Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

trojan-spy.html.smitfraud.c [RESOLVED]


  • This topic is locked This topic is locked

#1
psycho b

psycho b

    Member

  • Member
  • PipPip
  • 18 posts
Hello, i need some help PLEASE

ok, first of all i must say im completely dumb when it comes to computers so I'm a bit frustrated about this whole infection thing; i decided to restart my whole system with the cd's that came with the computer a few days ago, because something was clearly going on with it and my anti virus was not detecting it; anyway, after the whole reformat thing or whatever its called, my computer once again was infected with all sorts of stuff, i installed sunbelt's counterspy and have trend micro's pc-cillin 9 running, and even tho many of the stuff was gone with these two, i still had this blue screen on my desktop that said:

A fatal error in IE has ocurred at 0028:C00IIE36 in VXD VMM (01) + 00010E36
Error was caused by Trojan-spy.html.smitfraud.c
- System can not function in normal mode. Please check your security settings
- Scan your PC with any available antivirus/antispyware
remover program to fix the problem

all the tabs in desktop properties were gone except for "configuration" and "screensaver", i couldn't open internet explorer, a window kept popping up saying it had to close because it had encountered a fatal error, and when trying 2 shut down the computer windows kept popping up saying that mediacc couldnt close... i dont even know what that is. Pc-cillin would keep saying i needed 2 do an emergency bock because i was being attacked by spyware and windows kept saying there was spyware activity going on in my comp. Since i REALLY dont want to go through the whole reformatting thing everytime i get a virus, i would REALLY appreciate it you guys would help me.

I used Cleanup!, Ad-aware SE, CWShredder, Spybot S&D, Panda Active Scan, TDS 3, Counterspy and Pc-Cillin 9 to scan and clean whatever it found in my computer. Active Scan did find some stuff that could not be removed, but i didn't save the results, if you guys need them tell me and i'll run it again.

So now I think my computer is clean because i can open explorer, i can change the desktop image and pc-cillin has stopped saying im being attacked, but i dont know for sure it its clean and i was hoping you guys could tell me so that i can finally go and download windows sp2. what makes me think its still not completely disinfected is that Counterspy keeps saying different url's are being changed in internet explorer while im not using it, im using firefox; also, i only got three tabs in desktop properties, and maybe im just crazy but i remember there being more than 3 tabs... but im not sure about this; so anyway, here's my hijackthis log (in the "you must read this before posting... it said i shouldn't run highjackthis from a zip file, that i should save it on a separate folder... when i downloaded it i didnt get an "option" to save it anywhere, so i just opened it directly from the downloads window, is this how its supossed 2 be done??), PLEASE, if anyone could check it and tell me whether my comp is clean or not i would REALLY REALLY REALLY appreciate it, thanks for your time :tazz:


Logfile of HijackThis v1.99.1
Scan saved at 01:21:31 a.m., on 17/06/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Archivos de programa\Apoint\Apoint.exe
C:\WINDOWS\system32\qttask.exe
C:\Archivos de programa\Sony\HotKey Utility\HKserv.exe
C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\es-mx\msnappau.exe
C:\WINDOWS\system32\ipue.exe
C:\Archivos de programa\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Archivos de programa\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Apoint\Apntex.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\PowerPanel\Program\PcfMgr.exe
C:\Archivos de programa\Sony\VAIO Action Setup\VAServ.exe
C:\WINDOWS\system32\appmr.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\DOCUMENTS AND SETTINGS\PSYCHO [bleep]\ESCRITORIO\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\apjna.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\apjna.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\apjna.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\apjna.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\apjna.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\eqbmk.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://svcs.microsof...nger&Country=00
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {F21F6E0C-1EDE-F47F-D2F6-395EC4263EAF} - C:\WINDOWS\winpn32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: T1msn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\01.02.4000.1001\es-mx\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Archivos de programa\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Archivos de programa\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [msnappau] "C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\es-mx\msnappau.exe"
O4 - HKLM\..\Run: [ipue.exe] C:\WINDOWS\system32\ipue.exe
O4 - HKLM\..\Run: [PSGuard] C:\Archivos de programa\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Archivos de programa\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Archivos de programa\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {EB1B4B81-1216-4217-AD15-A982E16B5A1B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {EB1B4B81-1216-4217-AD15-A982E16B5A1B} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c10.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O23 - Service: Workstation NetLogon Service ( 11Fßä#·şÄÖ`I) - Unknown owner - C:\WINDOWS\system32\appmr.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
  • 0

