Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

tryed to clean my self but cant

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

tryed to clean my self but cant

Unread postby Eliza » July 22nd, 2005, 10:15 am

Hi all
I got some nasty stuff on my comp, tryed to clean my self it wont go away..
I get an error msg "Internet Explorer can not find the Active Desktop HTML file. To turn off Active Desktop click Ok"
Im clicking and clicking but it comes back and my desktop flashes, it dosent help if i turn it off in the folder options.
I have scanned with microtrend it find nothing, Panda online scan did find
hhk.dll (c:\winnt\system32\hhk.dll) but did not fix it.
Scanned with Spybot and Ad-awere they both find some stuff and deleted it but i still have something going on here.
Here is my log file.

Sorry for spelling im from Sweden :)

Logfile of HijackThis v1.99.1
Scan saved at 16:01:08, on 2005-07-22
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\msole32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Dennis1\My Documents\Hijack\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
Eliza
Active Member
 
Posts: 11
Joined: March 8th, 2005, 8:15 am
Advertisement
Register to Remove

Unread postby Susan528 » July 22nd, 2005, 3:15 pm

Hello and Welcome Eliza,

Please go here: Jotti Virus Scan at http://virusscan.jotti.org/

Click the "browse" button and locate this file:
C:\WINNT\system32\internat.exe


Click "Open", then click the "Submit" button. Copy the results and paste them here.
Download and install CCleaner from http://www.ccleaner.com/. Don't run it yet.

===============

Download mwav.exe from MicroWorld, then:

1. Double-click the mwav.exe icon to run it (it'll self extract).
2. Click "Scan".
3. Highlight the text in the 'virus log information' pane and use the Ctrl + C keys to copy the highlighted text.
4. When it completes, post back the results from the 'Virus log information' pane.

===============

Trojan Hunter
-
Download TrojanHunter free trial from http://www.trojanhunter.com/
Update and install,
Select Full Scan and let the scan complete. Please note that this scan takes awhile to complete so allow some time. On the tool bar go to File => Save the scan report.

===============

Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:

files...

c:\winnt\system32\hhk.dll
C:\WINNT\system32\msole32.exe

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".
Empty your Recycle Bin. Run CCleaner
===============

Post back a MVAV results, and Trojan Hunter results, new hijackthis log know how everything goes.
User avatar
Susan528
MRU Master
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby Eliza » July 22nd, 2005, 4:10 pm

Hi and thanx for help.

I did all you said, i still have a big problem my desktop is set to
Active Desktop and i can not change it, the web tab missing from display and when i change it in the folder propertis it goes back.
My screen are flickering and from time to time i get some kind of msg on the desktop that my comp is infected and there is a link they want me to
to click on.

here i the log files

From H.J

Logfile of HijackThis v1.99.1
Scan saved at 22:08:11, on 2005-07-22
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\internat.exe
C:\Documents and Settings\Dennis1\My Documents\Hijack\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

From Jotti scan

Service load: 0% 100%

File: internat.exe
Status: OK
MD5 f4206fca3b1d2feab50738ec2485d5f3
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

From Mwav scan

Object "isearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\CLSID\{04F3168F-5AFC-4531-B3B4-16CA93720415}" refers to invalid object "C:\Program Files\PSGuard\AVECore.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{187A8428-BD94-470D-A178-A2347F940519}" refers to invalid object "C:\Program Files\PSGuard\AVECore.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2865930B-4588-4FF3-8227-6D4F66C92C7A}" refers to invalid object "C:\Program Files\PSGuard\AVECore.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2FE2EDC0-9E62-4F34-8A73-BC66DAE48EF3}" refers to invalid object "C:\Program Files\PSGuard\AVECore.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3A3A8C24-8FF0-4140-9731-54D9483EA70B}" refers to invalid object "C:\Program Files\PSGuard\AVECore.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3A906593-B4BD-48ED-84B0-3249BED65EF9}" refers to invalid object "C:\Program Files\PSGuard\AVECore.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{49B72A72-01F5-4AE8-BBD7-DAA67F1E303B}" refers to invalid object "C:\Program Files\PSGuard\AVECore.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{53707962-6F74-2D53-2644-206D7942484F}" refers to invalid object "C:\PROGRA~1\SPYBOT~1\SDHelper.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6AE3ACA6-1BE3-4443-98DD-EFFCFA793D35}" refers to invalid object "C:\Program Files\PSGuard\AVECore.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{787DEC39-69D0-40B3-B173-E0411C59B300}" refers to invalid object "C:\Program Files\PSGuard\WndLayer.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{79DDF2EF-D881-464B-B2AF-5AF8816A3964}" refers to invalid object "C:\Program Files\PSGuard\AVECore.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{813C8E86-4C90-4617-B59E-E130CC068140}" refers to invalid object "C:\Program Files\PSGuard\AVECore.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{89133BCE-57D0-4D2B-AFAF-A97B74AD704E}" refers to invalid object "C:\Program Files\PSGuard\WndLayer.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8F40CC34-FE77-4618-AA3D-BD2EFACAA8DC}" refers to invalid object "C:\Program Files\PSGuard\AVECore.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9F89E240-06A6-4E1C-BA84-F267DE7DB391}" refers to invalid object "C:\Program Files\PSGuard\WndLayer.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A4845882-333F-11D0-B724-00AA0062CBB7}" refers to invalid object "C:\WINNT\System32\WBEM\WBEMSTUB.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B0693766-5278-4ec6-B9E1-3CE40560EF5A}" refers to invalid object "CaPlgin.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B60A0E56-548D-40AE-9383-D752531F653F}" refers to invalid object "C:\Program Files\PSGuard\AVECore.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B67B0756-2528-4996-B4BD-C993614CC0B6}" refers to invalid object "C:\Program Files\PSGuard\AVECore.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BCC51EA9-6340-4EBE-8736-13A752ECB0BE}" refers to invalid object "C:\Program Files\PSGuard\AVECore.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E07D3492-32B5-11D0-B724-00AA0062CBB7}" refers to invalid object "C:\WINNT\System32\WBEM\WBEMSTUB.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E9719D38-EC55-4C8B-9DF0-080ADE95A9FA}" refers to invalid object "C:\Program Files\PSGuard\AVECore.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F4B3E25A-33B4-4647-9A78-B627DDE211A6}" refers to invalid object "C:\Program Files\PSGuard\AVECore.dll". Action Taken: No Action Taken.

