
HJT - Peter Bennett


17 replies to this topic

#1 Peter Bennett


Posted 07 July 2005 - 03:49 AM

This is my second post to this forum. I sent my first post to the wrong place! Sorry. I located the forum through Google. I searched for Trojan-Spy.HTML.Smitfraud.c and up you popped.

I’m trying to remove an infection from a laptop belonging to a friend of mine. He knows even less about computers than I do!

Initially, the warning on booting the machine was:

Security Warning
A fatal error in IE has occurred at 0028:C0011E36 in VXD VMM(01) +
00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c
* System can not function in normal mode.
Please check your security settings.
* Scan your PC with any availabel antivirus / spyware remover
program fix the problem.

I carried out a search for Trojan-Spy.HTML.Smitfraud.c on the forum and found many entries and advice on how to delete it. I followed the advice of one of your experts. Unfortunately, I didn’t make a note of which post I followed. It might have been Grinler <Apr 29 2005 11.57am>. I was very thorough. I succeeded, I think, in removing Trojan-Spy.HTML.Smitfraud.c. I also scanned the machine with Ad-Aware and with Spybot Search & Destroy and deleted everything they found. However the machine is still not clean. There are at least two remaining problems:

1. A red circle with an exclamation mark in the centre. Hovering the mouse pointer over the circle causes the following message to be displayed: “Your computer is infected.” Right-clicking on the circle displays the following: “Your computer is infected! Click here to protect your computer from spyware / virus threat”. This keeps popping up and advising that I should scan for a virus. If I click on the icon, the laptop attempts to connect to the internet. The URL is: http://www.psguard.com/?aff=1&sub=0.
2. The machine keeps attempting to connect to the internet. (Obviously, it’s not connected to a phone line.)
3. Occasionally I get an error message to the effect that there is a problem with kernel32.dll. Haven’t a clue what this means. And it is intermittent, so I don’t know what causes it.

The laptop is not connected to the internet and I have a fully working computer on which I’m typing this message.

There is a version of McAfee Antivirus on the laptop, but it is out of date. Once I get the thing clean I will install the latest copy of Norton Antivirus 2005. It’s the one I’m familiar with.

The following is a copy of the HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 09:37:07, on 7/7/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ATI2PLAB.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\WINDOWS\CPQDIAG\CPQDFWAG.EXE
C:\COMPAQ\INTERNET\ISDBDC.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAAB.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\SYSTEM\GGLIB.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\WINDOWS\SYSTEM\INTEL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\GERRY PARK\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.wanadoo.fr/go/qqo/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {1A450C59-8168-4631-BA77-CA928D0426C5} - C:\WINDOWS\SYSTEM\OMFG.DLL (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [PCHealth] c:\windows\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
O4 - HKLM\..\Run: [vmtuner] gglib.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2plab.exe
O4 - HKLM\..\RunServices: [CPQInet Runtime Service] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\cpqdiag\CpqDfwAg.exe
O4 - HKLM\..\RunServices: [isdbdc] c:\compaq\internet\isdbdc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O8 - Extra context menu item: AltaVista Home - http://jump.altavista.com/avie5/home
O8 - Extra context menu item: AV Search This Term - http://jump.altavista.com/avie5/search
O8 - Extra context menu item: AV Translate this Web Page - http://jump.altavista.com/avie5/babelfish
O8 - Extra context menu item: AV Translate Selection - http://jump.altavista.com/avie5/babelfish
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {06FE5D00-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra 'Tools' menuitem: &AltaVista Home - {06FE5D00-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/babelfish (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/babelfish (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/linksearch (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/linksearch (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/hostsearch (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/hostsearch (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O18 - Filter: text/html - {5C56F947-90B2-4B8B-BDD3-008D1F478453} - C:\WINDOWS\SYSTEM\OMFG.DLL
O18 - Filter: text/plain - {5C56F947-90B2-4B8B-BDD3-008D1F478453} - C:\WINDOWS\SYSTEM\OMFG.DLL


Many thanks. I hope someone can help.

PeterB


#2 groovicus

  • Security Colleague

Posted 08 July 2005 - 07:03 PM

If you still need help, could you post a fresh log please?

#3 Peter Bennett

  • Topic Starter

Posted 09 July 2005 - 12:12 PM

Dear Groovicus,

Many thanks for your mail. Here is a new HijackThis Log. Hopefully someone can make sense of this.

Logfile of HijackThis v1.99.1
Scan saved at 18:07:50, on 7/9/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ATI2PLAB.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\WINDOWS\CPQDIAG\CPQDFWAG.EXE
C:\COMPAQ\INTERNET\ISDBDC.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAAB.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\SYSTEM\GGLIB.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\WINDOWS\SYSTEM\INTEL32.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.wanadoo.fr/go/qqo/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {1A450C59-8168-4631-BA77-CA928D0426C5} - C:\WINDOWS\SYSTEM\OMFG.DLL (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [PCHealth] c:\windows\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
O4 - HKLM\..\Run: [vmtuner] gglib.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2plab.exe
O4 - HKLM\..\RunServices: [CPQInet Runtime Service] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\cpqdiag\CpqDfwAg.exe
O4 - HKLM\..\RunServices: [isdbdc] c:\compaq\internet\isdbdc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O8 - Extra context menu item: AltaVista Home - http://jump.altavista.com/avie5/home
O8 - Extra context menu item: AV Search This Term - http://jump.altavista.com/avie5/search
O8 - Extra context menu item: AV Translate this Web Page - http://jump.altavista.com/avie5/babelfish
O8 - Extra context menu item: AV Translate Selection - http://jump.altavista.com/avie5/babelfish
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {06FE5D00-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra 'Tools' menuitem: &AltaVista Home - {06FE5D00-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/babelfish (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/babelfish (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/linksearch (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/linksearch (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/hostsearch (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/hostsearch (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O18 - Filter: text/html - {5C56F947-90B2-4B8B-BDD3-008D1F478453} - C:\WINDOWS\SYSTEM\OMFG.DLL
O18 - Filter: text/plain - {5C56F947-90B2-4B8B-BDD3-008D1F478453} - C:\WINDOWS\SYSTEM\OMFG.DLL

Regards,

PeterB

#4 groovicus

  • Security Colleague

Posted 09 July 2005 - 04:05 PM

It's been quite awhile since I have fixed this variant, so I am probably a little rusty :thumbsup:

=== Step 1 ===
Download: "StartDreck", from here:
http://members.blackbox.net/hp_links/21/ni.../startdreck.zip

Unzip to its own folder and start the program.

Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
System/drivers -> Running processes
Press 'Ok'

Press 'Save' and select the location to save the log file
(default is the same folder as the application)

#5 Peter Bennett

  • Topic Starter

Posted 09 July 2005 - 06:48 PM

Dear Groovicus,

Many thanks. I've tried the URL listed in your reply and it does not appear to direct me to Startdreck.zip.

It sends me to a web site, which is in either German or Dutch - I don't know which - called Blackbox. I need a user name and password to get into it. Maybe I'm doing something wrong. I've tried clicking on the link in the email you sent me, and also clicking on the link in your reply in this forum. I reach a dead end! I'd really appreciate it if you would check the URL for StartDreck.

Again, many thanks.

PeterB

#6 groovicus

  • Security Colleague

Posted 09 July 2005 - 08:03 PM

Sorry about that. I didn't realize the author had moved it. Try this one instead.
http://www.niksoft.at/php/dl.php?f=startdreck.zip

#7 Peter Bennett

  • Topic Starter

Posted 10 July 2005 - 02:32 AM

Thanks, Groovicus.

I located StartDreck. The only options selected in the Config Screen are Registry > Run Keys; System Drivers > Running Processes. All others were de-selected. Here is the StartDreck log:

StartDreck (build 2.1.7 public stable) - 2005-07-10 @ 08:29:47 (GMT +01:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 5.50.4134.0100
Logged in as Gerry Park at COMPUTER

»Registry
»Run Keys
»Current User
»Run
*MSMSGS=C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*ScanRegistry=c:\windows\scanregw.exe /autorun
*TaskMonitor=c:\windows\taskmon.exe
*SystemTray=SysTray.Exe
*AtiPTA=Atiptaab.exe
*Ati2cwxx=Ati2cwxx.exe
*SynTPLpr=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
*SynTPEnh=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
*CPQEASYACC=C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
*EACLEAN=C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
*AvconsoleEXE=C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
*PCHealth=c:\windows\PCHealth\Support\PCHSchd.exe -s
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*Vshwin32EXE=C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
*VsStatEXE=C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
*VsecomrEXE=C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
*vmtuner=gglib.exe
*Service Connection=c:\cpqs\bwtools\sccenter.exe
*intel32.exe=C:\WINDOWS\SYSTEM\intel32.exe
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
*ATIPOLAB=ati2plab.exe
*CPQInet Runtime Service=c:\compaq\CPQInet\CpqInet.exe
*CPQDFWAG=C:\WINDOWS\cpqdiag\CpqDfwAg.exe
*isdbdc=c:\compaq\internet\isdbdc.exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*Vshwin32EXE=C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
»RunServicesOnce
**r=rundll32 C:\WINDOWS\SCANDSIW.EXE,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
+FFEF8B7D=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFC191=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFE61D1=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE6415=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFEAF01=C:\WINDOWS\SYSTEM\ATI2PLAB.EXE
+FFFE992D=C:\COMPAQ\CPQINET\CPQINET.EXE
+FFFEE695=C:\WINDOWS\CPQDIAG\CPQDFWAG.EXE
+FFFED10D=C:\COMPAQ\INTERNET\ISDBDC.EXE
+FFFD1F5D=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFD0A59=C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
+FFFD6D15=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFD6389=C:\WINDOWS\RUNDLL32.EXE
+FFFD8E69=C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
+FFFC7699=C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
+FFFC9FD9=C:\WINDOWS\EXPLORER.EXE
+FFFB6E11=C:\WINDOWS\TASKMON.EXE
+FFFBB8B1=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFB436D=C:\WINDOWS\SYSTEM\ATIPTAAB.EXE
+FFFB06A9=C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
+FFFBDBED=C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
+FFFA3B65=C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
+FFFBF71D=C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
+FFFA4B95=C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE
+FFFAF875=C:\WINDOWS\SYSTEM\GGLIB.EXE
+FFF92991=C:\CPQS\BWTOOLS\SCCENTER.EXE
+FFFA1B91=C:\WINDOWS\SYSTEM\INTEL32.EXE
+FFF9538D=C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
+FFFA6BF5=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFF9F8CD=C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
+FFF896F1=C:\PROGRAM FILES\STARTDRECK\STARTDRECK.EXE
»Application specific

Thanks again Groovicus.

PeterB

#8 groovicus

  • Security Colleague

Posted 10 July 2005 - 09:22 AM

Ok, onward....

This one should go easy. First, we need to download CWShredder from here:
http://www.trendmicro.com/cwshredder/

Install, run, let it fix everything it finds.

Put a checkmark next to the following entries in HijackThis. Make sure all other windows and browsers are closed before clicking on “Fix Checked”.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.wanadoo.fr/go/qqo/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {1A450C59-8168-4631-BA77-CA928D0426C5} - C:\WINDOWS\SYSTEM\OMFG.DLL (file missing)
O18 - Filter: text/html - {5C56F947-90B2-4B8B-BDD3-008D1F478453} - C:\WINDOWS\SYSTEM\OMFG.DLL
O18 - Filter: text/plain - {5C56F947-90B2-4B8B-BDD3-008D1F478453} - C:\WINDOWS\SYSTEM\OMFG.DLL
********************************************************

Reboot and post a new log please. :thumbsup:
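A small HijackThis-log triage script, added here as an example (it is not HijackThis, CWShredder or BleepingComputer code): it parses the R0/R1, O2, O4 and O18 lines of the v1.99 log format shown in this thread and flags the indicators the helper's fix list above turns on, namely search settings redirected into a DLL resource under TEMP or set to about:blank, an unnamed BHO whose file is missing, and a text/html or text/plain MIME filter, especially one loading the same DLL as that BHO. The sample log is constructed from the shape of the entries quoted in the thread, and the rule set and function names are my own, so lines the helper ticked for other reasons (Window Title, LinksFolderName) are deliberately not flagged.

```python
"""Triage a HijackThis v1.99 log the way the thread above does it.
Added example, not HijackThis, CWShredder or BleepingComputer code."""
import re
from dataclasses import dataclass, field

# Constructed sample in the HijackThis log format, modelled on the entries
# quoted in this thread (not a verbatim copy of the poster's log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: (no name) - {1A450C59-8168-4631-BA77-CA928D0426C5} - C:\WINDOWS\SYSTEM\OMFG.DLL (file missing)
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O18 - Filter: text/html - {5C56F947-90B2-4B8B-BDD3-008D1F478453} - C:\WINDOWS\SYSTEM\OMFG.DLL
"""

# Every HJT entry starts with a section code; the body layout depends on it.
LINE_RE = re.compile(r"^(?P<sec>R[0-3]|O\d+) - (?P<body>.*)$")
R_RE = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
                   r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O18_RE = re.compile(r"^Filter: (?P<mime>\S+) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
BODY_RES = {"R0": R_RE, "R1": R_RE, "O2": O2_RE, "O4": O4_RE, "O18": O18_RE}


@dataclass
class Entry:
    section: str              # R0, R1, O2, O4, O18, ...
    raw: str                  # the log line exactly as HJT printed it
    fields: dict = field(default_factory=dict)   # parsed body, when the layout is known


def parse_log(text):
    """Return the R/O entries of a log; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        pat = BODY_RES.get(sec)
        sub = pat.match(body) if pat else None
        entries.append(Entry(sec, line, sub.groupdict() if sub else {}))
    return entries


def triage(entries):
    """Apply the indicators the thread turns on; returns (entry, reason) pairs."""
    findings = []
    orphan_dlls = set()     # DLL paths of BHOs still registered but no longer on disk
    for e in entries:
        f = e.fields
        if e.section in ("R0", "R1"):
            data = f.get("data", "").lower()
            if data.startswith("res://") and "\\temp\\" in data:
                findings.append((e, "search setting points into a DLL resource under TEMP"))
            elif data == "about:blank":
                findings.append((e, "search setting blanked (about:blank hijack)"))
        elif e.section == "O2" and f.get("name") == "(no name)" and f.get("missing"):
            orphan_dlls.add(f["path"].lower())
            findings.append((e, "unnamed BHO whose DLL is missing: orphaned registration"))
    # Second pass so O18 filters can be correlated with the BHOs found above.
    for e in entries:
        if e.section != "O18":
            continue
        mime, path = e.fields.get("mime", ""), e.fields.get("path", "").lower()
        if path in orphan_dlls:
            findings.append((e, f"{mime} filter loads the same DLL as an orphaned BHO"))
        elif mime in ("text/html", "text/plain"):
            findings.append((e, f"{mime} filter sees every page IE renders; verify the DLL"))
    return findings


def fix_checked(findings):
    """The raw lines to tick in HijackThis before pressing 'Fix Checked'."""
    return [e.raw for e, _ in findings]


if __name__ == "__main__":
    for entry, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"{entry.section:4} {reason}\n     {entry.raw}")
```

Feed it a real log (HijackThis saves a plain-text file) and compare the `fix_checked` output against the lines you intend to tick; anything it flags that you do not recognise is worth looking up before fixing.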

#9 Peter Bennett

  • Topic Starter

Posted 10 July 2005 - 03:30 PM

Dear Groovicus,

I ran CWShredder V2.15. I found the following entry: CWS:HiddenDLL. I deleted it and then ran HijackThis. It found all of the entries in your mail, except the following:

O2 - BHO: (no name) - {1A450C59-8168-4631-BA77-CA928D0426C5} - C:\WINDOWS\SYSTEM\OMFG.DLL (file missing)
O18 - Filter: text/html - {5C56F947-90B2-4B8B-BDD3-008D1F478453} - C:\WINDOWS\SYSTEM\OMFG.DLL
O18 - Filter: text/plain - {5C56F947-90B2-4B8B-BDD3-008D1F478453} - C:\WINDOWS\SYSTEM\OMFG.DLL

They did not appear in the HijackThis screen. All of the others were found by HijackThis and fixed. I rebooted. CWShredder found nothing. And the above entries did not appear in HijackThis. I have posted the HijackThis log and also the StartDreck log. The red circle with the exclamation mark in the centre is still in the system tray. The HijackThis log is posted first, followed by StartDreck. Hope this all makes sense.

HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 21:22:11, on 7/10/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ATI2PLAB.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\WINDOWS\CPQDIAG\CPQDFWAG.EXE
C:\COMPAQ\INTERNET\ISDBDC.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAAB.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\SYSTEM\GGLIB.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\WINDOWS\SYSTEM\INTEL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\GERRY PARK\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [PCHealth] c:\windows\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
O4 - HKLM\..\Run: [vmtuner] gglib.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2plab.exe
O4 - HKLM\..\RunServices: [CPQInet Runtime Service] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\cpqdiag\CpqDfwAg.exe
O4 - HKLM\..\RunServices: [isdbdc] c:\compaq\internet\isdbdc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O8 - Extra context menu item: AltaVista Home - http://jump.altavista.com/avie5/home
O8 - Extra context menu item: AV Search This Term - http://jump.altavista.com/avie5/search
O8 - Extra context menu item: AV Translate this Web Page - http://jump.altavista.com/avie5/babelfish
O8 - Extra context menu item: AV Translate Selection - http://jump.altavista.com/avie5/babelfish
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {06FE5D00-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra 'Tools' menuitem: &AltaVista Home - {06FE5D00-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/babelfish (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/babelfish (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/linksearch (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/linksearch (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/hostsearch (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/hostsearch (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab

StartDreck Log:
StartDreck (build 2.1.7 public stable) - 2005-07-10 @ 21:29:11 (GMT +01:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 5.50.4134.0100
Logged in as Gerry Park at COMPUTER

»Registry
»Run Keys
»Current User
»Run
*MSMSGS=C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*ScanRegistry=c:\windows\scanregw.exe /autorun
*TaskMonitor=c:\windows\taskmon.exe
*SystemTray=SysTray.Exe
*AtiPTA=Atiptaab.exe
*Ati2cwxx=Ati2cwxx.exe
*SynTPLpr=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
*SynTPEnh=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
*CPQEASYACC=C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
*EACLEAN=C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
*AvconsoleEXE=C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
*PCHealth=c:\windows\PCHealth\Support\PCHSchd.exe -s
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*Vshwin32EXE=C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
*VsStatEXE=C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
*VsecomrEXE=C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
*vmtuner=gglib.exe
*Service Connection=c:\cpqs\bwtools\sccenter.exe
*intel32.exe=C:\WINDOWS\SYSTEM\intel32.exe
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
*ATIPOLAB=ati2plab.exe
*CPQInet Runtime Service=c:\compaq\CPQInet\CpqInet.exe
*CPQDFWAG=C:\WINDOWS\cpqdiag\CpqDfwAg.exe
*isdbdc=c:\compaq\internet\isdbdc.exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*Vshwin32EXE=C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
»RunServicesOnce
**f=rundll32 C:\WINDOWS\SCANDSIW.EXE,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
+FFEF86ED=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFCC01=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFE6921=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFEA3D9=C:\WINDOWS\SYSTEM\ATI2PLAB.EXE
+FFFE9139=C:\COMPAQ\CPQINET\CPQINET.EXE
+FFFED6D1=C:\WINDOWS\CPQDIAG\CPQDFWAG.EXE
+FFFEC34D=C:\COMPAQ\INTERNET\ISDBDC.EXE
+FFFD3C15=C:\WINDOWS\RUNDLL32.EXE
+FFFD2295=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFD1725=C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
+FFFD7301=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFEA865=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFDEE99=C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
+FFFC4ADD=C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
+FFFC7965=C:\WINDOWS\EXPLORER.EXE
+FFFB6329=C:\WINDOWS\TASKMON.EXE
+FFFB50D9=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFBB8C9=C:\WINDOWS\SYSTEM\ATIPTAAB.EXE
+FFFB91F5=C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
+FFFA2D75=C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
+FFFA18E9=C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
+FFFA65D1=C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
+FFFA8389=C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE
+FFFAC855=C:\WINDOWS\SYSTEM\GGLIB.EXE
+FFFBEF8D=C:\CPQS\BWTOOLS\SCCENTER.EXE
+FFFBCDDD=C:\WINDOWS\SYSTEM\INTEL32.EXE
+FFF97881=C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
+FFF9FA65=C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
+FFF85E5D=C:\PROGRAM FILES\STARTDRECK\STARTDRECK.EXE
»Application specific


Hope this all makes sense.

Many thanks Groovicus.

PeterB
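The StartDreck log above lists autostart values as `»` section headings (hive, then Run key) followed by `*name=command` lines, with `+` marking subkeys such as OptionalComponents whose values do not autostart. Below is an added example (not from this thread, from StartDreck or from the helpers here) that parses that block and triages the entries: it flags commands that name only a bare file, which Windows resolves through its search path so the line alone does not say which file runs, and rundll32 invocations whose module is not a .dll. The sample lines are copied from the log above; both checks are prompts for an analyst to compare against known-good entries (legitimate Windows 9x values such as mstask.exe trigger the first), not verdicts.

```python
"""Parse the 'Run Keys' block of a StartDreck log and triage its autorun entries.
Added example (not from the thread or StartDreck); sample lines copied from the log above."""
from collections import namedtuple
SAMPLE_LOG = """»Run Keys
»Local Machine
»Run
*ScanRegistry=c:\\windows\\scanregw.exe /autorun
*vmtuner=gglib.exe
*intel32.exe=C:\\WINDOWS\\SYSTEM\\intel32.exe
+OptionalComponents
*Installed=1
»RunServices
*SchedulingAgent=mstask.exe
»RunServicesOnce
**f=rundll32 C:\\WINDOWS\\SCANDSIW.EXE,DllGetClassObject
»Files
"""
HIVES = {"Current User", "Default User", "Local Machine"}
AutorunEntry = namedtuple("AutorunEntry", "hive key name command")

def parse_run_keys(text):
    """Autostart values under »Run Keys; values nested under a '+' subkey do not autostart."""
    entries, hive, key, active, in_subkey = [], None, None, False, False
    for line in text.splitlines():
        if line.startswith("»"):
            section, in_subkey = line[1:], False
            if section == "Run Keys":
                active = True
            elif active and section in HIVES:
                hive = section
            elif active and section.startswith("Run"):
                key = section
            else:
                active = False  # any other heading (e.g. »Files) ends the block
        elif line.startswith("+"):
            in_subkey = True  # subkey of a Run key (OptionalComponents, MAPI, ...)
        elif active and key and not in_subkey and line.startswith("*"):
            name, _, command = line.lstrip("*").partition("=")  # '*' marks a value
            entries.append(AutorunEntry(hive, key, name, command.strip()))
    return entries

def triage(entries):
    """Yield (entry, reason) for entries worth checking against known-good lists first."""
    for e in entries:
        first, _, rest = e.command.partition(" ")
        if first.lower() in ("rundll32", "rundll32.exe"):
            if not rest.split(",")[0].lower().endswith(".dll"):
                yield e, "rundll32 loading a non-.dll module"
        elif "\\" not in first and ":" not in first:
            yield e, "bare filename, located via the search path"
```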

#10 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:11:25 AM

Posted 10 July 2005 - 03:37 PM

That's it. I don't see anything else in your log. Are you having any further problems?

#11 Peter Bennett

Peter Bennett
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:25 PM

Posted 10 July 2005 - 04:17 PM

Dear Groovicus,

Yes. I still have the problem. The red circle with the yellow exclamation mark is still in the system tray.

If I hover the cursor over the icon I get the following message: "Your computer is infected. Click here to protect you computer from spyware / virus threats". Occasionally the text associated with the icon automatically pops up.

If I click on the icon the machine attempts to dial an internet connection and connect to the following site: http://psguard.com/?aff=1&sub=0.

A scan with Spybot Search & Destroy, and with Ad-Aware finds nothing.

When I close Spybot Search & Destroy the following message is generated: Spybot has caused an error in KERNAL32.DLL.

This thing is obviously very persistent.

Regards,

PeterB

#12 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:11:25 AM

Posted 10 July 2005 - 04:44 PM

When you did the smitfraud fix, did you run the bat file also? The symptoms that you are describing have to do with smitfraud, which apparently is not gone. And I don't know how well that works for your Operating System.

#13 Peter Bennett

Peter Bennett
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:25 PM

Posted 10 July 2005 - 04:56 PM

Dear Groovicus,

I've no knowledge of a "bat file aslo" and I haven't run it.

Thanks, again.

PeterB

#14 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:11:25 AM

Posted 10 July 2005 - 05:04 PM

I'm sorry. I meant did you run a .reg fix file? What set of directions did you use to remove your initial infection?

#15 Peter Bennett

Peter Bennett
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:25 PM

Posted 10 July 2005 - 05:13 PM

Groovicus,

I'm really sorry about this, but I didn't keep a record of the set of instructions I followed. In my first post to the forum I said:

I carried out a search for Trojan-Spy.HTML.Smitfraud.c on the forum and found many entries and advice on how to delete it. I followed the advice of one of your experts. Unfortunately, I didn’t make a note of which post I followed. It might have been Grinler <Apr 29 2005 11.57am>.


I don't think I used a utility to clean the registry. If you would be so kind as to direct me to a new set of instructions for the removal of smitfraud, I'll redo the process and then follow the instructions you sent me earlier.

Thanks again.

PeterB
