Please help trojan-spy.html.smitfraud.c

Unknown · May 2005

Hello, I've been trying to get rid of the trojan-spy.html.smitfraud.c virus for a week. I've found post that have had instructions, but they either do not work or the virus has something in place that blocks me from downloading a file (reglite for example). I've run spybot, ad-adware, norton anitvirus all with the latest updated, but have not been able to correct it. It also changes my IE page to IPAssist.biz every time I open IE. At this point, I am at a loss. I've done a search in this forum and it seems that there isn't a common set of instructions to remove this, so I'm posting my log below. Any help would be greatly appreciated.

Thanks,
dagobin

Log:
Logfile of HijackThis v1.99.1
Scan saved at 10:41:36 PM, on 5/13/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Common Files\Symantec Shared\NMAIN.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijack\HijackThis.exe

R3 - URLSearchHook: (no name) - _{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Dennis Gobin\Application Data\Mozilla\Profiles\default\y1pd5lay.slt\prefs.j s)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchpl ugins%5CSBWeb_01.src"); (C:\Documents and Settings\Dennis Gobin\Application Data\Mozilla\Profiles\default\y1pd5lay.slt\prefs.j s)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EX E -r
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Fzqcalo] C:\Program Files\Glonqxt\Rtxcjh.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Service Host] C:\WINNT\system32\Services\{D942270B-3325-403C-A5CD-FA96A665B541}\SVCHOST.EXE
O4 - HKLM\..\Run: [win32 system server] c:\winnt\system32\winserver.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINNT\system32\Services\{D942270B-3325-403C-A5CD-FA96A665B541}\SECURITY.EXE
O4 - HKLM\..\RunServices: [win32 system server] c:\winnt\system32\winserver.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yot6Rgc8T] netsutil.exe
O4 - HKCU\..\Run: [win32 system server] c:\winnt\system32\winserver.exe
O4 - HKCU\..\Run: [WindowsFY] C:\wp.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NMPSystray.lnk = C:\Program Files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Microsoft AntiSpyware helper - {3D6B85F7-7765-46D9-AFD4-E85BC0AEF26A} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3D6B85F7-7765-46D9-AFD4-E85BC0AEF26A} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6.../bridge-c46.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/182a0b73c1e6d3...tzip/RdxIE2.cab
O16 - DPF: {5FA91BF0-39F1-11D3-8093-0060080A776C} (FileDrop Class) - http://atlantic.photoisland.com/downloads/upload.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.ezprints.com/software/ImageUploader3.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/Sha...c/bin/cabsa.cab
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

HJThis · May 2005

Hello,dagobin & Welcome

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:
Security iGuard

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R3 - URLSearchHook: (no name) - _{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

These items here are user preference
O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Fzqcalo] C:\Program Files\Glonqxt\Rtxcjh.exe
O4 - HKLM\..\Run: [Service Host] C:\WINNT\system32\Services\{D942270B-3325-403C-A5CD-FA96A665B541}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINNT\system32\Services\{D942270B-3325-403C-A5CD-FA96A665B541}\SECURITY.EXE
O4 - HKLM\..\Run: [win32 system server] c:\winnt\system32\winserver.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunServices: [win32 system server] c:\winnt\system32\winserver.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [Yot6Rgc8T] netsutil.exe
O4 - HKCU\..\Run: [win32 system server] c:\winnt\system32\winserver.exe
O4 - HKCU\..\Run: [WindowsFY] C:\wp.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe

Make sure you can view hidden and system files: Instructions here

Then Boot to safe mode: Instructions here

Delete the following files\folders IF still present:
C:\Program Files\Glonqxt\<---This folder
c:\winnt\system32\winserver.exe<---This file
C:\WINNT\System32\spoolsrv32.exe<---This file
C:\Program Files\Security iGuard\<---This folder
C:\wp.exe<---This file
C:\WINNT\system32\Services\{D942270B-3325-403C-A5CD-FA96A665B541}<= entire folder

still in Safe Mode do a file Search for this file
netsutil.exe<--This file if found delete it

Then reboot show us new logfile & any info you think we should know

HGD

dagobin · May 2005

Hello HGD,
Thank you for helping me! I was able to find the majority of the things listed in your post. However, after I rebooted into normal mode, a lot of them came back (R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipassist.biz/ for example). Also when I rebooted, I received a message " Can't find the file 'C:\WINNT\System32\Spoolsrv32.exe' (or one of its components). Make sure the path and filename are correct and that all required libraries are available." Lastly, i'm not sure if this means anything, the page that my IE gets pushed to has also changed from "http://ipassist.biz/free.php" to "http://clicksearchclick.com/". I've attached the log below. Once again thank you for your help.

dagobin

Logfile of HijackThis v1.99.1
Scan saved at 8:42:22 PM, on 5/17/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Norton Personal Firewall\ATRACK.EXE
C:\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipassist.biz/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [win32 system server] c:\winnt\system32\winserver.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINNT\system32\Services\{D942270B-3325-403C-A5CD-FA96A665B541}\SECURITY.EXE
O4 - HKLM\..\Run: [Service Host] C:\WINNT\system32\Services\{D942270B-3325-403C-A5CD-FA96A665B541}\SVCHOST.EXE
O4 - HKLM\..\RunServices: [win32 system server] c:\winnt\system32\winserver.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [win32 system server] c:\winnt\system32\winserver.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NMPSystray.lnk = C:\Program Files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c46.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/182a0b73c1e6d3101d01/netzip/RdxIE2.cab
O16 - DPF: {5FA91BF0-39F1-11D3-8093-0060080A776C} (FileDrop Class) - http://atlantic.photoisland.com/downloads/upload.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.ezprints.com/software/ImageUploader3.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Buckeye_Sam · May 2005

Let's try this...

Step 1
Download CWShredder but don't run it yet.

Step 2
Download Ad-aware SE 1.05
Install the program and launch it. First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files. Exit Adaware for now.

Step 3
Make sure that you can VIEW ALL HIDDEN FILES.

Step 4
Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipassist.biz/
O4 - HKLM\..\Run: [win32 system server] c:\winnt\system32\winserver.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINNT\system32\Services\{D942270B-3325-403C-A5CD-FA96A665B541}\SECURITY.EXE
O4 - HKLM\..\Run: [Service Host] C:\WINNT\system32\Services\{D942270B-3325-403C-A5CD-FA96A665B541}\SVCHOST.EXE
O4 - HKLM\..\RunServices: [win32 system server] c:\winnt\system32\winserver.exe
O4 - HKCU\..\Run: [win32 system server] c:\winnt\system32\winserver.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6.../bridge-c46.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/182a0b73c1e6d3...tzip/RdxIE2.cab

Step 5
Reboot your computer into SAFE MODE

Step 6
Now run CWShredder, making sure to click "Fix".

Step 7
Then delete these files or directories (Do not be concerned if they do not exist)

c:\winnt\system32\winserver.exe
C:\WINNT\system32\Services\{D942270B-3325-403C-A5CD-FA96A665B541}

Step 8
Run a full scan with Adaware.

Reboot your computer to go back to normal mode.

Please run at least two of these online scans.
Make sure they are set to clean automatically:

Panda Virus Scan

Bit Defender

TrendMicro Housecall

There will be files that these scans will not remove. Please include that information in your next post.

Reboot and post a new hijackthis log and the info from your virus scans.

dagobin · May 2005

Hello Buckeye_Sam,
Thank you for your help. I ran the CWShredder and it did not find anything. The Adware scan found 13 Cool Web items that I deleted. I started running the virus scans and my Norton displayed some download.trojan virus messages. The defaul IE page now gets pushed to [url]http:///[/url]. Below are the files from each of the virus scans that could not be deleted. I've also attached the hijack files. Once again, thank you for your help.

Dagobin

Virus Scans:
Panda Scan:

Incident Status Location

Adware:Adware/MyWay No disinfected C:\Program Files\MyWay
Adware:Adware/nCase No disinfected C:\Temp\FLEOK
Spyware:Spyware/Dyfuca No disinfected Windows Registry
Spyware:Spyware/ISTbar No disinfected C:\DOCUME~1\DENNIS~1\LOCALS~1\Temp\iinstall.exe
Adware:Adware/KeenValue No disinfected Windows Registry
Adware:Adware/CWS.Yexe No disinfected C:\WINNT\system32\services
Adware:Adware/Apropos No disinfected Windows Registry
Adware:Adware/Twain-Tech No disinfected C:\WINNT\smdat32a.sys
Adware:Adware/WUpd No disinfected Windows Registry
Spyware:Spyware/IESearchToolbarNo disinfected C:\Program Files\iesearchtoolbar
Adware:Adware/P2PNetworking No disinfected C:\DOCUME~1\DENNIS~1\LOCALS~1\Temp\p2psetup.exe
Virus:Trj/Downloader.BOH Disinfected Operating system
Adware:Adware/BlueScreenWarningNo disinfected Windows Registry
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Dennis Gobin\Local Settings\Temp\4XPFOY.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Dennis Gobin\Local Settings\Temp\FDj4BD.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Dennis Gobin\Local Settings\Temp\iinstall.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Dennis Gobin\Local Settings\Temp\istsv_.exe
Adware:Adware/P2PNetworking No disinfected C:\Documents and Settings\Dennis Gobin\Local Settings\Temp\p2psetup.exe
Spyware:Spyware/Altnet No disinfected C:\Documents and Settings\Dennis Gobin\Local Settings\Temp\__unin__.exe
Virus:Trj/Multidropper.ADG Disinfected C:\Documents and Settings\Dennis Gobin\Local Settings\Temporary Internet Files\Content.IE5\FJLHZCA3\file[1].exe
Adware:Adware/WinAD No disinfected C:\hijack\backups\backup-20050519-211552-420.dll
Adware:Adware/MyWay No disinfected C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
Virus:Trj/Downloader.CHD Disinfected C:\RECYCLER\S-1-5-21-789336058-1993962763-839522115-1000\Dc1.exe
Adware:Adware/Findspy No disinfected C:\sys126412759.exe
Virus:Trj/Dropper.FQ Disinfected C:\sys190528444.exe
Adware:Adware/Findspy No disinfected C:\sys2429416950.exe
Virus:Trj/Dropper.FQ Disinfected C:\sys303026595.exe
Virus:Trj/Multidropper.TY Disinfected C:\Temp\Bargains.exe
Adware:Adware/nCase No disinfected C:\Temp\salmau.dat
Adware:Adware/nCase No disinfected C:\Temp\salm_gdf.dat
Adware:Adware/nCase No disinfected C:\Temp\salm_kyf.dat
Adware:Adware/Twain-Tech No disinfected C:\WINNT\smdat32a.sys
Adware:Adware/Twain-Tech No disinfected C:\WINNT\smdat32m.sys
Virus:Trj/Downloader.CKQ Disinfected C:\WINNT\system32\srpcsrv32.dll
Virus:Trj/Downloader.CKQ Disinfected C:\WINNT\system32\txfdb32.dll
Bit Defender Scan:
\Local Settings\Temp\4XPFOY.exe: infected with Trojan.Downloader.IstBar.GEN
C:\Documents and Settings\Dennis Gobin\Local Settings\Temp\4XPFOY.exe: disinfection failed
C:\Documents and Settings\Dennis Gobin\Local Settings\Temp\56217.tmp=>tsi2.db: bad crc
C:\Documents and Settings\Dennis Gobin\Local Settings\Temp\iinstall.exe: infected with Trojan.Downloader.IstBar.GEN
C:\Documents and Settings\Dennis Gobin\Local Settings\Temp\iinstall.exe: disinfection failed
C:\Documents and Settings\Dennis Gobin\Local Settings\Temp\istsv_.exe: infected with Trojan.Downloader.IstBar.GEN
C:\Documents and Settings\Dennis Gobin\Local Settings\Temp\istsv_.exe: disinfection failed
C:\Documents and Settings\Dennis Gobin\Local Settings\Temp\remove.exe=>(NSIS o)=>zlib_nsis0002: infected with Trojan.Downloader.Keenval.F
C:\Documents and Settings\Dennis Gobin\Local Settings\Temp\remove.exe=>(NSIS o)=>zlib_nsis0002: disinfection failed
\sys15205025.exe: infected with Backdoor.Garmond.A
C:\sys15205025.exe: disinfection failed
C:\sys2491327195.exe: infected with Trojan.Downloader.Agent.LV
C:\sys2491327195.exe: deleted
C:\sys2786018252.exe: infected with Backdoor.Garmond.A
C:\sys2786018252.exe: disinfection failed
C:\sys3275112606.exe: infected with Trojan.Downloader.Agent.LV
C:\sys3275112606.exe: deleted
C:\WINNT\system32\winserv.dll: suspect BehavesLike:Win32.AV-Killer
C:\WINNT\system32\winserv.dll: disinfection failed
C:\WINNT\system32\winserv32.dll: infected with Win32.Mydoom.4.Gen@mm
C:\WINNT\system32\winserv32.dll: disinfection failed

Trend Micro Scan:
JS_BACKBUG.A - C:\Documents and Settings\Dennis Gobin\Desktop\IE6WARN.txt
TROJ_ISTBAR.CJ - C:\Documents and Settings\Dennis Gobin\Local Settings\Temp\4XPFOY.exe
TROJ_ISTBAR.BX - C:\Documents and Settings\Dennis Gobin\Local Settings\Temp\Install.exe
TROJ_ISTBAR.CJ - C:\Documents and Settings\Dennis Gobin\Local Settings\Temp\istsv_.exe
TROJ_SMALL.YH - C:\sys126412759.exe
TROJ_SMALL.YH - C:\sys2429416950.exe

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:17:09 PM, on 5/20/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Norton Personal Firewall\ATRACK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NMPSystray.lnk = C:\Program Files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5FA91BF0-39F1-11D3-8093-0060080A776C} (FileDrop Class) - http://atlantic.photoisland.com/downloads/upload.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.ezprints.com/software/ImageUploader3.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Buckeye_Sam · May 2005

Please download and install Cleanup 4.0
http://cleanup.stevengould.org/

Reboot your computer into SAFE MODE

Please delete these files/folders:

C:\Program Files\MyWay
C:\Program Files\iesearchtoolbar
C:\WINNT\smdat32a.sys
C:\WINNT\smdat32m.sys
C:\sys126412759.exe
C:\sys2429416950.exe
C:\sys15205025.exe
C:\sys2786018252.exe
C:\WINNT\system32\winserv.dll
C:\WINNT\system32\winserv32.dll
C:\WINNT\system32\services

Now while still in Safe mode run CleanUp 4.0

Reboot back to normal mode. Post a new hijackthis log and let me know of any problems you are still having.

dagobin · May 2005

Buckeye_Sam wrote:

Please download and install Cleanup 4.0
http://cleanup.stevengould.org/

Reboot your computer into SAFE MODE

Please delete these files/folders:

C:\Program Files\MyWay
C:\Program Files\iesearchtoolbar
C:\WINNT\smdat32a.sys
C:\WINNT\smdat32m.sys
C:\sys126412759.exe
C:\sys2429416950.exe
C:\sys15205025.exe
C:\sys2786018252.exe
C:\WINNT\system32\winserv.dll
C:\WINNT\system32\winserv32.dll
C:\WINNT\system32\services

Now while still in Safe mode run CleanUp 4.0

Reboot back to normal mode. Post a new hijackthis log and let me know of any problems you are still having.

Hello Buckeye_Sam,

I was able to delete all of the files. I deleted the Services folder for the C:\Winnt\System32\Services entry. There was a Services file, but couldn't delete it. Also, there was another file called "c:\sys1224110713" that was not in the list. Should I delete it. Also, the default page went to [url]http:///[/url], but seems to be okay since I set it to default. I'll give it some time. I am attaching the hijackthis log below.

Thank you for your help
dagobin

Log:
Logfile of HijackThis v1.99.1
Scan saved at 10:04:47 PM, on 5/21/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Norton Personal Firewall\ATRACK.EXE
C:\WINNT\system32\wuauclt.exe
C:\hijack\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NMPSystray.lnk = C:\Program Files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5FA91BF0-39F1-11D3-8093-0060080A776C} (FileDrop Class) - http://atlantic.photoisland.com/downloads/upload.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.ezprints.com/software/ImageUploader3.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Buckeye_Sam · May 2005

Also, there was another file called "c:\sys1224110713" that was not in the list. Should I delete it.

Yes, delete it.

Your log looks clean.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore

or

Windows XP System Restore Guide

Renable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
  1. Change the Download signed ActiveX controls to Prompt
  2. Change the Download unsigned ActiveX controls to Disable
  3. Change the Initialize and script ActiveX controls not marked as safe to Disable
  4. Change the Installation of desktop items to Prompt
  5. Change the Launching programs and files in an IFRAME to Prompt
  6. Change the Navigate sub-frames across different domains to Prompt
  7. When all these settings have been made, click on the OK button.
  8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
5. Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources
Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

A tutorial on installing & using this product can be found here:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

dagobin · May 2005

Hello Buckeye_Sam,
Thank you for your help, unfortunately, my virus software (norton) is still popping up with a download.trojan virus every time I try to change my background. It says the desktop.html page has the download.trojan and cannot be accessed or repaired. I cannot access any of my active desktop settings. The screen switches to a grey screen when I right click on the screen to get to the active desktop and then goes back to white after I move the mouse off of the desktop. Any thoughts? I've attached my hijackthis log. If you need any additional info, please let me know

Thanks,
dagobin

log:

Logfile of HijackThis v1.99.1
Scan saved at 8:36:54 PM, on 5/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Norton Personal Firewall\ATRACK.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijack\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NMPSystray.lnk = C:\Program Files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5FA91BF0-39F1-11D3-8093-0060080A776C} (FileDrop Class) - http://atlantic.photoisland.com/downloads/upload.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.ezprints.com/software/ImageUploader3.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Buckeye_Sam · May 2005

Download the following reg file to your desktop by right clicking on the link, and selecting save as.

http://www.bleepingcomputer.com/files/reg/smitfraud.reg

Once it has downloaded, double-click on the smitfraud.reg file on your desktop and when it asks if you would like to merge the data, click on the Yes button.

Reboot your computer and you should now be able to change your desktop settings back to how you would like it.

Let me know if this does the trick.

dagobin · May 2005

Hello Buckeye_Sam,
Didn't work. I still cannot access my active desktop when I right click on the desktop. I don't even get an option for the active desktop when I right click. I also tried to change it from the display and still no luck. The desktop shows up when I start and end windows, just not when I'm using it. It turns gray when I mouse over the desktop and turns white when the mouse moves off of the desktop. Ran Norton, Adware, Spybot, and Spyblaster, and they did not find anyting. Any thoughts? Please let me know if you need any addtional info.

Thanks,
dagobin.

Buckeye_Sam · May 2005

Please download SilentRunners from here:
http://www.silentrunners.org/Silent%20Runners.zip
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop. Please post the entire contents of this logfile for me to see.

dagobin · May 2005

Hello Buckeye_Sam,
Here is the log from SilentRunners. I was also wondering if this problem has anything to do with the desktop.html file that I deleted. It had the download.trojan virus. If so, could I just replace it with a desktop.html file from another computer runnning 2000? Just a thought. Please let me know if you need any additional info.

Thank you for your help,
dagobin

Log:
"Silent Runners.vbs", revision 37, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AIM" = "C:\Program Files\AIM95\aim.exe -cnetwait.odl" ["America Online, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"AdaptecDirectCD" = ""C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"CreateCD50" = "C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r" ["Roxio"]
"NAV Agent" = "C:\PROGRA~1\NORTON~1\navapw32.exe" ["Symantec Corporation"]
"iamapp" = "C:\Program Files\Norton Personal Firewall\IAMAPP.EXE" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"SSC_UserPrompt" = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{243B17DE-77C7-46BF-B94B-0B5F309A0E64}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyside.dll" [MS]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Adaptec\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

Enabled Active Desktop and Wallpaper:

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINNT\Web\Wallpaper\Ocean Wave.jpg"

Active Desktop web content:

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"FriendlyName" = "Security"
"Source" = "C:\WINNT\Web\desktop.html"
"SubscribedURL" = "C:\WINNT\Web\desktop.html"

Startup items in "Dennis Gobin" & "All Users" startup folders:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"NMPSystray" -> shortcut to: "C:\Program Files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe" [null data]
"WinZip Quick Pick" -> shortcut to: "C:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]

Enabled Scheduled Tasks:

"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]

Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {CLSID}\(Default) = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {CLSID}\(Default) = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{D6A116E7-5906-42E4-87F6-E7E15936415E}\
(Default) = "MoneySide"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyside.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM95\aim.exe" ["America Online, Inc."]

{E023F504-0C5A-4750-A1E7-A9046DEA8A21}\
"ButtonText" = "MoneySide"
"CLSIDExtension" = "{DD6687B5-CB43-4211-BFC9-2942CCBDCB3E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyside.dll" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):

Crypkey License, Crypkey License, "crypserv.exe" ["Kenonic Controls Ltd."]
Norton AntiVirus Auto Protect Service, navapsvc, "C:\Program Files\Norton AntiVirus\navapsvc.exe" ["Symantec Corporation"]
Norton Personal Firewall Accounts Manager, NISUM, "C:\Program Files\Norton Personal Firewall\NISUM.EXE" ["Symantec Corporation"]
Norton Personal Firewall Proxy Service, SymProxySvc, "C:\Program Files\Norton Personal Firewall\SymProxySvc.exe" ["Symantec Corporation"]
Norton Personal Firewall Service, NISSERV, "C:\Program Files\Norton Personal Firewall\NISSERV.EXE" ["Symantec Corporation"]

This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.

Buckeye_Sam · May 2005

Delete this file.

C:\WINNT\Web\desktop.html

Try this:

Click Start>Control Panel>Display
Go to the Desktop tab and click on the Customise Desktop button.
Go to the Web tab
In the web page box, click on the page that is checkmarked and then click the Delete button.
Ok your way out of the dialog and check your desktop.

dagobin · May 2005

Thank you Buckeye_Sam!!!. Everything works fine now. Thank you for your help.

Please help trojan-spy.html.smitfraud.c

Comments