smitfraud trojan

Please help with smitfraud removal; HJT log below. Thank you.


Logfile of HijackThis v1.99.1
Scan saved at 10:16:27 AM, on 9/20/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\msole32.exe
C:\WINNT\popuper.exe
C:\WINNT\system32\intmonp.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\wp.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\Documents and Settings\pcuser\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cofc.edu/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O1 - Hosts: 66.46.167.2 Domino1
O1 - Hosts: 66.46.167.2 as400.JABesner
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MSN Messenger] C:\WINNT\system32\msmsgs.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [WindowsFY] C:\wp.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {FD7B9EFA-2AF4-4CAC-8C62-3C78BDAD0C36} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FD7B9EFA-2AF4-4CAC-8C62-3C78BDAD0C36} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {45FA3E86-74D9-5ACB-E2A9-54664EDBE2F4} - http://216.118.71.185/1/rdgUS1828.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

Comments

  • Buckeye_Sam Columbus, Ohio
    edited April 2005
    Please remove these entries from Add/Remove Programs in the Control Panel(if present):

    Security IGuard


    Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
    O1 - Hosts: 66.46.167.2 Domino1
    O1 - Hosts: 66.46.167.2 as400.JABesner
    O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
    O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
    O4 - HKCU\..\Run: [WindowsFY] C:\wp.exe


    Reboot your computer into Safe Mode

    Then delete these files or directories (Do not be concerned if they do not exist):

    C:\wp.exe
    C:\WINDOWS\SYSTEM\Loader.dll
    C:\Program Files\Security iGuard


    Reboot your computer to go back to normal mode and post a new log.
  • edited April 2005
    I followed all the steps. Here's my new log. I'm still having problems with popups though. Thanks for all the help.

    Logfile of HijackThis v1.99.1
    Scan saved at 5:01:28 AM, on 9/29/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\msole32.exe
    C:\WINNT\popuper.exe
    C:\WINNT\system32\intmonp.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Documents and Settings\pcuser\Desktop\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cofc.edu/
    F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [MSN Messenger] C:\WINNT\system32\msmsgs.exe
    O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: Microsoft AntiSpyware helper - {FD7B9EFA-2AF4-4CAC-8C62-3C78BDAD0C36} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FD7B9EFA-2AF4-4CAC-8C62-3C78BDAD0C36} - (no file) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {45FA3E86-74D9-5ACB-E2A9-54664EDBE2F4} - http://216.118.71.185/1/rdgUS1828.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
  • Buckeye_Sam Columbus, Ohio
    edited April 2005
    Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

    Run Hijackthis and fix this line:

    F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe



    *IMPORTANT* Be sure you know how to VIEW HIDDEN FILES

    Press CTRL ALT DELETE to open Windows Task Manager. Click on the Processes tab and end the following processes:

    msole32.exe
    popuper.exe
    intmonp.exe


    Exit Task Manager.

    *Click Here to download Killbox by Option^Explicit.
    *Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
    *In the killbox program, select the Delete on Reboot option.
    *In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! I would just copy each file path and paste it in the field) MAKE SURE TO ENTER ALL FILE PATHS!:

    C:\wp.exe
    C:\wp.bmp
    C:\Windows\sites.ini
    C:\Windows\popuper.exe
    C:\WINDOWS\System32\wldr.dll
    C:\Windows\System32\helper.exe
    C:\Windows\System32\intmonp.exe
    C:\Windows\System32\msmsgs.exe
    C:\Windows\System32\ole32vbs.exe
    C:\Windows\system32\msole32.exe


    Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button; when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered, press the YES button at both prompts so that your computer restarts. If you receive an error message "PendingRenameOperation...." and your computer doesn't restart, please restart it manually.

    While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

    Make sure you can view hidden files.

    Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

    FOLDERS to delete (in bold) if found:

    C:\Program Files\Search Maid
    C:\Program Files\Virtual Maid
    C:\Windows\System32\Log Files <-WILL be there!
    C:\Program Files\Security IGuard

    Reboot into normal mode.

    *Download and install Registrar Lite version 2.00
    *Double click the purple Registrar Lite icon on your desktop.
    *Copy the line below and paste it into the "Address" field (located at the top) of the program:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

    *Click the "Go" button.
    *It will take you into the "Policies" folder.
    *Locate the "System" folder (in the right panel)
    *If found, right-click on the System folder and go to Delete
    *Be very careful that you only delete the System folder that is inside the Policies folder.

    Reboot your computer again.


    Run this online virus scan: ActiveScan - Save the results from the scan and post them in your next reply!

    Post a new HiJackThis log.
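The two helper posts above work by reading a HijackThis log, marking entries to fix, and then comparing a fresh log against the previous one. The following is an added example (written for this page, not code from the forum, from Buckeye_Sam, or from HijackThis itself) that automates that review: it parses HJT-style lines, applies a few review heuristics, and reports which flagged entries disappeared between a "before" and an "after" log. The sample lines are constructed from the first and last logs in this thread, and the indicator list is drawn from the file names the helper asked to have removed; the heuristics themselves (Shell= with more than explorer.exe, hosts overrides, "(file missing)" components, autoruns launched from the drive root, ActiveX downloads from a raw IP or a bare .exe) are this example's own assumptions, not rules HijackThis applies.

```python
"""Flag HijackThis entries that deserve review and diff two logs (added example)."""
import re

# Indicator strings taken from the files the helper in this thread had removed.
THREAD_INDICATORS = (
    "popuper.exe", "intmonp.exe", "msole32.exe", "wp.exe",
    "wldr.dll", "ole32vbs.exe", "helper.exe", "security iguard",
)

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.IGNORECASE)
IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)", re.IGNORECASE)

# Sample lines constructed from the thread's first and final logs.
BEFORE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cofc.edu/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O1 - Hosts: 66.46.167.2 Domino1
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [WindowsFY] C:\wp.exe
O16 - DPF: {45FA3E86-74D9-5ACB-E2A9-54664EDBE2F4} - http://216.118.71.185/1/rdgUS1828.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
"""

AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cofc.edu/
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O16 - DPF: {45FA3E86-74D9-5ACB-E2A9-54664EDBE2F4} - http://216.118.71.185/1/rdgUS1828.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
"""


def parse_entries(log_text):
    """Return (section, body) tuples for every HJT entry line; header/process lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def check_entry(section, body):
    """Return the list of reasons this entry deserves review (empty when none apply)."""
    reasons = []
    lowered = body.lower()
    idx = lowered.find("shell=")
    if section == "F2" and idx != -1:
        # system.ini Shell= should name explorer.exe and nothing else.
        shell_value = body[idx + len("shell="):]
        extra = [p.strip() for p in shell_value.split(",") if p.strip().lower() != "explorer.exe"]
        if extra:
            reasons.append("extra shell executable: " + ", ".join(extra))
    if section == "O1":
        reasons.append("hosts file override")
    if "(file missing)" in lowered:
        reasons.append("registered component whose file is missing")
    if section == "O4":
        # Run-key entries look like "[Name] target"; Global Startup lines have no bracket.
        target = body.split("] ", 1)[1].strip() if "] " in body else ""
        if ROOT_EXE_RE.match(target):
            reasons.append("autorun target sits in the drive root: " + target)
    if section == "O16":
        url = body.rsplit(" - ", 1)[-1].strip()
        if IP_URL_RE.match(url):
            reasons.append("ActiveX download from a raw IP address")
        if url.lower().endswith(".exe"):
            reasons.append("ActiveX download is a bare executable")
    for indicator in THREAD_INDICATORS:
        if indicator in lowered:
            reasons.append("names an indicator from this cleanup: " + indicator)
    return reasons


def flag_entries(log_text):
    """Return [(section, body, reasons)] for every entry with at least one reason."""
    flagged = []
    for section, body in parse_entries(log_text):
        reasons = check_entry(section, body)
        if reasons:
            flagged.append((section, body, reasons))
    return flagged


def resolved_flags(before_text, after_text):
    """Flagged entries from the earlier log that no longer appear in the later one."""
    remaining = set(parse_entries(after_text))
    return [(s, b, r) for s, b, r in flag_entries(before_text) if (s, b) not in remaining]


if __name__ == "__main__":
    for section, body, reasons in flag_entries(BEFORE_LOG):
        print(f"{section} - {body}\n    " + "; ".join(reasons))
    print(f"\nresolved between logs: {len(resolved_flags(BEFORE_LOG, AFTER_LOG))}")
    print(f"still flagged in the later log: {len(flag_entries(AFTER_LOG))}")
```

Run against the constructed logs, six of the eight "before" entries are flagged and five of those are gone from the "after" log. The one survivor is the O16 DPF entry fetching an .exe from a raw IP, which is still present in the final log the thread called clean; the heuristics only surface candidates, and a reviewer still decides entry by entry, as the posts above do.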
  • edited May 2005
    Thank you so much. I followed. It's much better, but I'm still getting Messenger service errors ("Registry to Alert"), though much more seldom now. Here are the new ActiveScan and HijackThis logs. Again, thanks.

    Logfile of HijackThis v1.99.1
    Scan saved at 7:40:05 AM, on 10/6/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\msole32.exe
    C:\WINNT\popuper.exe
    C:\WINNT\system32\intmonp.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\pcuser\Desktop\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cofc.edu/
    F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: Microsoft AntiSpyware helper - {FD7B9EFA-2AF4-4CAC-8C62-3C78BDAD0C36} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FD7B9EFA-2AF4-4CAC-8C62-3C78BDAD0C36} - (no file) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {45FA3E86-74D9-5ACB-E2A9-54664EDBE2F4} - http://216.118.71.185/1/rdgUS1828.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

    Incident Status Location

    Adware:Adware/Popuper No disinfected C:\WINNT\system32\msole32.exe
    Adware:Adware/Popuper No disinfected C:\WINNT\system32\intmonp.exe
    Virus:Trj/Downloader.CAE Disinfected Operating system
    Adware:Adware/SaveNow No disinfected Windows Registry
    Adware:Adware/Gator No disinfected C:\DOCUME~1\pcuser\LOCALS~1\Temp\bundle.inf
    Adware:Adware/MyWay No disinfected C:\Program Files\MyWay
    Adware:Adware/KeenValue No disinfected C:\DOCUME~1\pcuser\LOCALS~1\Temp\updatedupdaterinstall.exe
    Spyware:Spyware/Altnet No disinfected C:\DOCUME~1\pcuser\LOCALS~1\Temp\asmfiles.cab
    Adware:Adware/ExactSearch No disinfected Windows Registry
    Adware:Adware/IGuard No disinfected C:\WINNT\system32\wldr.dll
    Adware:Adware/BlueScreenWarning No disinfected Windows Registry
    Adware:Adware/Popuper No disinfected C:\WINNT\system32\intmonp.exe
    Adware:Adware/Virmaid No disinfected C:\WINNT\system32\perfcii.ini
    Spyware:Spyware/Altnet No disinfected C:\Documents and Settings\pcuser\Local Settings\Temp\asmfiles.cab[asm.exe]
    Adware:Adware/Popuper No disinfected C:\Online Pharmacy.url
    Adware:Adware/MyWay No disinfected C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    Adware:Adware/PortalScan No disinfected C:\Program Files\Windows Media Player\wmplayer.exe
    Spyware:Spyware/BetterInet No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq26.tmp\data2.dat
    Adware:Adware/Popuper No disinfected C:\WINNT\system32\intmonp.exe
    Adware:Adware/Popuper No disinfected C:\WINNT\system32\msole32.exe
    Virus:Trojan Horse Disinfected C:\WINNT\system32\O
    Virus:Trj/Downloader.CAH Disinfected C:\WINNT\system32\ole32vbs.exe
    Adware:Adware/P2PNetworking No disinfected C:\WINNT\system32\P2P Networking v124.cpl
    Adware:Adware/Virmaid No disinfected C:\WINNT\system32\perfcii.ini
    Adware:Adware/IGuard No disinfected C:\WINNT\system32\wldr.dll
  • Buckeye_Sam Columbus, Ohio
    edited May 2005
    Make sure that you can VIEW ALL HIDDEN FILES.

    Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

    F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
    O9 - Extra button: Microsoft AntiSpyware helper - {FD7B9EFA-2AF4-4CAC-8C62-3C78BDAD0C36} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FD7B9EFA-2AF4-4CAC-8C62-3C78BDAD0C36} - (no file) (HKCU)


    Reboot your computer into SAFE MODE

    Then delete these files or directories (Do not be concerned if they do not exist)

    C:\wp.exe
    C:\wp.bmp
    C:\WINNT\sites.ini
    C:\WINNT\popuper.exe
    C:\WINNT\System32\wldr.dll
    C:\WINNT\System32\helper.exe
    C:\WINNT\System32\intmonp.exe
    C:\WINNT\system32\perfcii.ini
    C:\WINNT\System32\msmsgs.exe
    C:\WINNT\System32\ole32vbs.exe
    C:\WINNT\system32\msole32.exe
    C:\WINNT\System32\Log Files
    C:\Program Files\Search Maid
    C:\Program Files\Virtual Maid
    C:\Program Files\Security IGuard
    C:\Program Files\MyWay



    Reboot your computer to go back to normal mode and post a new hijackthis log.
  • edited May 2005
    Here's the new log.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:52:59 PM, on 10/6/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\RUNDLL32.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\pcuser\Desktop\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cofc.edu/
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {45FA3E86-74D9-5ACB-E2A9-54664EDBE2F4} - http://216.118.71.185/1/rdgUS1828.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
  • Buckeye_Sam Columbus, Ohio
    edited May 2005
    Your log looks clean to me. Are you still having problems?
  • edited May 2005
    No more popups, but still the Messenger service errors. It always says something about reg-scanner.com. But it's running much better now. Thanks for everything. I give up on the remaining problems.
  • Buckeye_Sam Columbus, Ohio
    edited May 2005
    Don't give up! That error is caused by a virus that can be removed.

    Please download and install AVG antivirus. Follow the prompts to download and install all updates and then run a complete scan.

    http://free.grisoft.com/doc/Get+AVG+FREE/lng/us/tpl/v5

    Let me know what AVG finds.
  • edited May 2005
    Hey guys,

    I got the smitfraud trojan and the blue screen quite a while ago but had no idea what to do. I found this today and am hoping that maybe someone might be able to save me here. I'm using a friend's computer because at this point I cannot even get online.
    I'm not sure if that's because of the viruses, but my computer is running horribly.

    Please, if you can help me out, it would be greatly appreciated.

    champro247

    buyearm@yahoo.com
  • Buckeye_Sam Columbus, Ohio
    edited May 2005
    champro247 - Please start your own thread.
  • edited May 2005
    champro247 - Please start your own thread.

    I'm sorry, I know this is probably a pain for you, but I do not know how to start my own thread.
  • Buckeye_Sam Columbus, Ohio
    edited May 2005
    Check out this link for info and directions.

    http://www.short-media.com/forum/showthread.php?t=30401