current problem - smithfraud.c, past problem - adaware...
Hello Everybody,
I'm relieved to have found people that can actually guide me to getting my computer running normally.
Now... My computer is plagued with pop-ups, pop-unders, and other stuff I'm not knowledgeable of. When the background of the desktop got the trojan-spy.html.smithfraud.c on it, I searched on google and found this forum...
I understand that running AdAware and Spybot S&D is recommended before HJT.
My only reservation is that AdAware has caused my computers to crash. I guess certain files that show up are not meant to be deleted. I'm afraid that this one will crash and I won't be able to use the internet to come here for further help. (Not to mention that my wife will be upset, to put it nicely, that I'm running AdAware again...)
Could somebody guide me through the first two programs?
Thank you,
Joey
I'm relieved to have found people that can actually guide me to getting my computer running normally.
Now... My computer is plagued with pop-ups, pop-unders, and other stuff I'm not knowledgeable of. When the background of the desktop got the trojan-spy.html.smithfraud.c on it, I searched on google and found this forum...
I understand that running AdAware and Spybot S&D is recommended before HJT.
My only reservation is that AdAware has caused my computers to crash. I guess certain files that show up are not meant to be deleted. I'm afraid that this one will crash and I won't be able to use the internet to come here for further help. (Not to mention that my wife will be upset, to put it nicely, that I'm running AdAware again...)
Could somebody guide me through the first two programs?
Thank you,
Joey
0
This discussion has been closed.
Comments
First thing you'll need to do is to make sure your hidden files and folders are visible\accessable.
Open explorer>click on Tools>Folder options>click view> then check the show hidden files and folders box/uncheck the hide extensions box>click apply then ok.
Post your log when finished.
I'm using Windows 2000 and IE 6.0.2800.1106.
When I click on Tools, I get an "Internet Options". I don't see a "Folder Options" anywhere. I don't get anything when I search through the "Help" Menu.
Is there another way?
Here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 1:42:42 PM, on 4/23/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\winnt\system32\mgtwyo.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\wp.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\winnt\system32\packager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~2\COPERN~1\COPERN~1.DLL
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINNT\Pynix.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [mgtwyo] c:\winnt\system32\mgtwyo.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [WindowsFY] C:\wp.exe
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: SysTray.lnk = C:\Program Files\Kinko's\FPFK\Kinkos.Jupiter.GUI.SysTray.exe
O8 - Extra context menu item: &iSearch The Web - res://C:\WINNT\system32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~2\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~2\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~2\COPERN~1\COPERN~1.EXE
O9 - Extra button: PDFtypewriter - {B5EE1724-E26C-4431-A8F3-96FC5FE55CA1} - C:\Program Files\PDFtypewriter\PDFtypewriterie.exe (file missing)
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {11010101-1001-1111-1000-110112345678} - mk:@mSItSTORE:Mhtml:FiLE://C:\html.mHT!http://205.177.122.27/docs/tgp/html.chm::/html.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/initial.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
Security IGuard
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINNT\Pynix.dll
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [WindowsFY] C:\wp.exe
O16 - DPF: {11010101-1001-1111-1000-110112345678} - mk:@mSItSTORE:Mhtml:FiLE://C:\html.mHT!http://205.177.122.27/docs/tgp/html.chm::/html.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/initial.cab
Reboot your computer into Safe Mode
Then delete these files or directories (Do not be concerned if they do not exist):
C:\wp.exe
C:\html.mHT
C:\WINNT\Pynix.dll
C:\Program Files\Security iGuard
Reboot your computer to go back to normal mode.
Please run at least two of these online scans.
Make sure they are set to clean automatically:
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.bitdefender.com/scan/licence.php
http://housecall.trendmicro.com/housecall/start_corp.asp
There will be files that these scans will not remove. Please include that information in your next post.
Reboot and post a new hijackthis log.
I totally understand that this is a very long post, so I thank anyone who will help me in advance. I posted a blow-by-blow listing of what happened in order to give a better picture of what my computer and I did.
Now without further adieu...
I tried to closely follow Buckeye_Sam's instructions.
1) Security IGuard was not in the Add/Remove Programs in the Control Panel.
2) I followed the instructions about showing the hidden files.
3) I closed all IE windows, ran HJT, checked the 5 files that were suggested, and fixed them.
4) When I rebooted in Safe Mode:
a) deleted wp.exe, but there was also an "aspnet_wp.exe" (did not delete)
b) "html.mHT" did not appear when I searched for that file
c) deleted "WINNT/Pynix.dll", but that file search also brought up "Documents and Settings\Pinkney\Local Settings\Temp\THI199D.tmp" (did not delete)
d) looked in "Program Files" folder and could not find "Security IGuard" folder
5) I ran PandaSoftware's ActiveScan and got this log: (Some of these files were deleted by Bit Defender.)
Adware:Adware/Twain-Tech - No disinfected - C:\winnt\system32\mgtwyo.exe
Adware:Adware/Transponder - No disinfected - C:\WINNT\dlmax.dll
Adware:Adware/Twain-Tech - No disinfected - c:\winnt\system32\mgtwyo.exe
Spyware:Spyware/BetterInet - No disinfected - Windows Registry
Adware:Adware/ISearch - No disinfected - C:\WINNT\deskbar.ini
Adware:Adware/Twain-Tech - No disinfected - C:\DOCUME~1\Pinkney\LOCALS~1\Temp\THI*.tmp
Adware:Adware/SuperSpider - No disinfected - C:\WINNT\msxmidi.exe
Adware:Adware/Transponder - No disinfected - C:\WINNT\dlmax.dll
Adware:Adware/IGuard - No disinfected - C:\WINNT\system32\wldr.dll
Adware:Adware/Startpage.FA - No disinfected - C:\WINDOWS\SYSTEM32\notepad.com
Adware:Adware/Startpage.FA - No disinfected - C:\WINDOWS\notepad.com
Virus:Trj/Delprot.A - Disinfected - C:\WINNT\system32\drivers\delprot.sys
Adware:Adware/IGuard - No disinfected - C:\WINNT\system32\wldr.dll
Adware:Adware/Twain-Tech - No disinfected - C:\WINNT\system32\mgtwyo.exe
Adware:Adware/ISearch - No disinfected - C:\WINNT\system32\patch.exe
Adware:Adware/Transponder - No disinfected - C:\WINNT\inf\Pynix.inf
Adware:Adware/Transponder - No disinfected - C:\WINNT\inf\dlmax.inf
Adware:Adware/Transponder - No disinfected - C:\WINNT\dlmax.dll
Virus:Trj/Downloader.VE - Disinfected - C:\WINNT\msxmidi.exe
Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\THI199D.tmp\pynix.cab
Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\THI199D.tmp\pynix.cab[Pynix.inf]
Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\THI199D.tmp\pynix.cab[Pynix.dll]
Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\THI199D.tmp\pynix.cab[spike.exe]
Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\THI199D.tmp\Pynix.inf
Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\THI199D.tmp\Pynix.dll
Adware:Adware/IPInsight - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\THI570F.tmp\farmmext.cab[farmmext.inf]
Adware:Adware/IPInsight - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\THI570F.tmp\farmmext.cab[farmmext.exe]
Adware:Adware/IPInsight - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\THI570F.tmp\farmmext.cab[farmmext.ini]
Adware:Adware/IPInsight - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\THI570F.tmp\farmmext.inf
Adware:Adware/IPInsight - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\THI570F.tmp\farmmext.exe
Adware:Adware/IPInsight - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\THI570F.tmp\farmmext.ini
Spyware:Spyware/BetterInet - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\DrTemp\bho_prob.exe
Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\DrTemp\dlmax.cab
Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\DrTemp\dlmax.cab[dlmax.inf]
Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\DrTemp\dlmax.cab[dlmax.dll]
Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\DrTemp\dlmax.cab[spike.exe]
Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\DrTemp\dlmax.inf
Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\DrTemp\dlmax.dll
Adware:Adware/ISearch - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\B167755543\build3.exe
Adware:Adware/MyWebSearch - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\WToolsB.dll
Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temporary Internet Files\Content.IE5\I9OJU1S5\dlmax[1].cab
Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temporary Internet Files\Content.IE5\I9OJU1S5\dlmax[1].cab[dlmax.inf]
Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temporary Internet Files\Content.IE5\I9OJU1S5\dlmax[1].cab[dlmax.dll]
Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temporary Internet Files\Content.IE5\I9OJU1S5\dlmax[1].cab[spike.exe]
Virus:Trj/JS.Loop - Disinfected - C:\Program Files\Evrsoft\1st Page 2000\IScripts\Buttons\Six buttons from hell.izs
Possible Virus. - No disinfected - C:\Program Files\Activ E-Book 4.22\AEBRCKEY.EXE
Virus:Trj/Imiserv.D - Disinfected - C:\Program Files\Yahoo!\YPSR\Quarantine\ppqFB.tmp
Adware:Adware/Transponder - No disinfected - C:\Program Files\Hijackthis\backups\backup-20050424-161122-573.dll
Adware:Adware/ISearch - No disinfected - C:\Program Files\Hijackthis\backups\backup-20050424-161122-771.inf
Virus:Trj/DeskChanger.A - Disinfected - C:\Recycled\Dc1.exe
Adware:Adware/Transponder - No disinfected - C:\Recycled\Dc2.dll
6) I ran Bit Defender and thses files could not be deleted:
a) C:\WINNT\system32\thun32.dll
b) C:\WINNT\system32\mgtwyo.exe
7) I ran House Call, but my wife closed it thinking it was a po-up. I got a glimpse of it and it looked like it said "0 files found". She ended up restarting the computer before I could run it again...
