current problem - smithfraud.c, past problem - adaware...

joey-pinkneyjoey-pinkney
edited April 2005 in Spyware & Virus Removal
Hello Everybody,

I'm relieved to have found people that can actually guide me to getting my computer running normally.

Now... My computer is plagued with pop-ups, pop-unders, and other stuff I'm not knowledgeable of. When the background of the desktop got the trojan-spy.html.smithfraud.c on it, I searched on google and found this forum...

I understand that running AdAware and Spybot S&D is recommended before HJT.

My only reservation is that AdAware has caused my computers to crash. I guess certain files that show up are not meant to be deleted. I'm afraid that this one will crash and I won't be able to use the internet to come here for further help. (Not to mention that my wife will be upset, to put it nicely, that I'm running AdAware again...)

Could somebody guide me through the first two programs?

Thank you,

Joey

Comments

  • Shadow2018Shadow2018 Northwest Missouri
    edited April 2005
    Adaware will not delete any necessary system files. If you can just skip those and post a hijack this log and we'll get you started on the right track to getting your computer running at optimum performance once again.

    First thing you'll need to do is to make sure your hidden files and folders are visible\accessable.
    Open explorer>click on Tools>Folder options>click view> then check the show hidden files and folders box/uncheck the hide extensions box>click apply then ok.

    Post your log when finished.
  • joey-pinkneyjoey-pinkney
    edited April 2005
    Thank you so much for helping me, Shadow2018. I can't figure out how to get to the hidden folder settings.

    I'm using Windows 2000 and IE 6.0.2800.1106.

    When I click on Tools, I get an "Internet Options". I don't see a "Folder Options" anywhere. I don't get anything when I search through the "Help" Menu.

    Is there another way?
  • Shadow2018Shadow2018 Northwest Missouri
    edited April 2005
    Sorry, I should have been more specific. Not internet explorer. Open up the my computer icon, this will open the explorer you need. Then follow those steps.
  • joey-pinkneyjoey-pinkney
    edited April 2005
    I just so happened to be tinkering around with IE and happened upon the Folder Options when you replied... :)

    Here is the HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:42:42 PM, on 4/23/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\ahead\InCD\InCD.exe
    C:\winnt\system32\mgtwyo.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\wp.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\winnt\system32\packager.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~2\COPERN~1\COPERN~1.DLL
    O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINNT\Pynix.dll
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [mgtwyo] c:\winnt\system32\mgtwyo.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
    O4 - HKCU\..\Run: [WindowsFY] C:\wp.exe
    O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: SysTray.lnk = C:\Program Files\Kinko's\FPFK\Kinkos.Jupiter.GUI.SysTray.exe
    O8 - Extra context menu item: &iSearch The Web - res://C:\WINNT\system32\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
    O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~2\COPERN~1\COPERN~1.EXE
    O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~2\COPERN~1\COPERN~1.EXE
    O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~2\COPERN~1\COPERN~1.EXE
    O9 - Extra button: PDFtypewriter - {B5EE1724-E26C-4431-A8F3-96FC5FE55CA1} - C:\Program Files\PDFtypewriter\PDFtypewriterie.exe (file missing)
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
    O16 - DPF: {11010101-1001-1111-1000-110112345678} - mk:@mSItSTORE:Mhtml:FiLE://C:\html.mHT!http://205.177.122.27/docs/tgp/html.chm::/html.exe
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/initial.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited April 2005
    Please remove these entries from Add/Remove Programs in the Control Panel(if present):

    Security IGuard


    Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINNT\Pynix.dll
    O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
    O4 - HKCU\..\Run: [WindowsFY] C:\wp.exe
    O16 - DPF: {11010101-1001-1111-1000-110112345678} - mk:@mSItSTORE:Mhtml:FiLE://C:\html.mHT!http://205.177.122.27/docs/tgp/html.chm::/html.exe
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/initial.cab



    Reboot your computer into Safe Mode

    Then delete these files or directories (Do not be concerned if they do not exist):

    C:\wp.exe
    C:\html.mHT
    C:\WINNT\Pynix.dll
    C:\Program Files\Security iGuard



    Reboot your computer to go back to normal mode.


    Please run at least two of these online scans.
    Make sure they are set to clean automatically:

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    http://www.bitdefender.com/scan/licence.php

    http://housecall.trendmicro.com/housecall/start_corp.asp

    There will be files that these scans will not remove. Please include that information in your next post.


    Reboot and post a new hijackthis log.
  • joey-pinkneyjoey-pinkney
    edited April 2005
    First off, I would like to sincerely thank shadow2018, Buckeye_Sam and the entire Short-Media staff. For once in my computer life, I think I will be rid of these pop-ups, pop-unders, etc., etc. Thanks for working with me.

    I totally understand that this is a very long post, so I thank anyone who will help me in advance. I posted a blow-by-blow listing of what happened in order to give a better picture of what my computer and I did.

    Now without further adieu...

    I tried to closely follow Buckeye_Sam's instructions.

    1) Security IGuard was not in the Add/Remove Programs in the Control Panel.

    2) I followed the instructions about showing the hidden files.

    3) I closed all IE windows, ran HJT, checked the 5 files that were suggested, and fixed them.

    4) When I rebooted in Safe Mode:

    a) deleted wp.exe, but there was also an "aspnet_wp.exe" (did not delete)
    b) "html.mHT" did not appear when I searched for that file
    c) deleted "WINNT/Pynix.dll", but that file search also brought up "Documents and Settings\Pinkney\Local Settings\Temp\THI199D.tmp" (did not delete)
    d) looked in "Program Files" folder and could not find "Security IGuard" folder

    5) I ran PandaSoftware's ActiveScan and got this log: (Some of these files were deleted by Bit Defender.)

    Adware:Adware/Twain-Tech - No disinfected - C:\winnt\system32\mgtwyo.exe

    Adware:Adware/Transponder - No disinfected - C:\WINNT\dlmax.dll

    Adware:Adware/Twain-Tech - No disinfected - c:\winnt\system32\mgtwyo.exe

    Spyware:Spyware/BetterInet - No disinfected - Windows Registry

    Adware:Adware/ISearch - No disinfected - C:\WINNT\deskbar.ini

    Adware:Adware/Twain-Tech - No disinfected - C:\DOCUME~1\Pinkney\LOCALS~1\Temp\THI*.tmp

    Adware:Adware/SuperSpider - No disinfected - C:\WINNT\msxmidi.exe

    Adware:Adware/Transponder - No disinfected - C:\WINNT\dlmax.dll

    Adware:Adware/IGuard - No disinfected - C:\WINNT\system32\wldr.dll

    Adware:Adware/Startpage.FA - No disinfected - C:\WINDOWS\SYSTEM32\notepad.com

    Adware:Adware/Startpage.FA - No disinfected - C:\WINDOWS\notepad.com

    Virus:Trj/Delprot.A - Disinfected - C:\WINNT\system32\drivers\delprot.sys

    Adware:Adware/IGuard - No disinfected - C:\WINNT\system32\wldr.dll

    Adware:Adware/Twain-Tech - No disinfected - C:\WINNT\system32\mgtwyo.exe

    Adware:Adware/ISearch - No disinfected - C:\WINNT\system32\patch.exe

    Adware:Adware/Transponder - No disinfected - C:\WINNT\inf\Pynix.inf

    Adware:Adware/Transponder - No disinfected - C:\WINNT\inf\dlmax.inf

    Adware:Adware/Transponder - No disinfected - C:\WINNT\dlmax.dll

    Virus:Trj/Downloader.VE - Disinfected - C:\WINNT\msxmidi.exe

    Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\THI199D.tmp\pynix.cab

    Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\THI199D.tmp\pynix.cab[Pynix.inf]

    Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\THI199D.tmp\pynix.cab[Pynix.dll]

    Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\THI199D.tmp\pynix.cab[spike.exe]

    Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\THI199D.tmp\Pynix.inf

    Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\THI199D.tmp\Pynix.dll

    Adware:Adware/IPInsight - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\THI570F.tmp\farmmext.cab[farmmext.inf]

    Adware:Adware/IPInsight - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\THI570F.tmp\farmmext.cab[farmmext.exe]

    Adware:Adware/IPInsight - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\THI570F.tmp\farmmext.cab[farmmext.ini]

    Adware:Adware/IPInsight - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\THI570F.tmp\farmmext.inf

    Adware:Adware/IPInsight - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\THI570F.tmp\farmmext.exe

    Adware:Adware/IPInsight - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\THI570F.tmp\farmmext.ini

    Spyware:Spyware/BetterInet - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\DrTemp\bho_prob.exe

    Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\DrTemp\dlmax.cab

    Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\DrTemp\dlmax.cab[dlmax.inf]

    Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\DrTemp\dlmax.cab[dlmax.dll]

    Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\DrTemp\dlmax.cab[spike.exe]

    Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\DrTemp\dlmax.inf

    Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\DrTemp\dlmax.dll

    Adware:Adware/ISearch - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\B167755543\build3.exe

    Adware:Adware/MyWebSearch - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temp\WToolsB.dll

    Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temporary Internet Files\Content.IE5\I9OJU1S5\dlmax[1].cab

    Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temporary Internet Files\Content.IE5\I9OJU1S5\dlmax[1].cab[dlmax.inf]

    Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temporary Internet Files\Content.IE5\I9OJU1S5\dlmax[1].cab[dlmax.dll]

    Adware:Adware/Transponder - No disinfected - C:\Documents and Settings\Pinkney\Local Settings\Temporary Internet Files\Content.IE5\I9OJU1S5\dlmax[1].cab[spike.exe]

    Virus:Trj/JS.Loop - Disinfected - C:\Program Files\Evrsoft\1st Page 2000\IScripts\Buttons\Six buttons from hell.izs

    Possible Virus. - No disinfected - C:\Program Files\Activ E-Book 4.22\AEBRCKEY.EXE

    Virus:Trj/Imiserv.D - Disinfected - C:\Program Files\Yahoo!\YPSR\Quarantine\ppqFB.tmp

    Adware:Adware/Transponder - No disinfected - C:\Program Files\Hijackthis\backups\backup-20050424-161122-573.dll

    Adware:Adware/ISearch - No disinfected - C:\Program Files\Hijackthis\backups\backup-20050424-161122-771.inf


    Virus:Trj/DeskChanger.A - Disinfected - C:\Recycled\Dc1.exe

    Adware:Adware/Transponder - No disinfected - C:\Recycled\Dc2.dll

    6) I ran Bit Defender and thses files could not be deleted:

    a) C:\WINNT\system32\thun32.dll
    b) C:\WINNT\system32\mgtwyo.exe

    7) I ran House Call, but my wife closed it thinking it was a po-up. I got a glimpse of it and it looked like it said "0 files found". She ended up restarting the computer before I could run it again...

    8) Here is the HJT log after the restart:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:02:53 AM, on 4/25/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\ahead\InCD\InCD.exe
    C:\winnt\system32\mgtwyo.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\winnt\system32\calc.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~2\COPERN~1\COPERN~1.DLL
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINNT\dlmax.dll
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [mgtwyo] c:\winnt\system32\mgtwyo.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: SysTray.lnk = C:\Program Files\Kinko's\FPFK\Kinkos.Jupiter.GUI.SysTray.exe
    O8 - Extra context menu item: &iSearch The Web - res://C:\WINNT\system32\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
    O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~2\COPERN~1\COPERN~1.EXE
    O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~2\COPERN~1\COPERN~1.EXE
    O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~2\COPERN~1\COPERN~1.EXE
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: PDFtypewriter - {B5EE1724-E26C-4431-A8F3-96FC5FE55CA1} - C:\Program Files\PDFtypewriter\PDFtypewriterie.exe (file missing)
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

    Thanks again,

    Joey
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited April 2005
    Thank you for the detailed response. It makes this much easier.

    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINNT\dlmax.dll
    O4 - HKLM\..\Run: [mgtwyo] c:\winnt\system32\mgtwyo.exe


    Reboot your computer into Safe Mode

    Then delete these files or directories (Do not be concerned if they do not exist):

    c:\winnt\system32\mgtwyo.exe
    C:\WINNT\dlmax.dll


    Delete temp files

    Navigate to the C:\WINNT\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Navigate to the C:\WINNT\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.

    Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

    Empty the Recycle Bin.



    Reboot your computer to go back to normal mode.



    Please follow these instructions to run Adware.
    • Download, install, update, configure, and run Ad-Aware SE Personal 1.05.
      1. Download Ad-Aware SE Personal 1.05:
      2. Install Ad-Aware SE Personal 1.05:
        • Double-click on aawsepersonal.exe to install the program.
        • Follow the default settings for installation.
        • After the program has finished installing uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.
      3. Update Ad-Aware SE Personal 1.05:
        • Double-click the Ad-Aware SE Personal icon on your desktop.
        • Click "Check for updates now" then click "Connect".
        • It will check for any updates. If any are found click "OK" to download and install the updates. Once it has finished click "Finish".
      4. Configure Ad-Aware SE Personal 1.05:
        • Click on the Gear button at the top of the window.
        • Click "General" on the left hand side to display the General Settings box.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Automatically save logfile"
            • "Automatically quarantine objects prior to removal"
            • "Safe Mode (always request confirmation)"
            • "Prompt to update outdated definitions" - change to 7 days from the default 14.
        • Click "Scanning" on the left hand side to display the Scan Settings box.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Scan within archives"
            • "Select drives & folders to scan" - select your hard drive(s).
            • "Scan active processes"
            • "Scan registry"
            • "Deep-scan registry"
            • "Scan my IE favorites for banned URLs"
            • "Scan my Hosts file"
        • Click "Advanced" on the left hand side to display the Advanced Settings box.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Move deleted files to Recycle Bin"
            • "Include additional object information"
            • "Include negligible objects information"
            • "Include environment information"
        • Click "Defaults" on the left hand side to display the Default Settings box.
          • Make sure these items have your preferred settings in them.:
            • "Default homepage"
            • "Default searchpage"
        • Click "Tweak" on the left hand side to display the Tweak Settings box.
          • Click the + (plus) sign next to the Log Files section. This will expand the section.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Include basic Ad-Aware settings in log file"
            • "Include additional Ad-Aware settings in log file"
            • "Include reference summary in log file"
            • "Include alternate data stream details in log file"
          • Click the + (plus) sign next to the Scanning Engine section. This will expand the section.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Unload recognized processes & modules during scan"
            • "Scan registry for all users instead of current user only"
            • "Obtain command line of scanned processes"
          • Click the + (plus) sign next to the Cleaning Engine section. This will expand the section.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Always try to unload modules before deletion"
            • "During removal, unload Explorer and IE if necessary"
            • "Let Windows remove files in use at next reboot"
            • "Delete quarantined objects after restoring"
        • Once you are done with these settings, click "Proceed" to save them.
        • This will take you back to the main screen.
      5. Run Ad-Aware SE Personal 1.05:
        • Click the "Start" button.
        • Uncheck the "Search for negligible risk entries" entry.
        • Choose the "Use custom scanning options" scan mode.
        • Click the "Next" button.
        • Ad-Aware will begin to scan for malware residing on your computer.
        • Allow the scan to finish.
        • Right-click on any entry in the list and click "Select All" to select the whole list.
        • Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.

    Reboot and post a new hijackthis log and we'll see what's left.
  • joey-pinkneyjoey-pinkney
    edited April 2005
    Thanks Buckeye_Sam,

    You are a gentleman and a scholar.

    Anyway, while waiting for further instructions about what to do next, I did a little investigating. These pop-ups were getting on my last nerve. I watched one closely and noticed that the IE window started off with "xadj.offeroptimizer.com..." before launching the, I'm assuming, paid advertisement.

    A little google research brought me to a spot where a person was having the exact same problem. The thread has various people who were successful with Webroot's Spy Sweeper. I ran it.

    It not only cleaned a ton of stuff off the computer and got my desktop back to normal (sans the "Security Warning" about smithfraud.c) but it stopped those forsaken pop-ups. I think it also deleted the two files you told me to look out for also...

    (Back to our regularly scheduled program.)

    1) I ran HJT and could not find the 2 files that were to be fixed.

    2) In Safe Mode:

    a) I still could not find the 2 files to be deleted.
    b) I deleted all of the contents of the "C:\WINNT\Temp" folder.
    c) I did not have the "Prefetch" folder.
    d) I opened the "Temp" folder with the %temp% command and deleted all of its contents. (Why did it have 133 items in after I previously deleted the files above in step "b"? Are these two different folders?)

    3) After rebooting in Normal Mode:

    a) I prayed that Ad-Aware would not cause my computer to crash like every other time I used it. :grumble:
    b) Downloaded, set up, and ran Ad-Aware. :confused:
    c) Deleted the files. :(

    4) After rebooting again:

    a) I saw that my computer didn't crash or ask for any missing files!
    b) I did this for about 60 seconds ==> :headbange

    5) This is the resulting HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:04:07 PM, on 4/25/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\ahead\InCD\InCD.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Kinko's\FPFK\Kinkos.Jupiter.GUI.SysTray.exe
    C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~2\COPERN~1\COPERN~1.DLL
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: SysTray.lnk = C:\Program Files\Kinko's\FPFK\Kinkos.Jupiter.GUI.SysTray.exe
    O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
    O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~2\COPERN~1\COPERN~1.EXE
    O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~2\COPERN~1\COPERN~1.EXE
    O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~2\COPERN~1\COPERN~1.EXE
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: PDFtypewriter - {B5EE1724-E26C-4431-A8F3-96FC5FE55CA1} - C:\Program Files\PDFtypewriter\PDFtypewriterie.exe (file missing)
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

    I haven't seen ONE pop-up in about the last 7 or 8 hours!

    I gratiously await further instructions.
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited April 2005
    Your log is clean!

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

      You can find instructions on how to enable and reenable system restore here:

      Managing Windows Millenium System Restore

      or

      Windows XP System Restore Guide

      Renable system restore with instructions from tutorial above

    2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        1. Change the Download signed ActiveX controls to Prompt
        2. Change the Download unsigned ActiveX controls to Disable
        3. Change the Initialize and script ActiveX controls not marked as safe to Disable
        4. Change the Installation of desktop items to Prompt
        5. Change the Launching programs and files in an IFRAME to Prompt
        6. Change the Navigate sub-frames across different domains to Prompt
        7. When all these settings have been made, click on the OK button.
        8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.

    3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

      See this link for a listing of some online & their stand-alone antivirus programs:

      Virus, Spyware, and Malware Protection and Removal Resources

    4. Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls

    6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

    7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

      A tutorial on installing & using this product can be found here:

      Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

    8. Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

      A tutorial on installing & using this product can be found here:

      Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

    9. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware

    10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.
  • joey-pinkneyjoey-pinkney
    edited April 2005
    I'm going to tell you what I am
    A very happy man cuz of Buckeye_Sam
    He's a gentleman and a scholar plus da man
    All I had to do was trust da plan

    My screen isn't stopped up
    with all those nasty pop-ups
    I don't have to hop up
    and right-click/close what popped up

    He even got rid of stuff I didn't know I had
    It turns out my computer had it really bad
    So now that that's gone like last years fad
    How do I get the desktop back to blue before my wife gets mad?

    Thank you for suffering through those three stanzas.

    I got another question. I have a yahoo account that I think is infected with something. When I log on to it, I notice a bunch of messages that were returned undeliverable that I didn't send in the first place. I haven't opened it in a couple of months. I felt like it was using my internet connection to send stuff to other people.

    Is that possible?

    How to I clean it so it doesn't do that?
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited April 2005
    Thanks for the rhyme. :clap:


    Yahoo accounts don't get infected. Computers get infected. Do you access this account through their site, or do you have pop access so you can read your email in Outlook?
  • joey-pinkneyjoey-pinkney
    edited April 2005
    You're welcome for the rhyme, it's the least I could do. :cheers:

    I go on yahoo.com to open it. It's a free account, so do I have pop3 access?
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited April 2005
    Not with the free account. As long as you are accessing it through the web then it sounds like Yahoo's problem to me.
  • joey-pinkneyjoey-pinkney
    edited April 2005
    Cool. I guess that means I can open it without get my computer dirty again, right?

    Thank you so much.

    You can close this thread and move 'er out.
This discussion has been closed.