Advertisements


#2
TomNJ

TomNJ

    Visiting Staff

  • Member
  • PipPipPip
  • 436 posts
Hello My Name is Tom and I am reviewing your log. As soon as someone checks my fix I will post it here.
  • 0

#3
psycho b

psycho b

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
ooo greatness, thankyou so much for ur time :tazz:
  • 0

#4
TomNJ

TomNJ

    Visiting Staff

  • Member
  • PipPipPip
  • 436 posts
We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...p1/default.mspx
Apply the update, reboot, and post a fresh Hijack This log.

Also you need to run HiJackThis from its own folder (c:\hjt) that way backups can be found if needed.
  • 0

#5
psycho b

psycho b

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
ok, i installed sp1a and heres the new hijackthis log

:tazz:

Logfile of HijackThis v1.99.1
Scan saved at 11:09:11 p.m., on 19/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Archivos de programa\Apoint\Apoint.exe
C:\WINDOWS\system32\qttask.exe
C:\Archivos de programa\Apoint\Apntex.exe
C:\Archivos de programa\Sony\HotKey Utility\HKserv.exe
C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\es-mx\msnappau.exe
C:\Archivos de programa\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Archivos de programa\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\PowerPanel\Program\PcfMgr.exe
C:\Archivos de programa\Sony\VAIO Action Setup\VAServ.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pcxme.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pcxme.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\pcxme.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pcxme.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pcxme.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\pcxme.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://svcs.microsof...nger&Country=00
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {F21F6E0C-1EDE-F47F-D2F6-395EC4263EAF} - C:\WINDOWS\winpn32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: T1msn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\01.02.4000.1001\es-mx\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Archivos de programa\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Archivos de programa\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [msnappau] "C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\es-mx\msnappau.exe"
O4 - HKLM\..\Run: [PSGuard] C:\Archivos de programa\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Archivos de programa\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Archivos de programa\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {EB1B4B81-1216-4217-AD15-A982E16B5A1B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {EB1B4B81-1216-4217-AD15-A982E16B5A1B} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c10.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
  • 0

#6
TomNJ

TomNJ

    Visiting Staff

  • Member
  • PipPipPip
  • 436 posts
Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Run the CleanUp! installer. You dont need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files.Reboot your computer into normal windows.

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.

Good Luck
  • 0

#7
psycho b

psycho b

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
whoa! the kapersky online scan is taking FOREVER haha ill be right back with the logs :tazz:
  • 0

#8
psycho b

psycho b

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
finally done, kapersky took sooo long and my comp is running pretty slow haha, but anyways, i followed all ur instructions and here are the logs, thanks for everything tom :tazz:

-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Monday, June 20, 2005 17:22:10
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 21/06/2005
Kaspersky Anti-Virus database records: 127039
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 26526
Number of viruses found: 4
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 2343 sec

Infected Object Name - Virus Name
C:\WINDOWS\system32\oleadm.dll Infected: Trojan.Win32.Agent.eq
C:\WINDOWS\qbpcub.dat Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\sdkrv32.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\uninstIU.exe Infected: Trojan.Win32.Agent.eo
C:\WINDOWS\winpn32.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\Recycled\Q166352.exe Infected: Trojan-Downloader.Win32.Small.ayb

Scan process completed.

and the hijackthislog:

Logfile of HijackThis v1.99.1
Scan saved at 05:23:14 p.m., on 20/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Archivos de programa\Apoint\Apoint.exe
C:\WINDOWS\system32\qttask.exe
C:\Archivos de programa\Sony\HotKey Utility\HKserv.exe
C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\es-mx\msnappau.exe
C:\Archivos de programa\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\PowerPanel\Program\PcfMgr.exe
C:\Archivos de programa\Apoint\Apntex.exe
C:\Archivos de programa\Sony\VAIO Action Setup\VAServ.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lbgum.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lbgum.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lbgum.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lbgum.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\lbgum.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://svcs.microsof...nger&Country=00
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {F21F6E0C-1EDE-F47F-D2F6-395EC4263EAF} - C:\WINDOWS\winpn32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: T1msn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\01.02.4000.1001\es-mx\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Archivos de programa\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Archivos de programa\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [msnappau] "C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\es-mx\msnappau.exe"
O4 - HKLM\..\Run: [PSGuard] C:\Archivos de programa\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Archivos de programa\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Archivos de programa\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {EB1B4B81-1216-4217-AD15-A982E16B5A1B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {EB1B4B81-1216-4217-AD15-A982E16B5A1B} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c10.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
  • 0

