Old 05-24-2005, 08:42 PM   #1 (permalink)
Registered User
 
Join Date: Sep 2004
Location: seattle-tacoma metro blob
Posts: 110
OS: win XP ver 5.1.26001


HTML.Smitfraud & Trojanhorse Collected.6.BC

This has all started since yesterday (5/23/05).

This most recent infection has happened since;
a) I let AOL know I would be dispensing with their services and
b) Since I got DSL .

This has convinced me to get a firewall. Any recommendations on that?

The symptoms.
A blue screen of death look-alike (my normal desktop icons are still around the edges), with a message in the center stating:

“Security Warning
A fatal error has happened in IE at 0028.C0011E36 in UXD VMM(01) + 0001E036. Error was caused by Trojan-Spy.HTML.Smitfraud.c”

It then tells me to check my security settings and to use an anti-virus software.

That is on my desktop.

Today in my “icon tray” I have gotten two new mini-icons: a red stop sign with a white X and a randomly timed “popup” balloon saying “you’re infected with spyware”, and next to it a pulsing upside-down caution sign. Neither has any property or delete options when right-clicked.

Also a new “Anti-virus Gold 2.0” option appeared on my start menu (ain’t it fun), with requisite attempts to get me to buy it. I was able to remove it using Settings-Control Panel-Add/Remove Software.

Have done(s).

Running Ad-Aware since Sunday has continually found 7-11 “serious” dangers each time.

AVG will continually find (and remove Trojan Horse Collected.6.BC), but is unable to prevent it getting back on.

Spybot Search & Destroy is now finding 1 or 2 items each time I run it, (as opposed to 1 threat every two weeks).

CWShredder finds nothing (though Ad-Aware found and eliminated 8 CoolWebSearch items).

Have just run HJT (after running all the above). Here’s the log.

Logfile of HijackThis v1.99.0
Scan saved at 7:28:46 PM, on 5/24/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\shnlog.exe
C:\WINNT\System32\msole32.exe
C:\WINNT\popuper.exe
C:\WINNT\System32\intmonp.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\WINNT\System32\intmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\bsw.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\akik.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\System32\hp5389.tmp
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MSN Messenger] C:\WINNT\System32\msmsgs.exe
O4 - HKCU\..\Run: [WindowsFY] C:\bsw.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINNT\System32\winnook.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {E21A2B83-6083-444D-89BC-7435A2C26FFC} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E21A2B83-6083-444D-89BC-7435A2C26FFC} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {E21A2B83-6083-444D-89BC-7435A2C26FFC} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E21A2B83-6083-444D-89BC-7435A2C26FFC} - (no file) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ousecall/xscan53.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Smart Card Client - Unknown - C:\WINNT\System32\SCardClnt.exe (file missing)
-- sojerguy

Old 05-25-2005, 12:34 AM   #2 (permalink)
Analyst, Security Team
 
Join Date: Mar 2005
Location: NY
Posts: 350
OS: XP Pro/Home SP2


Sojerguy,

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.


You have an outdated version of HijackThis. Please download and install the latest version by going to this Site
The newest version of HiJackThis(1.99.1) gives us more information to work with.
Note: When you post your next log – make sure word wrap is off before you copy and paste it.


Right click on this link -> http://www.bleepingcomputer.com/files/reg/smitfraud.reg and save that file. Double click on it and click on Yes when it asks you if you want to merge it into the registry. Once that's done, right click on your Desktop and go to Properties. Next go to Desktop tab->Customize Desktop button->Web tab. Uncheck everything listed there. Then delete all the entries listed except for 'My Current Home Page'. Click OK and OK.


Go to Start->-Control Panel->Add or Remove Programs and remove/uninstall the following programs, if found:

Security iGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.



Go to My Computer->Tools/View->Folder Options->View tab
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button



Download KillBox. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with red circle with a white X. Confirm to delete and when asked if you want to reboot now, say no:

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\WINNT\sites.ini
C:\WINNT\popuper.exe
C:\WINNT\system32\hhk.dll
C:\WINNT\System32\wldr.dll
C:\WINNT\System32\helper.exe
C:\WINNT\System32\intmon.exe
C:\WINNT\System32\shnlog.exe
C:\WINNT\System32\intmonp.exe
C:\WINNT\System32\msmsgs.exe
C:\WINNT\system32\msole32.exe
C:\WINNT\system32\ole32vbs.exe
C:\WINNT\System32\hp5389.tmp
C:\WINNT\System32\winnook.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\akik.exe


Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Delete these folders (in blue) if they exist:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\WINNT\System32\LogFiles
C:\Program Files\Security iGuard




Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\System32\hp5389.tmp
O4 - HKLM\..\Run: [MSN Messenger] C:\WINNT\System32\msmsgs.exe
O4 - HKCU\..\Run: [WindowsFY] C:\bsw.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINNT\System32\winnook.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present <- if this is something you did – don’t delete
O9 - Extra button: Microsoft AntiSpyware helper - {E21A2B83-6083-444D-89BC-7435A2C26FFC} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E21A2B83-6083-444D-89BC-7435A2C26FFC} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {E21A2B83-6083-444D-89BC-7435A2C26FFC} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E21A2B83-6083-444D-89BC-7435A2C26FFC} - (no file) (HKCU)

Please remember to close all other windows, including browsers then click Fix checked.



Close HijackThis.



Restart your computer.


1. Download Hoster and run it. Choose the 'Restore Original Hosts' button and press OK. Close the program.

2. Right click on this link -> http://mvps.org/winhelp2002/DelDomains.inf and select Save As to download WinHelp2002's DelDomains.inf. Save the file to the Desktop. To run the inf file, right click on it and select Install. Note: This will remove all entries in the 'Trusted Zone' and 'Ranges' also.

3. Download CleanUp! and install it.
(Alternate Link if the main link doesn't work - http://www.greyknight17.com/spy/Cleanup.exe )
The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. When it asks you if you want to logoff, click on Yes.

4. Run an online scan at http://www.pandasoftware.com/activescan/ and save the results from the scan!

Restart and post a new HijackThis log along with the results from ActiveScan.


4SG

Last edited by Scorpex; 05-25-2005 at 12:54 AM. Reason: Fine tuning
-- Scorpex
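Added example, not part of the thread and not code from HijackThis or the forum: a small Python triage that turns the judgement Scorpex applied to sojerguy's log (post #1) into explicit rules, so the reason each line ended up on the 'Fix checked' list above is visible. The sample entries are copied from the posted log; the rule set, the HIJACK_DOMAINS and EXPECTED_DIRS tables and all function names are assumptions of this example, not HijackThis features.

```python
"""Rule-based triage of HijackThis (HJT) log entries.

Added example, not from the thread or from HijackThis: it turns the analyst's
judgement on the posted log into explicit, testable rules.  The rule tables
are assumptions of this example.
"""
import re

# Domain the thread identifies as the search/start-page hijacker (from the log).
HIJACK_DOMAINS = {"startsearches.net"}

# Where a well-known program is expected to live; the same file name under
# System32 is an impersonation.  Assumption of this example, not an HJT feature.
EXPECTED_DIRS = {
    "msmsgs.exe": "\\program files\\messenger\\",
}

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")


def parse_line(line):
    """Return (section, body) for an HJT entry line, or None for anything else."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def _domain(text):
    m = re.search(r"https?://([^/\s]+)", text)
    return m.group(1).lower() if m else None


def _run_target(body):
    # 'HKLM\..\Run: [Name] C:\dir\prog.exe /arg' -> 'C:\dir\prog.exe /arg'
    _, sep, target = body.partition("] ")
    return target if sep else body


def triage(entry):
    """Return a reason string if the entry looks like hijacker residue, else None."""
    parsed = parse_line(entry)
    if parsed is None:
        return None
    section, body = parsed
    low = body.lower()

    if section in ("R0", "R1"):
        dom = _domain(body)
        if dom and any(dom == d or dom.endswith("." + d) for d in HIJACK_DOMAINS):
            return "IE search/start page redirected to a known hijack domain"
        if "default_page_url" in low and low.endswith("= about:blank"):
            return "default page blanked (typical of Smitfraud-class hijacks)"
    elif section == "O2":
        # A browser helper object loaded from a .tmp file is not a legitimate install.
        if re.search(r"\.tmp\s*$", low):
            return "BHO loaded from a .tmp file"
    elif section == "O4":
        target = _run_target(body).lower()
        if re.match(r"^[a-z]:\\[^\\]+\.exe", target):
            return "autostart executable sitting in the drive root"
        if "\\temp\\" in target:
            return "autostart executable in a Temp folder"
        for name, expected in EXPECTED_DIRS.items():
            if name in target and expected not in target:
                return "%s running outside its expected folder" % name
    elif section == "O9":
        if "(no file)" in low:
            return "orphaned IE button/menu entry (no file)"
    elif section == "O23":
        if "(file missing)" in low and "unknown" in low:
            return "service with unknown owner and missing binary"
    return None


def triage_log(text):
    """Run triage over a whole log; returns [(entry, reason), ...] in log order."""
    findings = []
    for line in text.splitlines():
        reason = triage(line)
        if reason:
            findings.append((line.strip(), reason))
    return findings


# Constructed sample: entries copied from the posted log, plus benign ones for contrast.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\System32\hp5389.tmp
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSN Messenger] C:\WINNT\System32\msmsgs.exe
O4 - HKCU\..\Run: [WindowsFY] C:\bsw.exe
O9 - Extra button: Microsoft AntiSpyware helper - {E21A2B83-6083-444D-89BC-7435A2C26FFC} - (no file)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Smart Card Client - Unknown - C:\WINNT\System32\SCardClnt.exe (file missing)
"""

if __name__ == "__main__":
    for entry, reason in triage_log(SAMPLE_LOG):
        print("FIX  %-60s  (%s)" % (entry[:60], reason))
```

The rules are deliberately per-line and conservative: the AVG autostart, the HouseCall ActiveX control and the Lexmark service pass untouched, while the eight entries Scorpex marked are flagged with a stated reason. The `about:blank` rule is the weakest (a blank default page can be a user choice), which is why an analyst confirms it against the other hijack indicators before fixing.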
Old 05-29-2005, 03:54 PM   #3 (permalink)
Registered User
 
Join Date: Sep 2004
Location: seattle-tacoma metro blob
Posts: 110
OS: win XP ver 5.1.26001


HTML.Smitfraud (dux).

Here are the latest results of HJT & Panda's efforts.

Some side effects of the "cleansing" are:

1) after start up, I have a black wallpaper (normal icons on top) with a 9x11 message box telling me I have viruses. A link at the bottom of the warning page opens internet explorer and takes me to:

http://www.antivirus-gold.com/?wm=

2) Quicktime attempts to load each time I open AOL (which I'll be dumping next month).

3) My "Dell Backup software" attempts to load (from E:).

Are these also symptoms of virii?


Logfile of HijackThis v1.99.1
Scan saved at 2:36:11 PM, on 5/29/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINNT\System32\MsiExec.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINNT\System32\SCardClnt.exe (file missing)



Here is the Panda ActiveScan Log.


Incident Status Location

Adware:Adware/MyWay No disinfected Windows Registry
Virus:W32/Klez.I Disinfected C:\Documents and Settings\All Users.WINNT\Documents\AOL Downloads\America Online 5.0\47528.mim[47528.exe]
Virus:W32/Klez.I Disinfected C:\Documents and Settings\All Users.WINNT\Documents\AOL Downloads\America Online 5.0\for.mim[for.exe]
Adware:Adware/WUpd No disinfected C:\HJT\backups\backup-20041015-063347-418.inf
Adware:Adware Program No disinfected C:\HJT\backups\backup-20041015-063347-931.inf
Virus:W32/Klez.I Disinfected C:\Oldaol dwnlds\47528.zip[47528.mim][47528.exe]
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\WinCtlAdX.dll
Adware:Adware/Virmaid No disinfected C:\WINNT\system32\perfcii.ini
Adware:Adware/TopSpyware No disinfected C:\WINNT\system32\winnook.exe
-- sojerguy
Old 05-30-2005, 09:12 AM   #4 (permalink)
Registered User
 
Join Date: Sep 2004
Location: seattle-tacoma metro blob
Posts: 110
OS: win XP ver 5.1.26001


Please READ the rules and DO NOT bump a post unless it hasn't been responded to in 24hrs!

Last edited by MicroBell; 05-30-2005 at 08:01 PM.
-- sojerguy
Old 05-31-2005, 12:39 AM   #5 (permalink)
Analyst, Security Team
 
Join Date: Mar 2005
Location: NY
Posts: 350
OS: XP Pro/Home SP2


Sojerguy,

Let’s try this.

Right click on this link -> http://www.bleepingcomputer.com/files/reg/smitfraud.reg and save that file. Double click on it and click on Yes when it asks you if you want to merge it into the registry. Once that's done, right click on your Desktop and go to Properties. Next go to Desktop tab->Customize Desktop button->Web tab. Uncheck everything listed there. Then delete all the entries listed except for 'My Current Home Page'. Click OK and OK.


Make sure you can still view hidden files:
Go to My Computer->Tools/View->Folder Options->View tab
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button



Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Go to Start->Run and type Services.msc then hit Ok
You must be very careful when dealing with services – There are other ones named very similar to this one. If you do not see the one named below - do nothing and close the Services window and continue on to the *** .

Scroll down and find the service called: Smart Card Client (SCardClnt)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled.

Now hit Apply and then Ok and close any open windows.


***Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINNT\System32\SCardClnt.exe (file missing)



Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\Downloaded Program Files\WinCtlAdX.dll
C:\WINNT\system32\perfcii.ini
C:\WINNT\system32\winnook.exe
C:\WINNT\System32\SCardClnt.exe


Note: If you open the C:\WINDOWS\Downloaded Program Files folder and do not see the file WinCtlAdX.dll, double-click on each of the ActiveX Controls listed there and click on the dependency tab - look for WinCtlAdX.dll.

In your next post list the ActiveX Control that has WinCtlAdX.dll in the dependency tab.



Close HijackThis.



Restart your computer.


Run an online scan at http://www.pandasoftware.com/activescan/ and save the results from the scan!

Restart and post a new HijackThis log along with the results from ActiveScan.


4SG
-- Scorpex
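Added example, not from the thread, from Panda or from the forum: a parser for the ActiveScan report format sojerguy posted in post #3, sorting detections into what the scanner already disinfected, registry-only hits, HijackThis's own backup files, and files still on disk. That last bucket is exactly the list Scorpex turned into the delete instructions above. The sample lines are copied from the posted report; the bucket rules and every function name are assumptions of this example.

```python
"""Parse a Panda ActiveScan report and sort what the scanner left behind.

Added example, not from the thread or from Panda: the line format
(incident / status / location) is taken from the posted report.  The sorting
rules below are assumptions of this example.
"""
import re
from collections import namedtuple

Incident = namedtuple("Incident", "kind name status location")

# Incident names may contain spaces ("Adware:Adware Program"), so the status
# token is the only reliable separator between name and location.
LINE_RE = re.compile(
    r"^(?P<incident>.+?)\s+(?P<status>No disinfected|Disinfected)\s+(?P<location>.+)$"
)


def parse_activescan(text):
    """Return one Incident per detection line; header, blank and prose lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, _, name = m.group("incident").partition(":")
        records.append(Incident(kind, name, m.group("status"), m.group("location")))
    return records


def container_path(location):
    """Strip archive-member suffixes: 'x.zip[a.mim][a.exe]' -> 'x.zip'."""
    return re.sub(r"(\[[^\]]*\])+$", "", location)


def classify(records):
    """Sort detections into what the scanner handled and what still needs manual work."""
    buckets = {"disinfected": [], "registry": [], "hjt_backups": [], "files": []}
    for r in records:
        if r.status == "Disinfected":
            buckets["disinfected"].append(r.location)
        elif r.location == "Windows Registry":
            # Registry-only detection: needs a registry fix, not a file deletion.
            buckets["registry"].append(r.name)
        else:
            path = container_path(r.location)
            if "\\hjt\\backups\\" in path.lower():
                # HijackThis keeps copies of entries it fixed; scanners re-detect them.
                buckets["hjt_backups"].append(path)
            else:
                buckets["files"].append(path)
    return buckets


# Constructed sample: the report lines from post #3, verbatim.
SAMPLE_REPORT = r"""
Incident Status Location

Adware:Adware/MyWay No disinfected Windows Registry
Virus:W32/Klez.I Disinfected C:\Documents and Settings\All Users.WINNT\Documents\AOL Downloads\America Online 5.0\47528.mim[47528.exe]
Virus:W32/Klez.I Disinfected C:\Documents and Settings\All Users.WINNT\Documents\AOL Downloads\America Online 5.0\for.mim[for.exe]
Adware:Adware/WUpd No disinfected C:\HJT\backups\backup-20041015-063347-418.inf
Adware:Adware Program No disinfected C:\HJT\backups\backup-20041015-063347-931.inf
Virus:W32/Klez.I Disinfected C:\Oldaol dwnlds\47528.zip[47528.mim][47528.exe]
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\WinCtlAdX.dll
Adware:Adware/Virmaid No disinfected C:\WINNT\system32\perfcii.ini
Adware:Adware/TopSpyware No disinfected C:\WINNT\system32\winnook.exe
"""

if __name__ == "__main__":
    for bucket, items in classify(parse_activescan(SAMPLE_REPORT)).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

Skipping the `C:\HJT\backups\` hits matters in practice: they are the backups HijackThis made of entries already fixed, so deleting them as "infections" only removes the ability to undo a fix.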
Old 05-31-2005, 07:30 AM   #6 (permalink)
Registered User
 
Join Date: Sep 2004
Location: seattle-tacoma metro blob
Posts: 110
OS: win XP ver 5.1.26001


Don't have a "desktop tab" under properties on my desktop.

1) When clicking the basic desktop, and r-clicking the properties drop-down, I have one tab displayed. "General". No customize button available.

2) When clicking the desktop icon in my icon tray, and selecting properties from the drop-down, I get three tabs. "General, Security & summary". None have a customize button.

???????
-- sojerguy
Old 05-31-2005, 08:39 AM   #7 (permalink)
Analyst, Security Team
 
Join Date: Mar 2005
Location: NY
Posts: 350
OS: XP Pro/Home SP2


Skip this part and continue on with the rest:

SKIP- Right click on this link -> http://www.bleepingcomputer.com/files/reg/smitfraud.reg and save that file. Double click on it and click on Yes when it asks you if you want to merge it into the registry. Once that's done, right click on your Desktop and go to Properties. Next go to Desktop tab->Customize Desktop button->Web tab. Uncheck everything listed there. Then delete all the entries listed except for 'My Current Home Page'. Click OK and OK.

4SG
-- Scorpex
Old 05-31-2005, 10:21 PM   #8 (permalink)
Registered User
 
Join Date: Sep 2004
Location: seattle-tacoma metro blob
Posts: 110
OS: win XP ver 5.1.26001


Ran Services.msc and found

Smart Card (Not touched)
Smart Card Client (double clicked and disabled per instructions)
Smart Card Help (Not touched)

Ran HJT in safe mode - did not find the following.
O23 - Service: Smart Card Client ....

Used Windows Explorer when searching the Windows\Downloaded Program Files\ folder and did not find "WinCtlAdX.dll".

Then opened each of the ActiveX controls and did not find "WinCtlAdX.dll" (they're listed below).

{2B323CD9-50E3-11D3-9466-00A0C9700498}

{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}

{9B03C5F1-F5AB-47EE-937D-A8EDA626F876}

{74D05D43-3236-11D4-BDCD-00C04F9A3B61}

{9F1C11AA-197B-4942-BA54-47A8489BB47F}


Also listed is the Java (applet?). It wasn't in there either.

Yahoo! Chat




Found and deleted \perfcii.ini and \winnook.exe

Did not find \ScardClnt.exe

Logfile of HijackThis v1.99.1
Scan saved at 9:11:51 PM, on 5/31/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ousecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe



This is the ActiveScan log.


Incident Status Location
Adware:Adware/MyWay No disinfected Windows Registry


Adware:Adware/WUpd No disinfected C:\HJT\backups\backup-20041015-063347-418.inf


Adware:Adware Program No disinfected C:\HJT\backups\backup-20041015-063347-931.inf


Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\WinCtlAdX.dll




You'll notice what the last item is! I went and re-checked for it using Windows Explorer. Still couldn't find it. May need baby-step instructions to get it.

Last edited by sojerguy; 05-31-2005 at 10:25 PM.
-- sojerguy
Old 06-01-2005, 12:19 AM   #9 (permalink)
Analyst, Security Team
 
Join Date: Mar 2005
Location: NY
Posts: 350
OS: XP Pro/Home SP2


Do you have a "desktop tab" under properties on your desktop now?


If not,

Run an online virus scan at TrendMicro. Just follow the instructions on the site to run the online scan. If any viruses/trojans are detected, try to delete or clean them in that site.



Download Silent runners.Vbs http://www.silentrunners.org/Silent%20Runners.vbs
1. Make sure you have any script blocking software disabled
2. Run the program. It will take a few minutes to complete.
3. Once complete it will produce a log named “StartupPrograms” with your user name and the date in the filename. Open that txt file and post its contents in your next post.



4SG
-- Scorpex
Old 06-01-2005, 02:06 AM   #10 (permalink)
Analyst, Security Team
 
Join Date: Mar 2005
Location: NY
Posts: 350
OS: XP Pro/Home SP2


sojerguy,

After you run the tools I mentioned above, run the Ewido Trojan scanner as instructed below. I looked around and saw some other people successfully removing the WinCtlAdX.dll.


Please download ewido security suite it is a trial version of the program.
--Install ewido security suite
--Launch ewido, there should be an icon on your desktop double-click it.
--The program will prompt you to update click the OK button
--The program will now go to the main screen

You will need to update ewido to the latest definition files.
--On the left hand side of the main screen click update.
--Click on Start

The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:
--Click on scanner
--Make sure the following boxes are checked before scanning:
--Binder
--Crypter
--Archives
--Click on Start Scan
--Let the program scan the machine

While the scan is in progress you will be prompted to clean files, click OK
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
--Click Save report
--Save the report to your desktop

Post this log as well.

4SG
Old 06-01-2005, 09:49 PM   #11 (permalink)
Registered User
 
Join Date: Sep 2004
Location: seattle-tacoma metro blob
Posts: 110
OS: win XP ver 5.1.26001


TrendMicro was run. Nothing found.

Silent Runners. Downloaded and ran. Finished and then a notification box came up to tell me the name of the file and disappeared in 2 seconds. Could not read it. Tried this 5 times. Tried a search on the name of the file. Not found. ??????


--------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:50:05 PM, 6/1/2005
+ Report-Checksum: AC0CCF2B

+ Date of database: 6/2/2005
+ Version of scan engine: v3.0

+ Duration: 31 min
+ Scanned Files: 68223
+ Speed: 36.58 Files/Second
+ Infected files: 5
+ Removed files: 5
+ Files put in quarantine: 5
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Administrator\Cookies\administrator@adsremote.scripps[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@realmedia[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users.WINNT\Documents\AOL Downloads\America Online 5.0\freesol.exe -> Spyware.TimeSink -> Cleaned with backup
C:\Oldaol dwnlds\freesol.exe -> Spyware.TimeSink -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\WinCtlAdX.dll -> Spyware.WinAD.f -> Cleaned with backup


::Report End
Old 06-01-2005, 11:14 PM   #12 (permalink)
Analyst, Security Team
 
Join Date: Mar 2005
Location: NY
Posts: 350
OS: XP Pro/Home SP2


I agree - that window’s quick!

Wherever you run the SilentRunners.vbs from is where the log goes.


The last one I ran was named: Startup Programs (my computer name) 2005-06-02 00.52.59.txt

Might be easier to create a new folder (for example C:\SR)
Copy the SilentRunners.vbs file to it
Run SilentRunners.vbs
That’s where the log will go.

4SG
Old 06-02-2005, 12:48 AM   #13 (permalink)
Analyst, Security Team
 
Join Date: Mar 2005
Location: NY
Posts: 350
OS: XP Pro/Home SP2


Besides the things mentioned above,

Make sure you can still view hidden files:
Go to My Computer->Tools/View->Folder Options->View tab
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button


Do a search (Start>Search) for desktop.html and post the locations (if any)

4SG
Old 06-02-2005, 01:23 PM   #14 (permalink)
Analyst, Security Team
 
Join Date: Mar 2005
Location: NY
Posts: 350
OS: XP Pro/Home SP2


If you find desktop.html – delete it.

Also try this-

Quote:
Click on the upper edge of the screen and drag it down until you notice a cross in the upper right corner. Click it to close the screen and you will have access to your real desktop and can change the settings.
It is a modified explorer screen laid between your desktop and the shortcuts on it.
Thanks to Metallica for this

4SG
Old 06-02-2005, 07:46 PM   #15 (permalink)
Registered User
 
Join Date: Sep 2004
Location: seattle-tacoma metro blob
Posts: 110
OS: win XP ver 5.1.26001


Found the desktop.html in c\winnt.

This has eliminated the "black desktop", which now leaves a light grey screen. Right clicking on it and reading its properties, brings up a single tabbed page and an address for it. The address reads //C:WINNT\desktop.html . Anything special about the back-slashes?

It can be dragged down and closed. Where else is it located?
Old 06-02-2005, 09:02 PM   #16 (permalink)
Analyst, Security Team
 
Join Date: Mar 2005
Location: NY
Posts: 350
OS: XP Pro/Home SP2


I think the backslashes have something to do with how the files are read and where they’re read from. Like in this case setting a web page as an active desktop. But I’m not positive.


Try going into Control Panel – Double click ‘Display’. Click on the ‘Desktop Tab’ then click ‘Customize Desktop’. Click the Web tab. Remove everything in there except my Current Home Page. Hopefully there’s a “security” entry to delete. Put a check in the boxes of all others (not including my Current Home Page) and click delete – Check your desktop.


If that one doesn’t help, do the following:
If you get to the Web Tab and there’s nothing but My Current Homepage, try the following.
Control Panel – Double click ‘Display’. Click on the ‘Desktop Tab’ then click ‘Customize Desktop’. Click the General Tab and then ‘Restore Defaults’.

4SG
Old 06-03-2005, 07:41 PM   #17 (permalink)
Registered User
 
Join Date: Sep 2004
Location: seattle-tacoma metro blob
Posts: 110
OS: win XP ver 5.1.26001


Have gotten rid of the gray screen as well. Apparently there were two versions of that blasted page on my system. Both are gone now.

right-clicking on my desktop and selecting Active Desktop-Customize My Desktop brings up a 5x8 screen with a monitor in the middle and various tabs across the top.

Selecting the WEB tab brings up a white square with two check boxes in it: My Home Page and Security v2. Both are unchecked. The delete button is "grayed out". Selecting either or both does not activate the delete button.

Just above the box is a check box, "show web content on my active desktop". It is checked. Unchecking it "grays out" the white square.



That's where we're at.
Old 06-03-2005, 09:39 PM   #18 (permalink)
Analyst, Security Team
 
Join Date: Mar 2005
Location: NY
Posts: 350
OS: XP Pro/Home SP2


You mentioned two versions – was the second c:\winnt\screen.html? If not, look for that file and delete it as well.

You mentioned right clicking the desktop. Did you try going through My Computer – Display applet?


Also, run the SilentRunners.vbs program and post the log. Remember, the log will be created where the program is.



Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.



4SG
Old 06-04-2005, 08:23 AM   #19 (permalink)
Registered User
 
Join Date: Sep 2004
Location: seattle-tacoma metro blob
Posts: 110
OS: win XP ver 5.1.26001


SR Log

"Silent Runners.vbs", revision 37, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"paint.exe" = "shnlog.exe" [file not found]
"notepad.exe" = "msmsgs.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"Lexmark X73 Button Monitor" = "C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe" ["Silitek Corp."]
"Lexmark X73 Button Manager" = "C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe" ["Jetsoft Development Company"]
"PrinTray" = "C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe" ["Lexmark"]
"Bart Station" = "C:\Program Files\ISP50\hta\station.sbrt" [file not found]
"AOLDialer" = "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" ["America Online, Inc"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"NvCplDaemon" = "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [MS]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" [file not found]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\soa800.dll" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Explode"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\UNBIND.DLL" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}" = "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio10\VisShe.dll" [null data]
"{D66DC78C-4F61-447F-942B-3FB6980118CF}" = "{D66DC78C-4F61-447F-942B-3FB6980118CF}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio10\VisShe.dll" [null data]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard.Handler" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard.Handler" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]


Enabled Active Desktop and Wallpaper:
-------------------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 27
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
-> {CLSID}\(Default) = "&Yahoo! Messenger"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
-> {CLSID}\(Default) = "&Yahoo! Messenger"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" [file not found]

{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\
-> {CLSID}\(Default) = "Real.com"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\msjava.dll" [MS]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AOL Connectivity Service, AOL ACS, "C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe" ["America Online, Inc."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
LexBce Server, LexBceS, "C:\WINNT\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
NVIDIA Driver Helper Service, NVSvc, "C:\WINNT\System32\nvsvc32.exe" ["NVIDIA Corporation"]
TrueVector Internet Monitor, vsmon, "C:\WINNT\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

StartDreck Log

StartDreck (build 2.1.7 public stable) - 2005-06-04 @ 07:29:55 (GMT -07:00)
Platform: Windows 2000 (Win NT 5.0.2195 Service Pack 3)
Internet Explorer: 6.0.2800.1106
Logged in as Administrator at W-1ECAED0A32DD4

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
*AVG7_Run=C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
»RunOnce
*^SetupICWDesktop=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
»Local Machine
»Run
*Synchronization Manager=mobsync.exe /logon
*Lexmark X73 Button Monitor=C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
*Lexmark X73 Button Manager=C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
*PrinTray=C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
*Bart Station=C:\Program Files\ISP50\hta\station.sbrt
*AOLDialer=C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
*AVG7_CC=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
*NvCplDaemon=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
*Zone Labs Client=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINNT\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\SpywareGuard.lnk
»Default User
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=explorer.exe
»Text Files
*C:\boot.ini
*C:\msdos.sys
*C:\config.sys
*C:\WINNT\System32\config.nt
*C:\autoexec.bat
*C:\WINNT\System32\autoexec.nt
*C:\WINNT\System32\drivers\etc\hosts
»System/Drivers
»Running Processes
+0=<idle>
+8=<system>
+152=\SystemRoot\System32\smss.exe
+176=\??\C:\WINNT\system32\csrss.exe
+172=\??\C:\WINNT\system32\winlogon.exe
+224=C:\WINNT\system32\services.exe
+236=C:\WINNT\system32\lsass.exe
+408=C:\WINNT\system32\svchost.exe
+436=C:\WINNT\system32\LEXBCES.EXE
+468=C:\WINNT\system32\spoolsv.exe
+496=C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
+508=C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
+552=C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
+568=C:\WINNT\System32\svchost.exe
+604=C:\Program Files\ewido\security suite\ewidoctrl.exe
+628=C:\Program Files\ewido\security suite\ewidoguard.exe
+708=C:\WINNT\System32\nvsvc32.exe
+728=C:\WINNT\system32\regsvc.exe
+748=C:\WINNT\system32\MSTask.exe
+784=C:\WINNT\system32\stisvc.exe
+880=C:\WINNT\system32\ZoneLabs\vsmon.exe
+936=C:\WINNT\Explorer.EXE
+980=C:\WINNT\System32\WBEM\WinMgmt.exe
+992=C:\WINNT\system32\svchost.exe
+1168=C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
+1128=C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
+1184=C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
+1172=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
+1236=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
+1252=C:\Program Files\SpywareGuard\sgmain.exe
+1512=C:\Program Files\SpywareGuard\sgbhp.exe
+208=C:\Program Files\America Online 9.0\waol.exe
+1608=C:\Program Files\America Online 9.0\shellmon.exe
+1560=C:\Program Files\Common Files\Aol\aoltpspd.exe
+1740=C:\web downloads\Dreck\StartDreck.exe
»NT Services
*Alerter Alerter - on demand
*AOL Connectivity Service AOL ACS running auto
*Application Management AppMgmt - on demand
*AVG7 Alert Manager Server Avg7Alrt running auto
*AVG7 Update Service Avg7UpdSvc running auto
*Background Intelligent Transfer Service BITS - on demand
*Computer Browser Browser running auto
*Indexing Service cisvc - on demand
*ClipBook ClipSrv - on demand
*DHCP Client Dhcp running auto
*Logical Disk Manager Administrative Service dmadmin - on demand
*Logical Disk Manager dmserver running auto
*DNS Client Dnscache running auto
*Event Log Eventlog running auto
*COM+ Event System EventSystem running on demand
*ewido security suite control ewido security suite starting... auto
*ewido security suite guard ewido security suite running auto
*Fax Service Fax - on demand
*Server lanmanserver running auto
*Workstation lanmanworkstation running auto
*LexBce Server LexBceS running auto
*TCP/IP NetBIOS Helper Service LmHosts running auto
*Messenger Messenger - disabled
*NetMeeting Remote Desktop Sharing mnmsrvc - on demand
*Distributed Transaction Coordinator MSDTC - on demand
*Windows Installer MSIServer - on demand
*Network DDE NetDDE - on demand
*Network DDE DSDM NetDDEdsdm - on demand
*Net Logon Netlogon - on demand
*Network Connections Netman running on demand
*NT LM Security Support Provider NtLmSsp - on demand
*Removable Storage NtmsSvc running auto
*NVIDIA Driver Helper Service NVSvc running auto
*Plug and Play PlugPlay running auto
*IPSEC Policy Agent PolicyAgent running auto
*Protected Storage ProtectedStorage running auto
*Remote Access Auto Connection Manager RasAuto - on demand
*Remote Access Connection Manager RasMan running on demand
*Routing and Remote Access RemoteAccess - disabled
*Remote Registry Service RemoteRegistry running auto
*Remote Procedure Call (RPC) Locator RpcLocator - on demand
*Remote Procedure Call (RPC) RpcSs running auto
*QoS RSVP RSVP - on demand
*Security Accounts Manager SamSs running auto
*Smart Card Client SCardClnt - disabled
*Smart Card Helper SCardDrv - on demand
*Smart Card SCardSvr - on demand
*Task Scheduler Schedule running auto
*RunAs Service seclogon running auto
*System Event Notification SENS running auto
*Internet Connection Sharing SharedAccess - on demand
*Print Spooler Spooler running auto
*Still Image Service StiSvc running auto
*Performance Logs and Alerts SysmonLog - on demand
*Telephony TapiSrv running on demand
*Telnet TlntSvr - on demand
*Distributed Link Tracking Client TrkWks running auto
*Uninterruptible Power Supply UPS - on demand
*Utility Manager UtilMan - on demand
*TrueVector Internet Monitor vsmon running auto
*Windows Time W32Time - on demand
*Windows Management Instrumentation WinMgmt running auto
*Windows Management Instrumentation Driver Exten Wmi running on demand
`sions
*Automatic Updates wuauserv running auto
»Application specific

Last edited by sojerguy; 06-04-2005 at 08:30 AM.
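As an added example (not code from this thread, from Silent Runners or from StartDreck), here is a small Python triage script that reads a Silent Runners log like the one posted above and surfaces the entries a helper checks first: values under Policies\Explorer\Run, entries whose target is "[file not found]", entries with no usable vendor data, the ShellExecuteHook warnings, and whether Active Desktop is enabled (the place the desktop.html page in this thread was hooked in). The sample log is a constructed excerpt modelled on the posted one, and the severity labels are my own heuristic.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed excerpt modelled on the Silent Runners log posted in this thread
# (a handful of its lines, not the full log).
SAMPLE_LOG = r"""
Startup items buried in registry:
---------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"paint.exe" = "shnlog.exe" [file not found]
"notepad.exe" = "msmsgs.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"Bart Station" = "C:\Program Files\ISP50\hta\station.sbrt" [file not found]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
"""

# One value line under a registry key:  "name" = "target" [tag]
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)" = "(?P<target>[^"]*)" (?P<tag>\[.*\])$')


@dataclass
class Entry:
    key: str      # registry key the value lives under
    name: str     # value name, e.g. "paint.exe"
    target: str   # command line or file the value points at
    tag: str      # Silent Runners' annotation: [MS], ["Vendor"], [file not found], ...


@dataclass
class Finding:
    severity: str  # high / medium / low / info (heuristic labels, not from the tool)
    subject: str
    reason: str


def parse_entries(log: str) -> List[Entry]:
    """Walk the log, remembering the current HKxx key, and collect its value lines."""
    entries, key = [], None
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("HK") and "\\" in line:
            key = line.replace(" {++}", "").rstrip("\\")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append(Entry(key, m["name"], m["target"], m["tag"]))
    return entries


def triage(log: str) -> List[Finding]:
    """Apply the checks a forum helper does by eye when reading one of these logs."""
    findings = []
    for e in parse_entries(log):
        if e.key.lower().endswith(r"\policies\explorer\run"):
            findings.append(Finding("high", e.name,
                "autostart under Policies\\Explorer\\Run, a key legitimate installers seldom use"))
        if e.tag == "[file not found]":
            findings.append(Finding("medium", e.name,
                f"target {e.target!r} is missing: orphaned entry, safe to remove the value"))
        elif e.tag == "[null data]" or "TODO:" in e.tag:
            findings.append(Finding("low", e.name, "no usable vendor data; verify the file by hand"))
    for line in log.splitlines():
        if line.startswith("INFECTION WARNING!"):
            findings.append(Finding("info", line.split('"')[1],
                "Silent Runners flags every ShellExecuteHook; confirm the vendor before acting"))
        elif line.startswith("Active Desktop is enabled"):
            findings.append(Finding("info", "Active Desktop",
                "enabled: check Display > Desktop > Customize Desktop > Web for a local .html component"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.subject}: {f.reason}")
```

Run it against a saved "Startup Programs ... .txt" by replacing SAMPLE_LOG with the file's contents; entries that are both under the policy key and "[file not found]", like "paint.exe" above, are reported twice on purpose.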
Old 06-05-2005, 12:57 AM   #20 (permalink)
Analyst, Security Team
 
Join Date: Mar 2005
Location: NY
Posts: 350
OS: XP Pro/Home SP2


I’ve been researching your problem - didn’t want you to think I forgot about you. I easily spent 3-4 hours today researching this. Results to follow.
Copyright 2001 - 2009, Tech Support Forum