May 11th, 2005 18:00

trojan-spy.html.smitfraud.c hijackthis log - please help

Logfile of HijackThis v1.99.1
Scan saved at 3:27:17 PM, on 5/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\hpdll\tempdl\RAS012505.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\System32\Vcgmjm.exe
C:\windows\tjvhwgm.exe
C:\wp.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\system32\system.mcm
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\abrownlee\Desktop\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://officeupdate.microsoft.com/office/redirect/10/MSOfficeOnTheWeb.asp?DPC={91120409-6000-11D3-8CFE-0050048383C9}&DCC={5572D282-F5E5-11D3-A8E8-0060083FD8D3}&AppName=Microsoft%20Excel&CLCID=1033
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: (no name) - {46CC610E-5923-2C5A-BAC6-159449FB7606} - (no file)
O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Visual Element Fx] C:\Program Files\hpdll\tempdl\RAS012505.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Music Communication Module] system.mcm
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Vcgmjm.exe
O4 - HKLM\..\Run: [bnnjmf] C:\WINDOWS\System32\bnnjmf.exe
O4 - HKLM\..\Run: [Agent Browser] C:\WINDOWS\System32\c_86pwsx.exe
O4 - HKLM\..\Run: [FlnCPY] "C:\Program Files\Common Files\Java\flncpy.exe"
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [wydcddp] c:\windows\tjvhwgm.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [brufwqh] c:\windows\rsbctbk.exe
O4 - HKCU\..\Run: [iyhuixd] c:\windows\rsbctbk.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Music Communication Module.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Microsoft AntiSpyware helper - {12B565A9-9B90-4BC3-929D-7704F3192C35} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {12B565A9-9B90-4BC3-929D-7704F3192C35} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {12B565A9-9B90-4BC3-929D-7704F3192C35} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {12B565A9-9B90-4BC3-929D-7704F3192C35} - C:\WINDOWS\System32\wldr.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {075568FF-975C-7155-ABBE-7AC4106B5908} - http://69.50.182.94/1/rdgUS1882.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Domain1.IISI
O17 - HKLM\Software\..\Telephony: DomainName = Domain1.IISI
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Domain1.IISI
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Domain1.IISI
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: WebControl Browser - {94F66970-0E4F-4178-BCD6-DFF70542E61A} - C:\WINDOWS\System32\igfxauth.dll
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
 

May 12th, 2005 00:00

I was searching for that "trojan - spy ...." and didn't get any results for it .. Maybe the "Pros" are working on it, but I did see a few things on your log ...
The following entries you would have to remove:
HEY, REMOVE THESE ENTRIES IN SAFE MODE :)
C:\wp.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm

R3 - Default URLSearchHook is missing

O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll


The following entries are unnecessary:

O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)

O2 - BHO: (no name) - {46CC610E-5923-2C5A-BAC6-159449FB7606} - (no file)

Good Luck!

May 12th, 2005 02:00

*NOT* taking ownership of this thread
 
Ramos:
 
I noticed you offering some "partial advice" postings in this forum.
 
specifically, on this log, be advised that using HJT to remove O10 entries is potentially dangerous:  Winsock Hijackers, also known as LSPs (Layered Service Providers), are "chained" or "stacked" together...  if an entry is removed from the middle of the chain, that chain becomes "broken", which can result in loss of internet access.   In some special cases, SpyBot Search & Destroy can properly resolve O10 problems... but in general, another approach, called LSPfix, is necessary.   Therefore, it is best to leave this matter for one of the forum experts to make the decision.  (to BCShellfish:  I am NOT advising you which of these approaches to follow --- there may even be other procedures... but  I do strongly advise you to wait for one of the forum experts before you attempt to fix these things)
 
On another general matter: because it's been so busy in this forum, many of the experts are now specifically looking for the counter showing zer0 replies, to decide which threads they need to consider. While your comments may be well intended, please be advised that by replying to a thread with only partial ideas, the experts may then overlook these threads, so the person seeking help may not get it.

 

Message Edited by ky331 on 05-12-2005 01:11 PM

May 12th, 2005 20:00

Hey,

I will look at your Hijackthis log tomorrow (it's late here) and get back to you as soon as possible.

Nice one, Ky331, about the O10; very important, that is.