#9
psycho b

psycho b

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
O.o i have a question, automatic update downloaded windows xp service pack 2, but i read that if theres malware in the computer i shouldnt download it coz it might cause problems.... me guessing my computer is definitely not clean yet, and automatic updates saying im ready for it.... does it mean i should install it? or just wait til were done with this whole removal thing???

:tazz:
  • 0

#10
TomNJ

TomNJ

    Visiting Staff

  • Member
  • PipPipPip
  • 436 posts
Just wait until your log is clean
  • 0

Advertisements


#11
psycho b

psycho b

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
ok then, what should i do next?
  • 0

#12
psycho b

psycho b

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
hey tom,

well my computer's running reaaaally slow now, what should i do next???

Natalia :tazz:
  • 0

#13
TomNJ

TomNJ

    Visiting Staff

  • Member
  • PipPipPip
  • 436 posts
[*]Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lbgum.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lbgum.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lbgum.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lbgum.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\lbgum.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {F21F6E0C-1EDE-F47F-D2F6-395EC4263EAF} - C:\WINDOWS\winpn32.dll
O9 - Extra button: Microsoft AntiSpyware helper - {EB1B4B81-1216-4217-AD15-A982E16B5A1B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {EB1B4B81-1216-4217-AD15-A982E16B5A1B} - (no file) (HKCU)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c10.cab


Click on Fix Checked when finished and exit HijackThis.


[*]Reboot into Safe Mode: please see here if you are not sure how to do this.


Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\system32\lbgum.dll/sp.html#28129
C:\WINDOWS\winpn32.dll
C:\bridge-c10.cab

Exit Explorer, and reboot as normal afterwards.


Post back a fresh HijackThis log and we will take another look.
  • 0

#14
psycho b

psycho b

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
hey tom,

i followed ur instructions, did the hijackthis fix checked thing, and rebooted into safe mode but i couldnt find any of the files/folders you asked me to delete through windows explorer:

C:\WINDOWS\system32\lbgum.dll/sp.html#28129
C:\WINDOWS\winpn32.dll
C:\bridge-c10.cab

i did find a C:\WINDOWS\system32\lbgum.dll but i didnt delete it because it was missing the sp.html#28129, and there was no folder with lbgum.dll to find it inside.... but anyways, heres the hijackthislog

Logfile of HijackThis v1.99.1
Scan saved at 01:32:34 p.m., on 22/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\appay.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\Apoint\Apoint.exe
C:\WINDOWS\system32\qttask.exe
C:\Archivos de programa\Sony\HotKey Utility\HKserv.exe
C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\es-mx\msnappau.exe
C:\Archivos de programa\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\PowerPanel\Program\PcfMgr.exe
C:\Archivos de programa\Apoint\Apntex.exe
C:\Archivos de programa\Sony\VAIO Action Setup\VAServ.exe
C:\Archivos de programa\HijackThis\HijackThis.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lbgum.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://svcs.microsof...nger&Country=00
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {C72A4586-4D25-38C9-9B49-C0A7147CE676} - C:\WINDOWS\javazm32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: T1msn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\01.02.4000.1001\es-mx\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Archivos de programa\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Archivos de programa\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [msnappau] "C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\es-mx\msnappau.exe"
O4 - HKLM\..\Run: [PSGuard] C:\Archivos de programa\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Archivos de programa\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Archivos de programa\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O23 - Service: Workstation NetLogon Service ( 11Fßä#·şÄÖ`I) - Unknown owner - C:\WINDOWS\system32\appay.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe

thanks for your help so far :tazz:

Natalia

Edited by psycho b, 22 June 2005 - 12:39 PM.

  • 0

#15
psycho b

psycho b

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
oh, forgot 2 say, i WAS able 2 view all hidden files and folders, so those you asked me to delete just weren't there...
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP