
dyando28115 - Would really appreciate help with removal of Trojan-Spy.html.smitfrau

Hello, my name is Dave and I have some PC issues that I would love some help with (oh, and by the way, I am a novice!). I have a trojan issue (trojan-spy.html.smithfraud.c) that has left my desktop with a blue background with a security notice on it.

I printed out the 7-step instructions that were posted on the SVT discussion board, without success. I didn't find Security IGuard, Virtual or Search Maid in Add/Remove Programs, nor, after running HijackThis, did I find any of the 10 items listed in Step 3.

I have run Ad-Aware and Spybot and will attach the log generated by HijackThis below. Any and all help will be greatly appreciated; thanks in advance.

Also, any suggestions on security programs to purchase for my two home computers would be appreciated. It's like buying a car without knowing anything about engines, while the salespeople harp on the engine's characteristics. Thanks again.

Logfile of HijackThis v1.98.2
Scan saved at 12:07:35 AM, on 6/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGRDIAN.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\McAfee\MCAFEE~1\cpd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\supervisor.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dave\Desktop\PROTECTION\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\\CMGRDIAN.EXE /SU
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [CPD_EXE] C:\Program Files\McAfee\McAfee Firewall\\CPD.EXE AUTOSTART
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O15 - Trusted Zone: www.sd331.k12.id.us
O15 - Trusted Zone: www.revenue.state.az.us
O15 - Trusted Zone: www.dpuc.state.ct.us
O15 - Trusted Zone: www.state.hi.us
O15 - Trusted Zone: www.state.il.us
O15 - Trusted Zone: www.red.state.nv.us
O15 - Trusted Zone: www.oag.state.va.us
O15 - Trusted Zone: www.lii.warwick.ac.uk
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab

Comments

  • Buckeye_Sam (Columbus, Ohio)
    edited June 2005
    Please run this online virus scan.

    Panda Virus Scan

    There may be files that the virus scan will not remove. Please include that information in your next post.
    You are using an outdated version of Hijackthis.
    Please download the current version of Hijackthis and post a new hijackthis log.

    http://www.short-media.com/download.php?d=245
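The reply above asks for the items the online scan reports but does not remove. The script below is an added example, not part of this thread and not Panda's software: it parses the three-column "Incident Status Location" layout of the ActiveScan report that the original poster pastes in the next reply (a few of those lines are reused here as a constructed sample) and lists the entries whose status is "No disinfected". It assumes the Status column holds exactly one of the three tokens seen in that report; because the Location column and some threat names ("Trojan Horse") contain spaces, the line cannot simply be split on whitespace, so the name is matched non-greedily up to a known status token.

```python
"""List the scanner findings that were reported but not cleaned.

Added example for this thread; it is not part of the original posts and
not Panda code. It assumes the three-column "Incident Status Location"
layout of the ActiveScan report pasted in this thread, where the Status
column holds one of the tokens in STATUS_TOKENS and the Location column
may itself contain spaces.
"""
import re
from typing import Dict, List, Tuple

# Status words seen in the posted report. Order matters: the two-word
# "No disinfected" must be tried before the one-word "Disinfected".
STATUS_TOKENS = ("No disinfected", "Disinfected", "Renamed")

# Sample input: lines copied from the report posted in this thread
# (constructed subset). "Trojan Horse" contains a space, which is why the
# name field in the regex below is matched non-greedily.
SAMPLE_REPORT = r"""
Incident Status Location

Virus:W32/Smitfraud.B Disinfected Operating system
Adware:Adware/MediaTickets No disinfected Windows Registry
Adware:Adware/Adsmart No disinfected C:\WINDOWS\System32\vx.tll
Adware:Adware/Popuper No disinfected C:\WINDOWS\System32\msole32.exe
Virus:Trojan Horse Disinfected C:\Documents and Settings\Dave\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5e095e7e-4aa5f398.zip[Beyond.class]
Virus:Exploit/MhtRedir.BV Renamed C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\N39R3XWK\wow[1].htm
Virus:Trj/Clicker.GY Disinfected C:\WINDOWS\system32\msole32.exe
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\system32\wp.bmp
"""

# One pattern per line: "<kind>:<name> <status> <location>", where the
# name is the shortest run of text followed by a known status token.
_STATUS = "|".join(re.escape(t) for t in STATUS_TOKENS)
_LINE = re.compile(
    rf"^(?P<kind>[A-Za-z]+):(?P<name>.+?) (?P<status>{_STATUS}) (?P<location>.+)$"
)


def parse_report(text: str) -> List[Dict[str, str]]:
    """Parse each incident line into a dict; skip the header and blank lines."""
    items: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Incident "):
            continue
        m = _LINE.match(line)
        if m is None:
            # Keep unparsed lines visible instead of silently dropping them.
            items.append({"kind": "?", "name": "?", "status": "unparsed", "location": line})
            continue
        items.append(m.groupdict())
    return items


def not_cleaned(text: str) -> List[Tuple[str, str]]:
    """(threat name, location) for every item the scanner left in place."""
    return [(i["name"], i["location"]) for i in parse_report(text)
            if i["status"] == "No disinfected"]


def locations_to_check(text: str) -> List[str]:
    """Deduplicated file paths (drive-letter locations only) still needing attention.

    The same file can appear under two threat names with different
    outcomes (msole32.exe in the sample), so paths are compared
    case-insensitively and listed once.
    """
    seen, out = set(), []
    for _, loc in not_cleaned(text):
        if loc[1:3] == ":\\" and loc.lower() not in seen:
            seen.add(loc.lower())
            out.append(loc)
    return out


if __name__ == "__main__":
    for name, loc in not_cleaned(SAMPLE_REPORT):
        print(f"{name:<25} {loc}")
    print("paths to follow up:", *locations_to_check(SAMPLE_REPORT), sep="\n  ")
```

Running it on the full report pasted below would produce the short list the reply asks for, with "Windows Registry" and "Operating system" entries shown in the first listing but left out of the path list, since they are not files.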
  • edited June 2005
    Thanks for the help, it is greatly appreciated. The text is too long to fit into one post (60,000+ characters), so I have to put most of the Panda scan into this post and the remaining Panda output and all of the HijackThis log into the next. Sorry...

    Incident Status Location

    Virus:W32/Smitfraud.B Disinfected Operating system
    Adware:Adware/MediaTickets No disinfected Windows Registry
    Adware:Adware/Adsmart No disinfected C:\WINDOWS\System32\vx.tll
    Adware:Adware/Popuper No disinfected C:\WINDOWS\System32\msole32.exe
    Adware:Adware/Smitfraud No disinfected C:\WINDOWS\System32\wp.bmp
    Adware:Adware/PsGuard No disinfected C:\Documents and Settings\Dave\Application Data\PSGuard.com
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dave\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5e095e7e-4aa5f398.zip[Mein.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dave\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5e095e7e-4aa5f398.zip[ProbeLoader.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dave\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5e095e7e-4aa5f398.zip[Dummy.class]
    Virus:Trojan Horse Disinfected C:\Documents and Settings\Dave\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5e095e7e-4aa5f398.zip[Beyond.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dave\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-66caba6e-113520d8.zip[BlackBox.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dave\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-66caba6e-113520d8.zip[VerifierBug.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dave\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-66caba6e-113520d8.zip[Dummy.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dave\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-66caba6e-113520d8.zip[Beyond.class]
    Adware:Adware/Popuper No disinfected C:\Documents and Settings\Dave\Local Settings\Temp\temp.fr36E0
    Virus:Trj/Malam.B Disinfected C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\APPUB2PK\input[1].php[input[1]]
    Virus:Exploit/LoadImage Disinfected C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\E99YVEPS\payload[1].ani
    Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\IK9HJB73\gal[1].htm
    Virus:Trj/Malam.B Disinfected C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\IK9HJB73\input[1].php[input[1]]
    Virus:Exploit/MhtRedir.BV Renamed C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\N39R3XWK\wow[1].htm
    Virus:Trj/Malam.B Disinfected C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\ND80GRFZ\input[1].php[input[1]]
    Virus:Trj/Downloader.DEO Disinfected C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\W9WFUZM7\gdnUS1865[28].exe
    Virus:Trj/Downloader.DEO Disinfected C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\W9WFUZM7\gdnUS1865[29].exe
    Virus:Trj/Downloader.DEO Disinfected C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\W9WFUZM7\gdnUS1865[30].exe
    Virus:Trj/Downloader.DEO Disinfected C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\W9WFUZM7\gdnUS1865[31].exe
    Virus:Trj/Downloader.DEO Disinfected C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\W9WFUZM7\gdnUS1865[32].exe
    Virus:Trj/Downloader.DEO Disinfected C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\W9WFUZM7\gdnUS1865[33].exe
    Virus:Trj/Downloader.DEO Disinfected C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\W9WFUZM7\gdnUS1865[34].exe
    Virus:Trj/Downloader.DEO Disinfected C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\W9WFUZM7\gdnUS1865[35].exe
    Virus:Trj/Downloader.DEO Disinfected C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\W9WFUZM7\gdnUS1865[36].exe
    Virus:Trj/Downloader.DEO Disinfected C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\W9WFUZM7\gdnUS1865[37].exe
    Virus:Trj/Downloader.DEO Disinfected C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\W9WFUZM7\gdnUS1865[38].exe
    Virus:Trj/Downloader.DEO Disinfected C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\W9WFUZM7\gdnUS1865[39].exe
    Virus:Trj/Downloader.DEO Disinfected C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\W9WFUZM7\gdnUS1865[40].exe
    Virus:Trj/Downloader.DEO Disinfected C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\W9WFUZM7\gdnUS1865[41].exe
    Virus:Trj/Downloader.DEO Disinfected C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\W9WFUZM7\gdnUS1865[42].exe
    Virus:Trj/Downloader.DEO Disinfected C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\W9WFUZM7\gdnUS1865[43].exe
    Spyware:Spyware/XXXToolbar No disinfected C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\WXM34PQV\prompt[2].php
    Virus:Trj/Downloader.DEO Disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.12\gdnUS1865.exe
    Virus:Trj/Downloader.DEO Disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.13\gdnUS1865.exe
    Virus:Trj/Downloader.DEO Disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.14\gdnUS1865.exe
    Virus:Trj/Downloader.DEO Disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.15\gdnUS1865.exe
    Virus:Trj/Downloader.DEO Disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.16\gdnUS1865.exe
    Virus:Trj/Downloader.DEO Disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.17\gdnUS1865.exe
    Virus:Trj/Downloader.DEO Disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.18\gdnUS1865.exe
    Virus:Trj/Downloader.DEO Disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.19\gdnUS1865.exe
    Virus:Trj/Downloader.DEO Disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.20\gdnUS1865.exe
    Virus:Trj/Downloader.DEO Disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.21\gdnUS1865.exe
    Virus:Trj/Downloader.DEO Disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.22\gdnUS1865.exe
    Virus:Trj/Downloader.DEO Disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.23\gdnUS1865.exe
    Virus:Trj/Downloader.DEO Disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.24\gdnUS1865.exe
    Virus:Trj/Downloader.DEO Disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.25\gdnUS1865.exe
    Virus:Trj/Clicker.GY Disinfected C:\WINDOWS\system32\msole32.exe
    Adware:Adware/Adsmart No disinfected C:\WINDOWS\system32\vx.tll
    Virus:W32/Smitfraud.B Disinfected C:\WINDOWS\system32\wininet.dll
    Adware:Adware/Smitfraud No disinfected C:\WINDOWS\system32\wp.bmp
  • edited June 2005


    Logfile of HijackThis v1.99.1
    Scan saved at 6:23:41 PM, on 6/30/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton Utilities\NPROTECT.EXE
    C:\Program Files\Speed Disk\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGRDIAN.EXE
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\McAfee\MCAFEE~1\cpd.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\supervisor.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\PROGRA~1\WinZip\winzip32.exe
    C:\DOCUME~1\Dave\LOCALS~1\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\\CMGRDIAN.EXE /SU
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\RunServices: [CPD_EXE] C:\Program Files\McAfee\McAfee Firewall\\CPD.EXE AUTOSTART
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O15 - Trusted Zone: www.sd331.k12.id.us
    O15 - Trusted Zone: www.revenue.state.az.us
    O15 - Trusted Zone: www.dpuc.state.ct.us
    O15 - Trusted Zone: www.state.hi.us
    O15 - Trusted Zone: www.state.il.us
    O15 - Trusted Zone: www.red.state.nv.us
    O15 - Trusted Zone: www.oag.state.va.us
    O15 - Trusted Zone: www.lii.warwick.ac.uk
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.slotchbar.com (HKLM)
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted IP range: 67.19.178.84 (HKLM)
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avsynmgr.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: McAfee Firewall (McAfee Firewall Service) - Network Associates Inc. - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe (file missing)
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
    O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
  • Buckeye_Sam Columbus, Ohio
    edited July 2005
    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.slotchbar.com (HKLM)
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted IP range: 67.19.178.84 (HKLM)


    =================


    Please download, install, and run Cleanup 4.0
    http://cleanup.stevengould.org/


    =================


    Download smitRem.zip and save the file to your desktop.
    Right click on the file and extract it to its own folder on the desktop.


    =================


    Please make sure that you can VIEW ALL HIDDEN FILES.


    Reboot your computer into SAFE MODE

    Then delete these files or directories (Do not be concerned if they do not exist):

    C:\wp.exe
    C:\wp.bmp
    C:\Windows\sites.ini
    C:\Windows\popuper.exe
    C:\WINDOWS\uninstIU.exe
    C:\WINDOWS\System32\wldr.dll
    C:\Windows\System32\helper.exe
    C:\Windows\System32\intmon.exe
    C:\Windows\System32\intmonp.exe
    C:\Windows\System32\msmsgs.exe
    C:\Windows\System32\ole32vbs.exe
    C:\Windows\system32\msole32.exe
    C:\WINDOWS\system32\shnlog.exe
    C:\WINDOWS\system32\oleadm.dll
    C:\WINDOWS\System32\intel32.exe
    C:\WINDOWS\System32\vx.tll
    C:\Windows\System32\Log Files
    C:\Program Files\Search Maid
    C:\Program Files\Virtual Maid
    C:\Program Files\Security IGuard
    C:\Program Files\PSGuard


    =================


    While still in Safe mode:
    Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
    Wait for the tool to complete and disk cleanup to finish.

    Reboot back to normal mode.


    =================


    Please follow these instructions to run Ad-Aware.
    • Download, install, update, configure, and run Ad-Aware SE Personal 1.06.
      1. Download Ad-Aware SE Personal 1.06:
      2. Install Ad-Aware SE Personal 1.06:
        • Double-click on aawsepersonal.exe to install the program.
        • Follow the default settings for installation.
        • After the program has finished installing uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.
      3. Update Ad-Aware SE Personal 1.06:
        • Double-click the Ad-Aware SE Personal icon on your desktop.
        • Click "Check for updates now" then click "Connect".
        • It will check for any updates. If any are found click "OK" to download and install the updates. Once it has finished click "Finish".
      4. Configure Ad-Aware SE Personal 1.06:
        • Click on the Gear button at the top of the window.
        • Click "General" on the left hand side to display the General Settings box.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Automatically save logfile"
            • "Automatically quarantine objects prior to removal"
            • "Safe Mode (always request confirmation)"
            • "Prompt to update outdated definitions" - change to 7 days from the default 14.
        • Click "Scanning" on the left hand side to display the Scan Settings box.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Scan within archives"
            • "Select drives & folders to scan" - select your hard drive(s).
            • "Scan active processes"
            • "Scan registry"
            • "Deep-scan registry"
            • "Scan my IE favorites for banned URLs"
            • "Scan my Hosts file"
        • Click "Advanced" on the left hand side to display the Advanced Settings box.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Move deleted files to Recycle Bin"
            • "Include additional object information"
            • "Include negligible objects information"
            • "Include environment information"
        • Click "Defaults" on the left hand side to display the Default Settings box.
          • Make sure these items have your preferred settings in them:
            • "Default homepage"
            • "Default searchpage"
        • Click "Tweak" on the left hand side to display the Tweak Settings box.
          • Click the + (plus) sign next to the Log Files section. This will expand the section.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Include basic Ad-Aware settings in log file"
            • "Include additional Ad-Aware settings in log file"
            • "Include reference summary in log file"
            • "Include alternate data stream details in log file"
          • Click the + (plus) sign next to the Scanning Engine section. This will expand the section.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Unload recognized processes & modules during scan"
            • "Scan registry for all users instead of current user only"
            • "Obtain command line of scanned processes"
          • Click the + (plus) sign next to the Cleaning Engine section. This will expand the section.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Always try to unload modules before deletion"
            • "During removal, unload Explorer and IE if necessary"
            • "Let Windows remove files in use at next reboot"
            • "Delete quarantined objects after restoring"
        • Once you are done with these settings, click "Proceed" to save them.
        • This will take you back to the main screen.
      5. Run Ad-Aware SE Personal 1.05:
        • Click the "Start" button.
        • Uncheck the "Search for negligible risk entries" entry.
        • Choose the "Use custom scanning options" scan mode.
        • Click the "Next" button.
        • Ad-Aware will begin to scan for malware residing on your computer.
        • Allow the scan to finish.
        • Right-click on any entry in the list and click "Select All" to select the whole list.
        • Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.

    Reboot and post a new hijackthis log and let me know how it feels/looks on your end.
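As an added example (not code from the thread or from HijackThis), a small Python checker that applies the kind of triage Buckeye_Sam did by hand to the O4 and O15 lines of a HijackThis log: wildcard Trusted Zone entries, Trusted IP range entries, and Run entries whose program path is not absolute. The sample lines are constructed from the log above, and the three heuristics are the example's own assumptions rather than HijackThis rules.

```python
"""Flag HijackThis O4 / O15 entries of the kind fixed in this thread.

Added example, not part of the forum post. Three heuristics (assumptions
of this example, not HijackThis rules) mirror the entries the helper asked
the poster to fix:
  * O15 Trusted Zone entries that are wildcards (*.example.com)
  * O15 Trusted IP range entries (a bare IP rarely belongs in Trusted Sites)
  * O4 Run entries whose command is not an absolute path (e.g. \Program\...)
"""
import re
from dataclasses import dataclass

# Constructed sample lines, copied in the style of the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O15 - Trusted Zone: www.state.hi.us
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted IP range: 67.19.178.84 (HKLM)
"""


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


# O4 - <hive>\..\<Run key>: [<name>] <command line>
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.+)$')
# O15 - Trusted Zone|Trusted IP range: <target> [(HKLM)]
O15_RE = re.compile(r'^O15 - Trusted (Zone|IP range): (\S+)(?: \((HKLM)\))?$')
# A command line that starts with a drive letter, optionally quoted.
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


def check_line(line):
    """Return a Finding for a suspicious O4/O15 line, else None."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        hive, key, name, command = m.groups()
        if not ABS_PATH_RE.match(command):
            return Finding(line, "O4 autorun without an absolute path: "
                                 f"[{name}] in {hive}\\..\\{key}")
        return None
    m = O15_RE.match(line)
    if m:
        kind, target, hive = m.groups()
        scope = hive or "HKCU"
        if kind == "IP range":
            return Finding(line, f"O15 Trusted IP range {target} ({scope})")
        if target.startswith("*."):
            return Finding(line, f"O15 wildcard Trusted Zone {target} ({scope})")
    return None


def scan_log(text):
    """Run check_line over every line of a log and collect the findings."""
    return [f for f in (check_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding.reason}\n    {finding.line}")
```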
  • edited July 2005
    Buckeye_Sam - thanks for your expertise and, more importantly, your willingness to help out those in need with your time! Let me know what I can do (as helping others with computer problems is not a real option), thanks again.

    Logfile of HijackThis v1.99.1
    Scan saved at 10:06:22 PM, on 7/4/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGRDIAN.EXE
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\McAfee\MCAFEE~1\cpd.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\supervisor.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton Utilities\NPROTECT.EXE
    C:\Program Files\Speed Disk\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\PROGRA~1\WinZip\winzip32.exe
    C:\DOCUME~1\Dave\LOCALS~1\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\\CMGRDIAN.EXE /SU
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\RunServices: [CPD_EXE] C:\Program Files\McAfee\McAfee Firewall\\CPD.EXE AUTOSTART
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O15 - Trusted Zone: www.sd331.k12.id.us
    O15 - Trusted Zone: www.revenue.state.az.us
    O15 - Trusted Zone: www.dpuc.state.ct.us
    O15 - Trusted Zone: www.state.hi.us
    O15 - Trusted Zone: www.state.il.us
    O15 - Trusted Zone: www.red.state.nv.us
    O15 - Trusted Zone: www.oag.state.va.us
    O15 - Trusted Zone: www.lii.warwick.ac.uk
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avsynmgr.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: McAfee Firewall (McAfee Firewall Service) - Network Associates Inc. - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe (file missing)
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
    O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
  • Buckeye_Sam Columbus, Ohio
    edited July 2005
    Your log looks clean. Let me know of any issues that you are still having.