
Getting a "Your computer is infected" in tray on start up

Discussion in 'Virus & Other Malware Removal' started by Towelie, Jun 29, 2005.

Thread Status:
Not open for further replies.
  1. Towelie (Thread Starter) - Joined: May 28, 2005 - Messages: 55

    Don't know what's wrong. Here's my HJT log after a restart.


    Logfile of HijackThis v1.99.1
    Scan saved at 6:46:08 PM, on 6/29/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\S4F\Filter7.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\intel32.exe
    C:\program files\valve\steam\steam.exe
    C:\Program Files\interMute\SpySubtract\SpySub.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\Program Files\Yahoo!\browser\ybrowser.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
    C:\Program Files\Yahoo!\Messenger\YPAGER.EXE
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\PHIL\My Documents\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [S4F] "C:\Program Files\S4F\Filter7.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [nzli] C:\WINDOWS\System32\nzli.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/16cd97bf3dde4c978d05/netzip/RdxIE601.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O18 - Filter hijack: Class Install Handler - (no CLSID) - (no file)
    O18 - Filter hijack: deflate - (no CLSID) - (no file)
    O18 - Filter hijack: gzip - (no CLSID) - (no file)
    O18 - Filter hijack: lzdhtml - (no CLSID) - (no file)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

    I tried my restore point; it said there were no changes made from the time of the point. Any help would be great.
     
  2. Towelie (Thread Starter) - Joined: May 28, 2005 - Messages: 55

    It has something to do with the intel32.exe file that's running, and when I stop it in the processes it goes away. Comes back on startup, though.
     
  3. MFDnNC - Joined: Sep 7, 2004 - Messages: 49,014

    Print this and boot to safe mode (Start tapping F8 at the first black screen after power up)
    Fix these with HJT

    O4 - HKLM\..\Run: [nzli] C:\WINDOWS\System32\nzli.exe

    O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe

    O18 - Filter hijack: Class Install Handler - (no CLSID) - (no file)

    O18 - Filter hijack: deflate - (no CLSID) - (no file)

    O18 - Filter hijack: gzip - (no CLSID) - (no file)

    O18 - Filter hijack: lzdhtml - (no CLSID) - (no file)

    View Hidden Files
    Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
    Make sure that "Show hidden files and folders" is checked.
    Also uncheck "Hide protected operating system files".
    Uncheck hide extensions
    Now click "Apply to all folders", Click "Apply" then "OK"

    Delete these files

    C:\WINDOWS\System32\nzli.exe
    C:\WINDOWS\System32\intel32.exe

    START – RUN – type in %temp% OK - Edit – Select all – File – Delete
    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp
    Empty the recycle bin
    Boot

    Run ActiveScan online virus scan

    http://www.pandasoftware.com/activescan/

    When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
    - Save the results from the scan!

    Post a new HiJackThis log along with the results from ActiveScan


    Please give feedback on what worked/didn’t work and the current status of your system
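An added triage script for the two HijackThis sections the fix above targets. It is written for this edit and is not part of the original thread or of HijackThis. It takes the O4 (autostart) and O18 (MIME filter) lines exactly as they appear in the log posted above, flags O4 values that launch a bare .exe straight out of System32 rather than from a product folder, and flags O18 filters whose CLSID and file are both missing. The System32 rule is a triage heuristic rather than a verdict: genuine Windows components (ctfmon.exe on XP, for instance) also autostart from there, so every hit still needs a file-level check before it is removed.

```python
import re

# O4 (autostart) and O18 (MIME filter) lines copied from the first HijackThis
# log posted in this thread; they are the page's own data, not a constructed sample.
HJT_LOG = r"""
O4 - HKLM\..\Run: [S4F] "C:\Program Files\S4F\Filter7.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [nzli] C:\WINDOWS\System32\nzli.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O18 - Filter hijack: Class Install Handler - (no CLSID) - (no file)
O18 - Filter hijack: deflate - (no CLSID) - (no file)
O18 - Filter hijack: gzip - (no CLSID) - (no file)
O18 - Filter hijack: lzdhtml - (no CLSID) - (no file)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# "O4 - HKLM\..\Run: [name] command" and "O18 - Filter hijack: mime - clsid - file"
RUN_KEY = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
FILTER = re.compile(r"^O18 - Filter hijack: (.+?) - (.+?) - (.+)$")
# An .exe sitting directly in System32 (no product sub-folder), WINDOWS or WINNT install
BARE_SYSTEM32_EXE = re.compile(r"^[A-Za-z]:\\(WINDOWS|WINNT)\\System32\\[^\\]+\.exe$", re.I)


def launched_binary(command):
    """Strip quotes and arguments from a Run value and return the file it loads.
    For RUNDLL32 values the interesting path is the DLL argument, so return that."""
    command = command.strip()
    if command.startswith('"'):
        exe, _, rest = command[1:].partition('"')
    else:
        exe, _, rest = command.partition(" ")
    if exe.lower().endswith("rundll32.exe"):
        exe = rest.strip().split(",")[0]
    return exe


def triage(log_text):
    """Return the O4 and O18 entries that deserve a manual look.

    Heuristic, not a verdict: the O4 rule catches executables that autostart
    straight out of System32 with a generic or random name (the two droppers in
    this thread) but would also hit genuine Windows components such as ctfmon.exe,
    so each hit needs a file-level check before it is removed. An O18 filter
    with no CLSID and no file points at no handler at all and can be fixed."""
    run_hits, filter_hits = [], []
    for line in log_text.splitlines():
        m = RUN_KEY.match(line)
        if m:
            hive, name, command = m.groups()
            exe = launched_binary(command)
            if BARE_SYSTEM32_EXE.match(exe):
                run_hits.append((hive, name, exe))
            continue
        m = FILTER.match(line)
        if m:
            mime, clsid, path = m.groups()
            if clsid == "(no CLSID)" or path == "(no file)":
                filter_hits.append(mime)
    return {"run": run_hits, "filters": filter_hits}


if __name__ == "__main__":
    result = triage(HJT_LOG)
    for hive, name, exe in result["run"]:
        print(f"review O4 {hive} [{name}] -> {exe}")
    for mime in result["filters"]:
        print(f"fix O18 filter '{mime}' (no CLSID / no file)")
```

Run against the log above it lists exactly the two Run values and four filters the helper picked out; on a real machine, confirm each flagged .exe against its file properties, signature and creation time before deleting it.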
     
  4. Towelie (Thread Starter) - Joined: May 28, 2005 - Messages: 55

    Incident                      Status          Location

    Virus:W32/Smitfraud.B         Disinfected     Operating system
    Adware:Adware/Smitfraud       No disinfected  C:\WINDOWS\System32\OLEADM.dll
    Adware:Adware/SearchExe       No disinfected  C:\WINDOWS\Downloaded Program Files\on-line.exe
    Spyware:Spyware/SurfSideKick  No disinfected  Windows Registry
    Adware:Adware/Smitfraud       No disinfected  C:\WINDOWS\System32\wp.bmp
    Adware:Adware/SearchExe       No disinfected  C:\WINDOWS\Downloaded Program Files\on-line.exe
    Adware:Adware/Smitfraud       No disinfected  C:\WINDOWS\system32\oleadm.dll
    Virus:W32/Smitfraud.B         Disinfected     C:\WINDOWS\system32\wininet.dll
    Adware:Adware/Smitfraud       No disinfected  C:\WINDOWS\system32\wp.bmp
    Adware:Adware/Smitfraud       No disinfected  C:\WINDOWS\uninstIU.exe

    Logfile of HijackThis v1.99.1
    Scan saved at 9:38:44 PM, on 6/29/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\S4F\Filter7.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\interMute\SpySubtract\SpySub.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
    C:\Program Files\Yahoo!\browser\ybrowser.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Yahoo!\Messenger\YPAGER.EXE
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\Yahoo!\browser\ybrowser.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\PHIL\My Documents\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [S4F] "C:\Program Files\S4F\Filter7.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/16cd97bf3dde4c978d05/netzip/RdxIE601.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O18 - Filter hijack: Class Install Handler - (no CLSID) - (no file)
    O18 - Filter hijack: deflate - (no CLSID) - (no file)
    O18 - Filter hijack: gzip - (no CLSID) - (no file)
    O18 - Filter hijack: lzdhtml - (no CLSID) - (no file)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    I could not delete all of the files found by ActiveScan.
     
  5. MFDnNC - Joined: Sep 7, 2004 - Messages: 49,014

    Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/
    · Install ewido.
    · During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    · Launch ewido
    · It will prompt you to update click the OK button and it will go to the main screen
    · On the left side of the main screen click update
    · Click on Start and let it update.
    · DO NOT run a scan yet. You will do that later in safe mode.

    Restart your computer into safe mode now. Perform the following steps in safe mode:

    Run Ewido:
    · Click on scanner
    · Put a check by the following before you scan:
    o Binder
    o Crypter
    o Archives
    · Click the Start Scan button to start the scan.
    · During the scan it will prompt you to clean files, click OK
    · When the scan is finished, look at the bottom of the screen and click the Save report button.
    · Save the report to your desktop
    Post that log
     
  6. Towelie (Thread Starter) - Joined: May 28, 2005 - Messages: 55

    + Scanned items:
    C:\

    + Scan result:
    C:\Documents and Settings\PHIL\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\PHIL\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\PHIL\Cookies\[email protected][3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\PHIL\Cookies\[email protected]_5w4m[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\PHIL\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\PHIL\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\PHIL\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\PHIL\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\PHIL\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug.a -> Cleaned with backup


    ::Report End

    OK, here's the report.
     
  7. MFDnNC - Joined: Sep 7, 2004 - Messages: 49,014

    Go http://www.ccleaner.com/ccdownload.asp to download and install CCleaner
    Do not use it yet.
    ____________________________

    DL http://www.downloads.subratam.org/KillBox.zip and save it to your desktop.
    _________________________________________
    http://castlecops.com/zx/flrman1/smitfraudfix.zip

    Download smitfraudfix.zip, unzip it to your desktop and have it ready to run later.

    _______________________________________________

    Now copy these instructions to notepad and save them to your desktop or print them. You will need them to refer to.
    ________________________________________________

    Add or Remove Programs and remove the following programs, if found:

    Security IGuard
    Virtual Maid
    Search Maid

    Exit Add/Remove Programs.


    * Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"


    * Restart your computer into safe mode now. Perform the following steps in safe mode:


    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINDOWS\Golden Palace Casino Setup.exe
    C:\WINDOWS\popuper.exe
    C:\WINDOWS\system32\intmonp.exe
    C:\WINDOWS\system32\msole32.exe
    C:\WINDOWS\system32\ole32vbs.exe
    C:\WINDOWS\system32\intmon.exe
    C:\WINDOWS\system32\hhk.dll
    C:\wp.exe
    C:\wp.bmp
    C:\bsw.exe
    C:\WINDOWS\System32\helper.exe
    C:\WINDOWS\System32\msmsgs.exe
    C:\WINDOWS\System32\shnlog.exe
    C:\WINDOWS\System32\wldr.dll
    C:\WINNT\system32\hpD2D9.tmp
    C:\WINDOWS\System32\OLEADM.dll
    C:\WINDOWS\Downloaded Program Files\on-line.exe
    C:\WINDOWS\system32\wininet.dll
    C:\WINDOWS\uninstIU.exe



    Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

    Exit the Killbox.


    Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
    Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

    Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Find and delete these folders if they exist:

    C:\Program Files\Search Maid
    C:\Program Files\Virtual Maid
    C:\Program Files\Security IGuard
    C:\WINDOWS\System32\Services

    Delete this file if found:

    C:\Windows\System32\Log Files



    * Locate smitfraudfix.reg on your desktop and doubleclick on it. When asked if you want to merge with the registry click YES. After you receive the prompt "merged successfully", follow the rest of instructions below.


    * Start Ccleaner and click Run Cleaner


    * Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    * Restart back into Windows normally now.



    * Download the Hoster from here. Unzip the file and press "Restore Original Hosts" and press "OK". Exit the program.


    * Run ActiveScan online virus scan here

    When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
    - Save the results from the scan!

    Post a new HiJackThis log along with the results from ActiveScan
     
  8. Towelie (Thread Starter) - Joined: May 28, 2005 - Messages: 55

    The castlecops site link is broken when i click on it.
     
  9. MFDnNC - Joined: Sep 7, 2004 - Messages: 49,014

    Works for me - skip that for now
     
  10. Towelie (Thread Starter) - Joined: May 28, 2005 - Messages: 55

    Security IGuard
    Virtual Maid
    Search Maid
    Those files were not on my computer. Searched everything. And it says download the Hoster; there's no link to the download.
     
  11. Towelie (Thread Starter) - Joined: May 28, 2005 - Messages: 55

    C:\WINDOWS\Golden Palace Casino Setup.exe
    C:\WINDOWS\popuper.exe
    C:\WINDOWS\system32\intmonp.exe
    C:\WINDOWS\system32\msole32.exe
    C:\WINDOWS\system32\ole32vbs.exe
    C:\WINDOWS\system32\intmon.exe
    C:\WINDOWS\system32\hhk.dll
    C:\wp.exe
    C:\wp.bmp
    C:\bsw.exe
    C:\WINDOWS\System32\helper.exe
    C:\WINDOWS\System32\msmsgs.exe
    C:\WINDOWS\System32\shnlog.exe
    C:\WINDOWS\System32\wldr.dll
    C:\WINNT\system32\hpD2D9.tmp
    C:\WINDOWS\uninstIU.exe
    These files didn't exist for KillBox, and these could not be deleted:
    C:\WINDOWS\system32\wininet.dll
    C:\WINDOWS\System32\OLEADM.dll
    And when I tried to delete the C:\WINDOWS\System32\Services
    file, it said "This cannot be deleted: it is write-protected or the disk drive is full."
     
  12. MFDnNC - Joined: Sep 7, 2004 - Messages: 49,014

  13. Towelie (Thread Starter) - Joined: May 28, 2005 - Messages: 55

    I just noticed this. When I try to change my wallpaper I only get 4 choices: ScreenSaver, MSI Info, MSI Clock, and Settings. The only way I can change the wallpaper is to have an actual picture and do "Set as Background". I also can't make all the desktop icons go away by right-clicking. Strange. Could this be from the bug?
     
  14. Towelie (Thread Starter) - Joined: May 28, 2005 - Messages: 55

    Here's my ActiveScan and HJT log.

    Incident                      Status          Location

    Virus:W32/Smitfraud.B         Disinfected     Operating system
    Adware:Adware/Smitfraud       No disinfected  C:\WINDOWS\System32\OLEADM.dll
    Spyware:Spyware/SurfSideKick  No disinfected  Windows Registry
    Adware:Adware/Smitfraud       No disinfected  C:\WINDOWS\System32\oleadm.dll
    Adware:Adware/Smitfraud       No disinfected  C:\!Submit\OLEADM.dll
    Virus:W32/Smitfraud.B         Disinfected     C:\!Submit\wininet.dll
    Adware:Adware/Smitfraud       No disinfected  C:\WINDOWS\system32\oleadm.dll
    Virus:W32/Smitfraud.B         Disinfected     C:\WINDOWS\system32\wininet.dll

    Logfile of HijackThis v1.99.1
    Scan saved at 10:45:39 AM, on 6/30/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\S4F\Filter7.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\program files\valve\steam\steam.exe
    C:\Program Files\interMute\SpySubtract\SpySub.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
    C:\Program Files\Yahoo!\browser\ybrowser.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Yahoo!\Messenger\YPAGER.EXE
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\Documents and Settings\PHIL\My Documents\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [S4F] "C:\Program Files\S4F\Filter7.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/16cd97bf3dde4c978d05/netzip/RdxIE601.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O18 - Filter hijack: Class Install Handler - (no CLSID) - (no file)
    O18 - Filter hijack: deflate - (no CLSID) - (no file)
    O18 - Filter hijack: gzip - (no CLSID) - (no file)
    O18 - Filter hijack: lzdhtml - (no CLSID) - (no file)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
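An added helper for reading the two ActiveScan result tables in this thread side by side (the one after the first Run-key fix and the one in this post, after the KillBox round). It is written for this edit and is not part of the original thread or of Panda ActiveScan. Scanner output lists the same file once per pass and with inconsistent case (OLEADM.dll / oleadm.dll), so the parser keys on detection name plus the lower-cased path before diffing. The diff makes the residue easy to read: on-line.exe, wp.bmp and uninstIU.exe are gone; oleadm.dll and the SurfSideKick registry entries persist; and the two new hits under C:\!Submit are the copies KillBox keeps of files it was asked to delete, not a fresh infection. One caveat a practitioner should keep in mind: wininet.dll is a core Windows DLL that Smitfraud.B patched, "Disinfected" means the scanner repaired it in place, and it cannot be deleted while it is loaded, which is consistent with KillBox refusing; removing it outright would break everything that depends on WinInet, Internet Explorer and Windows Update included.

```python
import re

# Panda ActiveScan tables copied from this thread: the scan after the first
# Run-key fix and the scan after the KillBox round (page data, not constructed).
SCAN_BEFORE = r"""
Virus:W32/Smitfraud.B Disinfected Operating system
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\System32\OLEADM.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\Downloaded Program Files\on-line.exe
Spyware:Spyware/SurfSideKick No disinfected Windows Registry
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\System32\wp.bmp
Adware:Adware/SearchExe No disinfected C:\WINDOWS\Downloaded Program Files\on-line.exe
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\system32\oleadm.dll
Virus:W32/Smitfraud.B Disinfected C:\WINDOWS\system32\wininet.dll
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\system32\wp.bmp
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\uninstIU.exe
"""

SCAN_AFTER = r"""
Virus:W32/Smitfraud.B Disinfected Operating system
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\System32\OLEADM.dll
Spyware:Spyware/SurfSideKick No disinfected Windows Registry
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\System32\oleadm.dll
Adware:Adware/Smitfraud No disinfected C:\!Submit\OLEADM.dll
Virus:W32/Smitfraud.B Disinfected C:\!Submit\wininet.dll
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\system32\oleadm.dll
Virus:W32/Smitfraud.B Disinfected C:\WINDOWS\system32\wininet.dll
"""

# "<Category>:<Name> <Status> <Location>", where Status is one of two fixed phrases
INCIDENT = re.compile(r"^(\w+):(\S+) (Disinfected|No disinfected) (.+)$")


def parse_report(text):
    """Map (detection name, normalised location) -> status.
    Windows paths are case-insensitive, so OLEADM.dll and oleadm.dll collapse
    into one record even though the scanner reported them as separate hits."""
    records = {}
    for line in text.splitlines():
        m = INCIDENT.match(line)
        if not m:
            continue
        _category, name, status, location = m.groups()
        records[(name, location.strip().lower())] = status
    return records


def compare_reports(before_text, after_text):
    """Diff two scans: what a remediation round cleared, what survived it,
    what appeared since, and what the scanner still could not disinfect."""
    before, after = parse_report(before_text), parse_report(after_text)
    return {
        "cleared": sorted(loc for (_, loc) in before.keys() - after.keys()),
        "persisting": sorted(loc for (_, loc) in before.keys() & after.keys()),
        "new": sorted(loc for (_, loc) in after.keys() - before.keys()),
        "still_undisinfected": sorted(
            loc for (_, loc), status in after.items() if status == "No disinfected"
        ),
    }


if __name__ == "__main__":
    for bucket, locations in compare_reports(SCAN_BEFORE, SCAN_AFTER).items():
        print(bucket)
        for loc in locations:
            print("   ", loc)
```

The "still_undisinfected" bucket is the working list for the next round; anything in "persisting" that the scanner only ever reports as repaired (here wininet.dll) is a file to verify, not a file to delete.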
     
  15. Flrman1 - Joined: Jul 26, 2002 - Messages: 46,329

    I am attaching a smitRembeta.zip file to this post.
    • Download it and save it to your desktop.
    • Unzip smitRembeta.zip to extract the four files it contains.
    • Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.


    * Go here to download CCleaner.
    • Install CCleaner
    • Launch CCleaner and look in the upper right corner and click on the "Options" button.
    • Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
    • Click OK
    • Do not run CCleaner yet. You will run it later in safe mode.


    • Launch ewido and update it again.
    • On the left side of the main screen click update
    • Click on Start and let it update.
    • DO NOT run a scan yet. You will do that later in safe mode.


    * Click here for info on how to boot to safe mode if you don't already know how.


    * Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


    * Restart your computer into safe mode now. Perform the following steps in safe mode:


    * Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    O18 - Filter hijack: Class Install Handler - (no CLSID) - (no file)
    O18 - Filter hijack: deflate - (no CLSID) - (no file)
    O18 - Filter hijack: gzip - (no CLSID) - (no file)
    O18 - Filter hijack: lzdhtml - (no CLSID) - (no file)



    * Open the smitRembeta folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
    Wait for the tool to complete and disk cleanup to finish.


    * Run Ewido:
    • Click on scanner
    • Click Complete System Scan and the scan will begin.
    • During the scan it will prompt you to clean files, click OK
    • When the scan is finished, look at the bottom of the screen and click the Save report button.
    • Save the report to your desktop


    * Start Ccleaner and click Run Cleaner


    * Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    * Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.


    * Restart back into Windows normally now.


    * Run ActiveScan online virus scan here

    When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
    - Save the results from the scan!

    Post a new HiJackThis log along with the results from ActiveScan and the ewido scan
     



Short URL to this thread: https://techguy.org/376509
