it's TWO days that I'm following you in this exciting forum.
Compliments to you all.
I decided to sign in and ask your help since that's my situation:
I've been infected by the smitfraud.c on thursday nite at 8PM.
I followed many instructions on the web, and I succeeded to "BLOCK" in a way this trojan/virus on my PC.
Now I dont have no bluescreen on My PC, and all the sw I downloaded find no other trojans or malwares, BUT I still have my IE catched by "quyicknavigate", I have a black backscreen - and not the normal blue - on the left part of thw screen when I use the "search" function of Explorer in WinXP, and I have the "hp" file.tmp back in my system32 directory!!!!! It's called hpAB91
Please, note that I already had a "hp".tmp file the day before yesterday, hp7B5A.tmp, but I succeeded to fix it...
I was very happy of myself... Here is what hijack showed me that nite:
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\system32\hp7B5A.tmp (file missing) - situation of May 13.
...but it didn't completely work for some reason, and now it was born again with slight different name as you can see from attached HJT log.
It would be so kind from you if you could help me understand what I can do to definitely solve the problem.
Attached : my HJT log.
Thank you so much for your reply and help.
vito71
Logfile of HijackThis v1.99.1
Scan saved at 21.02.26, on 14/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\basfipm.exe
C:\Programmi\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\WINDOWS\system32\cisvc.exe
C:\Programmi\Dell\OpenManage\Client\Iap.exe
C:\Programmi\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\windows\system32\PDFCreatorMessages.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\shnlog.exe
C:\Programmi\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programmi\JawsSystems\Jaws PDF Creator\PDFClient.exe
C:\PROGRA~1\TV4STU~1\MImpPRO\MIProHst.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programmi\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\carpserv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\intmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\ADSL\StarModem ADSL USB MODEM\dslmon.exe
C:\Programmi\Microsoft Office2000\Office\1040\msoffice.exe
C:\Programmi\Microsoft AntiSpyware\gcasDtServ.exe
C:\Programmi\Microsoft Office2000\Office\WINWORD.EXE
C:\Programmi\File comuni\pestpatrol\ppRemoteService.exe
C:\Programmi\File comuni\pestpatrol\PPMCActiveDetection.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\pcavellino\Documenti\personal\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavi...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavi...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\system32\hpAB91.tmp
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Programmi\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PDFCreatorClient] C:\Programmi\JawsSystems\Jaws PDF Creator\PDFClient.exe
O4 - HKLM\..\Run: [MImpPro] C:\PROGRA~1\TV4STU~1\MImpPRO\MIProHst.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programmi\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [9xadiras] 9xadiras.exe
O4 - HKLM\..\Run: [2kadiras] 2kadiras.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office2000\Office\OSA9.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - http://www.kaspersky.../kavwebscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DABA69B-845A-4BB0-8475-4AD1C6078E6C}: NameServer = 193.70.152.15 193.70.152.25
O17 - HKLM\System\CS1\Services\Tcpip\..\{1DABA69B-845A-4BB0-8475-4AD1C6078E6C}: NameServer = 193.70.152.15 193.70.152.25
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Programmi\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: Iap - Dell Inc - C:\Programmi\Dell\OpenManage\Client\Iap.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Programmi\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd - C:\windows\system32\PDFCreatorMessages.exe
O23 - Service: PestPatrol Remote - Computer Associates International, Inc. - C:\Programmi\File comuni\pestpatrol\ppRemoteService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
P.S.: I can probably move from the Pc in a few minutes tonite. So please forgive me if eventually I cant reply immediately tonite when you should send me an answer. In this case see U tomorrow.
Thank You.
vito71