From Hunter scan

Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Found possible trojan file: C:\WINNT\system32\intell32.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
1 possible trojan files found


i hope you can help me.

And onesagain sorry for spelling in from Sweden :)
Eliza
Active Member
 
Posts: 11
Joined: March 8th, 2005, 8:15 am

Unread postby Susan528 » July 22nd, 2005, 4:45 pm

Hello again Eliza,

Let's see what information Jotti will give about the intell32.exe. Meanwhile I will be checking on a few things and will get back to you.

Please go here: Jotti Virus Scan at http://virusscan.jotti.org/

Click the "browse" button and locate this file:
C:\WINNT\system32\intell32.exe


Click "Open", then click the "Submit" button. Copy the results and paste them here.
User avatar
Susan528
MRU Master
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby Eliza » July 22nd, 2005, 4:59 pm

Jotti scan log

Service load: 0% 100%

File: intell32.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 ea74c6fa4440666db5d77fa7ab8f122e
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.Fakealert
F-Prot Antivirus Found nothing
Fortinet Found W32/Small.EV-tr
Kaspersky Anti-Virus Found Trojan.Win32.Small.ev
NOD32 Found a variant of Win32/Oleloa
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan.Win32.Small.ev
Eliza
Active Member
 
Posts: 11
Joined: March 8th, 2005, 8:15 am

Unread postby Susan528 » July 22nd, 2005, 5:47 pm

When running an Ewido scan no windows or programs should be open!. Do not use the Computer while the Ewido scan is running!


Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:

files...

C:\WINNT\system32\intell32.exe

Then please run Ewido, run a full scan and let it clean everything it finds. Save the logfile from the scan.


Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
User avatar
Susan528
MRU Master
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby Eliza » July 22nd, 2005, 6:42 pm

Ewido scan log

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 00:29:56, 2005-07-23
+ Report-Checksum: 13C1C5F8

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Update\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
C:\WINNT\system32\intmon.exe -> Trojan.Puper.af : Cleaned with backup


::Report End


H.J scan log

Logfile of HijackThis v1.99.1
Scan saved at 00:34:41, on 2005-07-23
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Dennis1\My Documents\Hijack\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Active Desktop is gone and i got back the web tab in display propertis,
but i have a ico in systray looks like a stop sigh with an ! in it if i tuch it with my mouse it say "Your computer is infected!"

And the intell32.exe is back SpyBot asked if i allow reg. changes that intell32.exe was trying to do i dident allow that
Eliza
Active Member
 
Posts: 11
Joined: March 8th, 2005, 8:15 am

Unread postby Susan528 » July 22nd, 2005, 7:50 pm

Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/folders:

files...

C:\WINNT\system32\intell32.exe

Try going into safe mode if you cannot delete this in normal mode.

You will have to register name and email address but this is free too.
Download a2 from
http://www.softpedia.com/get/Antivirus/ ... Free.shtml
and run. Post the results please.

Run Trojan Hunter and let’s see if anything reappears. Please post the results.

Run hijackthis
“Open the Misc Tools sectionâ€
User avatar
Susan528
MRU Master
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby Eliza » July 23rd, 2005, 12:50 pm

Hi sorry for the delay
Here is A-squared scan log

a² Report
Filename Diagnosis
C:\Documents and Settings\Dennis1\Cookies\dennis1@burstnet[2].txt

Trace.TrackingCookie
C:\Documents and Settings\Dennis1\Cookies\dennis1@please[1].txt

Trace.TrackingCookie

Trojan Hunter dident find anything
H.J "Open ADS Spy" dident find anything

New H.J scan log

Logfile of HijackThis v1.99.1
Scan saved at 18:53:48, on 2005-07-23
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\notepad.exe
C:\Documents and Settings\Dennis1\My Documents\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Can i ask you if you could recomend a good free reg.cleaner?

Thanx Eliza
Eliza
Active Member
 
Posts: 11
Joined: March 8th, 2005, 8:15 am

Unread postby Susan528 » July 23rd, 2005, 3:17 pm

Hi Eliza,

Now I know that you have a Smithfraud infection. Although many infected files may have been deleted and cleared up, I am posting the complete fix. Going through the complete fix will mean that we did not miss anything. So please do the steps. This does have a registry fix which should clear up your problem you are experiencing now.

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Please download Grinler’s reg file from http://www.bleepingcomputer.com/files/reg/smitfraud.reg . Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid

Exit Add/Remove Programs.

*IMPORTANT* http://www.xtra.co.nz/help/0,,4155-1916458,00.html CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please download the Killbox from http://www.bleepingcomputer.com/files/s ... illBox.zip . In the event you already have Killbox, this is a new version that I need you to download.

* Unzip to your desktop.
* Please double-click Killbox.exe to run it.
* Select "Delete on Reboot".
* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.

Using Windows Explorer, delete the following, if found, (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete red if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

Reboot into normal mode.

1.) Download The Hoster from http://www.funkytoad.com/download/hoster.zip . Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Download DelDomains.inf from http://www.mvps.org/winhelp2002/DelDomains.inf and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp from http://www.spywareaid.com/index.php?fil ... tware&id=1

4.) Run this Panda ActiveScan at http://www.pandasoftware.com/activescan/
Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan
Last edited by Susan528 on July 25th, 2005, 11:06 am, edited 2 times in total.
User avatar
Susan528
MRU Master
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby Eliza » July 25th, 2005, 6:48 am

Sorry cant download the Smitfraud.reg or KillBox.zip im getting this msg

404 ERROR: Page Not Found!

The requested page http://www.bleepingcomputer.com/files/reg/smitfraud.reg. could not be found on this server.
Eliza
Active Member
 
Posts: 11
Joined: March 8th, 2005, 8:15 am

Unread postby Susan528 » July 25th, 2005, 11:12 am

I am so sorry. I had a period at the end of those links which messed things up! You can see I edited the post and added a space. I checked the links and the links now worked for me. So proceed with the above fix.
User avatar
Susan528
MRU Master
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby Eliza » July 26th, 2005, 6:15 am

Never mind i copyied them one by one im onit now ill post logs when im done :)





I must be stupit but when i try to paste from clipboard nothing happens,
and when you say"

* Please double-click Killbox.exe to run it.
* Select "Delete on Reboot".
* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe

what do you mean by earlier? I must have missed somethig.
Im trying to copy this files but when i try to paste from clipboard nothing shows up, when i just paste it in the window only the first file comes up.
Eliza
Active Member
 
Posts: 11
Joined: March 8th, 2005, 8:15 am

Unread postby Eliza » July 26th, 2005, 7:45 am

Hi
Active scan log

Incident Status Location

Adware:adware/virmaid No disinfected C:\WINNT\SYSTEM32\ole32vbs.exe
Adware:adware/psguard No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD\PSGUARD
Adware:adware/savenow No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET
Possible Virus. No disinfected C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe

H.J log

Logfile of HijackThis v1.99.1
Scan saved at 13:55:16, on 2005-07-26
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dennis1\My Documents\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
Eliza
Active Member
 
Posts: 11
Joined: March 8th, 2005, 8:15 am

Unread postby Susan528 » July 26th, 2005, 3:49 pm

Hello Eliza,

what do you mean by earlier? I must have missed something.
Im trying to copy this files but when i try to paste from clipboard nothing shows up, when i just paste it in the window only the first file comes up.


You did not miss anything. The way Killbox works is that it scans your PC for the files you copied and are trying to delete. If the files are not on your pc, they disappear. So evidently the files were not present on your pc. You had done a good job of getting rid of infected files before you first posted. But we are about to finish up the job and get rid of the few remaining! Good work!

Remember that you may have to disable TeaTimer, TrojanGuard, and A2 to allow the registry fix. If you get any pop-ups asking if you want to allow this script, etc. please allow the fix to take place.

Launch Notepad (not wordpad), and copy and paste the Bolded below into a new text file.
Save it as file name: "regfix.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD]

[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET]


Now double-click on the regfix.reg file you saved and click on the Yes button when it asks if you would like to merge the information.

Now run Killbox
1. select "Action | Delete on reboot".
2. copy/paste the following file name(s), one at a time, in the "Paste Path of File to Delete" field:

C:\WINNT\SYSTEM32\ole32vbs.exe

3. click "Kill File".
4. when prompted to "Reboot Now" select "Yes".

The above should take care of these three entries.
Adware:adware/virmaid No disinfected C:\WINNT\SYSTEM32\ole32vbs.exe
Adware:adware/psguard No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD\PSGUARD
Adware:adware/savenow No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET

The TrojanHunter one is benign.

Please run the Active scan one more time and post the results and a new hijackthis log and we will make sure these remaining entries were eliminated.
User avatar
Susan528
MRU Master
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 22 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware