Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

trojan-spy.HTML.smitfraud.c trojan help [CLOSED]


  • This topic is locked This topic is locked

#1
Razor61

Razor61

    New Member

  • Member
  • Pip
  • 4 posts
Hi,
i have read other posts here about the same virus, but before i even found this site, i deleted the:-
wp.exe
wp.bmp
files myself using the Alt Ctrl Del then deleting them using Explorer.

This got rid of the blue warning screen (wp.bmp) but gave me a black screen instead. I cannot change my desktop back to anything, the tab to do so has disappeared. All i have is the screensaver tab and settings.

I dowbloaded the latest update for AVG 7 today, but the update is dated from yesterday :tazz: and it did not find any trace of the smitfraud trojan.
So i tried AdAware and this too found no trace.

I've seen what you have explained to others to do, but i was afraid to do this to mine just incase, because i have already deleted the wp.exe/bmp before i even came on this forum.

Any help on how to get the windows desktop settings back, and to GET RID of the virus would be appreciated.

Below is a log from HijackThis (new version)

Logfile of HijackThis v1.99.1
Scan saved at 19:10:53, on 20/04/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\AOL 8.0\WAOL.EXE
C:\PROGRAM FILES\AOL 8.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\DAP\DAP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\cehja.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Class - {E04CC740-6392-9599-BFA7-F8F8045618C9} - C:\WINDOWS\SYSTEM\WINLI32.DLL (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.02.3000.1002\EN-XU\STMAIN.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ToPicks Starter] C:\Program Files\ToPicks\Bin\Idhost.exe
O4 - HKLM\..\Run: [IPFJ32.EXE] C:\WINDOWS\SYSTEM\IPFJ32.EXE
O4 - HKLM\..\Run: [WINLZ32.EXE] C:\WINDOWS\SYSTEM\WINLZ32.EXE
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [JAVAIG.EXE] C:\WINDOWS\JAVAIG.EXE
O4 - HKLM\..\RunServices: [SDKVT32.EXE] C:\WINDOWS\SDKVT32.EXE
O4 - HKLM\..\RunServices: [D3ES.EXE] C:\WINDOWS\D3ES.EXE
O4 - HKLM\..\RunServices: [NETSP32.EXE] C:\WINDOWS\NETSP32.EXE
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {95EEB189-0A0F-4513-B16B-B0C2E25C93EF} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {95EEB189-0A0F-4513-B16B-B0C2E25C93EF} - (no file) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by WebHancer
O12 - Plugin for .wmv: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .asx: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .wvx: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {714A4D48-8200-4B2B-B60D-E49E0AAF3D68} (WebIE Control) - http://www.internetp.../ctrl/WebIE.ocx
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comne...iveSekurity.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:...va/cfs31229.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net


Many thanks
Razor

Edited by Razor61, 20 April 2005 - 12:13 PM.

  • 0

Advertisements


#2
Razor61

Razor61

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Hmm, is my post invisible? :tazz:
Been waiting two days now for help, and have noticed others who have posted after me have had replies already.....

can anyone see this post? ;)
  • 0

#3
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Hi Razor61, I saw your hijacking the other topic I was working on :tazz:

We are short on helpers here and try to reply to logs as fast as we can, but we can only do so much. So please be patient with us if we don't get up to you. We do look at back pages to see which older logs are unanswered, but there is just too much sometimes.

So if you still don't get a reply, I guess you may bump your message after 2 days of no response (but don't bump it earlier than that - it's crowded enough here LOL).

No need to do that now though. I'm at it and have subscribed to this thread.

Since it's been a week old, I want you to run a new HijackThis scan and post that log here. I will get to it shortly.
  • 0

#4
Razor61

Razor61

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thanks for getting back to me GreyKnight, much appreciated! ;)

I have done what others have had to do, re: delete Iguard, virtual Maid etc.
I never had the 'maids' on my system but i did have Iguard and deleted that.
I also, before i came on to here deleted the wp.exe and wp.bmp.
I then went through the guidelines that others were told to do (cause i was fed with waiting ;) , reference: Killbox and Reg Lite.
The system was then restarted (manually) and i couldnt log back in due to it wanting the system diskette etc. So i turned the PC off and did a clean reboot and i managed to get back in, and...... my desktop settings tab has re-appeared and so i can now change my desktop settings which i couldnt before :)

So, i reckon i have got rid of most of the smitfraud, but my PC just isnt working how it should do.....so something still isnt right.

