Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

SmitFraud or worse?

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

SmitFraud or worse?

Unread postby wlwood » December 31st, 2009, 12:59 am

OK...here goes. I have a IBM-based PC running Win2k professional that has acquired a smitfraud-like set of symptoms. Background now has a gooey-green color with a large black box in the center that says "YOUR SYSTEM IS INFECTED..." Occasionally there will be a small window in the lower right that appears to say something like "Click here to protect your computer from Spyware." The registry editor and the Task Manager have both been disabled. My HijackThis File follows:

=========================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:59 PM, on 12/30/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\CTSvcCDA.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINNT\system32\dlcicoms.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
C:\Program Files\Creative\News\NewsUpd.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer 946\dlcimon.exe
C:\WINNT\system32\WDBtnMgr.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\winupdate86.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Utility\GetRight\getright.exe
C:\Utility\GetRight\getright.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\pdfforge Toolbar\SearchSettings.dll
F2 - REG:system.ini: UserInit=C:\WINNT\system32\winlogon86.exe
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\pdfforgeToolbarIE.dll
O2 - BHO: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\pdfforge Toolbar\SearchSettings.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\pdfforgeToolbarIE.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
O4 - HKLM\..\Run: [NewsUpd] C:\Program Files\Creative\News\NewsUpd.EXE /q
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLCICATS] rundll32 C:\WINNT\system32\spool\DRIVERS\W32X86\3\DLCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcimon.exe] "C:\Program Files\Dell AIO Printer 946\dlcimon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\pdfforge Toolbar\SearchSettings.exe
O4 - HKLM\..\Run: [winupdate86.exe] C:\WINNT\system32\winupdate86.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Utility\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - C:\Utility\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Utility\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: dlci_device - - C:\WINNT\system32\dlcicoms.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

--
End of file - 7771 bytes

=========================


The uninstall list from the misc tools section in HijackThis provided the following information:

=========================

3300 Software Uninstall
ABBYY FineReader 6.0 Sprint
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player 9
Adobe Reader 9
Adobe Shockwave Player 11.5
ATITool Overclocking Utility
Creative Jukebox Driver
Data Lifeguard Tools
Dell AIO Printer 946
Dell PC Fax
Diskeeper Lite
D-Link AirPlus
DrawPlus 3.0
Easy CD & DVD Creator 6
ExamView ActiveX Control v2
ExamView Assessment Suite
FinePixViewer Ver.2.0
FUJIFILM USB Driver
getPlus(R) for Adobe
GetRight
Grade Machine
HijackThis 2.0.2
Hotfix for MDAC 2.71 (KB911562)
Hotfix for MDAC 2.71 (KB927779)
hp deskjet 5550 series
hp deskjet 5550 series (Remove only)
Intel(R) Active Monitor
J2SE Runtime Environment 5.0 Update 4
JumpStart 6th Grade 2001
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Fireworks MX 2004
Macromedia Flash MX 2004
Macromedia FreeHand MXa
McAfee Virtual Technician
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 1.1 Security Update (KB971108)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Office Professional Edition 2003
Microsoft Rise Of Nations
Microsoft Web Publishing Wizard 1.52
Mozilla Firefox (3.0.15)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML4 Parser
NVIDIA Drivers
PADB Pre-Algebra
PDFCreator
pdfforge Toolbar v1.1.1
Photo Organizer
PlexTools Professional V2.12
Print to Fax
QuickTime
RollerCoaster Tycoon 3 Platinum
Roxio DVDMax Player
Roxio PhotoSuite 5
Security Update for DirectX 9.0 (KB971633)
Security Update for Windows 2000 (KB904706)
Security Update for Windows 2000 (KB923689)
Security Update for Windows 2000 (KB941569)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB975025)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 6.4 (KB954600)
Security Update for Windows Media Player 6.4 (KB974112)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows Media Player 9 (KB973540)
SimCity 3000
Sound Blaster AudioPCI
Sound Blaster PCI128 Drivers
SpeechRedist
Spyware Doctor 4.1
The Print Shop 22
Update Rollup 1 for Windows 2000 SP4
Warhammer 40,000: Dawn Of War - Gold Edition
WD Diagnostics
WDCSAM Driver
WebIQ Client Software
Windows 2000 Hotfix - KB833407
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB867282
Windows 2000 Hotfix - KB890046
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896424
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows 2000 Hotfix - KB908519
Windows 2000 Hotfix - KB908523
Windows 2000 Hotfix - KB908531
Windows 2000 Hotfix - KB911280
Windows 2000 Hotfix - KB911567
Windows 2000 Hotfix - KB912812
Windows 2000 Hotfix - KB912919
Windows 2000 Hotfix - KB913580
Windows 2000 Hotfix - KB914388
Windows 2000 Hotfix - KB914389
Windows 2000 Hotfix - KB917008
Windows 2000 Hotfix - KB917422
Windows 2000 Hotfix - KB917736
Windows 2000 Hotfix - KB917953
Windows 2000 Hotfix - KB918118
Windows 2000 Hotfix - KB920213
Windows 2000 Hotfix - KB920670
Windows 2000 Hotfix - KB920683
Windows 2000 Hotfix - KB920685
Windows 2000 Hotfix - KB921398
Windows 2000 Hotfix - KB922582
Windows 2000 Hotfix - KB923191
Windows 2000 Hotfix - KB923414
Windows 2000 Hotfix - KB923561
Windows 2000 Hotfix - KB923694
Windows 2000 Hotfix - KB923810
Windows 2000 Hotfix - KB923980
Windows 2000 Hotfix - KB924191
Windows 2000 Hotfix - KB924270
Windows 2000 Hotfix - KB924667
Windows 2000 Hotfix - KB925902
Windows 2000 Hotfix - KB926122
Windows 2000 Hotfix - KB926436
Windows 2000 Hotfix - KB927891
Windows 2000 Hotfix - KB928090
Windows 2000 Hotfix - KB928843
Windows 2000 Hotfix - KB929969
Windows 2000 Hotfix - KB930178
Windows 2000 Hotfix - KB931784
Windows 2000 Hotfix - KB932168
Windows 2000 Hotfix - KB933566
Windows 2000 Hotfix - KB935839
Windows 2000 Hotfix - KB935840
Windows 2000 Hotfix - KB937894
Windows 2000 Hotfix - KB938464
Windows 2000 Hotfix - KB938827
Windows 2000 Hotfix - KB943055
Windows 2000 Hotfix - KB943485
Windows 2000 Hotfix - KB944338
Windows 2000 Hotfix - KB945553
Windows 2000 Hotfix - KB950749
Windows 2000 Hotfix - KB950974
Windows 2000 Hotfix - KB951066
Windows 2000 Hotfix - KB951748
Windows 2000 Hotfix - KB951748-V2
Windows 2000 Hotfix - KB952004
Windows 2000 Hotfix - KB952954
Windows 2000 Hotfix - KB955069
Windows 2000 Hotfix - KB956802
Windows 2000 Hotfix - KB956844
Windows 2000 Hotfix - KB957097
Windows 2000 Hotfix - KB958470
Windows 2000 Hotfix - KB958644
Windows 2000 Hotfix - KB958687
Windows 2000 Hotfix - KB958869
Windows 2000 Hotfix - KB959426
Windows 2000 Hotfix - KB960225
Windows 2000 Hotfix - KB960803
Windows 2000 Hotfix - KB960859
Windows 2000 Hotfix - KB961371
Windows 2000 Hotfix - KB961371-V2
Windows 2000 Hotfix - KB961501
Windows 2000 Hotfix - KB967715
Windows 2000 Hotfix - KB968537
Windows 2000 Hotfix - KB969059
Windows 2000 Hotfix - KB969897
Windows 2000 Hotfix - KB969947
Windows 2000 Hotfix - KB970238
Windows 2000 Hotfix - KB971486
Windows 2000 Hotfix - KB971557
Windows 2000 Hotfix - KB971961
Windows 2000 Hotfix - KB972260
Windows 2000 Hotfix - KB973346
Windows 2000 Hotfix - KB973354
Windows 2000 Hotfix - KB973507
Windows 2000 Hotfix - KB973525
Windows 2000 Hotfix - KB973869
Windows 2000 Hotfix - KB973904
Windows 2000 Hotfix - KB974318
Windows 2000 Hotfix - KB974392
Windows 2000 Hotfix - KB974455
Windows 2000 Hotfix - KB974571
Windows 2000 Hotfix - KB976325
Windows 2000 Hotfix - KB976749
Windows 2000 Service Pack 4
Windows Driver Package - Western Digital Technologies (WDC_SAM) WDC_SAM (12/05/2006 1.0.0007.0)
Windows Installer 3.0 (KB884016)
Windows Installer 3.1 (KB893803)
Windows Media Player Hotfix [See Q828026 for more information]
Windows Media Player system update (9 Series)
WinZip
World of Warcraft

=======================

This computer has been disconnected from the local network and has no connectivity to the outside world at the moment. It is stand alone. Any help would be appreciated.

Cheers,

Bill
wlwood
Active Member
 
Posts: 8
Joined: December 31st, 2009, 12:32 am
Advertisement
Register to Remove

Re: SmitFraud or worse?

Unread postby wlwood » December 31st, 2009, 8:27 am

Bump...
wlwood
Active Member
 
Posts: 8
Joined: December 31st, 2009, 12:32 am

Re: SmitFraud or worse?

Unread postby Dakeyras » December 31st, 2009, 1:17 pm

Due to Bumping your topic, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 485 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware