Spy-html smitfraud.c ( blue screen wont go away)

StevilousStevilous
edited April 2005 in Spyware & Virus Removal
Hey this is my new hijack log after i followed the instructions.
However, when i ran AdAware it hangs and does not finish the scan,(Adware says it found 64 critical objects butst thats as far as it goes)

my only choice was to cancel and end it. But when i ran spybot it worked perfectly.








Logfile of HijackThis v1.99.1
Scan saved at 4:01:33 PM, on 04/29/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\DR_S\DR_S.exe
C:\PROGRA~1\CLOCKS~1\Sync.exe
C:\WINDOWS\SYSfit.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Juneann\Desktop\Hijck\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

- C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -

C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion -

{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Messenger\ycomp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}

- C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [iamapp] "C:\Program Files\Norton Personal

Firewall\IAMAPP.EXE"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common

Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor]

C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

-quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe"

/nosplash /minimized
O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [SYSfit] C:\WINDOWS\SYSfit.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program

Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Yahoo! Messenger -

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -

C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger -

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -

C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper -

{DAF86D6F-3EB7-45DF-869D-118374C0C241} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper -

{DAF86D6F-3EB7-45DF-869D-118374C0C241} - (no file) (HKCU)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -

http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup

Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags

Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient

Class) -

http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) -

http://www.streamingfaith.com/common/mbrowser/MINIBrowser.CAB
O16 - DPF: {C4660846-8760-4852-8154-82438E33E383} (FileSharingCtrl

Class) -

http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/e

s/filesharingctrl.cab
O16 - DPF: {F48EAB92-8BCE-4C77-BE98-D10060BD8590}

(Project1.SBDownloader) -

http://www.spybouncer.com/downloader/downloader.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown

Class) -

http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} -

http://download.spyspotter.com/spyspotter/SpSp29952.40noopt/SpySpotterC

abInstall.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation

- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) -

Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec

Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: NISUM - Symantec Corporation - C:\Program Files\Norton

Personal Firewall\NISUM.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) -

Symantec Corporation - C:\Program Files\Norton

AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton

AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec

Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec

Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\Security

Center\SymWSC.exe

Comments

  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited April 2005
    We'll fix your desktop later. But we have to remove your infection first.

    Please remove these entries from Add/Remove Programs in the Control Panel(if present):

    Security IGuard
    Virtual Maid
    Search Maid


    Please download CWShredder but don't run it yet.
    http://cwshredder.net/bin/CWSInstall.exe


    Download Ad-aware SE 1.05 from: http://www.majorgeeks.com/download506.html
    Install the program and launch it. First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files. Exit Adaware for now.


    Make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    res://C:\WINDOWS\qgemr.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    res://C:\WINDOWS\qgemr.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
    = res://C:\WINDOWS\qgemr.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
    res://C:\WINDOWS\qgemr.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    res://C:\WINDOWS\qgemr.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    res://C:\WINDOWS\qgemr.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
    http://www.searchforit.com/searchbar
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {2061BB23-DCA4-0D83-B4A7-56779D602DB2} -
    C:\WINDOWS\sysms32.dll
    O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
    O4 - HKLM\..\Run: [rasad] C:\WINDOWS\Config\rasad.exe
    O4 - HKLM\..\Run: [WhenUSearchWHSE] C:\PROGRA~1\WHENUS~1\whse.exe
    O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet
    Explorer\IEXPLORE.EXE
    O4 - HKLM\..\Run: [winda32.exe] C:\WINDOWS\winda32.exe
    O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security
    iGuard\Security iGuard.exe
    O4 - HKCU\..\Run: [iriw] C:\PROGRA~1\COMMON~1\iriw\iriwm.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
    C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links -
    {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {A27AD582-5BE5-4C2D-82F0-48B24FE02040} -
    http://www.adshooter.com/pop_shoote...00/SYSsfitb.cab
    O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown
    owner - C:\WINDOWS\crnn.exe


    Reboot your computer into Safe Mode


    Now run CWShredder, making sure to click "Fix".


    Then delete these files or directories (Do not be concerned if they do not exist)

    C:\WINDOWS\crnn.exe
    C:\WINDOWS\winda32.exe
    C:\WINDOWS\sysms32.dll
    C:\WINDOWS\qgemr.dll
    C:\WINDOWS\Config\rasad.exe
    C:\PROGRA~1\COMMON~1\iriw
    C:\PROGRA~1\WHENUS~1
    C:\Program Files\Security iGuard




    Run a full scan with Adaware.

    Reboot your computer to go back to normal mode and post a new log.
  • StevilousStevilous
    edited April 2005
    Hey. I edited my original hijack log file with the latest results after your instructions.
    Its all you fro here n again!


    Logfile of HijackThis v1.99.1
    Scan saved at 4:01:33 PM, on 04/29/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
    C:\Program Files\DR_S\DR_S.exe
    C:\PROGRA~1\CLOCKS~1\Sync.exe
    C:\WINDOWS\SYSfit.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Norton Personal Firewall\NISSERV.EXE
    C:\WINDOWS\System32\BRMFRSMG.EXE
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Juneann\Desktop\Hijck\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

    - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -

    C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion -

    {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

    Files\Yahoo!\Messenger\ycomp.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

    C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}

    - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [iamapp] "C:\Program Files\Norton Personal

    Firewall\IAMAPP.EXE"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common

    Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor]

    C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

    -quiet
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe"

    /nosplash /minimized
    O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O4 - HKCU\..\Run: [SYSfit] C:\WINDOWS\SYSfit.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

    Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program

    Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O9 - Extra button: Yahoo! Messenger -

    {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -

    C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger -

    {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -

    C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

    C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger -

    {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

    Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Microsoft AntiSpyware helper -

    {DAF86D6F-3EB7-45DF-869D-118374C0C241} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper -

    {DAF86D6F-3EB7-45DF-869D-118374C0C241} - (no file) (HKCU)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -

    http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup

    Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags

    Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient

    Class) -

    http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) -

    http://www.streamingfaith.com/common/mbrowser/MINIBrowser.CAB
    O16 - DPF: {C4660846-8760-4852-8154-82438E33E383} (FileSharingCtrl

    Class) -

    http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/e

    s/filesharingctrl.cab
    O16 - DPF: {F48EAB92-8BCE-4C77-BE98-D10060BD8590}

    (Project1.SBDownloader) -

    http://www.spybouncer.com/downloader/downloader.ocx
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown

    Class) -

    http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} -

    http://download.spyspotter.com/spyspotter/SpSp29952.40noopt/SpySpotterC

    abInstall.cab
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation

    - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec

    Corporation - C:\Program Files\Common Files\Symantec

    Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec

    Corporation - C:\Program Files\Common Files\Symantec

    Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) -

    Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec

    Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
    O23 - Service: NISUM - Symantec Corporation - C:\Program Files\Norton

    Personal Firewall\NISUM.EXE
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) -

    Symantec Corporation - C:\Program Files\Norton

    AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton

    AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec

    Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec

    Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation -

    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program

    Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation -

    C:\Program Files\Common Files\Symantec Shared\Security

    Center\SymWSC.exe
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited April 2005
    Don't edit your original post when you have a new log. Just post it as a reply to this message. And can you see if you post your log without the double spacing. It's very hard to read.

    Fix these lines with Hijackthis.

    O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O4 - HKCU\..\Run: [SYSfit] C:\WINDOWS\SYSfit.exe


    Delete these file and folders:

    C:\Program Files\DR_S
    C:\PROGRA~1\CLOCKS~1
    C:\WINDOWS\SYSfit.exe



    Reboot and post a new hijackthis log.
Sign In or Register to comment.