8) Here is the HJT log after the restart:
Logfile of HijackThis v1.99.1
Scan saved at 9:02:53 AM, on 4/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\winnt\system32\mgtwyo.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\winnt\system32\calc.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~2\COPERN~1\COPERN~1.DLL
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINNT\dlmax.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [mgtwyo] c:\winnt\system32\mgtwyo.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: SysTray.lnk = C:\Program Files\Kinko's\FPFK\Kinkos.Jupiter.GUI.SysTray.exe
O8 - Extra context menu item: &iSearch The Web - res://C:\WINNT\system32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~2\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~2\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~2\COPERN~1\COPERN~1.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: PDFtypewriter - {B5EE1724-E26C-4431-A8F3-96FC5FE55CA1} - C:\Program Files\PDFtypewriter\PDFtypewriterie.exe (file missing)
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
Thanks again,
Joey
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINNT\dlmax.dll
O4 - HKLM\..\Run: [mgtwyo] c:\winnt\system32\mgtwyo.exe
Reboot your computer into Safe Mode
Then delete these files or directories (Do not be concerned if they do not exist):
c:\winnt\system32\mgtwyo.exe
C:\WINNT\dlmax.dll
Delete temp files
Navigate to the C:\WINNT\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Navigate to the C:\WINNT\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.
Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.
Empty the Recycle Bin.
Reboot your computer to go back to normal mode.
Please follow these instructions to run Adware.
Reboot and post a new hijackthis log and we'll see what's left.
You are a gentleman and a scholar.
Anyway, while waiting for further instructions about what to do next, I did a little investigating. These pop-ups were getting on my last nerve. I watched one closely and noticed that the IE window started off with "xadj.offeroptimizer.com..." before launching the, I'm assuming, paid advertisement.
A little google research brought me to a spot where a person was having the exact same problem. The thread has various people who were successful with Webroot's Spy Sweeper. I ran it.
It not only cleaned a ton of stuff off the computer and got my desktop back to normal (sans the "Security Warning" about smithfraud.c) but it stopped those forsaken pop-ups. I think it also deleted the two files you told me to look out for also...
(Back to our regularly scheduled program.)
1) I ran HJT and could not find the 2 files that were to be fixed.
2) In Safe Mode:
a) I still could not find the 2 files to be deleted.
b) I deleted all of the contents of the "C:\WINNT\Temp" folder.
c) I did not have the "Prefetch" folder.
d) I opened the "Temp" folder with the %temp% command and deleted all of its contents. (Why did it have 133 items in after I previously deleted the files above in step "b"? Are these two different folders?)
3) After rebooting in Normal Mode:
a) I prayed that Ad-Aware would not cause my computer to crash like every other time I used it.
b) Downloaded, set up, and ran Ad-Aware.
c) Deleted the files.
4) After rebooting again:
a) I saw that my computer didn't crash or ask for any missing files!
b) I did this for about 60 seconds ==> :headbange
5) This is the resulting HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:04:07 PM, on 4/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Kinko's\FPFK\Kinkos.Jupiter.GUI.SysTray.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Hijackthis\HijackThis.exe
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~2\COPERN~1\COPERN~1.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: SysTray.lnk = C:\Program Files\Kinko's\FPFK\Kinkos.Jupiter.GUI.SysTray.exe
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~2\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~2\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~2\COPERN~1\COPERN~1.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: PDFtypewriter - {B5EE1724-E26C-4431-A8F3-96FC5FE55CA1} - C:\Program Files\PDFtypewriter\PDFtypewriterie.exe (file missing)
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
I haven't seen ONE pop-up in about the last 7 or 8 hours!
I gratiously await further instructions.
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
- Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.
- Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
- Change the Download signed ActiveX controls to Prompt
- Change the Download unsigned ActiveX controls to Disable
- Change the Initialize and script ActiveX controls not marked as safe to Disable
- Change the Installation of desktop items to Prompt
- Change the Launching programs and files in an IFRAME to Prompt
- Change the Navigate sub-frames across different domains to Prompt
- When all these settings have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
- Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
- Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
- Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
- Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
- Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.
- Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.
- Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
- Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.You can find instructions on how to enable and reenable system restore here:
Managing Windows Millenium System Restore
or
Windows XP System Restore Guide
Renable system restore with instructions from tutorial above
See this link for a listing of some online & their stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources
For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls
A tutorial on installing & using this product can be found here:
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
A tutorial on installing & using this product can be found here:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware
A very happy man cuz of Buckeye_Sam
He's a gentleman and a scholar plus da man
All I had to do was trust da plan
My screen isn't stopped up
with all those nasty pop-ups
I don't have to hop up
and right-click/close what popped up
He even got rid of stuff I didn't know I had
It turns out my computer had it really bad
So now that that's gone like last years fad
How do I get the desktop back to blue before my wife gets mad?
Thank you for suffering through those three stanzas.
I got another question. I have a yahoo account that I think is infected with something. When I log on to it, I notice a bunch of messages that were returned undeliverable that I didn't send in the first place. I haven't opened it in a couple of months. I felt like it was using my internet connection to send stuff to other people.
Is that possible?
How to I clean it so it doesn't do that?
Yahoo accounts don't get infected. Computers get infected. Do you access this account through their site, or do you have pop access so you can read your email in Outlook?
I go on yahoo.com to open it. It's a free account, so do I have pop3 access?
Thank you so much.
You can close this thread and move 'er out.