Trojan-spy.html.smitfraud.c - Zaliwa [RESOLVED]


#16 Zaliwa (Member, Topic Starter, 17 posts)
OK. I copied each file path and pasted it into the Killbox field and followed the directions. We have a problem, Houston. On reboot, the background came up, but no desktop. That means no icons, no taskbar, no nothing. Just the picture on the background. I was able to use the keyboard and do an Alt-Ctrl-Del and call up Task Manager, and was able to run HijackThis via the "New Task (Run)" command, but when I tried to run "explorer" from under Windows (to get back the desktop), it says the file can't be found. So I'm very limited in my actions. The Windows Start key on the keyboard also doesn't call up the menu. I can run the anti-spyware programs I put into their own folder under "My Documents" but haven't checked out the rest of the computer. I've rebooted just to see if it was a glitch and no go. So I think we deleted something we shouldn't have? Anyway, HELP!

Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 10:19:56 AM, on 23/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\Norton\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\Norton\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Michelle\My Documents\Anti-Spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll (file missing)
O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\stlbd.dll (file missing)
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\System32\pmxinit.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\System32\TASKMGRU.EXE
O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\System32\MSIMN32.EXE
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093895322311
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\Norton\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\Norton\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#17 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
No, we did not delete anything that "we shouldn't have" - the only thing we removed were infected items that ActiveScan found. I'll be right back!

#18 Zaliwa (Member, Topic Starter, 17 posts)
OK, sorry. I'll go grab some coffee. ;)

Chris

#19 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
I don't know what would cause that. About the only thing we can do is use system restore to restore it back to when your computer was infected and start over.

Bring up Task Manager - click "New Task"
type:

restore

Then doubleclick on the icon named "rstrui.exe".

Then click "Restore my computer to an earlier time" click next and restore it back to before this happened.

#20 Zaliwa (Member, Topic Starter, 17 posts)
It says it cannot find the file. I've tried a number of ways to find it. No go. What do you think about re-installing Windows?

#21 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Ugh, I hate malware!!

It's saying explorer is gone and you can't use System Restore, so reinstalling Windows is probably going to be the only option.

We can certainly try fixing items in HijackThis to see if it helps anything before doing that; it's up to you.

#22 Zaliwa (Member, Topic Starter, 17 posts)
Hehehe. Yeah, I agree with your sentiments. And yes, that's exactly what's happening with explorer.exe and restore. But anyway, thanks for all your help so far. I do appreciate you standing by me. It's not a big deal re Windows; I'll just overlay it and it should fill in the gaps. I've got to go out for a couple of hours, but let's do what you say and fix the items in HijackThis first. I'll do what you propose as soon as I get back. Thanks, Michelle.

Later,
C.

#23 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Sounds like a plan!

I will review the log and be back ASAP.

#24 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Run HijackThis. Place a check next to these items and click FIX CHECKED:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com

O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll (file missing)

O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\stlbd.dll (file missing)

O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\System32\TASKMGRU.EXE
O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\System32\MSIMN32.EXE
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab

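The items in the "Fix checked" list above share a handful of patterns that a log reader learns to spot by eye: IE start/search pages pointing at an unfamiliar host, BHO and toolbar registrations whose DLL is already gone, HKCU Run entries that launch a bare filename (resolved through PATH at logon) or something sitting in the drive root, and names that imitate real Windows binaries (TASKMGRU for taskmgr, MSIMN32 for msimn). The script below is an added example for this page, not HijackThis code and not Michelle's procedure; it encodes those patterns so they can be run over a log. The trusted-host allowlist and the list of imitated system names are assumptions made for the example, and the sample log is constructed from lines of the log in post #16 plus two known-good entries (ccApp, ypager) as controls.

```python
"""Triage of HijackThis v1.99 log lines (added example; assumptions are marked)."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity section reason line")

# Assumption: home/search pages that are not hijacks (extend per environment).
TRUSTED_PAGE_HOSTS = {"about:blank", "www.msn.com", "www.microsoft.com",
                      "www.google.com", "www.yahoo.com"}
# Assumption: Windows binaries whose names malware likes to imitate.
SYSTEM_NAMES = {"taskmgr", "msimn", "explorer", "svchost", "lsass",
                "services", "winlogon", "wuauclt", "csrss"}

_O4 = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.*?)\] (.*)$")
_O23 = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
_RPAGE = re.compile(r"^R[01] - .*= (\S+)")

# Constructed sample: lines copied from the log in post #16, plus ccApp and
# ypager as known-good controls that must not be flagged.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll (file missing)
O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\stlbd.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\System32\TASKMGRU.EXE
O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\System32\MSIMN32.EXE
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
""".strip()


def _exe_path(command):
    """Pull the executable path out of a Run-key command, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.(?:exe|com|scr|bat|dll))(?:\s|$)", command, re.I)
    return m.group(1) if m else (command.split() or [""])[0]


def _check_page(line):
    """R0/R1: flag a start or search page whose host is not on the allowlist."""
    m = _RPAGE.match(line)
    if not m:
        return None
    url = m.group(1)
    host = re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/")[0].lower()
    if host in TRUSTED_PAGE_HOSTS:
        return None
    return Finding("fix", line[:2], f"IE page setting points at {host}", line)


def _check_bho(line):
    """O2/O3: a CLSID still registered for a DLL that no longer exists."""
    if "(file missing)" in line:
        return Finding("fix", line[:2], "BHO/toolbar registration whose DLL is gone", line)
    return None


def _check_run(hive, name, command, line):
    """O4 heuristics (assumptions for this example, not HijackThis rules)."""
    path = _exe_path(command)
    base = path.rsplit("\\", 1)[-1]
    stem = base.lower().rsplit(".", 1)[0]
    # A name that extends a real system binary's name, e.g. taskmgru, msimn32.
    if stem not in SYSTEM_NAMES and any(stem.startswith(s) for s in SYSTEM_NAMES):
        return Finding("fix", "O4", f"[{name}] {base} imitates a Windows binary name", line)
    if re.fullmatch(r"[a-z]:\\[^\\]+", path, re.I):
        return Finding("fix", "O4", f"[{name}] {base} runs from the drive root", line)
    if "\\" not in path:  # bare filename: found via PATH at logon, easy to shadow
        sev = "fix" if hive.upper() == "HKCU" else "review"
        return Finding(sev, "O4", f"[{name}] {base} has no path; resolved via PATH at logon", line)
    return None


def _check_service(line):
    """O23: a service with no publisher name deserves a look."""
    m = _O23.match(line)
    if m and m.group(2).strip().lower() == "unknown owner":
        return Finding("review", "O23", f"service {m.group(1)} has no publisher", line)
    return None


def triage(log_text):
    """Return a Finding for every log line that matches one of the patterns."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        f = None
        if line.startswith(("R0 ", "R1 ")):
            f = _check_page(line)
        elif line.startswith(("O2 ", "O3 ")):
            f = _check_bho(line)
        elif line.startswith("O4 "):
            m = _O4.match(line)
            if m:
                f = _check_run(*m.groups(), line)
        elif line.startswith("O23 "):
            f = _check_service(line)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:<6} {f.section:<3} {f.reason}")
        print(f"       {f.line}")
```

Run against the sample, the "fix" findings are exactly the R0/R1, O2, O3 and four HKCU O4 lines Michelle listed; SOUNDMAN.EXE (a bare name under HKLM) and the ScsiAccess service come back as "review" rather than "fix", which matches the judgement in the thread that they were left alone. The heuristics are deliberately conservative: a bare filename is only auto-flagged for removal when it lives in the per-user Run key, because that is where the malware on this machine put itself.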

#25 Zaliwa (Member, Topic Starter, 17 posts)
Hey Michelle,

I ran HijackThis and checked the items and ran "Fix Checked". I'm going to re-do windows and will be back with a fresh HijackThis log when done.

Ciao bella,
C.

#26 Zaliwa (Member, Topic Starter, 17 posts)
Hey, Morning Michelle,

Well, I hate the way this resolved, but it seems it's resolved. I couldn't overlay Windows and get the desktop fixed. Neither did using the Repair function of Windows. Both times I still came up with a blank desktop except the wallpaper, no sign of 'explorer.exe', and only able to use Task Manager. So I conducted a totally new installation of Windows and now have everything back. I lost some files, but not major ones (i.e., forgot to back up Outlook Express folders/files) and I had previously saved my work. So it's like a fresh computer for the most part.

I ran Spybot S&D and nothing was found. I scanned with AVG and nothing was found. (I'm using AVG Free as the AV utility now.) I ran Ad-Aware Plus and nothing was found. I've got firewalls up and anti-spyware protection enabled. I also ran HijackThis and here's the log for it. Unless you see something that is still there, I think we nailed this little sucker, albeit in a roundabout way.

Thanks for your help and I'll await your analysis of the logfile.

Zal

==============================================================================

Logfile of HijackThis v1.99.1
Scan saved at 10:32:04 AM, on 24/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVGANT~1\avgamsvr.exe
C:\PROGRA~1\AVGANT~1\avgupsvc.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Documents and Settings\Michelle.PEIGHBO\My Documents\Anti-Spyware\HijackThis.exe

O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGANT~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGANT~1\avgupsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#27 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
I'm also sorry that it had to be resolved by reformatting ;) But, on the bright side, your system is definitely clean!

Congratulations, your log is clean!

I recommend checking the http://www.microsoft.com website periodically for critical updates to install.

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Ewido Security Suite <= Protection against Trojans, Worms, Dialers, Hijackers, Spyware, and Keyloggers.

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or AntiVir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall<= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.

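The MVPS Hosts file entry in the list above relies on one mechanism: a name that is mapped to 127.0.0.1 in the HOSTS file never leaves the machine. The same mechanism cuts both ways, so the check a practitioner wants after installing such a file (or after cleaning a machine) is that every mapped name really does point at loopback, or at 0.0.0.0 which many blocklists use instead, and that nothing has been mapped to some other address. The script below is an added example for this page, not code from the MVPS project; the sample HOSTS content is constructed and the hostnames in it are placeholders.

```python
"""Audit a HOSTS file used as a blocklist (added example; sample data is constructed)."""
import ipaddress

# Constructed sample, not the real MVPS file. Placeholder names throughout.
SAMPLE_HOSTS = """
# local resolution entries shipped with Windows
127.0.0.1       localhost
::1             localhost
# blocklist-style entries
127.0.0.1       ads.example.net          # sinkholed ad server
0.0.0.0         tracker.example.org      # same effect via the unspecified address
127.0.0.1       a.example.com b.example.com   # several names on one line
10.9.8.7        update.example.com       # NOT loopback: this name now resolves to another host
"""


def parse_hosts(text):
    """Yield (hostname, ip_address) pairs; comments and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # address field is not an IP
        for name in parts[1:]:                 # one address may carry many names
            yield name.lower(), addr


def is_sinkhole(addr):
    """True for 127/8, ::1 and 0.0.0.0: traffic for such a name never leaves the box."""
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text):
    """Split mappings into names that are blocked and names redirected to a real host."""
    blocked, redirected = [], []
    for name, addr in parse_hosts(text):
        if name == "localhost":
            continue                           # normal entry, not a blocklist line
        (blocked if is_sinkhole(addr) else redirected).append((name, str(addr)))
    return blocked, redirected


if __name__ == "__main__":
    blocked, redirected = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(blocked)} names sinkholed")
    for name, addr in redirected:
        print(f"REVIEW: {name} -> {addr} (not loopback)")
```

On a real machine the file lives at %SystemRoot%\system32\drivers\etc\hosts; any name that shows up under REVIEW is one whose traffic is being sent to the address listed rather than dropped, and should be explained before the file is trusted.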

#28 Zaliwa (Member, Topic Starter, 17 posts)
Hey Michelle,

I actually didn't have to reformat, although maybe I should have, as I do that once a year anyway. But I just re-installed Windows as a "clean installation". Like I said, I lost a few files, but only because I didn't back up everything before the desktop went missing. I'm going to save your recommendations and install some of them. I definitely don't want to have to go through this again! But like you said, at least it's clean.

I sent you a little something. Sorry, I'd like to have done more, but still a starving student. ;)

Take care and keep the flag flying high.

Chris/Zal

#29 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
I received your donation! You didn't have to do that! That was very sweet of you, I appreciate that! Thank you

If you have any other problems at all with your system, you know where to find me! ;)

Thanks again!
Michelle ;)

#30 Zaliwa (Member, Topic Starter, 17 posts)
Hey, it was worth it just for your sig tag. That alone gave me a different view on life. Besides, I like to reward good people who do good for others. Just don't ask what I'd like to do to malware scripters, though! ;)

Cheers, and hopefully I won't need your services again. If so, I'll look you up. Have a great summer.

Later,
Zal