Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Please help me remove Smitfraud... [CLOSED]


  • This topic is locked This topic is locked

#1
XLTodd

XLTodd

    Member

  • Member
  • PipPip
  • 15 posts
Hi all,

I have searched, researched, and tried several solutions that have been offered in numerous forums to try and get rid of trojan-spy.html.smitfraud.c, but I am still having problems. I applied the smitfraud-c registry fix found online and it got rid of the "blue screen", but the computer is still not running right. When I try to come up normal, I have no icons on the desktop and when right clicking does nothing. I have downloaded HiJackThis and I am attaching the log. I wasn't sure if I needed to run it in safe mode or not, so I did not. I am also attaching a copy of the current registry just in case it is needed. Thanks in advance for any and all assistance. This is a business server and I need to get it cleaned up as soon as possible. Thanks again, I will check back in a little while, but you can reach me via email if needed: xltodd98atyahoodotcom.

Here's the HJT logfile:

Logfile of HijackThis v1.99.1
Scan saved at 8:03:39 AM, on 8/13/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\CA\Alert\ALERT.EXE
C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe
C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe
C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe
C:\Program Files\CA\BrightStor ARCserve Backup\casmrtbk.exe
C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe
C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe
C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe
C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\CA\iGateway\iGateway.exe
C:\Program Files\CA\BrightStor ARCserve Backup\Mediasvr.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\BrightStor ARCserve Backup\RDS.EXE
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINNT\System32\tcpsvcs.exe
C:\PROGRA~1\COMMON~1\CA\SCANEN~1\InoDist.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
D:\IBM\unishared\unirpc\unirpcd.exe
D:\IBM\UV\bin\uvservice.exe
C:\Program Files\CA\BrightStor ARCserve Backup\caloggerd.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\msdtc.exe
D:\IBM\UV\bin\uvdlockd.exe
C:\WINNT\Explorer.EXE
D:\IBM\UV\bin\tl_service.exe
C:\Program Files\Common Files\CA\BrightStor\CADS\casdscsvc.exe
C:\Program Files\CA\BrightStor ARCserve Backup\caauthd.exe
C:\Program Files\CA\BrightStor ARCserve Backup\LDBServer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\CA\BrightStor ARCserve Backup\LQServer.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\CMD.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.al.com/
O1 - Hosts: 69.50.173.4 lycos.com
O1 - Hosts: 69.50.173.4 www.lycos.com
O1 - Hosts: 69.50.173.4 altavista.com
O1 - Hosts: 69.50.173.4 www.altavista.com
O1 - Hosts: 69.50.173.4 amazon.com
O1 - Hosts: 69.50.173.4 www.amazon.com
O1 - Hosts: 69.50.173.4 aol.com
O1 - Hosts: 69.50.173.4 www.aol.com
O1 - Hosts: 69.50.173.4 earthlink.net
O1 - Hosts: 69.50.173.4 www.earthlink.net
O1 - Hosts: 69.50.173.4 ebay.com
O1 - Hosts: 69.50.173.4 www.ebay.com
O1 - Hosts: 69.50.173.4 go.com
O1 - Hosts: 69.50.173.4 www.go.com
O1 - Hosts: 69.50.173.4 google.com
O1 - Hosts: 69.50.173.4 www.google.com
O1 - Hosts: 69.50.173.4 icq.com
O1 - Hosts: 69.50.173.4 www.icq.com
O1 - Hosts: 69.50.173.4 lycos.com
O1 - Hosts: 69.50.173.4 www.lycos.com
O1 - Hosts: 69.50.173.4 msn.com
O1 - Hosts: 69.50.173.4 www.msn.com
O1 - Hosts: 69.50.173.4 yahoo.com
O1 - Hosts: 69.50.173.4 www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122405885562
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AAB5DCD-1C87-4BE6-817C-4E45A168FD5A}: NameServer = 209.225.8.42,67.97.48.9
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Program Files\Common Files\CA\Alert\ALERT.EXE
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
O23 - Service: APC PBE Server (APCPBEServer) - APC - C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BrightStor AB Database Engine (CASDBEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe
O23 - Service: BrightStor Discovery Service (CASDiscoverySvc) - Computer Associates - C:\Program Files\Common Files\CA\BrightStor\CADS\casdscsvc.exe
O23 - Service: BrightStor AB Job Engine (CASJobEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe
O23 - Service: BrightStor AB Message Engine (CASMsgEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe
O23 - Service: BrightStor AB Service Controller (CASSvcControlSvr) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe
O23 - Service: BrightStor AB Tape Engine (CASTapeEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe
O23 - Service: BrightStor AB Domain Server (CASUnivDomainSvr) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe
O23 - Service: CA Remote Procedure Call Server (CATIRPC) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iGateway - Unknown owner - C:\Program Files\CA\iGateway\iGateway.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Uni RPC Service (unirpc) - IBM Corporation - D:\IBM\unishared\unirpc\unirpcd.exe
O23 - Service: UniVerse Resource Service (universe) - IBM Corporation - D:\IBM\UV\bin\uvservice.exe
O23 - Service: UniVerse Telnet Service (uvtelnet) - IBM Corporation - D:\IBM\UV\bin\tl_service.exe
  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Try running these from the Task Manager->Command Prompt if you can since you can't access the desktop. Yes, HijackThis scan log should be in normal mode like you did here. Only the fix should be run in safe mode.

