Hello everyone, I've been fighting w/ this trojan for 2 days..and it won, haha. Can someone please help me out? Attached are my logs of HijackThis and Spyware Doctor. Thank you
Go here to download the trial version of AVG Anti-spyware. Install and update. Do not run a scan, will later in safe mode.

Download SmitfraudFix.zip to the desktop from here
* Extract the files to the desktop.

Note: print or copy these instructions to Notepad and save them. You'll be in safe mode and can't access them.
* Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
* Open the SmitfraudFix folder.
* Double-click smitfraudfix.cmd
* Select 2 and hit Enter to delete infected files.
* You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
* The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
* A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt.

Open AVG AS and click "Scanner". Click "Complete System Scan". When it finishes scanning, set all items to "Quarantine". Click "Apply All Actions". Click "Save Report". Click "Save report as" and save it to the desktop.

Restart in normal mode. Post back with the contents of rapport.txt, the AVG report and a new HijackThis log.
Niobis, thanks for help first and foremost. I can't get smitfraudfix.cmd to run..it says it can't be found. I got AVG as you said but I can't continue with your instructions w/o smitfraudfix.cmd running
Yes..extracted to the desktop...when I try to run smitfraudfix.cmd it either says "the file C: etc etc etc smitfraudfix cannot be found..click start and perform a search..." or it'll open but in viewer as text
Download smitRem from here
* Open smitRem and extract to its own folder.
* Restart in safe mode.
* Open the smitRem folder.
* Double click the RunThis.bat file to start the tool. Follow the prompts on screen and allow disk cleanup to complete.
* The log will go to C:\smitfiles.txt

Note: XP users using the XP theme may experience a change to the Classic Windows theme. This can be changed on the themes tab of desktop properties.

Post back with the contents of smitfiles.txt and a new HijackThis log.
I cannot get either to run Niobis, these are the messages I get when trying to run them in safe mode: This thing is wicked...comp is opening and closing windows, crashing (due to windrvnt.sys) etc, hopefully you have an alternate route other than throwing my HD as far away as I can
We'll have to delete it manually. Open HijackThis. Click "Open the misc tools section". Click "Open Uninstall Manager". Click "Save list". Run a new scan and save a new log. Post back with the uninstall list and the new log.
When I click "save list" HijackThis just closes...I don't see the list in the HJT folder... if you have AIM..my s/n is Gwritaz
WTF? Ok, show all files. Control Panel > Folder Options > View tab > check "Show hidden files and folders". Restart in safe mode and delete these files: C:\WINDOWS\system32\[bold]ismini.exe[/bold] C:\WINDOWS\system32\[bold]ishost.exe[/bold] Then follow directions for AVG AS. Restart in normal mode and post back with the AVG report and a new HijackThis.
Did everything you said..took a bit to get back online since after the HJT scan it kept crashing because of windrvnt.sys, well, here's the info:
Copy all of the following [bold]bold[/bold] text into Notepad.

[bold]REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"ishost.exe"=-[/bold]

Name the file as [bold]fix.reg[/bold]. Change the "Save as Type" to [bold]All Files[/bold]. Save it to the desktop. Open fix.reg and click Yes when prompted.

Run a scan only with HijackThis, check these:

[bold]R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =[/bold]

Click "Fix checked".

Go here and download [bold]ATF Cleaner[/bold]. Open ATF Cleaner. Check "Select All". Click "Empty Selected".

Turn off System Restore. Right click My Computer > Properties > System Restore tab > check "Turn off System Restore". Restart and turn System Restore back on.

How are things?
Glad to hear and you're welcome! Good luck. Edit: I'm curious if you can run Option 1 with SmitfraudFix or smitRem...?
That's odd, but may be because you're using WinNT. I've read it has happened to others. Oh well, it's gone anyway, I was just curious if the malware was stopping it.
Hey Niobis, thanks again....btw, apparently the malware wasn't the cause of the "smit" programs from running, maybe it is WinNT. I'm just glad it's all gone
I don't mean to double post... Niobis: Ever since that Trojan I'm not recognized as having administrator privileges..yet I'm the ONLY account on this PC...any ideas ?
lol, just noticed you are in fact running WinXP. I was seeing this in the log ([bold]WinNT[/bold] 5.01.2600). My eyes must have crossed that day. Anyway, on to the problem. What prompts you don't have the privileges? Is your account set to Computer Administrator? Something may have changed it and needs changing back.