Options
Please Help... Smitfraud.c Trojan Spy
Hi Wonderful People at Short Media, 
I just found your website from google, and I cant believe that people do this because they enjoy it, I can understand the helping people part, but for me this is extreme torture :bawling: , and trust me when I say that I cant thank you enough
.... that said....
I am using someone elses computer, my aunt's and shes quite tempermental :bawling: .... somehow I managed to download this Smitfraud Trojan... its my first Trojan, at home I have never had this type of prob. and I followed some of the instructions given to other members on this site, it seems that none of the programs that are supposed to get removed are there and when I installed Hijackthis, the things that need to be fixed (according to the post Smitfraud Trojan - attempting to help) are not even there....
Dont know what to do
, maybe you all can help me....
I am in Israel... so my timing may be terrible, but am willing to wait all night for an answer considering i face certain death tomorrow morning.... :bawling:
Here is the log from Hiijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 05:46:19, on 20/06/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\HE-IL\MSNAPPAU.EXE
C:\PROGRAM FILES\SKYPE\PHONE\SKYPE.EXE
C:\WINDOWS\תפריט התחלה\תוכניות\הפעלה\PALSTART.EXE
C:\PROGRAM FILES\WEBSECUREALERT\WEBSECUREALERT.EXE
C:\MY DOCUMENTS\הקבצים שלי שהתקבלו\SLAVE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINRAR\WINRAR.EXE
C:\WINDOWS\TEMP\RAR$EX44.536\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.il/0SEHEIL/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shin1.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.walla.co.il
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://o.walla.co.il/?w=/@ie/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.il/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\HE-IL\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\HE-IL\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\he-il\msnappau.exe"
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [RA Server] C:\WINDOWS\Slave.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\SYSTEM\hookdump.exe
O4 - Startup: Watch.lnk = C:\Program Files\DC Series 1\Console\Watch.exe
O4 - Startup: palstart.exe
O4 - Startup: WebSecureAlert.lnk = C:\Program Files\WebSecureAlert\WebSecureAlert.exe
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.walla.co.il
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} (LauncherV1 Class) - http://chat-basic.nana.co.il/Cabs/launcher.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.166.110/freehost/jonh/s1//q.chm::/file.exe
I dont know if any of this helps... bu the soonest reply would be amazing....
Thank You...
NJoyit (Joy)
I just found your website from google, and I cant believe that people do this because they enjoy it, I can understand the helping people part, but for me this is extreme torture :bawling: , and trust me when I say that I cant thank you enough
.... that said....I am using someone elses computer, my aunt's and shes quite tempermental :bawling: .... somehow I managed to download this Smitfraud Trojan... its my first Trojan, at home I have never had this type of prob. and I followed some of the instructions given to other members on this site, it seems that none of the programs that are supposed to get removed are there and when I installed Hijackthis, the things that need to be fixed (according to the post Smitfraud Trojan - attempting to help) are not even there....
Dont know what to do
, maybe you all can help me....I am in Israel... so my timing may be terrible, but am willing to wait all night for an answer considering i face certain death tomorrow morning.... :bawling:
Here is the log from Hiijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 05:46:19, on 20/06/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\HE-IL\MSNAPPAU.EXE
C:\PROGRAM FILES\SKYPE\PHONE\SKYPE.EXE
C:\WINDOWS\תפריט התחלה\תוכניות\הפעלה\PALSTART.EXE
C:\PROGRAM FILES\WEBSECUREALERT\WEBSECUREALERT.EXE
C:\MY DOCUMENTS\הקבצים שלי שהתקבלו\SLAVE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINRAR\WINRAR.EXE
C:\WINDOWS\TEMP\RAR$EX44.536\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.il/0SEHEIL/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shin1.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.walla.co.il
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://o.walla.co.il/?w=/@ie/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.il/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\HE-IL\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\HE-IL\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\he-il\msnappau.exe"
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [RA Server] C:\WINDOWS\Slave.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\SYSTEM\hookdump.exe
O4 - Startup: Watch.lnk = C:\Program Files\DC Series 1\Console\Watch.exe
O4 - Startup: palstart.exe
O4 - Startup: WebSecureAlert.lnk = C:\Program Files\WebSecureAlert\WebSecureAlert.exe
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.walla.co.il
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} (LauncherV1 Class) - http://chat-basic.nana.co.il/Cabs/launcher.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.166.110/freehost/jonh/s1//q.chm::/file.exe
I dont know if any of this helps... bu the soonest reply would be amazing....
Thank You...
NJoyit (Joy)
0
Comments
Press the button 'save list'. It will open a Notepad file. Place the content of that file here in your in your next post along with a new hijackthis log.
I really appreciate you spending time on this...
Here is the info you requested...
Please let me know if you need more info...
Thank You
Ad-Aware SE Personal
Adobe Acrobat 5.0
AVG Free Edition
Blaze Media Pro
Chinese (Traditional) Language Support
DC Series 1
DivX User Guide
GamesGrid Gin
Hebrew Kazaa Lite 2.6
HijackThis 1.99.1
ICQ 4.1
Internet Update
Maddog Mirc 3.2
Microsoft Internet Explorer 6 SP1 and Internet Tools
Microsoft Outlook Express 6
Microsoft Windows Media Player 6.4
mIRC
MSN Messenger 7.0
MSN Toolbar
NetMeeting 3.01
ONLY-PERFECT-EXISTENCE
Paltalk Messenger
Paltalk Messenger Interop
Play65
PSGuard
SiS Multimedia V1.32
Skype 1.2
Sound'Em 1.0
Spybot - Search & Destroy 1.3
SpyCQ v1.6c
Terayon DOCSIS Modem
Trojan Remover 6.0.3
WebSecureAlert
WinRAR archiver
Logfile of HijackThis v1.99.1
Scan saved at 02:51:59, on 21/06/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\HE-IL\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\HOOKDUMP.EXE
C:\PROGRAM FILES\DC SERIES 1\CONSOLE\WATCH.EXE
C:\PROGRAM FILES\WEBSECUREALERT\WEBSECUREALERT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TEMP\RAR$EX02.366\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.il/0SEHEIL/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shin1.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.walla.co.il
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://o.walla.co.il/?w=/@ie/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.il/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\HE-IL\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\HE-IL\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\he-il\msnappau.exe"
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\SYSTEM\hookdump.exe
O4 - Startup: Watch.lnk = C:\Program Files\DC Series 1\Console\Watch.exe
O4 - Startup: palstart.exe
O4 - Startup: WebSecureAlert.lnk = C:\Program Files\WebSecureAlert\WebSecureAlert.exe
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.walla.co.il
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} (LauncherV1 Class) - http://chat-basic.nana.co.il/Cabs/launcher.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.166.110/freehost/jonh/s1//q.chm::/file.exe
Then I want you to fix some of those entries. Please do the following:
Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:
Security IGuard
Virtual Maid
Search Maid
PSGuard
Exit Add/Remove Programs.
Make sure that you can VIEW ALL HIDDEN FILES.
Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\SYSTEM\hookdump.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.166.110/freehost/jonh/s1//q.chm::/file.exe
Reboot your computer into SAFE MODE
Then delete these files or directories (Do not be concerned if they do not exist)
C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\WINDOWS\SYSTEM\wldr.dll
C:\WINDOWS\SYSTEM\helper.exe
C:\WINDOWS\SYSTEM\intmon.exe
C:\WINDOWS\SYSTEM\intmonp.exe
C:\WINDOWS\SYSTEM\msmsgs.exe
C:\WINDOWS\SYSTEM\ole32vbs.exe
C:\WINDOWS\SYSTEM\msole32.exe
C:\WINDOWS\SYSTEM\shnlog.exe
C:\WINDOWS\SYSTEM\oleadm.dll
C:\WINDOWS\SYSTEM\hookdump.exe
C:\WINDOWS\SYSTEM\Log Files
C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Program Files\Security IGuard
C:\Program Files\PSGuard
Reboot your computer to go back to normal mode.
Once you have rebooted please post a new hijackthis log.
Well I did all you said, only one bump in the road, file directory:
C:\WINDOWS\SYSTEM\oleadm.dll
It wont let me delete it, I get an error message in Hebrew that loosly translated says that," You cannot erase this file, it is a stored on windows operating system"
Sorry about the bad translation....
I still have a blue screen though...
Please let me know if there is somthing else I can do.
Thank You so much for your time....