Download smitRem at http://noahdfear.gee.../click.php?id=1 and save the file to your desktop.

Please download Ewido Security Suite at http://www.ewido.net/en/download/ and read the Ewido setup instructions at http://rstones12.gee.../ewidosetup.htm. Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions at http://rstones12.gee...areSE_setup.htm. Otherwise, check for updates. Don't run it yet!

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O1 - Hosts: 69.50.173.4 lycos.com
O1 - Hosts: 69.50.173.4 www.lycos.com
O1 - Hosts: 69.50.173.4 altavista.com
O1 - Hosts: 69.50.173.4 www.altavista.com
O1 - Hosts: 69.50.173.4 amazon.com
O1 - Hosts: 69.50.173.4 www.amazon.com
O1 - Hosts: 69.50.173.4 aol.com
O1 - Hosts: 69.50.173.4 www.aol.com
O1 - Hosts: 69.50.173.4 earthlink.net
O1 - Hosts: 69.50.173.4 www.earthlink.net
O1 - Hosts: 69.50.173.4 ebay.com
O1 - Hosts: 69.50.173.4 www.ebay.com
O1 - Hosts: 69.50.173.4 go.com
O1 - Hosts: 69.50.173.4 www.go.com
O1 - Hosts: 69.50.173.4 google.com
O1 - Hosts: 69.50.173.4 www.google.com
O1 - Hosts: 69.50.173.4 icq.com
O1 - Hosts: 69.50.173.4 www.icq.com
O1 - Hosts: 69.50.173.4 lycos.com
O1 - Hosts: 69.50.173.4 www.lycos.com
O1 - Hosts: 69.50.173.4 msn.com
O1 - Hosts: 69.50.173.4 www.msn.com
O1 - Hosts: 69.50.173.4 yahoo.com
O1 - Hosts: 69.50.173.4 www.yahoo.com
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?


Run the smitRem.exe tool you downloaded earlier. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

* Click on scanner.
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with ewido it is finding cases of false positives.
* You will need to step through the process of cleaning files one-by-one.
* If Ewido detects a file you KNOW to be legitimate, select none as the action.
* Do NOT select 'Perform action on all infections'.
* If you are unsure of any entry found, select none for now.
* When the scan is finished, click the Save report button at the bottom of the screen.
* Save the report to your desktop.

Close Ewido.

Next go to Control Panel->Display->Desktop->Customize Desktop->Web-> Uncheck 'Security Info' if present.

Reboot back into Windows and go to http://www.pandasoft...n_principal.htm to do a full system scan. Make sure the autoclean box is checked. Save the scan log.

Then post the Panda log here along with the logs for HijackThis, smitfiles.txt and Ewido.
  • 0

#3
XLTodd

XLTodd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts

Welcome to GTG.

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?[/b]

This was the only entry found.  I told HJT to "fix it".

Next go to Control Panel->Display->Desktop->Customize Desktop->Web-> Uncheck 'Security Info' if present.

When opening Display from CP, I only have these tabs: Background, Screen Saver, Appearance, Settings.

Reboot back into Windows and go to http://www.pandasoft...n_principal.htm to do a full system scan. Make sure the autoclean box is checked. Save the scan log.

I rebooted back to normal, but everything was still the same.  IE will not open, so I rebooted back to safe mode to run the Panda scan.

Then post the Panda log here along with the logs for HijackThis, smitfiles.txt and Ewido.

View Post


HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:50:20 AM, on 8/13/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cmd.exe
C:\HJT\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.al.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122405885562
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AAB5DCD-1C87-4BE6-817C-4E45A168FD5A}: NameServer = 209.225.8.42,67.97.48.9
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Program Files\Common Files\CA\Alert\ALERT.EXE
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
O23 - Service: APC PBE Server (APCPBEServer) - APC - C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BrightStor AB Database Engine (CASDBEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe
O23 - Service: BrightStor Discovery Service (CASDiscoverySvc) - Computer Associates - C:\Program Files\Common Files\CA\BrightStor\CADS\casdscsvc.exe
O23 - Service: BrightStor AB Job Engine (CASJobEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe
O23 - Service: BrightStor AB Message Engine (CASMsgEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe
O23 - Service: BrightStor AB Service Controller (CASSvcControlSvr) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe
O23 - Service: BrightStor AB Tape Engine (CASTapeEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe
O23 - Service: BrightStor AB Domain Server (CASUnivDomainSvr) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe
O23 - Service: CA Remote Procedure Call Server (CATIRPC) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iGateway - Unknown owner - C:\Program Files\CA\iGateway\iGateway.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Uni RPC Service (unirpc) - IBM Corporation - D:\IBM\unishared\unirpc\unirpcd.exe
O23 - Service: UniVerse Resource Service (universe) - IBM Corporation - D:\IBM\UV\bin\uvservice.exe
O23 - Service: UniVerse Telnet Service (uvtelnet) - IBM Corporation - D:\IBM\UV\bin\tl_service.exe

Smitfiles.txt:


smitRem log file
version 2.3

by noahdfear

The current date is: Sat 08/13/2005
The current time is: 9:52:15.23

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

param32.dll


~~~ Icons in System32 ~~~

Air Tickets
Big Tits
Blackjack
Britney Spears
Car Insurance
Cheap Cigarettes
Credit Card
Cruises
Currency Trading
MP3
Online Betting
Party Poker
Pharmacy
Phentermine
Remove Spyware
viagra


~~~ Windows directory ~~~



~~~ Drive root ~~~

wp.bmp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! :tazz:



Ewido Log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:12:04 AM, 8/13/2005
+ Report-Checksum: E6E5B6FF

+ Scan result:

C:\WINNT\system32\guninst.exe -> Spyware.Serpo : Cleaned with backup


::Report End




Panda Log:


Incident Status Location

Adware:adware/hotoffers No disinfected C:\WINNT\SYSTEM32\Online Casino.ico

END OF ALL LOG FILES.

Some more information: When I rebooted in normal mode, the desktop is still blank (no icons), and when I right click nothing happens for approx 1 min., then I get a red circle 'x' message box that states, "Cannot find the file '(null)'(or one of its components) make sure the path and filename are correct and that all required libraries are available."

While in normal mode, no programs will start. E.G. Internet Explorer, Control Panel, etc...

I forgot to add that because I am in Safe mode, my display is horrible, 16 colors, vga, and I cannot change it. This makes it hard to read some things. I did not see on the panda scan the option to autoclean, therefore, I don't know if it removed the one thing that it found (probably not). Thanks for the help...

Edited by XLTodd, 13 August 2005 - 10:03 AM.

  • 0

#4
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, delete this file if found:

C:\WINNT\SYSTEM32\Online Casino.ico

Go to your task manager, file->new task and type in sfc /scannow and hit OK. Let it scan. If it finds any files missing/corrupted, it may ask for the Windows CD. See if that will find anything and repair IE.

Next boot into Safe Mode and run smitRem's RunThis.bat file again. Save the log. Restart and post that log here (if you can in Normal Mode).

Is the HijackThis log in Normal Mode.
  • 0

#5
XLTodd

XLTodd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Grey,

It'll be sometime Monday before I can get back to the machine, but I will do as you instruct and post the log files. I can't remember if the last HJT log was run in normal mode or not. I think I can get HJT to run in normal mode. If so, I'll repost another log just to make sure. All other logs above were generated in safe mode. Thanks again for the assistance...X
  • 0

#6
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Yes, try running smitRem again first. Then restart and post that log along with a new HijackThis log.
  • 0

#7
XLTodd

XLTodd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hey Grey,

I was finally able to get back down here. Here is the latest HJT log (normal mode):

Logfile of HijackThis v1.99.1
Scan saved at 7:27:50 AM, on 8/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\CA\Alert\ALERT.EXE
C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe
C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe
C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe
C:\Program Files\CA\BrightStor ARCserve Backup\casmrtbk.exe
C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe
C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe
C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe
C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\CA\BrightStor ARCserve Backup\RDS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\CA\BrightStor ARCserve Backup\Mediasvr.exe
C:\Program Files\CA\iGateway\iGateway.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\regsvc.exe
C:\PROGRA~1\COMMON~1\CA\SCANEN~1\InoDist.exe
C:\Program Files\CA\BrightStor ARCserve Backup\caloggerd.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
D:\IBM\unishared\unirpc\unirpcd.exe
D:\IBM\UV\bin\uvservice.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\msdtc.exe
D:\IBM\UV\bin\uvdlockd.exe
D:\IBM\UV\bin\tl_service.exe
C:\Program Files\Common Files\CA\BrightStor\CADS\casdscsvc.exe
C:\Program Files\CA\BrightStor ARCserve Backup\caauthd.exe
C:\Program Files\CA\BrightStor ARCserve Backup\LDBServer.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\CA\BrightStor ARCserve Backup\LQServer.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\Dfssvc.exe
D:\IBM\UV\bin\tl_server.exe
D:\IBM\UV\bin\tl_server.exe
D:\IBM\UV\bin\tl_server.exe
D:\IBM\UV\bin\tl_server.exe
C:\WINNT\system32\cmd.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.al.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122405885562
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AAB5DCD-1C87-4BE6-817C-4E45A168FD5A}: NameServer = 209.225.8.42,67.97.48.9
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Program Files\Common Files\CA\Alert\ALERT.EXE
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
O23 - Service: APC PBE Server (APCPBEServer) - APC - C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BrightStor AB Database Engine (CASDBEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe
O23 - Service: BrightStor Discovery Service (CASDiscoverySvc) - Computer Associates - C:\Program Files\Common Files\CA\BrightStor\CADS\casdscsvc.exe
O23 - Service: BrightStor AB Job Engine (CASJobEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe
O23 - Service: BrightStor AB Message Engine (CASMsgEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe
O23 - Service: BrightStor AB Service Controller (CASSvcControlSvr) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe
O23 - Service: BrightStor AB Tape Engine (CASTapeEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe
O23 - Service: BrightStor AB Domain Server (CASUnivDomainSvr) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe
O23 - Service: CA Remote Procedure Call Server (CATIRPC) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iGateway - Unknown owner - C:\Program Files\CA\iGateway\iGateway.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Uni RPC Service (unirpc) - IBM Corporation - D:\IBM\unishared\unirpc\unirpcd.exe
O23 - Service: UniVerse Resource Service (universe) - IBM Corporation - D:\IBM\UV\bin\uvservice.exe
O23 - Service: UniVerse Telnet Service (uvtelnet) - IBM Corporation - D:\IBM\UV\bin\tl_service.exe

I reran smitrem while in normal mode (had to use Task Mgr to open a cmd window), and it is still running the disk cleanup utility. May take a while. I will post that log when it finishes. Thanks again for the assistance..

X

Also, from a cmd window, I can see Online Casino.ico in the c:\winnt\system32 directory, but the pruter will not let me delete it. It doesn't like the space between Online and Casino for some reason. I've tried with and underscore, dash, and tilde between the two, but it says file cannot be found. What gives? Thanks...

Edited by XLTodd, 18 August 2005 - 07:24 AM.

  • 0

#8
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Why are you running smitRem in Normal Mode? Please run it in Safe Mode and post it here (restart and post the log here).

You may just delete that Online Casino.ico file in Safe Mode. No need to do it in the command prompt. But if you still want to, you MUST include quotes between "c:\.....and the Online Casino.ico". That will delete it.

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#9
XLTodd

XLTodd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Yes there are many problems.

There are no icons on the desktop. And when I click start -> all programs -> <any program>, nothing starts and the computer locks up. By locking up, I mean trying to click on the start button again does not bring up start menu any longer. I'll get rid of the online casino ico file and rerun smitrem in safe mode, and repost the log here. Thanks again for your help!

Just got finished running smitrem and here is the log:

smitRem log file
version 2.3

by noahdfear

The current date is: Fri 08/19/2005
The current time is: 16:30:44.64

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! :tazz:

There ya go...thanks!

Edited by XLTodd, 19 August 2005 - 03:33 PM.

  • 0

#10
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
So it's locking up now? Did you run sfc /scannow like I mentioned earlier?

Boot into Safe Mode and run Ewido again. Save the log.

Reboot to Normal Mode and post the Ewido log along with a new HijackThis log.
  • 0

Advertisements


#11
XLTodd

XLTodd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
I apologize. I'm having to get the instructions from one site and go to the problem site. In doing so, I skipped the sfc /scannow step. I will do that the next time I can get down there which will be Thur. or Fri. I will also rerun Ewido in safe mode and HJT in normal mode and repost those logs if the sfc /scannow does not fix the problems. Also, I will be donating to you for your time once all of these issues are resolved. Thanks for your help and patience Greyknight!
  • 0

#12
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
No problem. Just glad we could help :tazz:

Post back next week then. Try not to leave this topic opened for too long though. After 2 weeks or more, I start closing my inactive topics. You're good for another two weeks on this topic (if there's no replies at all) :)
  • 0

#13
XLTodd

XLTodd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
My work schedule (12 hours from 7:00 a.m. to 7:00 p.m.)is prohibiting me from getting down there while the business is open, until midweek. Look for me to post any logs and the results of the sfc /scannow probably by Thursday. Thanks!
  • 0

#14
XLTodd

XLTodd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Ok Grey,

I ran sfc /scannow, booted in safe mode and ran Ewido, then rebooted back to normal mode and reran HJT. Below are the logs. Pruter is in same state after running sfc /scannow. No icons on desktop. Right clicking on desktop does not bring up a context menu, and no programs will start by clicking start -> all programs -> (any program). Below are the logs. Ewido first, then HJT. Thank you.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:33:30 PM, 8/25/2005
+ Report-Checksum: B890428D

+ Scan result:

No infected objects found.


::Report End




Logfile of HijackThis v1.99.1
Scan saved at 4:37:45 PM, on 8/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\CA\Alert\ALERT.EXE
C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe
C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe
C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe
C:\Program Files\CA\BrightStor ARCserve Backup\casmrtbk.exe
C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe
C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe
C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe
C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\CA\BrightStor ARCserve Backup\Mediasvr.exe
C:\Program Files\CA\BrightStor ARCserve Backup\RDS.EXE
C:\Program Files\CA\iGateway\iGateway.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\COMMON~1\CA\SCANEN~1\InoDist.exe
C:\WINNT\System32\snmp.exe
D:\IBM\unishared\unirpc\unirpcd.exe
C:\Program Files\CA\BrightStor ARCserve Backup\caloggerd.exe
D:\IBM\UV\bin\uvservice.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\msdtc.exe
D:\IBM\UV\bin\uvdlockd.exe
D:\IBM\UV\bin\tl_service.exe
C:\Program Files\Common Files\CA\BrightStor\CADS\casdscsvc.exe
C:\Program Files\CA\BrightStor ARCserve Backup\caauthd.exe
C:\Program Files\CA\BrightStor ARCserve Backup\LDBServer.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\CA\BrightStor ARCserve Backup\LQServer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\CMD.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.al.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122405885562
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AAB5DCD-1C87-4BE6-817C-4E45A168FD5A}: NameServer = 209.225.8.42,67.97.48.9
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Program Files\Common Files\CA\Alert\ALERT.EXE
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
O23 - Service: APC PBE Server (APCPBEServer) - APC - C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BrightStor AB Database Engine (CASDBEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe
O23 - Service: BrightStor Discovery Service (CASDiscoverySvc) - Computer Associates - C:\Program Files\Common Files\CA\BrightStor\CADS\casdscsvc.exe
O23 - Service: BrightStor AB Job Engine (CASJobEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe
O23 - Service: BrightStor AB Message Engine (CASMsgEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe
O23 - Service: BrightStor AB Service Controller (CASSvcControlSvr) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe
O23 - Service: BrightStor AB Tape Engine (CASTapeEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe
O23 - Service: BrightStor AB Domain Server (CASUnivDomainSvr) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe
O23 - Service: CA Remote Procedure Call Server (CATIRPC) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iGateway - Unknown owner - C:\Program Files\CA\iGateway\iGateway.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Uni RPC Service (unirpc) - IBM Corporation - D:\IBM\unishared\unirpc\unirpcd.exe
O23 - Service: UniVerse Resource Service (universe) - IBM Corporation - D:\IBM\UV\bin\uvservice.exe
O23 - Service: UniVerse Telnet Service (uvtelnet) - IBM Corporation - D:\IBM\UV\bin\tl_service.exe
  • 0

#15
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
You must have removed it improperly to begin with.

Do a search for these files and delete them if found (most should be in c:\windows\ or just c: drive):

desktop.html
screen.html
windows.html
wp.bmp

If not found, then it's something else that's wrong. Right click on this link an choose Save As. Save it and then double click on the downloaded/saved file to run it. Choose Yes to add it to the registry.

Restart. Desktop back?
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP