
Smitfraud.c Virus..Help![RESOLVED]



#1 marvy (Member, 15 posts)

Hi,

After I click on my username to log on to my PC, I hear the startup sound BUT no desktop icons or taskbar ever come up, so I use Task Manager to get around. As I use Task Manager to get on with my work, I notice that Recycle Bin is missing from my desktop list.

I tried to boot in Safe Mode BUT I can't. The same thing happens after I click on my log-on name.

This happened after I ran an AVG Free Edition scan and found 900+ infections, which I removed, BUT before I ran AVG I was able to start up normally except for the smitfraud blue background.

After I saw what happened I used Task Manager and removed AVG from my system; however, there is a DAT file showing up in the C folder called avg7qt(2).

Below is a log I took from hijackthis.

PLEASE HELP!!

Logfile of HijackThis v1.99.1
Scan saved at 3:29:34 PM, on 5/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Software Downloads\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SRFirstRun] rundll32 srclient.dll,CreateFirstRunRp
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mswspl] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdllreg.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [zhkbjj] c:\windows\system32\zhkbjj.exe
O4 - HKLM\..\Run: [DDd7jnG] C:\WINDOWS\gbtmlpl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [kmoz] C:\PROGRA~1\COMMON~1\kmoz\kmozm.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PC Phoneline.lnk = C:\Program Files\PC Phoneline 1.0\PC Phoneline.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj03.righ...l/java/RntX.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Edited by marvy, 12 May 2005 - 03:53 PM.


#2 marvy (Topic Starter, Member, 15 posts)

Also, I can't pull up Windows Explorer nor IE...

#3 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download KillBox http://www.greyknigh...spy/KillBox.exe. Don't run it yet.

Reboot into Safe Mode by hitting the F8 key until the menu shows up. In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
O4 - HKLM\..\Run: [zhkbjj] c:\windows\system32\zhkbjj.exe
O4 - HKLM\..\Run: [DDd7jnG] C:\WINDOWS\gbtmlpl.exe
O4 - HKCU\..\Run: [kmoz] C:\PROGRA~1\COMMON~1\kmoz\kmozm.exe


Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINDOWS\BTGrab.dll
C:\WINDOWS\xmllib.dll
c:\windows\system32\zhkbjj.exe
C:\WINDOWS\gbtmlpl.exe
C:\PROGRA~1\COMMON~1\kmoz\


Reboot into Normal Mode and run a new HijackThis scan. Save the log file and post it here.

To fix the wallpaper/background problem, right click on this link and choose Save As. Save that file somewhere. Now double click on that file you just saved and say Yes to add/merge it into the registry.

#4 marvy (Topic Starter, Member, 15 posts)

Hi,

I can't go to My Computer->Tools/View->Folder Options->View tab from Task Manager... remember that Windows Explorer doesn't work.

Edited by marvy, 13 May 2005 - 10:47 AM.


#5 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

That's ok. Continue with what you can do and post a follow-up log once you are done. See if you can go into Windows Explorer after doing all the fixes I mentioned earlier.

#6 marvy (Topic Starter, Member, 15 posts)

OK. I did the above (without unhiding all files). Below is the log file.

Logfile of HijackThis v1.99.1
Scan saved at 2:08:25 PM, on 5/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wuauclt.exe
F:\Software Downloads\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=140.131.122.11:80;gopher=140.131.122.11:80;http=140.131.122.11:80;https=140.131.122.11:80;socks=140.131.122.11:80
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SRFirstRun] rundll32 srclient.dll,CreateFirstRunRp
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mswspl] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdllreg.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [NvClipRsv] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PC Phoneline.lnk = C:\Program Files\PC Phoneline 1.0\PC Phoneline.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj03.righ...l/java/RntX.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

---------------------------

I can't locate my Recycle Bin either from Task Manager......!!

Edited by marvy, 13 May 2005 - 01:08 PM.


#7 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Reboot into Safe Mode by hitting the F8 key until the menu shows up. In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [NvClipRsv] C:\WINDOWS\svchost.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\svchost.exe - make SURE that it's the file in the WINDOWS folder that you are deleting and no where else

Reboot into Normal Mode and run a new HijackThis scan. Save the log file and post it here.

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the lower pane --- use CTRL+C on your keyboard to copy everything found in the lower pane and save it to a Notepad file.
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.


To fix the wallpaper/background problem, right click on this link and choose Save As. Save that file somewhere. Now double click on that file you just saved and say Yes to add/merge it into the registry.

#8 marvy (Topic Starter, Member, 15 posts)

OK.. I found svchost.exe in the following locations:

C:\WINDOWS\SYSTEM32\DLLCASHE\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe

Please advise!

Edited by marvy, 13 May 2005 - 03:58 PM.


#9 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

DON'T do anything with that file in those two locations. Only delete it if found in c:\windows\ and nowhere else.

OK, where is the mwav log?
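To make the rules greyknight17 applies in posts #3, #7 and #9 repeatable, here is an added Python example (my own code, not the thread's and not part of HijackThis) that reads the O2, O4 and R1 lines of a HijackThis log and flags the entries matching three heuristics taken from this thread: a core system binary name such as svchost.exe loading from anywhere other than System32 (or its dllcache copy), an executable or DLL sitting directly in the Windows root, and a Run-key value name with no vowels at all, like zhkbjj or DDd7jnG. It also surfaces any R1 ProxyServer setting so the owner can confirm it is intentional. The sample log is constructed from lines copied out of the logs posted above; the set of system binary names and the no-vowels rule are my assumptions, and heuristics like these produce false positives, so they point at entries to look at, not entries to delete.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: entries copied from the HijackThis logs posted in this thread,
# with a few legitimate entries from the same logs so the heuristics have something to pass.
SAMPLE_LOG = r"""
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [zhkbjj] c:\windows\system32\zhkbjj.exe
O4 - HKLM\..\Run: [DDd7jnG] C:\WINDOWS\gbtmlpl.exe
O4 - HKLM\..\Run: [NvClipRsv] C:\WINDOWS\svchost.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=140.131.122.11:80;https=140.131.122.11:80
"""

# Assumed list: core Windows binaries that legitimately live only under System32 (plus the
# dllcache copy). A same-named file anywhere else is what posts #7 and #9 warn about.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "smss.exe", "services.exe", "spoolsv.exe"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[^}]*\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
R1_PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>.+)$")


@dataclass
class Finding:
    entry: str
    path: str
    reasons: list[str] = field(default_factory=list)


def first_path(cmd: str) -> str:
    """Pull the launched file out of a Run-key command line (quoted or first token)."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def looks_random(name: str) -> bool:
    """Five or more letters and not a single vowel, e.g. 'zhkbjj' or 'DDd7jnG' (assumed rule)."""
    letters = [c for c in name if c.isalpha()]
    return len(letters) >= 5 and not any(c.lower() in "aeiou" for c in letters)


def path_reasons(path: str) -> list[str]:
    """Location-based checks on the file a log entry points at."""
    p = path.lower()
    reasons: list[str] = []
    if "\\" not in p:
        return reasons  # bare program name such as RUNDLL32.EXE: no directory to judge
    directory, _, filename = p.rpartition("\\")
    if filename in SYSTEM_BINARIES and not (
            directory.endswith("\\system32") or directory.endswith("\\system32\\dllcache")):
        reasons.append(f"{filename} outside System32 (masquerading as a system binary)")
    if re.fullmatch(r"[a-z]:\\windows\\[^\\]+", p):
        reasons.append("loads directly from the Windows root directory")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Return the entries worth a second look, each with the reasons it was flagged."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            reasons = path_reasons(m["path"])
            if reasons:
                findings.append(Finding(m["name"], m["path"], reasons))
        elif m := O4_RE.match(line):
            path = first_path(m["cmd"])
            reasons = path_reasons(path)
            if looks_random(m["name"]):
                reasons.append("Run-key value name has no vowels (random-looking)")
            if reasons:
                findings.append(Finding(m["name"], path, reasons))
        elif m := R1_PROXY_RE.match(line):
            findings.append(Finding("ProxyServer", m["proxy"],
                                    ["browser proxy is set; confirm it was configured on purpose"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.entry}] {f.path}")
        for r in f.reasons:
            print("   -", r)
```

Run it with `python3 triage_hjt.py`; `triage()` takes the whole log text, so pasting a full log into `SAMPLE_LOG` works unchanged. The O4 pattern matches `HKLM\..\Run`, `RunOnce` and similar keys but deliberately skips `Global Startup` shortcut lines, which have a different shape.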

#10 marvy (Topic Starter, Member, 15 posts)

HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:05:21 AM, on 5/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\RDSHOST.exe
C:\WINDOWS\system32\sessmgr.exe
F:\Software Downloads\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SRFirstRun] rundll32 srclient.dll,CreateFirstRunRp
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mswspl] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdllreg.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PC Phoneline.lnk = C:\Program Files\PC Phoneline 1.0\PC Phoneline.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj03.righ...l/java/RntX.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


#11 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Your log is clean.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

#12 marvy (Topic Starter, Member, 15 posts)

Here is the MWAV log:

File System Found infected by "SideFind Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "XXXToolbar Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "BetterInternet Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "BetterInternet Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "VX2 Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "BTGrab Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "powerscan Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "tsa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "180Solutions Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "kazaa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "morpheus Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "ISearchTech.ISTdownloader Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "BTGrab Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "BTGrab Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "BTGrab Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\winadvt.dll infected by "not-a-virus:AdWare.ToolBar.ToolBand.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\XMLLIBUI.exe infected by "Trojan.Win32.StartPage.yg" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\a infected by "Trojan-Downloader.BAT.Ftp.j" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\AcsProxy.dll infected by "not-a-virus:AdWare.ToolBar.FWN.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\PreInstaller_p1.exe infected by "Trojan-Downloader.Win32.Keenval.o" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\unregister.exe infected by "not-a-virus:AdWare.ToolBar.VB.f" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Marvin\LOCALS~1\Temp\bb.exe infected by "Trojan-Downloader.Win32.Adload.a" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\Marvin\LOCALS~1\Temp\btgrab.cab infected by "not-a-virus:AdWare.BiSpy.v" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\Marvin\LOCALS~1\Temp\BTGrab.dll infected by "not-a-virus:AdWare.BiSpy.v" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\Marvin\LOCALS~1\Temp\CC21.tmp infected by "Email-Worm.Win32.Plexus.a" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\Marvin\LOCALS~1\Temp\CC7C9D.tmp infected by "Email-Worm.Win32.Plexus.a" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\Marvin\LOCALS~1\Temp\CC7C9E.tmp infected by "Email-Worm.Win32.Plexus.a" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\Marvin\LOCALS~1\Temp\cdt_bbi8016.exe infected by "not-a-virus:AdWare.BargainBuddy.l" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\Marvin\LOCALS~1\Temp\Del7D1C.tmp infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\Marvin\LOCALS~1\Temp\iinstall.exe infected by "Trojan-Downloader.Win32.IstBar.ir" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\Marvin\LOCALS~1\Temp\Incredifind.exe infected by "Trojan-Downloader.Win32.Keenval.n" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\Marvin\LOCALS~1\Temp\polall1b.exe infected by "Trojan.Win32.Agent.ay" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\Marvin\LOCALS~1\Temp\targetsaver.exe infected by "Trojan-Downloader.Win32.TSUpdate.j" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\Marvin\LOCALS~1\Temp\TMP7CEE.tmp infected by "not-a-virus:AdWare.WebSpecial.a" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\Marvin\LOCALS~1\Temp\TMP7CEF.tmp infected by "not-a-virus:AdWare.WebSpecial.a" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\Marvin\LOCALS~1\Temp\tsinstall_4_0_3_8_b17.exe infected by "Trojan-Downloader.Win32.TSUpdate.k" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Marvin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-7d2c9337-62cc0b51.zip infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Marvin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv620.jar-7fd9548c-66c171e7.zip infected by "Trojan-Downloader.Java.OpenStream.c" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Marvin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\logoeditor.jar-848dfb0-3c9f2cf2.zip tagged as not-a-virus:JavaClass.TuesDayToyAuto. No Action Taken.

File C:\Documents and Settings\Marvin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6ecc4ec7-424d8de6.zip infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Marvin\Local Settings\Temp\bb.exe infected by "Trojan-Downloader.Win32.Adload.a" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Marvin\Local Settings\Temp\btgrab.cab infected by "not-a-virus:AdWare.BiSpy.v" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Marvin\Local Settings\Temp\BTGrab.dll infected by "not-a-virus:AdWare.BiSpy.v" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Marvin\Local Settings\Temp\CC21.tmp infected by "Email-Worm.Win32.Plexus.a" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Marvin\Local Settings\Temp\CC7C9D.tmp infected by "Email-Worm.Win32.Plexus.a" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Marvin\Local Settings\Temp\CC7C9E.tmp infected by "Email-Worm.Win32.Plexus.a" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Marvin\Local Settings\Temp\cdt_bbi8016.exe infected by "not-a-virus:AdWare.BargainBuddy.l" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Marvin\Local Settings\Temp\Del7D1C.tmp infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Marvin\Local Settings\Temp\iinstall.exe infected by "Trojan-Downloader.Win32.IstBar.ir" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Marvin\Local Settings\Temp\Incredifind.exe infected by "Trojan-Downloader.Win32.Keenval.n" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Marvin\Local Settings\Temp\polall1b.exe infected by "Trojan.Win32.Agent.ay" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Marvin\Local Settings\Temp\targetsaver.exe infected by "Trojan-Downloader.Win32.TSUpdate.j" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Marvin\Local Settings\Temp\TMP7CEE.tmp infected by "not-a-virus:AdWare.WebSpecial.a" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Marvin\Local Settings\Temp\TMP7CEF.tmp infected by "not-a-virus:AdWare.WebSpecial.a" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Marvin\Local Settings\Temp\tsinstall_4_0_3_8_b17.exe infected by "Trojan-Downloader.Win32.TSUpdate.k" Virus. Action Taken: No Action Taken.
File C:\Program Files\AnalogX\Proxy\proxy.exe tagged as not-a-virus:RiskWare.Proxy.AnalogX.414. No Action Taken.
File C:\Program Files\Common Files\kmoz\kmozp.exe infected by "not-a-virus:AdWare.Xupiter.m" Virus. Action Taken: No Action Taken.
File C:\Program Files\MyEmoticons\VVSN_MYEM0841Inst.exe infected by "not-a-virus:AdWare.SaveNow.z" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3D6E0882 infected by "Email-Worm.Win32.Zafi.d" Virus. Action Taken: No Action Taken.
File C:\Program Files\RealVNC\WinVNC\othread2.dll tagged as not-a-virus:RiskWare.RemoteAdmin.WinVNC-based.c. No Action Taken.
File C:\Program Files\RealVNC\WinVNC\vnchooks.dll tagged as not-a-virus:RiskWare.RemoteAdmin.WinVNC-based.c. No Action Taken.
File C:\Program Files\SpyKiller\Backup\42246.88_20050509114406_FILEGBK.bkp tagged as not-a-virus:RiskWare.RemoteAdmin.WinVNC-based.c. No Action Taken.
File C:\Program Files\SpyKiller\Backup\48126.39_20050331132206_FILEGBK.bkp tagged as not-a-virus:RiskWare.Monitor.Perflogger.a. No Action Taken.
File C:\Program Files\SpyKiller\Backup\48149.61_20050331132229_FILEGBK.bkp tagged as not-a-virus:RiskWare.Monitor.Perflogger.a. No Action Taken.
File C:\Program Files\SpyKiller\Backup\48161.48_20050331132241_FILEGBK.bkp tagged as not-a-virus:RiskWare.Monitor.Perflogger.a. No Action Taken.
File C:\Program Files\SpyKiller\Quarantine\9811510010411111110711546100108108 tagged as not-a-virus:RiskWare.Monitor.Perflogger.a. No Action Taken.
File C:\RECYCLER\S-1-5-21-2281650554-3486800440-1217822822-1007\Dc62\A0213758.exe infected by "Trojan.Win32.StartPage.yg" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-2281650554-3486800440-1217822822-500\Dc1.exe infected by "Trojan.Win32.Agent.ct" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\a infected by "Trojan-Downloader.BAT.Ftp.j" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\AcsProxy.dll infected by "not-a-virus:AdWare.ToolBar.FWN.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho infected by "Trojan.Win32.Qhost.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\PreInstaller_p1.exe infected by "Trojan-Downloader.Win32.Keenval.o" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\unregister.exe infected by "not-a-virus:AdWare.ToolBar.VB.f" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\winadvt.dll infected by "not-a-virus:AdWare.ToolBar.ToolBand.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\XMLLIBUI.exe infected by "Trojan.Win32.StartPage.yg" Virus. Action Taken: No Action Taken.
File F:\My Documents\zia38407 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File F:\My Documents\New Downloads\pngplt_1.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File F:\My Documents\New Downloads\setupreadplease2002_1_1_06.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File F:\My Documents\New Downloads\BSINSTALL.exe infected by "not-a-virus:AdWare.SaveNow.e" Virus. Action Taken: No Action Taken.
File F:\My Documents\New Downloads\Swish\SetupSwish200.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File F:\My Documents\Marvin's File\Wholesale\ilynk.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File F:\Emails\Inbox\Email from Linda Grainger .msg infected by "Email-Worm.Win32.Tanatos.b" Virus. Action Taken: No Action Taken.
File F:\Emails\Inbox\Eager to see you.msg infected by "Exploit.HTML.Iframe.FileDownload" Virus. Action Taken: No Action Taken.
File F:\Emails\Sent Items\RE Eager to see you.msg infected by "Exploit.HTML.Iframe.FileDownload" Virus. Action Taken: No Action Taken.
File F:\eJay MP3 Station\runtime\OLEAUT_I.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File F:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP212\A0213714.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File F:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP212\A0214237.exe infected by "not-a-virus:AdWare.Lop" Virus. Action Taken: No Action Taken.
File F:\Software Downloads\VNC\vnc-3.3.7-x86_win32.exe tagged as not-a-virus:RiskWare.RemoteAdmin.WinVNC-based.c. No Action Taken.
File F:\Software Downloads\BannerMakerPro\crack.zip infected by "Trojan-Downloader.Win32.IstBar.bu" Virus. Action Taken: No Action Taken.
File F:\Software Downloads\Radmin\radmin22.zip tagged as not-a-virus:RiskWare.RemoteAdmin.RAdmin.22. No Action Taken.
File F:\Software Downloads\HijackThis\backups\backup-20050513-135811-217.dll infected by "not-a-virus:AdWare.BiSpy.v" Virus. Action Taken: No Action Taken.
File F:\Software Downloads\HijackThis\backups\backup-20050513-135811-938.dll infected by "Trojan-Dropper.Win32.Small.yd" Virus. Action Taken: No Action Taken.
File F:\Spyware\SpyKillerSetup4.0.zip tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File F:\Spyware\SpyKillerSetup.zip tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File F:\Spyware\SpyKillerSetup.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

Also, I notice that this log says "41 errors found".
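The scan output pasted above is one finding per line, in two shapes: "infected by" for an actual detection and "tagged as not-a-virus:..." for riskware or a legitimate tool the engine merely flags for information. The Python below is an added example for this thread, not code from the poster, the forum helpers, or any of the scanners named here. It parses a handful of lines copied from the log above (a constructed sample, not the full log), separates detections from riskware notices, and labels each finding by where it sits on disk, because that is what decides the clean-up step: something in a Temp folder goes with the Temp clean-out, something inside another product's quarantine or backup folder goes when that product's holding area is emptied or the product is uninstalled, and something under a System Restore point goes when System Restore is switched off and back on. Only detections in a live location are left to delete by hand. The location labels, the regexes and the helper names (`parse_log`, `live_detections`, `summarize`) are this example's own conventions.

```python
import re
from collections import Counter

# Constructed sample: a few lines copied from the scan log in the post above
# (not the whole log). Raw string, because the Windows paths contain backslashes.
SAMPLE_LOG = r"""
File C:\Documents and Settings\Marvin\Local Settings\Temp\iinstall.exe infected by "Trojan-Downloader.Win32.IstBar.ir" Virus. Action Taken: No Action Taken.
File C:\Program Files\AnalogX\Proxy\proxy.exe tagged as not-a-virus:RiskWare.Proxy.AnalogX.414. No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3D6E0882 infected by "Email-Worm.Win32.Zafi.d" Virus. Action Taken: No Action Taken.
File C:\Program Files\SpyKiller\Backup\42246.88_20050509114406_FILEGBK.bkp tagged as not-a-virus:RiskWare.RemoteAdmin.WinVNC-based.c. No Action Taken.
File C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho infected by "Trojan.Win32.Qhost.a" Virus. Action Taken: No Action Taken.
File F:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP212\A0214237.exe infected by "not-a-virus:AdWare.Lop" Virus. Action Taken: No Action Taken.
File F:\Software Downloads\HijackThis\backups\backup-20050513-135811-938.dll infected by "Trojan-Dropper.Win32.Small.yd" Virus. Action Taken: No Action Taken.
"""

# The two line shapes in the log: a detection ("infected by") and an
# informational riskware notice ("tagged as ...").
INFECTED_RE = re.compile(
    r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus\. '
    r'Action Taken: (?P<action>.+?)\.$'
)
TAGGED_RE = re.compile(
    r'^File (?P<path>.+?) tagged as (?P<name>.+?)\. (?P<action>.+?)\.$'
)

# Where the file sits decides the clean-up step. Order matters: the first
# matching rule wins; anything that matches none of them is "live".
# (Labels are this example's own convention, not the scanner's.)
LOCATION_RULES = [
    ("temp",           r"\\local settings\\temp\\"),
    ("quarantine",     r"\\quarantine\\"),
    ("backup",         r"\\backups?\\"),
    ("system restore", r"\\system volume information\\_restore"),
    ("recycle bin",    r"\\recycler\\"),
]


def classify_location(path):
    low = path.lower()
    for label, pattern in LOCATION_RULES:
        if re.search(pattern, low):
            return label
    return "live"


def parse_line(line):
    """Return a record for one finding, or None for lines that are not findings."""
    line = line.strip()
    m = INFECTED_RE.match(line)
    if m:
        # The engine prefixes adware detections with "not-a-virus:"; keep them
        # apart from trojans/worms so the summary shows what actually matters.
        kind = "adware" if m["name"].startswith("not-a-virus:") else "malware"
    else:
        m = TAGGED_RE.match(line)
        if not m:
            return None
        kind = "riskware"
    return {
        "path": m["path"],
        "name": m["name"],
        "kind": kind,
        "location": classify_location(m["path"]),
        "action": m["action"],
    }


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def live_detections(records):
    """Malware/adware outside any holding area: the items to delete by hand."""
    return [r["path"] for r in records
            if r["kind"] != "riskware" and r["location"] == "live"]


def summarize(records):
    """Count findings per (kind, location) pair."""
    return Counter((r["kind"], r["location"]) for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (kind, loc), n in sorted(summarize(recs).items()):
        print(f"{n:3d}  {kind:9s} in {loc}")
    print("delete by hand:")
    for p in live_detections(recs):
        print("  ", p)
```

Run against the sample, the only live detection is C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho; the Norton quarantine, SpyKiller backup and HijackThis backup entries are reported under their holding area, and the AnalogX proxy is listed as riskware rather than a detection. Feeding the complete log from the post into `parse_log` works the same way, since every line there has one of the two shapes.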

#13 marvy (Topic Starter, Member, 15 posts)
I have a clean blue wallpaper, however NO desktop icons nor taskbar.

#14 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Did you run Ad-aware and Spybot yet? Get those two programs and update them (if there are any). Then run a full scan and delete the things found.

Uninstall SpyKiller from the Add/Remove panel. SpyKiller is rogueware (or known to be rogueware in the past) and we highly recommend that you uninstall it. Rogue/Suspect means that these products are of unknown, questionable, or dubious value as anti-spyware protection.

Delete these files/folders:

File C:\WINDOWS\System32\PreInstaller_p1.exe
File C:\WINDOWS\System32\unregister.exe
File C:\Program Files\Common Files\kmoz\
File C:\Program Files\MyEmoticons\VVSN_MYEM0841Inst.exe
File C:\RECYCLER\S-1-5-21-2281650554-3486800440-1217822822-1007\Dc62\A0213758.exe
File C:\RECYCLER\S-1-5-21-2281650554-3486800440-1217822822-500\Dc1.exe
File C:\WINDOWS\SYSTEM32\a
File C:\WINDOWS\SYSTEM32\AcsProxy.dll
File C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
File C:\WINDOWS\winadvt.dll
File C:\WINDOWS\XMLLIBUI.exe
File F:\My Documents\New Downloads\BSINSTALL.exe
File F:\Emails\Inbox\Email from Linda Grainger .msg
File F:\Emails\Inbox\Eager to see you.msg
File F:\Emails\Sent Items\RE Eager to see you.msg
File F:\Software Downloads\BannerMakerPro\crack.zip
File F:\Software Downloads\HijackThis\backups\backup-20050513-135811-217.dll
File F:\Software Downloads\HijackThis\backups\backup-20050513-135811-938.dll
File F:\Spyware\SpyKillerSetup4.0.zip
File F:\Spyware\SpyKillerSetup.zip
C:\Program Files\SpyKiller\


Empty out everything in this folder:
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if the main link doesn't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Run CleanUp! and click on the CleanUp! button. When it asks you if you want to logoff, click on Yes.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop. Now double click on it to run it. Say yes to add it to the registry.

Restart.

Any problems now?

#15 marvy (Topic Starter, Member, 15 posts)
Hi,

My desktop is still missing :tazz: