Smitfraud c and PSguard [RESOLVED]



#1 Sick_of_smitty (Member, 10 posts)

I have tried everything and can't get rid of Smitfraud.c. I have followed the recommendations of previous posts and ran Spybot, Ewido, Adaware, Panda (the freeware version), and did the Add/Remove Programs step. I also ran the SmitRem zip file, etc. My computer seems to be running OK and there is no indication of a problem (the message taking over the desktop screen and the references to infections on the Quick Launch bar are all gone). However, when I run Spybot it still finds 45 Smitfraud files. When I select Fix Selected Problems, it says it can't fix them and suggests running on startup. When it runs on startup the same thing happens. See the Spybot log below. I have run these scans in normal mode and safe mode. Help!

Thanks.

Here is my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 8:16:37 PM, on 7/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wlnfilt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\uwdntcls.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [5] C:\documents and settings\heather\local settings\temp\5.exe
O4 - HKLM\..\Run: [h6PAlF3Vi] C:\documents and settings\heather\local settings\temp\h6PAlF3Vi.exe
O4 - HKLM\..\Run: [XJtOu] C:\documents and settings\heather\local settings\temp\XJtOu.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C4] C:\documents and settings\hiro protagonist\local settings\temp\C4.exe
O4 - HKLM\..\Run: [x8RKKy] C:\documents and settings\heather\local settings\temp\x8RKKy.exe
O4 - HKLM\..\Run: [wNQ] C:\documents and settings\heather\local settings\temp\wNQ.exe
O4 - HKLM\..\Run: [osFO3nW] wlnfilt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ZBwERha7R] uwdntcls.exe
O4 - HKCU\..\Run: [Saug] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.c...ex/tdserver.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {41CC16B4-2173-4D9E-894F-D51B96B74EF2} (SECAMERConfigCheck.ConfigCheck) - https://webapps.saio...ConfigCheck.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - https://webapps.saio...setup/setup.exe
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! WebCam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F9BB339D-D40D-4853-8F4D-287A2323A35C} (ScanbuyUnivPlugin.ScannerReader) - https://www.scanclik...yUnivPlugin.CAB
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

Spybot Log
Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\www.niger.ru\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\www.6o9.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\win-eto.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webpidor.biz\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\vv7.al.57e.net\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\vparivalka.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\visitfriend.net\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\veryeasysearch.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\v-224.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\u48.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\u47.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\u46.cx\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\u45.cx\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tracktraff.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tracking.allposters.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\trackhits.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\toprefsys.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\terra.hcworld.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\t34rulit.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\s2.kav.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\s13.tempx.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\s13.remove.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\rf104.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\new.8ad.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\msnprotection.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\meetyourfriend.biz\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\makechoice.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\love-catalog.net\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\letgohome.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\greg-tut.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ga31.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\[bleep]-[bleep].org\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\free-spy-cam.net\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\fast-look.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ewizard.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\e-finder.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\dl.ad-ware.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\datingforlove.org\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\crl.thawte.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cc20foreva.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bin.wordsx.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adulthell.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\75tz.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\20x2p.com\*!=W=4


--- Spybot - Search && Destroy version: 1.3 ---
2005-04-26 Includes\Cookies.sbi
2005-07-29 Includes\Dialer.sbi
2005-07-29 Includes\Hijackers.sbi
2005-06-23 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2005-07-29 Includes\Malware.sbi
2005-07-22 Includes\PUPS.sbi
2005-04-27 Includes\Revision.sbi
2005-07-29 Includes\Security.sbi
2005-07-29 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2005-07-29 Includes\Trojans.sbi

Edited by Sick_of_smitty, 30 July 2005 - 07:08 PM.

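Every Spybot finding above has the same shape: a ZoneMap\Domains key for one domain, a value name, and Spybot's rule suffix. As an added example (editor's code, not Spybot's and not a step the helper in this thread asked for), the following Python parses those lines and writes a .reg file that deletes the flagged value, which is one way to clear entries Spybot reports it cannot fix. Assumptions: the `!=W=4` suffix is carried along as an opaque rule tag and not interpreted; the value named `*` is the all-schemes mapping for that domain, so deleting it drops the domain back to its default zone (any separate `http` or `https` values under the same key are untouched and should be reviewed the same way); the sample lines are copied from the log above. Import the .reg only while logged on as the affected user, because HKEY_USERS\<SID> exists only while that user's hive is loaded, or use as_current_user() to rewrite the keys to HKEY_CURRENT_USER first. Back up the registry before importing.

```python
"""Turn Spybot ZoneMap findings into a .reg file that removes them.

Added example for this thread; not Spybot's code. The "!=W=4" suffix is
Spybot's rule notation and is recorded here without being interpreted.
"""
import re

# Constructed sample input: three findings copied from the Spybot log above.
SAMPLE_SPYBOT = r"""
Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\www.niger.ru\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\win-eto.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-336809978-2161807218-2885428501-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\crl.thawte.com\*!=W=4
"""

# key = everything up to and including the domain; value = the value name ("*");
# rule = Spybot's suffix such as "!=W=4".
ZONEMAP_RE = re.compile(
    r'^(?P<key>HKEY_[A-Z_]+\\.*?\\ZoneMap\\Domains\\(?P<domain>[^\\]+))'
    r'\\(?P<value>[^\\!=]+)(?P<rule>!?=W=\d+)$')

# HKEY_USERS\<SID>\ prefix of a per-user hive, for rewriting to HKEY_CURRENT_USER.
SID_PREFIX_RE = re.compile(r'^HKEY_USERS\\S-1-5-21-[\d-]+\\')


def parse_spybot(text):
    """Return one dict (key, domain, value, rule) per ZoneMap finding; other lines are ignored."""
    findings = []
    for line in text.splitlines():
        m = ZONEMAP_RE.match(line.strip())
        if m:
            findings.append(m.groupdict())
    return findings


def as_current_user(findings):
    """Rewrite HKEY_USERS\\<SID>\\... to HKEY_CURRENT_USER\\... so the .reg can be
    imported while logged on as the affected user without knowing the SID."""
    return [dict(f, key=SID_PREFIX_RE.sub('HKEY_CURRENT_USER\\\\', f['key'])) for f in findings]


def to_reg(findings):
    """Build .reg text that deletes each flagged value ("name"=- is regedit's delete syntax)."""
    lines = ['Windows Registry Editor Version 5.00', '']
    for f in findings:
        lines.append(f'[{f["key"]}]')
        lines.append(f'"{f["value"]}"=-')
        lines.append('')
    return '\n'.join(lines)


if __name__ == '__main__':
    # Redirect this to a file with a .reg extension, then import it with regedit.
    print(to_reg(parse_spybot(SAMPLE_SPYBOT)))
```

Run it against the full Spybot log pasted into SAMPLE_SPYBOT (or read from a file) to get all 45 entries at once; the bleeped domain in the log will not parse and has to be handled by hand.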


#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Welcome to GTG.

I don't know which part users don't understand. Please do NOT follow another user's fix. I say this for a reason. Everyone's log will most likely not be exactly the same. Like in your case, you have some other problems here besides smitfraud (which you took care of). But you should really not do any of the fixing unless you are 100% sure you know it's right - in which case you probably don't, since you are following someone else's fix. Sometimes you may make it worse by fixing it incorrectly.

I'm not posting this to reflect towards you only, but to everyone who's reading this. DON'T follow the fixes provided to other users. Create your own topic and we will be glad to assist you there.

Also, don't post any other logs unless we ask for them :tazz:

OK, let's get to the fixing part now ;)

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if the main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O4 - HKLM\..\Run: [5] C:\documents and settings\heather\local settings\temp\5.exe
O4 - HKLM\..\Run: [h6PAlF3Vi] C:\documents and settings\heather\local settings\temp\h6PAlF3Vi.exe
O4 - HKLM\..\Run: [XJtOu] C:\documents and settings\heather\local settings\temp\XJtOu.exe
O4 - HKLM\..\Run: [C4] C:\documents and settings\hiro protagonist\local settings\temp\C4.exe
O4 - HKLM\..\Run: [x8RKKy] C:\documents and settings\heather\local settings\temp\x8RKKy.exe
O4 - HKLM\..\Run: [wNQ] C:\documents and settings\heather\local settings\temp\wNQ.exe
O4 - HKLM\..\Run: [osFO3nW] wlnfilt.exe
O4 - HKCU\..\Run: [ZBwERha7R] uwdntcls.exe
O4 - HKCU\..\Run: [Saug] C:\WINDOWS\System32\??rss.exe


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\System32\wlnfilt.exe
C:\WINDOWS\System32\uwdntcls.exe


Do a search for ??rss.exe and right click on any of the files found. Go to Properties->Version tab and see if it's from Microsoft. Do this for each file found. If it's not from Microsoft (or doesn't even have a version tab) and it was created recently, then delete it.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
[X]Scan local drives for temporary files (Please uncheck this option)
* Cleanup! All Users

Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Restart and run a new HijackThis scan. Save the log file and post it here.
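As an added example (editor's code, not part of the thread and not HijackThis's own logic), here is the triage a helper does by eye on a log like the one above, written as Python heuristics and run over lines copied from the first log. It flags the pattern that marks the bad O4 entries in this thread: autoruns launched from a user's Local Settings\Temp folder, randomly generated names, a bare filename with no path (wlnfilt.exe and uwdntcls.exe resolve through the search path, so their real location has to be found before deleting), a `?` in a path (characters HijackThis could not display, which is why the fix above searches for ??rss.exe), and Internet Explorer settings pointing at about:blank or `(no file)`. The cutoffs are the editor's assumptions: legitimate entries such as LTSMMSG.exe also land in the output, and nothing here would catch the AutoUpdate entry dealt with later in the thread, so treat the result as a review queue, not a delete list.

```python
"""Triage heuristics for HijackThis autorun (O4) and IE-setting (R0/R1/R3) lines.

Added example for this thread. The heuristics are an assumption about what
separates the malicious entries in the log from the legitimate ones; they are
not HijackThis logic. Output is a review queue, not a delete list.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample input: lines copied from the first HijackThis log above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [5] C:\documents and settings\heather\local settings\temp\5.exe
O4 - HKLM\..\Run: [h6PAlF3Vi] C:\documents and settings\heather\local settings\temp\h6PAlF3Vi.exe
O4 - HKLM\..\Run: [osFO3nW] wlnfilt.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKCU\..\Run: [ZBwERha7R] uwdntcls.exe
O4 - HKCU\..\Run: [Saug] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# Run-key line: "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# First executable in the command, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|scr|com|pif|bat))"?', re.IGNORECASE)


def looks_generated(name):
    """True for names that mix letters and digits at random, or are just a number.

    Plain CamelCase (TkBellExe, NvCplDaemon) and a trailing version number
    (QFSCHD100) are common in legitimate software and are deliberately not flagged.
    """
    if not name.isalnum():
        return False
    if name.isdigit():
        return True
    if re.fullmatch(r'[A-Za-z]+\d+', name):
        return False
    return any(c.isdigit() for c in name) and any(c.isalpha() for c in name) and len(name) <= 12


def triage_line(line):
    """Return the list of reasons a log line deserves a look (empty if none)."""
    reasons = []
    m = O4_RE.match(line)
    if m:
        name, cmd = m.group('name'), m.group('cmd')
        em = EXE_RE.match(cmd)
        path = em.group('path') if em else cmd
        if '\\temp\\' in path.lower():
            reasons.append('executable lives in a temp directory')
        if '?' in path:
            reasons.append("filename contains characters the log could not display ('?')")
        if '\\' not in path:
            reasons.append('bare filename with no path; confirm which copy on disk actually runs')
        if looks_generated(name) or looks_generated(PureWindowsPath(path).stem):
            reasons.append('randomly generated-looking name')
    elif line.endswith(' = about:blank') or line.endswith('(no file)'):
        reasons.append('hijacked or orphaned Internet Explorer setting')
    return reasons


def triage(log_text):
    """(line, reasons) for every flagged line, most reasons first, log order otherwise."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            hits.append((line, reasons))
    hits.sort(key=lambda h: -len(h[1]))  # stable: ties keep log order
    return hits


if __name__ == '__main__':
    for line, reasons in triage(SAMPLE_LOG):
        print(f'[{len(reasons)}] {line}')
        for r in reasons:
            print(f'      - {r}')
```

Paste a whole HijackThis log into SAMPLE_LOG (or read it from a file) and the entries with two or more reasons are the ones to look at first; a single "bare filename" hit on its own, as for LTSMMSG.exe, only means the file's location should be checked.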

#3 Sick_of_smitty (Topic Starter, Member, 10 posts)

After I got back from the therapist who helped me cope with being publicly humiliated :tazz: , I ran through your steps. (Actually I understand what you are saying; I piss off the plumber by trying to fix the sink myself also). I found all the files you told me to look for and there were no additional rss.exe files to delete. Here is my new HJT:

Logfile of HijackThis v1.99.1
Scan saved at 6:36:53 PM, on 7/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.c...ex/tdserver.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {41CC16B4-2173-4D9E-894F-D51B96B74EF2} (SECAMERConfigCheck.ConfigCheck) - https://webapps.saio...ConfigCheck.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - https://webapps.saio...setup/setup.exe
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! WebCam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F9BB339D-D40D-4853-8F4D-287A2323A35C} (ScanbuyUnivPlugin.ScannerReader) - https://www.scanclik...yUnivPlugin.CAB
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

Edited by Sick_of_smitty, 31 July 2005 - 04:42 PM.


#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Yeah, I'm sorry I had to type that up. I didn't mean to direct it towards you only as I said above. But it just gets to me when users start fixing it and sometimes they make matters worse :tazz: Glad you understand :(

Well, I hope everything is going well on the therapy ;)

Let's at least make you happy by fixing up this problem here :)

We're almost done here:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

AutoUpdate

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Program Files\AutoUpdate\

Restart and run a new HijackThis scan. Save the log file and post it here.

#5 Sick_of_smitty (Topic Starter, Member, 10 posts)

I am doing those steps on the infected PC right now. But to clarify, do you want me to run the second HJT (after fixing and deleting) in safe mode or not?

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Safe Mode is really not necessary, but it cuts back some problems that users may encounter sometimes. So run it all in safe mode (both fixing and deleting - exactly as I have it there :tazz:).

#7 Sick_of_smitty (Topic Starter, Member, 10 posts)

What do you think:

Logfile of HijackThis v1.99.1
Scan saved at 8:15:18 PM, on 7/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.c...ex/tdserver.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {41CC16B4-2173-4D9E-894F-D51B96B74EF2} (SECAMERConfigCheck.ConfigCheck) - https://webapps.saio...ConfigCheck.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - https://webapps.saio...setup/setup.exe
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! WebCam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F9BB339D-D40D-4853-8F4D-287A2323A35C} (ScanbuyUnivPlugin.ScannerReader) - https://www.scanclik...yUnivPlugin.CAB
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
  • 0

#8
greyknight17
    Malware Expert
  • Visiting Consultant
  • 16,560 posts
What I think is not important :tazz: What's important is that:

Your log is clean ;)

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#9
Sick_of_smitty
    Member
  • Topic Starter
  • Member
  • 10 posts
My log is clean ;) and my therapist says I am cured also :tazz: . Life is good! Thanks for all your help. Take care.
  • 0

#10
Sick_of_smitty
    Member
  • Topic Starter
  • Member
  • 10 posts
Uh-Oh! I spoke too soon. I just ran spybot to make sure I was clean and it still finds the 45 Smitfraud-C. items. It also found PeopleonPage, AproposMedia, and Tango. It won't allow me to fix/delete the 45 Smitfraud items. The others fixed ok. What should I do?
  • 0

#11
greyknight17
    Malware Expert
  • Visiting Consultant
  • 16,560 posts
OK, do this:

Download smitRem.zip at http://noahdfear.gee.../click.php?id=1 and save the file to your desktop.
Unzip the file to its own folder on the desktop.

Please download the trial version of Ewido Security Suite at http://www.ewido.net/en/download/ and read the Ewido setup instructions at http://rstones12.gee.../ewidosetup.htm. Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions at http://rstones12.gee...areSE_setup.htm. Otherwise, check for updates. Don't run it yet!

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Open the smitRem folder and double click on the RunThis.bat file to start the tool. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

* Click on scanner.
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with ewido it is finding cases of false positives.
* You will need to step through the process of cleaning files one-by-one.
* If Ewido detects a file you KNOW to be legitimate, select none as the action.
* Do NOT select 'Perform action on all infections'.
* If you are unsure of any entry found, select none for now.
* When the scan is finished, click the Save report button at the bottom of the screen.
* Save the report to your desktop.

Close Ewido.

Next go to Control Panel->Display->Desktop->Customize Desktop->Web-> Uncheck 'Security Info' if present.

Reboot back into Windows and go to http://www.pandasoft...n_principal.htm to do a full system scan. Make sure the autoclean box is checked. Save the scan log and post it along with a new HijackThis log, the contents of the smitfiles.txt log and the Ewido log (if you ran it).
  • 0

#12
Sick_of_smitty
    Member
  • Topic Starter
  • Member
  • 10 posts
OK, here are all the logs:

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 12:35:31 AM, on 8/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.c...ex/tdserver.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {41CC16B4-2173-4D9E-894F-D51B96B74EF2} (SECAMERConfigCheck.ConfigCheck) - https://webapps.saio...ConfigCheck.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - https://webapps.saio...setup/setup.exe
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! WebCam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F9BB339D-D40D-4853-8F4D-287A2323A35C} (ScanbuyUnivPlugin.ScannerReader) - https://www.scanclik...yUnivPlugin.CAB
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

--------------------------------------------------------------------------------------------

Panda


Incident Status Location

Adware:adware/tvmedia No disinfected C:\DOCUMENTS AND SETTINGS\HEATHER\APPLICATION DATA\tvmcwrd.dll
Spyware:spyware/cydoor No disinfected C:\WINDOWS\SYSTEM32\cd_clint.dll
Adware:adware/virtualbouncer No disinfected C:\WINDOWS\SYSTEM32\INNERADINSTALL.LOG
Adware:adware/keenvalue No disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
Adware:adware/ipinsight No disinfected C:\WINDOWS\INF\alchem.inf
Spyware:spyware/betterinet No disinfected C:\WINDOWS\INF\biini.inf
Adware:adware/gator No disinfected C:\GatorPatch.log
Adware:adware/sidesearch No disinfected C:\WINDOWS\sepsd.bin
Adware:adware/twain-tech No disinfected C:\WINDOWS\smdat32m.sys
Adware:adware/apropos No disinfected C:\PROGRAM FILES\Aprps
Adware:adware/delfinmedia No disinfected C:\PROGRAM FILES\DelFin
Adware:adware/savenow No disinfected C:\PROGRAM FILES\VVSN
Spyware:spyware/istbar No disinfected C:\PROGRAM FILES\COMMON FILES\Totem Shared
Adware:adware/p2pnetworking No disinfected C:\WINDOWS\SYSTEM32\P2P Networking
Adware:adware/addestroyer No disinfected C:\DOCUMENTS AND SETTINGS\HEATHER\START MENU\PROGRAMS\AdDestroyer
Adware:adware/bookedspace No disinfected C:\WINDOWS\bsx32
Adware:adware/psguard No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD\PSGUARD
Adware:adware/wintools No disinfected HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_WINTOOLSSVC
Adware:adware/iedriver No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\CMDMAPPING\{120E090D-9136-4B78-8258-F0B44B4BD2AC}
Spyware:spyware/altnet No disinfected HKEY_CLASSES_ROOT\Interface\{CE9B37EC-D243-47A2-83DB-3A8350175193}
Adware:adware/alexa-toolbar No disinfected HKEY_CLASSES_ROOT\TypeLib\{eacaa5ce-99b3-470e-9629-8f9ef4c4b637}
Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\ProxyStub.dll
Adware:Adware/StatBlaster No disinfected C:\Program Files\System\Misc\Aqua.exe
Adware:Adware/StatBlaster No disinfected C:\Program Files\System\Misc\lite.exe
Adware:Adware/IPInsight No disinfected C:\WINDOWS\Belt.ini
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\inf\bi2.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\biini.inf
Adware:Adware/StatBlaster No disinfected C:\WINDOWS\system32\O
Adware:Adware/StatBlaster No disinfected C:\WINDOWS\system32\O.BAT
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\system32\P2P Networking\MARSHAL.DLL
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\system32\P2P Networking\P2P Networking.exe
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\system32\P2P Networking v125.cpl
Adware:Adware/Alexa-Toolbar No disinfected C:\WINDOWS\system32\WinExplore.exe
--------------------------------------------------------------------------------------

Ewido

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:32:17 PM, 7/31/2005
+ Report-Checksum: 1AC0E7E9

+ Scan result:

No infected objects found.


::Report End


------------------------------------------------------------------------------------------

Smitrem


smitRem log file
version 2.2

by noahdfear

The current date is: Sun 07/31/2005
The current time is: 21:45:16.34

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN!
  • 0

#13
greyknight17
    Malware Expert
  • Visiting Consultant
  • 16,560 posts
I will be sending you a PM. Please read that first before doing the fixes below. I want you to run that tool that I will PM you in the fix below (in RED - second to last paragraph).

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4
[-HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_WINTOOLSSVC]
[-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\CMDMAPPING\{120E090D-9136-4B78-8258-F0B44B4BD2AC}]
[-HKEY_CLASSES_ROOT\Interface\{CE9B37EC-D243-47A2-83DB-3A8350175193}]
[-HKEY_CLASSES_ROOT\TypeLib\{eacaa5ce-99b3-470e-9629-8f9ef4c4b637}]


Save the file as "delete.reg". Make sure to save it with the quotes. Double click on it and choose Yes to merge it. You may delete the file afterwards.


Download CWShredder at http://www.greyknigh.../CWShredder.exe and run it. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Uninstall these via Add/Remove panel if listed:

Gator
GAIN
AdDestroyer
DelFin
VVSN
P2P Networking


Delete these if they exist:

C:\DOCUMENTS AND SETTINGS\HEATHER\APPLICATION DATA\tvmcwrd.dll
C:\DOCUMENTS AND SETTINGS\HEATHER\START MENU\PROGRAMS\AdDestroyer
C:\GatorPatch.log
C:\Program Files\Aprps\
C:\PROGRAM FILES\COMMON FILES\Totem Shared
C:\PROGRAM FILES\DelFin
C:\Program Files\System\Misc\
C:\PROGRAM FILES\VVSN
C:\WINDOWS\Belt.ini
C:\WINDOWS\bsx32
C:\WINDOWS\inf\alchem.inf
C:\WINDOWS\inf\bi2.inf
C:\WINDOWS\inf\biini.inf
C:\WINDOWS\sepsd.bin
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\SYSTEM32\cd_clint.dll
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
C:\WINDOWS\SYSTEM32\INNERADINSTALL.LOG
C:\WINDOWS\system32\O
C:\WINDOWS\system32\O.BAT
C:\WINDOWS\system32\P2P Networking\
C:\WINDOWS\system32\WinExplore.exe


Run that tool that I PMed you now.

Restart and run a new Panda scan. Post the log here. Any improvement now?
  • 0
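To show how the Panda incident lines get turned into the delete list and the REGEDIT4 script in post #13, here is an added Python example (not from the thread, nor from Panda, smitRem or any other tool mentioned) that parses that log format and sorts each location by how it has to be removed; it goes a step further than post #13 by treating every HKEY_ location as a registry key to delete, and it flags entries such as the bare "Windows Registry" that a person still has to locate. The sample lines are constructed from the logs posted above.

```python
"""Constructed example: turn Panda ActiveScan incident lines into a removal checklist."""
import re
from typing import Dict, List

# Each incident line reads "<Category>:<name> <status> <location>"; in these
# logs the status is always the two-word "No disinfected".
PANDA_LINE = re.compile(
    r"^(?P<category>[A-Za-z]+):(?P<name>\S+)\s+No disinfected\s+(?P<location>.+)$"
)

# Constructed sample input: a subset of the lines posted in this thread.
SAMPLE_LOG = r"""Incident Status Location

Adware:adware/tvmedia No disinfected C:\DOCUMENTS AND SETTINGS\HEATHER\APPLICATION DATA\tvmcwrd.dll
Adware:adware/psguard No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD\PSGUARD
Adware:adware/wintools No disinfected HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_WINTOOLSSVC
Adware:adware/savenow No disinfected Windows Registry
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Heather\Desktop\l2mfix.exe[Process.exe]
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\system32\P2P Networking\MARSHAL.DLL
"""


def parse_panda_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per incident line; the header and blank lines are skipped."""
    incidents = []
    for line in text.splitlines():
        match = PANDA_LINE.match(line.strip())
        if match:
            incidents.append(match.groupdict())
    return incidents


def classify(location: str) -> str:
    """'registry' for a hive path, 'file' for a drive path, otherwise 'manual'."""
    if location.upper().startswith("HKEY_"):
        return "registry"
    if re.match(r"^[A-Za-z]:\\", location):
        return "file"
    return "manual"  # e.g. the bare "Windows Registry" entry: a person must locate it


def build_checklist(text: str) -> Dict[str, List[str]]:
    """Group locations by removal method, de-duplicated and in log order."""
    groups: Dict[str, List[str]] = {"registry": [], "file": [], "manual": []}
    for incident in parse_panda_log(text):
        location = incident["location"]
        kind = classify(location)
        # "archive.exe[member]" is a hit inside an archive; the archive is the target.
        if kind == "file" and location.endswith("]"):
            location = location[: location.rindex("[")]
        if location not in groups[kind]:
            groups[kind].append(location)
    return groups


def to_reg_script(keys: List[str]) -> str:
    """REGEDIT4 text that deletes each key, using the [-KEY] form from post #13."""
    return "\n".join(["REGEDIT4", ""] + [f"[-{key}]" for key in keys]) + "\n"


if __name__ == "__main__":
    checklist = build_checklist(SAMPLE_LOG)
    print(to_reg_script(checklist["registry"]))
    print("Delete these if they exist:", *checklist["file"], sep="\n")
    print("Needs manual follow-up:", *checklist["manual"], sep="\n")
```

Export the registry before merging the generated script, as post #13 says, since a [-KEY] line removes the whole key and everything under it.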

#14
greyknight17
    Malware Expert
  • Visiting Consultant
  • 16,560 posts
Got your PM. Everything is clear there :tazz:

Please post the requested logs now if you are done with the previous fix I posted.
  • 0

#15
Sick_of_smitty
    Member
  • Topic Starter
  • Member
  • 10 posts
The CWShredder came back all clear. I found most of the things you told me to delete. I left the P2P because I know what that is (Kazaa). Spybot still shows Smitfraud. Here is the Panda log:

Incident Status Location

Adware:adware/tvmedia No disinfected C:\DOCUMENTS AND SETTINGS\HEATHER\APPLICATION DATA\tvmknwrd.dll
Adware:adware/virtualbouncer No disinfected C:\WINDOWS\SYSTEM32\INNERVBINSTALL.LOG
Adware:adware/ipinsight No disinfected C:\WINDOWS\alchem.ini
Adware:adware/gator No disinfected C:\WINDOWS\GatorPatch.log
Adware:adware/sidesearch No disinfected C:\DOCUMENTS AND SETTINGS\HEATHER\APPLICATION DATA\Lycos
Adware:adware/p2pnetworking No disinfected C:\WINDOWS\SYSTEM32\P2P Networking
Adware:adware/savenow No disinfected Windows Registry
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Heather\Desktop\l2mfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Heather\Desktop\l2mfix.exe[Process.exe]
Adware:Adware/IPInsight No disinfected C:\RECYCLER\S-1-5-21-336809978-2161807218-2885428501-1010\Dc11.inf
Adware:Adware/SAHAgent No disinfected C:\RECYCLER\S-1-5-21-336809978-2161807218-2885428501-1010\Dc12.inf
Spyware:Spyware/BetterInet No disinfected C:\RECYCLER\S-1-5-21-336809978-2161807218-2885428501-1010\Dc13.inf
Adware:Adware/StatBlaster No disinfected C:\RECYCLER\S-1-5-21-336809978-2161807218-2885428501-1010\Dc19
Adware:Adware/StatBlaster No disinfected C:\RECYCLER\S-1-5-21-336809978-2161807218-2885428501-1010\Dc20.BAT
Adware:Adware/Alexa-Toolbar No disinfected C:\RECYCLER\S-1-5-21-336809978-2161807218-2885428501-1010\Dc21.exe
Adware:Adware/Apropos No disinfected C:\RECYCLER\S-1-5-21-336809978-2161807218-2885428501-1010\Dc4\ProxyStub.dll
Dialer:Dialer.XS No disinfected C:\RECYCLER\S-1-5-21-336809978-2161807218-2885428501-1010\Dc6\Update\DialerOffline.dll.010
Adware:Adware/StatBlaster No disinfected C:\RECYCLER\S-1-5-21-336809978-2161807218-2885428501-1010\Dc7\Aqua.exe
Adware:Adware/StatBlaster No disinfected C:\RECYCLER\S-1-5-21-336809978-2161807218-2885428501-1010\Dc7\lite.exe
Adware:Adware/IPInsight No disinfected C:\RECYCLER\S-1-5-21-336809978-2161807218-2885428501-1010\Dc9.ini
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\system32\P2P Networking\MARSHAL.DLL
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\system32\P2P Networking\P2P Networking.exe
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\system32\P2P Networking v125.cpl
  • 0
