First, want to thank you all for who you are and what you are doing. It is very much appreciated out here. So Thanks. Also, I know I"m late on the chain, but I can't quite clean this myself so need some help.
Problem: my girlfriend contracted the "trojan-spy.html.smitfraud.c" trojan. I did a bit of research on this and other forums and was able to delete "wp.exe" from her computer and get back desktop control. However, HijackThis says it's still on the system. The problem also is that our home page is still hijacked and when we attempt to change it we get "Access Blocked" and the url "res://bhoass.dll/HTTP_Blocked.htm". This also occurs when trying to access Windows Update and other sites like MSN Hotmail, etc. (but not innocuous sites like Disney or games). Ane then there's that pesky popup search for casinos that pops up every time we are blocked access to a site.And this "Security iGuard" keeps coming back after removal.
I'm not computer trained but can usually hold my own. I run in stealth continually and have two-three layers of protection and have not been infected in over a year. I guess I forgot to proof hers up. My bad.
This is what I've run:
Ad-Aware Plus 1.05 (with recommendations from FAQ file)
AboutBuster (nothing found)
CWShredder (nothing found; however, SpyBot 1.3 does find CWs)
CleanUp!
KillBox
Spybot S&D (cleaned CWs and iGuard)
Norton Antivirus 2005 (updated definitions file)
SPSeHjFix (nothing found - see log)
HijackThis (see log)
I will include the log file for HiJackThis. I'd really appreciate your help on this and will keep an eye here for when you get to this thread.
Thanks in advance, and thanks again for all you're doing. It really is a help.
Chris/Zaliwa
P.S. This hijacking spyware and also the about hijacker seem so illegal. Is anything being done about these *bleeped* companies/people?
Logs:
SPSeHjFix
(4/19/05 11:21:41 AM) SPSeHjFix started v1.1.2
(4/19/05 11:21:41 AM) OS: WinXP (5.1.2600)
(4/19/05 11:21:41 AM) Language: english
(4/19/05 11:21:41 AM) Win-Path: C:\WINDOWS
(4/19/05 11:21:41 AM) System-Path: C:\WINDOWS\System32
(4/19/05 11:21:41 AM) Temp-Path: C:\DOCUME~1\Michelle\LOCALS~1\Temp\
(4/19/05 11:21:43 AM) Disinfection started
(4/19/05 11:21:43 AM) Bad-Dll(IEP): (not found)
(4/19/05 11:21:43 AM) Bad-Dll(IEP) in BHO: (not found)
(4/19/05 11:21:43 AM) UBF: 4 - UBB: 0 - UBR: 20
(4/19/05 11:21:43 AM) UBF: 4 - UBB: 0 - UBR: 20
(4/19/05 11:21:43 AM) Bad IE-pages:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page:
(4/19/05 11:21:45 AM) Stealth-String not found
(4/19/05 11:21:45 AM) Not infected->END
HiJackThis:
Logfile of HijackThis v1.99.1
Scan saved at 11:18:34 AM, on 19/04/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\TASKMGRU.EXE
C:\WINDOWS\System32\MSIMN32.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Logitech\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\TASKMGRU.EXE
C:\WINDOWS\System32\MSIMN32.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Norton\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Norton\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\Norton\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\ScsiAccess.EXE
C:\PROGRA~1\Norton\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\Michelle\My Documents\Anti-Spyware\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\System32\pmxinit.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\System32\TASKMGRU.EXE
O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\System32\MSIMN32.EXE
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093895322311
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\Norton\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\Norton\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe