Hello - I am having a problem with a program called smtogmsg.exe. I have OnceCare Anti-Virus and Windows Defender (both by Microsoft in Beta) installed and the OneCare firewall keeps poping up asking me if I want to block smtogmsg.exe from accessing the internet. I have done a search on the internet withouth any success, there is nothing at all on it. It says it is located in C:\WINDOWS\SYSTEM32, but when I go to that directory there is nothing there, I did do a search on my computer and I found it in C:\WINDOWS\Prefetch and the file name in that directory is SMTOGMSG.EXE-261FF95F.pf. I am not sure if I should allow to access the internert since I cannot find any information on it. I am including the Hijackthis log.
Any help would be greatly appreciated.
Logfile of HijackThis v1.99.1
Scan saved at 8:07:05 AM, on 3/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5296.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\ehome\ehSched.exe
C:\LSDYNA\run\Intel\lmgrd.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\LSDYNA\run\Intel\ansyslmd.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\Program Files\NetDrive\wdService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\WinGO\WinGO.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Program Files\Easy2Sync\Easy2Sync.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\LVComsX.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Documents and Settings\Bud\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [WinGO] C:\PROGRA~1\WinGO\WinGO.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LogSessionName] stdout
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7 -reboot 1
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Easy2Sync.lnk = C:\Program Files\Easy2Sync\Easy2Sync.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: MonacoGamma.lnk = C:\Program Files\Monaco Systems\MonacoOPTIX 2.0\MonacoGamma.exe
O4 - Global Startup: MonacoReminder.lnk = ?
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/downl...lscbase7617.cab
O18 - Protocol: G7PS - {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\WINDOWS\system32\G7PS.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FLEXlm Service 1 - GLOBEtrotter Software Inc. - C:\LSDYNA\run\Intel\lmgrd.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: sasrfc Service (sasrfcService) - Unknown owner - C:\Program Files\SAS Institute\SAS\V8\access\sasexe\sasrfc.exe (file missing)
O23 - Service: User Profile Hive Cleanup (UPHClean) - Unknown owner - C:\Program Files\UPHClean\uphclean.exe (file missing)
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\NetDrive\wdService.exe
O23 - Service: XBWWW - Unknown owner - C:\DOCUME~1\Bud\LOCALS~1\Temp\XBWWW.exe (file missing)
1
HJT log analysis
Started by azaouk, Mar 23 2006 01:10 PM
1 reply to this topic
#2 OFFLINE
-
- Spyware Moderators
-
- 1,821 posts
Power Member
- Gender:Male
- Location:Manchester. UK
- Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.
Posted 24 March 2006 - 03:33 PM
Hi azaouk 
You have some signs of infections so its best we run some scanners. Can you set Windows to show hidden files then upload the below files to a virus scan site.
Click Start. Goto MyComputer then c:\drive
Select the Tools menu from the top bar and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
UnCheck the "Hide protected operating system files (recommended)" option.
Click Yes to confirm then OK
Set this back later by opening the same page and pressing the restore defaults button.
Search for these files:
Goto Start Menu > Search > Click All Files and Folders, scroll down to the More Advanced Options which is the last option, click that and then make sure there is a check next to Search System Folders, Search Hidden Files and Folders & Search Subfolders
Once they are enabled scroll back up to the All or part of the filename: area and enter these
stdout
msupdate32.dll
WinGO.exe
smtogmsg.exe
If found make a note of the folder and then upload them all at either of these sites:
http://virusscan.jotti.org/
http://www.virustotal.com/
You can copy and paste the results from jotti and on virus total you left click and cover the text then press Control & C together to copy to clipboard, Once its copied to clipboard you can right click into the reply here and choose Paste.
Thanks
You have some signs of infections so its best we run some scanners. Can you set Windows to show hidden files then upload the below files to a virus scan site.
Click Start. Goto MyComputer then c:\drive
Select the Tools menu from the top bar and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
UnCheck the "Hide protected operating system files (recommended)" option.
Click Yes to confirm then OK
Set this back later by opening the same page and pressing the restore defaults button.
Search for these files:
Goto Start Menu > Search > Click All Files and Folders, scroll down to the More Advanced Options which is the last option, click that and then make sure there is a check next to Search System Folders, Search Hidden Files and Folders & Search Subfolders
Once they are enabled scroll back up to the All or part of the filename: area and enter these
stdout
msupdate32.dll
WinGO.exe
smtogmsg.exe
If found make a note of the folder and then upload them all at either of these sites:
http://virusscan.jotti.org/
http://www.virustotal.com/
You can copy and paste the results from jotti and on virus total you left click and cover the text then press Control & C together to copy to clipboard, Once its copied to clipboard you can right click into the reply here and choose Paste.
- Next download and run Blacklight from Here
Run the program, accept statement > click next then scan
Do not rename "wbemtest.exe" as its a windows file. If there are any other files you THINK may be valid don't rename them for now as Blacklight will create a log that can be post back if needed called fsbl-<date/time>.log . If you wanted to rename files left click each and choose 'Rename' then Blacklight will ask you to reboot and change the extention to .ren so they can be found when the system restarts.
- Download, install, and update Ewido Anti-Malware. When installing, under Additional Options uncheck Install background guard and Install scan via context menu. Run Ewdio and click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display Update successful)
Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run. When ewido finds something, it will pop up a notification. Select Remove and check the boxes Perform action with all infections and Create encrypted backup then click on ok.When the scan finishes, click on Save Report and save it to your desktop or c:/drive then post it back in your next reply.
- Finally run Panda Activescan from Here.
Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan
(Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back.
Thanks
