Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Need help with Trojan-Spy.html.smitfraud.c


  • Please log in to reply

#1
Hoopstar

Hoopstar

    New Member

  • Member
  • Pip
  • 1 posts
Hi.. as topic says im infested with Trojan-Spy.html.smitfraud.c and i have been following the topic:Trojan_Spyhtmlsmitfraudc-t31812

I didnt find any of the following:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\LogFiles
C:\Program Files\Security IGuard

but i did manage to remove the BG.BMP and the other files you listed with Killbox:
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\system32\perfcii.ini
C:\Windows\System32\helper.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe

I did not find any of the:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINNT\xmllib.dll (file missing)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c420.cab

in my log file for HiJackThis (dont know if its bad or good)

then i run the "the hoster" and the "DelDomains.inf" and the "CleanUp!" and last the active scanner "Activescan" and i did find a lot of [bleep] on my computer.

So now im posting a log file from HiJackThis and can you tell me if anything is as it should?

Logfile of HijackThis v1.99.1
Scan saved at 12:37:35, on 17-06-05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAMMER\FæLLES FILER\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAMMER\FæLLES FILER\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\IEPA32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LINKSTS.EXE
C:\PROGRAMMER\AHEAD\INCD\INCD.EXE
C:\PROGRAMMER\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAMMER\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAMMER\FæLLES FILER\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\ATLXV32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAMMER\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\FISC\FLASH\FLSHSTAT.EXE
C:\PROGRAMMER\LOGITECH\ITOUCH\KBDTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMMER\LOGITECH\WINGMAN SOFTWARE\LWEMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAMMER\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAMMER\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SKRIVEBORD\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\fnpav.dll/sp.html#34429
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\fnpav.dll/sp.html#34429
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\fnpav.dll/sp.html#34429
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\fnpav.dll/sp.html#34429
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\fnpav.dll/sp.html#34429
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\fnpav.dll/sp.html#34429
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\fnpav.dll/sp.html#34429
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMER\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {40085E62-C8C2-5EB8-A6B0-0E40313EDEB3} - C:\WINDOWS\JAVAWR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Skan registreringsdatabase] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WinFast_Gamma] rundll32.exe wfcpl.dll,DllLoadGammaRampSettings
O4 - HKLM\..\Run: [Linksts] Linksts.exe
O4 - HKLM\..\Run: [ADQuickAccess] D:\AFTERDRK\ADTRAY.EXE
O4 - HKLM\..\Run: [InCD] C:\Programmer\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AELaunch] AELaunch.exe
O4 - HKLM\..\Run: [Brasil] C:\WINDOWS\Brasil.pif
O4 - HKLM\..\Run: [Alevir] C:\WINDOWS\Alevir.exe
O4 - HKLM\..\Run: [cronos] C:\WINDOWS\marco!.scr
O4 - HKLM\..\Run: [MSVXD] C:\WINDOWS\MSVXD.EXE 1632
O4 - HKLM\..\Run: [instit] C:\WINDOWS\instit.bat
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Programmer\Fælles filer\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [webscan] C:\PROGRAMMER\ACCELERATION SOFTWARE\ANTI-VIRUS\STOPSIGNAV.EXE -k
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\PROGRAMMER\INTERNET EXPLORER\IEXPLORE.EXE
O4 - HKLM\..\Run: [ATLXV32.EXE] C:\WINDOWS\SYSTEM\ATLXV32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Programmer\Fælles filer\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [IEPA32.EXE] C:\WINDOWS\SYSTEM\IEPA32.EXE /s
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Programmer\Logitech\WingMan Software\lwtest.exe" /detect /quiet /launch "C:\Programmer\Logitech\WingMan Software\lwemon.exe /noui"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAMMER\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [WindowsFY] C:\BSW.EXE
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Startup: FlashPath Status.lnk = C:\FISC\FLASH\FLSHSTAT.exe
O4 - Startup: Logitech Desktop Messenger Agent.lnk = C:\Programmer\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAMMER\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAMMER\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAMMER\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAMMER\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAMMER\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAMMER\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAMMER\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAMMER\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {62BE4FA0-D782-11D9-AF50-00119581EA54} - C:\WINDOWS\SYSTEM\WLDR.DLL
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {62BE4FA0-D782-11D9-AF50-00119581EA54} - C:\WINDOWS\SYSTEM\WLDR.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {62BE4FA0-D782-11D9-AF50-00119581EA54} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {62BE4FA0-D782-11D9-AF50-00119581EA54} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)
O12 - Plugin for .inp: C:\PROGRA~1\INTERN~1\PLUGINS\npincplg.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .aif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab



dont know if its nessesary but ill post it anyway: here comes the Activescan log


Incident Status Location

Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM\IEPA32.EXE
Adware:Adware/SearchExe No disinfected C:\WINDOWS\TEMP\SE.DLL
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM\ATLXV32.EXE
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\JAVAWR.DLL
Adware:Adware/SearchExe No disinfected C:\WINDOWS\TEMP\SE.DLL
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM\ATLXV32.EXE
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM\IEPA32.EXE
Adware:Adware/SearchAid No disinfected C:\WINDOWS\Foretrukne\Search the web.url
Adware:Adware/SearchExe No disinfected C:\WINDOWS\TEMP\se.dll
Adware:Adware/Startpage.JY No disinfected Windows Registry
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Ab scissor.url
Adware:Adware/CWS.Aboutblank No disinfected Windows Registry
Adware:Adware/IGuard No disinfected C:\WINDOWS\SYSTEM\wldr.dll
Adware:Adware/BlueScreenWarningNo disinfected Windows Registry
Virus:Trj/Downloader.CFJ Disinfected Operating system
Virus:Trj/Downloader.CVB Disinfected C:\WINDOWS\SYSTEM\nhaa.dll
Adware:Adware/BlueScreenWarningNo disinfected C:\WINDOWS\SYSTEM\wldr.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\fnpav.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM\iepa32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM\atlxv32.exe
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Credit counseling.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Mortgage life insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Ab scissor.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Videos.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\What is hydrocodone.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Online gambling casino.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Debt credit card.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Fha.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Loan for debt consolidation.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Personal loans online.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Payroll advance.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Marketing email.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Credit report.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Escorts.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Order phentermine.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Mortgage insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Personal loans with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Crm software.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Nevada corporations.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Unsecured bad credit loans.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Loan for people with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Broadband comparison.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Online Betting Site.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Online instant loan.url
Adware:Adware/SearchAid No disinfected C:\WINDOWS\Foretrukne\Search the web.url
Adware:Adware/SearchExe No disinfected C:\WINDOWS\TEMP\se.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\javawr.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\ermegs.log
Virus:Trj/Downloader.DAK Disinfected C:\TEMP\ss_stopsign.exe

I hope you can help. thx Hoopstar...


P.S. I have removed the links in "C:\WINDOWS\Foretrukne\Sites about" just saw that after the scan.
  • 0

Advertisements







Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP