I just recently (a couple of hours ago actually) got various malware downloaded onto my computer which originally kept forcing a pop-up on me, as well as an IE bluescreen error which said my computer was infected by a Trojan file (which I found to belong to the Smitfraud group).
This was very, very terrifying; I kept panicking and shaking. My pulse was also racing quite fast and I thought I had hypertension... anyways...
In the Processes menu in the Taskbar, there were numerous processes which I never saw before and I tried to End them but could not since they kept coming back.
I first used Ad-Aware to see if it could remove the problems but it did not. I then used a program called XoftSpy and it provided me the location of these .exe processes and applications. I deleted them and the IE bluescreen stopped appearing.
However, afterwards, I kept getting a Windows Explorer error and every time I pressed on Don't Send, a new one would come up. Also during this time, I was able to access various applications such as Internet Explorer since it would freeze on me and close while the Windows Explorer error box was present.
I then changed the date on the clock which was actually wrong and the Windows Explorer error stopped.
I thought I fixed the problems but not entirely I think. I have lost control of my Desktop and my icons do not appear. I have kept the Desktop option of hiding the icons but now when I right-click and go to "Arrange Icons by", none of the options come up for me.
Moreover, there are only two tabs when I right-click to go to Display Properties.
I've downloaded, installed and ran almost all the programs as per the instructions here: http://www.geekstogo..._Log-t2852.html
I ran Spybot, CWShredder, ewido security suite, TDS-3 and Ad-Aware. But none were successful in fixing the problem.
Apparently, as I'm told there is a registry problem which I agree with.
Running XoftSpy again, it showed Malware Registry Keys and Values. But I cannot delete these files since I don't know how to.
The files XoftSpy located were various SmitFraud (Trojan-Spy.HTML.Smitfraud.c), CWS.Homepage, W32/Goabot.CG types. And they were located in various Software\Microsoft folders.
Some of the locations matched up with what HijackThis found but the others were found. Here is where they basically are if it helps:
W32/Goabot.CG
-Software\Microsoft\Code Store Database\Distribution Units\
SmitFraud
-CLSID\VMHOMEPAGE
-VMHOMEPAGE
-Software\Microsoft\Internet Explorer\
-Software\Microsoft\Windows\Current Version
CWHomepage
-found on HijackThis Log
So I am asking for your great help in helping fix and end this problem.
Here is my HijackThis log, which is followed by the ewido security suite log:
Logfile of HijackThis v1.99.1
Scan saved at 11:53:36 AM, on 09/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: C:\WINDOWS\system32\adsldpbc.dll - {405132A4-5DD1-4BA8-A181-95C8D435093A} - C:\WINDOWS\system32\adsldpbc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: C:\WINDOWS\system32\winstyle2.dll - {6AC3806F-8B39-4746-9C38-6B01CB7331FF} - C:\WINDOWS\system32\winstyle2.dll
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp3F38.tmp (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lsi] C:\WINDOWS\System32\lsi.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Play - {34F16BC0-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\play.lnk
O9 - Extra button: Stop - {3D5A6FA0-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\stop.lnk
O9 - Extra button: Previous - {49C350E0-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\prev.lnk
O9 - Extra button: Next - {59611E60-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\next.lnk
O9 - Extra button: Minimize/Restore Winamp - {86227B80-FF8F-11D4-B08F-90A456C10100} - C:\PROGRA~1\WINAMP~1\Links\minmax.lnk
O9 - Extra button: Pause - {8D2B7B00-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\pause.lnk
O9 - Extra button: Open/Close Winamp - {A144BE80-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\start.lnk
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.166.110....chm::/file.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: style2 - C:\WINDOWS\system32\winstyle2.dll
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Mark\My Documents\CWShredder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
And here is the ewido log. I didn't know whether to delete the files ewido found...
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 10:02:06 AM, 09/06/2005
+ Report-Checksum: 4626C5B
+ Date of database: 09/06/2005
+ Version of scan engine: v3.0
+ Duration: 39 min
+ Scanned Files: 72569
+ Speed: 30.82 Files/Second
+ Infected files: 41
+ Removed files: 41
+ Files put in quarantine: 41
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
+ Scan result:
C:\WINDOWS\SYSTEM32\DRIVERS\etc\HOSTS.bak -> Trojan.Qhost.av -> Cleaned with backup
C:\WINDOWS\uninstIU.exe -> Trojan.Agent.eo -> Cleaned with backup
C:\WINDOWS\q4188362_disk.dll -> TrojanDownloader.Delf.pa -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\open.exe -> Backdoor.Haxdoor -> Cleaned with backup
C:\Documents and Settings\jhess\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\jhess\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users.WINDOWS\Application Data\Pribi\Pribi.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\Documents and Settings\Mark\Cookies\mark@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mark\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP56\A0022447.exe -> Spyware.OnFlow -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP56\A0022435.exe -> Spyware.OnFlow -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP56\A0022495.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP56\A0022498.exe -> Trojan.TopAntiSpyware.l -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP56\A0022500.exe -> Trojan.Puper.l -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP56\A0022504.exe -> Trojan.Puper.m -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP56\A0022511.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP56\A0022512.exe -> Trojan.TopAntiSpyware.l -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP57\A0022545.exe -> Trojan.TopAntiSpyware.l -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP57\A0022548.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP57\A0022556.exe -> Trojan.Puper.m -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP57\A0022560.exe -> Trojan.Agent.eo -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP57\A0022561.exe -> Trojan.Puper.l -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP57\A0022572.exe -> Spyware.OnFlow -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP58\A0022606.exe -> Trojan.TopAntiSpyware.l -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP58\A0022609.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP58\A0022617.exe -> Trojan.Puper.m -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP58\A0022621.exe -> Trojan.Agent.eo -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP58\A0022622.exe -> Trojan.Puper.l -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP58\A0022633.exe -> Spyware.OnFlow -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP59\A0022667.exe -> Trojan.TopAntiSpyware.l -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP59\A0022670.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP59\A0022678.exe -> Trojan.Puper.m -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP59\A0022682.exe -> Trojan.Agent.eo -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP59\A0022683.exe -> Trojan.Puper.l -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP59\A0022694.exe -> Spyware.OnFlow -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP60\A0022744.exe -> Trojan.TopAntiSpyware.l -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP60\A0022747.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP60\A0022755.exe -> Trojan.Puper.m -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP60\A0022759.exe -> Trojan.Agent.eo -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP60\A0022760.exe -> Trojan.Puper.l -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP60\A0022771.exe -> Spyware.OnFlow -> Cleaned with backup
::Report End
Thanks in advance for any and all help. I'll be checking in daily and report my status.
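Added example (not part of the original post, and not HijackThis's or ewido's own code): a small Python triage script that parses HijackThis log lines of the kind pasted above and flags the entry types a forum helper reads first: redirected IE start/search pages (R0/R1), non-loopback hosts-file entries (O1), BHOs whose file is missing or that have only a DLL path for a name (O2), autorun entries launching a bare executable straight from the Windows or System32 folder (O4), added Trusted Zone sites (O15), ActiveX download objects pointing at an executable or an `ms-its:` CHM URL (O16), and Winlogon Notify DLLs (O20). The sample input is a handful of complete lines copied from the log in the post; the allowlist of trusted home-page hosts and the "bare executable in a system folder" heuristic are my own assumptions, not HijackThis rules.

```python
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: complete lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp3F38.tmp (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O15 - Trusted Zone: *.coolwebsearch.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O20 - Winlogon Notify: style2 - C:\WINDOWS\system32\winstyle2.dll
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""

# Every HijackThis entry is "<code> - <body>", e.g. "O4 - HKLM\..\Run: [name] target".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")

# Assumed allowlist of hosts that are normal for an IE start/search page (my choice, not a HijackThis list).
TRUSTED_HOMEPAGE_HOSTS = {"www.microsoft.com", "www.msn.com", "search.msn.com"}
# Assumed heuristic: an autorun target sitting directly in these folders deserves a second look.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")


@dataclass
class Finding:
    code: str
    reason: str
    line: str


def check_r(body):
    """R0/R1: 'key,value = URL'; anything but about:blank or an allowlisted host is a hijack candidate."""
    _, _, url = body.partition(" = ")
    url = url.strip()
    if not url or url == "about:blank":
        return None
    host = urlparse(url).hostname or ""
    return f"IE start/search page points at {host}" if host not in TRUSTED_HOMEPAGE_HOSTS else None


def check_o1(body):
    """O1: 'Hosts: <ip> <name>'; a non-loopback mapping silently redirects that name."""
    ip, _, name = body.partition("Hosts: ")[2].partition(" ")
    return f"hosts file redirects {name} to {ip}" if ip not in {"127.0.0.1", "0.0.0.0", "::1"} else None


def check_o2(body):
    """O2: 'BHO: <name> - {CLSID} - <path>'; missing files and path-only names are typical of hijackers."""
    parts = body[len("BHO: "):].split(" - ")
    if len(parts) < 3:
        return None
    name, path = parts[0], " - ".join(parts[2:])
    if path.endswith("(file missing)"):
        return "BHO registered for a file that no longer exists (leftover of a removed hijacker)"
    if name.lower() == path.lower():
        return "BHO has no display name, only its own DLL path"
    return None


def check_o4(body):
    """O4: '...Run: [name] target'; flag bare executables launched straight from a system folder."""
    m = re.search(r"\[(?P<name>[^\]]*)\] (?P<target>.+)$", body)
    if not m:
        return None
    target = m.group("target").strip()
    exe = target[1:].split('"', 1)[0] if target.startswith('"') else target.split(" ", 1)[0]
    folder = exe.lower().rsplit("\\", 1)[0] + "\\"
    return f"autorun launches {exe} straight from {folder}; verify the file's publisher" if folder in SYSTEM_DIRS else None


def check_o15(body):
    """O15: any site added to the Trusted Zone gets relaxed IE security settings."""
    return f"site added to IE Trusted Zone: {body.partition('Trusted Zone: ')[2]}"


def check_o16(body):
    """O16: 'DPF: {CLSID} (Name) - URL'; an ms-its: CHM URL or a raw .exe is a download object to remove."""
    url = body.rsplit(" - ", 1)[-1].strip().lower()
    return "ActiveX download object points at a CHM-embedded or raw executable" if url.startswith("ms-its:") or url.endswith(".exe") else None


def check_o20(body):
    """O20: a Winlogon Notify DLL loads before the desktop, which is why killing processes does not help."""
    return f"DLL loaded by winlogon at logon: {body.partition('Winlogon Notify: ')[2]}"


CHECKS = {"R0": check_r, "R1": check_r, "O1": check_o1, "O2": check_o2,
          "O4": check_o4, "O15": check_o15, "O16": check_o16, "O20": check_o20}


def triage(log_text):
    """Return the flagged entries, in log order; unchecked codes (O3, O9, O23, ...) are passed over."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        check = CHECKS.get(m.group("code"))
        reason = check(m.group("body")) if check else None
        if reason:
            findings.append(Finding(m.group("code"), reason, raw.strip()))
    return findings


def summarize(findings):
    """Count flagged entries per HijackThis code, e.g. {'O2': 1, 'O4': 1, ...}."""
    return dict(Counter(f.code for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.reason}\n     {f.line}")
```

The script is read-only: it only reads a pasted log and names the lines worth asking about, so it can be run against any HijackThis log before deciding what to fix.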