
SmithFraud - C


7 replies to this topic

#1 angrymonkey

angrymonkey

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:44 PM

Posted 29 July 2005 - 08:47 AM

I am not a computer expert, but I'm currently in a place where there aren't any experts to help me out. I have all kinds of weird pop-ups, many of them telling me that I have a virus and need to pay money for software - I have used Spybot - S&D, and Ad-Aware SE, and they removed a lot of things, but there are still 43 files that Spybot detects that are called Smithfraud - C that it can't delete. Spybot says that they are still being used or in the memory and therefore cannot be deleted. Then it says to restart the computer, but the result is always the same. I continue to have pop-ups and sometimes my homepage changes. I'm just writing this because the HijackThis page said to get information here. Thanks for any help that anyone might have. I don't know what I'm doing.


#2 OldTimer
Malware Expert

Posted 30 July 2005 - 12:30 AM

Hello angrymonkey and welcome to the BC malware forum. We need a complete HijackThis (HJT) log file to be able to analyze what is happening on your computer. If you do not have a copy of HijackThis or do not have the latest version (1.99.1) then download it from here: HijackThis_sfx.exe
Double-click on the file you just downloaded and click on the UnZip button to install the program. It will be installed to the C:\Program Files\HijackThis\ folder by default.

Boot normally, start HijackThis and click the Do a system scan and save a log button to perform a scan and create a log file. When the scan is complete, Notepad will open up with the log file in it. While in Notepad, press Ctrl-A to select all text and then Ctrl-C to copy the text to the clipboard.

POST the log in this thread using the Add Reply button. Click in the data-entry window and press Ctrl-V to paste the log into the window. Add any other comments which you believe might be helpful in our analysis, and click the Add Reply button.

I will review your log when it comes in.


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL I CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 angrymonkey

Posted 30 July 2005 - 10:52 AM

OldTimer,

Hi. Thank you so much for helping me out!!! Here's the results from the Hijackthis scan:

Logfile of HijackThis v1.99.1
Scan saved at 5:47:40 PM, on 8/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\msole32.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\mouseutils.exe
C:\Archivos de programa\Winamp\winampa.exe
C:\WINDOWS\System32\svehost.exe
C:\WINDOWS\iijjpg.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\ft15.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F3 - REG:win.ini: run=fieattcyvbc.exe, hgojolehnejhc.exe, edbxfass.exe, yuqtsaelio.exe, ppla.exe, vkawkxbiijcn.exe, iijjpg.exe
O3 - Toolbar: Quick! - {4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2C} - C:\ARCHIV~1\quickbar\quickbar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MCAgentExe] C:\Archivos de programa\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\ARCHIV~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Archivos de programa\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [WinLoader] iijjpg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Mouse Utilities] mouseutils.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe
O4 - HKLM\..\Run: [ft15] C:\WINDOWS\System32\ft15.exe
O4 - HKLM\..\Run: [ll1] C:\WINDOWS\System32\ll1.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKLM\..\RunServices: [WinLoader] iijjpg.exe
O4 - HKLM\..\RunServices: [Windows Mouse Utilities] mouseutils.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [tool] command.com /c del c:\command.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [QuickSMS] C:\Archivos de programa\Sitconsulting.biz\PRMQuickSMS\QuickSMS.exe
O4 - HKCU\..\Run: [DW4] "C:\Archivos de programa\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: AMSN.lnk = C:\Archivos de programa\AMSN\amsn.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O20 - Winlogon Notify: style2 - C:\WINDOWS\q220328_disk.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - C:\Archivos de programa\McAfee.com\VSO\mcshield.exe (file missing)

I hope that helps. Thank you again for any advice!
angrymonkey
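The HijackThis log above can be triaged mechanically before a human reads it line by line. The Python helper below is an added example, not part of the thread and not HijackThis code: it parses the O4 and F3 lines, and flags image names that also appear in the win.ini run= list, entries under the RunServices key, and names one character away from a real Windows binary. The list of known binaries is an assumption for the example; the sample lines are copied from the log posted above.

```python
"""Triage helper for HijackThis O4/F3 lines (added example, not HijackThis code)."""
import re

# Assumed list of Windows binaries that malware names often imitate;
# it is illustrative, not an exhaustive allow-list.
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe", "msconfig.exe", "winlogon.exe", "lsass.exe",
    "services.exe", "ctfmon.exe", "spoolsv.exe", "explorer.exe",
}

# O4 - HKLM\..\Run: [name] command      /      F3 - REG:win.ini: run=a.exe, b.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
F3_RE = re.compile(r"^F3 - REG:win\.ini: run=(?P<list>.+)$")


def levenshtein(a, b):
    """Edit distance; 1 means a single typo-squatted character (svehost vs svchost)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_name(cmd):
    """Basename of the executable in an O4 command, ignoring quotes and arguments."""
    cmd = cmd.strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(lines):
    """Return (section, reason, line) for every line that deserves a second look."""
    findings, winini = [], set()
    for line in lines:
        m = F3_RE.match(line)
        if m:
            winini = {n.strip().lower() for n in m["list"].split(",")}
            findings.append(("F3", "win.ini run= is a legacy autostart, normally empty on XP", line))
    for line in lines:
        m = O4_RE.match(line)
        if not m:
            continue
        name, reasons = image_name(m["cmd"]), []
        if m["key"] == "RunServices":
            reasons.append("RunServices is a Windows 9x/ME key; rarely legitimate on XP")
        if name in winini:
            reasons.append("same image also in win.ini run= (double persistence)")
        if name not in KNOWN_SYSTEM_BINARIES:
            reasons += [f"lookalike of {g}" for g in sorted(KNOWN_SYSTEM_BINARIES)
                        if levenshtein(name, g) == 1]
        if reasons:
            findings.append(("O4", "; ".join(reasons), line))
    return findings


# Lines copied from the HijackThis log posted above.
SAMPLE_HJT_LINES = [
    "F3 - REG:win.ini: run=fieattcyvbc.exe, hgojolehnejhc.exe, edbxfass.exe, "
    "yuqtsaelio.exe, ppla.exe, vkawkxbiijcn.exe, iijjpg.exe",
    r"O4 - HKLM\..\Run: [WinLoader] iijjpg.exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe",
    r"O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe",
]

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_HJT_LINES):
        print(f"[{section}] {reason}\n    {line}")
```

The legitimate QuickTime and ctfmon entries produce no finding, which is the point of a heuristic like this: it narrows the list a human must read, it does not replace that reading.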

#4 OldTimer

Posted 30 July 2005 - 02:07 PM

Hi angrymonkey. Yes, we have some bad stuff in here but I don't think we are seeing it all. Let's run a different scan to see if we can find the rest.

Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here so I can review it.

OT

#5 angrymonkey

angrymonkey
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:44 PM

Posted 31 July 2005 - 09:23 AM

OldTimer,

Hi. Thank you again. Here are the results of the WinPFind:


»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\9ö
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\diybmcikuftb.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\dwitgdyjifo.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\edbxfass.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\eejuymbnevpgn.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\enwqghqdkygv.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\fhgcun.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\fieattcyvbc.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\focrawrtbjavw.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\gafoppqoh.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\gjucpusu.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\hgojolehnejhc.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\iijjpg.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\kwya.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\mqoittasuyu.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\nglr.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\pdflotyvbvf.exe
FSG! 8/29/2005 12:59:32 AM 17273 C:\WINDOWS\popuper.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\ppla.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\qdom.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\qnci.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\qpfj.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\smfrf.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\ttae.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\ubncvbsjus.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\vgcbroktedi.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\vjghiwbod.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\vkawkxbiijcn.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\vstp.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\wivp.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\wsvpgs.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\xekcdfuuwj.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\yptcjsytkis.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\yuqtsaelio.exe

Checking %System% folder...
PEC2 8/24/2001 12:00:00 PM 41129 C:\WINDOWS\SYSTEM32\dfrg.msc
FSG! 11/11/2003 4:08:40 PM 238080 C:\WINDOWS\SYSTEM32\DivXdec.ax
aspack 7/18/2005 3:45:36 PM 205824 C:\WINDOWS\SYSTEM32\ft15.exe
UPX! 8/31/2005 3:44:32 PM 6144 C:\WINDOWS\SYSTEM32\intell32.exe
aspack 5/3/2005 1:43:56 AM 197120 C:\WINDOWS\SYSTEM32\La Intérprete.scr
UPX! 11/26/2004 11:08:46 PM 69120 C:\WINDOWS\SYSTEM32\msconfg.exe
FSG! 8/29/2005 12:59:08 AM 7257 C:\WINDOWS\SYSTEM32\msole32.exe
FSG! 8/29/2005 1:00:58 AM 4649 C:\WINDOWS\SYSTEM32\ole32vbs.exe
UPX! 9/9/2002 1:51:20 PM 23552 C:\WINDOWS\SYSTEM32\oleext.dll
Umonitor 9/9/2002 1:51:08 PM 651264 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/24/2001 12:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
UPX! 6/24/2003 4:14:08 PM 194048 C:\WINDOWS\SYSTEM32\xvid.dll

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder for system and hidden files within the last 60 days...
8/31/2005 4:04:18 PM 8192 C:\WINDOWS\system32\config\default.LOG
8/31/2005 4:04:52 PM 1024 C:\WINDOWS\system32\config\SAM.LOG
8/31/2005 4:04:26 PM 12288 C:\WINDOWS\system32\config\SECURITY.LOG
8/31/2005 4:05:32 PM 81920 C:\WINDOWS\system32\config\software.LOG
8/31/2005 4:04:26 PM 724992 C:\WINDOWS\system32\config\system.LOG
8/28/2005 11:30:06 PM 2580 C:\WINDOWS\system32\config\systemprofile\Datos de programa\Microsoft\Internet Explorer\Desktop.htt
7/12/2005 5:55:10 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\944ce0b6-44e2-4f1a-a872-8986fe178cd4
7/12/2005 5:55:10 PM 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
8/31/2005 4:03:34 PM 6 C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
2/28/2005 11:12:24 PM 1792 C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Adobe Reader Speed Launch.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
4/8/2005 11:57:30 PM 687 C:\Documents and Settings\equipo\Menú Inicio\Programas\Inicio\AMSN.lnk

Checking files in %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Archivos de programa\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Elemento anclado al menú Inicio = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Archivos de programa\WinRAR\rarext.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MCAgentExe C:\Archivos de programa\McAfee.com\Agent\mcagent.exe
MCUpdateExe C:\ARCHIV~1\McAfee.com\Agent\mcupdate.exe
VirusScan Online C:\Archivos de programa\McAfee.com\VSO\mcvsshld.exe
WinLoader dwitgdyjifo.exe
QuickTime Task "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
SunJavaUpdateSched C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
Cmaudio RunDll32 cmicnfg.cpl,CMICtrlWnd
SoundMan SOUNDMAN.EXE
TkBellExe "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
Windows Mouse Utilities mouseutils.exe
WinampAgent C:\Archivos de programa\Winamp\winampa.exe
Intel system tool C:\WINDOWS\System32\svehost.exe
ft15 C:\WINDOWS\System32\ft15.exe
ll1 C:\WINDOWS\System32\ll1.exe
RegSvr32 C:\WINDOWS\System32\msmsgs.exe
PSGuard spyware remover C:\Archivos de programa\PSGuard\PSGuard.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SpybotSnD "C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
tool command.com /c del c:\command.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MsnMsgr "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
Skype "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
Yahoo! Pager C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
QuickSMS C:\Archivos de programa\Sitconsulting.biz\PRMQuickSMS\QuickSMS.exe
DW4 "C:\Archivos de programa\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
ctfmon.exe C:\WINDOWS\System32\ctfmon.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
winlogon.exe msole32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\ARCHIV~1\ARCHIV~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\style2
= C:\WINDOWS\q220328_disk.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.2.5 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/31/2005 4:10:52 PM


Thank you again for your help!!!
angrymonkey
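Two patterns in the WinPFind output above stand out to a responder: dozens of differently named files in C:\WINDOWS with the same packer, byte size and timestamp (one binary copied under random names), and a trio of FSG!-packed files in System32 written within two minutes of each other on 8/29/2005. The Python below is an added example, not WinPFind's code and not part of the thread; it parses the file lines and surfaces both patterns from a subset of the log posted above.

```python
"""Cluster WinPFind file entries by packer, timestamp and size (added example, not WinPFind code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# WinPFind file lines look like: "<packer> <m/d/yyyy> <h:mm:ss AM|PM> <size> <path>".
# Section headers ("Checking %WinDir% folder...") and the packer-less lines of the
# "hidden files within the last 60 days" section do not match and are skipped.
ENTRY_RE = re.compile(
    r"^(?P<packer>\S+) (?P<date>\d{1,2}/\d{1,2}/\d{4}) "
    r"(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) (?P<size>\d+) (?P<path>.+)$"
)


class Entry(NamedTuple):
    packer: str
    when: datetime
    size: int
    path: str


def parse(text):
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p")
            entries.append(Entry(m["packer"], when, int(m["size"]), m["path"]))
    return entries


def identical_clones(entries, min_names=3):
    """Different names sharing packer, timestamp and byte size: one binary copied many times."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e.packer, e.when, e.size)].append(e.path)
    return {k: v for k, v in groups.items() if len(set(v)) >= min_names}


def install_bursts(entries, window=timedelta(minutes=5), min_files=3):
    """Runs of files written within `window` of each other: an installer dropping its parts."""
    ordered = sorted(entries, key=lambda e: e.when)
    bursts, i = [], 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and ordered[j + 1].when - ordered[i].when <= window:
            j += 1
        if j - i + 1 >= min_files:
            bursts.append([e.path for e in ordered[i:j + 1]])
        i = j + 1
    return bursts


def report(text):
    """Clone clusters first, then install bursts among the remaining files."""
    entries = parse(text)
    clones = identical_clones(entries)
    rest = [e for e in entries if (e.packer, e.when, e.size) not in clones]
    return clones, install_bursts(rest)


# Subset of the WinPFind output posted above (the real log lists 33 identical UPX! files).
SAMPLE_WINPFIND = r"""
Checking %WinDir% folder...
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\diybmcikuftb.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\edbxfass.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\iijjpg.exe
UPX! 1/28/2005 6:35:08 PM 372131 C:\WINDOWS\vkawkxbiijcn.exe
FSG! 8/29/2005 12:59:32 AM 17273 C:\WINDOWS\popuper.exe

Checking %System% folder...
FSG! 11/11/2003 4:08:40 PM 238080 C:\WINDOWS\SYSTEM32\DivXdec.ax
aspack 7/18/2005 3:45:36 PM 205824 C:\WINDOWS\SYSTEM32\ft15.exe
FSG! 8/29/2005 12:59:08 AM 7257 C:\WINDOWS\SYSTEM32\msole32.exe
FSG! 8/29/2005 1:00:58 AM 4649 C:\WINDOWS\SYSTEM32\ole32vbs.exe
UPX! 6/24/2003 4:14:08 PM 194048 C:\WINDOWS\SYSTEM32\xvid.dll
"""

if __name__ == "__main__":
    clones, bursts = report(SAMPLE_WINPFIND)
    for (packer, when, size), paths in clones.items():
        print(f"{len(paths)} copies of one {packer} binary ({size} bytes, {when}):", *paths, sep="\n  ")
    for burst in bursts:
        print("files written within minutes of each other:", *burst, sep="\n  ")
```

The older packed files (DivXdec.ax, xvid.dll) fall into neither group, which is the expected behaviour: a packer signature alone is not evidence, the clustering is.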

#6 OldTimer

Posted 31 July 2005 - 11:58 AM

Hi angrymonkey. Ok, let's get to work. Please print these directions and then proceed with the following steps in order.

Step #1

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.

Step #2

Place a shortcut to Panda ActiveScan on your desktop.

Step #3

Download the trial version of Ewido Security Suite.

Follow these Ewido Setup Instructions for installing it, and updating the definitions to the newest files.

Do NOT run a scan yet.

Step #4

If you already have Ad-Aware SE 1.06 then check for updates. Otherwise follow these Ad-Aware SE Setup Instructions.

Do NOT run a scan yet.

Step #5

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #6

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
F3 - REG:win.ini: run=fieattcyvbc.exe, hgojolehnejhc.exe, edbxfass.exe, yuqtsaelio.exe, ppla.exe, vkawkxbiijcn.exe, iijjpg.exe
O3 - Toolbar: Quick! - {4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2C} - C:\ARCHIV~1\quickbar\quickbar.dll (file missing)
O4 - HKLM\..\Run: [WinLoader] iijjpg.exe
O4 - HKLM\..\Run: [Windows Mouse Utilities] mouseutils.exe
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe
O4 - HKLM\..\Run: [ft15] C:\WINDOWS\System32\ft15.exe
O4 - HKLM\..\Run: [ll1] C:\WINDOWS\System32\ll1.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKLM\..\RunServices: [WinLoader] iijjpg.exe
O4 - HKLM\..\RunServices: [Windows Mouse Utilities] mouseutils.exe
O4 - HKLM\..\RunOnce: [tool] command.com /c del c:\command.exe
O20 - Winlogon Notify: style2 - C:\WINDOWS\q220328_disk.dll

Step #7

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Step #8

Open Ad-aware SE and do a full scan. Remove all it finds.

Step #9

Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Step #10

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Step #11

Reboot normally and click the Panda ActiveScan shortcut on your desktop. Do a full system scan and make sure the autoclean box is checked! Save the scan log when finished.

Step #12

Post the following information back here using the Add Reply button (note any problems encountered):
  • A new HijackThis log
  • A new WinPFind log
  • The contents of the Smitfiles.txt file
  • The log from ewido
  • The log from the Panda ActiveScan
  • Note: you might not be able to get all of the information into 1 post so feel free to post them separately.

Edited by OldTimer, 31 July 2005 - 12:03 PM.


#7 angrymonkey

angrymonkey
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:44 PM

Posted 03 August 2005 - 01:39 PM

OldTimer,

Hi. Sorry for taking so long to reply. I had to be out of town. Anyway, I started to follow your instructions and I have two questions that are probably retarded, but, anyway - The files that you said to put checks by after the HijackThis scan (in safe mode), am I supposed to click the "Fix checked files" or whatever after I check them? I thought so, but I wasn't sure and didn't want to kill my computer forever. Also, as soon as I added the Ewido, it said that it detected Malware and, since you said not to run a scan yet, I really didn't know what to do. My options were to "allow access" "block" or "clean and block," so I hit the block button, because I didn't know what to do and there was no way to close the window - the Ewido all loaded in Spanish, so I'm a little shaky on some of the translations (because my two options that resemble "scan" (for when I actually will need it) are the words for "analyse" and "explore"). Ok, I think the main problem was the retarded not knowing what to do in the HijackThis scan though, because I think I'll at least be able to figure the Ewido out. Thank you once again for all of your help!!!

#8 OldTimer

Posted 03 August 2005 - 02:51 PM

Hi angrymonkey. I'm sorry, I didn't put the line in there to fix with HijackThis. Yes, after all of the items are checked then click the Fix Checked button.

I can't help you with Spanish :thumbsup:

OT