Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

another trojan-spy.html.smitfraud.c


  • This topic is locked This topic is locked

#1
kozmob

kozmob

    Member

  • Member
  • PipPip
  • 10 posts
I have the blue screen with the message “A fatal error in IE kas occured error caused by trojan-spy.html.smitfraud.c"

Based on advice in other threads I have run HijackThis. I didn' t check nor fix anything to fix because I don't recognize some of it.

I then ran activescan from pandasoftware. It found 30 infections and repaired 10, but then at end said it had deleted all.

I have attached logs from HJT and activescan.

thanks for any help; what to do next.
Kozmo

:tazz: HJT
Logfile of HijackThis v1.99.1
Scan saved at 7:39:40 AM, on 6/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Quicken\bagent.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\+ Kozmo docs\hijack\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Broadband Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gopher=localhost:1;https=sas.r1.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r1.attbi.com
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: PT Cancel Popups - {30C4957C-A15E-48E2-99ED-7623B8EF4182} - C:\Program Files\Picture Tools\PT_CancelPopups.dll
O2 - BHO: PT Filter Links - {3C84954D-23A1-4D71-9185-6BE2BB312C24} - C:\Program Files\Picture Tools\PT_FilterLinks.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Vie&w All Pics - file:///C:\Program Files\Picture Tools\ViewAllPics.htm
O8 - Extra context menu item: View A&ll Pics in New Win - file:///C:\Program Files\Picture Tools\ViewAllPicsOpen.htm
O9 - Extra button: View All Pics - {011D31E2-52A7-4703-8923-585EE67C112B} - C:\Program Files\Picture Tools\Ext_ViewAllPics.exe
O9 - Extra 'Tools' menuitem: View All Pics - {011D31E2-52A7-4703-8923-585EE67C112B} - C:\Program Files\Picture Tools\Ext_ViewAllPics.exe
O9 - Extra button: Download Pics - {0229FA56-9A3D-4018-9017-1918F8EC2C93} - C:\Program Files\Picture Tools\Ext_DownloadPics.exe
O9 - Extra 'Tools' menuitem: Download Pics - {0229FA56-9A3D-4018-9017-1918F8EC2C93} - C:\Program Files\Picture Tools\Ext_DownloadPics.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcaf...ed/comctl32.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX Object) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (Talisma NetAgent Customer ActiveX Control version 3) - https://quicken.ehos...s/custappx3.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150...etzip/RdxIE.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097543860221
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://zinio.earthc....ader/isetup.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,21/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {DA28C54E-D95C-11D3-9A01-005004677EF4} - http://download.mcaf...c/CDM/McCDM.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup144.cab
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe




;) ACTIVESCAN
Incident Status Location

Virus:Trj/Downloader.DAI Disinfected C:\WINDOWS\SYSTEM32\msmsgs.exe
Virus:W32/Smitfraud.A Disinfected C:\WINDOWS\SYSTEM32\wininet.dll
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\uninstIU.exe
Virus:Trj/Downloader.GW Disinfected C:\htloader.exe
Spyware:Spyware/XXXToolbar No disinfected C:\Documents and Settings\Preferred Customer\Local Settings\Temp\Temporary Internet Files\Content.IE5\UOKVE5IT\prompt[1].htm
Virus:Trj/Relink.A Disinfected C:\Documents and Settings\Preferred Customer\Local Settings\Temp\Temporary Internet Files\Content.IE5\45A701EB\counter[1].htm
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Preferred Customer\Favorites\Online Pharmacy\Online Pharmacy.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Preferred Customer\Favorites\Online Pharmacy\Adipex.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Preferred Customer\Favorites\Online Pharmacy\Alprazolam.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Preferred Customer\Favorites\Online Pharmacy\Carisoprodol.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Preferred Customer\Favorites\Online Pharmacy\Diazepam.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Preferred Customer\Favorites\Online Pharmacy\Hydrocodone.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Preferred Customer\Favorites\Online Pharmacy\Lortab.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Preferred Customer\Favorites\Online Pharmacy\Prozac.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Preferred Customer\Favorites\Online Pharmacy\Valium.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Preferred Customer\Favorites\Online Pharmacy\Vicodin.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Preferred Customer\Favorites\Online Pharmacy\Xanax.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Preferred Customer\Favorites\Online Gambling\Online Gambling.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Preferred Customer\Favorites\Black Jack Online.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Preferred Customer\Favorites\Online Gambling.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Preferred Customer\Favorites\Home Loan.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Preferred Customer\Favorites\Online Pharmacy.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Preferred Customer\Favorites\Network Security.url
Adware:Adware/SuperSpider No disinfected C:\Documents and Settings\Preferred Customer\Favorites\Online Dating.url
Virus:Trj/Relink.A Disinfected C:\+ Kozmo docs\Pics sx\+ N-S sort\simonscans ruby_files\counter.htm
Virus:Trj/Relink.A Disinfected C:\+ Kozmo docs\Pics sx\+ N-S sort\simonscans ruby_files\counter(1).htm
Virus:Trj/Relink.A Disinfected C:\+ Kozmo docs\Pics sx\+ T-Z sort\tequila_files\counter.htm
Virus:Trj/Relink.A Disinfected C:\+ Kozmo docs\Pics sx\+ T-Z sort\tequila_files\counter(1).htm
Virus:Trj/Relink.A Disinfected C:\+ Kozmo docs\Pics sx\+ T-Z sort\ypn a_files\counter.htm
Virus:Trj/Relink.A Disinfected C:\+ Kozmo docs\Pics sx\+ T-Z sort\ypn a_files\counter(1).htm
  • 0

Advertisements


#2
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome kozmob to Geeks to Go!

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!


***

Please disable SpybotSD TeaTimer, as it may hinder the removal of the infection. You can enable it after you're clean.
To disable SpybotSD TeaTimer:

Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on System Startup icon.
Uncheck Teatimer box.
Click Allow Change box..

***

We need to make sure all hidden files are showing so please:* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
***

Please RIGHT-CLICK: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

***

Open HijackThis
Go to ‘config’
Go to ‘misc tools’
Press the button ‘open uninstall manager’
In the list find:
Security IGuard
Virtual Maid
Search Maid
Press ‘delete this item’.
Press ‘back’

***

* Please download the Killbox. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe
C:\WINDOWS\uninstIU.exe
C:\Documents and Settings\Preferred Customer\Favorites\Black Jack Online.url
C:\Documents and Settings\Preferred Customer\Favorites\Online Gambling.url
C:\Documents and Settings\Preferred Customer\Favorites\Home Loan.url
C:\Documents and Settings\Preferred Customer\Favorites\Online Pharmacy.url
C:\Documents and Settings\Preferred Customer\Favorites\Network Security.url
C:\Documents and Settings\Preferred Customer\Favorites\Online Dating.url


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

***

Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files <-WILL be there!
C:\Program Files\Security Iguard
C:\Documents and Settings\Preferred Customer\Favorites\Online Pharmacy\
C:\Documents and Settings\Preferred Customer\Favorites\Online Gambling\

***

Open HijackThis and scan.
Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe

O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\system32\msmsgs.exe

O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150...etzip/RdxIE.cab

O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab[/

Click on Fix Checked when finished and exit HijackThis.


Reboot into normal mode.

***

Download Hoster
Unzip it to a convenient place and open the program.
Choose "Restore Original Hosts" and press "OK".
Close the program.

***

Download: deldomains.
To use: right-click and select: Install (no need to restart)
Should the link above display the text instead of downloading the file, then copy & paste the text into notepad and save the file as DellDomains.inf
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

***

There may also be a number of icons in the system folder that don't belong. Here are some examples:

casino.ico
date.ico
games.ico
mobile.ico
network.ico
pharm.ico
pharm2.ico
scanner.ico
spam.ico
spyware.ico


***

Download CleanUp!.
If that doesn’t work, use this link.

Go to options
Select ‘custom’
Put a check to:* empty recycle bins
* delete prefetch files
* CleanUp! All users.
Press 'cleanup!'

Once it's done, log off and log on again. This will remove files that were in use during the scan.

***

Please do an online scan, 2 would be better,

Trend Micro Housecall
Panda online scan

Make sure that you choose "fix" or "clean".

Save the results from the scan!

***

Post back here in this topic using the button ‘add reply’:
The results from the AV scan and a fresh log using HijackThis.

Edited by g2i2r4, 11 June 2005 - 11:58 AM.

  • 0

#3
kozmob

kozmob

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Thanks. I followed the instructions but something is not cleal.

Your instructions included the following:

"While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

***

Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files <-WILL be there!
C:\Program Files\Security Iguard
C:\Documents and Settings\Preferred Customer\Favorites\Online Pharmacy\
C:\Documents and Settings\Preferred Customer\Favorites\Online Gambling\

***

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = "

and so forth.

BY booting into safe mode, HijackThis was no longer running. After I did the deletions in safe mode, I opened HJT but could not find a place to place the checks against the processes or whatever. In the meantime somewhere here my obvious problem (desktop not available) has been fixed. I'd like to continue with the fixing process though but can't figure out this step. - thanks / Kozmo
  • 0

#4
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
I'm unsure about your question.
I think you have been looking in HijackThis to find Windows Explorer. You won't find it there.
Go to start - Windows Explorer to remove folders. If I want you to use HijackThis, I mentioned it.

Was this an answer to your question?
  • 0

#5
kozmob

kozmob

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
No. My confusion is within your post you suggested I
1. boot to safe mode
2. "Using Windows Explorer, delete the following ..."
3 "Close all programs leaving only HijackThis running..."
4. "Place a check against each of the following..."

BY booting into safe mode, HijackThis was no longer running. I did the deletions in safe mode with Windows Explorer, then I opened HJT but I could not find where to "Place a check against each of the following".

- thanks / Kozmo
  • 0

#6
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Ah, now I understand the confussion. I edited my advise a bit, I hope it's more clear now.
  • 0

#7
kozmob

kozmob

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Thanks for all the help. I followed all of your instructions. On the last PandaOnline scan there were 2 infections found and just 1 was disinfected. Things seem to be working well though. A donation will be on the way and here's my clean HijackThis log. Thanks again / Kozmo :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 3:01:33 PM, on 6/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Quicken\bagent.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\+ Kozmo docs\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Broadband Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gopher=localhost:1;https=sas.r1.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r1.attbi.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: PT Cancel Popups - {30C4957C-A15E-48E2-99ED-7623B8EF4182} - C:\Program Files\Picture Tools\PT_CancelPopups.dll
O2 - BHO: PT Filter Links - {3C84954D-23A1-4D71-9185-6BE2BB312C24} - C:\Program Files\Picture Tools\PT_FilterLinks.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Vie&w All Pics - file:///C:\Program Files\Picture Tools\ViewAllPics.htm
O8 - Extra context menu item: View A&ll Pics in New Win - file:///C:\Program Files\Picture Tools\ViewAllPicsOpen.htm
O9 - Extra button: View All Pics - {011D31E2-52A7-4703-8923-585EE67C112B} - C:\Program Files\Picture Tools\Ext_ViewAllPics.exe
O9 - Extra 'Tools' menuitem: View All Pics - {011D31E2-52A7-4703-8923-585EE67C112B} - C:\Program Files\Picture Tools\Ext_ViewAllPics.exe
O9 - Extra button: Download Pics - {0229FA56-9A3D-4018-9017-1918F8EC2C93} - C:\Program Files\Picture Tools\Ext_DownloadPics.exe
O9 - Extra 'Tools' menuitem: Download Pics - {0229FA56-9A3D-4018-9017-1918F8EC2C93} - C:\Program Files\Picture Tools\Ext_DownloadPics.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcaf...ed/comctl32.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX Object) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (Talisma NetAgent Customer ActiveX Control version 3) - https://quicken.ehos...s/custappx3.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097543860221
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://zinio.earthc....ader/isetup.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,21/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {DA28C54E-D95C-11D3-9A01-005004677EF4} - http://download.mcaf...c/CDM/McCDM.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup144.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
  • 0

#8
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Can you post me the scanlog from Panda, so we can get ride of the one that got away?


Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe

Click on Fix Checked when finished and exit HijackThis.

Reboot to save mode.

Use Windows Explorer to remove this folder:
C:\Program Files\PSGuard\

Reboot back to normal mode.