Njoyit
Logfile of HijackThis v1.99.1
Scan saved at 04:05:06, on 22/06/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\HE-IL\MSNAPPAU.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\SKYPE\PHONE\SKYPE.EXE
C:\PROGRAM FILES\DC SERIES 1\CONSOLE\WATCH.EXE
C:\WINDOWS\תפריט התחלה\תוכניות\הפעלה\PALSTART.EXE
C:\PROGRAM FILES\WEBSECUREALERT\WEBSECUREALERT.EXE
C:\WINDOWS\שולחן עבודה\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.il/0SEHEIL/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shin1.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.walla.co.il
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://o.walla.co.il/?w=/@ie/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.il/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\HE-IL\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\HE-IL\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\he-il\msnappau.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Watch.lnk = C:\Program Files\DC Series 1\Console\Watch.exe
O4 - Startup: palstart.exe
O4 - Startup: WebSecureAlert.lnk = C:\Program Files\WebSecureAlert\WebSecureAlert.exe
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.walla.co.il
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} (LauncherV1 Class) - http://chat-basic.nana.co.il/Cabs/launcher.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
Open HijackThis, press the Open Misc. Tools section button, and press Delete a file on reboot ... , select the file, press Open and Yes to confirm.
Delete this file:
C:\WINDOWS\SYSTEM\oleadm.dll
Are you still having problems?
And I still have the same blue screen.... but the computer isnt slower then usual or anything on the bright side...
Just freezes a little more then usual...
http://www.downloads.subratam.org/KillBox.zip
Open Killbox and select the Delete on reboot option.
Copy and paste the following file to the field labeled "Full path of file to delete"
C:\WINDOWS\SYSTEM\oleadm.dll
Press the Delete button (the button that looks like a red circle with a white X in it).
A first dialog box will ask if you want to delete the file on reboot, press the YES button.
A second dialog box will ask you if you want to REBOOT now. Press the YES button.
Your computer will reboot.
===============
Download the following reg file to your desktop by right clicking on the link, and selecting save as.
http://www.bleepingcomputer.com/files/reg/smitfraud.reg
Once it has downloaded, double-click on the smitfraud.reg file on your desktop and when it asks if you would like to merge the data, click on the Yes button. Then reboot your computer.
==============
Once you have rebooted please run this online virus scan.
Panda Virus Scan
There may be files that the virus scan will not remove. Please include that information in your next post.
Reboot once more and post a new hijackthis log and the info from your virus scan.
Let me know, I really appreciate how fast you have been in your replies... I wish you knew how much...
Njoyit
Incident Status Location
Adware:Adware/Gator No disinfected C:\PROGRAM FILES\WEBSECUREALERT\WEBSECUREALERT.EXE
Adware:Adware/Gator No disinfected C:\PROGRAM FILES\WEBSECUREALERT\WSAHELPER.DLL
Adware:Adware/Gator No disinfected C:\WINDOWS\תפריט התחלה\תוכניות\הפעלה\WebSecureAlert.lnk
Adware:Adware/Gator No disinfected C:\Program Files\WebSecureAlert
Adware:Adware/KeenValue No disinfected Windows Registry
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\SYSTEM\wp.bmp
Possible Virus. No disinfected C:\WINDOWS\TEMP\ae3261\setup.zip[aircdll.dll]
Possible Virus. No disinfected C:\WINDOWS\TEMP\tmp21C1.TMP
Adware:Adware/Gator No disinfected C:\WINDOWS\תפריט התחלה\תוכניות\הפעלה\WebSecureAlert.lnk
Adware:Adware/Gator No disinfected C:\WINDOWS\תפריט התחלה\תוכניות\WebSecureAlert\WebSecureAlert.lnk
Adware:Adware/Gator No disinfected C:\WINDOWS\תפריט התחלה\תוכניות\WebSecureAlert\WebSecureAlert Website.lnk
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\uninstIU.exe
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\nlntdrch\pelpallj\jhaljlhp.exe
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\nlntdrch\nfdpltlnfr\bnanjpnlt.exe
Adware:Adware/Gator No disinfected C:\Program Files\WebSecureAlert\WSAHelper.dll
Adware:Adware/Gator No disinfected C:\Program Files\WebSecureAlert\WebSecureAlert.exe
Possible Virus. No disinfected C:\Walla_Maddog_3.2\Scripts\aircdll.dll
Virus:Bck/IRCFlood.V Disinfected C:\Walla_Maddog_3.2\Scripts\stdio.dll
Logfile of HijackThis v1.99.1
Scan saved at 06:27:10, on 24/06/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\HE-IL\MSNAPPAU.EXE
C:\PROGRAM FILES\SKYPE\PHONE\SKYPE.EXE
C:\PROGRAM FILES\DC SERIES 1\CONSOLE\WATCH.EXE
C:\WINDOWS\תפריט התחלה\תוכניות\הפעלה\PALSTART.EXE
C:\PROGRAM FILES\WEBSECUREALERT\WEBSECUREALERT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\שולחן עבודה\SMITFRAUD\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shin1.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.walla.co.il
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://o.walla.co.il/?w=/@ie/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.il/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\HE-IL\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\HE-IL\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\he-il\msnappau.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Watch.lnk = C:\Program Files\DC Series 1\Console\Watch.exe
O4 - Startup: palstart.exe
O4 - Startup: WebSecureAlert.lnk = C:\Program Files\WebSecureAlert\WebSecureAlert.exe
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.walla.co.il
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} (LauncherV1 Class) - http://chat-basic.nana.co.il/Cabs/launcher.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
C:\WINDOWS\SYSTEM\wp.bmp
C:\WINDOWS\uninstIU.exe
===================
Please download, install, and run Cleanup 4.0
http://cleanup.stevengould.org/
===================
Run Hijackthis. Click on "Open the Misc Tools section". Next click on "Open uninstall manager".
Press the button 'save list'. It will open a Notepad file. Place the content of that file here in your in your next post.
thank you AGAIN
I had another problem with my puter and thinking i didnt get another reply here posed a new thread in emergency problems... so i dont want to over lap you guys and I really appreciate all the help you all have given me...
If there is anything else i will check both threads....
ty
Njoyit
Ad-Aware SE Personal
Adobe Acrobat 5.0
AVG Free Edition
Blaze Media Pro
Chinese (Traditional) Language Support
CleanUp!
DC Series 1
DivX User Guide
GamesGrid Gin
Hebrew Kazaa Lite 2.6
HijackThis 1.99.1
ICQ 4.1
Internet Update
Maddog Mirc 3.2
Microsoft Internet Explorer 6 SP1 and Internet Tools
Microsoft Outlook Express 6
Microsoft Windows Media Player 6.4
mIRC
MSN Messenger 7.0
MSN Toolbar
NetMeeting 3.01
ONLY-PERFECT-EXISTENCE
Paltalk Messenger
Paltalk Messenger Interop
Play65
SiS Multimedia V1.32
Skype 1.2
Sound'Em 1.0
Spybot - Search & Destroy 1.3
SpyCQ v1.6c
Terayon DOCSIS Modem
Trojan Remover 6.0.3
WebSecureAlert
WinRAR archiver
דLogfile of HijackThis v1.99.1
Scan saved at 23:25:34, on 16/07/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\PALTALK MESSENGER\PALTALK8.EXE
C:\WINDOWS\שולחן עבודה\SMITFRAUD\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shin1.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.walla.co.il
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://o.walla.co.il/?w=/@ie/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.il/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\HE-IL\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\HE-IL\MSNTB.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.walla.co.il
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} (LauncherV1 Class) - http://chat-basic.nana.co.il/Cabs/launcher.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
- Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.
- Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
- Change the Download signed ActiveX controls to Prompt
- Change the Download unsigned ActiveX controls to Disable
- Change the Initialize and script ActiveX controls not marked as safe to Disable
- Change the Installation of desktop items to Prompt
- Change the Launching programs and files in an IFRAME to Prompt
- Change the Navigate sub-frames across different domains to Prompt
- When all these settings have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
- Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
- Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
- Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
- Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
- Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.
- Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.
- Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
- Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.You can find instructions on how to enable and reenable system restore here:
Managing Windows Millenium System Restore
or
Windows XP System Restore Guide
Renable system restore with instructions from tutorial above
See this link for a listing of some online & their stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources
For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls
A tutorial on installing & using this product can be found here:
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
A tutorial on installing & using this product can be found here:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware