joke.smitfraudoid please help. urgent



#1 antarez (New Member, 6 posts)

Hey.. I guess I'm not the only one with this problem.

JOKE.SMITFRAUDOID, fatal error in IE has occurred at ..... Error caused by Trojan-Spy.Html.Smitfraud ...

Please help ASAP.. in urgent need of recovery.

Here's my log file:

Logfile of HijackThis v1.99.1
Scan saved at 9:47:21 AM, on 4/19/2005
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Antarez Studio Inc\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sg8l.hpwis.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.tp.edu.sg:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.tp.edu.sg;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [JVM0.12] C:\WINDOWS\system32\jzqoeed.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Client Shedule] C:\WINDOWS\system32\qmgrdcan.exe
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\cxtpls_loader.exe" /HideUninstall /HideDir /PC=CP.AMS /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\system32\ap9h4qmo.exe
O4 - HKLM\..\Run: [tssU39l] docackup.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MessengerPlus3] "D:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ffmuaea] c:\windows\uabtwou.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [wupdate] C:\WINDOWS\system32\wisvccz.exe
O4 - HKCU\..\Run: [xwtimnq] c:\windows\xwdbuib.exe
O4 - HKCU\..\Run: [oryflss] c:\windows\xwdbuib.exe
O4 - HKCU\..\Run: [oqsksxf] c:\windows\xwdbuib.exe
O4 - HKCU\..\Run: [cB38RVJEh] dmilsapi.exe
O4 - HKCU\..\Run: [idurqrf] c:\windows\xwdbuib.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: YzDock.lnk = D:\FQ's File\Installers\Yz Dock\yz_dck0083\YzDock.exe
O4 - Global Startup: PhotoCAL Startup.lnk = D:\Program Files\PANTONE COLORVISION\PhotoCAL\PhotoCAL.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Microsoft AntiSpyware helper - {A7EDA623-4B7E-4EE2-A334-3C3EAC849D0E} - C:\WINDOWS\system32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A7EDA623-4B7E-4EE2-A334-3C3EAC849D0E} - C:\WINDOWS\system32\wldr.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {A7EDA623-4B7E-4EE2-A334-3C3EAC849D0E} - C:\WINDOWS\system32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A7EDA623-4B7E-4EE2-A334-3C3EAC849D0E} - C:\WINDOWS\system32\wldr.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O14 - IERESET.INF: START_PAGE_URL=http://sg8l.hpwis.com
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/website.ocx
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180search...com/180saax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DD85FDB7-9363-4873-B50C-CC46F3E4B704} (IGOLauncher6 Control) - http://vitalsign.iga...GOLauncher6.cab
O21 - SSODL: Access Shedule - {11AC24F2-FFEE-4FC9-BF1E-505770421CB1} - C:\WINDOWS\system32\duseaqsp.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

Thanks guys.. urgent.. need the comp for work. Thanks.


#2 Metallica (Spyware Veteran, GeekU Moderator, 31,675 posts)

Let's do this in two steps.

Download and run CWShredder from:
http://www.intermute...r_download.html
Use the Fix button.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll

O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL (file missing)

O4 - HKLM\..\Run: [JVM0.12] C:\WINDOWS\system32\jzqoeed.exe

O4 - HKLM\..\Run: [Client Shedule] C:\WINDOWS\system32\qmgrdcan.exe
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\cxtpls_loader.exe" /HideUninstall /HideDir /PC=CP.AMS /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\system32\ap9h4qmo.exe
O4 - HKLM\..\Run: [tssU39l] docackup.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

O4 - HKCU\..\Run: [ffmuaea] c:\windows\uabtwou.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [wupdate] C:\WINDOWS\system32\wisvccz.exe
O4 - HKCU\..\Run: [xwtimnq] c:\windows\xwdbuib.exe
O4 - HKCU\..\Run: [oryflss] c:\windows\xwdbuib.exe
O4 - HKCU\..\Run: [oqsksxf] c:\windows\xwdbuib.exe
O4 - HKCU\..\Run: [cB38RVJEh] dmilsapi.exe
O4 - HKCU\..\Run: [idurqrf] c:\windows\xwdbuib.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

O9 - Extra button: Microsoft AntiSpyware helper - {A7EDA623-4B7E-4EE2-A334-3C3EAC849D0E} - C:\WINDOWS\system32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A7EDA623-4B7E-4EE2-A334-3C3EAC849D0E} - C:\WINDOWS\system32\wldr.dll

O9 - Extra button: Microsoft AntiSpyware helper - {A7EDA623-4B7E-4EE2-A334-3C3EAC849D0E} - C:\WINDOWS\system32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A7EDA623-4B7E-4EE2-A334-3C3EAC849D0E} - C:\WINDOWS\system32\wldr.dll (HKCU)

O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/website.ocx
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180search...com/180saax.cab

O21 - SSODL: Access Shedule - {11AC24F2-FFEE-4FC9-BF1E-505770421CB1} - C:\WINDOWS\system32\duseaqsp.dll

O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

Reboot into safe mode and delete:
C:\Program Files\CxtPls <= entire folder
C:\WINDOWS\zeta.exe
C:\Program Files\BullsEye Network <= entire folder

Post a new HijackThis log when you are done, so we can start step 2.

Regards,

Pieter

#3 antarez (Topic Starter, New Member)

Thanks man for the help.. okay, here's what happened after I did what you said.

Some of the files aren't there in the HijackThis log anymore.. I believe I cleared it out when I scanned for some spyware earlier.. the BullsEye Network folder isn't there either.

But anyway, here's my new log:

Logfile of HijackThis v1.99.1
Scan saved at 11:17:59 PM, on 4/19/2005
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Antarez Studio Inc\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sg8l.hpwis.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.tp.edu.sg:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.tp.edu.sg;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Client Shedule] C:\WINDOWS\system32\qmgrdcan.exe
O4 - HKLM\..\Run: [tssU39l] docackup.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunOnce: [SpySubtractInst_0] regsvr32 /s "c:\Program Files\interMute\SpySubtract\ssengine.dll"
O4 - HKLM\..\RunOnce: [SpySubtractInst_1] regsvr32 /s "c:\Program Files\interMute\SpySubtract\sshook.dll"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MessengerPlus3] "D:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [agdskjr] c:\windows\gtpuuwu.exe
O4 - HKCU\..\Run: [lcbsffd] c:\windows\gtpuuwu.exe
O4 - HKCU\..\Run: [mrlsurd] c:\windows\gtpuuwu.exe
O4 - HKCU\..\Run: [lmuoxom] c:\windows\winsoql.exe
O4 - HKCU\..\Run: [tbueofu] c:\windows\winsoql.exe
O4 - HKCU\..\Run: [qhlfahv] c:\windows\winsoql.exe
O4 - Startup: YzDock.lnk = D:\FQ's File\Installers\Yz Dock\yz_dck0083\YzDock.exe
O4 - Global Startup: PhotoCAL Startup.lnk = D:\Program Files\PANTONE COLORVISION\PhotoCAL\PhotoCAL.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://sg8l.hpwis.com
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DD85FDB7-9363-4873-B50C-CC46F3E4B704} (IGOLauncher6 Control) - http://vitalsign.iga...GOLauncher6.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

Thanks sooo much.. you're a BIG HELP!!! I wish I could buy you a drink :tazz:
Okie.. all set for step 2!

#4 Metallica (Spyware Veteran, GeekU Moderator)

Sorry it took so long. I had to eat or I would have fainted. :tazz:

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

*IMPORTANT* CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

Press CTRL ALT DELETE to open Windows Task Manager. Click on the Processes tab and end the following processes:

Security iGuard.exe if it is running

Exit Task Manager.

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! I would just copy each file path and paste it in the field) MAKE SURE TO ENTER ALL FILE PATHS!:

C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\WINDOWS\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe


Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button; when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered, press the YES button at both prompts so that your computer restarts. If you receive an error message "PendingRenameOperation...." and your computer doesn't restart, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.

Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

Reboot into normal mode.

*Download and install Registrar Lite version 2.00
*Double click the purple Registrar Lite icon on your desktop.
*Copy the line below and paste it into the "Address" field (located at the top) of the program:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

*Click the "Go" button.
*It will take you into the "Policies" folder.
*Locate the "System" folder (in the right panel)
*If found, right-click on the System folder and go to Delete
*Be very careful that you only delete the System folder that is inside the Policies folder.

Reboot your computer again.

1.) Download the Hoster from HERE. Press "Restore Original Hosts" and press "OK". Exit the program.

2.) Download: http://www.mvps.org/winhelp2002/DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new HiJackThis log.

Regards,

Pieter

#5 antarez (Topic Starter, New Member)

I did everything except ActiveScan cos my laptop doesn't have internet access at the moment... but here's my log file...

Logfile of HijackThis v1.99.1
Scan saved at 10:37:22 AM, on 4/20/2005
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dllhost.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
D:\FQ's File\Installers\Yz Dock\yz_dck0083\YzDock.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Antarez Studio Inc\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sg8l.hpwis.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.tp.edu.sg:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.tp.edu.sg;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [tssU39l] docackup.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MessengerPlus3] "D:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [agdskjr] c:\windows\gtpuuwu.exe
O4 - HKCU\..\Run: [lcbsffd] c:\windows\gtpuuwu.exe
O4 - HKCU\..\Run: [mrlsurd] c:\windows\gtpuuwu.exe
O4 - HKCU\..\Run: [lmuoxom] c:\windows\winsoql.exe
O4 - HKCU\..\Run: [tbueofu] c:\windows\winsoql.exe
O4 - HKCU\..\Run: [qhlfahv] c:\windows\winsoql.exe
O4 - HKCU\..\Run: [jrvchhx] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [trbklwe] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [bpmijne] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [dwmdrwa] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [mfmrvcn] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [dvgndfa] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [oeokhkv] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [yheqdan] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [dalbhge] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [udwujky] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [wqdkktp] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [bewgikx] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [hbgcrsn] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [fldanxt] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [aewpgua] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [otjrptp] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [gpxyoyp] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [tirqkak] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [yrfyjym] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [akmppvn] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [gixhngq] c:\windows\opojmgf.exe
O4 - HKCU\..\Run: [mdyharu] c:\windows\opojmgf.exe
O4 - HKCU\..\Run: [pqmbgls] c:\windows\opojmgf.exe
O4 - HKCU\..\Run: [wygjjkt] c:\windows\opojmgf.exe
O4 - HKCU\..\Run: [dvdbinp] c:\windows\irasyrd.exe
O4 - HKCU\..\Run: [dixgtyr] c:\windows\irasyrd.exe
O4 - HKCU\..\Run: [gtlpagg] c:\windows\irasyrd.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: YzDock.lnk = D:\FQ's File\Installers\Yz Dock\yz_dck0083\YzDock.exe
O4 - Global Startup: PhotoCAL Startup.lnk = D:\Program Files\PANTONE COLORVISION\PhotoCAL\PhotoCAL.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://sg8l.hpwis.com
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DD85FDB7-9363-4873-B50C-CC46F3E4B704} (IGOLauncher6 Control) - http://vitalsign.iga...GOLauncher6.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

Thanks a million so far...

#6 Metallica (Spyware Veteran, GeekU Moderator)

OK. This is definitely not a CWS infection that is up to any good. :tazz:

First, make sure you can view hidden files: http://www.xtra.co.n...1916458,00.html


Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm

O4 - HKLM\..\Run: [tssU39l] docackup.exe

O4 - HKCU\..\Run: [agdskjr] c:\windows\gtpuuwu.exe
O4 - HKCU\..\Run: [lcbsffd] c:\windows\gtpuuwu.exe
O4 - HKCU\..\Run: [mrlsurd] c:\windows\gtpuuwu.exe
O4 - HKCU\..\Run: [lmuoxom] c:\windows\winsoql.exe
O4 - HKCU\..\Run: [tbueofu] c:\windows\winsoql.exe
O4 - HKCU\..\Run: [qhlfahv] c:\windows\winsoql.exe
O4 - HKCU\..\Run: [jrvchhx] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [trbklwe] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [bpmijne] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [dwmdrwa] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [mfmrvcn] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [dvgndfa] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [oeokhkv] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [yheqdan] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [dalbhge] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [udwujky] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [wqdkktp] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [bewgikx] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [hbgcrsn] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [fldanxt] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [aewpgua] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [otjrptp] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [gpxyoyp] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [tirqkak] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [yrfyjym] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [akmppvn] c:\windows\ktnroda.exe
O4 - HKCU\..\Run: [gixhngq] c:\windows\opojmgf.exe
O4 - HKCU\..\Run: [mdyharu] c:\windows\opojmgf.exe
O4 - HKCU\..\Run: [pqmbgls] c:\windows\opojmgf.exe
O4 - HKCU\..\Run: [wygjjkt] c:\windows\opojmgf.exe
O4 - HKCU\..\Run: [dvdbinp] c:\windows\irasyrd.exe
O4 - HKCU\..\Run: [dixgtyr] c:\windows\irasyrd.exe
O4 - HKCU\..\Run: [gtlpagg] c:\windows\irasyrd.exe

Reboot into safe mode and delete:
c:\windows\irasyrd.exe
c:\windows\opojmgf.exe
c:\windows\ktnroda.exe
c:\windows\gtpuuwu.exe

Do a Find Files for files containing the text w-find and let me know if any are found.
Post that together with a new HijackThis log.

Regards,

Pieter
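The checks Pieter applies to the logs above by hand (one domain controlling several IE settings at once, one executable registered under several random Run value names, an unknown Winsock LSP file, a Run value with no folder, a service of unknown owner sitting in the Windows root) can be scripted for triage. This is example code added to the thread, not part of HijackThis or anything posted here; the rule names are invented and the sample log is a constructed subset of antarez's lines.

```python
"""Triage a HijackThis 1.99.x log with the checks a helper applies by hand.

Example code added to this thread, not part of HijackThis itself. The rule
names and the sample log subset below are constructed for the example.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: a subset of the lines antarez posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sg8l.hpwis.com
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe
O4 - HKLM\..\Run: [tssU39l] docackup.exe
O4 - HKCU\..\Run: [xwtimnq] c:\windows\xwdbuib.exe
O4 - HKCU\..\Run: [oryflss] c:\windows\xwdbuib.exe
O4 - HKCU\..\Run: [oqsksxf] c:\windows\xwdbuib.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
"""

# R0/R1: key,setting = URL; O4: [value name] command; O10: LSP file; O23: service - owner - path
R_LINE = re.compile(r"^R[01] - (.+?),(.+?) = (\S+)$")
O4_LINE = re.compile(r"^O4 - \S+: \[([^\]]+)\] (.+)$")
O10_LINE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+)$")
O23_LINE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


def exe_of(command):
    """Executable part of a Run-value command (quotes and arguments dropped), lowercased."""
    m = re.match(r'"?(.+?\.exe)\b', command, re.IGNORECASE)
    return (m.group(1) if m else command.split()[0]).strip('"').lower()


def in_windows_root(path):
    """True when the file sits directly in the Windows directory, not in System32 or a subfolder."""
    folder = path.strip('"').lower().rsplit("\\", 1)[0]
    return folder.endswith("\\windows") or folder.endswith("\\winnt")


def triage(log_text):
    """Return (rule, detail) findings: per-line rules first, then the cross-line rules."""
    findings = []
    ie_hosts = defaultdict(set)     # host -> IE settings now pointing at it
    run_by_exe = defaultdict(list)  # executable -> Run value names registering it
    lsp_seen = set()
    for line in log_text.strip().splitlines():
        line = line.strip()
        if m := R_LINE.match(line):
            host = urlsplit(m.group(3)).hostname
            if host:
                ie_hosts[host].add(m.group(2))
        elif m := O4_LINE.match(line):
            name, exe = m.group(1), exe_of(m.group(2))
            run_by_exe[exe].append(name)
            if "\\" not in exe:  # no folder given: whatever is first on PATH gets run
                findings.append(("O4-bare-filename", f"[{name}] {exe}"))
        elif m := O10_LINE.match(line):
            dll = m.group(1).strip().lower()
            if dll not in lsp_seen:  # one LSP DLL is listed once per protocol it chains into
                lsp_seen.add(dll)
                findings.append(("O10-unknown-lsp", dll))
        elif m := O23_LINE.match(line):
            service, owner, path = m.groups()
            if owner.lower() == "unknown owner" and in_windows_root(path):
                findings.append(("O23-unknown-owner-windir", f"{service}: {path}"))
    # Cross-line rule: one domain has taken over two or more IE settings at once.
    for host, settings in ie_hosts.items():
        if len(settings) >= 2:
            findings.append(("R-hijacked-ie", f"{host} controls {sorted(settings)}"))
    # Cross-line rule: the same executable is registered under several (random) value names.
    for exe, names in run_by_exe.items():
        if len(names) >= 2:
            findings.append(("O4-multi-name", f"{exe} registered as {names}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:26} {detail}")
```

The output is a review list, not a verdict: a legitimate driver can live in the Windows root or run from PATH, so each hit still needs the lookup a helper would do.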