[mstick]

Hi I have win2K and am infected with bagle.z and trojan-spy.html.smithfraud.c
I have run, adaware se, spybot S&D,CWShredder,Kaspersky,Trend Micro house call,TDS-3. I don't know what to do next.
Thanks Mark
tell what log to post next.

[Advertisements]

Need a HijackThis log if you need help.

Ron

[RKinner]

Need a HijackThis log if you need help.

Ron

[mstick]

Ron
I am trying to post my log, not sure if it made it. this messaging is new to me, not sure how to get directly to my thread?
any help would be great.
Thanks Mark

here is my log

Attached Files

•  hijackthis_4_22_05.txt   3.83KB   181 downloads

[mstick]

Sorry
I sent as attachment last time. here it is for sure.
also log of virus scan.


Logfile of HijackThis v1.99.1
Scan saved at 1:56:39 PM, on 4/22/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\Program Files\AntiViral Toolkit Pro\avpcc.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Program Files\AntiViral Toolkit Pro\avpcc.exe
D:\WINNT\system32\cdplayer.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\AntiViral Toolkit Pro\avpm.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\WINNT\system32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
C:\HjT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi1.ebay.com...geName=MerchMax
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi1.ebay.com...geName=MerchMax
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CreateCD50] D:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVPCC] D:\Program Files\AntiViral Toolkit Pro\avpcc.exe /wait
O4 - HKLM\..\Run: [DeluxeCD] D:\WINNT\system32\cdplayer.exe -tray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: AVP Monitor.lnk = D:\Program Files\AntiViral Toolkit Pro\avpm.exe
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O23 - Service: AVP Control Centre (AVPCC) - Kaspersky Labs. - D:\Program Files\AntiViral Toolkit Pro\avpcc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe



virus scan log

KAV Scan 04/20/2005 01:40:14 PM

Master Boot Record of HDD1 Entry #2 I/O error.
Master Boot Record of HDD1 Entry #2 I/O error.
C:\kaza folder\PowerDVD XP 4.0 Deluxe_swe.exe ZIP: unknown format.
C:\Downloads\3Com\3c905c-txm Hp 6470Z\3c90x1.exe LHA: unknown format.
C:\Downloads\3Com\3c905c-txm Hp 6470Z\3c90x1.exe LHA: unknown format.
D:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\UPHEBALW\Antibagle-de-Z[1].exe corrupted.
D:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{01A4086A-F087-4C4C-8CE9-2556A0911A28}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected],][Date Mon, 31 Jan 2005 18:27:51 +0300]/html detected: Trojan-Spy.HTML.Smitfraud.c
D:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{01A4086A-F087-4C4C-8CE9-2556A0911A28}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected],][Date Mon, 31 Jan 2005 18:27:51 +0300]/html disinfection failed: Trojan-Spy.HTML.Smitfraud.c
D:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{01A4086A-F087-4C4C-8CE9-2556A0911A28}\Microsoft\Outlook Express\Deleted Items.dbx disinfection failed: Trojan-Spy.HTML.Smitfraud.c
D:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{01A4086A-F087-4C4C-8CE9-2556A0911A28}\Microsoft\Outlook Express\Inbox.dbx/[From "WINTERS" <[email protected]>][Date Fri, 30 Apr 2004 10:55:51 -0600]/UNNAMED/Readme.exe detected: Email-Worm.Win32.Bagle.z
D:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{01A4086A-F087-4C4C-8CE9-2556A0911A28}\Microsoft\Outlook Express\Inbox.dbx/[From "WINTERS" <[email protected]>][Date Fri, 30 Apr 2004 10:55:51 -0600]/UNNAMED/Readme.exe disinfection failed: Email-Worm.Win32.Bagle.z
D:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{01A4086A-F087-4C4C-8CE9-2556A0911A28}\Microsoft\Outlook Express\Inbox.dbx/[From "WINTERS" <[email protected]>][Date Fri, 30 Apr 2004 10:55:51 -0600]/UNNAMED disinfection failed: Email-Worm.Win32.Bagle.z
D:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{01A4086A-F087-4C4C-8CE9-2556A0911A28}\Microsoft\Outlook Express\Inbox.dbx disinfection failed: Email-Worm.Win32.Bagle.z
D:\Program Files\AntiViral Toolkit Pro\Infected\Deleted Items.dbx/[From [email protected],][Date Mon, 31 Jan 2005 18:27:51 +0300]/html detected: Trojan-Spy.HTML.Smitfraud.c
D:\Program Files\AntiViral Toolkit Pro\Infected\Deleted Items.dbx/[From [email protected],][Date Mon, 31 Jan 2005 18:27:51 +0300]/html disinfection failed: Trojan-Spy.HTML.Smitfraud.c
D:\Program Files\AntiViral Toolkit Pro\Infected\Deleted Items.dbx disinfection failed: Trojan-Spy.HTML.Smitfraud.c
D:\Program Files\AntiViral Toolkit Pro\Infected\Inbox.dbx/[From "WINTERS" <[email protected]>][Date Fri, 30 Apr 2004 10:55:51 -0600]/UNNAMED/Readme.exe detected: Email-Worm.Win32.Bagle.z
D:\Program Files\AntiViral Toolkit Pro\Infected\Inbox.dbx/[From "WINTERS" <[email protected]>][Date Fri, 30 Apr 2004 10:55:51 -0600]/UNNAMED/Readme.exe disinfection failed: Email-Worm.Win32.Bagle.z
D:\Program Files\AntiViral Toolkit Pro\Infected\Inbox.dbx/[From "WINTERS" <[email protected]>][Date Fri, 30 Apr 2004 10:55:51 -0600]/UNNAMED disinfection failed: Email-Worm.Win32.Bagle.z
D:\Program Files\AntiViral Toolkit Pro\Infected\Inbox.dbx disinfection failed: Email-Worm.Win32.Bagle.z

Scan process complete.

Wednesday, April 20, 2005 1:40 PM
Wednesday, April 20, 2005 1:40 PM Antiviral Toolkit Pro started:
______________________________________________________________________

Scanned

Sector Objects : 5
Files : 58286
Folders : 1417
Archives : 2360
Packed : 252

Found

Viruses : 2
Virus bodies : 4
Disinfected : 0
Deleted : 0
Warnings : 0
Suspicious : 0
Corrupted : 1
I/O Errors : 2

Scan speed (Kb/sec) : 2455
Scan time : 24:55
______________________________________________________________________

Wednesday, April 20, 2005 2:05 PM Antiviral Toolkit Pro finished:

[RKinner]

Sorry about the misunderstanding. I did not see your attachment. Actually didn't even know this forum could do attachments. Only been on it a few days and still feeling my way around. Don't worry tho. I am a veteran of the spyware wars - just new to this forum.

Your log looks clean. The infections your other software reports are scattered around in various places and none are active. A lot of them are in your AntiViral Toolkit Pro's quarantine folder which it calls

D:\Program Files\AntiViral Toolkit Pro\Infected\Inbox.dbx

These can not be cleaned because ATP won't let anybody touch them. I'm sure there is a way to tell ATP that the files should be deleted. Can't tell you how because I have never used ATP but Norton does the same thing.

Others are in your Microsoft Outlook Express Deleted Items folder. Just empty the Deleted Items box and they should go away. While in Outlook Express be sure a delete any letters in your Inbox from Winters or Smith.Barney without opening or previewing them. They are spam/viruses. Empty your Deleted Items again.


Finally you have one item in your Internet Temp files that is infected. Quickest way to make sure it is gone is to just clean your Temp files. I like to use ccleaner from http://ccleaner.com. Install and run it and on the first page just uncheck everything but the two lines that have Temporary in them and then Run Cleaner. That's all you need. The rest of the stuff in ccleaner isn't really needed unless you are paranoid or have been visiting sites you don't want your significant other to know about.

Ron

[RKinner]

Forgot to ask. Does your desktop look OK? The Smitfraud puts up a fake message on the desktop and removes the ability to change the wallpaper to get rid of it.

Ron

[mstick]

thanks Ron,
I canot delete the files in outlook, as soon as I try virus alert pops up and access is denied there also, maybe if I turn off the Kaspersky monitor It would let me delete them. Would be nice to get rid of them so when I run a scan it would come back clean and not infected. As for the mail, I haven't a clue who sent me the virus don't know them.
thanks for the quick response and if you have any Idea on how to remove. I would love it, and thanks for fighting the battle you are the only one I have seen that even knows about SMITHFRAUD.C
Thanks Mark

[mstick]

Ron,
My desktop seems to be fine. I must have blasted this thing as soon as I got it, just would feel better knowing that it is gone completley.
Mark

[jnigelt]

to ron
"Forgot to ask. Does your desktop look OK? The Smitfraud puts up a fake message on the desktop and removes the ability to change the wallpaper to get rid of it.

Ron"

ron - how do you get rid of the message on the desktop & get the display function back?

[RKinner]

Start, Run, regedit, OK to bring up the regedit program.

find HKey_Current_User->Software ->Microsoft->Windows->CurrentVersion>policies (Hit the + sign in front of each Key as you find them. That will open up the subkeys.)

Under Policies is usually an entry named System. If you find it highlight it and press the Delete key. Then OK. Close the program and reboot.

Start, Control Panel, Display (Properties). This should bring up Display Properties/Background. Change the wallpaper to something else and Apply. You may also need to select Web and uncheck the box where it says View My Active Desktop as a web page. OK


Ron

[mstick]

Ron
do you know how to delete the deleted items in my mailbox in outlookexpress, my desktop is fine
Thanks Mark

[RKinner]

I think you would have to turn off your antivirus to do that.

On my way out the door. Will look into it next week.

Ron