Smitfraud-C Infection Won't Go Away!

#1 cartdave (New Member)
After finding your great website, for the last several months I've been able to clean my computer of malware, viruses, etc. by just following the "try this first page" and the great software you've recommended; however, Spybot recently identified a Smitfraud infection but none of the software and scans could get rid of it. I also downloaded smitrem.exe and ran it in safe mode, but Spybot reports that smitfraud-c is still present.

Here is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 3:27:17 PM, on 10/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Winamp\Winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Netscape\Navigator\Program\netscape.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\GeeksToGo\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.worldnet.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsear...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsear...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = I'm listening, Lord....
F2 - REG:system.ini: Shell=
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Add to Restricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: Add to Trusted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
O15 - Trusted Zone: *.accountonline.com
O15 - Trusted Zone: *.amazon.com
O15 - Trusted Zone: *.andale.com
O15 - Trusted Zone: *.apawood.org
O15 - Trusted Zone: *.autoworld.com
O15 - Trusted Zone: *.bhccu.org
O15 - Trusted Zone: http://pmj.bmjjournals.com
O15 - Trusted Zone: http://www1.boatersworld.com
O15 - Trusted Zone: *.boatersworld.com
O15 - Trusted Zone: http://*.byyb.org
O15 - Trusted Zone: *.cabelas.com
O15 - Trusted Zone: *.caloriesperhour.com
O15 - Trusted Zone: *.car-stuff.com
O15 - Trusted Zone: *.cdc.gov
O15 - Trusted Zone: http://*.certainteed.com
O15 - Trusted Zone: *.circletrack.com
O15 - Trusted Zone: *.clean-power.com
O15 - Trusted Zone: *.corel.com
O15 - Trusted Zone: *.customernation.com
O15 - Trusted Zone: *.cwc.ca
O15 - Trusted Zone: *.dannyg.com
O15 - Trusted Zone: *.daytonwirewheels.com
O15 - Trusted Zone: *.diybanter.com
O15 - Trusted Zone: *.dlink.com
O15 - Trusted Zone: *.dpreview.com
O15 - Trusted Zone: *.ebay.co.uk
O15 - Trusted Zone: *.ebay.com
O15 - Trusted Zone: *.explore-architecture.com
O15 - Trusted Zone: *.treesearch.fs.fed.us
O15 - Trusted Zone: *.flyinmiata.com
O15 - Trusted Zone: *.gateway.com
O15 - Trusted Zone: http://www.geocities.com
O15 - Trusted Zone: *.geocities.com
O15 - Trusted Zone: *.gobinet.se
O15 - Trusted Zone: *.grantcounty.org
O15 - Trusted Zone: *.grisoft.com
O15 - Trusted Zone: *.grisoft.cz
O15 - Trusted Zone: *.halls.md
O15 - Trusted Zone: *.harborfreight.com
O15 - Trusted Zone: *.channing.harvard.edu
O15 - Trusted Zone: *.hedbergpubliclibrary.org
O15 - Trusted Zone: *.hellenbrand.com
O15 - Trusted Zone: *.hellenbrandwatercenter.com
O15 - Trusted Zone: *.hewitt.com
O15 - Trusted Zone: *.historiclotusregister.co.uk
O15 - Trusted Zone: *.homedepot.com
O15 - Trusted Zone: *.fairpark.homestead.com
O15 - Trusted Zone: *.mcsccpix.homestead.com
O15 - Trusted Zone: http://powersports.honda.com
O15 - Trusted Zone: *.honda.com
O15 - Trusted Zone: *.iedls.com
O15 - Trusted Zone: *.infinitemarketplace.com
O15 - Trusted Zone: http://www.innerbody.com
O15 - Trusted Zone: *.intellicast.com
O15 - Trusted Zone: *.intersil.com
O15 - Trusted Zone: *.janesvilleclassifieds.com
O15 - Trusted Zone: *.jascoproducts.com
O15 - Trusted Zone: *.java.com
O15 - Trusted Zone: *.jcwhitney.com
O15 - Trusted Zone: *.kinyo.com
O15 - Trusted Zone: http://webpac.als.lib.wi.us
O15 - Trusted Zone: *.lotusclassiccars.com
O15 - Trusted Zone: *.mapquest.com
O15 - Trusted Zone: *.marineengine.com
O15 - Trusted Zone: *.mcmaster.com
O15 - Trusted Zone: http://www.mcsorley.net
O15 - Trusted Zone: *.menards.com
O15 - Trusted Zone: *.michigan.org
O15 - Trusted Zone: *.michigandnr.com
O15 - Trusted Zone: http://*.missvickie.com
O15 - Trusted Zone: *.motionindustries.com
O15 - Trusted Zone: http://by18fd.bay18.hotmail.msn.com
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.mvps.org
O15 - Trusted Zone: http://www.mwsint.com
O15 - Trusted Zone: *.mwsint.com
O15 - Trusted Zone: *.mylincolnelectric.com
O15 - Trusted Zone: *.mytopo.com
O15 - Trusted Zone: http://www.napaonline.com
O15 - Trusted Zone: *.napaonline.com
O15 - Trusted Zone: *.ncbi.nlm.nih.gov
O15 - Trusted Zone: *.nlm.nih.gov
O15 - Trusted Zone: http://*.not2fast.com
O15 - Trusted Zone: *.owenscorning.com
O15 - Trusted Zone: *.partsexpress.com
O15 - Trusted Zone: *.passport.com
O15 - Trusted Zone: *.passport.net
O15 - Trusted Zone: *.paypal.com
O15 - Trusted Zone: *.pegasusautoracing.com
O15 - Trusted Zone: http://*.peltiertech.com
O15 - Trusted Zone: *.popularhotrodding.com
O15 - Trusted Zone: *.rockprairie.presbychurch.net
O15 - Trusted Zone: *.radioshack.com
O15 - Trusted Zone: *.reserveamerica.com
O15 - Trusted Zone: *.ridgidrepair.com
O15 - Trusted Zone: http://www.risingconcepts.com
O15 - Trusted Zone: http://*.rsracing.com
O15 - Trusted Zone: *.rst-v8.com
O15 - Trusted Zone: *.ryobitools.com
O15 - Trusted Zone: *.samaritanspurse.org
O15 - Trusted Zone: *.sears.com
O15 - Trusted Zone: *.securepaynet.com
O15 - Trusted Zone: *.securepaynet.net
O15 - Trusted Zone: *.secureserver.net
O15 - Trusted Zone: *.sitebuildingtools.com
O15 - Trusted Zone: http://www*.skf.com
O15 - Trusted Zone: *.skf.com
O15 - Trusted Zone: *.smallengineadvisor.com
O15 - Trusted Zone: *.socialsecurity.gov
O15 - Trusted Zone: *.speedtv.com
O15 - Trusted Zone: *.ssa.gov
O15 - Trusted Zone: *.dnr.state.mi.us
O15 - Trusted Zone: *.salestax.dor.state.wi.us
O15 - Trusted Zone: *.tamiya.com
O15 - Trusted Zone: *.ticon.net
O15 - Trusted Zone: *.timken.com
O15 - Trusted Zone: *.tinytears.cc
O15 - Trusted Zone: *.tinyurl.com
O15 - Trusted Zone: *.tirerack.com
O15 - Trusted Zone: *.trendmicro.com
O15 - Trusted Zone: *.triking.co.uk
O15 - Trusted Zone: *.turnpoint.net
O15 - Trusted Zone: *.unclebobsmusic.com
O15 - Trusted Zone: *.srs.fs.usda.gov
O15 - Trusted Zone: *.usps.com
O15 - Trusted Zone: *.vh.org
O15 - Trusted Zone: *.virtuallyignorant.com
O15 - Trusted Zone: *.walnecks.com
O15 - Trusted Zone: *.wastemanagement.com
O15 - Trusted Zone: http://www.watertownliving.com
O15 - Trusted Zone: http://www.wavjunky.com
O15 - Trusted Zone: *.winamp.com
O15 - Trusted Zone: http://Download.windowsupdate.com
O15 - Trusted Zone: *.windowsupdate.com
O15 - Trusted Zone: *.grp.yahoofs.com
O15 - Trusted IP range: http://216.83.181.196
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117251017214
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe



I could sure use some help on this one!

Dave Grandeffo


#2 retrac (Visiting Staff)
Hey Dave, sorry about the wait!!!

Please be sure you have a Normal Startup enabled. Here is how you do it:
Click the Start button
Click the Run button
Type the following in the box provided: msconfig
Click OK
Click "Normal Startup - load all device drivers and services"
Click Apply & restart the computer

Please post a NEW HijackThis log :)

Also, have you fixed anything in HijackThis since you installed it?

Thanks, retrac :tazz:

Edited by retrac, 21 November 2005 - 09:09 PM.


#3 cartdave (Topic Starter)
Hey Retrac,
No big deal... at least my computer remained usable all this time. It does still slow down at times and the CPU usage goes to 100%! Anyway, here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:21:24 PM, on 11/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Adaptec\EASYCD~2\CreateCD\CreateCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\WINDOWS\system32\wuauclt.exe
C:\GeeksToGo\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.worldnet.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsear...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsear...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = I'm listening, Lord....
F2 - REG:system.ini: Shell=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~2\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Add to Restricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: Add to Trusted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
O15 - Trusted Zone: *.accountonline.com
O15 - Trusted Zone: *.amazon.com
O15 - Trusted Zone: *.andale.com
O15 - Trusted Zone: *.apawood.org
O15 - Trusted Zone: http://uk.ask.com
O15 - Trusted Zone: *.autoworld.com
O15 - Trusted Zone: http://www.avonmotorcycle.com
O15 - Trusted Zone: *.bhccu.org
O15 - Trusted Zone: http://www.bidca-racing.com
O15 - Trusted Zone: http://pmj.bmjjournals.com
O15 - Trusted Zone: http://www1.boatersworld.com
O15 - Trusted Zone: *.boatersworld.com
O15 - Trusted Zone: http://*.byyb.org
O15 - Trusted Zone: *.cabelas.com
O15 - Trusted Zone: *.caloriesperhour.com
O15 - Trusted Zone: *.car-stuff.com
O15 - Trusted Zone: *.cdc.gov
O15 - Trusted Zone: http://*.certainteed.com
O15 - Trusted Zone: *.circletrack.com
O15 - Trusted Zone: *.clean-power.com
O15 - Trusted Zone: *.corel.com
O15 - Trusted Zone: *.customernation.com
O15 - Trusted Zone: *.cwc.ca
O15 - Trusted Zone: *.dannyg.com
O15 - Trusted Zone: *.daytonwirewheels.com
O15 - Trusted Zone: *.defactowireless.com
O15 - Trusted Zone: *.diybanter.com
O15 - Trusted Zone: *.dlink.com
O15 - Trusted Zone: *.dpreview.com
O15 - Trusted Zone: *.ebay.co.uk
O15 - Trusted Zone: *.ebay.com
O15 - Trusted Zone: *.explore-architecture.com
O15 - Trusted Zone: *.treesearch.fs.fed.us
O15 - Trusted Zone: *.flyinmiata.com
O15 - Trusted Zone: http://www.newmonaco.fsnet.co.uk
O15 - Trusted Zone: *.gateway.com
O15 - Trusted Zone: http://www.geekstogo.com
O15 - Trusted Zone: http://*.geekstogo.com
O15 - Trusted Zone: http://www.geocities.com
O15 - Trusted Zone: *.geocities.com
O15 - Trusted Zone: *.gobinet.se
O15 - Trusted Zone: *.grantcounty.org
O15 - Trusted Zone: *.grisoft.com
O15 - Trusted Zone: *.grisoft.cz
O15 - Trusted Zone: *.halls.md
O15 - Trusted Zone: *.harborfreight.com
O15 - Trusted Zone: *.channing.harvard.edu
O15 - Trusted Zone: *.hedbergpubliclibrary.org
O15 - Trusted Zone: *.hellenbrand.com
O15 - Trusted Zone: *.hellenbrandwatercenter.com
O15 - Trusted Zone: *.hewitt.com
O15 - Trusted Zone: *.historiclotusregister.co.uk
O15 - Trusted Zone: *.homedepot.com
O15 - Trusted Zone: *.fairpark.homestead.com
O15 - Trusted Zone: *.mcsccpix.homestead.com
O15 - Trusted Zone: http://powersports.honda.com
O15 - Trusted Zone: *.honda.com
O15 - Trusted Zone: *.iedls.com
O15 - Trusted Zone: *.infinitemarketplace.com
O15 - Trusted Zone: http://www.innerbody.com
O15 - Trusted Zone: *.intellicast.com
O15 - Trusted Zone: *.intersil.com
O15 - Trusted Zone: *.janesvilleclassifieds.com
O15 - Trusted Zone: *.jascoproducts.com
O15 - Trusted Zone: *.java.com
O15 - Trusted Zone: *.jcwhitney.com
O15 - Trusted Zone: *.kinyo.com
O15 - Trusted Zone: http://webpac.als.lib.wi.us
O15 - Trusted Zone: http://www.loralskynet.com
O15 - Trusted Zone: *.lotusclassiccars.com
O15 - Trusted Zone: http://homepage.mac.com
O15 - Trusted Zone: http://www.madisonchildrensmuseum.org
O15 - Trusted Zone: *.mapquest.com
O15 - Trusted Zone: *.marineengine.com
O15 - Trusted Zone: *.mcmaster.com
O15 - Trusted Zone: http://www.mcsorley.net
O15 - Trusted Zone: *.menards.com
O15 - Trusted Zone: *.meshsandbox.com
O15 - Trusted Zone: *.michigan.org
O15 - Trusted Zone: *.michigandnr.com
O15 - Trusted Zone: http://*.missvickie.com
O15 - Trusted Zone: *.motionindustries.com
O15 - Trusted Zone: http://by18fd.bay18.hotmail.msn.com
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.mvps.org
O15 - Trusted Zone: http://www.mwsint.com
O15 - Trusted Zone: *.mwsint.com
O15 - Trusted Zone: *.mylincolnelectric.com
O15 - Trusted Zone: *.mytopo.com
O15 - Trusted Zone: http://www.napaonline.com
O15 - Trusted Zone: *.napaonline.com
O15 - Trusted Zone: *.ncbi.nlm.nih.gov
O15 - Trusted Zone: *.nlm.nih.gov
O15 - Trusted Zone: http://*.not2fast.com
O15 - Trusted Zone: http://www.nrel.gov
O15 - Trusted Zone: *.nynphotoschool.com
O15 - Trusted Zone: *.orinocowireless.com
O15 - Trusted Zone: *.owenscorning.com
O15 - Trusted Zone: *.partsexpress.com
O15 - Trusted Zone: *.passport.com
O15 - Trusted Zone: *.passport.net
O15 - Trusted Zone: *.paypal.com
O15 - Trusted Zone: *.pegasusautoracing.com
O15 - Trusted Zone: http://*.peltiertech.com
O15 - Trusted Zone: *.popularhotrodding.com
O15 - Trusted Zone: http://www.powersportspro.com
O15 - Trusted Zone: *.rockprairie.presbychurch.net
O15 - Trusted Zone: http://www.proxim.com
O15 - Trusted Zone: http://dsr.racer.net
O15 - Trusted Zone: http://www.radiologyinfo.org
O15 - Trusted Zone: *.radioshack.com
O15 - Trusted Zone: *.reserveamerica.com
O15 - Trusted Zone: *.ridgidrepair.com
O15 - Trusted Zone: http://www.risingconcepts.com
O15 - Trusted Zone: http://www.roxio.com
O15 - Trusted Zone: http://www.rqriley.com
O15 - Trusted Zone: http://*.rsracing.com
O15 - Trusted Zone: *.rst-v8.com
O15 - Trusted Zone: *.ryobitools.com
O15 - Trusted Zone: *.samaritanspurse.org
O15 - Trusted Zone: *.sears.com
O15 - Trusted Zone: http://*.seattlewireless.net
O15 - Trusted Zone: *.securepaynet.com
O15 - Trusted Zone: *.securepaynet.net
O15 - Trusted Zone: *.secureserver.net
O15 - Trusted Zone: *.sitebuildingtools.com
O15 - Trusted Zone: http://www*.skf.com
O15 - Trusted Zone: *.skf.com
O15 - Trusted Zone: *.smallengineadvisor.com
O15 - Trusted Zone: *.socialsecurity.gov
O15 - Trusted Zone: http://www.sonic.com
O15 - Trusted Zone: *.speedtv.com
O15 - Trusted Zone: *.ssa.gov
O15 - Trusted Zone: *.dnr.state.mi.us
O15 - Trusted Zone: *.salestax.dor.state.wi.us
O15 - Trusted Zone: http://*.stockcarracing.com
O15 - Trusted Zone: *.tamiya.com
O15 - Trusted Zone: *.ticon.net
O15 - Trusted Zone: *.timken.com
O15 - Trusted Zone: *.tinytears.cc
O15 - Trusted Zone: *.tinyurl.com
O15 - Trusted Zone: *.tirerack.com
O15 - Trusted Zone: http://www.treasureofeast.com
O15 - Trusted Zone: *.trendmicro.com
O15 - Trusted Zone: *.triking.co.uk
O15 - Trusted Zone: *.turnpoint.net
O15 - Trusted Zone: *.unclebobsmusic.com
O15 - Trusted Zone: *.srs.fs.usda.gov
O15 - Trusted Zone: *.usps.com
O15 - Trusted Zone: http://aiw1.uspto.gov
O15 - Trusted Zone: http://www.usr.com
O15 - Trusted Zone: *.vh.org
O15 - Trusted Zone: *.virtuallyignorant.com
O15 - Trusted Zone: *.walnecks.com
O15 - Trusted Zone: *.wastemanagement.com
O15 - Trusted Zone: http://www.watertownliving.com
O15 - Trusted Zone: http://www.wavjunky.com
O15 - Trusted Zone: http://radar.weather.gov
O15 - Trusted Zone: *.winamp.com
O15 - Trusted Zone: http://Download.windowsupdate.com
O15 - Trusted Zone: *.windowsupdate.com
O15 - Trusted Zone: *.wirelessconnections.net
O15 - Trusted Zone: *.grp.yahoofs.com
O15 - Trusted IP range: http://216.83.181.196
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117251017214
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe


I haven't fixed anything in HijackThis since I installed it. The reference to Smitfraud-C went away when I updated Spybot S&D tonight.

Thanks,
Dave

#4 retrac (Visiting Staff)
Hey Dave :)

Well, you seem to add a lot of websites to the Trusted Zone. Those all seem to be good sites, but you don't have to let them be trusted to use their sites, so I would recommend adding them to the HijackThis fix below (all the O15 - Trusted Zone entries).

Please open HijackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsear...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsear...earch.php?qq=%1

Now close all windows and browsers other than HijackThis, then click Fix Checked.

Well, your computer does seem clean. Just to be sure:

Please run this online virus scan:
You will need to be using Microsoft Internet Explorer to do this scan: Link to ActiveScan
Click the "Scan Your PC" button in the middle of the page.
You will have to allow the installation of ActiveX controls.
You will have to enter a valid e-mail address.
Then click "My Computer" when it asks what you want to scan.
Save the report after the scan finishes (somewhere you can find it).

Copy the results of the ActiveScan and paste them here along with a new HijackThis log.

Also, we can try and speed up the PC a little. I see you know how to use msconfig :) So if you want, you can go back in there and uncheck the things you had unchecked before, if everything was working fine before.
You could probably also uncheck "SunJavaUpdateSched" and just check for updates yourself by going to Start > Control Panel > Java > Update tab > Update Now.
You could probably also uncheck "WinampAgent". This loads the system tray icon for the Winamp media player. It can be used to maintain file associations so programs like QuickTime and RealPlayer don't take over as the default player for various media types. You can uncheck this as long as you don't let other players associate your files to them (they usually ask before they do it).

And now, if you don't use Microsoft Messenger (I don't mean MSN Messenger), then you can uninstall it, because it can slow down the computer a little bit.
HERE is how you uninstall it:
Click the Start button > Control Panel > Add/Remove Programs > look on the left side and click the "Add/Remove Windows Components" button. Now scroll down to find Windows Messenger and uncheck it. Now click Next. That's it.
That will keep Microsoft Messenger from running at startup.

Also, did you buy Ewido Security Suite? If not, it is only a trial version and after 2 weeks it will expire. Be sure to uninstall it AFTER the 2-week trial is up.

Copy the results of the ActiveScan and paste them here along with a new HijackThis log.

Thanks, retrac :tazz:
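Reading the log by eye, as retrac does above, is the whole job here. As an added example (not code from the thread or from HijackThis itself), the Python below parses the HJT entry lines, separates O15 Trusted Zone sites from Trusted IP ranges, flags R1 search settings that point at an unexpected host, builds the check-list a helper would give, and diffs two logs to confirm a fix actually took effect. The two log excerpts are constructed from entries quoted in the thread; EXPECTED_SEARCH_HOSTS is an assumption for the demo, not an authoritative list.

```python
"""Triage a HijackThis 1.99 log the way a forum helper reads one.
Added example, not code from the thread or from HijackThis; the log excerpts
are constructed from entries quoted above and EXPECTED_SEARCH_HOSTS is an
assumption for the demo, not an authoritative list."""
import re
from urllib.parse import urlparse

# Every HJT entry line starts with a section tag (R1, F2, O4, O15 ...) then " - ".
LINE_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# Hosts a stock IE6 search setting is expected to use (assumption for the demo).
EXPECTED_SEARCH_HOSTS = {"search.msn.com", "auto.search.msn.com", "www.microsoft.com"}

# Constructed excerpt of the log posted before the R1 fix. The forum software
# shortened long URLs with "..."; those values are kept exactly as posted.
LOG_BEFORE_FIX = r"""
Logfile of HijackThis v1.99.1
Scan saved at 9:21:24 PM, on 11/21/2005
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.worldnet.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsear...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsear...earch.php?qq=%1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O15 - Trusted Zone: *.amazon.com
O15 - Trusted Zone: *.paypal.com
O15 - Trusted Zone: http://www.geekstogo.com
O15 - Trusted IP range: http://216.83.181.196
"""

# Constructed excerpt of a log taken after the two search entries were fixed.
LOG_AFTER_FIX = r"""
Logfile of HijackThis v1.99.1
Scan saved at 11:03:08 PM, on 11/23/2005
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.worldnet.att.net
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O15 - Trusted Zone: *.amazon.com
O15 - Trusted Zone: *.paypal.com
O15 - Trusted Zone: http://www.geekstogo.com
O15 - Trusted IP range: http://216.83.181.196
"""

def parse_hjt(text):
    """(section, body) pairs for each entry line; header lines and the
    'Running processes' paths never match the pattern and are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def o15_entries(entries):
    """Split O15 into trusted-zone sites and trusted IP ranges. Both get IE's
    'Trusted sites' security settings instead of the Internet zone's, which is
    why a helper wants every one of them reviewed."""
    sites, ranges = [], []
    for sec, body in entries:
        if sec == "O15":
            kind, _, value = body.partition(": ")
            (ranges if kind == "Trusted IP range" else sites).append(value)
    return sites, ranges

def search_hijacks(entries, expected_hosts=EXPECTED_SEARCH_HOSTS):
    """R1 Search/SearchURL entries whose host is not an expected search provider.
    Returns the entry bodies so they can be matched in HJT's fix list."""
    hits = []
    for sec, body in entries:
        if sec != "R1" or " = " not in body:
            continue
        key, value = body.split(" = ", 1)
        # Only ...\Search,* and ...\SearchURL,* values are search settings.
        if "Search" not in key.rsplit("\\", 1)[-1]:
            continue
        host = (urlparse(value).hostname or "").lower()
        if host not in expected_hosts:
            hits.append(body)
    return hits

def fix_list(entries):
    """Lines a helper would tell the poster to tick in HijackThis: search hijacks
    first, then every O15 entry, matching the order of the advice above."""
    lines = ["R1 - " + body for body in search_hijacks(entries)]
    lines += ["O15 - " + body for sec, body in entries if sec == "O15"]
    return lines

def diff_logs(old_text, new_text):
    """(added, removed) entries between two logs, header and process list
    ignored; run on the 'new HijackThis log' to confirm a fix took effect."""
    old, new = set(parse_hjt(old_text)), set(parse_hjt(new_text))
    return sorted(new - old), sorted(old - new)

if __name__ == "__main__":
    before = parse_hjt(LOG_BEFORE_FIX)
    sites, ranges = o15_entries(before)
    print(f"{len(sites)} trusted-zone sites, {len(ranges)} trusted IP range(s)")
    for line in fix_list(before):
        print("check in HJT:", line)
    print("gone after fix:", diff_logs(LOG_BEFORE_FIX, LOG_AFTER_FIX)[1])
```

The `...`-shortened search URL is flagged simply because its host is not on the expected list, which is exactly the reasoning a helper applies to an unfamiliar R1 value.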

#5 cartdave (Topic Starter)
Retrac,
1.) Everything in my trusted zone needs to be there to be able to fully use the sites, so I'm going to leave them the way they are, as long as they aren't hurting anything in my computer.

2.) As far as msconfig goes, I didn't make any notes on what I had turned off, so I'm kinda' screwed there unless I can find the website that spelled out what could be unchecked. :woot:

3.) So far I haven't been able to submit my computer to the scan, since the ActiveX controls won't download even though I have gone into Tools > Internet Options > Security > Trusted Sites > Custom Level and enabled the ActiveX options. :woot:

4.) I did uninstall Ewido Security Suite on your recommendation. :tazz:

So, I'm stuck until we can figure out the ActiveX thing.

Dave

PS - I figured out the ActiveX problem in #3, so I'll be posting the Panda scan log as soon as I get the time to do it. :)

O.K., here we go: It's interesting that yesterday I ran the Panda ActiveScan and it showed my computer to be clean. I ran it again today and it shows an infection!

Incident                   Status            Location
Adware:adware/virmaid      Not disinfected   Windows Registry
Adware:adware/secure32     Not disinfected   C:\WINDOWS\system32\drivers\etc\hosts


Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:03:08 PM, on 11/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atievxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Adaptec\EASYCD~2\CreateCD\CreateCD.exe
C:\Program Files\Netscape\Navigator\Program\netscape.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\GeeksToGo\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.worldnet.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = I'm listening, Lord....
F2 - REG:system.ini: Shell=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~2\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Add to Restricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: Add to Trusted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
O15 - Trusted Zone: *.accountonline.com
O15 - Trusted Zone: *.amazon.com
O15 - Trusted Zone: *.andale.com
O15 - Trusted Zone: *.apawood.org
O15 - Trusted Zone: http://uk.ask.com
O15 - Trusted Zone: *.autoworld.com
O15 - Trusted Zone: http://www.avonmotorcycle.com
O15 - Trusted Zone: *.bhccu.org
O15 - Trusted Zone: http://www.bidca-racing.com
O15 - Trusted Zone: http://pmj.bmjjournals.com
O15 - Trusted Zone: http://www1.boatersworld.com
O15 - Trusted Zone: *.boatersworld.com
O15 - Trusted Zone: http://*.byyb.org
O15 - Trusted Zone: *.cabelas.com
O15 - Trusted Zone: *.caloriesperhour.com
O15 - Trusted Zone: *.car-stuff.com
O15 - Trusted Zone: *.cdc.gov
O15 - Trusted Zone: http://*.certainteed.com
O15 - Trusted Zone: *.circletrack.com
O15 - Trusted Zone: *.clean-power.com
O15 - Trusted Zone: *.corel.com
O15 - Trusted Zone: *.customernation.com
O15 - Trusted Zone: *.cwc.ca
O15 - Trusted Zone: *.dannyg.com
O15 - Trusted Zone: *.daytonwirewheels.com
O15 - Trusted Zone: *.defactowireless.com
O15 - Trusted Zone: *.diybanter.com
O15 - Trusted Zone: *.dlink.com
O15 - Trusted Zone: *.dpreview.com
O15 - Trusted Zone: *.ebay.co.uk
O15 - Trusted Zone: *.ebay.com
O15 - Trusted Zone: *.explore-architecture.com
O15 - Trusted Zone: *.treesearch.fs.fed.us
O15 - Trusted Zone: *.flyinmiata.com
O15 - Trusted Zone: http://www.newmonaco.fsnet.co.uk
O15 - Trusted Zone: *.gateway.com
O15 - Trusted Zone: http://www.geekstogo.com
O15 - Trusted Zone: http://*.geekstogo.com
O15 - Trusted Zone: http://www.geocities.com
O15 - Trusted Zone: *.geocities.com
O15 - Trusted Zone: *.gobinet.se
O15 - Trusted Zone: *.grantcounty.org
O15 - Trusted Zone: *.grisoft.com
O15 - Trusted Zone: *.grisoft.cz
O15 - Trusted Zone: *.halls.md
O15 - Trusted Zone: *.harborfreight.com
O15 - Trusted Zone: *.channing.harvard.edu
O15 - Trusted Zone: *.hedbergpubliclibrary.org
O15 - Trusted Zone: *.hellenbrand.com
O15 - Trusted Zone: *.hellenbrandwatercenter.com
O15 - Trusted Zone: *.hewitt.com
O15 - Trusted Zone: *.historiclotusregister.co.uk
O15 - Trusted Zone: *.homedepot.com
O15 - Trusted Zone: *.fairpark.homestead.com
O15 - Trusted Zone: *.mcsccpix.homestead.com
O15 - Trusted Zone: http://powersports.honda.com
O15 - Trusted Zone: *.honda.com
O15 - Trusted Zone: *.iedls.com
O15 - Trusted Zone: *.infinitemarketplace.com
O15 - Trusted Zone: http://www.innerbody.com
O15 - Trusted Zone: *.intellicast.com
O15 - Trusted Zone: *.intersil.com
O15 - Trusted Zone: *.janesvilleclassifieds.com
O15 - Trusted Zone: *.jascoproducts.com
O15 - Trusted Zone: *.java.com
O15 - Trusted Zone: *.jcwhitney.com
O15 - Trusted Zone: *.kinyo.com
O15 - Trusted Zone: http://webpac.als.lib.wi.us
O15 - Trusted Zone: http://www.loralskynet.com
O15 - Trusted Zone: *.lotusclassiccars.com
O15 - Trusted Zone: http://homepage.mac.com
O15 - Trusted Zone: http://www.madisonchildrensmuseum.org
O15 - Trusted Zone: *.mapquest.com
O15 - Trusted Zone: *.marineengine.com
O15 - Trusted Zone: *.mcmaster.com
O15 - Trusted Zone: http://www.mcsorley.net
O15 - Trusted Zone: *.menards.com
O15 - Trusted Zone: *.meshsandbox.com
O15 - Trusted Zone: *.michigan.org
O15 - Trusted Zone: *.michigandnr.com
O15 - Trusted Zone: http://*.missvickie.com
O15 - Trusted Zone: *.motionindustries.com
O15 - Trusted Zone: http://by18fd.bay18.hotmail.msn.com
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.mvps.org
O15 - Trusted Zone: http://www.mwsint.com
O15 - Trusted Zone: *.mwsint.com
O15 - Trusted Zone: *.mylincolnelectric.com
O15 - Trusted Zone: *.mytopo.com
O15 - Trusted Zone: http://www.napaonline.com
O15 - Trusted Zone: *.napaonline.com
O15 - Trusted Zone: *.ncbi.nlm.nih.gov
O15 - Trusted Zone: *.nlm.nih.gov
O15 - Trusted Zone: http://*.not2fast.com
O15 - Trusted Zone: http://www.nrel.gov
O15 - Trusted Zone: *.nynphotoschool.com
O15 - Trusted Zone: *.orinocowireless.com
O15 - Trusted Zone: *.owenscorning.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: *.partsexpress.com
O15 - Trusted Zone: *.passport.com
O15 - Trusted Zone: *.passport.net
O15 - Trusted Zone: *.paypal.com
O15 - Trusted Zone: *.pegasusautoracing.com
O15 - Trusted Zone: http://*.peltiertech.com
O15 - Trusted Zone: *.popularhotrodding.com
O15 - Trusted Zone: http://www.powersportspro.com
O15 - Trusted Zone: *.rockprairie.presbychurch.net
O15 - Trusted Zone: http://www.proxim.com
O15 - Trusted Zone: http://dsr.racer.net
O15 - Trusted Zone: http://www.radiologyinfo.org
O15 - Trusted Zone: *.radioshack.com
O15 - Trusted Zone: *.reserveamerica.com
O15 - Trusted Zone: *.ridgidrepair.com
O15 - Trusted Zone: http://www.risingconcepts.com
O15 - Trusted Zone: http://www.roxio.com
O15 - Trusted Zone: http://www.rqriley.com
O15 - Trusted Zone: http://*.rsracing.com
O15 - Trusted Zone: *.rst-v8.com
O15 - Trusted Zone: *.ryobitools.com
O15 - Trusted Zone: *.samaritanspurse.org
O15 - Trusted Zone: *.sears.com
O15 - Trusted Zone: http://*.seattlewireless.net
O15 - Trusted Zone: *.securepaynet.com
O15 - Trusted Zone: *.securepaynet.net
O15 - Trusted Zone: *.secureserver.net
O15 - Trusted Zone: *.sitebuildingtools.com
O15 - Trusted Zone: http://www*.skf.com
O15 - Trusted Zone: *.skf.com
O15 - Trusted Zone: *.smallengineadvisor.com
O15 - Trusted Zone: *.socialsecurity.gov
O15 - Trusted Zone: http://www.sonic.com
O15 - Trusted Zone: *.speedtv.com
O15 - Trusted Zone: *.ssa.gov
O15 - Trusted Zone: *.dnr.state.mi.us
O15 - Trusted Zone: *.salestax.dor.state.wi.us
O15 - Trusted Zone: http://*.stockcarracing.com
O15 - Trusted Zone: *.tamiya.com
O15 - Trusted Zone: *.ticon.net
O15 - Trusted Zone: *.timken.com
O15 - Trusted Zone: *.tinytears.cc
O15 - Trusted Zone: *.tinyurl.com
O15 - Trusted Zone: *.tirerack.com
O15 - Trusted Zone: http://www.treasureofeast.com
O15 - Trusted Zone: *.trendmicro.com
O15 - Trusted Zone: *.triking.co.uk
O15 - Trusted Zone: *.turnpoint.net
O15 - Trusted Zone: *.unclebobsmusic.com
O15 - Trusted Zone: *.srs.fs.usda.gov
O15 - Trusted Zone: *.usps.com
O15 - Trusted Zone: http://aiw1.uspto.gov
O15 - Trusted Zone: http://www.usr.com
O15 - Trusted Zone: *.vh.org
O15 - Trusted Zone: *.virtuallyignorant.com
O15 - Trusted Zone: *.walnecks.com
O15 - Trusted Zone: *.wastemanagement.com
O15 - Trusted Zone: http://www.watertownliving.com
O15 - Trusted Zone: http://www.wavjunky.com
O15 - Trusted Zone: http://radar.weather.gov
O15 - Trusted Zone: *.winamp.com
O15 - Trusted Zone: http://Download.windowsupdate.com
O15 - Trusted Zone: *.windowsupdate.com
O15 - Trusted Zone: *.wirelessconnections.net
O15 - Trusted Zone: *.grp.yahoofs.com
O15 - Trusted IP range: http://216.83.181.196
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117251017214
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

I guess I'd better purge the software I downloaded today!!! :) But I'll wait until I hear from you to do anything.

Thanks,
Dave

Edited by cartdave, 23 November 2005 - 11:14 PM.

#6 retrac (Visiting Staff)
Hey Dave :)

Well, it seems you got most everything done there :) I see you went back to msconfig and figured out which ones you had unchecked before :woot:
Also it appears you did uninstall Microsoft's Windows Messenger (if so, then you can fix the entries below with HijackThis):

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


Now, I would like for you to navigate to C:\WINDOWS\system32\drivers\etc\hosts and write down the names of all the files in that folder, and post them here.


Let's try a different online scan:
Please run an online virus scan at TrendMicro. Save the report from this scan and post it in your next reply.



Please make a NEW HijackThis log and post it in your next reply, along with the trendmicro scan report and the names of the files in your "hosts" folder.



Thanks retrac :tazz:

#7 cartdave (Topic Starter)
Hi retrac,
The Trend Micro Housecall scan showed no threats detected; no viruses, no trojans or worms.

My hosts file is so long that it won't fit in the post! I download it from http://www.mvps.org/...p2002/hosts.htm and it's up to date. :)

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:33:37 PM, on 11/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Adaptec\EASYCD~2\CreateCD\CreateCD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\GeeksToGo\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.worldnet.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = I'm listening, Lord....
F2 - REG:system.ini: Shell=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~2\CreateCD\CreateCD.exe -r
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Add to Restricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: Add to Trusted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
O15 - Trusted Zone: *.accountonline.com
O15 - Trusted Zone: *.amazon.com
O15 - Trusted Zone: *.andale.com
O15 - Trusted Zone: *.apawood.org
O15 - Trusted Zone: http://uk.ask.com
O15 - Trusted Zone: *.autoworld.com
O15 - Trusted Zone: http://www.avonmotorcycle.com
O15 - Trusted Zone: *.bhccu.org
O15 - Trusted Zone: http://www.bidca-racing.com
O15 - Trusted Zone: http://pmj.bmjjournals.com
O15 - Trusted Zone: http://www1.boatersworld.com
O15 - Trusted Zone: *.boatersworld.com
O15 - Trusted Zone: http://*.byyb.org
O15 - Trusted Zone: *.cabelas.com
O15 - Trusted Zone: *.caloriesperhour.com
O15 - Trusted Zone: *.car-stuff.com
O15 - Trusted Zone: *.cdc.gov
O15 - Trusted Zone: http://*.certainteed.com
O15 - Trusted Zone: *.circletrack.com
O15 - Trusted Zone: *.clean-power.com
O15 - Trusted Zone: *.corel.com
O15 - Trusted Zone: *.customernation.com
O15 - Trusted Zone: *.cwc.ca
O15 - Trusted Zone: *.dannyg.com
O15 - Trusted Zone: *.daytonwirewheels.com
O15 - Trusted Zone: *.defactowireless.com
O15 - Trusted Zone: *.diybanter.com
O15 - Trusted Zone: *.dlink.com
O15 - Trusted Zone: *.dpreview.com
O15 - Trusted Zone: *.ebay.co.uk
O15 - Trusted Zone: *.ebay.com
O15 - Trusted Zone: *.explore-architecture.com
O15 - Trusted Zone: *.treesearch.fs.fed.us
O15 - Trusted Zone: *.flyinmiata.com
O15 - Trusted Zone: http://www.newmonaco.fsnet.co.uk
O15 - Trusted Zone: *.gateway.com
O15 - Trusted Zone: http://www.geekstogo.com
O15 - Trusted Zone: http://*.geekstogo.com
O15 - Trusted Zone: http://www.geocities.com
O15 - Trusted Zone: *.geocities.com
O15 - Trusted Zone: *.gobinet.se
O15 - Trusted Zone: *.grantcounty.org
O15 - Trusted Zone: *.grisoft.com
O15 - Trusted Zone: *.grisoft.cz
O15 - Trusted Zone: *.halls.md
O15 - Trusted Zone: *.harborfreight.com
O15 - Trusted Zone: *.channing.harvard.edu
O15 - Trusted Zone: *.hedbergpubliclibrary.org
O15 - Trusted Zone: *.hellenbrand.com
O15 - Trusted Zone: *.hellenbrandwatercenter.com
O15 - Trusted Zone: *.hewitt.com
O15 - Trusted Zone: *.historiclotusregister.co.uk
O15 - Trusted Zone: *.homedepot.com
O15 - Trusted Zone: *.fairpark.homestead.com
O15 - Trusted Zone: *.mcsccpix.homestead.com
O15 - Trusted Zone: http://powersports.honda.com
O15 - Trusted Zone: *.honda.com
O15 - Trusted Zone: *.iedls.com
O15 - Trusted Zone: *.infinitemarketplace.com
O15 - Trusted Zone: http://www.innerbody.com
O15 - Trusted Zone: *.intellicast.com
O15 - Trusted Zone: *.intersil.com
O15 - Trusted Zone: *.janesvilleclassifieds.com
O15 - Trusted Zone: *.jascoproducts.com
O15 - Trusted Zone: *.java.com
O15 - Trusted Zone: *.jcwhitney.com
O15 - Trusted Zone: *.kinyo.com
O15 - Trusted Zone: http://webpac.als.lib.wi.us
O15 - Trusted Zone: http://www.loralskynet.com
O15 - Trusted Zone: *.lotusclassiccars.com
O15 - Trusted Zone: http://homepage.mac.com
O15 - Trusted Zone: http://www.madisonchildrensmuseum.org
O15 - Trusted Zone: *.mapquest.com
O15 - Trusted Zone: *.marineengine.com
O15 - Trusted Zone: *.mcmaster.com
O15 - Trusted Zone: http://www.mcsorley.net
O15 - Trusted Zone: *.menards.com
O15 - Trusted Zone: *.meshsandbox.com
O15 - Trusted Zone: *.michigan.org
O15 - Trusted Zone: *.michigandnr.com
O15 - Trusted Zone: http://*.missvickie.com
O15 - Trusted Zone: *.motionindustries.com
O15 - Trusted Zone: http://by18fd.bay18.hotmail.msn.com
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.mvps.org
O15 - Trusted Zone: http://www.mwsint.com
O15 - Trusted Zone: *.mwsint.com
O15 - Trusted Zone: *.mylincolnelectric.com
O15 - Trusted Zone: *.mytopo.com
O15 - Trusted Zone: http://www.napaonline.com
O15 - Trusted Zone: *.napaonline.com
O15 - Trusted Zone: *.ncbi.nlm.nih.gov
O15 - Trusted Zone: *.nlm.nih.gov
O15 - Trusted Zone: http://*.not2fast.com
O15 - Trusted Zone: http://www.nrel.gov
O15 - Trusted Zone: *.nynphotoschool.com
O15 - Trusted Zone: *.orinocowireless.com
O15 - Trusted Zone: *.owenscorning.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: *.partsexpress.com
O15 - Trusted Zone: *.passport.com
O15 - Trusted Zone: *.passport.net
O15 - Trusted Zone: *.paypal.com
O15 - Trusted Zone: *.pegasusautoracing.com
O15 - Trusted Zone: http://*.peltiertech.com
O15 - Trusted Zone: *.popularhotrodding.com
O15 - Trusted Zone: http://www.powersportspro.com
O15 - Trusted Zone: *.rockprairie.presbychurch.net
O15 - Trusted Zone: http://www.proxim.com
O15 - Trusted Zone: http://dsr.racer.net
O15 - Trusted Zone: http://www.radiologyinfo.org
O15 - Trusted Zone: *.radioshack.com
O15 - Trusted Zone: *.reserveamerica.com
O15 - Trusted Zone: *.ridgidrepair.com
O15 - Trusted Zone: http://www.risingconcepts.com
O15 - Trusted Zone: http://www.roxio.com
O15 - Trusted Zone: http://www.rqriley.com
O15 - Trusted Zone: http://*.rsracing.com
O15 - Trusted Zone: *.rst-v8.com
O15 - Trusted Zone: *.ryobitools.com
O15 - Trusted Zone: *.samaritanspurse.org
O15 - Trusted Zone: *.sears.com
O15 - Trusted Zone: http://*.seattlewireless.net
O15 - Trusted Zone: *.securepaynet.com
O15 - Trusted Zone: *.securepaynet.net
O15 - Trusted Zone: *.secureserver.net
O15 - Trusted Zone: *.sitebuildingtools.com
O15 - Trusted Zone: http://www*.skf.com
O15 - Trusted Zone: *.skf.com
O15 - Trusted Zone: *.smallengineadvisor.com
O15 - Trusted Zone: *.socialsecurity.gov
O15 - Trusted Zone: http://www.sonic.com
O15 - Trusted Zone: *.speedtv.com
O15 - Trusted Zone: *.ssa.gov
O15 - Trusted Zone: *.dnr.state.mi.us
O15 - Trusted Zone: *.salestax.dor.state.wi.us
O15 - Trusted Zone: http://*.stockcarracing.com
O15 - Trusted Zone: *.tamiya.com
O15 - Trusted Zone: *.ticon.net
O15 - Trusted Zone: *.timken.com
O15 - Trusted Zone: *.tinytears.cc
O15 - Trusted Zone: *.tinyurl.com
O15 - Trusted Zone: *.tirerack.com
O15 - Trusted Zone: http://www.treasureofeast.com
O15 - Trusted Zone: *.trendmicro.com
O15 - Trusted Zone: *.triking.co.uk
O15 - Trusted Zone: *.turnpoint.net
O15 - Trusted Zone: *.unclebobsmusic.com
O15 - Trusted Zone: *.srs.fs.usda.gov
O15 - Trusted Zone: *.usps.com
O15 - Trusted Zone: http://aiw1.uspto.gov
O15 - Trusted Zone: http://www.usr.com
O15 - Trusted Zone: *.vh.org
O15 - Trusted Zone: *.virtuallyignorant.com
O15 - Trusted Zone: *.walnecks.com
O15 - Trusted Zone: *.wastemanagement.com
O15 - Trusted Zone: http://www.watertownliving.com
O15 - Trusted Zone: http://www.wavjunky.com
O15 - Trusted Zone: http://radar.weather.gov
O15 - Trusted Zone: *.winamp.com
O15 - Trusted Zone: http://Download.windowsupdate.com
O15 - Trusted Zone: *.windowsupdate.com
O15 - Trusted Zone: *.wirelessconnections.net
O15 - Trusted Zone: *.grp.yahoofs.com
O15 - Trusted IP range: http://216.83.181.196
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117251017214
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe


So, there it is. What do you think? By the way, did you eat too much turkey yesterday? :tazz:

Thanks,
Dave

Edited by cartdave, 25 November 2005 - 03:15 PM.

#8 retrac (Visiting Staff)
Hey Dave :woot: Yes, I did eat too much turkey, hehe :woot:


Well, your log is clean :tazz: Are you having any trouble? How is everything running?


Actually, I was just wondering what the files in the "etc" folder were. My bad.
I use the MVPS hosts file also :woot:


I want you to try something for me if you want... Try using Firefox as your internet browser. You can download it from the link in my signature :P It will let you move all your Favorites from Internet Explorer over to Firefox. Try using this to go to those sites that you have to let be a Trusted Site. If it works for most/all the sites, then remove them from your trusted site zone with HijackThis. (I know for a fact that accountonline.com (Citibank) requires you to use Microsoft Internet Explorer, but that is the only site besides Windows Update that I have to use Internet Explorer on.) Firefox is a safer internet browser!

It appears you have SpywareBlaster... am I correct? If you don't, download it from the link in my signature. Update it and enable all protection :P


So is Spybot S&D finding anything? That virmaid is just left over from one of the infections you had and is useless without its counterparts :)
The secure32/Host thing that Panda found is a little strange... I'm going to look into that :P

Go ahead and try the things above and let me know how it went, and we can finish with the final steps of cleaning up your PC.

Thanks retrac :)

#9 cartdave (Topic Starter)
Hey retrac,
My computer seems to be running OK, but I ran Spybot S&D and it said I had "Windows Active Desktop" and "Smitfraud-c"! It was able to remove the Windows Active Desktop but not Smitfraud. Basically, I'm right where I was when I first started this thread.... :)

Yes I have spyware blaster and it's up to date. I'm going to hold off on Firefox for a while. I've got IE set up pretty well for protection and updates, so I don't see any compelling reason to switch right now. :woot:

This Smitfraud thing has really got me bamboozled. :tazz: Any more thoughts? :)

Dave

#10 retrac (Visiting Staff)
Hi Dave :) We will get this, don't get discouraged :)

First, you should know that by putting a website in your Trusted Zone you are allowing that site to install whatever software it wants, without your approval or even a notification, whenever it wants.
Why is it you have to allow them to be trusted in order to use those sites? I'm guessing you have set your security real high on everything but these sites. Firefox could eliminate the need for that :woot: Hehe, OK, I'll give up :tazz:


Next
Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.



Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Do Not run it Yet
We will use this Program LATER



If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-awareSE and do a full scan. Remove all it finds.



Now start Ewido
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis log, the contents of smitfiles.txt and the Ewido log in your next reply.
Let us know if any problems persist.



Thanks
retrac :woot:
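As an added example (not from the thread, and not part of HijackThis), here is a small Python script that reads the O15 Trusted Zone section in the log format Dave posted, separates entries limited to one scheme from the all-protocol wildcards, picks out any trusted IP range, and notes whether the one-click "Add to Trusted Zone" button is installed. The sample log is constructed from a handful of the lines above.

```python
"""Triage the O15 (Trusted Zone) section of a HijackThis 1.99 log.

Added example; the sample log below is constructed from a few lines in the
thread and is not a real machine's complete log.
"""
import re
from collections import Counter

# Constructed sample in the log format shown in the thread.
SAMPLE_LOG = r"""
O9 - Extra button: Add to Trusted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
O15 - Trusted Zone: *.amazon.com
O15 - Trusted Zone: http://www.geekstogo.com
O15 - Trusted Zone: http://*.geekstogo.com
O15 - Trusted Zone: *.tinyurl.com
O15 - Trusted Zone: *.windowsupdate.com
O15 - Trusted IP range: http://216.83.181.196
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
O15_RE = re.compile(r"^Trusted (?P<kind>Zone|IP range): (?P<value>\S+)$")


def parse_hjt(text):
    """Return (section, body) pairs for every 'Oxx - ...' line in the log."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def trusted_entries(entries):
    """Turn O15 lines into (kind, scheme, host) tuples.

    HijackThis prints the ZoneMap protocol as a URL scheme when the entry is
    limited to one protocol ('http://www.geekstogo.com'). An entry with no
    scheme ('*.amazon.com') is trusted over every protocol, and the leading
    '*.' covers every subdomain as well.
    """
    result = []
    for section, body in entries:
        if section != "O15":
            continue
        m = O15_RE.match(body)
        if not m:
            continue
        scheme, sep, host = m.group("value").partition("://")
        if not sep:  # no scheme in the log line: trusted over all protocols
            scheme, host = "*", m.group("value")
        result.append((m.group("kind"), scheme, host))
    return result


def summarise(text):
    """Counts and findings a helper would want before advising on the log."""
    entries = parse_hjt(text)
    trusted = trusted_entries(entries)
    all_protocol = [h for k, s, h in trusted if s == "*" and h.startswith("*.")]
    ip_ranges = [h for k, s, h in trusted if k == "IP range"]
    # The O9 webzone.dll button adds the current site to the zone from the
    # toolbar, which is worth knowing when the O15 list is this long.
    one_click = any(s == "O9" and "Add to Trusted Zone" in b for s, b in entries)
    return {
        "sections": dict(Counter(s for s, _ in entries)),
        "trusted_count": len(trusted),
        "all_protocol_wildcards": all_protocol,
        "trusted_ip_ranges": ip_ranges,
        "one_click_trusted_button": one_click,
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    print(f"{report['trusted_count']} Trusted Zone entries; "
          f"{len(report['all_protocol_wildcards'])} all-protocol wildcards; "
          f"IP ranges: {report['trusted_ip_ranges']}")
```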