I somehow go this virus on my computer that stole my desktop, and wont let me chang it. I think it's called "Trojan-Spy.HTML.Snitfraud.c"....I've tried everything to remove it. I've ran avg, adaware, and spyware doctor, and neither one could remove it. What else should I do?
server_crash 64 Postaholic
DMR 152 Wombat At Large Team Colleague
That sounds like a smitfraud symptom.
There are a couple of variants of that infection, and it also tends to bring a few "friends" along with it, so the first thing we should do is get a HijackThis log from you.
You probably know the drill already, but:
Download the (free) HijackThis utility from here.
Once downloaded, follow these instructions to install and run the program:
Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.
Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HiajckThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.
server_crash 64 Postaholic
Thanks for offering some help. I got this resolved a little after posting that. I hope I didn't waste your time.
Here is what worked for me:
http://www.wilderssecurity.com/showthread.php?t=75890
I'll certainly give you some rep for the help though.
dlh6213 27 Posting Maven Team Colleague
As a precaution, I suggest you boot into Safe Mode and do a search for these files and delete any instances found:
param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe
If any could not be deleted -- most likely param32.dll -- run Pocket Killbox
(http://bleepingcomputer.com/files/spyware/KillBox.zip) and paste the full file path of file in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)
HelpMeh 0 Newbie Poster
Hi, I have the same thing, but I don't quite understand how to remove it. I got this from hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 2:00:34 PM, on 6/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\sys32.exe
C:\PROGRA~1\AIM95\AIMWDI~1.EXE
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\WINDOWS\System32\combo.exe
C:\WINDOWS\System32\msxct.exe
C:\WINDOWS\System32\n?svc32.exe
C:\WINDOWS\stubinstaller4292.exe
C:\WINDOWS\DKQPP.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\wuauclt.exe
c:\wp.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Roy Hsieh\My Documents\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=500
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.maxifiles.com/toolbar/sidebar.php?tid=%toolbar_id&aid=%AffiliateID
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://out.true-counter.com/a/?101 about:blank (obfuscated)
R3 - Default URLSearchHook is missing
F1 - win.ini: run=fntldr.exe C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\msinfo.exe
O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\ipreg32.dll
O2 - BHO: (no name) - {C21B6409-A4E1-811E-E46E-887AE3C70E97} - C:\WINDOWS\System32\zuhj.dll (file missing)
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765728274} - C:\WINDOWS\System32\wer8274.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {F1262C22-1EC6-466B-A597-1A6C26AB082C} - (no file)
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [Internat Conf] C:\WINDOWS\System32\bootconf.exe
O4 - HKLM\..\Run: [oxpovywx] C:\WINDOWS\wtduixan.exe
O4 - HKLM\..\Run: [yNcXTqu] C:\documents and settings\roy hsieh\local settings\temp\yNcXTqu.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [ns5ENW7] C:\documents and settings\roy hsieh\local settings\temp\ns5ENW7.exe
O4 - HKLM\..\Run: [UNN] C:\documents and settings\roy hsieh\local settings\temp\UNN.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [s8h] C:\documents and settings\roy hsieh\local settings\temp\s8h.exe
O4 - HKLM\..\Run: [sys32] C:\WINDOWS\sys32.exe
O4 - HKLM\..\Run: [Igx29S4] C:\documents and settings\roy hsieh\local settings\temp\Igx29S4.exe
O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKLM\..\Run: [p7] C:\documents and settings\roy hsieh\local settings\temp\p7.exe
O4 - HKLM\..\Run: [0] C:\documents and settings\roy hsieh\local settings\temp\0.exe
O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\PROGRA~1\AIM95\AIMWDI~1.EXE
O4 - HKLM\..\Run: [Z1ts9WeLe] C:\documents and settings\roy hsieh\local settings\temp\Z1ts9WeLe.exe
O4 - HKLM\..\Run: [tn0] c:\documents and settings\roy hsieh\local settings\temp\tn0.exe
O4 - HKLM\..\Run: [OVKsfrQ] c:\documents and settings\roy hsieh\local settings\temp\OVKsfrQ.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [firlnin] C:\Documents and Settings\Roy Hsieh\Local Settings\Temporary Internet Files\Content.IE5\89QROH6B\delf061225[1].exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\Run: [combop.exe] combop.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKCU\..\Run: [M03tRUdtV] cscgfat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Clock] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Mjvcd] C:\WINDOWS\System32\n?svc32.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000081.exe
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\WINDOWS\stubinstaller4292.exe"
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [QKBETVLX] C:\WINDOWS\UEWOQPK.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {20EA0D31-EFE1-4658-BF06-D8D0384BF7CF} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {20EA0D31-EFE1-4658-BF06-D8D0384BF7CF} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {213A2C51-5ECA-4314-8056-E31E4C6026BB} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {213A2C51-5ECA-4314-8056-E31E4C6026BB} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {5664E896-D8A0-483C-B9F3-D1E8C2E8FF2B} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {5664E896-D8A0-483C-B9F3-D1E8C2E8FF2B} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {89EC0512-B7C9-41E3-B9C9-232312CAFA2D} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {89EC0512-B7C9-41E3-B9C9-232312CAFA2D} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {20EA0D31-EFE1-4658-BF06-D8D0384BF7CF} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {20EA0D31-EFE1-4658-BF06-D8D0384BF7CF} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {213A2C51-5ECA-4314-8056-E31E4C6026BB} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {213A2C51-5ECA-4314-8056-E31E4C6026BB} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {533EC535-6AB4-431D-82AE-093189408987} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {533EC535-6AB4-431D-82AE-093189408987} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {5664E896-D8A0-483C-B9F3-D1E8C2E8FF2B} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {5664E896-D8A0-483C-B9F3-D1E8C2E8FF2B} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {772C2DB9-7305-4EC3-A294-905134C80FDC} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {772C2DB9-7305-4EC3-A294-905134C80FDC} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {7BB2346A-4B41-4C42-A51D-E558B114F2F0} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7BB2346A-4B41-4C42-A51D-E558B114F2F0} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {89EC0512-B7C9-41E3-B9C9-232312CAFA2D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {89EC0512-B7C9-41E3-B9C9-232312CAFA2D} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c17.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {9EAC0186-5F5A-4362-B120-15C312CE012D} - http://www.awmdabest.com/cabl/500/tb.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - https://www.mir3europe.com/nProtect/nPKeyCrypt/npkcx.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/awaybox.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/UCSearch.CAB
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
What to do now?
server_crash 64 Postaholic
Did you follow the link I posted?
DMR 152 Wombat At Large Team Colleague
Hi HelpMeh,
First of all- welcome to TechTalk!
We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.
Please start your own thread and post your questions and your HijackThis log there.
For a full description of our posting guidelines and general rules of conduct, please see this page:
http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules
Thanks for understanding.
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.