HELP w/ Trojan
iSelf
Suspended due to non-functional email address
11. October 2006 @ 16:13
Hello everyone, I've been fighting with this trojan for 2 days..and it won, haha. Can someone please help me out? Attached are my logs from HijackThis and Spyware Doctor:
Spyware doctor=
Scan Results:
scan start: 10/11/2006 4:02:09 PM
scan stop: 10/11/2006 4:16:56 PM
scanned items: 126147
found items: 17
found and ignored: 0
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Hosts Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner
Infection Name Location Risk
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR## High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##Brnd High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##BSTV High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##Data High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##LSTV High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##MSLIST High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##SCLIST High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##SSLIST High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##SSTV High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winjrs32 High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winjrs32## High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winjrs32##Asynchronous High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winjrs32##DllName High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winjrs32##Impersonate High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winjrs32##Shutdown High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winjrs32##Startup High
Hijackthis=
Logfile of HijackThis v1.99.1
Scan saved at 4:48:34 PM, on 10/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LClock\LClock.exe
C:\Program Files\Common Files\AOL\1154077225\ee\AOLSoftware.exe
C:\Program Files\ESET\nod32kui.exe
C:\Program Files\UberIcon\UberIcon Manager.exe
C:\Program Files\YzShadow\YzShadow.exe
C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\RK Launcher\RKLauncher.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\regedit.exe
C:\Program Files\BayGenie\ProEdition\BayGenie.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\ishost.exe
C:\Program Files\Common Files\{DCA5E3CE-06FC-1033-0318-030409020001}\Update.exe
C:\WINDOWS\system32\ismini.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3CA5E3CE-06FC-1033-0318-030409020001}\MyToolBar.dll
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [System Files Updater] C:\WINDOWS\FlyakiteOSX\Tools\System Files Updater.exe /S
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1154077225\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\RunOnce: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /RM /FS /X
O4 - HKCU\..\Run: [Outpost firewall main module] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O4 - HKCU\..\Run: [NOD32 Control Center GUI] C:\Program Files\ESET\nod32kui.exe
O4 - HKCU\..\Run: [Xoftspy] C:\Program Files\XoftSpySE\XoftSpy.exe
O4 - HKCU\..\Run: [UberIcon] "C:\Program Files\UberIcon\UberIcon Manager.exe"
O4 - HKCU\..\Run: [Yz Shadow] C:\Program Files\YzShadow\YzShadow.exe
O4 - HKCU\..\Run: [ProtoWall] C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Startup Manager] C:\Documents and Settings\Obi_JuaN\Application Data\Systweak\ASO 2\smstartUp manager.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: RK Launcher.lnk = ?
O4 - Global Startup: postcon.bat
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O16 - DPF: {804F9BC5-0EAB-4150-8065-0DF485420670} (InstallShield Setup Player V11.5) - http://www.nextelnoob.com/Nunlock/setup.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Outpost firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
Thank you
::Knowledge Is Key::

Senior Member
12. October 2006 @ 13:32
Go here to download the trial version of AVG Anti-spyware.
Install and update.
Do not run a scan yet; you will do that later, in safe mode.
Download SmitfraudFix.zip to the desktop from here
* Extract the files to the desktop.
Note: print or copy these instructions to Notepad and save them. You'll be in safe mode and can't access them.
* Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
* Open the SmitfraudFix folder.
* Double-click smitfraudfix.cmd
* Select 2 and hit Enter to delete infected files.
* You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
* The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
* A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt.
Open AVG AS and click "Scanner".
Click "Complete System Scan".
When it finishes scanning, set all items to "Quarantine".
Click "Apply All Actions".
Click "Save Report".
Click "Save report as" and save it to the desktop.
Restart in normal mode.
Post back with the contents of rapport.txt, the AVG report and a new HijackThis log.

iSelf
Suspended due to non-functional email address
13. October 2006 @ 11:04
Niobis, thanks for the help first and foremost.
I can't get smitfraudfix.cmd to run..it says it can't be found. I got AVG as you said, but I can't continue with your instructions without smitfraudfix.cmd running.
::Knowledge Is Key::

Senior Member
13. October 2006 @ 16:17
Did you unzip it?

iSelf
Suspended due to non-functional email address
13. October 2006 @ 17:04
Yes..extracted to the desktop...when I try to run smitfraudfix.cmd it either says "the file C: etc etc etc smitfraudfix cannot be found..click start and perform a search..." or it opens, but in a viewer as text.
::Knowledge Is Key::

Senior Member
13. October 2006 @ 18:56
Download smitRem from here
* Open smitRem and extract to its own folder.
* Restart in safe mode.
* Open the smitRem folder.
* Double click the RunThis.bat file to start the tool. Follow the prompts on screen and allow disk cleanup to complete.
* The log will go to C:\smitfiles.txt
Note: XP users using the XP theme may experience a change to the Classic Windows theme. This can be changed on the Themes tab of Desktop Properties.
Post back with the contents of smitfiles.txt and a new HijackThis log.

iSelf
Suspended due to non-functional email address
14. October 2006 @ 10:31
I cannot get either to run Niobis, these are the messages I get when trying to run them in safe mode:
This thing is wicked...comp is opening and closing windows, crashing (due to windrvnt.sys) etc, hopefully you have an alternate route other than throwing my HD as far away as I can :)
::Knowledge Is Key::

Senior Member
14. October 2006 @ 11:02
We'll have to delete it manually.
Open HijackThis.
Click "Open the misc tools section".
Click "Open Uninstall Manager".
Click "Save list".
Run a new scan and save a new log.
Post back with the uninstall list and the new log.

iSelf
Suspended due to non-functional email address
14. October 2006 @ 11:58
When I click "Save list", HijackThis just closes...I don't see the list in the HJT folder...
If you have AIM, my screen name is Gwritaz.
::Knowledge Is Key::

Senior Member
14. October 2006 @ 12:10
WTF?
Ok, show all files.
Control Panel > Folder Options > View tab > check "Show hidden files and folders".
Restart in safe mode and delete these files:
C:\WINDOWS\system32\ismini.exe
C:\WINDOWS\system32\ishost.exe
Then follow directions for AVG AS.
Restart in normal mode and post back with the AVG report and a new HijackThis.

iSelf
Suspended due to non-functional email address
14. October 2006 @ 18:13
Did everything you said..it took a bit to get back online, since after the HJT scan it kept crashing because of windrvnt.sys. Well, here's the info:
AVGAS:
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 5:41:59 PM 10/14/2006
+ Scan result:
C:\System Volume Information\_restore{F4B6C150-F916-4238-ADB1-569563146A49}\RP348\A0095655.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4B6C150-F916-4238-ADB1-569563146A49}\RP348\A0095656.dll -> Adware.Softomate : Cleaned with backup (quarantined).
:mozilla.58:C:\Documents and Settings\Obi_JuaN\Application Data\Mozilla\Firefox\Profiles\3gwgj6r4.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.59:C:\Documents and Settings\Obi_JuaN\Application Data\Mozilla\Firefox\Profiles\3gwgj6r4.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.60:C:\Documents and Settings\Obi_JuaN\Application Data\Mozilla\Firefox\Profiles\3gwgj6r4.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.64:C:\Documents and Settings\Obi_JuaN\Application Data\Mozilla\Firefox\Profiles\3gwgj6r4.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Obi_JuaN\Cookies\obi_juan@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Obi_JuaN\Cookies\obi_juan@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Obi_JuaN\Cookies\obi_juan@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.15:C:\Documents and Settings\Obi_JuaN\Application Data\Mozilla\Firefox\Profiles\3gwgj6r4.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Obi_JuaN\Cookies\obi_juan@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Obi_JuaN\Cookies\obi_juan@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
::Report end
HJT:
Logfile of HijackThis v1.99.1
Scan saved at 6:15:04 PM, on 10/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\Common Files\AOL\1154077225\ee\AOLSoftware.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Agnitum\Outpost Firewall\feedback.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\ESET\nod32kui.exe
C:\Program Files\UberIcon\UberIcon Manager.exe
C:\Program Files\YzShadow\YzShadow.exe
C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\RK Launcher\RKLauncher.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [System Files Updater] C:\WINDOWS\FlyakiteOSX\Tools\System Files Updater.exe /S
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1154077225\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [Outpost firewall main module] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O4 - HKCU\..\Run: [NOD32 Control Center GUI] C:\Program Files\ESET\nod32kui.exe
O4 - HKCU\..\Run: [Xoftspy] C:\Program Files\XoftSpySE\XoftSpy.exe
O4 - HKCU\..\Run: [UberIcon] "C:\Program Files\UberIcon\UberIcon Manager.exe"
O4 - HKCU\..\Run: [Yz Shadow] C:\Program Files\YzShadow\YzShadow.exe
O4 - HKCU\..\Run: [ProtoWall] C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: RK Launcher.lnk = ?
O4 - Global Startup: postcon.bat
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Outpost firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O16 - DPF: {804F9BC5-0EAB-4150-8065-0DF485420670} (InstallShield Setup Player V11.5) - http://www.nextelnoob.com/Nunlock/setup.exe
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Outpost firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
::Knowledge Is Key::

Senior Member
14. October 2006 @ 18:50
Copy all of the following text into Notepad.
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"ishost.exe"=-
Name the file as fix.reg
Change the "Save as Type" to All Files.
Save it to the desktop.
Open fix.reg and click Yes when prompted.
Run a scan only with HijackThis, check these:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
Click "Fix checked".
Go here and download ATF Cleaner.
Open ATF Cleaner.
Check "Select All".
Click "Empty Selected".
Turn off System Restore.
Right click My Computer > Properties > System Restore tab > check "Turn off System Restore".
Restart and turn System Restore back on.
How are things?
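The triage Niobis did by eye in this thread (unfamiliar executables sitting in system32, a folder named by a bare GUID under Common Files, a startup shortcut whose target HijackThis could not resolve, an ActiveX download from a site nobody recognises) and the fix.reg syntax above that deletes a single Run value can both be scripted. The following Python is an added example and is not code from the thread or from HijackThis; the sample log lines are copied from the log posted above, while the system32 baseline, the trusted-host list and the rule names are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis 1.99.1 log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\ishost.exe
C:\Program Files\Common Files\{DCA5E3CE-06FC-1033-0318-030409020001}\Update.exe
C:\WINDOWS\system32\ismini.exe
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3CA5E3CE-06FC-1033-0318-030409020001}\MyToolBar.dll
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - Startup: RK Launcher.lnk = ?
O16 - DPF: {804F9BC5-0EAB-4150-8065-0DF485420670} (InstallShield Setup Player V11.5) - http://www.nextelnoob.com/Nunlock/setup.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Assumption: binaries normally running from %SystemRoot%\system32 on a stock XP SP2 box
# (plus the ATI helper seen in the log). Anything else under system32 gets a second look.
SYSTEM32_BASELINE = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "alg.exe", "mspmspsv.exe", "ati2evxx.exe",
}
# Assumption: hosts from which an O16 ActiveX download is acceptable.
TRUSTED_DPF_HOSTS = {"www.microsoft.com", "update.microsoft.com", "ax.emsisoft.com"}

HJT_ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")                        # R0, O4, O16, O23, ...
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\([^\\]+)$", re.IGNORECASE)
GUID_DIR_RE = re.compile(r"\\common files\\\{[0-9a-f-]{36}\}\\", re.IGNORECASE)
O16_URL_RE = re.compile(r"^O16 - DPF: .* - (https?://\S+)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (.+?) = (.*)$")


def triage(log_text):
    """Return a list of (rule, line) pairs for log lines that match a suspicious pattern."""
    findings = []
    in_process_list = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_process_list = True
            continue
        if HJT_ENTRY_RE.match(line):
            in_process_list = False          # first R/O/F/N entry ends the process list

        if in_process_list:
            m = SYSTEM32_RE.match(line)
            if m and m.group(1).lower() not in SYSTEM32_BASELINE:
                findings.append(("unexpected binary in system32", line))

        # A folder named by a bare GUID under Common Files is where the ToolBar888 DLL
        # and the Update.exe process in the posted log live.
        if GUID_DIR_RE.search(line):
            findings.append(("GUID-named folder under Common Files", line))

        m = O16_URL_RE.match(line)
        if m and (urlparse(m.group(1)).hostname or "").lower() not in TRUSTED_DPF_HOSTS:
            findings.append(("ActiveX download from untrusted host", line))

        m = O4_STARTUP_RE.match(line)
        if m and m.group(2).strip() == "?":
            findings.append(("startup shortcut with unresolved target", line))
    return findings


def reg_delete_value(key, value_name):
    """Build the REGEDIT4 text that removes one value, as the fix.reg above does.

    In .reg syntax "name"=- deletes that value only; a leading "-" on the [key] line
    would delete the whole key, which is deliberately not done here.
    """
    return 'REGEDIT4\n\n[{}]\n"{}"=-\n'.format(key, value_name)


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print("[{}] {}".format(rule, line))
    print(reg_delete_value(
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
        "ishost.exe"))
```

Run against the sample it flags ishost.exe and ismini.exe, both GUID-named Common Files paths, the RK Launcher shortcut and the nextelnoob.com download, which is the same set the thread ended up removing by hand. The baseline is the weak point of any rule like this: a name that is not in it is only "unfamiliar", not proven malicious, so each hit still needs a look at the file's signature, size and timestamps before it is deleted.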

iSelf
Suspended due to non-functional email address
14. October 2006 @ 19:48
Everything seems good so far..Thanks Niobis, I truly appreciate your help
::Knowledge Is Key::

Senior Member
14. October 2006 @ 19:59
Glad to hear and you're welcome!
Good luck. :)
Edit: I'm curious if you can run Option 1 with SmitfraudFix or smitRem...?

iSelf
Suspended due to non-functional email address
16. October 2006 @ 07:50
Neither opens up still...I don't understand why.
::Knowledge Is Key::

Senior Member
16. October 2006 @ 11:34
That's odd, but it may be because you're using WinNT. I've read it has happened to others. Oh well, it's gone anyway; I was just curious if the malware was stopping it.

iSelf
Suspended due to non-functional email address
17. October 2006 @ 19:23
Hey Niobis, thanks again....btw, apparently the malware wasn't what stopped the "smit" programs from running, maybe it is WinNT. I'm just glad it's all gone :)
::Knowledge Is Key::

iSelf
Suspended due to non-functional email address
21. October 2006 @ 21:06
I don't mean to double post...
Niobis: ever since that Trojan I'm not recognized as having administrator privileges..yet I'm the ONLY account on this PC...any ideas?
::Knowledge Is Key::

Senior Member
21. October 2006 @ 21:15
lol, I just noticed you are in fact running WinXP. I was seeing this in the log (WinNT 5.01.2600). My eyes must have crossed that day. :D
Anyway, on to the problem. What prompts say you don't have the privileges? Is your account set to Computer Administrator? Something may have changed it and it needs changing back.