Bertha2

May 13th, 2005 16:00

sorry bertha

Message Edited by zbestwun2001 on 05-13-2005 12:16 PM

May 13th, 2005 16:00

bc..,
 
Hello! and welcome to the DELL forums.
 
Sorry for the wait, I have been really busy, not just with HJT but also college.

                    
Download LSPFix and unzip to your desktop, then run it. Now, we need to:

 1.  check(tick) " I know what I'm doing".
 2.  click on (highlight) each occurrence of the following, one at a time:

       flsmngr.dll

 3.  then click " >>", moving each one, individually, to the 'Remove' pane.
 4.  (double-check, and make sure that only the above files are in the 'Remove' pane.)
 5.  click " Finish >>".


Go to www.trendmicro.com, and then:
 
1.  Click " Free Online Scan".
2.  Click " Scan now, it's free".
 
It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's done:
 
1.  Select all available drives.
2.  Check(tick) " Auto Clean".
3.  Click " Scan".
 
When it completes, post back the full filename of any files that cannot be cleaned or deleted.


Download the Backdoor Agent cleanup utility from Symantec and follow the instructions on their page.

Go to Add/Remove programs and remove(uninstall) the following, if present:
 
    Web Related
 
The above could appear anywhere within the entry. Be careful not to remove any personal or system software.


Run HiJackThis then:
1.  Click " Config..."
2.  Click " Misc Tools"
3.  Click " Open Process manager"
Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

    C:\WINDOWS\System32\Vcgmjm.exe
    C:\windows\tjvhwgm.exe
    C:\wp.exe

Now double-check and make sure that only those item(s) above are highlighted, then click " Kill process". Now, click " Refresh", check again, and repeat this step if any remain.


Run HiJackThis and click " Scan", then check(tick) the following, if present:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
 
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: (no name) - {46CC610E-5923-2C5A-BAC6-159449FB7606} - (no file)
 
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Vcgmjm.exe
O4 - HKLM\..\Run: [bnnjmf] C:\WINDOWS\System32\bnnjmf.exe
O4 - HKLM\..\Run: [Agent Browser] C:\WINDOWS\System32\c_86pwsx.exe
O4 - HKLM\..\Run: [FlnCPY] "C:\Program Files\Common Files\Java\flncpy.exe"
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [wydcddp] c:\windows\tjvhwgm.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [brufwqh] c:\windows\rsbctbk.exe
O4 - HKCU\..\Run: [iyhuixd] c:\windows\rsbctbk.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
 
O15 - Trusted Zone: http://www.neededware.com
 
O16 - DPF: {075568FF-975C-7155-ABBE-7AC4106B5908} - http://69.50.182.94/1/rdgUS1882.exe
 
O21 - SSODL: WebControl Browser - {94F66970-0E4F-4178-BCD6-DFF70542E61A} - C:\WINDOWS\System32\igfxauth.dll

Now, with all windows closed except HiJackThis, click " Fix checked".


Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders: see here - http://www.xtra.co.nz/help/0,,4155-1916458,00.html
 
files...
 
    C:\WINDOWS\System32\Vcgmjm.exe
    C:\windows\tjvhwgm.exe
    C:\wp.exe
    C:\WINDOWS\System32\bnnjmf.exe
    C:\WINDOWS\System32\c_86pwsx.exe
    C:\WINDOWS\System32\spoolsrv32.exe
    c:\windows\rsbctbk.exe
    c:\windows\system32\flsmngr.dll
    C:\WINDOWS\System32\igfxauth.dll

Note that some of these file(s) may or may not be present. If present, and they cannot be deleted because they're 'in use', try deleting them from "Safe Mode"; see here - http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
 
Now go here and download/Run:
 
Smitfraud registry fix
 
Run Cleanup to empty all your Temporary Internet Folders, as Hijackthis and other programs leave a lot of junk behind.



Post back a new log, and let me know how everything goes.
-
Bertha2
 

Message Edited by Bertha2 on 05-13-2005 12:23 PM

May 13th, 2005 16:00

msg removed

Message Edited by ky331 on 05-13-2005 08:30 PM

May 13th, 2005 16:00

oooops

May 13th, 2005 17:00

Hey,

Steve, please edit/remove your post here.

Please don't get confused by Steve's mistake here. ONLY FOLLOW THE FIX I ADVISED.

Bertha2

May 16th, 2005 10:00

All set!! Thanks!!

 
