Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Please help me remove Smitfraud... [CLOSED]


  • This topic is locked This topic is locked

#16
XLTodd

XLTodd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hey Grey,

I searched and did not find wp.bmp or any of the .html files you mentioned. I downloaded the reg file and added it to the registry. I rebooted. I still have no icons, I cannot access desktop settings by right clicking the desktop or via control panel. Some programs will now start by clicking start -> all programs -> (program). I started Ewido in normal mode (didn't run it.). I started Spybot and was able to update definitions, but I didn't run it. I tried to open Internet Explorer, nothing happened. I tried to open Control Panel, nothing happened. There is something (a msg box?) that flashes sporadically on the desktop. It's so fast that I cannot make out anything on it. It's bigger than the typical msg/error box. It seems to be about 4 in. X 3 in. After I tried to open IE and CP, about 1 to 2 mins later a "red X" info box opened up with the following:

"Cannot find the file '(null)' (or one of it's components). Make sure the path and filename are correct and that all required libraries are available."

After that, pruter locks up...only task mgr will open. Any other ideas? I REALLY DON"T WANT to do a format/reinstall. Thanks for the help!
  • 0

Advertisements


#17
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
If you can, update those antispyware programs and Ewido...then run them in Safe Mode and remove what they find. See if they find anything.
  • 0

#18
XLTodd

XLTodd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hey Grey,

I'm still here. Just been working alot lately and haven't had time to get back down there yet. I'll be going by there monday morning and I'll post the results shortly after. Thanks for hanging in there with me. :tazz:
  • 0

#19
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
No problem. I will be here in the evening (after work).
  • 0

#20
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

#21
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Topic re-opened per user's request.
  • 0

#22
XLTodd

XLTodd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hey man,

I finally made it back down here. I'm updating and scanning right this second. I'll post the results shortly! Thanks!
  • 0

#23
XLTodd

XLTodd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
OK...I'm in safe mode. I updated and ran Ewido. Here is the report:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:22:28 AM, 10/8/2005
+ Report-Checksum: 10C6DFF5

+ Scan result:

C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup


::Report End


Spybot found updates but they will not download. I keep getting a "checksum" error. It has finished scanning and found nothing. This is where I stand:

Still no icons on desktop. In normal mode, I have to bring up task mgr and "run" programs that way most of the time. Sometimes, after a reboot into normal mode, I can navigate via the Start button. But that doesn't last long. The button quits responding and I have to do the Ctl Alt Del to get it the puter to do anything. Where do we go from here? Thanks again for all the help!
  • 0

#24
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
For Spybot, try choosing another download location (you should see a button for it on top, choose it and select a different location...then update).

Try running the smitRem tool again in Safe Mode.

Boot back to normal mode and give me the smitfiles.txt log and also a new HijackThis log.
  • 0

#25
XLTodd

XLTodd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
OK...I was finally able to get Spybot to update. It ran fine and found nothing.

Ran Smitrem in Safe mode. Here is the log:

smitRem log file
version 2.3

by noahdfear

The current date is: Sat 10/08/2005
The current time is: 10:23:55.62

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! :tazz:

Here is the HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:32:53 AM, on 10/8/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\CA\Alert\ALERT.EXE
C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe
C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe
C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe
C:\Program Files\CA\BrightStor ARCserve Backup\casmrtbk.exe
C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe
C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe
C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe
C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\CA\BrightStor ARCserve Backup\Mediasvr.exe
C:\Program Files\CA\BrightStor ARCserve Backup\RDS.EXE
C:\Program Files\CA\iGateway\iGateway.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\system32\regsvc.exe
C:\PROGRA~1\COMMON~1\CA\SCANEN~1\InoDist.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
D:\IBM\unishared\unirpc\unirpcd.exe
C:\Program Files\CA\BrightStor ARCserve Backup\caloggerd.exe
D:\IBM\UV\bin\uvservice.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\msdtc.exe
D:\IBM\UV\bin\uvdlockd.exe
D:\IBM\UV\bin\tl_service.exe
C:\Program Files\Common Files\CA\BrightStor\CADS\casdscsvc.exe
C:\Program Files\CA\BrightStor ARCserve Backup\caauthd.exe
C:\Program Files\CA\BrightStor ARCserve Backup\LDBServer.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CA\BrightStor ARCserve Backup\LQServer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.al.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122405885562
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AAB5DCD-1C87-4BE6-817C-4E45A168FD5A}: NameServer = 209.225.8.42,67.97.48.9
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Program Files\Common Files\CA\Alert\ALERT.EXE
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
O23 - Service: APC PBE Server (APCPBEServer) - APC - C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BrightStor AB Database Engine (CASDBEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe
O23 - Service: BrightStor Discovery Service (CASDiscoverySvc) - Computer Associates - C:\Program Files\Common Files\CA\BrightStor\CADS\casdscsvc.exe
O23 - Service: BrightStor AB Job Engine (CASJobEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe
O23 - Service: BrightStor AB Message Engine (CASMsgEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe
O23 - Service: BrightStor AB Service Controller (CASSvcControlSvr) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe
O23 - Service: BrightStor AB Tape Engine (CASTapeEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe
O23 - Service: BrightStor AB Domain Server (CASUnivDomainSvr) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe
O23 - Service: CA Remote Procedure Call Server (CATIRPC) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iGateway - Unknown owner - C:\Program Files\CA\iGateway\iGateway.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Uni RPC Service (unirpc) - IBM Corporation - D:\IBM\unishared\unirpc\unirpcd.exe
O23 - Service: UniVerse Resource Service (universe) - IBM Corporation - D:\IBM\UV\bin\uvservice.exe
O23 - Service: UniVerse Telnet Service (uvtelnet) - IBM Corporation - D:\IBM\UV\bin\tl_service.exe

There you go. I'm having to go back and forth between safe and normal because Internet Explorer will not work in normal mode. Thanks!
  • 0

Advertisements


#26
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, we'll have to go with the Windows repair and see if that will bring back your desktop icons and menu. Please visit this site and follow the directions there.
  • 0

#27
XLTodd

XLTodd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Ok..I'll try that next. But, doing those step won't wipe out the existing network settings will it? I can't let that happen because I don't have the time to set everything back up. Thanks again for all the assistance!
  • 0

#28
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
This shouldn't wipe out any of your network settings or data, unless the corrupted files are associated with files used by your network...

If you want to double check, then ask this in the Windows forum..."will doing a Windows 2000 repair delete any of my existing network settings?"...then continue if it doesn't.
  • 0

#29
XLTodd

XLTodd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
I'm going to try and get back down there this Saturday, 10-15. I took your suggestion and posted that question about network settings at MS...I'm awaiting a reply. If the current network settings will not be affected, I will proceed with your instructions. Thanks again for all the assistance and your patience! :tazz:
  • 0

#30
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
No problem XLTodd. Tell me how it went.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP