trojan-spy.html.smitfraud.c Help [CLOSED]


#1
nathan1314 (New Member, 4 posts)

I followed the instructions ron was explaining in this thread http://www.geekstogo...tml.smitfraud.c

If you can help, I have deleted the wp.exe and cleaned the registry.

I downloaded and ran the AutoStart Viewer.

DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for marie@MARIE01, 04-25-2005
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
C:\PVSW\BIN\BTRDRVR.SYS
c:\windows\system.ini [drivers]
timer=timer.drv
c:\windows\system.ini [boot]\shell
Explorer.exe C:\WINDOWS\Nail.exe
c:\windows\system.ini [boot]\scrnsave.exe
C:\WINDOWS\System32\sstext3d.scr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Explorer.exe C:\WINDOWS\Nail.exe
HKCU\Control Panel\Desktop\scrnsave.exe
C:\WINDOWS\System32\sstext3d.scr
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SiS Windows KeyHook
C:\WINDOWS\System32\keyhook.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HTpatch
C:\WINDOWS\htpatch.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroCheck
C:\WINDOWS\system32\NeroCheck.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Realtime Monitor
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\siService.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\gcasServ
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS
C:\Program Files\Messenger\msmsgs.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsFY
c:\wp.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Woxw
C:\WINDOWS\System32\l?gonui.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Media Card Companion Monitor.lnk
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
C:\Program Files\Microsoft Office\Office\OSA9.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Pervasive.SQL Workstation Engine.lnk
C:\PVSW\Bin\W3DBSMGR.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TrackerCL WS.lnk
C:\Tracker\TrackerCLWS\TrackerCLWS.exe
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
C:\WINDOWS\inf\unregmp2.exe /ShowWMP
HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\{306D6C21-C1B6-4629-986C-E59E1875B8AF}\
C:\WINDOWS\System32\rundll32.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
%ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser
HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub
HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
%ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
regsvr32.exe /s /n /i:U shell32.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
C:\WINDOWS\system32\ie4uinit.exe
HKLM\System\CurrentControlSet\Services\AFD\
C:\WINDOWS\System32\drivers\afd.sys
HKLM\System\CurrentControlSet\Services\AudioSrv\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Brother XP spl Service\
C:\WINDOWS\System32\brsvc01a.exe
HKLM\System\CurrentControlSet\Services\Browser\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\CryptSvc\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\DCFS2K\
C:\WINDOWS\system32\drivers\dcfs2k.sys
HKLM\System\CurrentControlSet\Services\Dcfssvc\
C:\WINDOWS\system32\drivers\dcfssvc.exe
HKLM\System\CurrentControlSet\Services\Dhcp\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\dmserver\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Dnscache\
C:\WINDOWS\System32\svchost.exe -k NetworkService
HKLM\System\CurrentControlSet\Services\ERSvc\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Eventlog\
C:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\helpsvc\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\InoRPC\
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
HKLM\System\CurrentControlSet\Services\InoRT\
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
HKLM\System\CurrentControlSet\Services\InoTask\
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
HKLM\System\CurrentControlSet\Services\INO_FLTR\
\??\C:\WINDOWS\System32\Drivers\ino_fltr.sys
HKLM\System\CurrentControlSet\Services\K56\
C:\WINDOWS\System32\DRIVERS\HSF_K56K.sys
HKLM\System\CurrentControlSet\Services\lanmanserver\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\lanmanworkstation\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\LmHosts\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\LogWatch\
C:\WINDOWS\LogWatNT.exe
HKLM\System\CurrentControlSet\Services\Messenger\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Netlogon\
C:\WINDOWS\System32\lsass.exe
HKLM\System\CurrentControlSet\Services\PlugPlay\
C:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\PolicyAgent\
C:\WINDOWS\System32\lsass.exe
HKLM\System\CurrentControlSet\Services\ProtectedStorage\
C:\WINDOWS\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\RemoteRegistry\
C:\WINDOWS\system32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\RpcSs\
C:\WINDOWS\system32\svchost -k rpcss
HKLM\System\CurrentControlSet\Services\SamSs\
C:\WINDOWS\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\Schedule\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\seclogon\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\SENS\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\ShellHWDetection\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\SoundMAX Agent Service (default)\
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
HKLM\System\CurrentControlSet\Services\Spooler\
C:\WINDOWS\system32\spoolsv.exe
HKLM\System\CurrentControlSet\Services\srservice\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Themes\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Tones\
C:\WINDOWS\System32\DRIVERS\HSF_TONE.sys
HKLM\System\CurrentControlSet\Services\TrkWks\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\UMWdf\
C:\WINDOWS\System32\wdfmgr.exe
HKLM\System\CurrentControlSet\Services\uploadmgr\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\W32Time\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WebClient\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\winmgmt\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\wuauserv\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WZCSVC\
C:\WINDOWS\System32\svchost.exe -k netsvcs
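As an added example that is not part of the post, the following Python triages a report in the DiamondCS Autostart Viewer layout shown above (a launch point line followed by the command line(s) under it) and flags the three patterns visible in it: a Winlogon or system.ini shell value that is more than Explorer.exe, a Run entry launching from the drive root, and a Run entry whose file name contains a character the viewer could not print. The sample report is a constructed excerpt of the entries above.

```python
import re

# Constructed excerpt in DiamondCS Autostart Viewer layout (launch point line, then
# the command line(s) under it), mirroring entries from the report above.
SAMPLE_REPORT = r"""
c:\windows\system.ini [boot]\shell
Explorer.exe C:\WINDOWS\Nail.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Explorer.exe C:\WINDOWS\Nail.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsFY
c:\wp.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Woxw
C:\WINDOWS\System32\l?gonui.exe
"""

# A launch point line is a registry path, an .ini section, or a Startup folder .lnk.
KEY_LINE = re.compile(r"^(HK(LM|CU|CR|U)\\|[a-z]:\\.*\.ini \[|.*\.lnk$)", re.I)

def parse_report(text):
    """Pair every launch point with each command line listed under it."""
    entries, point = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if KEY_LINE.match(line):
            point = line
        elif point is not None:
            entries.append((point, line))
    return entries

def first_path(command):
    # Program path from a command line, whether quoted or bare.
    m = re.match(r'"([^"]+)"|(\S+)', command.strip())
    return (m.group(1) or m.group(2)) if m else command

def triage(text):
    """Return (launch point, command, reason) for entries that deserve a closer look."""
    findings = []
    for point, cmd in parse_report(text):
        lp = point.lower()
        if lp.endswith(("\\winlogon\\shell", "[boot]\\shell")):
            # Shell should be exactly Explorer.exe; anything appended (Nail.exe) runs at every logon.
            if cmd.strip().lower() != "explorer.exe":
                findings.append((point, cmd, "shell value is not just Explorer.exe"))
        elif "\\currentversion\\run" in lp:
            path = first_path(cmd)
            name = path.rsplit("\\", 1)[-1]
            if re.fullmatch(r"[a-z]:\\[^\\]+", path, re.I):
                findings.append((point, cmd, "program runs from the drive root"))
            elif "?" in name or not name.isascii():
                # '?' is illegal in a Windows file name: the viewer printed a placeholder for a non-ASCII lookalike.
                findings.append((point, cmd, "placeholder/non-ASCII character in file name"))
    return findings
```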


#2
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro http://uk.trendmicro...call_launch.php. Just follow the instructions on the site to run the online scan. If any viruses/trojans are detected, try to delete or clean them in that site. You may use Panda ActiveScan also at http://www.pandasoft...ucts/activescan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Please read this thread and give us a HijackThis log.

#3
nathan1314 (Topic Starter, New Member, 4 posts)

But is it possible to gain back access to the desktop options? They work in Safe Mode but not in Normal Mode.

The computer is at my work, so I need to run the hj tomorrow.

#4
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

What do you mean? You mean the Display Settings when you right click on your Desktop and go to Properties?

Can you see icons on your desktop? We always want HijackThis to be run in Normal Mode if possible. If you can't, tell us the problem you are having and we'll try fixing that up first.

#5
nathan1314 (Topic Starter, New Member, 4 posts)

With this virus, it takes away the options to change the background. I have removed the virus, but I have yet to see anyone figure out how to get all the options back when you right click on the desktop and pick Properties.

Like I said, I'm not in front of the computer right now until tomorrow (work), but I have searched all over the net about this virus and no one has figured out or explained how to restore all the options in the Properties.

I just thought maybe someone knows, but I will run all the programs and get a hj report for tomorrow.

#6
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

I'm not sure if you ran this fix here, but see if this will bring back those tabs:

Right click on http://www.greyknigh...pairDesktop.reg and download that file. Double click on it and click on Yes when it asks you if you want to merge it into the registry. Once that's done, restart your computer.

Login as usual and now right click on your Desktop and go to Properties. Next go to Desktop tab->Customize Desktop button->Web tab. Uncheck everything listed there. Then delete all the entries listed except for 'My Current Home Page'. Click OK and OK.

Post me a followup on this tomorrow when you have time to run this through. Make sure to post the HijackThis log also.
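As an added example (not the RepairDesktop.reg linked in the post, whose contents are not shown here), the following Python parses a constructed .reg file in Registry Editor syntax and reports which of the per-user policy values that hide Display Properties tabs or lock the wallpaper it clears, leaves enabled, or does not touch. The value names are the standard Windows policy values and are assumed here rather than taken from the post; the sample deliberately leaves one restriction enabled so the audit has something to catch.

```python
import re

# Per-user policy values that hide Display Properties tabs or lock the wallpaper
# (standard Windows policy names, assumed here; a value of 1 enables the restriction).
POLICY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
MISSING = object()  # sentinel for "the .reg file does not mention this value"
RESTRICTIONS = {
    (POLICY + r"\System", "NoDispBackgroundPage"): "Desktop tab hidden",
    (POLICY + r"\System", "NoDispAppearancePage"): "Appearance tab hidden",
    (POLICY + r"\System", "NoDispScrSavPage"): "Screen Saver tab hidden",
    (POLICY + r"\System", "NoDispSettingsPage"): "Settings tab hidden",
    (POLICY + r"\ActiveDesktop", "NoChangingWallPaper"): "wallpaper change blocked",
    (POLICY + r"\Explorer", "NoActiveDesktopChanges"): "Active Desktop locked",
}

# Constructed sample in Registry Editor syntax (not the RepairDesktop.reg from the
# post): it clears the four tab restrictions but leaves the wallpaper lock enabled.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoDispScrSavPage"=-
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000001
"""

def parse_reg(text):
    """Map (key, value name) -> int for dword values, None when the line deletes the value."""
    values, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|(-))$', line)
            if m:
                values[(key, m.group(1))] = None if m.group(3) else int(m.group(2), 16)
    return values

def audit(values):
    """State of each known restriction after the merge: cleared, enabled or untouched."""
    lookup = {(k.lower(), n.lower()): v for (k, n), v in values.items()}
    report = {}
    for (key, name), effect in RESTRICTIONS.items():
        v = lookup.get((key.lower(), name.lower()), MISSING)
        report[effect] = "untouched" if v is MISSING else "cleared" if v in (None, 0) else "enabled"
    return report
```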

#7
al4444 (Member, 27 posts)

greyknight17 - I ran into the same virus. I managed to rid the desktop of the wording put there and the blue background; however, like nathan, when I right click my desktop and click Properties, only 2 tabs show: Screen Saver and Settings. I couldn't get your link for Repair Desktop to work. I use Netscape 7.1. Could you check that link and repost it?
Thank you............al

#8
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Hi al4444 and welcome to GTG.

Please post in your own topic since this one is for nathan. I would be glad to help you out if you want. Sometimes it's not just the background that's the problem, there's also other junk that should be removed. So I recommend that you give us a log also.

If you want me to take a look at it, then you may PM me a link to your thread and I will take a look at it and work with you on that.

The link is perfectly OK, you just need to read the directions carefully. I assume you just clicked on the link? Don't do that, since some users may have their browser/system set to open up the file instead of downloading it. So right click on that link instead and then choose Save As. That should work. Follow the rest of the instructions there.

I still say that you should give us a HijackThis log for review. Why leave any junk behind and give it a chance to wreak havoc when we can help you clean it out for free?

#9
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with the address of this thread. This applies only to the original topic starter. Everyone else, please begin a New Topic.