How are things now?
  • 0

#9
kozmob

kozmob

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
hmmm. That online gambling.url showed up again. Here's the Panda log:

Incident Status Location

Virus:W32/Smitfraud.A Disinfected C:\WINDOWS\SYSTEM32\wininet.dll
Adware:Adware/CWS No disinfected C:\Documents and Settings\Preferred Customer\Favorites\Online Gambling\Online Gambling.url

And here's the fresh Hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 4:01:03 PM, on 6/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Quicken\bagent.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\cidaemon.exe
C:\+ Kozmo docs\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Broadband Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gopher=localhost:1;https=sas.r1.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r1.attbi.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: PT Cancel Popups - {30C4957C-A15E-48E2-99ED-7623B8EF4182} - C:\Program Files\Picture Tools\PT_CancelPopups.dll
O2 - BHO: PT Filter Links - {3C84954D-23A1-4D71-9185-6BE2BB312C24} - C:\Program Files\Picture Tools\PT_FilterLinks.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Vie&w All Pics - file:///C:\Program Files\Picture Tools\ViewAllPics.htm
O8 - Extra context menu item: View A&ll Pics in New Win - file:///C:\Program Files\Picture Tools\ViewAllPicsOpen.htm
O9 - Extra button: View All Pics - {011D31E2-52A7-4703-8923-585EE67C112B} - C:\Program Files\Picture Tools\Ext_ViewAllPics.exe
O9 - Extra 'Tools' menuitem: View All Pics - {011D31E2-52A7-4703-8923-585EE67C112B} - C:\Program Files\Picture Tools\Ext_ViewAllPics.exe
O9 - Extra button: Download Pics - {0229FA56-9A3D-4018-9017-1918F8EC2C93} - C:\Program Files\Picture Tools\Ext_DownloadPics.exe
O9 - Extra 'Tools' menuitem: Download Pics - {0229FA56-9A3D-4018-9017-1918F8EC2C93} - C:\Program Files\Picture Tools\Ext_DownloadPics.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcaf...ed/comctl32.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX Object) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (Talisma NetAgent Customer ActiveX Control version 3) - https://quicken.ehos...s/custappx3.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097543860221
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://zinio.earthc....ader/isetup.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,21/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {DA28C54E-D95C-11D3-9A01-005004677EF4} - http://download.mcaf...c/CDM/McCDM.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup144.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe

Things seem to be working fine now.
Kozmo
  • 0

#10
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Please hold, I've noticed something. I have to consult the Spyware Veteran on our next move.
  • 0

Advertisements


#11
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Hi kozmob,

Can you do a Find Files for wininet.dll ?

Let me know where the file is found.
One of the folders it is in should be C:\WINDOWS\system32\
I would like you to have that file scanned at:
http://virusscan.jotti.org/

Let us know the results of that scan as well.

Regards,
  • 0

#12
kozmob

kozmob

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Found wininet.dll twice.

Here's the scan results from the one in System32:
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.DownLoader.2636
F-Prot Antivirus Found nothing
Fortinet Found Nsag.A
Kaspersky Anti-Virus Found Virus.Win32.Nsag.a
NOD32 Found Win32/Oleloa.A
Norman Virus Control Found nothing
VBA32 Found nothing

and in ServicePackFiles/i386: Found nothing

Kozmo
  • 0

#13
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Excellent. Reboot your computer and make sure it doesn't connect to the internet.
Unplug it if necessary.

Then copy C:\WINDOWS\ServicePackFiles\i386\wininet.dll
and paste it into C:\WINDOWS\System32\wininet.dll

You will be prompted if you want to replace the one already present. You do.

I hope that works. Let me know.

Regards,
  • 0

#14
kozmob

kozmob

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
As far as I know I did it. It wouldn't let me paste the file because it was supposedly being used by another process - I was unplugged and had shut down all programs. I was able to rename it - go figure - and then paste the new one in.

All seems to be a-ok. Thanks.

I assume I should now uninstall all these scanning programs; hoster, deldomains, cleanup, and hijackthis. Are there any I should keep and run regularly? I also have adaware and spybot installed and generally use them every few weeks.

Thanks / Kozmo
  • 0

#15
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Hi Kozmo,

Can you let me know exactly what procedure you followed?
Guessing:
1. renamed C:\WINDOWS\System32\wininet.dll to something else
2. copied C:\WINDOWS\ServicePackFiles\i386\wininet.dll into C:\WINDOWS\System32
3. Rebooted

Have the file wininet.dll that is now in your system32 folder scanned to make sure it's clean.

And post a new HijackThis log so we can clean out what's left.

Regards,
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP