Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Smit fraud again ... sorry! [RESOLVED]


  • This topic is locked This topic is locked

#16
JenWren

JenWren

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
No it doesn't say Internet Explorer (or Netscape for that matter!).

Could it be that I am using the BT Yahoo browser, which came with my broadband package?

Jen :tazz:

PS - I will run the online scan - thanks for the explanation!
  • 0

Advertisements


#17
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Ah, I see ;) (I forgot, yes, the yahoo is most likely that's what you're using ;) )

Save the results from ActiveScan and copy then paste them here so we can get rid of the items it finds (if any) :tazz:

Edited by bananafanafo, 24 April 2005 - 02:24 AM.

  • 0

#18
JenWren

JenWren

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Hi again!

Results from Active Scan are in .... Is this what you wanted?


Incident Status Location

Adware:Adware/nCase No disinfected Windows Registry
Adware:Adware/IPInsight No disinfected C:\WINNT\alchem.???
Adware:Adware/AdLogix No disinfected C:\WINNT\system32\adupdmanager.xml
Virus:Trj/StartPage.NA Disinfected Operating system
Adware:Adware/IGuard No disinfected C:\WINNT\system32\wldr.dll
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Administrator\Desktop\Geeks\backups\backup-20050423-210725-139.inf
Adware:Adware/AdLogix No disinfected C:\Documents and Settings\Administrator\Desktop\Geeks\backups\backup-20050423-210725-553.dll
Adware:Adware/AdLogix No disinfected C:\RECYCLER\S-1-5-21-2052111302-1957994488-839522115-500\Dc1.exe
Adware:Adware/IPInsight No disinfected C:\WINNT\inf\alchem.inf
Adware:Adware/IGuard No disinfected C:\WINNT\system32\wldr.dll
  • 0

#19
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
That's what I needed :tazz:

I'll be right back! Only take me a second!
  • 0

#20
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
*Double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! Be sure there is no space before or after the file path when put into killbox. I would just copy each file path and paste it in the field):

C:\WINNT\alchem.???
C:\WINNT\system32\adupdmanager.xml
C:\WINNT\system32\wldr.dll
C:\Documents and Settings\Administrator\Desktop\Geeks\backups\backup-20050423-210725-139.inf
C:\Documents and Settings\Administrator\Desktop\Geeks\backups\backup-20050423-210725-553.dll
C:\RECYCLER\S-1-5-21-2052111302-1957994488-839522115-500\Dc1.exe
C:\WINNT\inf\alchem.inf


Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered press the YES button at both prompts so that your computer restarts.

Post a new HiJackThis log to make sure everything is still good!
  • 0

#21
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Jen - It's 3:30 am here so I'm heading to bed! I will be back later in the morning to check out your last log. Just letting you know so you don't think I just took off! :tazz:
  • 0

#22
JenWren

JenWren

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Sleep well ....!! You deserve it. I'll post the hijack log in a while and wait to hear back from you ....... it's 10.30 a.m. here!! Jen :tazz:
  • 0

#23
JenWren

JenWren

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
OK - here it is ..... thanks again!

Logfile of HijackThis v1.99.1
Scan saved at 10:28:15, on 24/04/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Tiny Personal Firewall\persfw.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Mixer.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINNT\system32\carpserv.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\BTYAHO~1\SMARTB~1\BTHelpNotifier.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
C:\Program Files\BT Yahoo! Help\bin\mpbtn.exe
C:\PROGRA~1\BTYAHO~1\SMARTB~1\SBHookSvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Documents and Settings\Administrator\Desktop\Geeks\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.bt.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.btopenworld.com/default
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Yahoo! Broadband
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.btopenwor...d.com/default/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\b8t73mvc.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\b8t73mvc.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~1\SMARTB~1\BTHelpNotifier.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo! Help\bin\matcli.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: BT - {8DD314AD-0BE9-4C21-9A29-06760D907CA4} - http://www.bt.com (file missing) (HKCU)
O9 - Extra button: Homepage - {C6CDF970-6B62-4278-A61D-0DAD6285EBFF} - http://bt.yahoo.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://c:\program files\internet explorer\plugins\awswaxf.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btop...bcontrol012.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{707CB8A9-A1E7-4038-B5D7-02C6C853FFF5}: NameServer = 194.74.65.68 194.72.0.114
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Tiny Personal Firewall (PersFw) - Tiny Software - C:\Program Files\Tiny Personal Firewall\persfw.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\BTYAHO~1\SMARTB~1\SBHookSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#24
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Congratulations your log is clean! ;) Great job on the clean up :tazz:

I recommend checking the http://www.microsoft.com website periodically for critical updates to install.

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Ewido Security Suite <= Protection against Trojans, Worms, Dialers, Hijackers, Spyware, and Keyloggers.

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have.
  • Firewall<= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.

  • 0

#25
JenWren

JenWren

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Hi again! Thank you so much for all your help and tips for the future. I have learned so much this last few days. Thank you also to everyone on the site for their commitment to helping others overcome such problems.

Thanks again Jen :tazz:
  • 0

Advertisements


#26
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
You're very welcome!! I'm happy I could help ;)

Michelle :tazz:
  • 0

#27
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Jen - I received the donation! You didn't have to do that! That was very sweet of you! :tazz:

Thanks so much!
Michelle
  • 0

#28
JenWren

JenWren

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
You are more than welcome. I can't tell you how much I admire you guys for what you do. Those of us who really enjoy our home PC's (and the access to information/the world that the internet gives us) but don't understand too much about the technicalities are so vulnerable. You guys help us protect ourselves. It is priceless really. Don't want to get too soppy but thank you so much.

Jen :tazz:
  • 0

#29
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
That last paragraph of yours is enough to keep me going! Thank you :tazz:

I'm going to go ahead and close this topic. If you have any other problems at all, you can PM me or another staff member and we'll re-open it for you!

Thanks again!
Michelle ;)

Edited by bananafanafo, 26 April 2005 - 01:42 AM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP