Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

trojan-spy.html.smitfraud.c

Started by V.Srinivasa rao , May 15 2005 03:08 AM

  • Please log in to reply

#1
V.Srinivasa rao
Posted 15 May 2005 - 03:08 AM

V.Srinivasa rao

    Member

  • Member
  • PipPip
  • 17 posts
My computer is infected with trojan-spy.html.smitfraud.c spyware for the last 2 days.After booting the message on the blue screen shows the system is infected with the trojan-spy.html.smitfraud.c spyware.This also shows the sytem cannot run in normal node and asks to check the sytem's security settings.The message also shows that the fatal error has occured at 0028:C0011E36 in VXD VMM(01) +00010E36.The message also showing me to check with any spyware to fix the problem.

I tried to download some spyware remover,but after running observed it could not fully remove all the infections.And the system continues to show the above message after booting up.In between the messages show that internet explorer is infected and windows to be re loaded.When tried to re load by using the windows 98 dump from d drive it is not starting.Also iam not able to change my display settings.

Please help to cure the problem.After seeing the geeks to go i ran the hijack this and the log report is enclosed below.

Logfile of HijackThis v1.99.1
Scan saved at 1:42:32 PM, on 5/15/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ATIUPDPL.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM32\USBN.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\POWERZIP\POWERZIP.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://lab-wire.com/user15/index.php
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {39C71C41-C3FE-11D9-9FCF-44451A6D0193} - C:\WINDOWS\SYSTEM\AOAJ.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vmtuner] gclib.exe
O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe -go -c171 -w
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\RunServices: [WindowsFY] C:\WP.EXE
O4 - HKCU\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {403A1C80-C3FE-11D9-9FCF-444553540000} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {403A1C80-C3FE-11D9-9FCF-444553540000} - (no file) (HKCU)
O16 - DPF: {4418DD4D-7265-4C32-BC0A-3FDB3C2DA938} (Protecter Class) - http://www.xxxtoolba...ect_regular.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.gururagha...er/tdserver.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.game...ts/y/cct0_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O18 - Filter: text/html - {39C71C40-C3FE-11D9-9FCF-44457521A408} - C:\WINDOWS\SYSTEM\AOAJ.DLL
O18 - Filter: text/plain - {39C71C40-C3FE-11D9-9FCF-44457521A408} - C:\WINDOWS\SYSTEM\AOAJ.DLL

Please help to get rid of the problem

Regards

V.Srinivasa rao
  • 0

Advertisements

#2
-=jonnyrotten=-
Posted 15 May 2005 - 02:30 PM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Please download CleanUp!and install it.

Please download "Del Domain" from here:

http://www.geekstogo...=download&id=40

Download it to your desktop or somewhere you will find it. Extract the .inf file from the .zip file you just downloaded. Now right click "Deldomains.inf" and click "Install". It will not appear to have done anything, thats ok. Next step.

You may wish to print out a copy of these instructions to follow while you complete this procedure.
Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.
Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://lab-wire.com/user15/index.php
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {39C71C41-C3FE-11D9-9FCF-44451A6D0193} - C:\WINDOWS\SYSTEM\AOAJ.DLL (file missing)
O4 - HKLM\..\Run: [vmtuner] gclib.exe
O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe -go -c171 -w
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\RunServices: [WindowsFY] C:\WP.EXE
O4 - HKCU\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {403A1C80-C3FE-11D9-9FCF-444553540000} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {403A1C80-C3FE-11D9-9FCF-444553540000} - (no file) (HKCU)
O16 - DPF: {4418DD4D-7265-4C32-BC0A-3FDB3C2DA938} (Protecter Class) - http://www.xxxtoolba...ect_regular.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.gururagha...er/tdserver.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.game...ts/y/cct0_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O18 - Filter: text/html - {39C71C40-C3FE-11D9-9FCF-44457521A408} - C:\WINDOWS\SYSTEM\AOAJ.DLL
O18 - Filter: text/plain - {39C71C40-C3FE-11D9-9FCF-44457521A408} - C:\WINDOWS\SYSTEM\AOAJ.DLL

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):

C:\WINDOWS\SYSTEM32\USBN.EXE
gclib.exe <<<Probably found in C:\Windows or C:\Windows\System32
C:\WINDOWS\SYSTEM\atiupdpl.exe
C:\WP.EXE

Now click Start, All Programs, CleanUP!. Click the "CleanUP!" button and when asked to logoff click NO. Now reboot normally and post a new hijack this log.

-=jonnyrotten=- :tazz:
  • 0

#3
V.Srinivasa rao
Posted 17 May 2005 - 12:05 PM

V.Srinivasa rao

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Dear sir,

I have exactly done as per your instructions and my new hijack log is as below.

Logfile of HijackThis v1.99.1
Scan saved at 11:14:13 PM, on 5/17/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\HJT\HIJACKTHIS.EXE

F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O16 - DPF: Win32 Classes - file://C:\WINDOWS\Java\classes\win32ie4.cab

Still after booting my screen shows that iam infected with trojan-spy .........


Please reply
  • 0

#4
-=jonnyrotten=-
Posted 17 May 2005 - 12:31 PM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Just hang in there with me ok? I usually see this infection on WinXP computers and you are using Win98, so I'm checking to see if there is a special fix for this.

-=jonnyrotten=- :tazz:
  • 0

#5
-=jonnyrotten=-
Posted 17 May 2005 - 03:10 PM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Ok, the regular fix will work, are you ready? Here we go...

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid

Exit Add/Remove Programs.

*IMPORTANT*CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

Please copy all of the Killbox file paths below and paste them into Notepad.

C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\WINDOWS\System\wldr.dll
C:\Windows\System\helper.exe
C:\Windows\System\intmonp.exe
C:\Windows\System\msmsgs.exe
C:\Windows\System\ole32vbs.exe
C:\Windows\system\msole32.exe

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.
Unzip it to the desktop.

* Please run Killbox.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting them and pressing CTRL + C:

C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\WINDOWS\System\wldr.dll
C:\Windows\System\helper.exe
C:\Windows\System\intmonp.exe
C:\Windows\System\msmsgs.exe
C:\Windows\System\ole32vbs.exe
C:\Windows\system\msole32.exe

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.

Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System\Log Files
C:\Program Files\Security IGuard

Reboot into normal mode.

Open Notepad. Copy EVERYTHING in the box below and paste it into a new notepad file. Change the 'Save As Type' to "All Files" and save it as fix.reg on your desktop. Make sure there is NO blank line above REGEDIT4:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"notepad.exe"=-
"notepad2.exe"=-
"winlogon.exe"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"WallpaperStyle"=-
"Wallpaper"=-
"NoDispBackgroundPage"=-
"NoDispAppearancePage"=-

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"=-
"WallpaperStyle"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-
"NoActiveDesktop"=-
"NoSaveSettings"=-
"ClassicShell"=-
"NoThemesTab"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=-


Locate fix.reg on your desktop and doubleclick on it. When asked if you want to merge with the registry click YES. After you receive the prompt "merged successfully", follow the rest of instructions below.

1.) Download the Hoster from HERE Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Right Click HERE and go to Save As in order to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

Reboot your computer

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan

-=jonnyrotten=- :tazz:
  • 0

#6
V.Srinivasa rao
Posted 22 May 2005 - 03:13 AM

V.Srinivasa rao

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Dear sir,

Thanks a lot.At least i got rid of the security message that my system is infected with trojan------, by following your reply.As informed i ran ACTIVE SCAN but as it was taking too long time i stopped it in between and hence i could not add the active scan log.Any way please find below latest hyjack this log.

Earlier i downloaded free AVG antivirus and later un installed it.But after rebooting now the screen shows it could not find some file in C:\program files\grysoft\AVG----- and asking me to press any key to continue (The message is referring to system.ini file.)

Please let me know what antivirus files and spyware programs , fire walls to be down loaded so that to avoid the recurrence of the trojan---- etc will be avoided..Whether all the programs down loaded while following your instructions need to be removed or kept as it is.

Please reply.

Thanking you

V.Srinivasa rao
  • 0

#7
-=jonnyrotten=-
Posted 22 May 2005 - 12:54 PM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Please post the Hijack This log so we can make sure that you are clean. ;)

-=jonnyrotten=- :tazz:
  • 0

#8
V.Srinivasa rao
Posted 23 May 2005 - 02:54 AM

V.Srinivasa rao

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Dear Sir,

Iam extremely sorry not to have posted the hijack this log.Please find attached the log here.By this time i have installed avg free from internet again to avoid seeing the error messages while bootin up.

Logfile of HijackThis v1.99.1
Scan saved at 2:25:07 PM, on 5/23/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\HJT\HIJACKTHIS.EXE

F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O16 - DPF: Win32 Classes - file://C:\WINDOWS\Java\classes\win32ie4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

Regards

V.Srinivasa rao
  • 0

#9
-=jonnyrotten=-
Posted 23 May 2005 - 12:19 PM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Very nice, you look clean to me. Please visit my anti-malware page, you can find the link in my signature. Read up there on what to install to keep yourself safe, and how to stay that way. Let me know if you have anymore questions. Avg is a very good antivirus program, by the way :tazz:

-=jonnyrotten=- ;)
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP