Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

trojan-spy.html.smitfraud.c


  • Please log in to reply

#16
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Sorry about that Alex my bad,

Please open notpad and copy the following to notepad and save as files to delete,

C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\WINDOWS\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe


Then follow the rest of the instructions above please
  • 0

Advertisements


#17
Alex K

Alex K

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi there,

I downloaded killbox, pasted the given file paths into it , deleted them, ran the shredder...

so far so good. What am I suppose to do now? I'm glad everything worked out this time. Unfortunately I still can't download certain programs, I could download the 'cleaner' but could NOT download "spybot" for example. So where do I go from here? Shall I try to download from a different computer and save to disk or is it possible to tackle the problem from my own?

My wall paper is still gone, the back ground is just black and I still can't seem to set up a wall paper, ist that normal? ( I'm asking because "missing wallpaper causes psychological damage" :tazz: )

Thanks man.
  • 0

#18
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Post back a fresh HJT log please,

See if you can download silent runners.

Please click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

If you can't download from your computer could you download it onto a floppy from another computer
  • 0

#19
Alex K

Alex K

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi Don,

worked out great, thanks. Here is the log:




"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Windows Registry Repair Pro" = "C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4" ["3B Software, Inc."]
"Windows Service Drivers" = "mswin32.exe" [null data]
"Compaq Service Drivrs" = "copq.exe" [null data]
"Compd Service Drivrs" = "codq.exe" [null data]
"ssgrate.exe" = "C:\WINDOWS\System32\system.exe" [null data]
"WindowsFY" = "C:\!Submit\wp.exe" [null data]
"Windows Processe Manager" = "mspn32.exe" [null data]
"gcasServ" = "gcasServ.exe" [file not found]
"f00pRXKti" = "tibbk32.exe" [null data]
"E6TaskPanel" = ""C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart" ["EarthLink, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"NetOnHold" = "C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe" ["Thought Communications, Inc."]
"SMSERIAL" = "sm56hlpr.exe" ["Motorola Inc."]
"Local Security Authority Service" = "C:\WINDOWS\System32\Isass.exe" [null data]
"Windows Service Drivers" = "mswin32.exe" [null data]
"Compaq Service Drivrs" = "copq.exe" [null data]
"Outpost Firewall" = "C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe /waitservice" ["Agnitum"]
"Compd Service Drivrs" = "codq.exe" [null data]
"FastStart" = "C:\WINDOWS\system32\svcnut.exe home" [null data]
"Windows Processe Manager" = "mspn32.exe" [null data]
"find" = "C:\WINDOWS\System32\find.exe" [MS]
"System CSRSS Patch" = "scrtkfg.exe" [null data]
"gcasServ" = "gcasServ.exe" [file not found]
"AutoLoaderuw0J1JbfdOLa" = ""C:\WINDOWS\System32\typptdlg.exe" " [file not found]
"u3rf37e" = "typptdlg.exe" [file not found]
"WinTools" = "C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{4B5F2E08-6F39-479a-B547-B2026E4C7EDF}\(Default) = "EarthLink Popup Blocker"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\EarthLink TotalAccess\PnEL.dll" ["EarthLink, Inc."]
{87766247-311C-43B4-8499-3D5FEC94A183}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll" [null data]
{8DA5457F-A8AA-4CCF-A842-70E6FD274094}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\soa800.dll" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Explode"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\olkfstub.dll" [MS]
"{D3796116-94D3-4009-96D7-51578411CC7D}" = "Outpost Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Agnitum\OUTPOS~1.0\oshdlr.dll" ["Agnitum Ltd."]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\wp.bmp"


Startup items in "jay" & "All Users" startup folders:
-----------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Office Startup" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA.EXE -b" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
wps.dll ["Sygate Technologies, Inc."], 01 - 15, 31
%SystemRoot%\system32\mswsock.dll [MS], 16 - 18, 21 - 30
%SystemRoot%\system32\rsvpsp.dll [MS], 19 - 20


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{339BB23F-A864-48C0-A59F-29EA915965EC}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Toolbar\toolbar.dll" [file not found]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{D7F30B62-8269-41AF-9539-B2697FA7D77E}"
-> {CLSID}\(Default) = "EarthLink Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\EarthLink TotalAccess\PnEL.dll" ["EarthLink, Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{D7F30B62-8269-41AF-9539-B2697FA7D77E}"
-> {CLSID}\(Default) = "EarthLink Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\EarthLink TotalAccess\PnEL.dll" ["EarthLink, Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{32A5FA41-6C30-4DAC-876A-A41FF2FCC832}\
"ButtonText" = "Microsoft AntiSpyware helper"
"MenuText" = "Microsoft AntiSpyware helper"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

WinTools for IE service, WinToolsSvc, "C:\Program Files\Common Files\WinTools\WToolsS.exe" [null data]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
  • 0

#20
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Are you able to post a HJT log ?
That would be very helpful,
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP