WARNING: Your computer is infected



Cold_Viking
2007-04-12, 02:54
I now have a piece of malware that creates an icon in the right hand side of my task bar. When moused over, it reads, "WARNING: Your computer is infected"
Win

If it is clicked on, it reads, "WARNING: Your computer is infected -- Windows has detected spyware infection! Click this message to install the last update of Windows security software.."

Also, the bubble with this text pops up QUITE frequently, and if there's a way to stop that BEFORE removing the malware, I would like to know that first, because it is highly annoying.

HijackThis log follows.

THANK YOU!

Logfile of HijackThis v1.99.1
Scan saved at 7:51:22 PM, on 4/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\MSI\Live Update 3\LMonitor.exe
D:\WINDOWS\Mixer.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\WinMsg\SCLICK.EXE
D:\Program Files\WinMsg\SYSMONMS.EXE
D:\Program Files\WinMsg\UINST.EXE
D:\Program Files\AIM6\aim6.exe
D:\Program Files\ATI Multimedia\main\ATIDtct.EXE
D:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\AIM6\aolsoftware.exe
D:\WINDOWS\system32\wuauclt.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe
D:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
D:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://theonlybookmark.com/in.cgi?2
O2 - BHO: StrangeBho Class - {0B9B7B2E-30E3-4C5D-AD2C-C38724979B4B} - D:\PROGRA~1\WinMsg\notepad.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [NVMixerTray] "D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LiveMonitor] D:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WorksFUD] D:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] D:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sclick] D:\Program Files\WinMsg\SCLICK.EXE
O4 - HKLM\..\Run: [bal] D:\Program Files\WinMsg\SYSMONMS.EXE
O4 - HKLM\..\Run: [StUnInst] D:\Program Files\WinMsg\UINST.EXE
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [BitTorrent] "D:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Aim6] "D:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ATI DeviceDetect] D:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - D:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{27C1623A-70F3-4EAA-A6FC-406B2FBC609B}: NameServer = 85.255.113.115,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{51B78FC6-EEED-447B-82F7-FDDCA8CD2B23}: NameServer = 85.255.113.115,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2D4356C-FA88-4FD7-8015-F83AC30F7ED7}: NameServer = 85.255.113.115,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.12
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe

pskelley
2007-04-12, 16:50
Welcome to the forum. You know, the only thing I can say for sure is that it appears you missed the directions:
"BEFORE you POST" Mandatory Steps Before Requesting Assistance http://forums.spybot.info/showthread.php?t=288
Please read and follow those directions. You can wait on the online scan, I can see probable Smitfraud and also Wareout, so we have our work cut out for us. Expect it to be hard and to take a while, this would be one other option:
When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

If you wish to proceed, then do so by following these instructions carefully.

1) http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from that link and follow ONLY these directions:
Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

2) Thanks to LonnyBJones and anyone else who helped with this fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your Desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.

Post the C:\rapport.txt from Smitfraudfix, the report.txt from Fixwareout and a new HJT log.

Thanks

Cold_Viking
2007-04-12, 19:26
Very sorry I didn't follow procedure, and thank you for taking the time to help me out. I thought I read the right "READ ME FIRST" but I guess not.

Anyway, here is the correct information you need.

SmitfraudFix - Rapport.txt

SmitFraudFix v2.166

Scan done at 12:00:00.78, Thu 04/12/2007
Run from C:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\MSI\Live Update 3\LMonitor.exe
D:\WINDOWS\Mixer.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\WinMsg\SCLICK.EXE
D:\Program Files\WinMsg\SYSMONMS.EXE
D:\Program Files\WinMsg\UINST.EXE
D:\Program Files\ATI Multimedia\main\ATIDtct.EXE
D:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Ventrilo\Ventrilo.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» D:\


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» D:\Documents and Settings\Ben


»»»»»»»»»»»»»»»»»»»»»»»» D:\Documents and Settings\Ben\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» D:\DOCUME~1\Ben\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» D:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 85.255.113.115
DNS Server Search Order: 85.255.112.12

HKLM\SYSTEM\CCS\Services\Tcpip\..\{27C1623A-70F3-4EAA-A6FC-406B2FBC609B}: DhcpNameServer=85.255.113.115,85.255.112.12
HKLM\SYSTEM\CCS\Services\Tcpip\..\{27C1623A-70F3-4EAA-A6FC-406B2FBC609B}: NameServer=85.255.113.115,85.255.112.12
HKLM\SYSTEM\CCS\Services\Tcpip\..\{51B78FC6-EEED-447B-82F7-FDDCA8CD2B23}: DhcpNameServer=85.255.113.115,85.255.112.12
HKLM\SYSTEM\CCS\Services\Tcpip\..\{51B78FC6-EEED-447B-82F7-FDDCA8CD2B23}: NameServer=85.255.113.115,85.255.112.12
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D2D4356C-FA88-4FD7-8015-F83AC30F7ED7}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D2D4356C-FA88-4FD7-8015-F83AC30F7ED7}: NameServer=85.255.113.115,85.255.112.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{27C1623A-70F3-4EAA-A6FC-406B2FBC609B}: DhcpNameServer=85.255.113.115,85.255.112.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{27C1623A-70F3-4EAA-A6FC-406B2FBC609B}: NameServer=85.255.113.115,85.255.112.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{51B78FC6-EEED-447B-82F7-FDDCA8CD2B23}: DhcpNameServer=85.255.113.115,85.255.112.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{51B78FC6-EEED-447B-82F7-FDDCA8CD2B23}: NameServer=85.255.113.115,85.255.112.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D2D4356C-FA88-4FD7-8015-F83AC30F7ED7}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D2D4356C-FA88-4FD7-8015-F83AC30F7ED7}: NameServer=85.255.113.115,85.255.112.12
HKLM\SYSTEM\CS2\Services\Tcpip\..\{27C1623A-70F3-4EAA-A6FC-406B2FBC609B}: DhcpNameServer=85.255.113.115,85.255.112.12
HKLM\SYSTEM\CS2\Services\Tcpip\..\{27C1623A-70F3-4EAA-A6FC-406B2FBC609B}: NameServer=85.255.113.115,85.255.112.12
HKLM\SYSTEM\CS2\Services\Tcpip\..\{51B78FC6-EEED-447B-82F7-FDDCA8CD2B23}: DhcpNameServer=85.255.113.115,85.255.112.12
HKLM\SYSTEM\CS2\Services\Tcpip\..\{51B78FC6-EEED-447B-82F7-FDDCA8CD2B23}: NameServer=85.255.113.115,85.255.112.12
HKLM\SYSTEM\CS2\Services\Tcpip\..\{D2D4356C-FA88-4FD7-8015-F83AC30F7ED7}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{D2D4356C-FA88-4FD7-8015-F83AC30F7ED7}: NameServer=85.255.113.115,85.255.112.12
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.113.115 85.255.112.12
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.113.115 85.255.112.12
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.113.115 85.255.112.12


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

report.txt - Fixwareout


Fixwareout Last edited 4/5/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other
D:\WINDOWS\Temp\kdibi.ren 65892 08/04/2004



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="\"D:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"ATICCC"="\"D:\\Program Files\\ATI Technologies\\ATI.ACE\\CLIStart.exe\""
"WinampAgent"="D:\\Program Files\\Winamp\\winampa.exe"
"SoundMan"="SOUNDMAN.EXE"
"LiveMonitor"="D:\\Program Files\\MSI\\Live Update 3\\LMonitor.exe"
"C-Media Mixer"="Mixer.exe /startup"
"WorksFUD"="D:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="D:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="D:\\Program Files\\Microsoft Works\\WkDetect.exe"
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="\"D:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"iTunesHelper"="\"D:\\Program Files\\iTunes\\iTunesHelper.exe\""
"sclick"="D:\\Program Files\\WinMsg\\SCLICK.EXE"
"bal"="D:\\Program Files\\WinMsg\\SYSMONMS.EXE"
"StUnInst"="D:\\Program Files\\WinMsg\\UINST.EXE"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="\"D:\\Program Files\\Ares\\Ares.exe\" -h"
"BitTorrent"="\"D:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"Aim6"="\"D:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"
@=""
"ATI Launchpad"=""
"ATI DeviceDetect"="D:\\Program Files\\ATI Multimedia\\main\\ATIDtct.EXE"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


Hijackthis logfile

Logfile of HijackThis v1.99.1
Scan saved at 12:26:20 PM, on 4/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Winamp\winampa.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\MSI\Live Update 3\LMonitor.exe
D:\WINDOWS\Mixer.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
D:\Program Files\WinMsg\SCLICK.EXE
D:\Program Files\WinMsg\SYSMONMS.EXE
D:\Program Files\WinMsg\UINST.EXE
D:\Program Files\ATI Multimedia\main\ATIDtct.EXE
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://theonlybookmark.com/in.cgi?2
O2 - BHO: StrangeBho Class - {0B9B7B2E-30E3-4C5D-AD2C-C38724979B4B} - D:\PROGRA~1\WinMsg\notepad.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [NVMixerTray] "D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LiveMonitor] D:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WorksFUD] D:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] D:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sclick] D:\Program Files\WinMsg\SCLICK.EXE
O4 - HKLM\..\Run: [bal] D:\Program Files\WinMsg\SYSMONMS.EXE
O4 - HKLM\..\Run: [StUnInst] D:\Program Files\WinMsg\UINST.EXE
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [BitTorrent] "D:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Aim6] "D:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ATI DeviceDetect] D:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - D:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{27C1623A-70F3-4EAA-A6FC-406B2FBC609B}: NameServer = 85.255.113.115,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{51B78FC6-EEED-447B-82F7-FDDCA8CD2B23}: NameServer = 85.255.113.115,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2D4356C-FA88-4FD7-8015-F83AC30F7ED7}: NameServer = 85.255.113.115,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.12
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
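
The O17 entries and the SmitfraudFix DNS section above show the pattern a triage script should catch: a static NameServer pointing at 85.255.x.x on every interface while DhcpNameServer still names the router (192.168.1.1), plus O2/O4 autoruns all loading from one unfamiliar folder. The following Python is an added example, not code from this thread or from HijackThis/SmitfraudFix; it parses lines in both tools' formats and flags those two conditions. The trusted-network list (RFC 1918 plus loopback), the WinMsg folder as the suspicious directory, and the sample lines (copied from the logs above and trimmed) are assumptions chosen to match this case.

```python
"""Triage HijackThis O2/O4/O17 lines and SmitfraudFix DNS lines (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log and SmitfraudFix
# rapport.txt above, trimmed to the entries this check cares about.
SAMPLE_LINES = r"""
O2 - BHO: StrangeBho Class - {0B9B7B2E-30E3-4C5D-AD2C-C38724979B4B} - D:\PROGRA~1\WinMsg\notepad.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [sclick] D:\Program Files\WinMsg\SCLICK.EXE
O4 - HKLM\..\Run: [bal] D:\Program Files\WinMsg\SYSMONMS.EXE
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2D4356C-FA88-4FD7-8015-F83AC30F7ED7}: NameServer = 85.255.113.115,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.12
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D2D4356C-FA88-4FD7-8015-F83AC30F7ED7}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
""".strip().splitlines()

# Assumption: resolvers inside these ranges (the LAN router, a local stub) are
# expected; anything else configured statically deserves a look.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumption: the folder that the unknown autoruns in this log share.
SUSPICIOUS_DIRS = ["\\WinMsg\\"]

# Matches both "O17 - <key>: NameServer = a,b" (HijackThis) and
# "<key>: DhcpNameServer=a" (SmitfraudFix). Only one colon appears per line.
DNS_RE = re.compile(
    r"^(?:O17 - )?(?P<key>[^:]+):\s*(?P<kind>Dhcp)?NameServer\s*=\s*(?P<servers>[\d.,\s]+)$")

# Pulls the first drive-letter path ending in .exe/.dll out of an O2 or O4 line.
AUTORUN_RE = re.compile(
    r'^O(?P<section>2|4) - .*?(?P<path>[A-Za-z]:\\[^"]+?\.(?:exe|dll))', re.I)


def parse_dns(lines):
    """Return {registry key: {"NameServer": [...], "DhcpNameServer": [...]}}.
    Keys are upper-cased so HijackThis and SmitfraudFix spellings merge."""
    table = defaultdict(dict)
    for line in lines:
        m = DNS_RE.match(line.strip())
        if not m:
            continue
        servers = [ipaddress.ip_address(s)
                   for s in re.split(r"[,\s]+", m["servers"].strip()) if s]
        kind = ("Dhcp" if m["kind"] else "") + "NameServer"
        table[m["key"].upper()][kind] = servers
    return table


def dns_findings(lines, trusted=TRUSTED_NETWORKS):
    """List (key, ip, reason) for statically configured resolvers that are
    outside the trusted ranges or that override what DHCP handed out."""
    findings = []
    for key, entry in parse_dns(lines).items():
        dhcp = entry.get("DhcpNameServer")
        for ip in entry.get("NameServer", []):
            reasons = []
            if not any(ip in net for net in trusted):
                reasons.append("resolver outside trusted networks")
            if dhcp is not None and ip not in dhcp:
                reasons.append("static override of DHCP resolver "
                               + ", ".join(str(d) for d in dhcp))
            if reasons:
                findings.append((key, str(ip), "; ".join(reasons)))
    return findings


def autorun_findings(lines, suspicious_dirs=SUSPICIOUS_DIRS):
    """List (section, path) for O2/O4 entries loading from a suspicious folder."""
    found = []
    for line in lines:
        m = AUTORUN_RE.match(line.strip())
        if m and any(d.lower() in m["path"].lower() for d in suspicious_dirs):
            found.append((f"O{m['section']}", m["path"]))
    return found


if __name__ == "__main__":
    for key, ip, why in dns_findings(SAMPLE_LINES):
        print(f"DNS {ip:<16} {why}  [{key}]")
    for section, path in autorun_findings(SAMPLE_LINES):
        print(f"{section:<3} {path}")
```

On this log every interface GUID and the global Parameters key report the two 85.255 addresses twice over: they are outside the trusted ranges, and they override the 192.168.1.1 resolver that DHCP supplied. The comparison against DhcpNameServer is the more durable signal, since it does not depend on knowing the hijacker's address range in advance.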

pskelley
2007-04-12, 20:13
Thanks for returning your information, I need your help here, some of this stuff is scanning as Smitfraud, see this:
O4 - HKLM\..\Run: D:\Program Files\WinMsg\SYSMONMS.EXE
http://www.castlecops.com/s14232-bal.html

and this: O2 - BHO: StrangeBho Class - {0B9B7B2E-30E3-4C5D-AD2C-C38724979B4B} - D:\PROGRA~1\WinMsg\notepad.dll
http://www.castlecops.com/CLSID.html
StrangeBho Class {0B9B7B2E-30E3-4C5D-AD2C-C38724979B4B} X BHO notepad.dll Parasite, detected by AntiVir antivirus as TR/FakeAlert.DO.1 - a member of the SmitFraud malware family

It is rare for CastleCops to make an error, but when I scan this: WinMsg <<< I get this link: http://www.novell.com/coolsolutions/tools/14471.html
If you know anything about this stuff then please do not follow these directions; if you have no idea why it is on your computer, then do this:

How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://theonlybookmark.com/in.cgi?2
O2 - BHO: StrangeBho Class - {0B9B7B2E-30E3-4C5D-AD2C-C38724979B4B} - D:\PROGRA~1\WinMsg\notepad.dll
O4 - HKLM\..\Run: [sclick] D:\Program Files\WinMsg\SCLICK.EXE
O4 - HKLM\..\Run: D:\Program Files\WinMsg\SYSMONMS.EXE
O4 - HKLM\..\Run: [StUnInst] D:\Program Files\WinMsg\UINST.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{27C1623A-70F3-4EAA-A6FC-406B2FBC609B}: NameServer = 85.255.113.115,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{51B78FC6-EEED-447B-82F7-FDDCA8CD2B23}: NameServer = 85.255.113.115,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2D4356C-FA88-4FD7-8015-F83AC30F7ED7}: NameServer = 85.255.113.115,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.12

Close all programs but HJT and all browser windows, then click on "Fix Checked"

RIGHT Click on Start then click on Explore. Locate and delete these items:

D:\Program Files\WinMsg\ <<< delete that folder

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post a new HJT log, let me know how the computer is running.

Thanks

Cold_Viking
2007-04-14, 00:22
Just to let you know I work weekends, so I'm a little away from the home PC these days. I received your help and I'm going to act on it in the next day or so - thank you, I won't disappear before this is resolved.

Thanks again. I'll repost ASAP.

Cold_Viking
2007-04-15, 19:21
It is rare for CastleCops to make an error, but when I scan this: WinMsg <<< I get this link: http://www.novell.com/coolsolutions/tools/14471.html
If you know anything about this stuff then please do not follow these directions, if you have no idea why it is on your computer, then do this:

Restart the computer and post a new HJT log, let me know how the computer is running.

Thanks

Honestly I have no idea why that stuff was on the PC. I therefore followed all instructions, and the computer is running like it did before the infection. New HJT to follow.

I think you zapped it, but I don't want to jinx it. Take a look if you would please.

Logfile of HijackThis v1.99.1
Scan saved at 12:18:58 PM, on 4/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Winamp\winampa.exe
D:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\MSI\Live Update 3\LMonitor.exe
D:\WINDOWS\Mixer.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\ATI Multimedia\main\ATIDtct.EXE
D:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [NVMixerTray] "D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LiveMonitor] D:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WorksFUD] D:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] D:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [BitTorrent] "D:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Aim6] "D:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ATI DeviceDetect] D:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - D:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe

pskelley
2007-04-15, 19:38
Thanks for returning your information, your HJT log looks good, just a little information for you and I will turn you loose.

1) Your Java program needs to be updated, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

2) You are running at least one p2p program and, while the programs themselves are not, many of the files are illegal or dangerous, you may want to view some of this information:
http://www.google.com/search?hl=en&q=p2p+file+sharing+dangers&btnG=Google+Search

3) Please remove the programs we downloaded for this fix, the exception is ATF-Cleaner, you may keep that nice little tool if you wish.

4) System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

5) Some valuable information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

pskelley
2007-04-23, 14:26
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks