Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

trojan-spy.html.smitfraud.c

Started by Alex K , Apr 23 2005 06:36 PM

  • Please log in to reply

#16
don77
Posted 09 May 2005 - 06:22 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Sorry about that Alex my bad,

Please open notpad and copy the following to notepad and save as files to delete,

C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\WINDOWS\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe


Then follow the rest of the instructions above please
  • 0

Advertisements

#17
Alex K
Posted 16 May 2005 - 04:16 AM

Alex K

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi there,

I downloaded killbox, pasted the given file paths into it , deleted them, ran the shredder...

so far so good. What am I suppose to do now? I'm glad everything worked out this time. Unfortunately I still can't download certain programs, I could download the 'cleaner' but could NOT download "spybot" for example. So where do I go from here? Shall I try to download from a different computer and save to disk or is it possible to tackle the problem from my own?

My wall paper is still gone, the back ground is just black and I still can't seem to set up a wall paper, ist that normal? ( I'm asking because "missing wallpaper causes psychological damage" :tazz: )

Thanks man.
  • 0

#18
don77
Posted 16 May 2005 - 05:05 AM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Post back a fresh HJT log please,

See if you can download silent runners.

Please click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

If you can't download from your computer could you download it onto a floppy from another computer
  • 0

#19
Alex K
Posted 16 May 2005 - 06:24 PM

Alex K

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi Don,

worked out great, thanks. Here is the log:




"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Windows Registry Repair Pro" = "C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4" ["3B Software, Inc."]
"Windows Service Drivers" = "mswin32.exe" [null data]
"Compaq Service Drivrs" = "copq.exe" [null data]
"Compd Service Drivrs" = "codq.exe" [null data]
"ssgrate.exe" = "C:\WINDOWS\System32\system.exe" [null data]
"WindowsFY" = "C:\!Submit\wp.exe" [null data]
"Windows Processe Manager" = "mspn32.exe" [null data]
"gcasServ" = "gcasServ.exe" [file not found]
"f00pRXKti" = "tibbk32.exe" [null data]
"E6TaskPanel" = ""C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart" ["EarthLink, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"NetOnHold" = "C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe" ["Thought Communications, Inc."]
"SMSERIAL" = "sm56hlpr.exe" ["Motorola Inc."]
"Local Security Authority Service" = "C:\WINDOWS\System32\Isass.exe" [null data]
"Windows Service Drivers" = "mswin32.exe" [null data]
"Compaq Service Drivrs" = "copq.exe" [null data]
"Outpost Firewall" = "C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe /waitservice" ["Agnitum"]
"Compd Service Drivrs" = "codq.exe" [null data]
"FastStart" = "C:\WINDOWS\system32\svcnut.exe home" [null data]
"Windows Processe Manager" = "mspn32.exe" [null data]
"find" = "C:\WINDOWS\System32\find.exe" [MS]
"System CSRSS Patch" = "scrtkfg.exe" [null data]
"gcasServ" = "gcasServ.exe" [file not found]
"AutoLoaderuw0J1JbfdOLa" = ""C:\WINDOWS\System32\typptdlg.exe" " [file not found]
"u3rf37e" = "typptdlg.exe" [file not found]
"WinTools" = "C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{4B5F2E08-6F39-479a-B547-B2026E4C7EDF}\(Default) = "EarthLink Popup Blocker"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\EarthLink TotalAccess\PnEL.dll" ["EarthLink, Inc."]
{87766247-311C-43B4-8499-3D5FEC94A183}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll" [null data]
{8DA5457F-A8AA-4CCF-A842-70E6FD274094}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\soa800.dll" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Explode"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\olkfstub.dll" [MS]
"{D3796116-94D3-4009-96D7-51578411CC7D}" = "Outpost Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Agnitum\OUTPOS~1.0\oshdlr.dll" ["Agnitum Ltd."]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\wp.bmp"


Startup items in "jay" & "All Users" startup folders:
-----------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Office Startup" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA.EXE -b" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
wps.dll ["Sygate Technologies, Inc."], 01 - 15, 31
%SystemRoot%\system32\mswsock.dll [MS], 16 - 18, 21 - 30
%SystemRoot%\system32\rsvpsp.dll [MS], 19 - 20


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{339BB23F-A864-48C0-A59F-29EA915965EC}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Toolbar\toolbar.dll" [file not found]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{D7F30B62-8269-41AF-9539-B2697FA7D77E}"
-> {CLSID}\(Default) = "EarthLink Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\EarthLink TotalAccess\PnEL.dll" ["EarthLink, Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{D7F30B62-8269-41AF-9539-B2697FA7D77E}"
-> {CLSID}\(Default) = "EarthLink Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\EarthLink TotalAccess\PnEL.dll" ["EarthLink, Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{32A5FA41-6C30-4DAC-876A-A41FF2FCC832}\
"ButtonText" = "Microsoft AntiSpyware helper"
"MenuText" = "Microsoft AntiSpyware helper"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

WinTools for IE service, WinToolsSvc, "C:\Program Files\Common Files\WinTools\WToolsS.exe" [null data]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
  • 0

#20
don77
Posted 16 May 2005 - 08:39 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Are you able to post a HJT log ?
That would be very helpful,
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP