[JeremyBowen]

Wallpaper is blue w/error:
A fatal error has occured at 0028:C0011E36 in VXD VMM(01) + 00010E36. Trojan-Spy.HTML.Smitfraud.c

Ran Ad Aware and Spybot. Downloaded Ewido anti virus progam, scaned repaired and saved log. Ran Hijack This and saved log for viewng. Now need help to finish please. Here is my Hijack log and Ewido log.

Logfile of HijackThis v1.99.1
Scan saved at 3:33:27 AM, on 5/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\AT&T\WnClient\Programs\WNConnect.exe
C:\PROGRA~1\AT&T\WNCLIENT\PROGRAMS\WNCSMS~1.EXE
C:\Program Files\AT&T Worldnet Accelerator\PropelAC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {923CB126-0F94-2E64-E1DD-56C0CE965B9F} - C:\WINDOWS\system32\hdugpmnr.dll (file missing)
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [Haru] C:\Documents and Settings\Administrator\Application Data\otcs.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{63308A98-D0A8-4E8F-9D8E-E619554257C8}: NameServer = 204.127.129.4 12.102.244.2
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:18:58 AM, 5/18/2005
+ Report-Checksum: F6F368B0

+ Date of database: 5/18/2005
+ Version of scan engine: v3.0

+ Duration: 21 min
+ Scanned Files: 48774
+ Speed: 37.27 Files/Second
+ Infected files: 27
+ Removed files: 27
+ Files put in quarantine: 27
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\wp.exe -> Trojan.Agent.ct -> Cleaned with backup
C:\WINDOWS\SYSTEM32\rpcxnav.exe -> Backdoor.Agobot.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM32\TFTP1076 -> Backdoor.Rbot -> Cleaned with backup
C:\WINDOWS\SYSTEM32\msn7.exe -> Backdoor.SdBot -> Cleaned with backup
C:\WINDOWS\SYSTEM32\wldr.dll -> TrojanDownloader.Agent.le -> Cleaned with backup
C:\WINDOWS\SYSTEM32\lpzxcz324534xct.exe -> Trojan.LowZones.y -> Cleaned with backup
C:\WINDOWS\SYSTEM32\nеtdde.exe -> Spyware.PurityScan.bj -> Cleaned with backup
C:\WINDOWS\loadclean.exe -> TrojanDownloader.Small.vn -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaAccX.dll -> Spyware.WinAD -> Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\sidefind.exe -> TrojanDownloader.IstBar.jd -> Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\cxtpls_loader.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\rs.exe -> Spyware.PurityScan.w -> Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\temp.frBC41\istsvc.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\61QLMBU7\istsvc[1].exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@Windows-Registry-Repair-SE[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jared\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jared\Cookies\jared@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Cheri\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Cheri\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\backup-20050511-003125-505.dll -> Spyware.PurityScan.ak -> Cleaned with backup
C:\Downloads\GutterballSetup-dm[1].exe -> Spyware.Trymedia.a -> Cleaned with backup


::Report End

Edited by JeremyBowen, 18 May 2005 - 04:35 AM.

[Advertisements]

Welcome JeremyBowen to Geeks to Go!

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!

We need to make sure all hidden files are showing so please:* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Right click here and click Save Target As. Save the file to your desktop. Double click on the file you saved to run it. It will ask you if you want to merge it with your registry. Click Yes and then Ok on the confirmation. You will have to reboot for this to take effect.

***

Open HijackThis
Go to ‘config’
Go to ‘misc tools’
Press the button ‘open uninstall manager’
In the list find:

Security IGuard
Virtual Maid
Search Maid

Press ‘delete this item’.
Press ‘back’

***

Go to ‘config’
Go to ‘misc tools’
Press ‘open process manager’
Select the process, press ‘kill process’ (and repeat this if necessary):

C:\wp.exe
C:\wp.bmp
C:\Winnt\sites.ini
C:\Winnt\popuper.exe
C:\WINDOWS\System32\wldr.dll
C:\Winnt\System32\helper.exe
C:\Winnt\System32\intmonp.exe
C:\Winnt\System32\msmsgs.exe
C:\Winnt\System32\ole32vbs.exe
C:\Winnt\system32\msole32.exe
C:\Documents and Settings\Administrator\Application Data\otcs.exe

Exit HijackThis.

***

Click Here to download Killbox by Option^Explicit.
Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
In the killbox program, select the Delete on Reboot option.
Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\wp.exe
C:\wp.bmp
C:\Winnt\sites.ini
C:\Winnt\popuper.exe
C:\WINDOWS\System32\wldr.dll
C:\Winnt\System32\helper.exe
C:\Winnt\System32\intmonp.exe
C:\Winnt\System32\msmsgs.exe
C:\Winnt\System32\ole32vbs.exe
C:\Winnt\system32\msole32.exe
C:\Documents and Settings\Administrator\Application Data\otcs.exe

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

***

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

O2 - BHO: (no name) - {923CB126-0F94-2E64-E1DD-56C0CE965B9F} - C:\WINDOWS\system32\hdugpmnr.dll (file missing)

O4 - HKCU\..\Run: [Haru] C:\Documents and Settings\Administrator\Application Data\otcs.exe

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab

Click on Fix Checked when finished and exit HijackThis.

***

Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Winnt\System32\Log Files <-WILL be there!
C:\Program Files\Security Iguard

Reboot into normal mode.

***

Download Hoster
Unzip it to a convenient place and open the program.
Choose "Restore Original Hosts" and press "OK".
Close the program.

***

Download: deldomains.
To use: right-click and select: Install (no need to restart)
Should the link above display the text instead of downloading the file, then copy & paste the text into notepad and save the file as DellDomains.inf
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

***

There may also be a number of icons in the system folder that don't belong. Here are some examples:

casino.ico
date.ico
games.ico
mobile.ico
network.ico
pharm.ico
pharm2.ico
scanner.ico
spam.ico
spyware.ico

***

Download CleanUp!.
If that doesn’t work, use this link.
Don't run the program, we'll do that later.

Go to options
Select ‘custom’
Put a check to:
[list]* empty recycle bins
* delete prefetch files
* CleanUp! All users.[list]
Press 'cleanup!'

Once it's done, log off and log on again. This will remove files that were in use during the scan.

***

Please do an online scan, 2 would be better,

Trend Micro Housecall
Panda online scan

Make sure that you choose "fix" or "clean".

Save the results from the scan!

***

Post back here in this topic using the button ‘add reply’:
The results from the AV scan and a fresh log using HijackThis.



EDIT:
As there has been no reply from the original poster for more than two weeks this topic is now closed.

If you are the original poster and still need assistance, please send me a PM.

Edited by g2i2r4, 09 June 2005 - 03:24 PM.

[g2i2r4]

Welcome JeremyBowen to Geeks to Go!

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!

We need to make sure all hidden files are showing so please:* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Right click here and click Save Target As. Save the file to your desktop. Double click on the file you saved to run it. It will ask you if you want to merge it with your registry. Click Yes and then Ok on the confirmation. You will have to reboot for this to take effect.

***

Open HijackThis
Go to ‘config’
Go to ‘misc tools’
Press the button ‘open uninstall manager’
In the list find:

Security IGuard
Virtual Maid
Search Maid

Press ‘delete this item’.
Press ‘back’

***

Go to ‘config’
Go to ‘misc tools’
Press ‘open process manager’
Select the process, press ‘kill process’ (and repeat this if necessary):

C:\wp.exe
C:\wp.bmp
C:\Winnt\sites.ini
C:\Winnt\popuper.exe
C:\WINDOWS\System32\wldr.dll
C:\Winnt\System32\helper.exe
C:\Winnt\System32\intmonp.exe
C:\Winnt\System32\msmsgs.exe
C:\Winnt\System32\ole32vbs.exe
C:\Winnt\system32\msole32.exe
C:\Documents and Settings\Administrator\Application Data\otcs.exe

Exit HijackThis.

***

Click Here to download Killbox by Option^Explicit.
Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
In the killbox program, select the Delete on Reboot option.
Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\wp.exe
C:\wp.bmp
C:\Winnt\sites.ini
C:\Winnt\popuper.exe
C:\WINDOWS\System32\wldr.dll
C:\Winnt\System32\helper.exe
C:\Winnt\System32\intmonp.exe
C:\Winnt\System32\msmsgs.exe
C:\Winnt\System32\ole32vbs.exe
C:\Winnt\system32\msole32.exe
C:\Documents and Settings\Administrator\Application Data\otcs.exe

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

***

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

O2 - BHO: (no name) - {923CB126-0F94-2E64-E1DD-56C0CE965B9F} - C:\WINDOWS\system32\hdugpmnr.dll (file missing)

O4 - HKCU\..\Run: [Haru] C:\Documents and Settings\Administrator\Application Data\otcs.exe

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab

Click on Fix Checked when finished and exit HijackThis.

***

Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Winnt\System32\Log Files <-WILL be there!
C:\Program Files\Security Iguard

Reboot into normal mode.

***

Download Hoster
Unzip it to a convenient place and open the program.
Choose "Restore Original Hosts" and press "OK".
Close the program.

***

Download: deldomains.
To use: right-click and select: Install (no need to restart)
Should the link above display the text instead of downloading the file, then copy & paste the text into notepad and save the file as DellDomains.inf
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

***

There may also be a number of icons in the system folder that don't belong. Here are some examples:

casino.ico
date.ico
games.ico
mobile.ico
network.ico
pharm.ico
pharm2.ico
scanner.ico
spam.ico
spyware.ico

***

Download CleanUp!.
If that doesn’t work, use this link.
Don't run the program, we'll do that later.

Go to options
Select ‘custom’
Put a check to:
[list]* empty recycle bins
* delete prefetch files
* CleanUp! All users.[list]
Press 'cleanup!'

Once it's done, log off and log on again. This will remove files that were in use during the scan.

***

Please do an online scan, 2 would be better,

Trend Micro Housecall
Panda online scan

Make sure that you choose "fix" or "clean".

Save the results from the scan!

***

Post back here in this topic using the button ‘add reply’:
The results from the AV scan and a fresh log using HijackThis.



EDIT:
As there has been no reply from the original poster for more than two weeks this topic is now closed.

If you are the original poster and still need assistance, please send me a PM.

Edited by g2i2r4, 09 June 2005 - 03:24 PM.