FEA4-5093-4FC7-A531-688588EA974E}\RP674\A0131039.exe -> Trojan.Puper.b -> Cleaned with backup
C:\System Volume Information\_restore{9F99FEA4-5093-4FC7-A531-688588EA974E}\RP674\A0132041.exe -> Trojan.Puper.b -> Cleaned with backup
C:\System Volume Information\_restore{9F99FEA4-5093-4FC7-A531-688588EA974E}\RP674\A0133041.exe -> Trojan.Puper.b -> Cleaned with backup
C:\System Volume Information\_restore{9F99FEA4-5093-4FC7-A531-688588EA974E}\RP674\A0134043.exe -> Trojan.Puper.b -> Cleaned with backup
C:\System Volume Information\_restore{9F99FEA4-5093-4FC7-A531-688588EA974E}\RP674\A0135043.exe -> Trojan.Puper.b -> Cleaned with backup
C:\System Volume Information\_restore{9F99FEA4-5093-4FC7-A531-688588EA974E}\RP674\A0136044.exe -> Trojan.Puper.b -> Cleaned with backup
C:\System Volume Information\_restore{9F99FEA4-5093-4FC7-A531-688588EA974E}\RP674\A0136046.exe -> Trojan.Puper.b -> Cleaned with backup
C:\Recycled\Q330995.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\Recycled\Dc13.exe -> Trojan.Agent.ct -> Cleaned with backup
C:\Recycled\Dc36.dll -> TrojanDownloader.Agent.li -> Cleaned with backup
C:\Recycled\Dc64\popuper.zip/popuper.exe -> Trojan.Puper.b -> Cleaned with backup
C:\Recycled\Dc64\helper.zip/helper.exe -> Spyware.Agent.cr -> Cleaned with backup
C:\Recycled\Dc64\intmonp.zip/intmonp.exe -> Trojan.Puper.b -> Cleaned with backup
C:\Recycled\Dc64\msmsgs.zip/msmsgs.exe -> TrojanDownloader.Agent.lx -> Cleaned with backup
C:\Recycled\Dc64\msole32.zip/msole32.exe -> Spyware.Agent.cr -> Cleaned with backup
C:\Recycled\Dc64\ole32vbs.zip/ole32vbs.exe -> Trojan.Favadd.t -> Cleaned with backup
C:\Recycled\Dc65.exe -> Trojan.Puper.b -> Cleaned with backup
C:\Recycled\Dc67.exe -> Spyware.Agent.cr -> Cleaned with backup
C:\Recycled\Dc69.exe -> TrojanDownloader.Agent.lx -> Cleaned with backup
C:\Recycled\Dc70.exe -> Trojan.Favadd.t -> Cleaned with backup
C:\Recycled\Dc71.exe -> Spyware.Agent.cr -> Cleaned with backup

::Report End

#28
Michelle

Posted 27 April 2005 - 11:27 AM

Malware Removal Goddess

Retired Staff
8,928 posts

Yep, that would be the part we couldn't do because you were having problems with Registrar Lite, maybe it will work now :tazz:

*Download and install Registrar Lite version 2.00
*Double click the purple Registrar Lite icon on your desktop.
*Copy the line below and paste it into the "Address" field (located at the top) of the program:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

*Click the "Go" button.
*It will take you into the "Policies" folder.
*Locate the "System" folder (in the right panel)
*If found, right-click on the System folder and go to Delete
*Be very careful that you only delete the System folder that is inside the Policies folder.

Reboot your computer and post a new HiJackThis log.

#29
fixmenow

Posted 27 April 2005 - 04:42 PM

Member

Topic Starter
Member
21 posts

I had to run reglite in safe mode and did not find the Systems folder.

Here is the log.

Logfile of HijackThis v1.99.1
Scan saved at 6:33:22 PM, on 4/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\windows\Explorer.EXE
C:\Download\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe -onreboot
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://ramc.mlxchang...ectComboBox.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.a...77/mcinsctl.cab
O16 - DPF: {63BE9F48-B516-11D1-87CD-00A02476EC4D} (Labelselector Control) - http://rmls.rexplorer.net/rex$rea/cab/LabelSelector.cab
O16 - DPF: {6B1B6D11-E497-11D3-BE0C-005004AD2E83} (ImageStation Home Printing Control) - http://www.imagestat...rintActiveX.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://ramc.mlxchang...ClientUtils.cab
O16 - DPF: {845A8B24-D89F-11D1-9DA4-0080C885B976} (Galaxy PrintDC Class) - http://rmls.rexplorer.net/rex$rea/cab/Galaxy.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.taxsimple...TSWeb/msrdp.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.a...,18/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...1.10/ttinst.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://hpeapps.doh.s...tivexviewer.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

#30
fixmenow

Posted 27 April 2005 - 06:01 PM

Member

Topic Starter
Member
21 posts

As you know I cant run the downloaded programs uless I am in Safe mode. I have attempted to install HP printer software for my printer an it does the same thing...nothing. Is this part of the problems with Smitfraud?