Please help...Got Trojan-spy.html.smitfraud.c [CLOSED]



#1 ariel2000 (New Member, 5 posts)
Hi. First time posting.

I have two laptops and one of them has Trojan-spy.html.smitfraud.c. I cannot surf the net with that laptop. I read the "You must read this before posting..." and tried to download Winsock2Fix and Cleanup. Winsock2Fix seemed to have loaded; however, I still cannot surf the net. When I try to load Cleanup, it tries to install, then states at the end of installation "The application failed to initialize properly...". Same goes with all the other tools that you have listed. Luckily, I was able to download and install HijackThis. So, here is the log file.

Logfile of HijackThis v1.99.1
Scan saved at 10:18:11 AM, on 7/22/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\avsynmgr.exe
C:\WINNT\CIATOOL\bin\ciaagent.exe
C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\VsStat.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Vshwin32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avconsol.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\WINNT\System32\PRPCUI.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\W2IFF.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\intel32.exe
C:\WINNT\System32\rundll32.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\mcshield.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Corporation
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.sbc.com/autoproxy.cgi
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B0E8A-5C4A-4C26-AFF2-89869E850519} - C:\WINNT\System32\jdkj.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [W2IFF] C:\Program Files\support\RLatest.exe \\itssnrmrs01\OSREPAIR\W2IFF\W2IFF.EXE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SBCAssess] C:\Program Files\CompApps\SBCAssess\SBCAssess.exe 5
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [intel32.exe] C:\WINNT\System32\intel32.exe
O4 - HKLM\..\Run: [outpostupdate] C:\WINNT\System32\outpostupdate.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\SBCEBC\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\RunServices: [outpostupdate] C:\WINNT\System32\outpostupdate.exe
O4 - HKCU\..\Run: [Forbes] C:\Program Files\Forbes\ForbesAlerts.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [outpostupdate] C:\WINNT\System32\outpostupdate.exe
O4 - Global Startup: 2Wire Wireless Client Manager.lnk = C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://myintranet.sbc.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://webvpn.sbc.c...oterisSetup.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.co...oaderSigned.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pacbell.itservices.sbc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pacbell.itservices.sbc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pacbell.itservices.sbc.com
O18 - Filter: text/html - {2D56DBD0-78BD-48AE-AB95-C9EBDE88C934} - C:\WINNT\System32\jdkj.dll
O18 - Filter: text/plain - {2D56DBD0-78BD-48AE-AB95-C9EBDE88C934} - C:\WINNT\System32\jdkj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\PROGRA~1\NETWOR~1\VIRUSS~1\avsynmgr.exe
O23 - Service: CIAagent - SBC - C:\WINNT\CIATOOL\bin\ciaagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
O23 - Service: McShield - Network Associates, Inc. - C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\mcshield.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Please help! Thanks!
  • 0



#2 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Hi ariel2000, welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your problem.

You appear to have a variant of the About:Blank infection.

1. Download CWShredder

If you are using anything other than Windows XP you may need a zip program.
Please download the evaluation version of Winzip.

2. Download SpSeHjfix.zip to the desktop.
  • Then right click on the desktop and select New > Folder, name it spfix
  • Unzip SpSeHjfix.zip into the new folder.
3. Disconnect from the net and Close ALL OPEN PROGRAMS.
  • Run 'SpSeHjfix' and click on "Start Disinfection".
  • When it's finished it will reboot your machine to finish the cleaning process.
  • The tool creates a log of the fix which will appear in the folder.
If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to the next stage.

4. Once it is finished, run CWShredder - Hit The FIX button!

5. Reboot and post a new HJT log and the log that was created by 'SpSeHjfix'.

Warning Note: On a few occasions it has been reported that after using SpSeHjfix you cannot open Internet Explorer. To fix this, go into Control Panel > Internet Options > Programs and press Reset Web Settings; then you can set your home page to what you want on the General tab.

Regards,

Trevuren

  • 0

#3 ariel2000 (Topic Starter, New Member, 5 posts)
Trevuren,

I saw your reply right before I went to lunch. So, I downloaded CWShredder and SpSeHjfix.zip. When I followed the steps for SpSeHjfix, as soon as I clicked on "start disinfection", it gave me a pop-up saying that the computer needs to restart, so I let it restart. Then the same window came up, so I clicked on "start disinfection" and again, in a split second, it asked me to restart. I restarted and went to lunch. When I logged back on, it didn't give me the same window but it had other errors (which I closed, so I can't remember what they were now). I tried again to "start disinfection" but now the computer doesn't seem to respond to it. I can close out the window but that's about it.

Here is the log from spsehjfix.



(7/22/05 11:24:42 AM) SPSeHjFix started v1.1.2
(7/22/05 11:24:42 AM) OS: Win2000 Service Pack 3 (5.0.2195)
(7/22/05 11:24:42 AM) Language: english
(7/22/05 11:24:42 AM) Win-Path: C:\WINNT
(7/22/05 11:24:42 AM) System-Path: C:\WINNT\System32
(7/22/05 11:24:42 AM) Temp-Path: C:\DOCUME~1\SBCEBC\LOCALS~1\Temp\
(7/22/05 11:24:44 AM) Disinfection started
(7/22/05 11:24:44 AM) Bad-Dll(IEP): (not found)
(7/22/05 11:24:44 AM) Bad-Dll(IEP) in BHO: (not found)
(7/22/05 11:24:44 AM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINNT\System32\jdkj.dll
(7/22/05 11:24:44 AM) Searchassistant Uninstaller - Keys Deleted
(7/22/05 11:24:44 AM) UBF: 6 - UBB: 2 - UBR: 19
(7/22/05 11:24:44 AM) FilterKey: HKCR\text/html (deleted)
(7/22/05 11:24:44 AM) FilterKey: HKCR\CLSID\{2D56DBD0-78BD-48AE-AB95-C9EBDE88C934} (deleted)
(7/22/05 11:24:44 AM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(7/22/05 11:24:44 AM) FilterKey: HKCR\text/plain (deleted)
(7/22/05 11:24:44 AM) FilterKey: HKCR\CLSID\{2D56DBD0-78BD-48AE-AB95-C9EBDE88C934} (error while deleting)
(7/22/05 11:24:44 AM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(7/22/05 11:24:44 AM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C8B0E8A-5C4A-4C26-AFF2-89869E850519} (deleted)
(7/22/05 11:24:44 AM) BHO-Key: HKCR\CLSID\{5C8B0E8A-5C4A-4C26-AFF2-89869E850519} (deleted)
(7/22/05 11:24:44 AM) UBF: 4 - UBB: 1 - UBR: 19
(7/22/05 11:24:44 AM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\SBCEBC\LOCALS~1\Temp\se.dll,DllInstall (deleted)
(7/22/05 11:24:44 AM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
(7/22/05 11:24:44 AM) Stealth-String not found
(7/22/05 11:24:44 AM) File added to delete: c:\winnt\system32\jdkj.dll
(7/22/05 11:24:44 AM) File added to delete: c:\docume~1\sbcebc\locals~1\temp\se.dll
(7/22/05 11:24:44 AM) Reboot


(7/22/05 11:26:30 AM) SPSeHjFix started v1.1.2
(7/22/05 11:26:30 AM) OS: Win2000 Service Pack 3 (5.0.2195)
(7/22/05 11:26:30 AM) Language: english
(7/22/05 11:26:30 AM) Win-Path: C:\WINNT
(7/22/05 11:26:30 AM) System-Path: C:\WINNT\System32
(7/22/05 11:26:30 AM) Temp-Path: C:\DOCUME~1\SBCEBC\LOCALS~1\Temp\
(7/22/05 11:26:38 AM) Disinfection started
(7/22/05 11:26:38 AM) Bad-Dll(IEP): (not found)
(7/22/05 11:26:38 AM) Bad-Dll(IEP) in BHO: (not found)
(7/22/05 11:26:38 AM) UBF: 4 - UBB: 1 - UBR: 19
(7/22/05 11:26:38 AM) UBF: 4 - UBB: 1 - UBR: 19
(7/22/05 11:26:38 AM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\SBCEBC\LOCALS~1\Temp\se.dll,DllInstall (deleted)
(7/22/05 11:26:38 AM) Bad IE-pages: (none)
(7/22/05 11:26:38 AM) Stealth-String not found
(7/22/05 11:26:38 AM) File added to delete: c:\docume~1\sbcebc\locals~1\temp\se.dll
(7/22/05 11:26:38 AM) Reboot


(7/22/05 12:39:31 PM) SPSeHjFix started v1.1.2
(7/22/05 12:39:31 PM) OS: Win2000 Service Pack 3 (5.0.2195)
(7/22/05 12:39:31 PM) Language: english
(7/22/05 12:39:31 PM) Win-Path: C:\WINNT
(7/22/05 12:39:31 PM) System-Path: C:\WINNT\System32
(7/22/05 12:39:31 PM) Temp-Path: C:\DOCUME~1\SBCEBC\LOCALS~1\Temp\
(7/22/05 12:39:49 PM) Disinfection started
(7/22/05 12:39:49 PM) Bad-Dll(IEP): (not found)
(7/22/05 12:39:49 PM) Bad-Dll(IEP) in BHO: (not found)
(7/22/05 12:39:49 PM) UBF: 4 - UBB: 1 - UBR: 18
(7/22/05 12:39:49 PM) UBF: 4 - UBB: 1 - UBR: 18
(7/22/05 12:39:49 PM) Bad IE-pages: (none)
(7/22/05 12:39:49 PM) Stealth-String not found
(7/22/05 12:39:49 PM) Not infected->END


(7/22/05 12:49:06 PM) SPSeHjFix started v1.1.2
(7/22/05 12:49:06 PM) OS: Win2000 Service Pack 3 (5.0.2195)
(7/22/05 12:49:06 PM) Language: english
(7/22/05 12:49:06 PM) Win-Path: C:\WINNT
(7/22/05 12:49:06 PM) System-Path: C:\WINNT\System32
(7/22/05 12:49:06 PM) Temp-Path: C:\DOCUME~1\SBCEBC\LOCALS~1\Temp\
(7/22/05 12:49:08 PM) Disinfection started
(7/22/05 12:49:08 PM) Bad-Dll(IEP): (not found)
(7/22/05 12:49:08 PM) Bad-Dll(IEP) in BHO: (not found)
(7/22/05 12:49:08 PM) UBF: 4 - UBB: 1 - UBR: 18
(7/22/05 12:49:08 PM) UBF: 4 - UBB: 1 - UBR: 18
(7/22/05 12:49:08 PM) Bad IE-pages: (none)
(7/22/05 12:49:08 PM) Stealth-String not found
(7/22/05 12:49:08 PM) Not infected->END
  • 0
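As an added example (not from this thread, and not code from HijackThis or SpSeHjfix), the following Python script parses HJT log lines and applies the indicators that the About:Blank diagnosis in post #2 rests on and that the SpSeHjfix log in post #3 shows being removed: the HomeOldSP = about:blank entries, the unnamed BHO, the text/html and text/plain O18 filters, and the [sp] rundll32 Run key. It also reports which DLL those entries share and which entries disappear between a "before" and "after" log. The sample lines are constructed from the logs posted in this thread; the section names and rule names are this example's own.

```python
"""Parse HijackThis (HJT) log lines and flag the About:Blank indicators
seen in this thread. Added example; not part of the forum post or of
HijackThis itself. Sample lines are taken from the logs in the thread."""
import re
from collections import defaultdict

# Each HJT entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
HJT_LINE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
# A Windows path ending in .dll anywhere in the entry body.
DLL_PATH = re.compile(r"[A-Za-z]:\\[^\r\n]*?\.dll\b", re.IGNORECASE)
# A Run key that loads a DLL out of the user's Temp folder through rundll32,
# i.e. the "[sp] rundll32 ...\Temp\se.dll,DllInstall" line in the first log.
TEMP_RUNDLL = re.compile(r"rundll32\b.*\\temp\\[^ ]*\.dll,DllInstall", re.IGNORECASE)


def parse_hjt(text):
    """Return (section, body, raw_line) tuples for every HJT entry in text."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = HJT_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), line))
    return entries


def flag_about_blank(entries):
    """Rules distilled from what SpSeHjfix deleted in this thread's log."""
    findings = []
    for section, body, raw in entries:
        if section == "R1" and "HomeOldSP" in body and body.lower().endswith("about:blank"):
            findings.append((raw, "IE HomeOldSP pointed at about:blank"))
        elif section == "O2" and body.startswith("BHO: (no name)"):
            findings.append((raw, "unnamed Browser Helper Object"))
        elif section == "O18" and body.startswith("Filter: text/"):
            findings.append((raw, "MIME filter registered for text/html or text/plain"))
        elif section == "O4" and TEMP_RUNDLL.search(body):
            findings.append((raw, "Run key loads a DLL from the Temp folder via rundll32"))
    return findings


def dlls_by_section(entries):
    """Map each DLL path (lower-cased) to the HJT sections that reference it,
    keeping only DLLs that appear under more than one section.
    A DLL that is both a BHO (O2) and a MIME filter (O18) is a pivot for the
    analyst; legitimate toolbars also register under several sections, so use
    this together with flag_about_blank rather than as a verdict on its own."""
    seen = defaultdict(set)
    for section, body, _ in entries:
        for path in DLL_PATH.findall(body):
            seen[path.lower()].add(section)
    return {path: sections for path, sections in seen.items() if len(sections) > 1}


def removed_entries(before_text, after_text):
    """Raw entries present in an earlier log but absent from a later one."""
    after = {raw for _, _, raw in parse_hjt(after_text)}
    return [raw for _, _, raw in parse_hjt(before_text) if raw not in after]


# Constructed sample: a subset of the 7/22/2005 log from the first post.
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B0E8A-5C4A-4C26-AFF2-89869E850519} - C:\WINNT\System32\jdkj.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\SBCEBC\LOCALS~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {2D56DBD0-78BD-48AE-AB95-C9EBDE88C934} - C:\WINNT\System32\jdkj.dll
O18 - Filter: text/plain - {2D56DBD0-78BD-48AE-AB95-C9EBDE88C934} - C:\WINNT\System32\jdkj.dll
O23 - Service: McShield - Network Associates, Inc. - C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\mcshield.exe
"""

# Constructed sample: the same subset as it appears in the 7/25/2005 log.
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O23 - Service: McShield - Network Associates, Inc. - C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\mcshield.exe
"""

if __name__ == "__main__":
    entries = parse_hjt(BEFORE)
    for raw, why in flag_about_blank(entries):
        print(f"FLAG [{why}]\n    {raw}")
    for path, sections in dlls_by_section(entries).items():
        print(f"SHARED {path}: {sorted(sections)}")
    print("entries removed by the fix:", len(removed_entries(BEFORE, AFTER)))
```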

#4 Trevuren (Old Dog, Retired Staff, 18,699 posts)
We sure got something.

Please post a new HJT log.

Thanks,

Trevuren
  • 0

#5 ariel2000 (Topic Starter, New Member, 5 posts)
Trevuren,

Thanks for your responses. Unfortunately, I've been in meetings all day and haven't been able to get back to troubleshooting this. I'm having problems with a work laptop which I will not be taking home. So when I'm back in the office on Monday, I'll post a new HJT log and go from there. Hopefully, you are able to help me on Monday.

Thanks and have a nice weekend.
  • 0

#6 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Enjoy


Trevuren
  • 0

#7 ariel2000 (Topic Starter, New Member, 5 posts)
Trevuren,

Good Morning. Hope you are there today. Here is the latest hjt log.

Logfile of HijackThis v1.99.1
Scan saved at 8:35:24 AM, on 7/25/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\avsynmgr.exe
C:\WINNT\CIATOOL\bin\ciaagent.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\System32\cmd.exe
C:\WINNT\ciatool\delay.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\VsStat.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Vshwin32.exe
C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\Program Files\support\RLatest.exe
C:\W2IFF.EXE
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\WINNT\System32\PRPCUI.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\intel32.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\mcshield.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Corporation
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.sbc.com/autoproxy.cgi
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [W2IFF] C:\Program Files\support\RLatest.exe \\itssnrmrs01\OSREPAIR\W2IFF\W2IFF.EXE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SBCAssess] C:\Program Files\CompApps\SBCAssess\SBCAssess.exe 5
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [intel32.exe] C:\WINNT\System32\intel32.exe
O4 - HKLM\..\Run: [outpostupdate] C:\WINNT\System32\outpostupdate.exe
O4 - HKLM\..\RunServices: [outpostupdate] C:\WINNT\System32\outpostupdate.exe
O4 - HKCU\..\Run: [Forbes] C:\Program Files\Forbes\ForbesAlerts.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [outpostupdate] C:\WINNT\System32\outpostupdate.exe
O4 - Global Startup: 2Wire Wireless Client Manager.lnk = C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://myintranet.sbc.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://webvpn.sbc.c...oterisSetup.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.co...oaderSigned.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pacbell.itservices.sbc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pacbell.itservices.sbc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pacbell.itservices.sbc.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\PROGRA~1\NETWOR~1\VIRUSS~1\avsynmgr.exe
O23 - Service: CIAagent - SBC - C:\WINNT\CIATOOL\bin\ciaagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
O23 - Service: McShield - Network Associates, Inc. - C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\mcshield.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
  • 0

#8 Trevuren (Old Dog, Retired Staff, 18,699 posts)
The following is just a partial fix to clean up some of the mess that still remains. I need a few questions answered before I can develop a final solution:

1. Do you know what this CIATOOL is? I can't get info on it.

2. O23 Hibernation: Do you have your system in that state when not in use?

3. RLatest / ...... / W2IFF.exe: I can't get any conclusive info on this either.

============================================

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
  • We need to make sure all hidden files are showing so please:
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Under the Hidden files and folders heading select Show hidden files and folders.
    • Uncheck the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.
  • Please RUN HijackThis, click the SCAN button to produce a log.
    • Place a check mark beside each one of the following items:

      O4 - HKLM\..\Run: [intel32.exe] C:\WINNT\System32\intel32.exe
      O4 - HKLM\..\Run: [outpostupdate] C:\WINNT\System32\outpostupdate.exe
      O4 - HKLM\..\RunServices: [outpostupdate] C:\WINNT\System32\outpostupdate.exe
      O4 - HKCU\..\Run: [outpostupdate] C:\WINNT\System32\outpostupdate.exe
      O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
      O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
      O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://webvpn.sbc.c...oterisSetup.cab
      O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
      O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.co...oaderSigned.cab

    • Now with all the items selected, and all windows closed except for HJT, DELETE them by clicking the FIX checked button and EXIT the program.
  • Reboot Your System in Safe Mode

    How To Start To Safe Mode In Windows 2000
    • Turn the computer on
    • When you see the black-and-white Starting Windows bar at the bottom of the screen, start tapping the F8 key.
    • The Windows 2000 Advanced Options Menu will appear.
    • Choose the Safe mode option. (it is usually the first item in the list).
    • Use the arrow keys to select it if it is not selected by default.
    • Press Enter. The computer will start in Safe mode.
    • When finished troubleshooting, close all programs and restart the computer as you normally would.
  • Using Windows Explorer, locate the following files/folders (with all their content), and DELETE them (if they are present):

    C:\WINNT\System32\intel32.exe
    C:\WINNT\System32\outpostupdate.exe
    C:\WINNT\web<===Folder

  • Exit Explorer, and REBOOT BACK INTO NORMAL MODE

  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.
Regards,

Trevuren

  • 0

#9 ariel2000 (Topic Starter, New Member, 5 posts)
Trevuren,

I've followed your instructions and below is the HJT log. The blue screen that states that I've been affected by the trojan... is still there.

Regarding CIATOOL and W2IFF, I believe they are my company's applications. I have them on my other work laptop as well.

I do use power save mode but the "enable hibernate support" box is not checked.


Logfile of HijackThis v1.99.1
Scan saved at 3:05:55 PM, on 7/25/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\avsynmgr.exe
C:\WINNT\CIATOOL\bin\ciaagent.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\System32\cmd.exe
C:\WINNT\ciatool\delay.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\VsStat.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Vshwin32.exe
C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\W2IFF.EXE
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\WINNT\System32\PRPCUI.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\mcshield.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Corporation
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.sbc.com/autoproxy.cgi
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [W2IFF] C:\Program Files\support\RLatest.exe \\itssnrmrs01\OSREPAIR\W2IFF\W2IFF.EXE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SBCAssess] C:\Program Files\CompApps\SBCAssess\SBCAssess.exe 5
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [outpostupdate] C:\WINNT\System32\outpostupdate.exe
O4 - HKCU\..\Run: [Forbes] C:\Program Files\Forbes\ForbesAlerts.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: 2Wire Wireless Client Manager.lnk = C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O14 - IERESET.INF: START_PAGE_URL=http://myintranet.sbc.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pacbell.itservices.sbc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pacbell.itservices.sbc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pacbell.itservices.sbc.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\PROGRA~1\NETWOR~1\VIRUSS~1\avsynmgr.exe
O23 - Service: CIAagent - SBC - C:\WINNT\CIATOOL\bin\ciaagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
O23 - Service: McShield - Network Associates, Inc. - C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\mcshield.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
  • 0

#10 Trevuren (Old Dog, Retired Staff, 18,699 posts)
1. Please try this for now:

To repair Internet Explorer on Windows 98, ME and 2000:

Go to Start > Run > copy and paste this in > OK > and choose repair IE

rundll32 setupwbv.dll,IE6Maintenance

...or go to your control panels add/remove programs and double click on Microsoft Internet Explorer 6 and Internet Tools > choose Repair IE.

2. If your screen still carries the warning, please provide me with a detailed description of the message.

3. Post a fresh HJT log


Trevuren
  • 0

#11 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
