
need help with trojan-spy.html...

I have a blue screen that says fatal error caused by trojan-spy.html.smitfraud.com.
I would appreciate any help, thank you!! I have read other posts about this same problem, but none of the files or keys to delete are listed in my log file from HijackThis. So I really don't know what else to do.


I downloaded HijackThis and here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 3:40:30 AM, on 6/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\Parallel Tasking\ptask.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
C:\WINDOWS\system32\rpknrn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\d?dplay.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe
O4 - HKLM\..\Run: [esamerl] c:\windows\system32\esamerl.exe
O4 - HKLM\..\Run: [LFM] C:\PROGRA~1\LEAPFR~1\LeapFrogMessenger.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [Auto EPSON Stylus CX4600 Series on DIPPER] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P41 "Auto EPSON Stylus CX4600 Series on DIPPER" /O16 "\\DIPPER\Printer" /M "Stylus CX4600"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rpknrn.exe reg_run
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [SOAPNetStoryline] C:\Program Files\SOAPNET\Storyline\spbline.exe
O4 - HKCU\..\Run: [Bolo] C:\Documents and Settings\Linetta\Application Data\bptm.exe
O4 - HKCU\..\Run: [Cmny] C:\WINDOWS\system32\d?dplay.exe
O4 - Startup: DLHelperEXE.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: BingoNova Lobby - {4E975845-1BA1-495E-95A3-2698978E3D4B} - C:\Program Files\BingoNova Lobby\osix.exe
O9 - Extra 'Tools' menuitem: BingoNova Lobby - {4E975845-1BA1-495E-95A3-2698978E3D4B} - C:\Program Files\BingoNova Lobby\osix.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/download/bargain_buddy/cab/installer_MARKETING14.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {49937C71-B31C-4EE4-8096-9C935DE005C9} (GBTripeak Control) - http://www.gamebonus.com/dngame/gbtripeak.cab
O16 - DPF: {4EE301F2-2A6A-4BE0-9FBD-97CDAA40E3E4} - http://i1img.com/images/nocache/messenger/i1initialsetup1.0.0.5.cab
O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} (Diagmgr Class) - http://ispe.sdc.hp.com/awebui/jsp/answerweb/applets/HPISDiagManager.CAB
O16 - DPF: {6944D0ED-F974-40CC-AE94-5A6ABAA2557A} (GBSolitaire Control) - http://www.gamebonus.com/dngame/gbsolitaire.cab
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} (iWon Progressive Counter) - http://cc.iwon.com/ct/pm3/iWonPMSetup_12_1,0,2,5.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {957C7A6D-55D1-4DAD-B7B5-DAC4362939A6} (GBMemoryflash Control) - http://www.gamebonus.com/dngame/gbmemory.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
O16 - DPF: {BFC9677B-8006-4336-9D49-2C797AEFCB9E} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1058_XP.cab
O16 - DPF: {E25A1F13-E9ED-4ABA-83E7-E50DFBE5F070} (GBMunchnMatch Control) - http://www.gamebonus.com/dngame/gbMunchnMatch.cab
O16 - DPF: {F5692A44-3746-4CAE-BAEB-10FB33E38DD4} (VMSwitcher Class) - http://www.seeyouagainsoftware.com/shared/cands.cab
O16 - DPF: {F966DD44-E369-4390-A801-19D225BEB129} (GBScramble Control) - http://www.gamebonus.com/dngame/gbscramble.cab
O16 - DPF: {F992FDC0-DAA7-4774-B01C-E9DFF19FE0FE} (Invoke Solutions MILive Participant Control(MR)) - http://online.invokesolutions.com/events/bin/media/4.1.0.1414-3.0.0.7206/MILive.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

Comments

  • Buckeye_Sam Columbus, Ohio
    edited June 2005
    Don't worry about your desktop for now. First we need to remove the underlying infections. Then we will fix your desktop.

    Download PFind.zip and unzip the contents to its own permanent folder.

    Reboot your computer into Safe Mode

    Locate the pfind.bat file and double-click it to run it. It will start scanning your computer and could take a little while so be patient. When the DOS window closes, reboot back to normal mode.

    Post the contents of C:\pfind.txt along with a new hijackthis log.
  • edited June 2005
    OK, I ran PFind in safe mode and here is the log:

    Files found with this application may be legitimate.
    Only remove files that you know are malware related.


    Checking the C: folder



    Checking the C:\Program Files folder

    C:\Program Files\a1bingosetup.exe: UPX!
    C:\Program Files\CashmillSetup.exe: UPX!
    C:\Program Files\Firefox Setup 1.0.exe: UPX!
    C:\Program Files\HijackThis.exe: UPX!
    C:\Program Files\remover.exe: UPX!
    C:\Program Files\SetupBingo.exe: UPX!


    Checking the C:\WINDOWS folder

    C:\WINDOWS\abi.exe: .aspack
    C:\WINDOWS\Mapau Bingo setup.exe: UPX!
    C:\WINDOWS\RMAgentOutput.dll: UPX!
    C:\WINDOWS\ssk.exe: UPX!
    C:\WINDOWS\tsc.exe: UPX!
    C:\WINDOWS\vsapi32.dll: UPX!t4


    Checking the C:\WINDOWS\SYSTEM32 folder

    C:\WINDOWS\SYSTEM32\cmnococ.exe: .aspack
    C:\WINDOWS\SYSTEM32\HLInstaller1.exe: UPX!
    C:\WINDOWS\SYSTEM32\HyperLinker1.exe: UPX!
    C:\WINDOWS\SYSTEM32\msclock32.dll: UPX!
    C:\WINDOWS\SYSTEM32\msplock32.dll: UPX!
    C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
    C:\WINDOWS\SYSTEM32\qkavq.dat: UPX!
    C:\WINDOWS\SYSTEM32\redit.cpl: .aspack
    C:\WINDOWS\SYSTEM32\rpknrn.exe: UPX!
    C:\WINDOWS\SYSTEM32\supdate.dll: UPX!
    C:\WINDOWS\SYSTEM32\temperror32.dat: FSG!


    Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder



    Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder


    C:\Documents and Settings\All Users\Start Menu\programs\Startup\dikt.exe: UPX!


    Checking the C:\Documents and Settings\All Users\Application Data folder




    Checking the C:\Documents and Settings\Linetta\Start Menu\programs\Startup\ folder




    Checking the C:\Documents and Settings\Linetta\Application Data folder




    Checking the Windows folder for system and hidden files within the last 60 days



    Here is also the new log from HijackThis:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:39:59 AM, on 6/17/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\WildTangent\Apps\GameChannel.exe
    C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
    C:\WINDOWS\system32\rpknrn.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\hijackthis_199\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O1 - Hosts: 216.39.69.102 view.atdmt.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
    O4 - HKLM\..\Run: [esamerl] c:\windows\system32\esamerl.exe
    O4 - HKLM\..\Run: [LFM] C:\PROGRA~1\LEAPFR~1\LeapFrogMessenger.exe
    O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
    O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
    O4 - HKLM\..\Run: [Auto EPSON Stylus CX4600 Series on DIPPER] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P41 "Auto EPSON Stylus CX4600 Series on DIPPER" /O16 "\\DIPPER\Printer" /M "Stylus CX4600"
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rpknrn.exe reg_run
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [SOAPNetStoryline] C:\Program Files\SOAPNET\Storyline\spbline.exe
    O4 - HKCU\..\Run: [Bolo] C:\Documents and Settings\Linetta\Application Data\bptm.exe
    O4 - Startup: DLHelperEXE.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: BingoNova Lobby - {4E975845-1BA1-495E-95A3-2698978E3D4B} - C:\Program Files\BingoNova Lobby\osix.exe
    O9 - Extra 'Tools' menuitem: BingoNova Lobby - {4E975845-1BA1-495E-95A3-2698978E3D4B} - C:\Program Files\BingoNova Lobby\osix.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
    O16 - DPF: {49937C71-B31C-4EE4-8096-9C935DE005C9} (GBTripeak Control) - http://www.gamebonus.com/dngame/gbtripeak.cab
    O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} (Diagmgr Class) - http://ispe.sdc.hp.com/awebui/jsp/answerweb/applets/HPISDiagManager.CAB
    O16 - DPF: {6944D0ED-F974-40CC-AE94-5A6ABAA2557A} (GBSolitaire Control) - http://www.gamebonus.com/dngame/gbsolitaire.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {957C7A6D-55D1-4DAD-B7B5-DAC4362939A6} (GBMemoryflash Control) - http://www.gamebonus.com/dngame/gbmemory.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {E25A1F13-E9ED-4ABA-83E7-E50DFBE5F070} (GBMunchnMatch Control) - http://www.gamebonus.com/dngame/gbMunchnMatch.cab
    O16 - DPF: {F5692A44-3746-4CAE-BAEB-10FB33E38DD4} (VMSwitcher Class) - http://www.seeyouagainsoftware.com/shared/cands.cab
    O16 - DPF: {F966DD44-E369-4390-A801-19D225BEB129} (GBScramble Control) - http://www.gamebonus.com/dngame/gbscramble.cab
    O16 - DPF: {F992FDC0-DAA7-4774-B01C-E9DFF19FE0FE} (Invoke Solutions MILive Participant Control(MR)) - http://online.invokesolutions.com/events/bin/media/4.1.0.1414-3.0.0.7206/MILive.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
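The PFind output above lists files whose bytes contain a packer signature ('UPX!', '.aspack', 'FSG!'). As an added example (not PFind's own code and not code from this thread), the script below does the same kind of byte search over a directory tree; the sample files it creates are constructed stand-ins, not real binaries. The point the thread's own list makes is that a hit means packed, not malicious: HijackThis.exe and Firefox Setup 1.0.exe are flagged right next to rpknrn.exe.

```python
"""Scan a directory tree for executable-packer markers, PFind-style.

Added example, not PFind's code: it reproduces PFind's idea of searching
file bytes for packer signatures ('UPX!', '.aspack', 'FSG!'). A hit means
"packed", not "malicious": HijackThis.exe and Firefox Setup 1.0.exe are
flagged in the log above next to rpknrn.exe.
"""
import os
import tempfile

# Byte markers that packers leave in the files they produce, keyed by the
# label PFind prints for them.
PACKER_MARKERS = {
    b"UPX!": "UPX!",
    b".aspack": ".aspack",
    b"FSG!": "FSG!",
}

# File types worth looking in; a marker inside a text file is just text.
SCAN_EXTENSIONS = {".exe", ".dll", ".cpl", ".dat", ".scr", ".sys"}

# Longest marker minus one, so a marker split across two read chunks is still seen.
_OVERLAP = max(len(m) for m in PACKER_MARKERS) - 1


def classify_file(path, chunk_size=1 << 20):
    """Return the label of the first packer marker found in the file, or None."""
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return None
            window = tail + chunk
            for marker, label in PACKER_MARKERS.items():
                if marker in window:
                    return label
            tail = window[-_OVERLAP:]


def scan_tree(root):
    """Map each flagged file (path relative to root, '/' separated) to its label."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            label = classify_file(full)
            if label:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = label
    return hits


def build_sample_tree():
    """Create constructed stand-in files (not real binaries) so the scan runs offline."""
    root = tempfile.mkdtemp(prefix="pfind_demo_")
    sysdir = os.path.join(root, "SYSTEM32")
    os.makedirs(sysdir)
    samples = {
        # a legitimate UPX-packed tool looks exactly like a packed dropper
        os.path.join(root, "HijackThis.exe"): b"MZ" + b"\0" * 64 + b"UPX0UPX1UPX!" + b"\0" * 32,
        os.path.join(sysdir, "redit.cpl"): b"MZ" + b"\0" * 64 + b".aspack" + b"\0" * 32,
        os.path.join(sysdir, "temperror32.dat"): b"FSG!" + b"\0" * 32,
        os.path.join(sysdir, "clean.dll"): b"MZ" + b"\0" * 128,
        os.path.join(root, "notes.txt"): b"UPX! mentioned in a text file only",
    }
    for path, content in samples.items():
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, label in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{rel}: {label}")
```

Point `scan_tree` at a real `C:\WINDOWS\SYSTEM32` and the output is the same shape as the PFind list; what it cannot tell you is which of the packed files are the problem, which is why the helper above asks for the HijackThis log alongside it.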
  • Buckeye_Sam Columbus, Ohio
    edited June 2005
    Please remove these entries from Add/Remove Programs in the Control Panel(if present):

    Wild Tangent


    =======================


    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O1 - Hosts: 216.39.69.102 view.atdmt.com
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
    O4 - HKLM\..\Run: [esamerl] c:\windows\system32\esamerl.exe
    O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rpknrn.exe reg_run
    O4 - HKCU\..\Run: [Bolo] C:\Documents and Settings\Linetta\Application Data\bptm.exe
    O4 - Startup: DLHelperEXE.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present




    ======================



    Download the Pocket Killbox.

    Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
    • Highlight the lines below and press the Ctrl key and the C key at the same time to copy them to the clipboard:

        C:\WINDOWS\abi.exe
        C:\WINDOWS\Mapau Bingo setup.exe
        C:\WINDOWS\RMAgentOutput.dll
        C:\WINDOWS\ssk.exe
        C:\WINDOWS\SYSTEM32\cmnococ.exe
        C:\WINDOWS\SYSTEM32\HLInstaller1.exe
        C:\WINDOWS\SYSTEM32\HyperLinker1.exe
        C:\WINDOWS\SYSTEM32\msclock32.dll
        C:\WINDOWS\SYSTEM32\msplock32.dll
        C:\WINDOWS\SYSTEM32\qkavq.dat
        C:\WINDOWS\SYSTEM32\redit.cpl
        C:\WINDOWS\SYSTEM32\rpknrn.exe
        C:\WINDOWS\SYSTEM32\supdate.dll
        C:\WINDOWS\SYSTEM32\temperror32.dat
        C:\WINDOWS\system32\esamerl.exe
        C:\WINDOWS\system32\rpknrn.exe
        C:\Documents and Settings\Linetta\Application Data\bptm.exe
        C:\Documents and Settings\All Users\Start Menu\programs\Startup\dikt.exe


      • Now go to the Killbox application and click on the File menu and then the Paste from Clipboard menu item. In the Full Path of File to Delete box you should see the first file. If you drop down that box you should see the rest of them. Make sure that they are all there.
      • Click on the Delete on Reboot option and then click on the red circle with a white 'X' in it to delete the files. Killbox will tell you that all listed files will be deleted on next reboot; click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message, then just restart manually.

      Your system will reboot now.



      Please post a new hijackthis log.
    • edited June 2005
      I have a question before I remove Wild Tangent. If I remove it, will that disable my games that I bought? I bought Blasterball Remix and Polar Bowler and I don't want to ruin it for me to play them.
    • Buckeye_Sam Columbus, Ohio
      edited June 2005
      The removal of Wild Tangent shouldn't affect your games, but if for some reason it does, all you would need to do is reinstall it.

      If you choose not to remove Wild Tangent, you should know that Wild Tangent's privacy policy states they collect and share individuals' information. It's not really spyware, but more of a privacy issue.
    • edited June 2005
      I deleted Wild Tangent from Control Panel Add/Remove Programs. I put a checkmark next to each file you mentioned in HijackThis. I ran Killbox like you said, except I had to manually type in 3 files and reboot each time to complete it. Here is the new log file from HijackThis:

      Logfile of HijackThis v1.99.1
      Scan saved at 6:23:25 AM, on 6/19/2005
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\System32\Ati2evxx.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Microsoft IntelliType Pro\type32.exe
      C:\Program Files\Microsoft IntelliPoint\point32.exe
      C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
      C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
      C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
      C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
      C:\WINDOWS\system32\rpknrn.exe
      C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
      C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
      C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\hijackthis_199\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
      O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
      O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
      O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
      O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
      O4 - HKLM\..\Run: [LFM] C:\PROGRA~1\LEAPFR~1\LeapFrogMessenger.exe
      O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
      O4 - HKLM\..\Run: [Auto EPSON Stylus CX4600 Series on DIPPER] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P41 "Auto EPSON Stylus CX4600 Series on DIPPER" /O16 "\\DIPPER\Printer" /M "Stylus CX4600"
      O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rpknrn.exe reg_run
      O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
      O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
      O4 - HKCU\..\Run: [SOAPNetStoryline] C:\Program Files\SOAPNET\Storyline\spbline.exe
      O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
      O9 - Extra button: BingoNova Lobby - {4E975845-1BA1-495E-95A3-2698978E3D4B} - C:\Program Files\BingoNova Lobby\osix.exe
      O9 - Extra 'Tools' menuitem: BingoNova Lobby - {4E975845-1BA1-495E-95A3-2698978E3D4B} - C:\Program Files\BingoNova Lobby\osix.exe
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
      O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
      O16 - DPF: {49937C71-B31C-4EE4-8096-9C935DE005C9} (GBTripeak Control) - http://www.gamebonus.com/dngame/gbtripeak.cab
      O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} (Diagmgr Class) - http://ispe.sdc.hp.com/awebui/jsp/answerweb/applets/HPISDiagManager.CAB
      O16 - DPF: {6944D0ED-F974-40CC-AE94-5A6ABAA2557A} (GBSolitaire Control) - http://www.gamebonus.com/dngame/gbsolitaire.cab
      O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
      O16 - DPF: {957C7A6D-55D1-4DAD-B7B5-DAC4362939A6} (GBMemoryflash Control) - http://www.gamebonus.com/dngame/gbmemory.cab
      O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
      O16 - DPF: {E25A1F13-E9ED-4ABA-83E7-E50DFBE5F070} (GBMunchnMatch Control) - http://www.gamebonus.com/dngame/gbMunchnMatch.cab
      O16 - DPF: {F5692A44-3746-4CAE-BAEB-10FB33E38DD4} (VMSwitcher Class) - http://www.seeyouagainsoftware.com/shared/cands.cab
      O16 - DPF: {F966DD44-E369-4390-A801-19D225BEB129} (GBScramble Control) - http://www.gamebonus.com/dngame/gbscramble.cab
      O16 - DPF: {F992FDC0-DAA7-4774-B01C-E9DFF19FE0FE} (Invoke Solutions MILive Participant Control(MR)) - http://online.invokesolutions.com/events/bin/media/4.1.0.1414-3.0.0.7206/MILive.cab
      O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    • Buckeye_Sam Columbus, Ohio
      edited June 2005
      Fix this line with Hijackthis.

      O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rpknrn.exe reg_run


      Delete this file.

      C:\WINDOWS\system32\rpknrn.exe




      Reboot and post a new hijackthis log and a new pfind log.
    • edited June 2005
      I fixed the line you told me to with HijackThis and I deleted the file C:\WINDOWS\system32\rpknrn.exe. It said access is denied, but it must have deleted it because I no longer see it.

      Here is a log from pfind:

      Files found with this application may be legitimate.
      Only remove files that you know are malware related.


      Checking the C: folder



      Checking the C:\Program Files folder

      C:\Program Files\a1bingosetup.exe: UPX!
      C:\Program Files\CashmillSetup.exe: UPX!
      C:\Program Files\Firefox Setup 1.0.exe: UPX!
      C:\Program Files\HijackThis.exe: UPX!
      C:\Program Files\remover.exe: UPX!
      C:\Program Files\SetupBingo.exe: UPX!


      Checking the C:\WINDOWS folder

      C:\WINDOWS\tsc.exe: UPX!
      C:\WINDOWS\vsapi32.dll: UPX!t4


      Checking the C:\WINDOWS\SYSTEM32 folder

      C:\WINDOWS\SYSTEM32\cmnococ.exe: .aspack
      C:\WINDOWS\SYSTEM32\msclock32.dll: UPX!
      C:\WINDOWS\SYSTEM32\msplock32.dll: UPX!
      C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
      C:\WINDOWS\SYSTEM32\prigpgp.dll: UPX!
      C:\WINDOWS\SYSTEM32\qkavq.dat: UPX!
      C:\WINDOWS\SYSTEM32\rpknrn.exe: UPX!


      Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder



      Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder


      C:\Documents and Settings\All Users\Start Menu\programs\Startup\dikt.exe: UPX!


      Checking the C:\Documents and Settings\All Users\Application Data folder




      Checking the C:\Documents and Settings\Linetta\Start Menu\programs\Startup\ folder




      Checking the C:\Documents and Settings\Linetta\Application Data folder




      Checking the Windows folder for system and hidden files within the last 60 days



      And here is the new log from HijackThis:

      Logfile of HijackThis v1.99.1
      Scan saved at 7:58:50 AM, on 6/19/2005
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\System32\Ati2evxx.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Microsoft IntelliType Pro\type32.exe
      C:\Program Files\Microsoft IntelliPoint\point32.exe
      C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
      C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
      C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
      C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
      C:\WINDOWS\system32\rpknrn.exe
      C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
      C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\hijackthis_199\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
      O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
      O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
      O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
      O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
      O4 - HKLM\..\Run: [LFM] C:\PROGRA~1\LEAPFR~1\LeapFrogMessenger.exe
      O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
      O4 - HKLM\..\Run: [Auto EPSON Stylus CX4600 Series on DIPPER] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P41 "Auto EPSON Stylus CX4600 Series on DIPPER" /O16 "\\DIPPER\Printer" /M "Stylus CX4600"
      O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rpknrn.exe reg_run
      O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
      O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
      O4 - HKCU\..\Run: [SOAPNetStoryline] C:\Program Files\SOAPNET\Storyline\spbline.exe
      O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
      O9 - Extra button: BingoNova Lobby - {4E975845-1BA1-495E-95A3-2698978E3D4B} - C:\Program Files\BingoNova Lobby\osix.exe
      O9 - Extra 'Tools' menuitem: BingoNova Lobby - {4E975845-1BA1-495E-95A3-2698978E3D4B} - C:\Program Files\BingoNova Lobby\osix.exe
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
      O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
      O16 - DPF: {49937C71-B31C-4EE4-8096-9C935DE005C9} (GBTripeak Control) - http://www.gamebonus.com/dngame/gbtripeak.cab
      O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} (Diagmgr Class) - http://ispe.sdc.hp.com/awebui/jsp/answerweb/applets/HPISDiagManager.CAB
      O16 - DPF: {6944D0ED-F974-40CC-AE94-5A6ABAA2557A} (GBSolitaire Control) - http://www.gamebonus.com/dngame/gbsolitaire.cab
      O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
      O16 - DPF: {957C7A6D-55D1-4DAD-B7B5-DAC4362939A6} (GBMemoryflash Control) - http://www.gamebonus.com/dngame/gbmemory.cab
      O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
      O16 - DPF: {E25A1F13-E9ED-4ABA-83E7-E50DFBE5F070} (GBMunchnMatch Control) - http://www.gamebonus.com/dngame/gbMunchnMatch.cab
      O16 - DPF: {F5692A44-3746-4CAE-BAEB-10FB33E38DD4} (VMSwitcher Class) - http://www.seeyouagainsoftware.com/shared/cands.cab
      O16 - DPF: {F966DD44-E369-4390-A801-19D225BEB129} (GBScramble Control) - http://www.gamebonus.com/dngame/gbscramble.cab
      O16 - DPF: {F992FDC0-DAA7-4774-B01C-E9DFF19FE0FE} (Invoke Solutions MILive Participant Control(MR)) - http://online.invokesolutions.com/events/bin/media/4.1.0.1414-3.0.0.7206/MILive.cab
      O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
• Buckeye_Sam, Columbus, Ohio
      edited June 2005
      Download the Pocket Killbox.

      Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
      • Highlight the lines below and press the Ctrl key and the C key at the same time to copy them to the clipboard:

          C:\WINDOWS\SYSTEM32\cmnococ.exe
          C:\WINDOWS\SYSTEM32\msclock32.dll
          C:\WINDOWS\SYSTEM32\msplock32.dll
          C:\WINDOWS\SYSTEM32\prigpgp.dll
          C:\WINDOWS\SYSTEM32\qkavq.dat
          C:\WINDOWS\SYSTEM32\rpknrn.exe
          C:\Documents and Settings\All Users\Start Menu\programs\Startup\dikt.exe

      • Now go to the Killbox application and click on the File menu and then the Paste from Clipboard menu item. In the Full Path of File to Delete box you should see the first file. If you drop down that box you should see the rest of them. Make sure that they are all there.
      • Click on the Delete on Reboot option and then click on the red circle with a white 'X' in it to delete the files. Killbox will tell you that all listed files will be deleted on next reboot; click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

        Your system will reboot now.



        Please post a new pfind log.
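Editor's note on the mechanism behind the step above. A "Delete on Reboot" request is recorded in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, which is the value the "PendingFileRenameOperations Registry Data has been Removed by External Process!" message refers to: if another program rewrites that value before the machine restarts, the queued deletions are silently lost. The following is an added example, not code from Killbox or from anyone in this thread. It encodes and decodes that value's on-disk format, pairs the entries into operations, and (on Windows only, as an administrator) queues a deletion through the Win32 call MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT. The file list is the one posted above; the sample blob is constructed in the script.

```python
r"""Added example: how a delete-on-reboot request is stored and queued.

PendingFileRenameOperations is a REG_MULTI_SZ: UTF-16LE strings, each
NUL-terminated, with one extra NUL closing the list. The strings come in
pairs (source, destination). Sources use the NT form "\??\C:\...", and an
empty destination means "delete this file". smss.exe processes the list
early in the next boot, before any user-mode process can hold the file open.
"""
import sys
from typing import List, Optional, Tuple

PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
MOVEFILE_DELAY_UNTIL_REBOOT = 0x00000004  # flag for kernel32!MoveFileExW


def to_nt_path(path: str) -> str:
    """Prefix a Win32 path with \\??\\ unless it already carries it."""
    return path if path.startswith("\\??\\") else "\\??\\" + path


def encode_multi_sz(strings: List[str]) -> bytes:
    """Serialize as REG_MULTI_SZ (UTF-16LE, NUL after each string, final NUL)."""
    return "".join(s + "\0" for s in strings).encode("utf-16-le") + b"\0\0"


def decode_multi_sz(blob: bytes) -> List[str]:
    """Inverse of encode_multi_sz. Empty strings are kept: they are the delete markers."""
    text = blob.decode("utf-16-le")
    if text == "\0":            # empty list is just the terminator
        return []
    if not text.endswith("\0\0"):
        raise ValueError("not a terminated REG_MULTI_SZ")
    return text[:-2].split("\0")  # drop last string's NUL plus list terminator


def pending_operations(strings: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Pair the value's strings as (source, destination); None means delete."""
    ops = []
    for i in range(0, len(strings), 2):
        src = strings[i]
        dst = strings[i + 1] if i + 1 < len(strings) else ""
        ops.append((src, dst or None))
    return ops


def describe(ops: List[Tuple[str, Optional[str]]]) -> List[str]:
    """Human-readable rendering of each queued operation."""
    return [f"DELETE {src}" if dst is None else f"RENAME {src} -> {dst}"
            for src, dst in ops]


def build_delete_request(paths: List[str]) -> bytes:
    """The blob MoveFileExW(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) produces
    for each path, built offline so the format can be inspected anywhere."""
    strings: List[str] = []
    for p in paths:
        strings += [to_nt_path(p), ""]
    return encode_multi_sz(strings)


def schedule_delete_on_reboot(path: str) -> bool:
    """Windows only: append a delete entry via the OS. Needs admin rights
    (the value lives under HKLM). Returns True when the call succeeds."""
    if not sys.platform.startswith("win"):
        raise OSError("MoveFileExW is only available on Windows")
    import ctypes
    from ctypes import wintypes
    move = ctypes.windll.kernel32.MoveFileExW
    move.argtypes = [wintypes.LPCWSTR, wintypes.LPCWSTR, wintypes.DWORD]
    move.restype = wintypes.BOOL
    return bool(move(path, None, MOVEFILE_DELAY_UNTIL_REBOOT))


# Files from the post above, used as constructed input for the demo.
POSTED_FILES = [
    r"C:\WINDOWS\SYSTEM32\cmnococ.exe",
    r"C:\WINDOWS\SYSTEM32\msclock32.dll",
    r"C:\WINDOWS\SYSTEM32\msplock32.dll",
    r"C:\WINDOWS\SYSTEM32\prigpgp.dll",
    r"C:\WINDOWS\SYSTEM32\qkavq.dat",
    r"C:\WINDOWS\SYSTEM32\rpknrn.exe",
    r"C:\Documents and Settings\All Users\Start Menu\programs\Startup\dikt.exe",
]

if __name__ == "__main__":
    blob = build_delete_request(POSTED_FILES)
    for line in describe(pending_operations(decode_multi_sz(blob))):
        print(line)
```

Two caveats for anyone verifying the queue before rebooting. Python's winreg module stops decoding a REG_MULTI_SZ at the first empty string, so QueryValueEx on this value truncates the list after the first source path; read the raw bytes (for example with reg.exe or a direct RegQueryValueExW call) and feed them to decode_multi_sz instead. And because a single process can overwrite the whole value, re-check it immediately before restarting, which is what the "removed by external process" message is warning about.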
      • edited June 2005
        Ok, I did what you said with killbox and deleted those files. Here is a new pfind log:

        Files found with this application may be legitimate.
        Only remove files that you know are malware related.


        Checking the C: folder



        Checking the C:\Program Files folder

        C:\Program Files\a1bingosetup.exe: UPX!
        C:\Program Files\CashmillSetup.exe: UPX!
        C:\Program Files\Firefox Setup 1.0.exe: UPX!
        C:\Program Files\HijackThis.exe: UPX!
        C:\Program Files\remover.exe: UPX!
        C:\Program Files\SetupBingo.exe: UPX!


        Checking the C:\WINDOWS folder

        C:\WINDOWS\tsc.exe: UPX!
        C:\WINDOWS\vsapi32.dll: UPX!t4


        Checking the C:\WINDOWS\SYSTEM32 folder

        C:\WINDOWS\SYSTEM32\msclock32.dll: UPX!
        C:\WINDOWS\SYSTEM32\msplock32.dll: UPX!
        C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack


        Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder



        Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder




        Checking the C:\Documents and Settings\All Users\Application Data folder




        Checking the C:\Documents and Settings\Linetta\Start Menu\programs\Startup\ folder




        Checking the C:\Documents and Settings\Linetta\Application Data folder




        Checking the Windows folder for system and hidden files within the last 60 days
• Buckeye_Sam, Columbus, Ohio
        edited June 2005
        Use Killbox to delete these files. Follow the procedure as before except this time select the option: Use Dummy

        C:\WINDOWS\SYSTEM32\msclock32.dll
        C:\WINDOWS\SYSTEM32\msplock32.dll



        Reboot and post a new pfind log and a new hijackthis log.