Trojan-Spy.HTML.smitfraud.c (resolved)

This topic is locked

#16 Guest_usetobe_* (Guest)
Hi Again,

Have you installed SP2?

The HJT logs have now changed from SP1 on 5th June to SP2 on 7th June.

Please uninstall SP2 and DO NOT install any other updates/programs unless instructed to do so.

Once you have uninstalled SP2 please carry out and submit a new HJT scan

#17 jzjzjzt (Topic Starter, Member, 13 posts)
Sorry, I must have downloaded it thinking it was a normal windows security update.

Have uninstalled, and here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 16:17:33, on 07/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Notebook Manager\almxptray.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\OpenOffice.org1.1.0\program\soffice.exe
F:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmail.ox.ac.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [LaunchApp] LaunApp
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AcerNotebookManager] C:\Program Files\Acer\Notebook Manager\almxptray.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - Startup: OpenOffice.org 1.1.0.lnk = C:\Program Files\OpenOffice.org1.1.0\program\quickstart.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akama...iTunesSetup.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1408.g.akama...iTunesSetup.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB909F2F-F124-45A3-9922-A396C51CE058}: Domain = ox.ac.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB909F2F-F124-45A3-9922-A396C51CE058}: NameServer = 163.1.2.1,129.67.1.180,129.67.1.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = balliol.ox.ac.uk,ox.ac.uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = balliol.ox.ac.uk,ox.ac.uk
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS

Also, here's my panda activescan results from this morning:


Incident Status Location

Adware:Adware/CWS No disinfected C:\Documents and Settings\Tom Douglas\Favorites\Online Pharmacy
Adware:Adware/IGuard No disinfected Windows Registry
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Tom Douglas\Favorites\Home Loan.url
Adware:Adware/Virmaid No disinfected Windows Registry
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Tom Douglas\Favorites\Insurance\Boat Insurance.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\All Users\Start Menu\Online Casino.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Tom Douglas\Favorites\Insurance\Term Life Insurance.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Tom Douglas\Favorites\Insurance\Boat Insurance.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Tom Douglas\Favorites\Insurance\Dental Insurance.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Tom Douglas\Favorites\Insurance\Workers Compensation.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Tom Douglas\Favorites\Need Money.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Tom Douglas\Favorites\Home Loan.url

Thanks
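The kind of check a helper does by eye on a log like the one above, written up as an added Python example; it is not part of this thread and not HijackThis code. The sample log lines are constructed in the HijackThis v1.99 format (with a placeholder GUID), and the "bare filename" heuristic is my own triage rule, not something HJT reports.

```python
import re

# Constructed sample in HijackThis v1.99 line format, modelled on the kinds of
# entries seen in the log above (not a copy of it).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [LaunchApp] LaunApp
O4 - HKLM\\..\\Run: [HotKeysCmds] C:\\WINDOWS\\System32\\hkcmd.exe
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [AGRSMMSG] AGRSMMSG.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{GUID-PLACEHOLDER}: NameServer = 163.1.2.1,129.67.1.180
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\\WINDOWS\\System32\\gearsec.exe
"""

# O4 Run entries: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O17 entries that set DNS servers: review these against the expected provider.
O17_RE = re.compile(r'^O17 - .*?: NameServer = (?P<servers>.*)$')

def parse_o4(line):
    """Return {'name', 'exe', 'cmd'} for an O4 Run line, or None for other lines."""
    m = O4_RE.match(line)
    if not m:
        return None
    cmd = m.group('cmd').strip()
    if cmd.startswith('"'):
        exe = cmd[1:cmd.index('"', 1)]      # quoted path, may contain spaces
    else:
        exe = cmd.split(' ')[0]             # first token; unquoted paths with spaces are cut short
    return {'name': m.group('name'), 'exe': exe, 'cmd': cmd}

def has_full_path(exe):
    # Triage heuristic (mine, not HJT's): a Run value naming a bare file such as
    # "AGRSMMSG.exe" or "LaunApp" is resolved by path search at logon, so it should
    # be located and inspected rather than assumed to be the vendor's binary.
    return re.match(r'^[A-Za-z]:\\', exe) is not None

def triage(log_text):
    """Collect Run entries without an absolute path and all O17 name servers."""
    bare, nameservers = [], []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry and not has_full_path(entry['exe']):
            bare.append(entry['name'])
        m = O17_RE.match(line)
        if m:
            nameservers.extend(s.strip() for s in m.group('servers').split(','))
    return {'bare_run_entries': bare, 'nameservers': nameservers}

if __name__ == '__main__':
    print(triage(SAMPLE_LOG))
```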

#18 Guest_usetobe_* (Guest)
Hi JZ,

Looking at your log, it appears that your infection has gone. There are a few tweaks that we can still do that would speed up boot-up time, by disabling several programs that can all be accessed via Start/Programs. Let me know if you want them.

We will, however, clear out those dubious entries in your favourites.

Ensure the PC is set to show hidden files. Using Windows Explorer, navigate to the folder

C:\Documents and Settings\Tom Douglas\Favorites\

Delete all of the following:

Online Pharmacy
Home Loan.url
Boat Insurance.url
Online Casino.url
Insurance\Term Life Insurance.url
Insurance\Boat Insurance.url
Insurance\Dental Insurance.url
Insurance\Workers Compensation.url
Need Money.url
Home Loan.url


Let me know if you have any other issues

#19 jzjzjzt (Topic Starter, Member, 13 posts)
Hi usetobe,

Great. Have deleted those files (except two which I couldn't find) plus a whole lot of other crap that had got into my favourites.

Yes, I would be keen to do those tweaks.

Also, is it a problem to have ewido, Ad-Aware, Spybot and Sophos on my machine all at once?

Thanks,

jzjzjzt

#20 Guest_usetobe_* (Guest)
Hi Again,

Here are the tweaks: things to check in HJT.

Reboot into safe mode, rescan with HJT, check following entries:

O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe" <--Related to the Wacom Penabled driver on Acer Tablet PCs. Appears to do nothing

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime <<--System Tray access to Apple's "Quick Time" viewer from version 5 onwards

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe <<--Loads the System Tray icon for the WinAmp media player. Can be used to maintain file associations so programs like QuickTime and RealPlayer don't take over as default player for various media types. Available via Start -> Programs

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot <<--Application Scheduler installed along with RealOne Player. Runs independently of RealOne Player, to remind AutoUpdate and Message Center to perform their tasks at pre-scheduled intervals. If it can't be disabled try deleting or renaming realsched.exe and then delete the entry in the registry

Ensure no windows are open except HJT and click "Fix checked".

It's no problem running anti-spyware programs simultaneously; just don't run two antivirus programs or two firewalls together.

After you have decided on the optional items above...
From your log, I see nothing in the way of trojans, nor any evil entities attempting to possess your computer, except for Windows, but it's too late for that one. :tazz:

Congratulations your log now appears to be clean. ;)

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must-have.
  • Firewall <= A firewall is definitely a must-have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox; however, Opera and SlimBrowser are good as well.
And also see TonyKlein's good advice, "So how did I get infected in the first place?", and AntiSpyware Net's spyware article: "Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it."

#21 jzjzjzt (Topic Starter, Member, 13 posts)
Hi usetobe,

Thanks very much for all of your help. This is a brilliant service.

jzjzjzt

#22 Guest_usetobe_* (Guest)
Hi Jz,

You're welcome; happy to be of assistance to you. Hopefully we won't see you again, but you know where we are if you need us.

As this topic is resolved it will be closed.