Old 06-30-2005, 08:02 PM   #1 (permalink)
I helped the forums.
 
Join Date: Jun 2005
Posts: 12
OS: Windows 2000


Got Trojan-Spy.HTML.Smitfraud.c virus

I am running Windows 2000. I recently contracted the Trojan-Spy.HTML.Smitfraud.c virus. After doing some research, I found a site that said running XoftSpy I could remove this virus. I paid $39.95 for XoftSpy and ran it, and it did allow me to use Internet Explorer again. The problem is that now my IE home page keeps getting changed to http://ie-searchengine.com. I installed Norton Internet Security 2005 Antispyware Edition and it says that the virus is still in C:\winnt\system32\wininet.dll.

I'm including the output of hijackthis.log. PLEASE HELP ME REMOVE THIS VIRUS!!

Logfile of HijackThis v1.99.1
Scan saved at 6:55:51 PM, on 6/30/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Quest Shared\Launcher\quest_launcher.exe
C:\WINNT\LogonSvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Host Integration Server\system\ddmserv.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\Explorer.EXE
C:\OfficeScan NT\pccntmon.exe
D:\QuickTime\qttask.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\TIREMOTE\tiremote.exe
C:\Program Files\Messenger\msmsgs.exe
C:\winnt\ykmhnkx.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Documents and Settings\stangm\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-searchengine.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie-searchengine.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/old
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/old
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie-searchengine.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ie-searchengine.com/
O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINNT\eltt.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: gpgigvdzxevnzufmlfxl - {54d8a0cf-3cf1-4119-83e2-ec55aeef8667} - C:\DOCUME~1\stangm\APPLIC~1\thblldxckm.dll (file missing)
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "D:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [eltupt] C:\WINNT\eltupt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\stangm\LOCALS~1\Temp\app33.tmp
O4 - HKCU\..\Run: [Track-It! Remote] C:\Documents and Settings\stangm\TIREMOTE\tiremote.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ehovxxe] c:\winnt\ykmhnkx.exe
O4 - HKCU\..\Run: [aynffjx] c:\winnt\ykmhnkx.exe
O4 - HKCU\..\Run: [nukanme] c:\winnt\ykmhnkx.exe
O4 - HKCU\..\Run: [vqwevho] c:\winnt\ykmhnkx.exe
O4 - HKCU\..\Run: [oxtbwid] c:\winnt\ykmhnkx.exe
O4 - HKCU\..\Run: [vofexfw] c:\winnt\ykmhnkx.exe
O4 - HKCU\..\Run: [ptoscqu] c:\winnt\ykmhnkx.exe
O4 - HKCU\..\Run: [rvgtxdu] c:\winnt\ykmhnkx.exe
O4 - HKCU\..\Run: [yqbhdiu] c:\winnt\ykmhnkx.exe
O4 - HKCU\..\Run: [yxkqyyj] c:\winnt\ykmhnkx.exe
O4 - HKCU\..\Run: [lijgrbl] c:\winnt\ykmhnkx.exe
O4 - HKCU\..\Run: [ursgvcs] c:\winnt\cwldobu.exe
O4 - HKCU\..\Run: [yvdvgnm] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [tynklng] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [fvmkxwq] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [mpeucaa] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [alhbbpy] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [lgumuio] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [jhywapb] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [hqyyyxe] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [wsxlgju] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [dxujbaq] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [smewcqn] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [uuybmwj] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [wlkjlrc] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [hrnhqwt] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [elogpyx] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [kcppgaf] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [premphk] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [kxshpxa] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [runmgtu] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [idfdrxt] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [tvvpsss] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [psvdyxk] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [raryjcy] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [qkmkerg] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [mmmquvx] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [taendwj] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [etvqtoi] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [epmwxui] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [aqxemjq] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [ngrikny] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [aoobako] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [nkjvaob] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [counceg] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [jhoovsi] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [pviolbk] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [btfenlq] c:\winnt\nktktjb.exe
O4 - HKCU\..\Run: [juuxltj] c:\winnt\nktktjb.exe
O4 - HKCU\..\Run: [myenuty] c:\winnt\gfkiiri.exe
O4 - HKCU\..\Run: [vfybcma] c:\winnt\ilesuqt.exe
O4 - HKCU\..\Run: [tnibbsl] c:\winnt\ilesuqt.exe
O4 - HKCU\..\Run: [dlsqvhj] c:\winnt\ilesuqt.exe
O4 - HKCU\..\Run: [nracmvt] c:\winnt\ilesuqt.exe
O4 - HKCU\..\Run: [kfkswyf] c:\winnt\ilesuqt.exe
O4 - HKCU\..\Run: [tjoofiy] c:\winnt\ilesuqt.exe
O4 - HKCU\..\Run: [esbcvrk] c:\winnt\ilesuqt.exe
O4 - HKCU\..\Run: [yskwbrn] c:\winnt\qtnnefy.exe
O4 - HKCU\..\Run: [ygrxkqa] c:\winnt\qtnnefy.exe
O4 - HKCU\..\Run: [kqbydlm] c:\winnt\qtnnefy.exe
O4 - HKCU\..\Run: [tpnatlc] c:\winnt\qtnnefy.exe
O4 - HKCU\..\Run: [dnnkdfj] c:\winnt\qtnnefy.exe
O4 - HKCU\..\Run: [emamkgq] c:\winnt\qtnnefy.exe
O4 - HKCU\..\Run: [dkqdfjp] c:\winnt\lntmdic.exe
O4 - HKCU\..\Run: [hbecset] c:\winnt\qwwmkrp.exe
O4 - HKCU\..\Run: [xwswbga] c:\winnt\qwwmkrp.exe
O4 - HKCU\..\Run: [hlgrgvf] c:\winnt\qwwmkrp.exe
O4 - HKCU\..\Run: [mcehvty] c:\winnt\qwwmkrp.exe
O4 - HKCU\..\Run: [grinhdj] c:\winnt\qwwmkrp.exe
O4 - HKCU\..\Run: [xaxfwft] c:\winnt\qwwmkrp.exe
O4 - HKCU\..\Run: [uxflofo] c:\winnt\qwwmkrp.exe
O4 - HKCU\..\Run: [anytxkr] c:\winnt\nfynkla.exe
O4 - HKCU\..\Run: [beldlca] c:\winnt\nfynkla.exe
O4 - HKCU\..\Run: [ifdxhdt] c:\winnt\nfynkla.exe
O4 - HKCU\..\Run: [ksxiycd] c:\winnt\nfynkla.exe
O4 - HKCU\..\Run: [suorclj] c:\winnt\nfynkla.exe
O4 - HKCU\..\Run: [kmudgdg] c:\winnt\nfynkla.exe
O4 - HKCU\..\Run: [qfkrjwe] c:\winnt\yomnrfl.exe
O4 - HKCU\..\Run: [dadqiag] c:\winnt\yomnrfl.exe
O4 - HKCU\..\Run: [lsrkptn] c:\winnt\yomnrfl.exe
O4 - HKCU\..\Run: [xdlkecp] c:\winnt\yomnrfl.exe
O4 - HKCU\..\Run: [pkybsdm] c:\winnt\picpubl.exe
O4 - HKCU\..\Run: [mgllwuj] c:\winnt\cycqwoq.exe
O4 - HKCU\..\Run: [puwbcsm] c:\winnt\fipnleq.exe
O4 - HKCU\..\Run: [wxgoeqs] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [crocilg] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [fkmyskr] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [bekqxpb] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [ufxwjtw] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [eoebxhf] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [cxibfdh] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [ixijsnh] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [sumpwfy] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [gbyvokv] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [hyglnfb] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [lxhqdfk] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [tmcpngy] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [vjaasef] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [mqywlbk] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [drqgysc] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [uamepyw] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [tyoeruc] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [nnoijgw] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [anjvivs] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [kefceao] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [fuafgxx] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [jbtppks] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [heqoqta] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [njjwaex] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [gyovrhe] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [jftryik] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [alqdgve] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [qafxcqb] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [eqlltpl] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [huttepj] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [kkcqugt] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [nsvwoen] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [xkscmnv] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [utvflhx] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [kvhtqxe] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [nnyokcm] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [ptrfhsk] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [rundccv] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [hwwysde] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [nnublxk] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [awodcol] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [hmxdgrl] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [dbugudr] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [gttdiga] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [mdfjowy] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [ypjnpsl] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [prfcmyq] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [nhppgqa] c:\winnt\iduonpx.exe
O4 - HKCU\..\Run: [fplgtdt] c:\winnt\iduonpx.exe
O4 - HKCU\..\Run: [ontmkrk] c:\winnt\iduonpx.exe
O4 - HKCU\..\Run: [pqrvpnp] c:\winnt\iduonpx.exe
O4 - HKCU\..\Run: [pradlra] c:\winnt\yxdoeen.exe
O4 - HKCU\..\Run: [soaqskr] c:\winnt\bdscrts.exe
O4 - HKCU\..\Run: [dcmpemq] c:\winnt\bdscrts.exe
O4 - HKCU\..\Run: [bbwkkpf] c:\winnt\bdscrts.exe
O4 - HKCU\..\Run: [lfnrwjc] c:\winnt\bdscrts.exe
O4 - HKCU\..\Run: [lddfapk] c:\winnt\bdscrts.exe
O4 - HKCU\..\Run: [ssobfmp] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [hnjnhuc] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [tjfpjow] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [syidvxj] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [xjfnqig] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [wsgwkqk] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [avfvtrk] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [wenewlu] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [ldksfip] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [oglleta] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [nfopmvo] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [simcmqg] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [dftukcv] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [syvqjjb] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [mrywnob] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [cmfnbrg] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [srfjace] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [jngnomf] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [sulnafl] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [rexhluf] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [xbqilpw] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [hfdbdme] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [tvqmkxb] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [tfhmjrp] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [ywvuoud] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [ycpahbi] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [aielcjs] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [jgeqesn] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [suimeet] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [wvkeihn] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [xbyypky] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [jmfpgey] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [maeeydh] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [lgqasgu] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [egsjnin] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [uoawycr] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [hobrfjy] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [jpfyotf] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [celtniw] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [bylnjwq] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [ptgbrwr] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [xcpipou] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [wyalseb] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [cqybdfs] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [vdwgmal] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [lpfuwrm] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [iwumpkx] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [cwishwk] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - HKCU\..\Run: [icwrhyd] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [iurbbje] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [xnliasw] c:\winnt\tucrkiy.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\flsmngr.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://orafin_ap_test.pbso.org:8892/...jinit11816.exe
O16 - DPF: {9F77A997-F0F3-11D1-9195-00C04FC990DC} - http://orafin_ap_prod.pbso.org:7004/...init115211.exe
O16 - DPF: {FCC56E79-0FA2-4969-9164-06F140763455} (ActiveFormX Control) - http://klikw.com/awd/cabs/10110.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pbso.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pbso.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pbso.org
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Quest Launcher Service (LaunchService) - Quest Software - C:\Program Files\Common Files\Quest Shared\Launcher\quest_launcher.exe
O23 - Service: LogonSvc (LogonSvcID) - WiredRed Software - C:\WINNT\LogonSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: OracleClientCache80 - Unknown owner - D:\ORANTDEV2000\BIN\ONRSD80.EXE
O23 - Service: OracleORANT8iAgent - Oracle Corporation - D:\orant8i\bin\dbsnmp.exe
O23 - Service: OracleORANT8iClientCache - Unknown owner - D:\orant8i\BIN\ONRSD.EXE
O23 - Service: OracleORANT8iDataGatherer - Oracle Corporation - D:\orant8i\bin\vppdc.exe
O23 - Service: OracleORANT8iHTTPServer - Unknown owner - D:\orant8i\Apache\Apache\Apache.exe
O23 - Service: OracleORANT8iManagementServer - Unknown owner - D:\orant8i\bin\OMSNTsrv.exe
O23 - Service: OracleORANT8iPagingServer - Unknown owner - D:\orant8i/bin/pagntsrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\OfficeScan NT\tmlisten.exe
Harleymaninwpb is offline  
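As an added example (my own code, not the forum's, HijackThis's or any helper's), a small Python triage of the entry types that make the log above stand out: R0/R1 URLs on an unexpected host, a BHO whose DLL is missing, one executable registered under many random 7-letter Run names in the Windows root, and an unknown Winsock LSP file. It runs over constructed lines in the same shape as the posted log; the rules are heuristics and the expected home-page host (www.yahoo.com, as the R0 entries show) is an assumption.

```python
"""Triage of a HijackThis v1.99 log (heuristics are my own assumptions,
not HijackThis rules). Findings are (severity, section, detail) tuples."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

RE_R = re.compile(r"^(R[01]) - (.+?) = (\S+)$")
RE_O2 = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
RE_O4 = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")
RE_O10 = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+)$")
RE_O23 = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
# A quoted path, or an unquoted path up to its extension (paths may contain spaces).
RE_TARGET = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|tmp|dll|scr|bat))(?:\s|$)', re.I)
RE_RANDOM7 = re.compile(r"^[a-z]{7}$")                      # e.g. "ehovxxe", "ykmhnkx"
RE_WINDIR_ROOT = re.compile(r"^[a-z]:\\win(?:nt|dows)\\[^\\]+$", re.I)

# Constructed sample: lines shaped like the posted log, not the full log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-searchengine.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/old
O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINNT\eltt.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ehovxxe] c:\winnt\ykmhnkx.exe
O4 - HKCU\..\Run: [aynffjx] c:\winnt\ykmhnkx.exe
O4 - HKCU\..\Run: [nukanme] c:\winnt\ykmhnkx.exe
O4 - HKCU\..\Run: [ursgvcs] c:\winnt\cwldobu.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O10 - Unknown file in Winsock LSP: c:\winnt\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\flsmngr.dll
O23 - Service: LogonSvc (LogonSvcID) - WiredRed Software - C:\WINNT\LogonSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\OfficeScan NT\tmlisten.exe
"""


def run_target(command):
    """Executable path from a Run-key command line, lower-cased."""
    m = RE_TARGET.match(command.strip())
    return (m.group(1) or m.group(2)).lower() if m else command.strip().lower()


def triage(log_text, expected_hosts):
    """expected_hosts: the home/search hosts the owner actually chose (caller's
    assumption); any other host in an R0/R1 entry is reported as a hijack."""
    findings = []
    run_names = defaultdict(set)          # target exe -> set of Run value names
    lsp_seen = set()
    for line in log_text.splitlines():
        line = line.strip()
        if m := RE_R.match(line):
            host = urlsplit(m.group(3)).hostname or ""
            if host and host not in expected_hosts:
                findings.append(("high", m.group(1), f"{m.group(2)} -> {host}"))
        elif m := RE_O2.match(line):
            name, clsid, path = m.groups()
            # A missing DLL or one dropped in the user profile is not a product BHO.
            if "(file missing)" in path or "\\DOCUME~1\\" in path.upper():
                findings.append(("high", "O2", f"BHO {name!r} {clsid}: {path}"))
        elif m := RE_O4.match(line):
            run_names[run_target(m.group(3))].add(m.group(2))
        elif m := RE_O10.match(line):
            lsp = m.group(1).lower()
            if lsp not in lsp_seen:       # the posted log repeats the same file three times
                lsp_seen.add(lsp)
                findings.append(("high", "O10", f"unknown LSP file {lsp}"))
        elif m := RE_O23.match(line):
            svc, _owner, path = m.groups()
            if RE_WINDIR_ROOT.match(path):
                findings.append(("medium", "O23", f"service {svc} runs {path} from the Windows root"))
    # Post-pass over Run keys: the persistence in the log above is one
    # random-named exe in c:\winnt registered under many random value names.
    for target, names in run_names.items():
        stem = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        reasons = []
        if len(names) > 1:
            reasons.append(f"{len(names)} Run names for one exe")
        if RE_RANDOM7.match(stem) and any(RE_RANDOM7.match(n) for n in names):
            reasons.append("random 7-letter value name and filename")
        if RE_WINDIR_ROOT.match(target):
            reasons.append("exe directly in the Windows root")
        if reasons:
            findings.append(("high", "O4", f"{target}: " + "; ".join(reasons)))
    return findings


def triage_sample():
    """Triage the constructed sample with www.yahoo.com as the chosen home page."""
    return triage(SAMPLE_LOG, {"www.yahoo.com"})


if __name__ == "__main__":
    for severity, section, detail in triage_sample():
        print(f"[{severity:6}] {section:4} {detail}")
```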

Old 07-01-2005, 02:03 AM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
sUBs
Join Date: May 2005
Posts: 24,445
OS: N/A


Hi and Welcome to TSF! You have a whole lot more than Smitfraud!!

BroadJump - I see you have BroadJump on your system. This is the newer name for BroadJump Foundation Client (BJCFD) from BroadJump.com, now Motive. The software collects information on your Internet activity and sends it to your ISP so that your ISP can serve you advertisements related to the type of sites you visit. I suggest that you carry out the fixes indicated below but I would approach your ISP as soon as possible and ask them how to remove it and why they installed it in the first place. Do not attempt to uninstall the program yourself.

Please subscribe to this thread so you'll be notified as soon as we post your fix. To do this, please click here. On the proceeding page, make sure Instant notification by email is selected, then click Add subscription.

In the meanwhile, I suggest that you stop using Internet Explorer until we've fully disinfected your machine. Please download & use an alternative browser like Firefox.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

During the course of disinfection, I may ask you to fix a program that you wish to retain. Please post back to inform me.


WARNING
You are running HiJackThis from an inappropriate location. It should be run from a permanent folder. This program creates backup files which we may need to use later. If the program is in a temporary folder, important backups may be accidentally deleted.
  1. Please go into Windows Explorer
  2. Click on C:\
  3. Click on File > New > Folder
  4. Call it HJT, or another name of your choice.
  5. Move all files to the newly created folder.

Enable the viewing of Hidden files
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Select the Show hidden files and folders option.
  • Deselect the Hide file extensions for known types option.
  • Deselect the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

~~~~~~~~~~~~~~~

We require some additional files/programs for this fix. Please download the following files :-
Do not run any of the files unless instructed to do so

Download CleanUp! - Install but do not run it yet.

Download Hoster - Save to desktop.

Download KillBox v2.0.0.175 - Save to desktop.

Download DelO15Domains.inf - Right click & choose "Save As...". Save it to Desktop as DelO15Domains.inf.

Download Smitfraud.reg - Right click & choose "Save As...". Save it to Desktop as Smitfraud.reg.

Download ETRemover_v130.zip - Unzip to a new folder on Desktop.
  • From that folder, click on ETRemover_v130.exe
  • Click "About" >> "check for updates".
  • After it has updated itself, close that program. We'll run it later.

Download & RUN WinsockFix

Unplug your computer from the Internet when you have finished downloading.


~~~~~~~~~~~~~~~

Some Anti-Spyware Programmes are known to interfere with HJT fixes. If you have these programmes, please disable them by doing so ...

Search & Destroy Spybot's TeaTimer
  • Go to Tools>Resident - Deselect TeaTimer.
Microsoft AntiSpyware
  • Click on Options>Settings.
  • In the left pane, click on Real-time Protection.
  • Under Startup Options, Deselect Enable the Microsoft AntiSpyware Security Agents on startup.
  • Under Real-time spyware threat protection, Deselect Enable real-time spyware threat protection.
  • After you've done these, click on the Save button and close Microsoft AntiSpyware.
  • Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
Webroot SpySweeper
  • Go to the Options>Program Options.
  • Deselect Load at Windows Startup.
  • Click Shields and Deselect all items there.
  • Deselect Home page shield.
  • Deselect Automatically restore default without notification.
Ad-aware's Ad-Watch
  • Right-click on the Ad-Watch icon in the system tray
    At the bottom of the screen you will see 2 options Active and Automatic.
  • Deselect Active
  • Deselect Automatic
  • Go to "Tools & Preferences">Options
  • Deselect "Load Ad-Watch at Windows startup"

~~~~~~~~~~~~~~~

Uninstall the following programs using Control Panel>Add/Remove Programs :
  • Security IGuard
  • Virtual Maid
  • Search Maid
  • AntivirusGold

~~~~~~~~~~~~~~~

Using KillBox

Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard.
    C:\WINNT\eltt.dll (file missing)
    C:\DOCUME~1\stangm\APPLIC~1\thblldxckm.dll
    C:\DOCUME~1\stangm\LOCALS~1\Temp\app33.tmp
    c:\winnt\ykmhnkx.exe
    c:\winnt\cwldobu.exe
    c:\winnt\fffsbuu.exe
    c:\winnt\nktktjb.exe
    c:\winnt\ilesuqt.exe
    c:\winnt\qtnnefy.exe
    c:\winnt\lntmdic.exe
    c:\winnt\qwwmkrp.exe
    c:\winnt\nfynkla.exe
    c:\winnt\yomnrfl.exe
    c:\winnt\picpubl.exe
    c:\winnt\cycqwoq.exe
    c:\winnt\fipnleq.exe
    c:\winnt\hvdalyk.exe
    c:\winnt\iduonpx.exe
    c:\winnt\bdscrts.exe
    c:\winnt\esqdyha.exe
    c:\winnt\tucrkiy.exe
    c:\winnt\system32\flsmngr.dll
    C:\WINDOWS\System32\hp596C.tmp
    C:\WINDOWS\System32\hp5F27.tmp
    C:\WINDOWS\System32\hpC776.tmp
    C:\WINDOWS\System32\hookdump.exe
    C:\wp.exe
    C:\wp.bmp
    C:\bsw.exe
    C:\WINDOWS\sites.ini
    C:\WINDOWS\popuper.exe
    C:\WINDOWS\system32\hhk.dll
    C:\WINDOWS\System32\helper.exe
    C:\WINDOWS\System32\intmonp.exe
    C:\WINDOWS\System32\msmsgs.exe
    C:\WINDOWS\System32\ole32vbs.exe
    C:\WINDOWS\system32\msole32.exe
    C:\WINDOWS\System32\shnlog.exe
    C:\WINDOWS\System32\intmon.exe
    C:\WINDOWS\System32\msmsgs.exe
    C:\WINDOWS\System32\LogFiles\A5281300.so
    C:\WINDOWS\System32\winnook.exe
    C:\WINDOWS\desktop.html
    C:\WINDOWS\screen.html
    C:\WINDOWS\zloader3.exe
    C:\WINDOWS\system32\oleadm.dll
    C:\WINDOWS\system32\oleadm32.dll

Start KillBox.
  1. Go to the File menu, and choose "Paste from Clipboard".
    Verify that you've done this properly by clicking the dropdown-arrow next to the "Full Path of File to Delete" field. The filenames you pasted will be found in there.
  2. Select/tick the following:
    • "Delete on Reboot"
    • "End Explorer Shell While Killing File"
    • "Unregister.dll Before Deleting" if it's not grayed out.
  3. Click the RED X button.
  4. Click "Yes" at the 'Delete on Reboot' prompt. Click "Yes" at the Pending Operations prompt.

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


~~~~~~~~~~~~~~~

Reboot to Safe Mode
  1. Shut Windows down, and then turn off the computer.
  2. Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
  3. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears.
  4. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

~~~~~~~~~~~~~~~

Run ETRemover_v130.exe, then click the "Kill Elite Toolbar" button and wait until it finishes its work.

* Occasionally a DOS box may appear asking your permission to delete some files in temporary Windows directories. You must accept the deletion of these to be sure of properly removing the malware!


~~~~~~~~~~~~~~~

Remove a malware service.
  1. Click Start>Run, type services.msc into the Open editbox and click the Ok button.
  2. Locate the LogonSvc (LogonSvcID) service and double-click on it to open the Properties dialog.
  3. Click the Stop button.
  4. In the Startup type dropdown select Disabled.
  5. Click the Apply button and then the Ok button.
  6. Close the Services window.
  7. Then start HiJackThis & go to Config>Misc.Tools>Delete an NT service....
    In the popup box that appears, type in LogonSvcID & click the "OK" button.

~~~~~~~~~~~~~~~

Run a scan with HiJackThis & select (tick) the following & click "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-searchengine.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie-searchengine.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie-searchengine.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ie-searchengine.com/
O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINNT\eltt.dll (file missing)
O2 - BHO: gpgigvdzxevnzufmlfxl - {54d8a0cf-3cf1-4119-83e2-ec55aeef8667} - C:\DOCUME~1\stangm\APPLIC~1\thblldxckm.dll (file missing)
O4 - HKLM\..\Run: [eltupt] C:\WINNT\eltupt.exe
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\stangm\LOCALS~1\Temp\app33.tmp
O4 - HKCU\..\Run: [ehovxxe] c:\winnt\ykmhnkx.exe
O4 - HKCU\..\Run: [aynffjx] c:\winnt\ykmhnkx.exe
O4 - HKCU\..\Run: [nukanme] c:\winnt\ykmhnkx.exe
O4 - HKCU\..\Run: [vqwevho] c:\winnt\ykmhnkx.exe
O4 - HKCU\..\Run: [oxtbwid] c:\winnt\ykmhnkx.exe
O4 - HKCU\..\Run: [vofexfw] c:\winnt\ykmhnkx.exe
O4 - HKCU\..\Run: [ptoscqu] c:\winnt\ykmhnkx.exe
O4 - HKCU\..\Run: [rvgtxdu] c:\winnt\ykmhnkx.exe
O4 - HKCU\..\Run: [yqbhdiu] c:\winnt\ykmhnkx.exe
O4 - HKCU\..\Run: [yxkqyyj] c:\winnt\ykmhnkx.exe
O4 - HKCU\..\Run: [lijgrbl] c:\winnt\ykmhnkx.exe
O4 - HKCU\..\Run: [ursgvcs] c:\winnt\cwldobu.exe
O4 - HKCU\..\Run: [yvdvgnm] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [tynklng] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [fvmkxwq] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [mpeucaa] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [alhbbpy] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [lgumuio] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [jhywapb] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [hqyyyxe] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [wsxlgju] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [dxujbaq] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [smewcqn] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [uuybmwj] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [wlkjlrc] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [hrnhqwt] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [elogpyx] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [kcppgaf] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [premphk] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [kxshpxa] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [runmgtu] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [idfdrxt] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [tvvpsss] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [psvdyxk] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [raryjcy] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [qkmkerg] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [mmmquvx] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [taendwj] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [etvqtoi] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [epmwxui] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [aqxemjq] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [ngrikny] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [aoobako] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [nkjvaob] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [counceg] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [jhoovsi] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [pviolbk] c:\winnt\fffsbuu.exe
O4 - HKCU\..\Run: [btfenlq] c:\winnt\nktktjb.exe
O4 - HKCU\..\Run: [juuxltj] c:\winnt\nktktjb.exe
O4 - HKCU\..\Run: [myenuty] c:\winnt\gfkiiri.exe
O4 - HKCU\..\Run: [vfybcma] c:\winnt\ilesuqt.exe
O4 - HKCU\..\Run: [tnibbsl] c:\winnt\ilesuqt.exe
O4 - HKCU\..\Run: [dlsqvhj] c:\winnt\ilesuqt.exe
O4 - HKCU\..\Run: [nracmvt] c:\winnt\ilesuqt.exe
O4 - HKCU\..\Run: [kfkswyf] c:\winnt\ilesuqt.exe
O4 - HKCU\..\Run: [tjoofiy] c:\winnt\ilesuqt.exe
O4 - HKCU\..\Run: [esbcvrk] c:\winnt\ilesuqt.exe
O4 - HKCU\..\Run: [yskwbrn] c:\winnt\qtnnefy.exe
O4 - HKCU\..\Run: [ygrxkqa] c:\winnt\qtnnefy.exe
O4 - HKCU\..\Run: [kqbydlm] c:\winnt\qtnnefy.exe
O4 - HKCU\..\Run: [tpnatlc] c:\winnt\qtnnefy.exe
O4 - HKCU\..\Run: [dnnkdfj] c:\winnt\qtnnefy.exe
O4 - HKCU\..\Run: [emamkgq] c:\winnt\qtnnefy.exe
O4 - HKCU\..\Run: [dkqdfjp] c:\winnt\lntmdic.exe
O4 - HKCU\..\Run: [hbecset] c:\winnt\qwwmkrp.exe
O4 - HKCU\..\Run: [xwswbga] c:\winnt\qwwmkrp.exe
O4 - HKCU\..\Run: [hlgrgvf] c:\winnt\qwwmkrp.exe
O4 - HKCU\..\Run: [mcehvty] c:\winnt\qwwmkrp.exe
O4 - HKCU\..\Run: [grinhdj] c:\winnt\qwwmkrp.exe
O4 - HKCU\..\Run: [xaxfwft] c:\winnt\qwwmkrp.exe
O4 - HKCU\..\Run: [uxflofo] c:\winnt\qwwmkrp.exe
O4 - HKCU\..\Run: [anytxkr] c:\winnt\nfynkla.exe
O4 - HKCU\..\Run: [beldlca] c:\winnt\nfynkla.exe
O4 - HKCU\..\Run: [ifdxhdt] c:\winnt\nfynkla.exe
O4 - HKCU\..\Run: [ksxiycd] c:\winnt\nfynkla.exe
O4 - HKCU\..\Run: [suorclj] c:\winnt\nfynkla.exe
O4 - HKCU\..\Run: [kmudgdg] c:\winnt\nfynkla.exe
O4 - HKCU\..\Run: [qfkrjwe] c:\winnt\yomnrfl.exe
O4 - HKCU\..\Run: [dadqiag] c:\winnt\yomnrfl.exe
O4 - HKCU\..\Run: [lsrkptn] c:\winnt\yomnrfl.exe
O4 - HKCU\..\Run: [xdlkecp] c:\winnt\yomnrfl.exe
O4 - HKCU\..\Run: [pkybsdm] c:\winnt\picpubl.exe
O4 - HKCU\..\Run: [mgllwuj] c:\winnt\cycqwoq.exe
O4 - HKCU\..\Run: [puwbcsm] c:\winnt\fipnleq.exe
O4 - HKCU\..\Run: [wxgoeqs] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [crocilg] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [fkmyskr] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [bekqxpb] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [ufxwjtw] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [eoebxhf] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [cxibfdh] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [ixijsnh] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [sumpwfy] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [gbyvokv] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [hyglnfb] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [lxhqdfk] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [tmcpngy] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [vjaasef] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [mqywlbk] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [drqgysc] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [uamepyw] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [tyoeruc] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [nnoijgw] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [anjvivs] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [kefceao] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [fuafgxx] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [jbtppks] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [heqoqta] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [njjwaex] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [gyovrhe] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [jftryik] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [alqdgve] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [qafxcqb] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [eqlltpl] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [huttepj] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [kkcqugt] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [nsvwoen] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [xkscmnv] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [utvflhx] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [kvhtqxe] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [nnyokcm] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [ptrfhsk] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [rundccv] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [hwwysde] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [nnublxk] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [awodcol] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [hmxdgrl] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [dbugudr] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [gttdiga] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [mdfjowy] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [ypjnpsl] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [prfcmyq] c:\winnt\hvdalyk.exe
O4 - HKCU\..\Run: [nhppgqa] c:\winnt\iduonpx.exe
O4 - HKCU\..\Run: [fplgtdt] c:\winnt\iduonpx.exe
O4 - HKCU\..\Run: [ontmkrk] c:\winnt\iduonpx.exe
O4 - HKCU\..\Run: [pqrvpnp] c:\winnt\iduonpx.exe
O4 - HKCU\..\Run: [pradlra] c:\winnt\yxdoeen.exe
O4 - HKCU\..\Run: [soaqskr] c:\winnt\bdscrts.exe
O4 - HKCU\..\Run: [dcmpemq] c:\winnt\bdscrts.exe
O4 - HKCU\..\Run: [bbwkkpf] c:\winnt\bdscrts.exe
O4 - HKCU\..\Run: [lfnrwjc] c:\winnt\bdscrts.exe
O4 - HKCU\..\Run: [lddfapk] c:\winnt\bdscrts.exe
O4 - HKCU\..\Run: [ssobfmp] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [hnjnhuc] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [tjfpjow] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [syidvxj] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [xjfnqig] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [wsgwkqk] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [avfvtrk] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [wenewlu] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [ldksfip] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [oglleta] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [nfopmvo] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [simcmqg] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [dftukcv] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [syvqjjb] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [mrywnob] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [cmfnbrg] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [srfjace] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [jngnomf] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [sulnafl] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [rexhluf] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [xbqilpw] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [hfdbdme] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [tvqmkxb] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [tfhmjrp] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [ywvuoud] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [ycpahbi] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [aielcjs] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [jgeqesn] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [suimeet] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [wvkeihn] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [xbyypky] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [jmfpgey] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [maeeydh] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [lgqasgu] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [egsjnin] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [uoawycr] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [hobrfjy] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [jpfyotf] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [celtniw] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [bylnjwq] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [ptgbrwr] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [xcpipou] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [wyalseb] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [cqybdfs] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [vdwgmal] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [lpfuwrm] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [iwumpkx] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [cwishwk] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [icwrhyd] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [iurbbje] c:\winnt\esqdyha.exe
O4 - HKCU\..\Run: [xnliasw] c:\winnt\tucrkiy.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\flsmngr.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {FCC56E79-0FA2-4969-9164-06F140763455} (ActiveFormX Control) - http://klikw.com/awd/cabs/10110.cab
O23 - Service: LogonSvc (LogonSvcID) - WiredRed Software - C:\WINNT\LogonSvc.exe



~~~~~~~~~~~~~~~

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
  1. Click "Options..."
  2. Move the arrow down to Custom CleanUp!
  3. Put a check next to the following:
    • Empty Recycle Bins
    • Delete Cookies
    • Delete Prefetch files
    • [X]Scan local drives for temporary files (Please uncheck this option)
    • Cleanup! All Users
  4. Click "OK"
  5. Press the "CleanUp!" button to start the program. Reboot/logoff when prompted.
* CleanUp! will delete all the files in your temp folders

~~~~~~~~~~~~~~~

Reboot to Normal Mode.

Do TWO online scans from the following sites:
Take note of the names and locations of any file they detect but fail to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan


Reboot Again & Run a new scan with HiJackThis. Save the log file and post the contents in your next reply.

In your next post, please include:
  • Copy of HiJackThis log
  • List of files that online scans failed to disinfect

Please provide details of any problems you encountered whilst performing the above steps.

Tell me how your computer behaves after this onslaught.
__________________

Question - what have you done for the community today?

Last edited by sUBs; 07-01-2005 at 02:05 AM.
sUBs is offline  
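The O4 block quoted above is the tell-tale shape of this infection: dozens of Run values with generated seven-letter names, all launching a handful of equally random executables dropped straight into C:\WINNT, plus an LSP DLL that HijackThis cannot identify. The script below is an added example of mine, not part of the thread and not HijackThis code. It parses O4 and O10 lines, groups Run entries by the file they launch, and scores each file on three indicators that are my own assumptions, not anything HijackThis does: a random-looking value name, several value names pointing at one binary, and a file sitting in the Windows root, in a Temp folder, or not ending in .exe. The sample lines are copied from the logs in this thread; the thresholds are mine.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the HijackThis logs
# posted in this thread (not the full logs), plus three benign entries.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [eltupt] C:\WINNT\eltupt.exe
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\stangm\LOCALS~1\Temp\app33.tmp
O4 - HKCU\..\Run: [ehovxxe] c:\winnt\ykmhnkx.exe
O4 - HKCU\..\Run: [aynffjx] c:\winnt\ykmhnkx.exe
O4 - HKCU\..\Run: [ursgvcs] c:\winnt\cwldobu.exe
O4 - HKCU\..\Run: [myenuty] c:\winnt\gfkiiri.exe
O4 - HKCU\..\Run: [pcaepjf] c:\winnt\tucrkiy.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Track-It! Remote] C:\Documents and Settings\stangm\TIREMOTE\tiremote.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\flsmngr.dll
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+)$")
EXE_RE = re.compile(r"(.*?\.(?:exe|com|scr|pif|bat|cmd|dll|tmp))(?:\s|$)", re.IGNORECASE)
WINDOWS_ROOTS = {"c:\\winnt", "c:\\windows"}  # bare Windows directory, not system32


def target_of(cmd):
    """Pull the launched file out of a Run command line (quoted path, or path plus arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd


def parse_o4(line):
    """Return {'hive', 'name', 'target'} for an O4 Run line, or None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, name, cmd = m.groups()
    return {"hive": hive, "name": name, "target": target_of(cmd)}


def looks_random(name):
    """My heuristic, not HijackThis's: 6-8 lowercase letters containing a run of 3+ consonants,
    which fits the generated value names in this log (ehovxxe, fffsbuu, ursgvcs ...)."""
    n = name.lower()
    return bool(re.fullmatch(r"[a-z]{6,8}", n)) and re.search(r"[^aeiou]{3}", n) is not None


def location_indicators(target):
    """Flag files directly in the Windows directory, in a Temp folder, or not ending in .exe."""
    found = set()
    d = ntpath.dirname(target).lower().rstrip("\\")
    if d in WINDOWS_ROOTS:
        found.add("windows-root")
    if re.search(r"\\(temp|tmp)(\\|$)", d):
        found.add("temp-dir")
    if ntpath.splitext(target)[1].lower() != ".exe":
        found.add("non-exe-target")
    return found


def triage_o4(lines):
    """Group Run entries by the file they launch and score each file on the indicators above."""
    by_target = defaultdict(lambda: {"names": [], "indicators": set()})
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        rec = by_target[entry["target"].lower()]
        rec["names"].append(entry["name"])
        if looks_random(entry["name"]):
            rec["indicators"].add("random-name")
        rec["indicators"] |= location_indicators(entry["target"])
    for rec in by_target.values():
        if len(rec["names"]) > 1:  # one binary registered under many value names
            rec["indicators"].add("multiple-run-names")
        score = len(rec["indicators"])
        rec["verdict"] = "fix" if score >= 2 else "review" if score == 1 else "ok"
    return dict(by_target)


def unknown_lsps(lines):
    """Distinct DLLs HijackThis could not identify in the Winsock LSP chain (O10 lines)."""
    seen = []
    for line in lines:
        m = O10_RE.match(line.strip())
        if m and m.group(1).lower() not in seen:
            seen.append(m.group(1).lower())
    return seen


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for target, rec in sorted(triage_o4(lines).items(), key=lambda kv: kv[1]["verdict"]):
        print(f"{rec['verdict']:6} {target}  names={rec['names']}  {sorted(rec['indicators'])}")
    for dll in unknown_lsps(lines):
        print("LSP    ", dll, "(repair the Winsock catalog, do not just delete the file)")
```

A "fix" verdict is what you would tick in HijackThis; "review" means a single indicator, so look at the file before removing it (eltupt.exe is in the fix list above even though its name passes the heuristic, which is why location alone is worth a flag). The O10 entries need different handling: deleting flsmngr.dll by itself leaves dangling Winsock catalog entries and can break all networking, so repair the LSP chain with a tool such as LSPFix rather than only removing the DLL.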
Old 07-01-2005, 09:16 PM   #3 (permalink)
I helped the forums.
 
Join Date: Jun 2005
Posts: 12
OS: Windows 2000


Followed Your Instructions

I have followed your directions, and it appears that my IE browser is no longer getting hijacked by another site. After following your instructions, I ran the Panda and Trend Micro scans. Panda still found files that it couldn't disinfect. Here is the result of that scan.


Incident Status Location

Adware:Adware/Findspy No disinfected C:\Documents and Settings\stangm\Favorites\ FREE Access to 800 Paid sites.url
Adware:Adware/Findspy No disinfected C:\Documents and Settings\stangm\Favorites\ Free Spy Cam - Realtime.url
Adware:Adware/Ie-Searchengine No disinfected C:\WINNT\gfkiiri.exe
Virus:Trj/Downloader.L Disinfected C:\WINNT\inf\susp.inf
Adware:Adware/Ie-Searchengine No disinfected C:\WINNT\nquckbm.exe
Spyware:Spyware/BetterInet No disinfected C:\WINNT\susp.ini
Adware:Adware/IGetNet No disinfected C:\WINNT\system\rules.dat
Adware:Adware/SAHAgent No disinfected C:\WINNT\system32\Agent.dll
Spyware:Spyware/Whazit No disinfected C:\WINNT\system32\cards.ico
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\system32\cm1.dll
Adware:Adware/Comet No disinfected C:\WINNT\system32\CometTB.dll
Adware:Adware/Comet No disinfected C:\WINNT\system32\CometTB.exe
Adware:Adware/BrowsePal No disinfected C:\WINNT\system32\ctbv2.dll
Adware:Adware/BrowsePal No disinfected C:\WINNT\system32\ctb_s.exe
Adware:Adware/DelFinMedia No disinfected C:\WINNT\system32\dp-o13m09.exe
Adware:Adware/DelFinMedia No disinfected C:\WINNT\system32\dp_o13m09.dll
Adware:Adware/KeenValue No disinfected C:\WINNT\system32\drivers\etc\hosts.bho
Adware:Adware/Ie-Searchengine No disinfected C:\WINNT\system32\fidbaaaa.exe
Spyware:Spyware/Whazit No disinfected C:\WINNT\system32\fiz1
Virus:Trj/Downloader.DGG Disinfected C:\WINNT\system32\kixaaaaa.exe
Spyware:Spyware/Whazit No disinfected C:\WINNT\system32\kyf.dat
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\system32\mset_bbi8010.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\system32\OMsetup.exe
Adware:Adware/RCSync No disinfected C:\WINNT\system32\pr1ze5.dll
Adware:Adware/RCSync No disinfected C:\WINNT\system32\prizesurfer_setup.exe
Adware:Adware/SAHAgent No disinfected C:\WINNT\system32\sahagent1001.exe
Adware:Adware/SAHAgent No disinfected C:\WINNT\system32\sahagent1003.exe
Virus:Bck/Agent.ZN Disinfected C:\WINNT\system32\sender.exe
Adware:Adware/SAHAgent No disinfected C:\WINNT\system32\SHAgent.dll
Virus:Bck/Agent.ZN Disinfected C:\WINNT\system32\socks.exe
Virus:W32/Smitfraud.A Disinfected C:\WINNT\system32\wininet.dll
Adware:Adware/MyWay No disinfected C:\WINNT\system32\Xcite.dll
Adware:Adware/nCase No disinfected C:\WINNT\system32\Xcite.exe
Virus:Bck/Agent.ZN Disinfected C:\WINNT\system32\ynyfraaa.exe
Spyware:Spyware/ShopNav No disinfected C:\WINNT\unist2.exe
Adware:Adware/Ie-Searchengine No disinfected C:\WINNT\xrkcbyw.exe
Adware:Adware/Ie-Searchengine No disinfected C:\WINNT\yxdoeen.exe

The Trend Micro scan did not find any problems or viruses. After running these 2 scans, I rebooted again and then reran Hijackthis. Here is the resulting log of Hijackthis.

Logfile of HijackThis v1.99.1
Scan saved at 10:59:34 PM, on 7/1/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Quest Shared\Launcher\quest_launcher.exe
C:\WINNT\LogonSvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Host Integration Server\system\ddmserv.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\system32\msiexec.exe
C:\WINNT\Explorer.EXE
C:\OfficeScan NT\pccntmon.exe
D:\QuickTime\qttask.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Geek Superhero\GeekSuperhero.exe
C:\Program Files\Geek Superhero\GeekSuperhero.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\TIREMOTE\tiremote.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/old
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINNT\eltt.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: PhishingNet BHO - {DE3A0297-5EFF-4FF2-A48D-ABBC67D4D774} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "D:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Geek Superhero] C:\Program Files\Geek Superhero\GeekSuperhero.exe
O4 - HKCU\..\Run: [Track-It! Remote] C:\Documents and Settings\stangm\TIREMOTE\tiremote.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - HKCU\..\Run: [pcaepjf] c:\winnt\tucrkiy.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Phishing Net Options - {B1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://orafin_ap_test.pbso.org:8892/...jinit11816.exe
O16 - DPF: {9F77A997-F0F3-11D1-9195-00C04FC990DC} - http://orafin_ap_prod.pbso.org:7004/...init115211.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pbso.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pbso.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pbso.org
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Quest Launcher Service (LaunchService) - Quest Software - C:\Program Files\Common Files\Quest Shared\Launcher\quest_launcher.exe
O23 - Service: LogonSvc (LogonSvcID) - WiredRed Software - C:\WINNT\LogonSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: OracleClientCache80 - Unknown owner - D:\ORANTDEV2000\BIN\ONRSD80.EXE
O23 - Service: OracleORANT8iAgent - Oracle Corporation - D:\orant8i\bin\dbsnmp.exe
O23 - Service: OracleORANT8iClientCache - Unknown owner - D:\orant8i\BIN\ONRSD.EXE
O23 - Service: OracleORANT8iDataGatherer - Oracle Corporation - D:\orant8i\bin\vppdc.exe
O23 - Service: OracleORANT8iHTTPServer - Unknown owner - D:\orant8i\Apache\Apache\Apache.exe
O23 - Service: OracleORANT8iManagementServer - Unknown owner - D:\orant8i\bin\OMSNTsrv.exe
O23 - Service: OracleORANT8iPagingServer - Unknown owner - D:\orant8i/bin/pagntsrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\OfficeScan NT\tmlisten.exe

You have been very helpful thus far, and I really appreciate it. This site really provides a valuable service. I look forward to hearing your response to this posting. Thanks, Mark
Harleymaninwpb is offline  
Old 07-02-2005, 12:34 AM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 24,445
OS: N/A


You have done well. Most of it has been cleared. Let's continue with round #2.

~~~~~~~~~~~~~~~

Uninstall the following programs (if present) using Control Panel > Add/Remove Programs:
  • Delfin Media Viewer
  • Bargain Buddy
  • Navi Search
  • MyWay

~~~~~~~~~~~~~~~

Run a scan with HiJackThis, select (tick) the following & click "Fix checked":

O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINNT\eltt.dll (file missing)
O4 - HKCU\..\Run: [pcaepjf] c:\winnt\tucrkiy.exe



~~~~~~~~~~~~~~~

Using KillBox

Copy all the items below to the clipboard by highlighting them & pressing [CTRL]+[C] on your keyboard.
    C:\WINNT\nquckbm.exe
    C:\WINNT\susp.ini
    C:\WINNT\system\rules.dat
    C:\WINNT\system32\Agent.dll
    C:\WINNT\system32\cards.ico
    C:\WINNT\system32\cm1.dll
    C:\WINNT\system32\CometTB.dll
    C:\WINNT\system32\CometTB.exe
    C:\WINNT\system32\ctbv2.dll
    C:\WINNT\system32\ctb_s.exe
    C:\WINNT\system32\dp-o13m09.exe
    C:\WINNT\system32\dp_o13m09.dll
    C:\WINNT\system32\drivers\etc\hosts.bho
    C:\WINNT\system32\fidbaaaa.exe
    C:\WINNT\system32\fiz1
    C:\WINNT\system32\kixaaaaa.exe
    C:\WINNT\system32\kyf.dat
    C:\WINNT\system32\mset_bbi8010.exe
    C:\WINNT\system32\OMsetup.exe
    C:\WINNT\system32\pr1ze5.dll
    C:\WINNT\system32\prizesurfer_setup.exe
    C:\WINNT\system32\sahagent1001.exe
    C:\WINNT\system32\sahagent1003.exe
    C:\WINNT\system32\SHAgent.dll
    C:\WINNT\system32\Xcite.dll
    C:\WINNT\system32\Xcite.exe
    C:\WINNT\system32\ynyfraaa.exe
    C:\WINNT\unist2.exe
    C:\WINNT\xrkcbyw.exe
    C:\WINNT\yxdoeen.exe
    C:\WINNT\eltt.dll
    c:\winnt\tucrkiy.exe

Start KillBox.
  1. Go to the File menu, and choose "Paste from Clipboard".
    Verify that you've done this properly by clicking the dropdown-arrow next to the "Full Path of File to Delete" field. The filenames you pasted will be found in there.
  2. Select/tick the following:
    • "Delete on Reboot"
    • "End Explorer Shell While Killing File"
    • "Unregister .dll Before Deleting" if it's not grayed out.
  3. Click the RED X button.
  4. Click "Yes" at the 'Delete on Reboot' prompt. Click "Yes" at the Pending Operations prompt.

~~~~~~~~~~~~~~~

Upon reboot, Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
  1. Click "Options..."
  2. Move the arrow down to Custom CleanUp!
  3. Put a check next to the following:
    • Empty Recycle Bins
    • Delete Cookies
    • Delete Prefetch files
    • [X]Scan local drives for temporary files (Please uncheck this option)
    • Cleanup! All Users
  4. Click "OK"
  5. Press the "CleanUp!" button to start the program. Reboot/logoff when prompted.
* CleanUp! will delete all the files in your temp folders


Post a fresh HJT log & tell me if you still have pop-ups or browser hijacks.
__________________

Question - what have you done for the community today?
sUBs is offline  
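Two steps in this thread meet here: the Panda report in the previous post (whose "No disinfected" locations became the KillBox list) and the "Delete on Reboot" step above. Windows has its own deferred-delete mechanism: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT stores (source, destination) pairs in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and the session manager carries them out early in the next boot, before the files can be opened or locked. That KillBox's "Delete on Reboot" is built on this mechanism is my assumption, not something the post states. The code below is an added example of mine, not from the thread and not KillBox's code: it parses the Panda lines, keeps only the files Panda could not disinfect, builds the pending entries, and decodes an existing value so you can confirm what is queued before rebooting. The sample lines are copied from the report in the previous post; the two Windows-only helpers at the end need an elevated prompt and are only exercised on Windows.

```python
import re

PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"  # object-manager prefix the session manager expects on each path

# Constructed sample: five lines copied from the Panda ActiveScan report posted above.
PANDA_REPORT = r"""
Adware:Adware/Ie-Searchengine No disinfected C:\WINNT\nquckbm.exe
Virus:Trj/Downloader.L Disinfected C:\WINNT\inf\susp.inf
Spyware:Spyware/BetterInet No disinfected C:\WINNT\susp.ini
Virus:W32/Smitfraud.A Disinfected C:\WINNT\system32\wininet.dll
Adware:Adware/Ie-Searchengine No disinfected C:\WINNT\yxdoeen.exe
"""

PANDA_RE = re.compile(r"^(\w+):(\S+)\s+(No disinfected|Disinfected)\s+(.+)$")


def undisinfected_paths(report):
    """Locations Panda reported as 'No disinfected'. Files it disinfected in place
    (wininet.dll here, a system DLL) are deliberately left alone."""
    paths = []
    for line in report.splitlines():
        m = PANDA_RE.match(line.strip())
        if m and m.group(3) == "No disinfected":
            paths.append(m.group(4).strip())
    return paths


def build_delete_entries(paths):
    """REG_MULTI_SZ entries that delete each path at the next boot: the value is a flat
    list of (source, destination) pairs, source in NT form, empty destination = delete."""
    entries = []
    for p in paths:
        entries.append(p if p.startswith(NT_PREFIX) else NT_PREFIX + p)
        entries.append("")
    return entries


def _strip_nt(p):
    return p[len(NT_PREFIX):] if p.startswith(NT_PREFIX) else p


def parse_pending(entries):
    """Decode an existing value into (source, destination, op) tuples so you can see what
    is queued before rebooting. A destination starting with '!' means replace-existing."""
    ops = []
    it = iter(entries)
    for src in it:
        dst = next(it, "")
        if dst == "":
            ops.append((_strip_nt(src), None, "delete"))
        else:
            op = "replace" if dst.startswith("!") else "rename"
            ops.append((_strip_nt(src), _strip_nt(dst.lstrip("!")), op))
    return ops


def merge_pending(existing, paths):
    """Append deletions to whatever is already queued (e.g. by KillBox), skipping duplicates."""
    queued = {src.lower() for src, _, op in parse_pending(existing) if op == "delete"}
    fresh = [p for p in paths if p.lower() not in queued]
    return list(existing) + build_delete_entries(fresh)


def read_pending_windows():
    """Windows only: the list currently stored in the registry (empty if nothing is queued)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
        try:
            value, _kind = winreg.QueryValueEx(key, PENDING_VALUE)
        except FileNotFoundError:
            return []
    return list(value)


def queue_delete_windows(path):
    """Windows only, needs admin: the documented API that writes the value above.
    A NULL destination with MOVEFILE_DELAY_UNTIL_REBOOT (0x4) means delete at boot."""
    import ctypes
    MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
    if not ctypes.windll.kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError()


if __name__ == "__main__":
    queued = build_delete_entries(undisinfected_paths(PANDA_REPORT))
    for src, dst, op in parse_pending(queued):
        print(op, src, dst or "")
```

Keeping only the "No disinfected" rows matters: Panda repaired C:\WINNT\system32\wininet.dll in place, and queueing that system DLL for deletion would leave Internet Explorer and everything else built on WinINet broken after the reboot. On the infected machine, read_pending_windows() after KillBox's reboot prompt (and before rebooting) lets you compare what KillBox queued against the list you pasted into it.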
Old 07-02-2005, 06:56 AM   #5 (permalink)
I helped the forums.
 
Join Date: Jun 2005
Posts: 12
OS: Windows 2000


Thanks for the reply. I followed your instructions.

Below is the output of the hijackthis.log after following your previous instructions.


Logfile of HijackThis v1.99.1
Scan saved at 8:46:06 AM, on 7/2/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Quest Shared\Launcher\quest_launcher.exe
C:\WINNT\LogonSvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Host Integration Server\system\ddmserv.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\Explorer.EXE
C:\OfficeScan NT\pccntmon.exe
D:\QuickTime\qttask.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\TIREMOTE\tiremote.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/old
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: PhishingNet BHO - {DE3A0297-5EFF-4FF2-A48D-ABBC67D4D774} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "D:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [Track-It! Remote] C:\Documents and Settings\stangm\TIREMOTE\tiremote.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Phishing Net Options - {B1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://orafin_ap_test.pbso.org:8892/...jinit11816.exe
O16 - DPF: {9F77A997-F0F3-11D1-9195-00C04FC990DC} - http://orafin_ap_prod.pbso.org:7004/...init115211.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pbso.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pbso.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pbso.org
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Quest Launcher Service (LaunchService) - Quest Software - C:\Program Files\Common Files\Quest Shared\Launcher\quest_launcher.exe
O23 - Service: LogonSvc (LogonSvcID) - WiredRed Software - C:\WINNT\LogonSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: OracleClientCache80 - Unknown owner - D:\ORANTDEV2000\BIN\ONRSD80.EXE
O23 - Service: OracleORANT8iAgent - Oracle Corporation - D:\orant8i\bin\dbsnmp.exe
O23 - Service: OracleORANT8iClientCache - Unknown owner - D:\orant8i\BIN\ONRSD.EXE
O23 - Service: OracleORANT8iDataGatherer - Oracle Corporation - D:\orant8i\bin\vppdc.exe
O23 - Service: OracleORANT8iHTTPServer - Unknown owner - D:\orant8i\Apache\Apache\Apache.exe
O23 - Service: OracleORANT8iManagementServer - Unknown owner - D:\orant8i\bin\OMSNTsrv.exe
O23 - Service: OracleORANT8iPagingServer - Unknown owner - D:\orant8i/bin/pagntsrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\OfficeScan NT\tmlisten.exe

I look forward to hearing from you again. Just a further note. I have installed Norton Internet Security 2005 and it is still telling me that I have the w32.desktophijack virus in c:\winnt\system32\wininet.dll file. Please advise on this also. Thanks again, Mark
Harleymaninwpb is offline  
Old 07-02-2005, 11:03 AM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,445
OS: N/A


Please upload c:\winnt\system32\wininet.dll to this site and submit it. Post the analysis here.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 07-02-2005, 05:21 PM   #7 (permalink)
I helped the forums.
 
Join Date: Jun 2005
Posts: 12
OS: Windows 2000


Here is the scan of c:\winnt\system32\wininet.dll

Jotti's malware scan 2.99-TRANSITION_TO_3.00

File: wininet.dll
Status: INFECTED/MALWARE
MD5 7a755ce0a27d04a440930af93fb15893
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found Trojan.Oleadm.Callgate
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.DownLoader.2636
F-Prot Antivirus Found W32/Oleadm.A
Fortinet Found Nsag.A
Kaspersky Anti-Virus Found Virus.Win32.Nsag.a
NOD32 Found Win32/Oleloa.A
Norman Virus Control Found nothing
UNA Found Win32.Nsag.a
VBA32 Found Virus.Win32.Nsag.a

Disclaimer
This service is by no means 100% safe. If this scanner says 'OK', it does not necessarily mean the file is clean. There could be a whole new virus on the loose. NEVER EVER rely on one single product only, not even this service, even though it utilizes several products. Therefore, I cannot and will not be held responsible for any damage caused by results presented by this non-profit online service.
Harleymaninwpb is offline  
Old 07-02-2005, 11:51 PM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,445
OS: N/A


Reboot into Safe Mode.
  • Go to the directory - c:\winnt\system32\
  • Rename the file wininet.dll to wininet.old
  • Click Start, Search, and For Files Or Folders to try to locate other instances of wininet.dll.
  • If you find more than one copy of the file, check the version information for each file (you can find this information by right-clicking the file, selecting Properties, and selecting the Version tab).
  • Copy the most recent version to the C:\WINNT\SYSTEM32 directory.
If you don't find Wininet.dll, visit Microsoft's Internet Explorer home page (www.microsoft.com/windows/ie) to download the latest version of IE, which includes the Wininet.dll file.
__________________

Question - what have you done for the community today?
sUBs is offline  
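The advice in the post above rests on two checks a responder can make on a copy of the suspect DLL without touching the live system: confirm that the file is the one the multi-engine scan flagged, and look at whether the PE structure shows the marks of an appending file infector (the engines that did fire above classify the sample as a Win32 virus rather than a trojan, and infectors of that kind typically hang their code off the end of the host and redirect the entry point to it). The following Python script is an added example, not code from the thread or from any of the vendors named in it. It compares the file's MD5 against the hash Jotti reported for this sample, then parses the PE headers by hand (no third-party library) to flag an entry point in the last section or a section that is both writable and executable. The sample PE bytes, the section name `.vir`, and the heuristics themselves are my own constructions for the example; a hit on the structural checks is a reason to pull the file for analysis, not a verdict.

```python
import hashlib
import struct

# MD5 that Jotti reported for the infected wininet.dll in this thread (scan output above).
KNOWN_BAD_MD5 = {
    "7a755ce0a27d04a440930af93fb15893": "wininet.dll / Virus.Win32.Nsag.a (Jotti result in this thread)",
}

# PE section characteristics (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes):
    """Decode just enough of a PE32/PE32+ header to get the entry point RVA and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
        name, vsize, va, rsize, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va,
            "size": max(vsize, rsize),
            "chars": chars,
        })
    return entry_rva, sections


def triage(data: bytes):
    """Offline checks for a suspect system DLL; returns a list of human-readable findings."""
    findings = []
    md5 = hashlib.md5(data).hexdigest()
    if md5 in KNOWN_BAD_MD5:
        findings.append("MD5 %s matches known-bad sample: %s" % (md5, KNOWN_BAD_MD5[md5]))
    entry, sections = parse_pe(data)
    home = next((s for s in sections if s["va"] <= entry < s["va"] + s["size"]), None)
    if home is None:
        findings.append("entry point 0x%x lies outside every section" % entry)
    elif len(sections) > 1 and home is sections[-1]:
        # Appending infectors add a section (or grow the last one) and point the entry point at it.
        findings.append("entry point 0x%x is in the last section '%s': appended-code infector pattern"
                        % (entry, home["name"]))
    for s in sections:
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append("section '%s' is both writable and executable" % s["name"])
    return findings


def build_sample_pe(infected: bool) -> bytes:
    """Constructed minimal PE32 header with no real code, used only to exercise triage()."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    secs = [
        (b".text", 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".data", 0x2000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    entry = 0x1100  # inside .text, as in a clean build
    if infected:
        # Hypothetical appended section (name chosen for the example) that now owns the entry point.
        secs.append((b".vir", 0x3000,
                     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE))
        entry = 0x3010
    opt_size = 0xE0  # standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, opt_size, 0x2102)  # i386, executable, DLL
    opt = struct.pack("<HBBIIII", 0x10B, 6, 0, 0x1000, 0x1000, 0, entry)
    opt += b"\0" * (opt_size - len(opt))
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0x1000, va, 0x1000, 0x400 * (i + 1), 0, 0, 0, 0, chars)
        for i, (name, va, chars) in enumerate(secs)
    )
    return dos + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(infected=True)
    for finding in triage(data) or ["no findings"]:
        print(finding)
```

Run it as `python triage_dll.py wininet.old` against the renamed copy once the machine is back up, and again against the replacement you copied in: the replacement should produce no findings, and its hash should match the same file on another machine at the same service-pack level, which is the check the post above is really asking for when it says to compare version information.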
Old 07-03-2005, 09:46 AM   #9 (permalink)
I helped the forums.
 
Join Date: Jun 2005
Posts: 12
OS: Windows 2000


You da man!!!!!!!

When I first discovered that I had the Trojan-Spy.HTML.Smitfraud.c virus, one of the first things that I tried to do was to delete or rename the c:\winnt\system32\wininet.dll file. Every time that I tried to do that, I got the "Access Denied" message, even in Safe Mode. After following your instructions and getting my machine completely cleaned up, I was able to rename wininet.dll (in Safe Mode). After renaming it to wininet.old, I copied wininet.dll from my PC at work (same operating system) to this machine. I rebooted and ran both Norton Antivirus 2005 and Xoftspy. I'm not finding any viruses anywhere on my machine now!

Thanks very much for providing me with such expert advice and for responding in such a timely fashion. This site rocks!!!

I'll be sure to make a donation to Tech Support Forum!!

Just to be on the safe side though, I'm including one more hijackthis.log file to make sure that I'm completely clean.

Thanks, Mark

Logfile of HijackThis v1.99.1
Scan saved at 11:42:29 AM, on 7/3/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Quest Shared\Launcher\quest_launcher.exe
C:\WINNT\LogonSvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Host Integration Server\system\ddmserv.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\Explorer.EXE
C:\OfficeScan NT\pccntmon.exe
D:\QuickTime\qttask.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\TIREMOTE\tiremote.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/old
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/old
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: PhishingNet BHO - {DE3A0297-5EFF-4FF2-A48D-ABBC67D4D774} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "D:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [Track-It! Remote] C:\Documents and Settings\stangm\TIREMOTE\tiremote.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Phishing Net Options - {B1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://orafin_ap_test.pbso.org:8892/...jinit11816.exe
O16 - DPF: {9F77A997-F0F3-11D1-9195-00C04FC990DC} - http://orafin_ap_prod.pbso.org:7004/...init115211.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pbso.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E355BC3-FEA2-4862-972F-FE646E20B5A2}: NameServer = 172.22.22.250 172.22.22.254
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pbso.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pbso.org
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Quest Launcher Service (LaunchService) - Quest Software - C:\Program Files\Common Files\Quest Shared\Launcher\quest_launcher.exe
O23 - Service: LogonSvc (LogonSvcID) - WiredRed Software - C:\WINNT\LogonSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: OracleClientCache80 - Unknown owner - D:\ORANTDEV2000\BIN\ONRSD80.EXE
O23 - Service: OracleORANT8iAgent - Oracle Corporation - D:\orant8i\bin\dbsnmp.exe
O23 - Service: OracleORANT8iClientCache - Unknown owner - D:\orant8i\BIN\ONRSD.EXE
O23 - Service: OracleORANT8iDataGatherer - Oracle Corporation - D:\orant8i\bin\vppdc.exe
O23 - Service: OracleORANT8iHTTPServer - Unknown owner - D:\orant8i\Apache\Apache\Apache.exe
O23 - Service: OracleORANT8iManagementServer - Unknown owner - D:\orant8i\bin\OMSNTsrv.exe
O23 - Service: OracleORANT8iPagingServer - Unknown owner - D:\orant8i/bin/pagntsrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\OfficeScan NT\tmlisten.exe
Harleymaninwpb is offline  
Old 07-03-2005, 10:23 AM   #10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,445
OS: N/A


Your log is clean. Unless you have any more problems, you should be good to go.

However, there still remains a few bits of housekeeping ...

Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

If you do not have a firewall, here are 3 free ones available for personal use: and a good antivirus like the one you are currently using. It is critical to have both a firewall and an anti-virus application and to keep them updated.


In light of your recent hiccup, I'm sure you'll like to avoid any future infections. Please take a look at these well-written articles.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________

Question - what have you done for the community today?
sUBs is offline  
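The "Your log is clean" verdict above comes from reading every O4, O17 and O23 line of the second log by eye: does each service binary exist and carry a company name, does anything auto-start from a directory an ordinary user can write to, and do the interface's DNS servers belong on this network. The script below is an added example, not part of the thread, that applies those three checks to HijackThis v1.99.1 output. The sample lines are copied from the log posted above, plus one constructed O17 line using a documentation-range address (203.0.113.5, RFC 5737) so the DNS check has something to report; the regexes, the user-writable directory list and the function names are my own. The 172.22.22.x servers in the real log fall inside RFC 1918 space and are not reported.

```python
import ipaddress
import re

# One regex per HijackThis section we audit (format as printed by HijackThis v1.99.1).
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>\S+): (?P<setting>\w+) = (?P<value>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'"?(?P<path>[^"]+?\.exe)', re.IGNORECASE)

# Directories an unprivileged user can write to on Windows 2000/XP (assumed list for the example);
# an autorun or service binary living there deserves a second look.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\", "\\tmp\\")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(tok in p for tok in USER_WRITABLE)


def audit(lines):
    """Return (entry, reason) pairs for log lines a responder should look at by hand."""
    findings = []
    for line in lines:
        line = line.strip()
        m = O23_RE.match(line)
        if m:
            if m["path"].endswith("(file missing)"):
                findings.append((m["name"], "service binary is missing: stale entry or removed by a cleaner"))
            if m["owner"] == "Unknown owner":
                findings.append((m["name"], "no company name in the binary's version info: verify by hand"))
            if in_user_writable(m["path"]):
                findings.append((m["name"], "service runs from a user-writable directory"))
            continue
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.search(m["cmd"])
            if exe and in_user_writable(exe["path"]):
                findings.append((m["key"], "autorun launches from a user-writable directory"))
            continue
        m = O17_RE.match(line)
        if m and m["setting"] == "NameServer":
            for ip in m["value"].split():
                try:
                    addr = ipaddress.ip_address(ip)
                except ValueError:
                    findings.append((m["key"], "unparseable NameServer value %r" % ip))
                    continue
                if not addr.is_loopback and not any(addr in net for net in RFC1918):
                    findings.append((m["key"],
                                     "DNS server %s is outside RFC 1918 space: confirm it is your ISP's, not a hijack" % ip))
    return findings


# Lines 1-5 are copied from the log posted above; line 6 is constructed with a documentation-range
# address so that the DNS check produces a finding.
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKCU\..\Run: [Track-It! Remote] C:\Documents and Settings\stangm\TIREMOTE\tiremote.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{2E355BC3-FEA2-4862-972F-FE646E20B5A2}: NameServer = 172.22.22.250 172.22.22.254",
    r"O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe (file missing)",
    r"O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.5",
]


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1], encoding="latin-1").read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for entry, reason in audit(lines):
        print("%-45s %s" % (entry, reason))
```

On the log above this reports the Tracks Eraser Pro service twice (missing binary, no owner) and the Track-It! Remote autorun under the user's profile, which is the same short list a human reviewer would note before calling the log clean; everything it prints still has to be judged in context, since a legitimately uninstalled product leaves exactly the same stale service entry as a cleaner does.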
Old 07-04-2005, 04:11 PM   #11 (permalink)
I helped the forums.
 
Join Date: Jun 2005
Posts: 12
OS: Windows 2000


Thanks for all your help

I took your advice and downloaded the free anti-spy/anti-virus software applications. With the addition of a router, I think that my PC is now well protected.

Thanks again for all your help. I made a contribution through PayPal.
Harleymaninwpb is offline  
Copyright 2001 - 2009, Tech Support Forum