hburg
I have this on my XP desktop: TROJAN-SPY.HTML.SMITFRAUD.c

  #1  
Jul 11th, 2005
Hello,
I have contracted a virus or something that is giving me a blue desktop with the fatal error on my XP machine: TROJAN-SPY.HTML.SMITFRAUD.c
PSGuard has downloaded itself to my desktop.
I have HijackThis and KillBox and don't know where to go from there. Any help would be greatly appreciated.

Thanks in advance,
Hburg.
swatkat
  #2  
Jul 12th, 2005
Hi,
Open NotePad, and copy the contents of the below "Code" box:-
regedit /e Info.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
Go to File Menu > Save As, and save the file with the name Test.bat and exit from NotePad.

Double-click on the file Test.bat; a small DOS-type window should open and close immediately. After this, there should be a file called Info.txt in the same location as Test.bat. Open Info.txt and post its contents here.

Download the latest HijackThis and unzip it to a dedicated folder (like C:\HijackThisFolder\hijackthis.exe).
Then run it and click the button Do a System scan and save log file. HijackThis will perform a scan and save the log file as hijackthis.log in the same folder where it is installed, and it also opens the file automatically.
Copy the entire contents of the file and post it in this section.
hburg
  #3  
Jul 12th, 2005
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000000
"SpecifyDefaultButtons"=dword:00000000
"Btn_Search"=dword:00000000
"NoBandCustomize"=dword:00000000
"NoToolbarCustomize"=dword:00000000
"NoActiveDesktopChanges"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000000
"NoDispBackgroundPage"=dword:00000001
"NoDispAppearancePage"=dword:00000001


Logfile of HijackThis v1.99.1
Scan saved at 8:10:56 AM, on 7/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\intel32.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\combop.exe
C:\WINDOWS\System32\combo.exe
C:\PROGRA~1\AIMcrap\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\windows\kytjsyy.exe
C:\WINDOWS\System32\w?nword.exe
C:\Program Files\nrpn\osoa.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mm.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.allmusic.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe,pagemled.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\pagemled.exe,C:\Documents and Settings\ilovemymuther\Application Data\Explorer\pagemled.exe
O2 - BHO: (no name) - {012E84C6-163E-4EB4-B6F8-4C3671292BCA} - C:\WINDOWS\mm.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [nikizu] C:\WINDOWS\System32\qxoqlg.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Services] scmsg.exe
O4 - HKLM\..\Run: [Windows Component] C:\WINDOWS\System32\pagemled.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [combop.exe] combop.exe
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\RunServices: [Windows Services] scmsg.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIMcrap\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Windows Services] scmsg.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Windows Component] C:\WINDOWS\System32\pagemled.exe
O4 - HKCU\..\Run: [krtfvnj] c:\windows\kytjsyy.exe
O4 - HKCU\..\Run: [Pdb] C:\WINDOWS\System32\w?nword.exe
O4 - HKCU\..\Run: [xbdcjqm] c:\windows\bmprwxf.exe
O4 - HKCU\..\Run: [Ncao] C:\Program Files\nrpn\osoa.exe
O4 - HKCU\..\Run: [uftlvbs] c:\windows\bmprwxf.exe
O4 - HKCU\..\Run: [iicutqx] c:\windows\bmprwxf.exe
O4 - HKCU\..\Run: [jabtcej] c:\windows\pgdcbvd.exe
O4 - HKCU\..\Run: [xyfdnct] c:\windows\hsrcdio.exe
O4 - HKCU\..\RunServices: [Windows Services] scmsg.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIMcrap\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} (PWLNINST Control) - http://www.platoweb.com/pathways/pwa...b/pwlninst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: Windows Media - {14CAE4B5-36CD-433D-8A1B-BE7B288AE9E9} - C:\WINDOWS\System32\msido404.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
swatkat
  #4  
Jul 12th, 2005
Open NotePad, and copy the contents of the below "Code" box:-
Windows Registry Editor Version 5.00


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"SpecifyDefaultButtons"=-
"Btn_Search"=-
"NoBandCustomize"=-
"NoToolbarCustomize"=-
"NoActiveDesktopChanges"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=-
"DisableTaskMgr"=-
"NoDispBackgroundPage"=-
"NoDispAppearancePage"=-
Go to File Menu > Save As, and save the file with the name Fix.reg and exit from NotePad.


Download these Tools and Install them:-
CleanUp!
TrojanHunter Trial

Download Ewido and install it. Then run it; you will receive a warning message saying "Database not found", click "OK" for this. Next, in the main screen, click "Update" and click "Start Update". After the update process, exit from Ewido.


Please print or save this Webpage.

Make Windows show all files:-
Go to Start > My Computer.
Go to Tools menu, click Folder Options (Folder Option will be in View Menu in Win98).
Uncheck Hide protected operating system files.
Then, click to select the option Show hidden files and folders.
Click Apply and then click OK to exit.


Reboot in Safe Mode:-
Restart (or switch ON) the PC.
Then, keep tapping the F8 Key.
From the menu that is displayed, choose Safe Mode and press Enter.


Run HijackThis and click Do only a System scan.
Then put a check mark in front of the below listed entries:-

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mm.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.allmusic.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe,pagemled.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\pagemled.exe,C:\Documents and Settings\ilovemymuther\Application Data\Explorer\pagemled.exe
O2 - BHO: (no name) - {012E84C6-163E-4EB4-B6F8-4C3671292BCA} - C:\WINDOWS\mm.dll (file missing)
O4 - HKLM\..\Run: [nikizu] C:\WINDOWS\System32\qxoqlg.exe
O4 - HKLM\..\Run: [Windows Services] scmsg.exe
O4 - HKLM\..\Run: [Windows Component] C:\WINDOWS\System32\pagemled.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [combop.exe] combop.exe
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\RunServices: [Windows Services] scmsg.exe
O4 - HKCU\..\Run: [Windows Services] scmsg.exe
O4 - HKCU\..\Run: [Windows Component] C:\WINDOWS\System32\pagemled.exe
O4 - HKCU\..\Run: [krtfvnj] c:\windows\kytjsyy.exe
O4 - HKCU\..\Run: [Pdb] C:\WINDOWS\System32\w?nword.exe
O4 - HKCU\..\Run: [xbdcjqm] c:\windows\bmprwxf.exe
O4 - HKCU\..\Run: [Ncao] C:\Program Files\nrpn\osoa.exe
O4 - HKCU\..\Run: [uftlvbs] c:\windows\bmprwxf.exe
O4 - HKCU\..\Run: [iicutqx] c:\windows\bmprwxf.exe
O4 - HKCU\..\Run: [jabtcej] c:\windows\pgdcbvd.exe
O4 - HKCU\..\Run: [xyfdnct] c:\windows\hsrcdio.exe
O4 - HKCU\..\RunServices: [Windows Services] scmsg.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O21 - SSODL: Windows Media - {14CAE4B5-36CD-433D-8A1B-BE7B288AE9E9} - C:\WINDOWS\System32\msido404.dll


Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.


Delete these files:-
C:\WINDOWS\System32\combop.exe
C:\WINDOWS\System32\combo.exe
C:\windows\kytjsyy.exe
C:\Program Files\nrpn\osoa.exe
C:\WINDOWS\System32\pagemled.exe
C:\Documents and Settings\ilovemymuther\Application Data\Explorer\pagemled.exe
C:\WINDOWS\System32\qxoqlg.exe
C:\WINDOWS\System32\intel32.exe
c:\windows\bmprwxf.exe
C:\Program Files\nrpn\osoa.exe
c:\windows\pgdcbvd.exe
c:\windows\hsrcdio.exe
C:\WINDOWS\System32\msido404.dll
C:\WINDOWS\System32\w?nword.exe
C:\WP.BMP

scmsg.exe <-- Use the Windows Search feature to find this file.

Delete this folder:-
C:\Program Files\nrpn


Run these applications in the following order and remove the bad things they may find.
CleanUp!
  • Click the "Options" button, move the "Quick Setup" slider to "Thorough CleanUp!", click "Yes" for the warning message and exit from Options.
  • Click "CleanUp!" to start cleaning.
  • After cleaning, click "Close", and choose "Yes" to restart the PC.

TrojanHunter
  • Select all the Hard Disk partitions.
  • Click "Full Scan".

Ewido
  • Click on the "Scanner" button in the left menu, then click on the "Start" button.
  • If ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan finishes, click on "Save Report". This will create a text file.


Double-Click on the file Fix.reg, and choose "Yes" to merge it with Registry.


Reboot to Normal Mode. Perform an online virus scan at Panda ActiveScan with the "Disinfection" option enabled. Save the log file it gives after the scan.

Run HijackThis again. Then click Do a System scan and save log, and post the fresh log along with the Panda ActiveScan and Ewido logs.
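The Policies export in #3 and the Fix.reg in #4 together form a small procedure: find the Explorer/System restriction values the hijacker set (the ones that lock out Task Manager, regedit and the Display control panel pages), delete them with "=-", and put NoDriveTypeAutoRun back to 0x91. As an added example (not code from the thread or from any tool it names), this Python script parses such a `regedit /e` export, reports the values that are actively set, and generates the equivalent Fix.reg; the sample export is constructed to match the Info.txt posted in #3, and the function names are my own.

```python
"""Check a `regedit /e` export of HKCU\...\Policies for the restrictions the
thread's Fix.reg removes, and build that Fix.reg from what is present.

Added example, not code from the thread. SAMPLE_EXPORT is constructed to
match the Info.txt posted in the thread. A real Info.txt written by
regedit /e is UTF-16: read it with open(path, encoding="utf-16").
"""
import re

EXPLORER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SYSTEM_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Values the fix deletes outright ("=-" in a .reg file): on a home machine they
# only exist to lock the user out of recovery tools or of the desktop settings.
REMOVE = {
    EXPLORER_KEY: {"SpecifyDefaultButtons", "Btn_Search", "NoBandCustomize",
                   "NoToolbarCustomize", "NoActiveDesktopChanges"},
    SYSTEM_KEY: {"DisableRegistryTools", "DisableTaskMgr",
                 "NoDispBackgroundPage", "NoDispAppearancePage"},
}
# Values the fix resets instead: 0x91 is the Windows XP default for autorun.
RESET = {EXPLORER_KEY: {"NoDriveTypeAutoRun": 0x91}}

SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000000
"SpecifyDefaultButtons"=dword:00000000
"Btn_Search"=dword:00000000
"NoBandCustomize"=dword:00000000
"NoToolbarCustomize"=dword:00000000
"NoActiveDesktopChanges"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000000
"NoDispBackgroundPage"=dword:00000001
"NoDispAppearancePage"=dword:00000001
"""

VALUE_RE = re.compile(r'"([^"]+)"=(dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg_export(text):
    """Return {key_path: {value_name: int_or_str}} from a .reg export.
    Only dword and string values are decoded; enough for the Policies tree."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = (int(m.group(3), 16) if m.group(3) is not None
                                             else m.group(4))
    return keys


def find_restrictions(keys):
    """(key, name, value) for restriction values that are switched on (non-zero)
    and for reset targets that differ from the expected value."""
    hits = []
    for key, names in REMOVE.items():
        for name, val in keys.get(key, {}).items():
            if name in names and val:
                hits.append((key, name, val))
    for key, targets in RESET.items():
        for name, expected in targets.items():
            val = keys.get(key, {}).get(name)
            if val is not None and val != expected:
                hits.append((key, name, val))
    return hits


def build_fix_reg(keys):
    """Emit a .reg file like the thread's Fix.reg: '=-' deletes a value,
    dword:... resets it. Only values actually present in the export are touched."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key in (EXPLORER_KEY, SYSTEM_KEY):
        present = keys.get(key, {})
        lines = []
        for name, expected in RESET.get(key, {}).items():
            if name in present and present[name] != expected:
                lines.append(f'"{name}"=dword:{expected:08x}')
        for name in sorted(REMOVE.get(key, set())):
            if name in present:
                lines.append(f'"{name}"=-')
        if lines:
            out += [f"[{key}]", *lines, ""]
    return "\n".join(out)


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    for key, name, val in find_restrictions(parsed):
        print(f"set: {key.rsplit(chr(92), 1)[1]}\\{name} = {val}")
    print(build_fix_reg(parsed))
```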
hburg
  #5  
Jul 12th, 2005
I could not locate these files to delete them:

C:\WINDOWS\System32\pagemled.exe
C:\Documents and Settings\ilovemymuther\ApplicationData\Explorer\pagemled.exe
C:\WINDOWS\System32\qxoqlg.exe
C:\WP.BMP
scmsg.exe




Logfile of HijackThis v1.99.1
Scan saved at 8:08:06 PM, on 7/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AIMcrap\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
F2 - REG:system.ini: Shell=explorer.exe,pagemled.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\pagemled.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Windows Component] C:\WINDOWS\System32\pagemled.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIMcrap\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [pedsiqk] c:\windows\hsrcdio.exe
O4 - HKCU\..\Run: [caeobgm] c:\windows\hsrcdio.exe
O4 - HKCU\..\Run: [dklhwdp] c:\windows\hsrcdio.exe
O4 - HKCU\..\Run: [upawrub] c:\windows\hsrcdio.exe
O4 - HKCU\..\Run: [ibqtxef] c:\windows\hsrcdio.exe
O4 - HKCU\..\Run: [wgifoof] c:\windows\jjrocpk.exe
O4 - HKCU\..\Run: [Windows Component] C:\WINDOWS\System32\pagemled.exe
O4 - HKCU\..\RunServices: [Windows Services] scmsg.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIMcrap\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} (PWLNINST Control) - http://www.platoweb.com/pathways/pwa...b/pwlninst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: Windows Media - {67D9CC29-6A3A-420A-9B80-4172AD3553AE} - C:\WINDOWS\System32\msido404.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Incident Status Location

Adware:Adware/SaveNow No disinfected C:\Program Files\Save
Adware:Adware/nCase No disinfected Windows Registry
Spyware:Spyware/Bridge No disinfected C:\WINDOWS\Downloaded Program Files\bridge.???
Adware:Adware/MediaTickets No disinfected Windows Registry
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.in?
Adware:Adware/SideFind No disinfected Windows Registry
Virus:W32/Smitfraud.B Disinfected C:\WINDOWS\$NtUninstallKB889293-IE6SP1-20041111.235619$\wininet.dll
Adware:Adware/CWS No disinfected C:\WINDOWS\colors.txt
Spyware:Spyware/Bridge No disinfected C:\WINDOWS\Downloaded Program Files\bridge.inf
Virus:Trj/Runet.A Disinfected C:\WINDOWS\home.htm
Adware:Adware/IPInsight No disinfected C:\WINDOWS\INF\alchem.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\INF\conscorr.inf
Adware:Adware/CWS.Flsmngr No disinfected C:\WINDOWS\SYSTEM32\djggaaaa.exe
Virus:Trj/Downloader.DGG Disinfected C:\WINDOWS\SYSTEM32\papmnkcj.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\Shex.exe
Virus:Bck/Pidor.A Disinfected C:\WINDOWS\SYSTEM32\thn32.dll.tcf
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:36:57 PM, 7/12/2005
+ Report-Checksum: D6AB559B

+ Scan result:

C:\WINDOWS\bbchk.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\jjrocpk.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\jgpshsqa.exe -> TrojanDropper.Agent.ka : Cleaned with backup
C:\WINDOWS\SYSTEM32\oleadm.dll -> Trojan.Agent.ff : Cleaned with backup
C:\WINDOWS\SYSTEM32\pagemled.exe -> Backdoor.PPdoor.az : Cleaned with backup
C:\WINDOWS\SYSTEM32\pauuojaa.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\sender.exe -> Worm.Bagz.j : Cleaned with backup
C:\WINDOWS\SYSTEM32\socks.exe -> Trojan.Small.ej : Cleaned with backup
C:\WINDOWS\SYSTEM32\syivoaaa.exe -> Trojan.Delf.ly : Cleaned with backup
C:\WINDOWS\SYSTEM32\vqaaqsvm.exe -> TrojanDropper.Small.wv : Cleaned with backup
C:\WINDOWS\uninstIU.exe -> Trojan.Agent.ff : Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup


::Report End
swatkat
  #6  
Jul 13th, 2005
Download CWShredder and AboutBuster.

Download AdAware and install it.

Open NotePad, and copy the contents of the below "Code" box:-
cd %windir%
attrib -s -r -h colors.txt
del colors.txt
attrib -s -r -h hsrcdio.exe
del hsrcdio.exe
attrib -s -r -h jjrocpk.exe
del jjrocpk.exe
cd inf
attrib -s -r -h alchem.inf
attrib -s -r -h conscorr.inf
del conscorr.inf
del alchem.inf
cd %windir%
cd system32
attrib -s -r -h djggaaaa.exe
del djggaaaa.exe
attrib -s -r -h Shex.exe
del Shex.exe
attrib -s -r -h pagemled.exe
del pagemled.exe
attrib -s -r -h msido404.dll
del msido404.dll
attrib -s -r -h bridge.dll
del bridge.dll
Go to File Menu > Save As, and save the file with the name Test.bat and exit from NotePad.



Reboot in Safe Mode. Run HijackThis and click Do only a System scan.
Then put a check mark in front of the below listed entries:-

O4 - HKLM\..\Run: [Windows Component] C:\WINDOWS\System32\pagemled.exe
O4 - HKCU\..\Run: [pedsiqk] c:\windows\hsrcdio.exe
O4 - HKCU\..\Run: [caeobgm] c:\windows\hsrcdio.exe
O4 - HKCU\..\Run: [dklhwdp] c:\windows\hsrcdio.exe
O4 - HKCU\..\Run: [upawrub] c:\windows\hsrcdio.exe
O4 - HKCU\..\Run: [ibqtxef] c:\windows\hsrcdio.exe
O4 - HKCU\..\Run: [wgifoof] c:\windows\jjrocpk.exe
O4 - HKCU\..\Run: [Windows Component] C:\WINDOWS\System32\pagemled.exe
O4 - HKCU\..\RunServices: [Windows Services] scmsg.exe
O21 - SSODL: Windows Media - {67D9CC29-6A3A-420A-9B80-4172AD3553AE} - C:\WINDOWS\System32\msido404.dll (file missing)


Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.


Double-Click on the file Test.bat, a small DOS type window should open and close immediately.


Delete this file:-
C:\WINDOWS\Downloaded Program Files\bridge.inf

And delete this folder:-
C:\Program Files\Save


Run CWShredder, and click "Fix". Next, run AboutBuster and click "Begin Removal".

Run AdAware, click "Scan Now" button in the left pane. Select the radio button "Perform full system scan". Click "Start", and remove any malware it may find.


Reboot to Normal Mode. Run HijackThis again. Then click Do a System scan and save log, and post the fresh log.

Did you get your desktop background back to normal?
hburg
  #7  
Jul 14th, 2005
swatkat,

Thank you so much for your help. I couldn't have fixed this without you.
My desktop is back to normal and everything seems to be running fine. The PSGuard is still in the HijackThis file. Should that be deleted too?

Thanks a ton,
Hburg


Logfile of HijackThis v1.99.1
Scan saved at 5:47:53 PM, on 7/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AIMcrap\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\pagemled.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIMcrap\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIMcrap\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} (PWLNINST Control) - http://www.platoweb.com/pathways/pway_iis.dll/pwln/02020003/fullcab/pwlninst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
swatkat
  #8  
Jul 14th, 2005
Hi,
Yes, it needs to be removed!
Boot in safe mode, run HijackThis and select these two entries:-

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\pagemled.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe


Close all other programs and click "Fix Checked" in HijackThis.

Delete this file:-
C:\Program Files\PSGuard\PSGuard.exe

and this folder:-
C:\Program Files\PSGuard

Also, do a search for this file pagemled.exe and when the search result is displayed, select the file and press "Delete" to delete it.

Reboot in safe mode, and run HijackThis and post a fresh log.
hburg
  #9  
Jul 15th, 2005
Logfile of HijackThis v1.99.1
Scan saved at 4:39:16 PM, on 7/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AIMcrap\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIMcrap\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIMcrap\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} (PWLNINST Control) - http://www.platoweb.com/pathways/pwa...b/pwlninst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
hburg
Re: i have this on my XP desktop:TROJAN-SPY.HTML.SMITFRAUD.c
#10, Jul 15th, 2005
Something drastically wrong has happened. I was downloading the update to Ad-Aware and everything went haywire.
My desktop background reads:

"WARNING!
YOU'RE IN DANGER!
ALLYOU DO WITH COMPUTER IS STORED FOREVER IN YOUR HARD DISK. WHEN YOU VISIT SITES, SEND EMAIL... ALL YOUR ACTIONS ARE LOGGED. AND IT IS NOT POSSIBLE TO REMOVE THEM WITH STANDARD TOOLS. YOUR DATA IS STILL AVAILIBLE FOR FORENSICS. AND IN SOME CASES FOR YOUR BOSS, YOUR FRIENDS, YOUR WIFE, YOUR CHILDREN.

Every site you or somebody or even something, like spyware, opened your browser, with all im ages, and all downloaded and maybe later removed movies and mp3 songs - ARE STILL THERE and could brke your live!

SECURE YOURSELF RIGHT NOW!
REMOVE ALL SPYWARE FROM YOUR PC!"

The entire thing is a link. My homepage has once again been changed to something different. It now reads: http:///

I have no idea what's going on.
I deleted the links from my desktop that it installed, including files called date, network, pharm, spyware, and a few others.

My HijackThis log is as follows. I'm sorry I've been such a hassle.

Logfile of HijackThis v1.99.1
Scan saved at 5:12:49 PM, on 7/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CleanUp!\Cleanup.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpBAEC.tmp (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [AntivirusGold] C:\Program Files\AntivirusGold\AntivirusGold.exe /h
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIMcrap\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIMcrap\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {63584091-84F0-567A-3FD8-637142B43610} - http://66.246.197.126/1/gdnUS1865.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1121460318265
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} (PWLNINST Control) - http://www.platoweb.com/pathways/pwa...b/pwlninst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
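A way to triage a pasted HijackThis log for the indicators that appear in post #8 and in the two logs above (the extra program on UserInit, the PSGuard/AntivirusGold/intel32.exe/hookdump.exe autoruns, the oneclicksearches.com browser hijack, the orphaned BHO, and the ActiveX download from a bare IP), as an added example that is neither HijackThis's code nor from the thread. The rogue-name and domain lists, the RegSvr32-label heuristic and the sample log lines are assumptions drawn from this thread only, not a general signature set.

```python
"""Flag Smitfraud-style indicators in a HijackThis 1.99 log.
Added example, not HijackThis's or the thread's code. The rogue names, hijack
domain and sample lines are assumptions taken from the logs posted in this
thread; they are illustrative, not a complete signature set."""
import re
from typing import List, Tuple

# Assumption: system root is C:\WINDOWS, so this is the only legitimate Userinit entry.
GENUINE_USERINIT = r"c:\windows\system32\userinit.exe"
# Names seen in this thread's logs (lower-case, matched as substrings of an O4 line).
ROGUE_NAMES = ("psguard", "antivirusgold", "pagemled.exe", "intel32.exe", "hookdump.exe")
HIJACK_DOMAINS = ("oneclicksearches.com",)
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}[/:]")
O4_ENTRY = re.compile(r"\[(.+?)\]\s+(.+)$")


def check_line(line: str) -> List[str]:
    """Return the reasons a single log line looks hostile; [] means clean."""
    low = line.lower()
    reasons: List[str] = []

    # F2: Winlogon Userinit. Anything besides the genuine userinit.exe was appended by malware.
    if low.startswith("f2 - reg:system.ini: userinit="):
        value = line.split("=", 1)[1]
        extras = [p.strip() for p in value.split(",")
                  if p.strip() and p.strip().lower() != GENUINE_USERINIT]
        if extras:
            reasons.append("UserInit launches extra program(s): " + ", ".join(extras))

    # R0/R1: IE start/search settings pointing at a known hijack domain.
    if low.startswith(("r0 - ", "r1 - ")):
        for domain in HIJACK_DOMAINS:
            if domain in low:
                reasons.append(f"browser setting points at hijack domain {domain}")

    # O2: a BHO whose DLL is gone is a leftover registration, not a clean system.
    if low.startswith("o2 - bho:") and "(file missing)" in low:
        reasons.append("BHO registered but its file is missing")

    # O4: autoruns. Known rogue names, plus a value label that lies about what it runs.
    if low.startswith("o4 - "):
        for name in ROGUE_NAMES:
            if name in low:
                reasons.append(f"autorun references rogue name {name}")
        m = O4_ENTRY.search(line)
        if m:
            label, command = m.group(1).lower(), m.group(2).lower()
            if label == "regsvr32" and not command.endswith("regsvr32.exe"):
                reasons.append("Run value named RegSvr32 does not launch regsvr32.exe")

    # O16: ActiveX installer fetched from a bare IP address rather than a hostname.
    if low.startswith("o16 - dpf:") and IP_URL.search(low):
        reasons.append("ActiveX (DPF) download from a raw IP address")

    return reasons


def triage(log: str) -> List[Tuple[str, List[str]]]:
    """Run check_line over a whole log; return (line, reasons) for flagged lines only."""
    hits = []
    for raw in log.splitlines():
        line = raw.strip()
        if line:
            reasons = check_line(line)
            if reasons:
                hits.append((line, reasons))
    return hits


# Constructed sample: lines copied from the logs in this thread, mixed with clean ones.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\pagemled.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpBAEC.tmp (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [AntivirusGold] C:\Program Files\AntivirusGold\AntivirusGold.exe /h
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {63584091-84F0-567A-3FD8-637142B43610} - http://66.246.197.126/1/gdnUS1865.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run against the sample it flags nine lines and leaves the NVIDIA, MSN Messenger, Panda and O23 service entries alone. The name matching is deliberately dumb substring matching, which is fine for a list this short; the UserInit and RegSvr32 checks are the generic ones worth keeping, since they catch the technique (an appended logon program, a Run value whose label does not match its executable) rather than a particular file name.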
Forum system based on vBulletin Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
©2003 - 2008 DaniWeb® LLC