RedTamCey03 Smitfraud

9 replies to this topic

#1 RedTamCey03 (Members, 5 posts)

Posted 13 May 2005 - 10:49 PM

Hi! I was directed here after trying almost everything to get rid of Trojan-Spy.HTML.Smitfraud.c. I hope that I am posting in the right place and that someone can help!

Whatever this is has not only taken over my screen with the blue warning, but my start menu and task bar are gone too.

Logfile of HijackThis v1.99.1
Scan saved at 11:47:00 PM, on 5/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tammie Stacey\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavigate.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kdnnr.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kdnnr.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kdnnr.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavigate.com/search.php?qq=%1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.qfind.net/search.php?qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hp949E.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [sworqrm] c:\WINDOWS\System32\sworqrm.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ajctqsfwvaeao] C:\WINDOWS\System32\lbkmjmfe.exe
O4 - HKLM\..\Run: [qaJtJE9] C:\documents and settings\tammie stacey\local settings\temp\qaJtJE9.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [SzvC] C:\documents and settings\tammie stacey\local settings\temp\SzvC.exe
O4 - HKLM\..\Run: [2sgnQ] C:\documents and settings\tammie stacey\local settings\temp\2sgnQ.exe
O4 - HKLM\..\Run: [dm28zs] C:\documents and settings\tammie stacey\local settings\temp\dm28zs.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [oFoS35O] odbloc.exe
O4 - HKLM\..\Run: [Spyware Nuker] C:\Program Files\Spyware Nuker 2004\swn2.exe /h
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\TAMMIE~1\LOCALS~1\Temp\20055131575_mcinfo.exe /insfin
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\TAMMIE~1\LOCALS~1\Temp\20055131575_mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
O4 - HKLM\..\RunOnce: [*Restore] C:\WINDOWS\system32\restore\rstrui.exe -i
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [Zo72RRi6W] oakpsp.exe
O4 - HKCU\..\Run: [Tdc] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [Uatm] C:\Documents and Settings\Tammie Stacey\Application Data\cmnr.exe
O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {BFA54208-F1D8-4CD9-95CB-C0B0CDD8B76B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BFA54208-F1D8-4CD9-95CB-C0B0CDD8B76B} - (no file) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.com/teleport/hotdate/NPC...otDateTeleX.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/148637b2dd420697e017/...ip/RdxIE601.cab
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://directv.direcway.com/dwayready/dpcsysinfo.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.com/teleport/families/Ma...FamilyTeleX.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...stx/install.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_In...ller/dwnldr.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - file://D:\games\WebDriverFullInstall.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B04A6598-2CA1-450E-972E-B1DE816CC389}: NameServer = 206.74.254.2 204.116.57.2
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\netgl.exe (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe


Thanks ahead for any help!

#2 Grinler (Lawrence Abrams, Admin, 43,395 posts, USA)

Posted 14 May 2005 - 10:35 AM

Please run two online virus scans:

http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
http://www.kaspersky.com/service?chapter=161739400#betatest

Then let us know if its working better and what the scans found.

Download cwshredder 2.12 from here:

http://cwshredder.net/bin/CWShredder.exe

Run the file after it is downloaded and click on the Fix button. Let it do its thing until it's done, even if it crashes.

When it's done, run HijackThis again and post a new log.

#3 RedTamCey03 (Topic Starter, Members, 5 posts)

Posted 14 May 2005 - 04:20 PM

OK, first, thanks a lot for the help! Second, everything is still the same. I tried to copy all the results and hope I got what was asked.

2sgnQ.exe Win32.Maddle.B infected C:\Documents and Settings\Tammie Stacey\Local Settings\Temp\
4giv.dll Win32.Maddle.B infected C:\Documents and Settings\Tammie Stacey\Local Settings\Temp\
dm28zs.exe Win32.Maddle.B infected C:\Documents and Settings\Tammie Stacey\Local Settings\Temp\
pJBNf2M5w.dll Win32.Maddle.B infected C:\Documents and Settings\Tammie Stacey\Local Settings\Temp\
polmx2.cab Win32.SillyDl.DM!CAB infected C:\Documents and Settings\Tammie Stacey\Local Settings\Temp\
qaJtJE9.exe Win32.WinFetch.A infected C:\Documents and Settings\Tammie Stacey\Local Settings\Temp\
randreco.exe Win32.BettInet.J infected C:\Documents and Settings\Tammie Stacey\Local Settings\Temp\
suBtbxh.dll Win32.Maddle.B infected C:\Documents and Settings\Tammie Stacey\Local Settings\Temp\
SzvC.exe Win32.Maddle.C infected C:\Documents and Settings\Tammie Stacey\Local Settings\Temp\
appgv32.dll Win32.Winshow.BW infected C:\WINDOWS\
appnw32.dll Win32.Winshow.BW infected C:\WINDOWS\
atlcx32.dll Win32.Winshow.BW infected C:\WINDOWS\
ipku.dll Win32.Winshow.BW infected C:\WINDOWS\
javaed.dll Win32.Winshow.BW infected C:\WINDOWS\
javasu32.dll Win32.Winshow.BW infected C:\WINDOWS\
javave.dll Win32.Winshow.BW infected C:\WINDOWS\
netcg32.dll Win32.Winshow.BW infected C:\WINDOWS\
ntfa.dll Win32.Winshow.BW infected C:\WINDOWS\
syshp32.dll Win32.Winshow.BW infected C:\WINDOWS\
appmq32.dll Win32.Winshow.BW infected C:\WINDOWS\system32\
atlja.dll Win32.Winshow.BW infected C:\WINDOWS\system32\
biM.exe Win32.BettInet.F infected C:\WINDOWS\system32\
crdg32.dll Win32.Winshow.BW infected C:\WINDOWS\system32\
crdl.dll Win32.Winshow.BW infected C:\WINDOWS\system32\
d3hj.dll Win32.Winshow.BW infected C:\WINDOWS\system32\
d3xk32.dll Win32.Winshow.BW infected C:\WINDOWS\system32\
mfcpp.dll Win32.Winshow.BW infected C:\WINDOWS\system32\
msmv32.dll Win32.Winshow.BW infected C:\WINDOWS\system32\
nethe.dll Win32.Winshow.BW infected C:\WINDOWS\system32\
ntep32.dll Win32.Winshow.BW infected C:\WINDOWS\system32\
sdkvu32.dll Win32.Winshow.BW infected C:\WINDOWS\system32\

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Kaspersky Anti-Virus (I didn't delete any of these):
C:\Documents and Settings\All use...ecovery\DyFulCalnternetOptimizer2.zip ... Password-protected-exe
C:\Program Files\Maxis\The Sims\Expansion Pack 7\Sound\Sound.far ... Password-protected-exe
C:\Windows\system32\ActiveScan\imscan.dll: "Virus.DOS.Terronia.2538"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
**** Run Keys ****

RUN: [SoundMan] SOUNDMAN.EXE
RUN: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
RUN: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
RUN: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
RUN: [sworqrm] c:\WINDOWS\System32\sworqrm.exe
RUN: [CARPService] carpserv.exe
RUN: [ajctqsfwvaeao] C:\WINDOWS\System32\lbkmjmfe.exe
RUN: [qaJtJE9] C:\documents and settings\tammie stacey\local settings\temp\qaJtJE9.exe
RUN: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
RUN: [SzvC] C:\documents and settings\tammie stacey\local settings\temp\SzvC.exe
RUN: [2sgnQ] C:\documents and settings\tammie stacey\local settings\temp\2sgnQ.exe
RUN: [dm28zs] C:\documents and settings\tammie stacey\local settings\temp\dm28zs.exe
RUN: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
RUN: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
RUN: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
RUN: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
RUN: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
RUN: [oFoS35O] odbloc.exe
RUN: [Spyware Nuker] C:\Program Files\Spyware Nuker 2004\swn2.exe /h
RUN: [msci] C:\DOCUME~1\TAMMIE~1\LOCALS~1\Temp\20055131575_mcinfo.exe /insfin
RUN: [Cleanup] C:\DOCUME~1\TAMMIE~1\LOCALS~1\Temp\20055131575_mcappins.exe /v=3 /cleanup
RUN: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
RUN: [] c:\WINDOWS\System32\
RUN: [Zo72RRi6W] oakpsp.exe
RUN: [Tdc] C:\WINDOWS\System32\??rss.exe
RUN: [Uatm] C:\Documents and Settings\Tammie Stacey\Application Data\cmnr.exe
RUN: [WindowsFY] c:\bsw.exe
RUN: [Spyware Begone] C:\freescan\freescan.exe -FastScan


**** Browser Helper Objects ****

BHO: [] C:\PROGRA~1\SPYBOT~1\SDHelper.dll
BHO: [VMHomepage Class] C:\WINDOWS\System32\hp949E.tmp


**** IE Toolbars ****

TOOLBAR: [&Radio] C:\WINDOWS\System32\msdxm.ocx
TOOLBAR: [&Radio] C:\WINDOWS\System32\msdxm.ocx
TOOLBAR: [&Radio] C:\WINDOWS\System32\msdxm.ocx


**** IE Extensions ****

IEExt: [AOL Toolbar]


**** Hosts File Entries ****



**** IE Settings ****

Default Page: about:blank
Default Search:
Local Page: http://www.quicknavigate.com/
Search Page: http://www.quicknavigate.com/search.php?qq=%1


**** IE Context Menu (Right click) ****

IEContext: [&AOL Toolbar search] res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML


**** Layered Service Providers ****

LSP: New.net UDP Chain
LSP: New.net TCP Chain
LSP: MSAFD Tcpip [TCP/IP]
LSP: MSAFD Tcpip [UDP/IP]
LSP: RSVP UDP Service Provider
LSP: RSVP TCP Service Provider
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A9436D8B-4EF9-4F6F-A5DF-0AF9590CC599}] SEQPACKET 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A9436D8B-4EF9-4F6F-A5DF-0AF9590CC599}] DATAGRAM 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{148B9CA3-CDD0-4139-B0BA-6597A669A48B}] SEQPACKET 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{148B9CA3-CDD0-4139-B0BA-6597A669A48B}] DATAGRAM 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7F5999A8-3B73-40B0-B15F-AD3736984562}] SEQPACKET 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7F5999A8-3B73-40B0-B15F-AD3736984562}] DATAGRAM 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5A0F4125-749F-4ECD-9A7E-0212ACC0B9B8}] SEQPACKET 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5A0F4125-749F-4ECD-9A7E-0212ACC0B9B8}] DATAGRAM 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B04A6598-2CA1-450E-972E-B1DE816CC389}] SEQPACKET 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B04A6598-2CA1-450E-972E-B1DE816CC389}] DATAGRAM 3


**** Blocked Control Panel Items ****

BLOCKED: [ncpa.cpl] No
BLOCKED: [odbccp32.cpl] No


**** Downloaded Program Files ****

Microsoft XML Parser for Java [file://C:\WINDOWS\Java\classes\xmldso.cab]
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} [http://www.kaspersky.com/downloads/kws/kavwebscan.cab] C:\WINDOWS\System32\mfc42.dll C:\WINDOWS\kavwebscan.ico C:\WINDOWS\Downloaded Program Files\kavwebscan.reg C:\WINDOWS\Downloaded Program Files\kavwebscan.dll C:\WINDOWS\Downloaded Program Files\kavuninstall.bat C:\WINDOWS\Downloaded Program Files\0009AB83.key C:\WINDOWS\Downloaded Program Files\ipc.dll C:\WINDOWS\Downloaded Program Files\kavss.exe C:\WINDOWS\Downloaded Program Files\kavss.dll C:\WINDOWS\Downloaded Program Files\kavssi.dll C:\WINDOWS\Downloaded Program Files\kavssd.dll C:\WINDOWS\Downloaded Program Files\kavssdi.dll C:\WINDOWS\Downloaded Program Files\kavupd.dll C:\WINDOWS\Downloaded Program Files\kaveula.txt
{166B1BCA-3F9C-11CF-8075-444553540000} [http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab]
{1671869C-25B3-4C80-9446-8AE6111F8765} [http://thesims.ea.com/teleport/hotdate/NPC/MaxisHotDateTeleX.cab]
{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} [http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab]
{37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} [http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab]
{56336BCB-3D8A-11D6-A00B-0050DA18DE71} [http://207.188.7.150/148637b2dd420697e017/netzip/RdxIE601.cab]
{76D90D08-EAB7-46D8-BF99-87445BF59E72} [http://directv.direcway.com/dwayready/dpcsysinfo.cab]
{7B297BFD-85E4-4092-B2AF-16A91B2EA103} [http://www3.ca.com/securityadvisor/virusinfo/webscan.cab]
{89D75D39-5531-47BA-9E4F-B346BA9C362C} [http://www.callwave.com/include/cab/CWDL_DownLoad.CAB]
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} [http://www.pandasoftware.com/activescan/as5/asinst.cab]
{A44B714B-EE0F-453E-9300-A69B321FEF6C} [http://thesims.ea.com/teleport/families/MaxisSimsFamilyTeleX.cab]
{AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} [http://install.wildtangent.com/bgn/partners/shockwave/stx/install.cab]
{B8BE5E93-A60C-4D26-A2DC-220313175592} [http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab]
{B9191F79-5613-4C76-AA2A-398534BB8999} [http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab]
{CA034DCC-A580-4333-B52F-15F98C42E04C} [https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab]
{D27CDB6E-AE6D-11CF-96B8-444553540000} [http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab]
{FA13A9FA-CA9B-11D2-9780-00104B242EA3} [file://D:\games\WebDriverFullInstall.exe]


**** Windows Services ****

[ 11F#`I] C:\WINDOWS\netgl.exe /s
[Alerter] %SystemRoot%\System32\svchost.exe -k LocalService
[ALG] %SystemRoot%\System32\alg.exe
[AppMgmt] %SystemRoot%\system32\svchost.exe -k netsvcs
[AudioSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[BITS] %SystemRoot%\System32\svchost.exe -k netsvcs
[Browser] %SystemRoot%\System32\svchost.exe -k netsvcs
[cisvc] C:\WINDOWS\System32\cisvc.exe
[ClipSrv] %SystemRoot%\system32\clipsrv.exe
[COMSysApp] C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
[CryptSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[Dhcp] %SystemRoot%\System32\svchost.exe -k netsvcs
[dmadmin] %SystemRoot%\System32\dmadmin.exe /com
[dmserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[Dnscache] %SystemRoot%\System32\svchost.exe -k NetworkService
[ERSvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[Eventlog] %SystemRoot%\system32\services.exe
[EventSystem] C:\WINDOWS\System32\svchost.exe -k netsvcs
[FastUserSwitchingCompatibility] %SystemRoot%\System32\svchost.exe -k netsvcs
[helpsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[HidServ] %SystemRoot%\System32\svchost.exe -k netsvcs
[ImapiService] C:\WINDOWS\System32\imapi.exe
[kavsvc] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe"
[lanmanserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[lanmanworkstation] %SystemRoot%\System32\svchost.exe -k netsvcs
[LmHosts] %SystemRoot%\System32\svchost.exe -k LocalService
[Messenger] %SystemRoot%\System32\svchost.exe -k netsvcs
[mnmsrvc] C:\WINDOWS\System32\mnmsrvc.exe
[MSDTC] C:\WINDOWS\System32\msdtc.exe
[MSIServer] C:\WINDOWS\System32\msiexec.exe /V
[NetDDE] %SystemRoot%\system32\netdde.exe
[NetDDEdsdm] %SystemRoot%\system32\netdde.exe
[Netlogon] %SystemRoot%\System32\lsass.exe
[Netman] %SystemRoot%\System32\svchost.exe -k netsvcs
[Nla] %SystemRoot%\System32\svchost.exe -k netsvcs
[NtLmSsp] %SystemRoot%\System32\lsass.exe
[NtmsSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[PlugPlay] %SystemRoot%\system32\services.exe
[PolicyAgent] %SystemRoot%\System32\lsass.exe
[ProtectedStorage] %SystemRoot%\system32\lsass.exe
[RasAuto] %SystemRoot%\System32\svchost.exe -k netsvcs
[RasMan] %SystemRoot%\System32\svchost.exe -k netsvcs
[RDSessMgr] C:\WINDOWS\system32\sessmgr.exe
[RemoteAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[RpcLocator] %SystemRoot%\System32\locator.exe
[RpcSs] %SystemRoot%\system32\svchost -k rpcss
[RSVP] %SystemRoot%\System32\rsvp.exe
[SamSs] %SystemRoot%\system32\lsass.exe
[SCardDrv] %SystemRoot%\System32\SCardSvr.exe
[SCardSvr] %SystemRoot%\System32\SCardSvr.exe
[Schedule] %SystemRoot%\System32\svchost.exe -k netsvcs
[seclogon] %SystemRoot%\System32\svchost.exe -k netsvcs
[SENS] %SystemRoot%\system32\svchost.exe -k netsvcs
[SharedAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[ShellHWDetection] %SystemRoot%\System32\svchost.exe -k netsvcs
[Spooler] %SystemRoot%\system32\spoolsv.exe
[srservice] %SystemRoot%\System32\svchost.exe -k netsvcs
[SSDPSRV] %SystemRoot%\System32\svchost.exe -k LocalService
[stisvc] %SystemRoot%\System32\svchost.exe -k imgsvc
[SwPrv] C:\WINDOWS\System32\dllhost.exe /Processid:{B75C6DCE-AEF8-4A08-A019-33FBAB0024FE}
[SysmonLog] %SystemRoot%\system32\smlogsvc.exe
[TapiSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[TermService] %SystemRoot%\System32\svchost.exe -k netsvcs
[Themes] %SystemRoot%\System32\svchost.exe -k netsvcs
[TrkWks] %SystemRoot%\system32\svchost.exe -k netsvcs
[uploadmgr] %SystemRoot%\System32\svchost.exe -k netsvcs
[upnphost] %SystemRoot%\System32\svchost.exe -k LocalService
[UPS] %SystemRoot%\System32\ups.exe
[VSS] %SystemRoot%\System32\vssvc.exe
[W32Time] %SystemRoot%\System32\svchost.exe -k netsvcs
[WebClient] %SystemRoot%\System32\svchost.exe -k LocalService
[winmgmt] %systemroot%\system32\svchost.exe -k netsvcs
[WmdmPmSp] %SystemRoot%\System32\svchost.exe -k netsvcs
[WmiApSrv] C:\WINDOWS\System32\wbem\wmiapsrv.exe
[wuauserv] %SystemRoot%\system32\svchost.exe -k netsvcs
[WZCSVC] %SystemRoot%\System32\svchost.exe -k netsvcs


**** Custom IE Search Items ****

SEARCH: [SearchAssistant_bak] http://search.searchenhancement.com/nph-en...d=sesm&sstring=
SEARCH: [CustomizeSearch] http://www.quicknavigate.com/search.php?qq=%1
SEARCH: [SearchAssistant]
SEARCH: [CustomizeSearch]
SEARCH: [CustomSearch] http://red.clientapps.yahoo.com/customize/...rch/search.html


**** Complete IE Options ****

IEOPT: [NoUpdateCheck]
IEOPT: [NoJITSetup]
IEOPT: [Disable Script Debugger] yes
IEOPT: [Show_ChannelBand] No
IEOPT: [Anchor Underline] yes
IEOPT: [Cache_Update_Frequency] Once_Per_Session
IEOPT: [Display Inline Images] yes
IEOPT: [Do404Search]
IEOPT: [Local Page] http://www.quicknavigate.com/
IEOPT: [Save_Session_History_On_Exit] no
IEOPT: [Show_FullURL] no
IEOPT: [Show_StatusBar] yes
IEOPT: [Show_ToolBar] yes
IEOPT: [Show_URLinStatusBar] yes
IEOPT: [Show_URLToolBar] yes
IEOPT: [Start Page]
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [Search Page] http://www.quicknavigate.com/search.php?qq=%1
IEOPT: [Check_Associations] yes
IEOPT: [FullScreen] no
IEOPT: [Window_Placement] ,
IEOPT: [Error Dlg Displayed On Every Error] no
IEOPT: [Error Dlg Details Pane Open] no
IEOPT: [Use FormSuggest] no
IEOPT: [NotifyDownloadComplete] no
IEOPT: [FormSuggest PW Ask] no
IEOPT: [Save Directory] C:\Documents and Settings\Tammie Stacey\Desktop\
IEOPT: [AddToFavoritesExpanded]
IEOPT: [Print_Background] no
IEOPT: [Start Page_bak] http://start.earthlink.net
IEOPT: [Search Bar_bak] http://websearch.drsnsrch.com/sidesearch.cgi?id=
IEOPT: [Search Page_bak] http://websearch.drsnsrch.com/sidesearch.cgi?id=
IEOPT: [Use Search Assistant] no
IEOPT: [Use Search Asst]
IEOPT: [Expand Alt Text] no
IEOPT: [Move System Caret] no
IEOPT: [NscSingleExpand]
IEOPT: [NoWebJITSetup]
IEOPT: [Page_Transitions]
IEOPT: [FavIntelliMenus] no
IEOPT: [UseThemes]
IEOPT: [Force Offscreen Composition]
IEOPT: [AllowWindowReuse]
IEOPT: [Friendly http errors] yes
IEOPT: [ShowGoButton] yes
IEOPT: [SmoothScroll]
IEOPT: [Enable AutoImageResize] yes
IEOPT: [Enable_MyPics_Hoverbar] yes
IEOPT: [Play_Animations] yes
IEOPT: [Play_Background_Sounds] yes
IEOPT: [Display Inline Videos] yes
IEOPT: [Show image placeholders]
IEOPT: [AutoSearch]
IEOPT: [Window Title] www.google.com
IEOPT: [HistoryTopNSitesView]
IEOPT: [HistoryViewType]
IEOPT: [Default_Page_URL]
IEOPT: [Default_Search_URL] http://www.quicknavigate.com/search.php?qq=%1
IEOPT: [Default_Page_URL] about:blank
IEOPT: [Default_Search_URL]
IEOPT: [Search Page]
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Local Page] http://www.qfind.net/
IEOPT: [Anchor_Visitation_Horizon]
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]
IEOPT: [Placeholder_Height]
IEOPT: [Start Page]
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Custom_Key] MICROSO
IEOPT: [Wizard_Version] 6.0.2600.0000
IEOPT: [Check_Associations] yes
IEOPT: [FullScreen] no
IEOPT: [gsi]
IEOPT: [Search Bar]
IEOPT: [wsi]
IEOPT: [SearchAssistant]
IEOPT: [IEWatsonEnabled]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.1
Scan saved at 5:12:45 PM, on 5/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Tammie Stacey\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavigate.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavigate.com/search.php?qq=%1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.qfind.net/search.php?qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hp949E.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [sworqrm] c:\WINDOWS\System32\sworqrm.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ajctqsfwvaeao] C:\WINDOWS\System32\lbkmjmfe.exe
O4 - HKLM\..\Run: [qaJtJE9] C:\documents and settings\tammie stacey\local settings\temp\qaJtJE9.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [SzvC] C:\documents and settings\tammie stacey\local settings\temp\SzvC.exe
O4 - HKLM\..\Run: [2sgnQ] C:\documents and settings\tammie stacey\local settings\temp\2sgnQ.exe
O4 - HKLM\..\Run: [dm28zs] C:\documents and settings\tammie stacey\local settings\temp\dm28zs.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [oFoS35O] odbloc.exe
O4 - HKLM\..\Run: [Spyware Nuker] C:\Program Files\Spyware Nuker 2004\swn2.exe /h
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\TAMMIE~1\LOCALS~1\Temp\20055131575_mcinfo.exe /insfin
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\TAMMIE~1\LOCALS~1\Temp\20055131575_mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
O4 - HKLM\..\RunOnce: [*Restore] C:\WINDOWS\system32\restore\rstrui.exe -i
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [Zo72RRi6W] oakpsp.exe
O4 - HKCU\..\Run: [Tdc] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [Uatm] C:\Documents and Settings\Tammie Stacey\Application Data\cmnr.exe
O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {BFA54208-F1D8-4CD9-95CB-C0B0CDD8B76B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BFA54208-F1D8-4CD9-95CB-C0B0CDD8B76B} - (no file) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.com/teleport/hotdate/NPC...otDateTeleX.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/148637b2dd420697e017/...ip/RdxIE601.cab
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://directv.direcway.com/dwayready/dpcsysinfo.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.com/teleport/families/Ma...FamilyTeleX.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...stx/install.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_In...ller/dwnldr.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - file://D:\games\WebDriverFullInstall.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B04A6598-2CA1-450E-972E-B1DE816CC389}: NameServer = 206.74.254.2 204.116.57.2
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\netgl.exe (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe

#4 Grinler (Lawrence Abrams, Admin)

Posted 15 May 2005 - 12:39 PM

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid
WinTools
Spyware Begone


Exit Add/Remove Programs.

*IMPORTANT* CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C.

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.

Using Windows Explorer, delete the following, if found (please do NOT try to find them by "search" because they will not show up that way).

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

While still in Safe Mode, do the following:

Make sure all programs and windows are closed. Run HiJackThis and place a check next to the following items, if found, then click FIX CHECKED

items to fix

Close HiJackThis.

Reboot into normal mode.

1.) Download The Hoster. Press "Restore Original Hosts" and press "OK". Exit the program.

2.) Right-Click HERE and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan.

#5 RedTamCey03 (Topic Starter)

Posted 15 May 2005 - 03:05 PM

Incident Status Location

Spyware:Spyware/New.net No disinfected C:\Program Files\NewDotNet\newdotnet6_38.dll
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
Adware:Adware/PurityScan No disinfected C:\DOCUME~1\TAMMIE~1\APPLIC~1\cmnr.exe
Spyware:Spyware/CommonName No disinfected C:\WINDOWS\System32\winnet.ini
Adware:Adware/eZula No disinfected Windows Registry
Adware:Adware/Gator No disinfected C:\GatorPatch.log
Adware:Adware/MyWay No disinfected C:\Program Files\MySearch
Adware:Adware/nCase No disinfected C:\WINDOWS\System32\FLEOK
Adware:Adware/DownloadWare No disinfected C:\Program Files\Downloadware*
Adware:Adware/FlashTrack No disinfected C:\Program Files\Flt
Spyware:Spyware/ISTbar No disinfected Windows Registry
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\lsp_.dll
Adware:Adware/CWS No disinfected Windows Registry
Adware:Adware/StatBlaster No disinfected C:\Program Files\Media\Media
Adware:Adware/Apropos No disinfected C:\Program Files\cxtpls
Adware:Adware/WinTools No disinfected Windows Registry
Adware:Adware/AdDestroyer No disinfected C:\WINDOWS\System32\SWRT??.dll
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\System32\swrt01.dll
Adware:Adware/DelFinMedia No disinfected C:\keys.ini
Adware:Adware/MediaTickets No disinfected Windows Registry
Adware:Adware/SideSearch No disinfected C:\Documents and Settings\Tammie Stacey\Application Data\Lycos
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\conscorr.inf
Adware:Adware/BlazeFind No disinfected Windows Registry
Adware:Adware/Comet No disinfected C:\WINDOWS\System32\CometTB.dll
Adware:Adware/MSView No disinfected C:\WINDOWS\System32\nostalgia.dll
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\System32\eXactSetup.dll
Adware:Adware/MyWebSearch No disinfected Windows Registry
Adware:Adware/PowerSearch No disinfected C:\WINDOWS\System32\stlb2.xml
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\System32\Cards.ico
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\dlmax.inf
Adware:Adware/IGuard No disinfected Windows Registry
Adware:Adware/Popuper No disinfected C:\Online Pharmacy.url
Adware:Adware/Virmaid No disinfected C:\WINDOWS\System32\perfcii.ini
Adware:Adware/MBKWBar No disinfected Windows Registry
Adware:Adware/Popuper No disinfected C:\Documents and Settings\All Users\Start Menu\Online Casino.url
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Tammie Stacey\Application Data\cmnr.exe
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Tammie Stacey\Favorites\Spyware Removal.url
Adware:Adware/Trymedia No disinfected C:\Documents and Settings\Tammie Stacey\My Documents\Destop Icons\OregonTrail-dm.exe
Adware:Adware/Gator No disinfected C:\GatorPatch.log
Adware:Adware/DelFinMedia No disinfected C:\keys.ini
Adware:Adware/Popuper No disinfected C:\Online Pharmacy.url
Adware:Adware/MBKWBar No disinfected C:\Program Files\MBKWBar\MBKWBar.exe
Adware:Adware/StatBlaster No disinfected C:\Program Files\Media\Media\SBRegister.exe
Spyware:Spyware/New.net No disinfected C:\Program Files\NewDotNet\newdotnet6_38(2).dll
Spyware:Spyware/New.net No disinfected C:\Program Files\NewDotNet\newdotnet6_38.dll
Spyware:Spyware/New.net No disinfected C:\Program Files\NewDotNet\uninstall6_38.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\bxtou.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\cjkhj.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\lsp_.dll
Adware:Adware/EasySearch No disinfected C:\WINDOWS\fwtis.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\gaesl.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorPatch.log
Adware:Adware/EasySearch No disinfected C:\WINDOWS\hlpuy.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\inf\biM.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\conscorr.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\dlmax.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\polall1r.inf
Adware:Adware/EasySearch No disinfected C:\WINDOWS\jbzvv.dll
Adware:Adware/EasySearch No disinfected C:\WINDOWS\jtvip.dll
Adware:Adware/EasySearch No disinfected C:\WINDOWS\lapmb.dll
Adware:Adware/EasySearch No disinfected C:\WINDOWS\lrpjm.dll
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall4_80.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall4_88.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall4_94.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall5_20.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall5_40.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall5_48.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_10.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_22.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_38.exe
Adware:Adware/EasySearch No disinfected C:\WINDOWS\prnsa.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\Agent.dll
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\system32\cards.ico
Adware:Adware/Comet No disinfected C:\WINDOWS\system32\CometTB.dll
Adware:Adware/Comet No disinfected C:\WINDOWS\system32\CometTB.exe
Adware:Adware/BrowsePal No disinfected C:\WINDOWS\system32\ctbv2.dll
Adware:Adware/BrowsePal No disinfected C:\WINDOWS\system32\ctb_s.exe
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\cttxw.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\system32\ehrca.dll
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\eXacctSetup3.exe
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\exactsetup.dll
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\exdqc.dll
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\ezStubi.dll
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\system32\fiz1
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\fwmiz.dll
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\gohjn.dll
Adware:Adware/Popuper No disinfected C:\WINDOWS\system32\hhk.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\system32\hstdv.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\system32\ibcrg.dll
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\idbze.dll
Adware:Adware/KeenValue No disinfected C:\WINDOWS\system32\in6bMs.dll
Adware:Adware/Iagold No disinfected C:\WINDOWS\system32\jjj.exe
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\system32\kyf.dat
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\maxai.dll
Adware:Adware/MSView No disinfected C:\WINDOWS\system32\nostalgia.dll
Adware:Adware/MSView No disinfected C:\WINDOWS\system32\nostalgia1.dll
Adware:Adware/Virmaid No disinfected C:\WINDOWS\system32\perfcii.ini
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\ptoas.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\SHAgent.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\SHAgent1007.dll
Adware:Adware/PowerSearch No disinfected C:\WINDOWS\system32\stlb2.xml
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\system32\SWRT01.dll
Spyware:Spyware/CommonName No disinfected C:\WINDOWS\system32\winnet.ini
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\wsxsvc\wsx.dll
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\wsxsvc\wsx.ocx
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
Adware:Adware/MyWay No disinfected C:\WINDOWS\system32\Xcite.dll
Adware:Adware/nCase No disinfected C:\WINDOWS\system32\Xcite.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\system32\xcvio.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\xmlparse.dll_tobedeleted
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\xmltok.dll_tobedeleted
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\xxkvl.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\system32\zqgby.dll
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\ztwrp.dll
Adware:Adware/EasySearch No disinfected C:\WINDOWS\tojrs.dll
Adware:Adware/EasySearch No disinfected C:\WINDOWS\vgpxe.dll
Adware:Adware/EasySearch No disinfected C:\WINDOWS\vhdvr.dll
Adware:Adware/EasySearch No disinfected C:\WINDOWS\ygpfh.dll
Adware:Adware/EasySearch No disinfected C:\WINDOWS\zqqya.dll
Adware:Adware/EasySearch No disinfected C:\WINDOWS\zufhg.dll

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 4:03:00 PM, on 5/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tammie Stacey\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavigate.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.qfind.net/search.php?qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [sworqrm] c:\WINDOWS\System32\sworqrm.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ajctqsfwvaeao] C:\WINDOWS\System32\lbkmjmfe.exe
O4 - HKLM\..\Run: [qaJtJE9] C:\documents and settings\tammie stacey\local settings\temp\qaJtJE9.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [SzvC] C:\documents and settings\tammie stacey\local settings\temp\SzvC.exe
O4 - HKLM\..\Run: [2sgnQ] C:\documents and settings\tammie stacey\local settings\temp\2sgnQ.exe
O4 - HKLM\..\Run: [dm28zs] C:\documents and settings\tammie stacey\local settings\temp\dm28zs.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [oFoS35O] odbloc.exe
O4 - HKLM\..\Run: [Spyware Nuker] C:\Program Files\Spyware Nuker 2004\swn2.exe /h
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\TAMMIE~1\LOCALS~1\Temp\20055131575_mcinfo.exe /insfin
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\TAMMIE~1\LOCALS~1\Temp\20055131575_mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [Zo72RRi6W] oakpsp.exe
O4 - HKCU\..\Run: [Tdc] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [Uatm] C:\Documents and Settings\Tammie Stacey\Application Data\cmnr.exe
O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {BFA54208-F1D8-4CD9-95CB-C0B0CDD8B76B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BFA54208-F1D8-4CD9-95CB-C0B0CDD8B76B} - (no file) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.com/teleport/hotdate/NPC...otDateTeleX.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/148637b2dd420697e017/...ip/RdxIE601.cab
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://directv.direcway.com/dwayready/dpcsysinfo.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.com/teleport/families/Ma...FamilyTeleX.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...stx/install.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_In...ller/dwnldr.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - file://D:\games\WebDriverFullInstall.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B04A6598-2CA1-450E-972E-B1DE816CC389}: NameServer = 206.74.254.2 204.116.57.2
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\netgl.exe (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe

#6 Grinler (Lawrence Abrams, Admin)

Posted 15 May 2005 - 11:49 PM

Please download LSP-Fix from the following link and save it to a location you can find later if necessary.

LSP-Fix Download Link

To remove New.net, please go to Start | Settings | Control Panel | Add/Remove Programs, look for and remove New.Net. If you can't find it, then please go here and follow the removal instructions in Procedure 4 at the bottom of the page.

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavigate.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.qfind.net/search.php?qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [sworqrm] c:\WINDOWS\System32\sworqrm.exe
O4 - HKLM\..\Run: [ajctqsfwvaeao] C:\WINDOWS\System32\lbkmjmfe.exe
O4 - HKLM\..\Run: [qaJtJE9] C:\documents and settings\tammie stacey\local settings\temp\qaJtJE9.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [SzvC] C:\documents and settings\tammie stacey\local settings\temp\SzvC.exe
O4 - HKLM\..\Run: [2sgnQ] C:\documents and settings\tammie stacey\local settings\temp\2sgnQ.exe
O4 - HKLM\..\Run: [dm28zs] C:\documents and settings\tammie stacey\local settings\temp\dm28zs.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [oFoS35O] odbloc.exe
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\TAMMIE~1\LOCALS~1\Temp\20055131575_mcinfo.exe /insfin
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\TAMMIE~1\LOCALS~1\Temp\20055131575_mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [Zo72RRi6W] oakpsp.exe
O4 - HKCU\..\Run: [Tdc] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [Uatm] C:\Documents and Settings\Tammie Stacey\Application Data\cmnr.exe
O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/148637b2dd420697e017/...ip/RdxIE601.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...stx/install.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - file://D:\games\WebDriverFullInstall.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\netgl.exe (file missing)

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

c:\WINDOWS\System32\sworqrm.exe
C:\WINDOWS\System32\lbkmjmfe.exe
C:\documents and settings\tammie stacey\local settings\temp\qaJtJE9.exe
C:\WINDOWS\System32\wsxsvc\
C:\documents and settings\tammie stacey\local settings\temp\SzvC.exe
C:\documents and settings\tammie stacey\local settings\temp\2sgnQ.exe
C:\documents and settings\tammie stacey\local settings\temp\dm28zs.exe
C:\PROGRAM FILES\COMMON FILES\WinTools\
c:\WINDOWS\System32\D0CE0C16B1
c:\WINDOWS\System32\odbloc.exe
C:\DOCUME~1\TAMMIE~1\LOCALS~1\Temp\20055131575_mcinfo.exe
C:\DOCUME~1\TAMMIE~1\LOCALS~1\Temp\20055131575_mcappins.exe
c:\WINDOWS\System32\oakpsp.exe
C:\Documents and Settings\Tammie Stacey\Application Data\cmnr.exe
c:\bsw.exe
C:\WINDOWS\netgl.exe

Reboot your computer to go back to normal mode and post a new log.

If you cannot connect to the Internet after removing New.net, please run the LSP-Fix program I had you download earlier, and click on the Finish button. Reboot and you should be able to get back on.
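As an added example (not HijackThis or the helper's own tooling): a small Python triage script that parses the HijackThis entry formats seen in this thread (R0/R1/R3, O4, O10, O16, O23) and applies the same tells the helper used to pick the entries above, such as autoruns launched from the user's Temp folder, a blank Run entry name, rundll32 loading a hex-named DLL, browser settings pointing at quicknavigate.com or qfind.net, the New.Net LSP hijack, an ActiveX control fetched from a bare IP address, and a service whose binary is missing. The hijacker-domain list and the heuristics are assumptions drawn only from this thread, and the sample log lines are copied from the logs posted here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hijacker domains taken from this thread's R0/R1 lines. This list and the
# heuristics below are assumptions for the example, not a signature database.
HIJACK_DOMAINS = {"quicknavigate.com", "qfind.net"}


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O4" or "O23"
    reason: str   # why the entry was flagged
    line: str     # the original log line


# Entry formats as HijackThis v1.99 prints them.
_O4 = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
_R = re.compile(r"^(R[0-3]) - (.*?) = ?(.*)$")
_O16 = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \((.*?)\))? - (\S+)$")
_O23 = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
_IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)")


def _host(url: str) -> str:
    m = re.match(r"^https?://([^/:]+)", url)
    return m.group(1).lower() if m else ""


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing looks wrong."""
    line = line.strip()
    if line.startswith("O10 - Hijacked Internet access by"):
        return Finding("O10", "Winsock LSP hijack by " + line.split("by ", 1)[1], line)
    if line.startswith("R3 - ") and "is missing" in line:
        return Finding("R3", "default URLSearchHook has been removed", line)
    m = _O4.match(line)
    if m:
        _hive, _key, name, cmd = m.groups()
        low = cmd.lower()
        if name == "" or low.endswith("\\"):
            return Finding("O4", "blank Run entry name or no executable", line)
        if "\\local settings\\temp\\" in low or "\\locals~1\\temp\\" in low:
            return Finding("O4", "autorun launched from the user's Temp folder", line)
        if "?" in cmd:  # HijackThis prints non-ASCII path characters as '?'
            return Finding("O4", "non-printable characters in the executable path", line)
        if re.search(r"rundll32\.exe [0-9A-F]{8,}", cmd, re.I):
            return Finding("O4", "rundll32 loading a hex-named DLL", line)
        return None
    m = _R.match(line)
    if m:
        sec, _setting, value = m.groups()
        host = _host(value)
        if any(host == d or host.endswith("." + d) for d in HIJACK_DOMAINS):
            return Finding(sec, "browser setting points at hijacker domain " + host, line)
        return None
    m = _O16.match(line)
    if m:
        _name, url = m.groups()
        if _IP_URL.match(url):
            return Finding("O16", "ActiveX control downloaded from a bare IP address", line)
        return None
    m = _O23.match(line)
    if m:
        _svc, owner, path = m.groups()
        if "(file missing)" in path:
            return Finding("O23", "service whose binary is missing", line)
        if owner == "Unknown owner":
            return Finding("O23", "service with no publisher", line)
        return None
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the flagged entries."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


# Sample lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [qaJtJE9] C:\documents and settings\tammie stacey\local settings\temp\qaJtJE9.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [Tdc] C:\WINDOWS\System32\??rss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = www.google.com
R3 - Default URLSearchHook is missing
O10 - Hijacked Internet access by New.Net
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/148637b2dd420697e017/...ip/RdxIE601.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\netgl.exe (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

The benign entries in the sample (SoundMan, Tweak UI, the Kaspersky autorun, ActiveX control and service) pass through unflagged, which is the point of the heuristics: they single out the same nine entries the helper asked to have fixed.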

#7 RedTamCey03 (Topic Starter)

Posted 16 May 2005 - 08:03 AM

Logfile of HijackThis v1.99.1
Scan saved at 8:53:51 AM, on 5/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Tammie Stacey\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Spyware Nuker] C:\Program Files\Spyware Nuker 2004\swn2.exe /h
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {BFA54208-F1D8-4CD9-95CB-C0B0CDD8B76B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BFA54208-F1D8-4CD9-95CB-C0B0CDD8B76B} - (no file) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.com/teleport/hotdate/NPC...otDateTeleX.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://directv.direcway.com/dwayready/dpcsysinfo.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.com/teleport/families/Ma...FamilyTeleX.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_In...ller/dwnldr.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\netgl.exe (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe

Just like to add thanks again for all your help. I will tell everyone I can about this board and program. OK, the blue warning message is gone, but I still don't have my desktop, start menu or task bar. Right-click won't work on the desktop either.

#8 Grinler (Lawrence Abrams, Admin)

Posted 16 May 2005 - 12:45 PM

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {BFA54208-F1D8-4CD9-95CB-C0B0CDD8B76B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BFA54208-F1D8-4CD9-95CB-C0B0CDD8B76B} - (no file) (HKCU)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\netgl.exe (file missing)


Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\Program Files\Ebates_MoeMoneyMaker\
C:\WINDOWS\netgl.exe

Reboot your computer to go back to normal mode.


Please download and install the program Registrar Lite from here:

http://www.resplendence.com/reglite

Once it is installed, please double-click on the icon that should now be on your desktop. If an icon is not there, then check under the Programs portion of the Start Menu.

Once it is opened, copy and paste the line below into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

And press enter. You will now be presented with new information in the bottom right and left sections and on the right section.

Right click on 11F#`I and delete it.

Reboot.

Download http://www.bleepingcomputer.com/files/reg/smitfraud.reg and save it to your desktop. Then double-click on that file and allow it to merge the data. Then reboot and see if you can change your desktop, and post a new HJT log.
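A defender-side way to do the triage this reply does by eye, as an added example (not code from BleepingComputer, HijackThis or anyone in this thread): it parses HijackThis O9 and O23 lines and flags the two tells the reply acts on, a service with an unknown owner and an entry whose file is missing. The sample lines are constructed from the log quoted earlier in the thread.

```python
from dataclasses import dataclass, field

@dataclass
class Finding:
    section: str                      # HijackThis section, e.g. "O23"
    name: str                         # display name of the service / button
    target: str                       # file path exactly as HJT reported it
    reasons: list = field(default_factory=list)

# Constructed sample: the three lines the reply asks to fix plus two benign ones.
SAMPLE_LOG = "\n".join([
    r"O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)",
    r"O9 - Extra button: Microsoft AntiSpyware helper - {BFA54208-F1D8-4CD9-95CB-C0B0CDD8B76B} - (no file) (HKCU)",
    r"O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\netgl.exe (file missing)",
    r"O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe",
    r"O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll",
])

# Markers HijackThis appends when the referenced file is not on disk.
MISSING = ("(file missing)", "(no file)")

def triage(log_text):
    """Return a Finding for every O9/O23 line that shows a suspicious tell."""
    findings = []
    for line in log_text.splitlines():
        section, _, rest = line.strip().partition(" - ")
        try:
            if section == "O23":
                # O23 - Service: <name> - <owner> - <path>
                name, owner, target = rest.removeprefix("Service: ").rsplit(" - ", 2)
                reasons = ["unknown owner"] if owner == "Unknown owner" else []
            elif section == "O9":
                # O9 - Extra button|Extra 'Tools' menuitem: <name> - {CLSID} - <path> [(HKCU)]
                _kind, name_and_rest = rest.split(": ", 1)
                name, _clsid, target = name_and_rest.split(" - ", 2)
                reasons = []
            else:
                continue
        except ValueError:
            continue                  # malformed or truncated line; skip it
        if any(marker in target for marker in MISSING):
            reasons.append("file missing")
        if reasons:
            findings.append(Finding(section, name, target.strip(), reasons))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.name!r}: {', '.join(f.reasons)}")
```

The kavsvc and AOL Toolbar lines are left alone, which matches the reply: a named vendor and a file that exists are not by themselves a reason to fix an entry.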

#9 RedTamCey03

  • Topic Starter

  • Members
  • 5 posts

Posted 16 May 2005 - 07:08 PM

Logfile of HijackThis v1.99.1
Scan saved at 8:03:13 PM, on 5/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Tammie Stacey\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Spyware Nuker] C:\Program Files\Spyware Nuker 2004\swn2.exe /h
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.com/teleport/hotdate/NPC...otDateTeleX.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://directv.direcway.com/dwayready/dpcsysinfo.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.com/teleport/families/Ma...FamilyTeleX.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_In...ller/dwnldr.cab
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe



Okay, by going in the control panel I can now change the picture. It is cool! :thumbsup: I was beginning to hate the color blue :flowers: Computer is running much faster now too. I bow to your genius. Still missing my taskbar and start menu; I saw a folder (taskbar and start menu) in the control panel but it won't open for me.

Edited by RedTamCey03, 16 May 2005 - 10:19 PM.


#10 Grinler

    Lawrence Abrams


  • Admin
  • 43,395 posts
  • Gender:Male
  • Location:USA

Posted 16 May 2005 - 10:18 PM

Your log is clean! Great job!

Disable and Enable System Restore - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable System Restore here:

Managing Windows Millennium System Restore

or

Windows XP System Restore Guide

Re-enable System Restore with instructions from the tutorial above.


Next,

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1: Delete Temp Files
To clean out your temp files, click on Start and then Run, type %temp% and press the OK button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help, and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!



