Another smitfraud.c victim, sorry
Right, sorry to annoy those helping all of us with this problem by starting yet another new thread on the issue. But I feel I probably need to (yes, I've read the stickies etc. before posting) because the steps to remove it & an annoying thing with the infected PC mean I've not found quite the same problem as I'm currently having.
Best to start from the beginning, I guess.
Right, in the middle of last week I got this Trojan-Spy.HTML.Smitfraud.c virus on my main PC (this is my second PC, by the way). To be honest I've not got a clue how I got it, as I'm 99% certain it was NOT via an e-mail as I near never read those from unknown people & never open attachments either. So perhaps I got it via a dodgy website.
I've been going mad trying to get rid of it & have the following installed on my infected PC: AVG Anti Virus, Zone Alarm Pro & Ad Aware 6, installed & active. So how it got through in the first place is beyond me.
What happened upon realising the problem was on Wednesday when I tried to boot the PC as usual & got this message on the screen:
Exploer Exe Application Error
The Program failed to initialise properly {0xc0000005} click on OK to terminate the program
After that I get the blue screen of death with the following:
Fatal Error in IE at 0028:C0011E36 in VXD VMM<01> + 00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c
As a result of this the PC was unusable in normal mode & I can only use it in safe mode, which means I can't connect to the internet to speed up the process of getting the problem sorted.
What I then did was to ask about it on a board I use for other needs. One of the responses pointed to the guide at bleepingcomputer that has been mentioned on here several times in the threads I looked through.
But I think I MAY have made a mistake in that process. It was at the stage when I used Killbox. Instead of selecting Delete Upon Reboot as I was supposed to, I forgot & the default was applied, Standard File Kill. Not too sure how relevant this mistake was, but the process seemed to have been going OK. But then at the stage where I was supposed to reboot in normal mode this wouldn't work. I got the same message:
Exploer Exe Application Error
The Program failed to ininialise properly {0xc0000005} click on OK to terminate the program
But no sign of the Smitfraud.c or the blue screen of death. All I had then was a pale blue screen with no desktop at all. But not that blue screen of death. So perhaps the virus was removed, I just don't know. Anyway, I had to go back into safe mode to complete the process, which I guess was OK to do that way?
But again just the original Explorer Exe message with the pale blue screen.
Then earlier today I found this great-looking site that looks to have the wealth of info that can hopefully help me. So I'm posting my problem here as it remains as of this post.
Now I can't currently post a HijackThis log on this post because, as said, I can't use the net in safe mode on the infected PC & I have to move parts (modem, g.card & HDDs) just to get on the net & try to find a solution to the problem. By the way, the infected HDD is currently a slave in this PC so as to hopefully be of use if/when I come by a solution that can be tried with the infected HDD set as slave in this PC.
So has anyone got any ideas or suggestions on what I can try next?
Dave9946
Comments
Logfile of HijackThis v1.99.1
Scan saved at 21:26:16, on 27/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\AVFIX\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://websearchnetwork.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {d262e70a-7841-4a85-9aa1-8d66aa593c89} - (no file)
O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - C:\WINDOWS\timon2.dll (file missing)
O2 - BHO: AddressBar Class - {f65b197f-8260-4d52-909a-f70118e646eb} - C:\WINDOWS\system32\iasada.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Search Toolbar - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINDOWS\timon2.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [GuruClock] C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\ADSL\ADSL PCI Modem\CnxDslTb.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Registration Brothers In Arms.LNK = E:\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c24.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Sorry it wasn't posted before but, as said, it's a pain having to swap things between 2 PCs all the time. But I guess there is nothing anyone can suggest without it!
Dave9946
Dave9946
http://majorgeeks.com/Ad-Aware_SE_Personal_d506.html
http://majorgeeks.com/SpyBot-Search_&_Destroy_d2471.html
Run the setup files for each. Update Ad-aware SE and Spybot with the latest definitions. Exit these for now.
Please make sure you can view all hidden files:
Open my computer>click tools>click folder options>
click view tab>check show hidden files>uncheck hide file extensions>click apply>click OK>exit
Close all open windows and place a checkmark next to these entries and click Fix Checked:
O2 - BHO: (no name) - {d262e70a-7841-4a85-9aa1-8d66aa593c89} - (no file)
O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - C:\WINDOWS\timon2.dll (file missing)
O2 - BHO: AddressBar Class - {f65b197f-8260-4d52-909a-f70118e646eb} - C:\WINDOWS\system32\iasada.dll
O3 - Toolbar: Search Toolbar - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINDOWS\timon2.dll (file missing)
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
Then delete the underlined files or folders if they exist:
C:\WINDOWS\timon2.dll
C:\WINDOWS\system32\iasada.dll
C:\Program Files\Media Access\MediaAccK.exe
Reboot into safe mode. Run a "full system scan" with Ad-aware se. Then run a scan with Spybot. Remove all objects found.
Reboot into normal mode and run one of these online scans:
http://housecall.trendmicro.com/
http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm
Let me know what files cannot be cleaned from whichever scan you use in your next post.
Post a new log when finished.
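As an added illustration (not part of this thread, and not code from HijackThis or its author), here is the triage the helper performs above turned into a small Python script: it parses HijackThis entry lines and flags the same kinds of entries the helper asked to have fixed, namely a hijacked start page (R0), BHO/toolbar registrations whose file is missing (O2/O3), a known spyware autorun entry (O4) and an ActiveX download from an untrusted host (O16), then lists the file paths behind the flagged entries as the "delete if they exist" list. The sample lines are copied from the log posted above; the trusted-host allowlist and the spyware run-key name list are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://websearchnetwork.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {d262e70a-7841-4a85-9aa1-8d66aa593c89} - (no file)
O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - C:\WINDOWS\timon2.dll (file missing)
O3 - Toolbar: Search Toolbar - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINDOWS\timon2.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c24.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Assumed allowlist of hosts the analyst trusts for start pages (R0/R1) and
# ActiveX downloads (O16). Not from HijackThis; bbc.co.uk is the start page
# the user set later in the thread.
GOOD_HOSTS = {"bbc.co.uk", "microsoft.com", "windowsupdate.com"}

# Run-key names the helper in the thread identified as spyware (assumed list).
BAD_RUN_NAMES = {"Media Access"}

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
ORPHAN_SUFFIXES = ("(no file)", "(file missing)")


def parse_entries(text):
    """Return (section, body, line) for every HijackThis entry line."""
    entries = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
    return entries


def _host_trusted(url, good_hosts):
    """True when the URL's host is an allowlisted host or a subdomain of one."""
    host = urlparse(url).hostname
    if host is None:
        return False
    host = host.lower()
    return any(host == g or host.endswith("." + g) for g in good_hosts)


def triage(text, good_hosts=GOOD_HOSTS, bad_run_names=BAD_RUN_NAMES):
    """Flag the entries an analyst would ask the user to 'Fix Checked'."""
    findings = []
    for section, body, line in parse_entries(text):
        if section in ("O2", "O3") and body.endswith(ORPHAN_SUFFIXES):
            findings.append((section, "BHO/toolbar registered for a missing file", line))
        elif section in ("R0", "R1"):
            url = body.split("=", 1)[1].strip()
            if not _host_trusted(url, good_hosts):
                findings.append((section, "start/search page points at untrusted host", line))
        elif section == "O4":
            name = re.search(r"\[(.+?)\]", body)
            if name and name.group(1) in bad_run_names:
                findings.append((section, "known spyware autorun entry", line))
        elif section == "O16":
            url = re.search(r"https?://\S+", body)
            if url and not _host_trusted(url.group(0), good_hosts):
                findings.append((section, "ActiveX download from untrusted host", line))
    return findings


def files_to_check(findings):
    """Paths behind flagged O2/O3/O4 entries: the 'delete if they exist' list."""
    paths = set()
    for section, _reason, line in findings:
        body = line.split(" - ", 1)[1]
        if section in ("O2", "O3"):
            # Last " - " field is the DLL path, possibly suffixed with a marker.
            path = body.rsplit(" - ", 1)[1]
            for suffix in ORPHAN_SUFFIXES:
                if path.endswith(suffix):
                    path = path[: -len(suffix)].rstrip()
        elif section == "O4":
            # Everything after the [name] is the registered command line.
            path = body.split("] ", 1)[1]
        else:
            continue
        if path:
            paths.add(path)
    return paths


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for section, reason, line in found:
        print(f"{section:4} {reason}: {line}")
    print("Check/delete if they exist:", sorted(files_to_check(found)))
```

Running it over the sample yields six flagged entries (the R0 start page, both orphaned O2 BHOs, the O3 toolbar, the Media Access O4 entry and the O16 download) while leaving the Adobe, AVG and Zone Labs entries alone, and the file list matches the two paths the helper asked to be deleted.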
So there is no way I know of to update Ad-Aware SE 1.06 & Spybot Search & Destroy 1.4 with the latest definitions once I switch to the other PC & install the progs, as I've said I can't connect to the net in safe mode, can I?
Are these updates not available as a download so I can install them once downloaded? As I could simply move the downloaded updates to the infected HDD & apply the updates after installing the progs.
Also:
In the bottom line Media Access is underlined to delete if found. Is this correct, as I fail to see why MediaAccK.exe is posted if the previous file, Media Access, is to be removed. Are you sure I'm not supposed to remove MediaAccK.exe instead?
Dave9946
Media Access is spyware. I forgot to leave off the .exe file from that. Delete the whole directory.
After updating those programs, run them and then post a new log when finished.
Right, first off I rebooted in safe mode with networking. The modem took ages to connect but I still can't use it for some reason. It's showing as connected but I simply can't open the login icon on the desktop (in safe mode, of course) to confirm the user & pw. I was warned that some items might be unusable prior to the desktop starting.
Right, so I of course couldn't install & update definitions after getting the above-mentioned programs, Ad Aware 1.06 & Spybot Search & Destroy.
So I simply had little choice but to go through the process as posted above as best I could. Prior to this I did use a version of Ad Aware, but the definitions were some 45 days old, so well out of date of course.
Used HijackThis to remove the 5 lines mentioned above. Then deleted the only 1 file/folder found of the 3 listed above to delete if found.
Did a rescan with the outdated Ad-Aware; nothing found, as with the previous scan.
Tried to reboot in normal mode; again it did not work, I just got the same message yet again:
And then the same pale(ish) blue screen.
So I connected the HDDs back into the spare PC, with the infected/problem one as slave. I then installed the downloaded Ad-Aware SE 1.04 & Spybot Search & Destroy 1.4 & updated the definitions for both & then did a full system scan.
Now, doing a full system scan, I can only assume that it did scan the main drive out of the problem PC, the slave drive in this PC, as I'm unsure of the settings to scan just certain HDDs to get a more accurate report of what was found. I guess by default they both scan all HDDs in the system. Found a load of stuff; possibly it was all on this HDD running in my spare PC rather than the problem HDD running as slave in this spare PC?
So I switched everything back to the problem PC & booted the HDD in safe mode to do a HijackThis log.
Changed everything back into this PC again (you can see how annoying this is for me, having to move everything between 2 PCs all the time) & did an online scan with HouseCall. It found this on the problem HDD:
Here is the logfile prior to moving back to this PC:
Logfile of HijackThis v1.99.1
Scan saved at 12:29:01, on 29/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\AVFIX\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://websearchnetwork.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [GuruClock] C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\ADSL\ADSL PCI Modem\CnxDslTb.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Registration Brothers In Arms.LNK = E:\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c24.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Dave9946
So I moved it back to the other PC & again can't connect to the net in safe mode & again got that Explorer EXE Application Error and the pale blue screen when trying to boot in normal mode.
The conclusion of this is that the problem is possibly nothing to do with the trojan that I don't seem to have, but something that has gone wrong since the cleanup/removal of the original problem.
In fact the only thing I can see wrong is that I'm getting that Explorer EXE Application Error message & that the desktop is not loading.
Hopefully the above log will confirm I'm pretty much clean & something else is the cause of my problem.
Dave9946
http://www.pandasoftware.com/produc...n_principal.htm
Make sure you can view all hidden files:
Open my computer>click tools>click folder options>
click view tab>check show hidden files>uncheck hide file extensions>click apply>click OK>exit
Close all open windows. Place a checkmark next to this entry and click Fix Checked:
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c24.cab
Post a new log.
I can view ALL hidden files on the infected HDD; I see no reason why I would need to enable viewing on this HDD as there are no problems with it.
Done as suggested above; here is the logfile:
Logfile of HijackThis v1.99.1
Scan saved at 15:44:54, on 29/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\AVFIX\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [GuruClock] C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\ADSL\ADSL PCI Modem\CnxDslTb.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Registration Brothers In Arms.LNK = E:\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Dave9946
This seems likely to be the real problem and, as suggested above, a side effect/remains of the damage caused by the original smitfraud virus.
As said, the quote above in this post and the pale blue screen were the first sign of the damage the virus had probably caused.
If, as I believe, the virus has been removed with a load of other stuff, it's just a matter of repairing the damage.
Of course I'm knowledgeable enough to know that the removal of trojans/viruses etc. will not repair the damage caused.
It was suggested by someone that I might try sticking my XP Pro OS disc in to reinstall/repair damage that might have been caused without messing up or losing anything. Is this worth trying?
Dave9946
Logfile of HijackThis v1.99.1
Scan saved at 16:45:04, on 01/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\AVFIX\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [GuruClock] C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\ADSL\ADSL PCI Modem\CnxDslTb.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Registration Brothers In Arms.LNK = E:\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Am confirming I can view all hidden files on that HDD also.
My main problem at the moment is that 1- I'm getting an error message:
And then the pale blue screen as I mentioned above.
This problem was present when I first had the problem, which was likely to have been caused by the smitfraud virus. I originally thought the process of removing the virus caused the problem, but no, it was there at the same time (and definitely not before) the smitfraud virus entered the PC.
The seeming likelihood that I have removed the original virus & other infections has not fixed what seems to have damaged Internet Explorer & is stopping the desktop from loading.
Apart from those 2 problems the PC seems OK in itself. Of course I can boot in normal mode & the modem seems to be connecting. In fact I can even access programs using Ctrl, Alt & Del to get into Task Manager. So the structure of the PC seems fine.
Will try a Panda Active scan again as suggested by Shadow2018 to see if it works/reports anything.
Dave9946
Just done a fresh scan with HouseCall & again that shows the infected HDD as clean of any virus. But as that lacks a logfile there is nothing to post using that.
Is there not another scanning program, online or not, that I can try to be of use to solve the problem?
Dave9946
http://www.pandasoftware.com/register.asp?CodigoProducto=13&TipoLead=2&TipoUsuario=1&Tipo=1&Ref=WWEN-TIT5-DES&Idioma=2&Country=US&sec=down
Once downloaded, install the program, check for updates, and run a full scan.
Anyone know what's going on with Panda asking me to uninstall a program that's not installed in the first place?
Dave9946
First off, I am now running the infected/problematic HDD in the second PC in normal mode & all seems well apart from a rather slow net at the moment. Pretty sure this has nothing to do with my problems.
As a result of this I'd guess quite a few things may or may not be screwed up, as this HDD & OS were set up on another PC using different hardware. But when the OS, XP Pro with SP2 included, started, it seemed to detect most hardware changes & reconfigure itself with no real problems to mention.
So in some ways things are kind of working & I'm getting NONE of the problems I mentioned above.
So this is in a way good but in others not so, as it still does not solve the problem. And whether or not it will work back in the main PC remains to be seen. But as I've got the HDD working on the spare PC to boot from, it ought to better help to work out what the problem is.
A fresh HijackThis log for your eyes, I think:
Logfile of HijackThis v1.99.1
Scan saved at 12:21:12, on 04/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe
C:\Program Files\ADSL\ADSL PCI Modem\CnxDslTb.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\AVFIX\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [GuruClock] C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\ADSL\ADSL PCI Modem\CnxDslTb.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Registration Brothers In Arms.LNK = E:\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c24.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{28AEE125-18F1-4816-9BE6-1EECB56E4B9D}: NameServer = 212.159.13.49 212.159.13.50
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Dave9946
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c24.cab
When you get this error - Exploer Exe Application Error
Are you sure that it reads Exploer and not Explorer?
You said that you uninstalled Kaspersky, yet I see no signs of it in any of your logs.
Were you running Kaspersky?
I do see signs of AVG though.
Run Hijackthis. Click on "Open the Misc Tools section". Next click on "Open uninstall manager".
Press the button 'save list'. It will open a Notepad file. Place the content of that file here in your next post.
Right, first off, that pale blue background I mentioned in previous posts is the same colour as I have now on the desktop on this, the spare pc. All the icons & desktop are there, while on the other pc they were never shown. From this I gather that the original XP desktop was "knackered" via the virus & somehow replaced with this pale blue background. This note in itself will hopefully mean something.
Here is the Hijack This uninstall manager list as requested:
ABIT uGuru
Ad-Aware SE Professional
Adobe Acrobat 5.0
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0
ADSL PCI
AVG Anti-Virus 7.0
BitComet 0.58
Brothers In Arms
CleanUp!
Creative DVD Audio Plugin for Audigy Series
DAEMON Tools
DivX Player
DivX Pro Trial
DVD Shrink 3.2
FileSpecs plug-in for Ad-Aware SE
Google Toolbar for Internet Explorer
HexDump plug-in for Ad-Aware SE
HijackThis 1.99.1
InterActual Player
InterVideo WinDVD 6
K-Lite Codec Pack 2.27 Full
Lavasoft Reghance 2.1 -licensed-
LSP Explorer plug-in for Ad-Aware SE
MAGIX Media Manager 2004 silver
MAGIX ringtone maker
MakeTorrent v2.1
Messenger-Control plug-in for Ad-Aware SE
Microsoft Motocross Madness 2
Nero 6 Ultra Edition
NVIDIA Drivers
OE/W Messengerctrl plug-in for Ad-Aware SE
Panda Titanium Antivirus 2005
PowerDVD
Right, can't remove this:
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c24.cab
as I'll explain in a moment.
The reason why Kaspersky never showed on any of the previous logs is easy to explain. I can/could only access the net from the second pc using the spare hdd set up for that pc. So that was the only way I was able to try & download the Panda prog as mentioned. I managed to download it but could not install as Kaspersky was one of the programs not compatible with Panda. And I had to install to that hdd as, with no access to the net on the infected hdd, I would have been unable to update the program with the latest definitions & therefore scan the infected hdd. But as it was installed as slave in this pc I then could have scanned with Panda. Kaspersky was therefore installed on the spare hdd in the spare pc.
Right, as I said above, I got the infected hdd to boot in the spare pc in normal mode with net access, so it will be easier to work with for now. I've managed to install the downloaded version of Panda & update from there.
Done the scan & found a load of things which it seemed to fix\remove. This is what it reported upon the scan:
Infected - 175
Disinfected - 88
Renamed - 8
Funny how Housecall missed all of this???
Among the finds with Panda was this:
So the Smitfraud.C is gone & I have now got a W32/Smitfraud.B instead!
I was asked to post a log by Shadow for Panda but can't work out how to make one, or is it only possible with the online version?
The scan using Panda is the reason why I cant remove
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c24.cab
Because I guess Panda got there first.
The latest HT log:
Logfile of HijackThis v1.99.1
Scan saved at 16:27:12, on 04/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\avciman.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\apvxdwin.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\WebProxy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe
C:\Program Files\ADSL\ADSL PCI Modem\CnxDslTb.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\AvltMain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\AVFIX\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
F2 - REG:system.ini: UserInit=C:\WINDOWS\regedit /s C:\pav.reg,C:\WINDOWS\system32\pavdr.exe,C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [GuruClock] C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\ADSL\ADSL PCI Modem\CnxDslTb.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Registration Brothers In Arms.LNK = E:\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{28AEE125-18F1-4816-9BE6-1EECB56E4B9D}: NameServer = 212.159.13.49 212.159.13.50
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
At least we are getting somewhere I guess.
Dave9946
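The two HijackThis logs posted above are the kind of thing a helper reads by eye, picking out the O16 download (already flagged earlier in the thread), the F2 UserInit value and the O17 name servers. The following script is an added example, not part of the thread and not a HijackThis feature: it parses the log format into (section, body) entries and pulls out exactly those three kinds of item. The sample log is built from lines copied out of the logs on this page; what it returns is for an analyst to judge, since an extra UserInit command may be a legitimate product hook just as easily as a persistence entry.

```python
import re

# Sample built from lines copied out of the HijackThis logs posted in this
# thread, with the header lines kept to show that they are skipped.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
F2 - REG:system.ini: UserInit=C:\WINDOWS\regedit /s C:\pav.reg,C:\WINDOWS\system32\pavdr.exe,C:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c24.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{28AEE125-18F1-4816-9BE6-1EECB56E4B9D}: NameServer = 212.159.13.49 212.159.13.50
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis entry starts with a section code such as R0, F2, O16, O23.
ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs; header lines such as
    'Logfile of ...' and 'Platform: ...' do not match and are dropped."""
    entries = []
    for raw in text.splitlines():
        match = ENTRY.match(raw.strip())
        if match:
            entries.append((match.group("section"), match.group("body")))
    return entries


def remote_dpf_urls(entries):
    """O16 (Downloaded Program Files) entries fetched from a web URL; these are
    ActiveX packages the browser installed from the site named."""
    urls = []
    for section, body in entries:
        if section == "O16":
            found = re.search(r"https?://\S+", body)
            if found:
                urls.append(found.group(0))
    return urls


def userinit_extras(entries):
    """Commands in the F2 UserInit value other than the standard userinit.exe.
    Everything in this list runs at every logon, so each item needs a reason."""
    extras = []
    for section, body in entries:
        if section == "F2" and "UserInit=" in body:
            value = body.split("UserInit=", 1)[1]
            for part in value.split(","):
                part = part.strip()
                if part and not part.lower().endswith("\\userinit.exe"):
                    extras.append(part)
    return extras


def name_servers(entries):
    """O17 entries: the DNS resolvers the interface is configured to use,
    worth comparing against what the ISP or router should have handed out."""
    servers = []
    for section, body in entries:
        if section == "O17" and "NameServer =" in body:
            servers.extend(body.split("NameServer =", 1)[1].split())
    return servers


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("entries:", len(parsed))
    print("O16 downloads:", remote_dpf_urls(parsed))
    print("UserInit extras:", userinit_extras(parsed))
    print("name servers:", name_servers(parsed))
```

To run it over a real log, replace SAMPLE_LOG with the contents of the saved HijackThis file; the three helpers return plain lists so they can be compared across the logs posted at different stages of a clean-up.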
I am getting some net access but it's a case of connecting & it will only work for a few secs & then lock up altogether. Upon some boots the modem won't even connect at all. Guess this MIGHT have something to do with running the hdd in the spare pc.
Right, also the normal XP background is back on the desktop (the field with the sky) instead of that pale blue screen. Dunno how this happened as I did nothing.
Back to the main problem,
As said, Panda detected this & this according to Panda is the only problem I have now. But restarting the pc does not remove the file. I've tried many times, making sure all programs are closed, but it won't remove it.
So I have got rid of the Smitfraud.C virus; now I have a Smitfraud.B virus instead. Does anyone know how to remove this one?
Dave9946
Dave9946
I've removed the file, c:\windows\system32\wininet.dll . But now when trying to boot from that hdd, in the spare pc anyways, all I'm getting is just the desktop background, none of the icons that were there prior to the action & the following 2 error popups:
And then this one:
I then did a fresh scan with Panda (which thankfully due to a popup message from it I was able to do so) and it again found the Smitfraud.B virus:
Panda reported having disinfected the file but dunno if it did as of yet. But that file and/or location was not mentioned before as containing the Smitfraud.B virus.
Any more ideas anyone?
While here I just want to thank you 2 guys for the support you have given me up to this stage. Even if the problem can't be solved you have still given me much support & given me an enlightened view of viruses via this board.
Dave9946
http://www.short-media.com/forum/showthread.php?t=32218
So can it be confirmed the steps in the link posted also refer to a Smitfraud.B virus as well as the Smitfraud.C virus?
EDIT:
That file mentioned was already installed in my original step to fix the problem. Is there any real point in trying it again?
Dave9946
Let's see if we can find a clean copy of wininet.dll on your computer somewhere.
Open Notepad, and copy/paste the following into a new file: Save this as FindFiles.bat, choose to save it as *all files and place it on your desktop.
Double click on FindFiles.bat and post the content of the text file you get in your next reply.
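The batch file the post refers to is not reproduced on the page, so here is an added example of the same idea written in Python rather than batch; it is not the helper's script and not part of the thread. It walks a directory tree for every file with a given name, records size and SHA-256 for each copy, and groups the copies by digest so that a copy which matches no other stands out. The sample tree it builds is constructed: the files hold placeholder bytes, not real PE images, and the directory names (system32, dllcache, ServicePackFiles) are only there to mirror where such backup copies are commonly looked for.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_copies(root, filename):
    """Return (path, size, sha256) for every file under root whose name equals
    filename; the comparison is case-insensitive because Windows names are."""
    wanted = filename.lower()
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() == wanted:
                path = os.path.join(dirpath, name)
                hits.append((path, os.path.getsize(path), sha256_of(path)))
    return sorted(hits)


def group_by_hash(hits):
    """Map each distinct digest to the list of paths carrying that content."""
    groups = defaultdict(list)
    for path, _size, digest in hits:
        groups[digest].append(path)
    return dict(groups)


def odd_ones_out(groups):
    """Paths whose content matches no other copy. A lone digest is a prompt to
    look closer, not proof of tampering, and a shared digest is not proof of
    health: the final check is against a copy from known-good media."""
    return sorted(p for paths in groups.values() if len(paths) == 1 for p in paths)


def build_sample_tree():
    """Constructed sample: placeholder bytes in a fake Windows layout where the
    live system32 copy differs from the two backup copies."""
    root = tempfile.mkdtemp(prefix="findfiles_")
    clean = b"MZ" + b"\x00" * 62 + b"placeholder: untouched wininet.dll"
    tampered = b"MZ" + b"\x00" * 62 + b"placeholder: modified wininet.dll"
    layout = {
        ("WINDOWS", "system32", "wininet.dll"): tampered,
        ("WINDOWS", "system32", "dllcache", "wininet.dll"): clean,
        ("WINDOWS", "ServicePackFiles", "i386", "wininet.dll"): clean,
        ("WINDOWS", "system32", "urlmon.dll"): clean,  # other name: must be ignored
    }
    for parts, data in layout.items():
        full = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as handle:
            handle.write(data)
    return root


def report(root, filename="wininet.dll"):
    """List every copy found with its size and digest prefix, then name the
    copies that match nothing else; returns the digest groups."""
    hits = find_copies(root, filename)
    groups = group_by_hash(hits)
    for path, size, digest in hits:
        print(f"{size:>10}  {digest[:16]}  {path}")
    for path in odd_ones_out(groups):
        print(f"no other copy matches: {path}")
    return groups


if __name__ == "__main__":
    report(build_sample_tree())
```

On a real drive the call would be `report(r"D:\")` or similar with the suspect disk attached as a slave, as Dave describes doing; the digests of the backup copies can then be compared with each other and with a copy taken from the installation CD or service pack files.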
Had a look for it by hand & can't find it anywhere.
So it seems all I have to do now is to try & get the errors sorted & the desktop back. Can now see the end of the problem in sight.
Buckeye_Sam, currently running the spare hdd in the spare pc with the problem one as slave. Would I not be able to copy over a wininet.dll from this hdd to the problem one, as I gather that one is not infected?
Dave9946