Smitfraud virus infecting husband's computer - please help[resolved]

Unknown

First of all, thank you so much for this service! My husband's computer is currently infected with the smitfraud trojan. I have updated his Windows patches, tried to run AdAware and Spybot after updating them, but am getting nowhere. Help is appreciated.

Here's the Hijack this log - and please don't hesitate to tell me if I've not supplied correct information. Bear with me, this trojan is new to me!:

Logfile of HijackThis v1.99.1
Scan saved at 11:56:50 AM, on 6/11/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\WINDOWS\SYSTEM\MSPG32.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCK.EXE
C:\WINDOWS\SYSTEM\APPGS32.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCESS.EXE
C:\WP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PALM\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\TOOLBAR\TBPS.EXE
C:\PROGRAM FILES\TOOLBAR\PIB.EXE
C:\PROGRAM FILES\TOOLBAR\RADIO.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zymnn.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zymnn.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zymnn.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zymnn.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zymnn.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zymnn.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zymnn.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Class - {0E10B003-516B-A5FE-961E-ECF25BE3662B} - C:\WINDOWS\SYSTEM\NETJJ.DLL
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [APPGS32.EXE] C:\WINDOWS\SYSTEM\APPGS32.EXE
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServices: [MSPG32.EXE] C:\WINDOWS\SYSTEM\MSPG32.EXE /s
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServicesOnce: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE /boot
O4 - HKLM\..\RunServicesOnce: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe /boot
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\PBI\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Startup: X36 Winload.lnk = C:\SAITEK\WINLOAD.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {50F252A7-F60D-4879-AA19-2BBC822922DB} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {50F252A7-F60D-4879-AA19-2BBC822922DB} - (no file) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/16235d810fa8206a4f18/netzip/RdxIE.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c8.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL

Thanks!

Buckeye_Sam

I see a few other issues in addition to smitfraud.

Please remove these entries from Add/Remove Programs in the Control Panel(if present):

Media Access
Wintools




You have an HSA infection. The filenames on this type of infection can change each time you reboot your computer or use Internet Explorer. With that in mind, some of these filenames may be different. But the pattern is the same and you may be able to determine the correct files to remove. The sooner you perform this fix, the higher it's chances for success.

Much of this fix has to be performed in Safe Mode where you won't be able to access the Internet.
Please print out these instructions.


Step 1
Download CWShredder but don't run it yet.


Step 2
Download AboutBuster
Unzip it to your desktop but don't run it yet.


Step 3
Download Ad-aware SE 1.06
Install the program and launch it. First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files. Exit Adaware for now.


Step 5
Make sure that you can VIEW ALL HIDDEN FILES.


Step 6
Reboot your computer into SAFE MODE


Step 7
Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zymnn.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zymnn.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zymnn.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zymnn.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zymnn.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zymnn.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zymnn.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0E10B003-516B-A5FE-961E-ECF25BE3662B} - C:\WINDOWS\SYSTEM\NETJJ.DLL
O4 - HKLM\..\Run: [APPGS32.EXE] C:\WINDOWS\SYSTEM\APPGS32.EXE
O4 - HKLM\..\RunServices: [MSPG32.EXE] C:\WINDOWS\SYSTEM\MSPG32.EXE /s
O9 - Extra button: Microsoft AntiSpyware helper - {50F252A7-F60D-4879-AA19-2BBC822922DB} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {50F252A7-F60D-4879-AA19-2BBC822922DB} - (no file) (HKCU)
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/16235d810fa820...etzip/RdxIE.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M...e/bridge-c8.cab



Step 8
Now run CWShredder, making sure to click "Fix".


Step 9
Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\SYSTEM\NETJJ.DLL
C:\WINDOWS\SYSTEM\APPGS32.EXE
C:\WINDOWS\SYSTEM\MSPG32.EXE
C:\WINDOWS\zymnn.dll


Step 10
Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report(copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.


Step 11
Run a full scan with Adaware.


Reboot your computer to go back to normal mode and post a new hijackthis log and the log from About Buster.

sunbunny

Thank you so much, Buckeye Sam! Quite the process, particularly when AboutBuster returned an error & I had to go get another piece of the program in order to continue - but I think I did get the problem resolved and returned to Safe Mode to finish up. I have to say, things already seem a whole lot better!

Here's the AboutBuster log (I guess I must have run it a couple of times to be sure):

AboutBuster 5.0 reference file 28
Scan started on [6/12/2005] at [4:57:48 PM]

---

Streams(ADS) not scanned: System not NTFS

---

No Files Found!

---

Scan was COMPLETED SUCCESSFULLY at 4:57:49 PM


AboutBuster 5.0 reference file 30
Scan started on [6/12/2005] at [4:58:18 PM]

---

Streams(ADS) not scanned: System not NTFS

---

No Files Found!

---

Scan was COMPLETED SUCCESSFULLY at 4:58:19 PM


AboutBuster 5.0 reference file 30
Scan started on [6/12/2005] at [5:01:00 PM]

---

Streams(ADS) not scanned: System not NTFS

---

No Files Found!

---

Scan was COMPLETED SUCCESSFULLY at 5:01:01 PM


And here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:10:49 PM, on 6/12/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\PBI\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Startup: X36 Winload.lnk = C:\SAITEK\WINLOAD.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

Thanks again, have a wonderful evening!

Buckeye_Sam

Looking better! Are you familiar with this file?

O4 - Startup: X36 Winload.lnk = C:\SAITEK\WINLOAD.EXE



If you are not, please run two of these online virus scans.
Make sure they are set to clean automatically:

Panda Virus Scan

Bit Defender

TrendMicro Housecall

There will be files that these scans will not remove. Please include that information in your next post.


Reboot and post a new hijackthis log and the info from your virus scans.

sunbunny

Yay! Things are definitely looking up, though I do have to say that downloading those scanners & running them has taken me quite a while. Whew!

I don't know what this file is: O4 - Startup: X36 Winload.lnk = C:\SAITEK\WINLOAD.EXE -- I'm clueless.

Here are the logs:

Panda Scan:
Incident Status Location

Adware:Adware/Apropos No disinfected C:\WINDOWS\TEMP\cfout.txt
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\msxmidi.exe
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Ab scissor.url
Adware:Adware/Adsmart No disinfected C:\WINDOWS\sys???.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM\mspg32.exe
Adware:Adware/Howprotect No disinfected C:\WINDOWS\SYSTEM\appgs32.exe
Adware:Adware/Adsmart No disinfected C:\WINDOWS\SYSMON.EXE
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\TEMP\cfin[cfin]
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\TEMP\cfout.txt
Adware:Adware/MyWebSearch No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\23MV8PO1\newmajorse2[1].cab
Adware:Adware/MyWebSearch No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\23MV8PO1\newmajorse2[1].cab[newmajorse2.txt]
Adware:Adware/WinTools No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\WDMNS923\tb3[1].cab[toolbar.dll]
Adware:Adware/WinTools No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\WPE3G5IZ\BBDHE[1].cab
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Credit counseling.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Mortgage life insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Ab scissor.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Videos.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\What is hydrocodone.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Online gambling casino.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Debt credit card.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Fha.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Loan for debt consolidation.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Personal loans online.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Payroll advance.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Marketing email.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Credit report.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Escorts.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Order phentermine.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Mortgage insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Personal loans with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Crm software.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Nevada corporations.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Unsecured bad credit loans.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Loan for people with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Broadband comparison.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Online Betting Site.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Online instant loan.url
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\msxmidi.exe
Adware:Adware/HuntBar No disinfected C:\NULL
Adware:Adware/WUpd No disinfected C:\Program Files\Media Access\MediaAccess.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Media Access\MediaAccC.dll
Adware:Adware/SAHAgent No disinfected C:\temp\sahagent-cdt1004.exe
Adware:Adware/SearchAid No disinfected C:\hijackthis\backups\backup-20050612-120000-521.dll
Bit Defender Scan:
C:\WINDOWS\SYSTEM\mspg32.exe: infected with Trojan.Agent.EM
C:\WINDOWS\SYSTEM\mspg32.exe: deleted
C:\WINDOWS\SYSTEM\appgs32.exe: infected with Trojan.Downloader.Agent.AP
C:\WINDOWS\SYSTEM\appgs32.exe: deleted
C:\WINDOWS\Temporary Internet Files\Content.IE5\45M34LEV\aawsepersonal[1].exe=>wise0021=>Ad-Aware SE Default.skn: password protected
C:\WINDOWS\Temporary Internet Files\Content.IE5\45M34LEV\aawsepersonal[1].exe=>wise0021=>arrow1.bmp: password protected
C:\WINDOWS\Temporary Internet Files\Content.IE5\45M34LEV\aawsepersonal[1].exe=>wise0021=>arrow2.bmp: password protected
C:\WINDOWS\Temporary Internet Files\Content.IE5\45M34LEV\aawsepersonal[1].exe=>wise0021=>bck1.bmp: password protected
C:\WINDOWS\Temporary Internet Files\Content.IE5\45M34LEV\aawsepersonal[1].exe=>wise0021=>bt11.bmp: password protected
C:\WINDOWS\Temporary Internet Files\Content.IE5\45M34LEV\aawsepersonal[1].exe=>wise0021=>bt12.bmp: password protected
C:\WINDOWS\Temporary Internet Files\Content.IE5\45M34LEV\aawsepersonal[1].exe=>wise0021=>bt13.bmp: password protected
C:\WINDOWS\Temporary Internet Files\Content.IE5\45M34LEV\aawsepersonal[1].exe=>wise0021=>bt21.bmp: password protected
C:\WINDOWS\Temporary Internet Files\Content.IE5\45M34LEV\aawsepersonal[1].exe=>wise0021=>bt22.bmp: password protected
C:\WINDOWS\Temporary Internet Files\Content.IE5\45M34LEV\aawsepersonal[1].exe=>wise0021=>bt23.bmp: password protected
C:\WINDOWS\Temporary Internet Files\Content.IE5\45M34LEV\aawsepersonal[1].exe=>wise0021=>bt31.bmp: password protected
C:\WINDOWS\Temporary Internet Files\Content.IE5\45M34LEV\aawsepersonal[1].exe=>wise0021=>bt32.bmp: password protected
C:\WINDOWS\Temporary Internet Files\Content.IE5\45M34LEV\aawsepersonal[1].exe=>wise0021=>bt33.bmp: password protected
C:\WINDOWS\Temporary Internet Files\Content.IE5\45M34LEV\aawsepersonal[1].exe=>wise0021=>bt41.bmp: password protected
C:\WINDOWS\Temporary Internet Files\Content.IE5\45M34LEV\aawsepersonal[1].exe=>wise0021=>bt42.bmp: password protected
C:\WINDOWS\Temporary Internet Files\Content.IE5\45M34LEV\aawsepersonal[1].exe=>wise0021=>bt43.bmp: password protected
C:\WINDOWS\Temporary Internet Files\Content.IE5\45M34LEV\aawsepersonal[1].exe=>wise0021=>bt51.bmp: password protected
C:\WINDOWS\Temporary Internet Files\Content.IE5\45M34LEV\aawsepersonal[1].exe=>wise0021=>bt52.bmp: password protected
C:\WINDOWS\Temporary Internet

And finally, Hijack This:
Logfile of HijackThis v1.99.1
Scan saved at 9:55:04 PM, on 6/14/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s


Once again, thank you so much!! Sorry about any strange formatting here...

Buckeye_Sam

Please download, install, and run Cleanup 4.0
http://cleanup.stevengould.org/


Delete these files/folders, if found.

C:\WINDOWS\msxmidi.exe
C:\WINDOWS\Favorites\Sites about
C:\WINDOWS\SYSTEM\mspg32.exe
C:\WINDOWS\SYSTEM\appgs32.exe
C:\WINDOWS\SYSMON.EXE
C:\WINDOWS\msxmidi.exe
C:\NULL
C:\Program Files\Media Access



Reboot and post a new hijackthis log. You cut off the second part of your last log.

sunbunny

Ooops, how lame of me. I'll have to remove "detail oriented" from my resume.

I ran Cleanup, deleted any of those files that I found and then ran Cleanup again to make sure that I emptied the recycle bin.

After a reboot, here's the COMPLETE HijackThis log! Thank you so much for all you're doing.

Logfile of HijackThis v1.99.1
Scan saved at 7:28:54 PM, on 6/16/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\PBI\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Startup: X36 Winload.lnk = C:\SAITEK\WINLOAD.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

Buckeye_Sam

Submit C:\SAITEK\WINLOAD.EXE to this site and let me know what it tells you.

http://virusscan.jotti.org/

sunbunny

Happy Friday!

Here's what the site said:

Service load: 0% 100%

File: WINLOAD.EXE
Status: OK
MD5 e5f75fb5992ade1a4cd6f563b2ca4f36
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing


As an aside, do you have any idea why I would have an "improper shutdown" error every time I start this PC up? It wants to scan my drives -- which I'd normally let it go ahead & do, but it's taking what seems to be an unusually long time to do it. Thoughts?

Thank you so much for all your help, though. Things are seriously better. I could not have un-hosed this PC without your help.

Buckeye_Sam

Taking into account that one unknown file is ok, your log looks clean to me.

Windows Me is known to be a very unstable OS. I would let it run scandisc, no matter how long it takes. You should also visit Windows Update and install any critical updates found for your computer.


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.
   
   You can find instructions on how to enable and reenable system restore here:
   
   Managing Windows Millenium System Restore
   
   or
   
   Windows XP System Restore Guide
   
   Renable system restore with instructions from tutorial above
   
   
2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
   1. From within Internet Explorer click on the Tools menu and then click on Options.
   2. Click once on the Security tab
   3. Click once on the Internet icon so it becomes highlighted.
   4. Click once on the Custom Level button.
      1. Change the Download signed ActiveX controls to Prompt
         
      2. Change the Download unsigned ActiveX controls to Disable
         
      3. Change the Initialize and script ActiveX controls not marked as safe to Disable
         
      4. Change the Installation of desktop items to Prompt
         
      5. Change the Launching programs and files in an IFRAME to Prompt
         
      6. Change the Navigate sub-frames across different domains to Prompt
         
      7. When all these settings have been made, click on the OK button.
         
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
   5. Next press the Apply button and then the OK to exit the Internet Properties page.
   
   
3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
   
   See this link for a listing of some online & their stand-alone antivirus programs:
   
   Virus, Spyware, and Malware Protection and Removal Resources
   
   
4. Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
   
   
5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
   
   For a tutorial on Firewalls and a listing of some available ones see the link below:
   
   Understanding and Using Firewalls
   
   
6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
   
   
7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.
   
   A tutorial on installing & using this product can be found here:
   
   Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
   
   
8. Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.
   
   A tutorial on installing & using this product can be found here:
   
   Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
   
   
9. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
   
   A tutorial on installing & using this product can be found here:
   
   Using SpywareBlaster to protect your computer from Spyware and Malware
   
   
10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

sunbunny

Thank you so much! I see a couple of steps that you recommend that I had not known about and will follow the directions. I'm of course going to extend those to my PC as well.

Perhaps it's time to go ahead and install the Win2000 upgrade I've been putting off dealing with...

I can't thank you enough for your help and consideration. Have a wonderful weekend!

Roni