Anymore help in fixing what i should do.....is much appreciated....i'm a one for fiddling with my PC to see if i can do it myself, and it usually ends up being thrown out the window :tazz:

Here is the latest Hijack log:-

Logfile of HijackThis v1.99.1
Scan saved at 15:47:33, on 28/04/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\AOL 8.0\WAOL.EXE
C:\PROGRAM FILES\AOL 8.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\cehja.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Class - {E04CC740-6392-9599-BFA7-F8F8045618C9} - C:\WINDOWS\SYSTEM\WINLI32.DLL (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.02.3000.1002\EN-XU\STMAIN.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ToPicks Starter] C:\Program Files\ToPicks\Bin\Idhost.exe
O4 - HKLM\..\Run: [IPFJ32.EXE] C:\WINDOWS\SYSTEM\IPFJ32.EXE
O4 - HKLM\..\Run: [WINLZ32.EXE] C:\WINDOWS\SYSTEM\WINLZ32.EXE
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [JAVAIG.EXE] C:\WINDOWS\JAVAIG.EXE
O4 - HKLM\..\RunServices: [SDKVT32.EXE] C:\WINDOWS\SDKVT32.EXE
O4 - HKLM\..\RunServices: [D3ES.EXE] C:\WINDOWS\D3ES.EXE
O4 - HKLM\..\RunServices: [NETSP32.EXE] C:\WINDOWS\NETSP32.EXE
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {95EEB189-0A0F-4513-B16B-B0C2E25C93EF} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {95EEB189-0A0F-4513-B16B-B0C2E25C93EF} - (no file) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by WebHancer
O12 - Plugin for .wmv: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .asx: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .wvx: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {714A4D48-8200-4B2B-B60D-E49E0AAF3D68} (WebIE Control) - http://www.internetp.../ctrl/WebIE.ocx
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comne...iveSekurity.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:...va/cfs31229.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
  • 0

#5
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Let's fix the problem now.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download AboutBuster http://www.greyknigh...AboutBuster.zip and unzip it to a folder on your the Desktop. Run AboutBuster and click OK. Click Update and then Check For Update to see if there are any updates. Close the program now.

Download WinsockFix and unzip it. Then double-click on it to run it.

Reboot into Safe Mode by hitting the F8 key until menu shows up. In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

New.Net
Security iGuard
ToPicks
webHancer


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\cehja.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Class - {E04CC740-6392-9599-BFA7-F8F8045618C9} - C:\WINDOWS\SYSTEM\WINLI32.DLL (file missing)
O4 - HKLM\..\Run: [ToPicks Starter] C:\Program Files\ToPicks\Bin\Idhost.exe
O4 - HKLM\..\Run: [IPFJ32.EXE] C:\WINDOWS\SYSTEM\IPFJ32.EXE
O4 - HKLM\..\Run: [WINLZ32.EXE] C:\WINDOWS\SYSTEM\WINLZ32.EXE
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunServices: [JAVAIG.EXE] C:\WINDOWS\JAVAIG.EXE
O4 - HKLM\..\RunServices: [SDKVT32.EXE] C:\WINDOWS\SDKVT32.EXE
O4 - HKLM\..\RunServices: [D3ES.EXE] C:\WINDOWS\D3ES.EXE
O4 - HKLM\..\RunServices: [NETSP32.EXE] C:\WINDOWS\NETSP32.EXE
O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {95EEB189-0A0F-4513-B16B-B0C2E25C93EF} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {95EEB189-0A0F-4513-B16B-B0C2E25C93EF} - (no file) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {714A4D48-8200-4B2B-B60D-E49E0AAF3D68} (WebIE Control) - http://www.internetp.../ctrl/WebIE.ocx


Run AboutBuster and click OK. Click Start->OK and then follow the rest of the prompts to scan (choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. Save the log file and post it here.

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\system\cehja.dll
C:\WINDOWS\SYSTEM\WINLI32.DLL
C:\Program Files\ToPicks\
C:\WINDOWS\SYSTEM\IPFJ32.EXE
C:\WINDOWS\SYSTEM\WINLZ32.EXE
rundll32 C:\PROGRA~1\NEWDOT~1\
C:\Program Files\Security iGuard\
C:\WINDOWS\JAVAIG.EXE
C:\WINDOWS\SDKVT32.EXE
C:\WINDOWS\D3ES.EXE
C:\WINDOWS\NETSP32.EXE
C:\WP.EXE
c:\wp.bmp


Reboot into Normal Mode run a new HijackThis scan. Save the log file and post it here.
  • 0

#6
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP