Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Trojan-Spy.HTML.Smitfraund.c HELP! please [RESOLVED]

Started by fortyozman , Jul 05 2005 01:59 AM

  • This topic is locked This topic is locked

#1
fortyozman
Posted 05 July 2005 - 01:59 AM

fortyozman

    New Member

  • Member
  • Pip
  • 6 posts
I have been infected with the Smithfraud.c trojan. Been trying to get rid of it all day. I think I have made some progress. I ran KAV and it got rid of a lot of things. I still have the blue screen. I have deleted the wp.bmp file also. Here is a copy of my HiJack this log:

Logfile of HijackThis v1.99.1
Scan saved at 3:56:21 AM, on 7/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\essspk.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\110871~1\EE\AOLHOS~1.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\COMMON~1\AOL\110871~1\EE\AOLServiceHost.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Microsoft SQL

Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.rr.com/fl...fm?division=158
O2 - BHO: IE PopUp-Killer ; Neikeisoft -

{49E0E0F0-5C30-11D4-945D-000000000003} -

C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O2 - BHO: ZToolbar Activator Class -

{da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - C:\WINDOWS\pumba3.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} -

C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Search Toolbar - {a19ef336-01d4-48e6-926a-fe7e1c747aed} -

C:\WINDOWS\pumba3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

C:\Program Files\WinCDG Pro 2\msdxm.ocx
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -off
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program

Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [SysService32] C:\WINDOWS\systask32l.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend

Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend

Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend

Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common

Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic]

"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection]

"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common

Files\AOL\1108712909\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program

Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program

Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program

Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky

Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program

Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"

/background
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker]

C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: PalNetaware.lnk = D:\Program Files\Paltalk\pnetaware.exe
O4 - Startup: Scrabble Online Registration.lnk =

C:\WINDOWS\Installer\MSI4F4.tmp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program

Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: palstart.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone

Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program

Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C}

- C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar -

{4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL

Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -

C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links -

{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\MSMSGS.EXE
O16 - DPF: Aces Up! by pogo -

http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Dice Derby by pogo -

http://checkeredflag...lag/checkeredfl

ag-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo -

http://superbingo.po...ingo-ob-[bleep]

ets.cab
O16 - DPF: Jungle Gin by pogo -

http://gin.pogo.com/...n-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo -

http://mahjong2.pogo...g-ob-assets.cab
O16 - DPF: myMicros docViewer Applet -

http://portal.rubytu...m/docViewer.cab
O16 - DPF: mymicros.net Reporting Client -

http://portal.rubytu.../rpt/rptsel.cab
O16 - DPF: Pop Fu by pogo -

http://popfu.pogo.co...u-ob-assets.cab
O16 - DPF: Squelchies by pogo -

http://squelchies.po...hies-ob-[bleep]

ets.cab
O16 - DPF: Texas Hold'em Poker by pogo -

http://game1.pogo.co...m-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo -

http://peaks.pogo.co...s-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo -

http://game4.pogo.co...ep]-ob-assets.c

ab
O16 - DPF: Yahoo! Chat -

http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control

(14.0)) - http://www.ccrodinte...ls/LTOCX14N.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX

Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) -

http://ldmail01.ruby....com/iNotes.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio

Conferencing) -

http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj

Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -

http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} (Pegasus ImagN'

32-bit (Windowed) ActiveX Control v4.00) -

http://www.ccrodinte...rg/imw32o40.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide

ActiveX Control) -

http://www.maricopa....in/mgaxctrl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) -

http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless

Media Upload) -

http://www.vzwpix.co...loadControl.cab
O16 - DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} (Pegasus PrintPRO

Control v2.0) - http://www.ccrodinte...rg/prntpro2.CAB
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online -

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America

Online, Inc - C:\Program Files\Common

Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown

owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner -

C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner -

C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology

Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky

Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. -

C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program

Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. -

C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. -

C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

Advertisements

#2
fortyozman
Posted 05 July 2005 - 12:53 PM

fortyozman

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
I have been working on getting rid of this monster of a trojan and have a new Hijack This log. This is after I ran ad-aware and xoftcopy. Xoftcopy recognized the Smithfraud trojan. This is the first program I used that recognized it. I removed all that Xoftcopy found and here is the new Hijack log:


Logfile of HijackThis v1.99.1
Scan saved at 2:45:09 PM, on 7/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\essspk.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\110871~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110871~1\EE\AOLServiceHost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/fl...fm?division=158
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/fl...fm?division=158
O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\WinCDG Pro 2\msdxm.ocx
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -off
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [SysService32] C:\WINDOWS\systask32l.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1108712909\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: PalNetaware.lnk = D:\Program Files\Paltalk\pnetaware.exe
O4 - Startup: Scrabble Online Registration.lnk = C:\WINDOWS\Installer\MSI4F4.tmp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: palstart.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Aces Up! by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://checkeredflag...g-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.po...o-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/...n-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://mahjong2.pogo...g-ob-assets.cab
O16 - DPF: myMicros docViewer Applet - http://portal.rubytu...m/docViewer.cab
O16 - DPF: mymicros.net Reporting Client - http://portal.rubytu.../rpt/rptsel.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.co...u-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.po...s-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.co...m-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.co...s-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game4.pogo.co...s-ob-assets.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (14.0)) - http://www.ccrodinte...ls/LTOCX14N.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://ldmail01.ruby....com/iNotes.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} (Pegasus ImagN' 32-bit (Windowed) ActiveX Control v4.00) - http://www.ccrodinte...rg/imw32o40.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa....in/mgaxctrl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O16 - DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} (Pegasus PrintPRO Control v2.0) - http://www.ccrodinte...rg/prntpro2.CAB
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#3
Guest_usetobe_*
Posted 10 July 2005 - 07:48 AM

Guest_usetobe_*
  • Guest
Welcome to Geeks 2 Go. Sorry about the delay in getting to your post, we have been very busy.

Do you still require help or are your problems resolved.

Please let me know and if you still require assistance, please post a fresh HJT log.

Regards,

Usetobe
  • 0

#4
fortyozman
Posted 10 July 2005 - 11:04 PM

fortyozman

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hello,

Thanks for the reply, but I have gotten rid of the Smitfraud trojan, but have a new problem on my hands now. Its is a Win32.dialer.ce. It is giving me a real problem. Here is a new HJT log.


Logfile of HijackThis v1.99.1
Scan saved at 1:02:55 AM, on 7/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\essspk.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\110871~1\EE\AOLHOS~1.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\COMMON~1\AOL\110871~1\EE\AOLServiceHost.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Microsoft SQL

Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.rr.com/fl...fm?division=158
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.rr.com/fl...fm?division=158
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} -

C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

C:\Program Files\WinCDG Pro 2\msdxm.ocx
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -off
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program

Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [SysService32] C:\WINDOWS\systask32l.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend

Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend

Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend

Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common

Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic]

"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection]

"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common

Files\AOL\1108712909\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program

Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program

Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program

Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky

Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program

Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"

/background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: PalNetaware.lnk = D:\Program Files\Paltalk\pnetaware.exe
O4 - Startup: Scrabble Online Registration.lnk =

C:\WINDOWS\Installer\MSI4F4.tmp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program

Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: palstart.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone

Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program

Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C}

- C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar -

{4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL

Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -

C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links -

{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\MSMSGS.EXE
O16 - DPF: Aces Up! by pogo -

http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Dice Derby by pogo -

http://checkeredflag...lag/checkeredfl

ag-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo -

http://superbingo.po...ingo-ob-[bleep]

ets.cab
O16 - DPF: Jungle Gin by pogo -

http://gin.pogo.com/...n-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo -

http://mahjong2.pogo...g-ob-assets.cab
O16 - DPF: myMicros docViewer Applet -

http://portal.rubytu...m/docViewer.cab
O16 - DPF: mymicros.net Reporting Client -

http://portal.rubytu.../rpt/rptsel.cab
O16 - DPF: Pop Fu by pogo -

http://popfu.pogo.co...u-ob-assets.cab
O16 - DPF: Squelchies by pogo -

http://squelchies.po...hies-ob-[bleep]

ets.cab
O16 - DPF: Texas Hold'em Poker by pogo -

http://game1.pogo.co...m-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo -

http://peaks.pogo.co...s-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo -

http://game4.pogo.co...ep]-ob-assets.c

ab
O16 - DPF: Yahoo! Chat -

http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control

(14.0)) - http://www.ccrodinte...ls/LTOCX14N.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX

Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) -

http://ldmail01.ruby....com/iNotes.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio

Conferencing) -

http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj

Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -

http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} (Pegasus ImagN'

32-bit (Windowed) ActiveX Control v4.00) -

http://www.ccrodinte...rg/imw32o40.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide

ActiveX Control) -

http://www.maricopa....in/mgaxctrl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) -

http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless

Media Upload) -

http://www.vzwpix.co...loadControl.cab
O16 - DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} (Pegasus PrintPRO

Control v2.0) - http://www.ccrodinte...rg/prntpro2.CAB
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online -

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America

Online, Inc - C:\Program Files\Common

Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown

owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner -

C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner -

C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology

Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky

Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. -

C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program

Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. -

C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. -

C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#5
Guest_usetobe_*
Posted 11 July 2005 - 12:32 AM

Guest_usetobe_*
  • Guest
Hi Again,

You still have part of smitfraud present, so we will run through the full removal procedure to make sure nothing is lurking. You will find that you may not be able to find several of the requested things, but just continue on with the process.

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items:

O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [SysService32] C:\WINDOWS\systask32l.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

Ensure no windows open except HJT and click fix checked.

Using windows explorer locate and delete the following files if found

C:\WINDOWS\systask32l.exe
C:\WINDOWS\web\related.htm

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.
  • 0

#6
fortyozman
Posted 12 July 2005 - 12:09 AM

fortyozman

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Alright, I have done everything in your last post and here are my logs. The Panda log is missing though. The wife jumped on my computer while I was at work and it was shut down when I got home. Let me know if I really need to post it and I will scan again.

Logfile of HijackThis v1.99.1
Scan saved at 2:04:21 AM, on 7/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\essspk.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\COMMON~1\AOL\110871~1\EE\AOLHOS~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\110871~1\EE\AOLServiceHost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/fl...fm?division=158
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/fl...fm?division=158
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\WinCDG Pro 2\msdxm.ocx
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -off
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1108712909\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: PalNetaware.lnk = D:\Program Files\Paltalk\pnetaware.exe
O4 - Startup: Scrabble Online Registration.lnk = C:\WINDOWS\Installer\MSI4F4.tmp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: palstart.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Aces Up! by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://checkeredflag...g-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.po...o-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/...n-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://mahjong2.pogo...g-ob-assets.cab
O16 - DPF: myMicros docViewer Applet - http://portal.rubytu...m/docViewer.cab
O16 - DPF: mymicros.net Reporting Client - http://portal.rubytu.../rpt/rptsel.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.co...u-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.po...s-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.co...m-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.co...s-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game4.pogo.co...s-ob-assets.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (14.0)) - http://www.ccrodinte...ls/LTOCX14N.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://ldmail01.ruby....com/iNotes.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} (Pegasus ImagN' 32-bit (Windowed) ActiveX Control v4.00) - http://www.ccrodinte...rg/imw32o40.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa....in/mgaxctrl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O16 - DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} (Pegasus PrintPRO Control v2.0) - http://www.ccrodinte...rg/prntpro2.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ system32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ system32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

Not Infected!
  • 0

#7
Guest_usetobe_*
Posted 12 July 2005 - 12:53 AM

Guest_usetobe_*
  • Guest
Yes please, i need to see panda scan log
  • 0

#8
fortyozman
Posted 12 July 2005 - 11:23 AM

fortyozman

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
I scanned again with panda and this is all that I got.



Your Opinion FAQs Help

Scan finishedScan report


System Files Messages

Scanned Yes 286137 455
Infected - 0 0
Suspicious - 0 0
Disinfected - 0 0

No viruses have been found. To keep your computer permanently protected against viruses, install the antivirus solution that best suits your needs.
While the scan is in progress you can...Find out about our home-user antivirus solutions.
Discover Panda's solutions for small businesses
See our range of corporate antivirus solutions
Recommend ActiveScan to your friends
In order to disinfect spyware you can…Buy the online antivirus ActiveScan Pro.
Discover the PANDA solutions for home users.
See our range of corporate antivirus solutions
Recommend ActiveScan to your friends
No viruses have been found!
  • 0

#9
Guest_usetobe_*
Posted 12 July 2005 - 11:33 AM

Guest_usetobe_*
  • Guest
From your log, I see nothing in the ways of trojans, nor any evil entities attempting to possess your computer, except for Windows but it's too late for that one. :tazz:

Congratulations your log now appears to be clean. ;)

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have.
  • Firewall<= A firewall is definatley a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser<= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.
And also see TonyKlein's good advice
So how did I get infected in the first place? and AntiSpyware Net's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.
  • 0

#10
fortyozman
Posted 12 July 2005 - 11:40 AM

fortyozman

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thanks so much for all your help. I am going to try to stay clean this time.
  • 0

#11
Guest_usetobe_*
Posted 12 July 2005 - 12:04 PM

Guest_usetobe_*
  • Guest
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP