Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

smitfraud.c virus and possibly other malware?[CLOSED]


  • This topic is locked This topic is locked

#1
Sudhama

Sudhama

    New Member

  • Member
  • Pip
  • 4 posts
Symptoms include slowed performance, the reseting of my homepage, pop-ups, and the reseting of my background to their crappy blue .bmp image.

Logfile of HijackThis v1.99.1
Scan saved at 3:47:05 PM, on 5/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\System32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\windows\System32\cmd32.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Documents and Settings\Quentin Taminhart\Desktop\FreeRAM XP Pro 1.40.exe
C:\WINDOWS\System32\oodag.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\windows\System32\devldr32.exe
c:\wp.exe
C:\windows\System32\intfsdffdsronsad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cidaemon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\Downloaded Program Files\kavss.exe
C:\Documents and Settings\Quentin Taminhart\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\QUENTI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\QUENTI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\QUENTI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\QUENTI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\QUENTI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\QUENTI~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B7FCD601-FF45-486B-B501-1A734C0782E7} - C:\windows\System32\oof.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\windows\System32\msdxm.ocx
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [SAUpdate] "C:\Program Files\Comcast\BBClient\Programs\SAUpdate.exe"
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [ControlPanel] C:\windows\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [WashAndGo - Cleanup of old Backupfiles] C:\Program Files\WashAndGo\checker.exe /check
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Quentin Taminhart\Desktop\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Microsoft AntiSpyware helper - {0810860B-4125-49AF-9DE5-BF9066ADD426} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0810860B-4125-49AF-9DE5-BF9066ADD426} - (no file) (HKCU)
O9 - Extra button: Help - {21ED844F-1F1C-4F07-8185-B290A10F2867} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {C58640D5-F791-495A-BA06-A401FBF10DA9} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {C660AD09-B004-4610-969C-916C3ABF1027} - http://www.comcastsupport.com (file missing) (HKCU)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093565119373
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.co...aploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C597CC6-E7B1-4F01-A5F1-3BDE6C2BC180}: NameServer = 68.87.66.196,68.87.64.196
O18 - Filter: text/html - {27E89C33-65E2-428A-8388-97E2D758BE81} - C:\windows\System32\oof.dll
O18 - Filter: text/plain - {27E89C33-65E2-428A-8388-97E2D758BE81} - C:\windows\System32\oof.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\windows\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Trend Micro Housecall found:
TROJ_SMALL.ANQ - C:\Documents and Settings\Quentin Taminhart\1.dat
TROJ_DELF.QP - C:\Documents and Settings\Quentin Taminhart\3.dat
TROJ_STARTPAG.AZ - C:\Documents and Settings\Quentin Taminhart\4.dat
TROJ_AGENT.SN - C:\Documents and Settings\Quentin Taminhart\6.dat
TROJ_STRTPAGE.DD - C:\WINDOWS\system32.oof.dll
TROJ_AGENT.SN - C:\WINDOWS\system32\wldr.dll
TROJ_AGENT.JA - C:\wp.exe

Thanks!
  • 0

Advertisements


#2
Sudhama

Sudhama

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Still dealing with this, I know you guys are busy, but just giving my thread a bump. Thanks.
  • 0

#3
Sudhama

Sudhama

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Here's the result of my Panda Scan:

Incident Status Location Operating system
Virus:Trj/Downloader.BNN Disinfected
Adware:Adware/CWS.Aboutblank No disinfected C:\windows\System32\coj.dll
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/Gator No disinfected C:\windows\gator*.log
Spyware:Spyware/ISTbar No disinfected C:\Program Files\Common Files\Totem Shared
Adware:Adware/CWS No disinfected C:\DOCUME~1\QUENTI~1\LOCALS~1\Temp\sp.html
Spyware:Spyware/Searchcentrix No disinfected Windows Registry
Adware:Adware/Twain-Tech No disinfected C:\windows\smdat32a.sys
Adware:Adware/WildTangent No disinfected C:\Program Files\WILDTANGENT
Adware:Adware/CWS.Searchmeup No disinfected C:\Documents and Settings\Quentin Taminhart\Desktop\uu.u
Adware:Adware/CWS.Aboutblank No disinfected C:\DOCUME~1\QUENTI~1\LOCALS~1\Temp\sp.html
Adware:Adware/CWS.HomeSearchAsisstantNo disinfected Windows Registry
Adware:Adware/IGuard No disinfected C:\windows\System32\wldr.dll
Adware:Adware/Dloader No disinfected C:\windows\System32\intronsad.exe
Adware:Adware/BlueScreenWarningNo disinfected Windows Registry
Virus:Trj/ClassLoader.A Disinfected C:\Documents and Settings\Quentin Taminhart\.jpi_cache\file\1.0\Count.class-42fad49f-3618aa5d.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Quentin Taminhart\.jpi_cache\file\1.0\Dummy.class-1012b178-15ad7dc1.class
Virus:Trj/Downloader.BWL Disinfected C:\Documents and Settings\Quentin Taminhart\1.dat
Virus:Trj/Downloader.BTV Disinfected C:\Documents and Settings\Quentin Taminhart\3.dat
Adware:Adware/CWS.Aboutblank No disinfected C:\Documents and Settings\Quentin Taminhart\4.dat
Virus:Trj/Downloader.CBY Disinfected C:\Documents and Settings\Quentin Taminhart\6.dat
Virus:Trj/Downloader.BBA Disinfected C:\Documents and Settings\Quentin Taminhart\7.dat
Adware:Adware/CWS.Searchmeup No disinfected C:\Documents and Settings\Quentin Taminhart\Desktop\cc.c
Adware:Adware/CWS.Searchmeup No disinfected C:\Documents and Settings\Quentin Taminhart\Desktop\uu.u
Adware:Adware/CWS.Aboutblank No disinfected C:\Documents and Settings\Quentin Taminhart\Local Settings\Temp\sp.html
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Quentin Taminhart\Local Settings\Temporary Internet Files\Content.IE5\OB73Y4HT\pageid=55765205[1].htm
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorUninstaller_cme.log
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorUninstaller_cme_u.log
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32a.sys
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\coj.dll
Adware:Adware/Dloader No disinfected C:\WINDOWS\system32\intronsad.exe
Virus:Trj/Downloader.BWL Disinfected C:\WINDOWS\system32\izxxzdsafsafczxcr.exe
Adware:Adware/IGuard No disinfected C:\WINDOWS\system32\wldr.dll

Edited by Sudhama, 05 May 2005 - 11:48 AM.

  • 0

#4
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi Sudhama

Please read through the instructions before you start (you may want to print this out).

Download CWShredder (there is a link in my signature), unzip it, and save it on the Desktop. Please do not run it yet, though.

Please set your system to show all files; please see here if you're unsure how to do this.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Run CWShredder to fix your CWS problem.

[*]Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\QUENTI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\QUENTI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\QUENTI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\QUENTI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\QUENTI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\QUENTI~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: (no name) - {B7FCD601-FF45-486B-B501-1A734C0782E7} - C:\windows\System32\oof.dll
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [ControlPanel] C:\windows\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O9 - Extra button: Microsoft AntiSpyware helper - {0810860B-4125-49AF-9DE5-BF9066ADD426} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0810860B-4125-49AF-9DE5-BF9066ADD426} - (no file) (HKCU)
O9 - Extra button: Help - {21ED844F-1F1C-4F07-8185-B290A10F2867} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {C58640D5-F791-495A-BA06-A401FBF10DA9} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {C660AD09-B004-4610-969C-916C3ABF1027} - http://www.comcastsupport.com (file missing) (HKCU)
O18 - Filter: text/html - {27E89C33-65E2-428A-8388-97E2D758BE81} - C:\windows\System32\oof.dll
O18 - Filter: text/plain - {27E89C33-65E2-428A-8388-97E2D758BE81} - C:\windows\System32\oof.dll

Click on Fix Checked when finished and exit HijackThis.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\Program Files\Support.com\<--Delete the whole folder
Exit Explorer.

If you were unable to find any of the files then please follow these additional instructions:
Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes. Let the system reboot.
C:\windows\System32\coj.dll
Adware:Adware/SaveNow No disinfected Windows Registry
C:\windows\gator*.log
C:\Program Files\Common Files\Totem Shared
C:\DOCUME~1\QUENTI~1\LOCALS~1\Temp\sp.html
C:\windows\smdat32a.sys
C:\Program Files\WILDTANGENT
C:\Documents and Settings\Quentin Taminhart\Desktop\uu.u
C:\DOCUME~1\QUENTI~1\LOCALS~1\Temp\sp.html
C:\windows\System32\wldr.dll
C:\windows\System32\intronsad.exe
C:\Documents and Settings\Quentin Taminhart\.jpi_cache\file\1.0\Count.class-42fad49f-3618aa5d.class
C:\Documents and Settings\Quentin Taminhart\.jpi_cache\file\1.0\Dummy.class-1012b178-15ad7dc1.class
C:\Documents and Settings\Quentin Taminhart\1.dat
C:\Documents and Settings\Quentin Taminhart\3.dat
C:\Documents and Settings\Quentin Taminhart\4.dat
C:\Documents and Settings\Quentin Taminhart\6.dat
C:\Documents and Settings\Quentin Taminhart\7.dat
C:\Documents and Settings\Quentin Taminhart\Desktop\cc.c
C:\Documents and Settings\Quentin Taminhart\Desktop\uu.u
C:\Documents and Settings\Quentin Taminhart\Local Settings\Temp\sp.html
C:\Documents and Settings\Quentin Taminhart\Local Settings\Temporary Internet Files\Content.IE5\OB73Y4HT\pageid=55765205[1].htm
C:\WINDOWS\GatorUninstaller_cme.log
C:\WINDOWS\GatorUninstaller_cme_u.log
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\system32\coj.dll
C:\WINDOWS\system32\intronsad.exe
C:\WINDOWS\system32\izxxzdsafsafczxcr.exe
C:\WINDOWS\system32\wldr.dll
C:\Documents and Settings\Quentin Taminhart\1.dat
C:\Documents and Settings\Quentin Taminhart\3.dat
C:\Documents and Settings\Quentin Taminhart\4.dat
C:\Documents and Settings\Quentin Taminhart\6.dat
C:\WINDOWS\system32.oof.dll
C:\WINDOWS\system32\wldr.dll
C:\windows\System32\intfsdffdsronsad.exe
C:\windows\System32\oof.dll
C:\windows\System32\cmd32.exe
C:\wp.exe

Reboot as normal.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#5
Sudhama

Sudhama

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Hey thanks for getting back to me. HJT and Panda to follow.....

Logfile of HijackThis v1.99.1
Scan saved at 6:43:39 PM, on 5/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\System32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Documents and Settings\Quentin Taminhart\Desktop\FreeRAM XP Pro 1.40.exe
C:\WINDOWS\System32\oodag.exe
C:\windows\System32\devldr32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Semagic\LiveJournalU.exe
C:\Program Files\Soulseek\slsk.exe
C:\windows\explorer.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\BitComet\BitComet.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Documents and Settings\Quentin Taminhart\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\windows\System32\msdxm.ocx
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [SAUpdate] "C:\Program Files\Comcast\BBClient\Programs\SAUpdate.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [WashAndGo - Cleanup of old Backupfiles] C:\Program Files\WashAndGo\checker.exe /check
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Quentin Taminhart\Desktop\FreeRAM XP Pro 1.40.exe" -win
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093565119373
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.co...aploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C597CC6-E7B1-4F01-A5F1-3BDE6C2BC180}: NameServer = 68.87.66.196,68.87.64.196
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\windows\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Spyware:Spyware/ISTbar No disinfected C:\Program Files\Common Files\Totem Shared
Spyware:Spyware/Searchcentrix No disinfected Windows Registry
Adware:Adware/WildTangent No disinfected c:\Program Files\Java\j2re1.4.2_03\bin\wtdmmpv.dll
Adware:Adware/CWS.HomeSearchAsisstantNo disinfected Windows Registry
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Quentin Taminhart\Local Settings\Temporary Internet Files\Content.IE5\OB73Y4HT\pageid=55765205[1].htm
  • 0

#6
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi Sudhama

Please read through the instructions before you start (you may want to print this out).

Lets see if this will finds any hidden Trojan’s http://www.ewido.net/en/download/
This setup contains the free as well as the plus-version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus-version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.
Ewido will auto-udate tne run a full scan save the log when the scan has finnished.

Reboot into Safe Mode: Click here if you don't know how to do this.

Run ewido again save the log.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm

Click on Fix Checked when finished and exit HijackThis.

C:\Program Files\Common Files\Totem Shared<--Delete the whole folder
c:\Program Files\Java\j2re1.4.2_03\bin\wtdmmpv.dll<--Delete this file

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
Please post the logs From Panda virus scan and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#7
Guest_thatman_*

Guest_thatman_*
  • Guest
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP