
Got isamonitor trojan



  • Customer

    Okay, I did it but might have goofed by not 'saving as' the rapport.txt file from SmitFraudFix the first time I did it. Hence, here is the text file after I ran SmitFraudFix a second time. I believe it's clean. Also HJT log. Bobalu


    SmitFraudFix v2.131


    Scan done at 17:48:42.54, Mon 12/25/2006

    Run from C:\Documents and Settings\bob\Desktop\SmitfraudFix

    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

    The filesystem type is NTFS

    Fix run in safe mode


    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix

    !!!Attention, following keys are not inevitably infected!!!


    SrchSTS.exe by S!Ri

    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process



    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix


    GenericRenosFix by S!Ri



    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files



    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files



    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

    !!!Attention, following keys are not inevitably infected!!!


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]




    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning


    Registry Cleaning done.


    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix

    !!!Attention, following keys are not inevitably infected!!!


    SrchSTS.exe by S!Ri

    Search SharedTaskScheduler's .dll



    »»»»»»»»»»»»»»»»»»»»»»»» End


    Logfile of HijackThis v1.99.1

    Scan saved at 6:14:04 PM, on 12/25/2006

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


    Running processes:









    c:\program files\\agent\mcdetect.exe





    C:\Program Files\UPHClean\uphclean.exe


    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

    C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe

    C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe


    C:\Program Files\\VSO\mcvsshld.exe

    C:\Program Files\\VSO\oasclnt.exe



    C:\Program Files\IE New Window Maximizer\iemaximizer.exe

    C:\Program Files\Siber Systems\AI RoboForm\RoboFormWatcher.exe






    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll

    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\\vso\mcvsshl.dll

    O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

    O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"

    O4 - HKLM\..\Run: [WinPatrol System Monitor] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe

    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\\VSO\mcmnhdlr.exe" /checktask

    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\\VSO\mcvsshld.exe

    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\\VSO\oasclnt.exe

    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\\agent\mcagent.exe

    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\\agent\mcupdate.exe

    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\\PERSON~1\MpfTray.exe

    O4 - HKCU\..\Run: [iE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe

    O4 - HKCU\..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboFormWatcher.exe

    O8 - Extra context menu item: &2 Customize Menu - res://C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComCustomIEMenu.html

    O8 - Extra context menu item: &7 Fill Forms - res://C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComFillForms.html

    O8 - Extra context menu item: &8 Save Forms - res://C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComSavePass.html

    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html

    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

    O9 - Extra button: - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\WINDOWS\system32\shdocvw.dll (HKCU)

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -

    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} ( Operating System Class) -

    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) -

    O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) -,0,

    O17 - HKLM\System\CCS\Services\Tcpip\..\{37CBB603-8C91-41A5-9BB6-27AE01755D02}: NameServer =,

    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\\agent\mcdetect.exe

    O23 - Service: McShield (McShield) - McAfee Inc. - c:\PROGRA~1\\vso\mcshield.exe

    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\\agent\mctskshd.exe

    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\\Agent\mcupdmgr.exe

    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\\PERSON~1\MpfService.exe


    That's it!
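    As an added example (not part of the original thread, and not HijackThis's own logic), here is a small Python parser for the HijackThis line format shown in the log above, followed by a few hypothetical triage rules of the kind a reviewer applies by eye to O4/O20/O23 entries. The sample log is constructed: its first six lines are copied from the log above, the last two are made-up entries added only so the rules have something to flag, and the rule set is illustrative rather than a definitive malware test.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis 1.99.1 line format. The first six lines are
# copied from the log above (including its doubled backslashes); the last two
# are made-up (hypothetical) entries so the triage rules have something to flag.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [WinPatrol System Monitor] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
O4 - HKCU\..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboFormWatcher.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McShield (McShield) - McAfee Inc. - c:\PROGRA~1\\vso\mcshield.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\bob\Local Settings\Temp\svchost.exe
O23 - Service: Helper Service (hlpsvc) - Unknown owner - C:\WINDOWS\system32\drivers\hlpsvc.exe
"""

# Every HJT finding is "<section> - <body>"; everything else (headers, the
# "Running processes" list, blank lines) is skipped by the parser.
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Best-effort extraction of the first drive-letter path ending in a binary extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]\r\n]+?\.(?:exe|dll|sys|cmd|bat|scr)\b', re.IGNORECASE)

# Hypothetical rule data: locations any user can write to, and binary names
# that belong under the Windows directory and are commonly impersonated.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}


@dataclass
class Entry:
    kind: str            # section code, e.g. "O4"
    body: str            # text after "O4 - "
    path: str = ""       # extracted file path, "" if none found
    flags: list = field(default_factory=list)


def parse_hjt(text):
    """Turn HijackThis log text into Entry objects, one per finding line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        p = PATH_RE.search(body)
        entries.append(Entry(m.group("kind"), body, p.group(0) if p else ""))
    return entries


def triage(entries):
    """Attach review flags to each entry (idempotent) and return the flagged ones."""
    for e in entries:
        low = e.path.lower()
        name = low.rsplit("\\", 1)[-1]
        flags = []
        if any(d in low for d in USER_WRITABLE):
            flags.append("runs from a user-writable temp/profile directory")
        if name in SYSTEM_NAMES and "\\windows\\" not in low:
            flags.append("system binary name outside the Windows directory")
        if e.kind == "O20" and e.body.startswith("AppInit_DLLs"):
            flags.append("AppInit_DLLs: loaded into every process that links user32.dll, verify the publisher")
        if e.kind == "O23" and "Unknown owner" in e.body:
            flags.append("service with no publisher recorded")
        e.flags = flags
    return [e for e in entries if e.flags]


def summarize(entries):
    """Count entries per HJT section code."""
    counts = {}
    for e in entries:
        counts[e.kind] = counts.get(e.kind, 0) + 1
    return counts


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    print("entries by section:", summarize(ents))
    for e in triage(ents):
        print(f"[{e.kind}] {e.body}")
        for f in e.flags:
            print("    ->", f)
```

    Run against the full log in this thread the rules flag only the Google AppInit_DLLs entry, and only for review: the point of the O20 rule is that AppInit_DLLs is a high-value persistence slot worth confirming every time, not that this particular entry is bad.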








    Please delete the one you have on your Desktop and run this one

    here is the updated version.

    Download SmitfraudFix (by S!Ri) to your Desktop.

    Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

    ( Do not run just YET )

    Please print out or copy these instructions to Notepad as the internet will not be available to you at certain points of the removal process (whilst in Safe Mode). If there's anything that you don't understand, ask your question(s) before moving on with the fix.


    Reboot into Safe Mode. You can get there by restarting your computer and continually tapping F8 until a menu appears. Use your arrow to highlight Safe Mode then hit enter.


    Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.

    Select option #2 - Clean by typing 2 and press Enter.

    Wait for the tool to complete and disk cleanup to finish.

    You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

    The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.


    A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.


    When back in Normal Mode, click Start>Settings>Control Panel>Display>Desktop>Customize Desktop>Web and uncheck "Security Info" if present.


    Please post the newrapport.txt log along with a new HijackThis Log in your next reply.

    Then come back here give me some feedback.

    @ Raiz


    Please start your own Thread/Topic. Do not post in someone else's

    thread and we will be more than happy to have a look for you.


  • Customer



    Log looks good. Are you having any problems? If not,

    update Ad-Aware, run a scan and see how it looks. If all

    good, then come back here with feedback and to take

    our last steps here.



  • Customer

    Looks good, no problems, thank you very much. Anything else I should do?



  • Customer



    As I said, if you are having no more problems, do this here.



    To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.



    Next, let's clean your restore points and set a new one



    Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)


    1. Turn off System Restore.

    * On the Desktop, right-click My Computer.

    * Click Properties.

    * Click the System Restore tab.

    * CHECK Turn off System Restore.

    * Click Apply, and then click OK.

    2. Restart your computer.

    3. Turn ON System Restore.

    * On the Desktop, right-click My Computer.

    * Click Properties.

    * Click the System Restore tab.

    * UN-Check Turn off System Restore.

    * Click Apply, and then click OK.


    System Restore will now be active again.



    Then create a new restore point once you have System Restore back on.

    To create a new System Restore Point, click Start -> All Programs -> Accessories -> System Tools -> System Restore.

    When the System Restore Utility opens, click "Create a Restore Point" then click Next.

    Enter a name for this Restore Point, and click Create.




    Clean out your Temporary Internet files.

    Internet Explorer

    Close Internet Explorer and close any instances of Windows Explorer.

    Click Start -> Control Panel and then double-click Internet Options.

    On the General tab, click Delete Files under Temporary Internet Files.

    In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.

    On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.

    Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.

    Click OK.


    Firefox (In case you also have Firefox installed)

    Open Firefox and go to Tools -> Options.

    Click Privacy in the menu on the left side of the Options window.

    Click the Clear button located to the right of each option (History, Cookies, Cache).

    Click OK to close the Options window.

    Alternatively, you can clear all information stored while browsing by clicking Clear All.

    A confirmation dialog box will be shown before clearing the information.



    Make your Internet Explorer more secure - This can be done by following these simple instructions:

    1. From within Internet Explorer click on the Tools menu and then click on Options.

    2. Click once on the Security tab

    3. Click once on the Internet icon so it becomes highlighted.

    4. Click once on the Custom Level button.

    a. Change the Download signed ActiveX controls to Prompt

    b. Change the Download unsigned ActiveX controls to Disable

    c . Change the Initialize and script ActiveX controls not marked as safe to Disable

    d. Change the Installation of desktop items to Prompt

    e. Change the Launching programs and files in an IFRAME to Prompt

    f. Change the Navigate sub-frames across different domains to Prompt

    g. When all these settings have been made, click on the OK button.

    h. If it prompts you as to whether or not you want to save the settings, press the Yes button.

    5. Next press the Apply button and then the OK to exit the Internet Properties page.


    And please have a look at the great info by Mr. TK

    So how did I get infected in the first place
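    The six Custom Level settings in step 4 above are stored as DWORD values under the current user's Internet zone key, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, using Microsoft's documented value names (1001, 1004, 1201, 1607, 1800, 1804) and levels (0 = Enable, 1 = Prompt, 3 = Disable). As an added example that is not part of the original thread, the Python below audits an exported copy of that key against the levels recommended above and generates a .reg file that applies them. The export it parses is a constructed, hypothetical "before" state, not data from the poster's machine; the value-name mapping is the only part taken from Microsoft's documentation.

```python
import re

# Current user's Internet zone (zone 3) and the documented value names for the
# six settings in the steps above. Levels: 0 = Enable, 1 = Prompt, 3 = Disable.
ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
LEVEL = {0: "Enable", 1: "Prompt", 3: "Disable"}
RECOMMENDED = {
    "1001": (1, "Download signed ActiveX controls"),
    "1004": (3, "Download unsigned ActiveX controls"),
    "1201": (3, "Initialize and script ActiveX controls not marked as safe"),
    "1800": (1, "Installation of desktop items"),
    "1804": (1, "Launching programs and files in an IFRAME"),
    "1607": (1, "Navigate sub-frames across different domains"),
}

# Constructed (hypothetical) regedit export of the zone key before hardening.
# The string value is present only to show that non-DWORD lines are ignored.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000003
"1607"=dword:00000000
"1800"=dword:00000001
"1804"=dword:00000000
"""

DWORD_RE = re.compile(r'^"(?P<name>\d{4})"=dword:(?P<val>[0-9a-fA-F]{8})$')


def parse_zone_export(reg_text):
    """Return {value_name: int} for the four-digit DWORD values under ZONE_KEY only."""
    values, in_zone = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_zone = line[1:-1].lower() == ZONE_KEY.lower()
            continue
        m = DWORD_RE.match(line)
        if in_zone and m:
            values[m.group("name")] = int(m.group("val"), 16)
    return values


def audit(values):
    """List (name, description, current, wanted) for settings weaker than recommended.
    A missing value is reported as 'not set'; a value that is already stricter
    (Disable where Prompt is asked for) is not a finding."""
    findings = []
    for name, (wanted, desc) in RECOMMENDED.items():
        cur = values.get(name)
        if cur is None or cur < wanted:
            findings.append((name, desc, LEVEL.get(cur, "not set"), LEVEL[wanted]))
    return findings


def hardening_reg():
    """Text of a REGEDIT4-format .reg file applying the recommended levels.
    Save it as ANSI text and import with: regedit /s harden-ie-zone.reg"""
    lines = ["REGEDIT4", "", f"[{ZONE_KEY}]"]
    for name, (wanted, _) in RECOMMENDED.items():
        lines.append(f'"{name}"=dword:{wanted:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    before = parse_zone_export(SAMPLE_EXPORT)
    for name, desc, cur, wanted in audit(before):
        print(f"{name} {desc}: {cur} -> should be {wanted}")
    print(hardening_reg())
```

    Two caveats a practitioner would check: these are per-user values, so each account that browses needs its own pass (or the equivalent HKEY_LOCAL_MACHINE branch if the machine is configured to use machine-only zone settings), and after importing the file the zone shows as "Custom" in the Security tab, which is expected.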




  • Support

    Since these issues appear to be resolved, I'll go ahead and archive this topic in the *Resolved* section (read only).


    Should you have any further issues, please feel free to start a new topic


    For anyone with similar issues that needs help - please start your own new topic.

