
Thread: smitfreud problems?

  1. #1
    Junior Member
    Join Date
    Mar 2007
    Posts
    12

    smitfreud problems?

    I have problems with my PC.. it's slower than usual and the other threads here didn't help..
    + TeaTimer registers a registry change which I must accept or else it pops up again instantly, and minutes after it is changed it gets deleted and added again...
    my HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 17:47:05, on 01.03.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programfiler\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ATKKBService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Programfiler\Executive Software\Diskeeper\DkService.exe
    C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
    C:\WINDOWS\system\driver\csrss.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programfiler\Microsoft IntelliPoint\point32.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\Programfiler\PowerISO\PWRISOVM.EXE
    C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe
    C:\Programfiler\3Com\3Com Wireless USB Utility\Wlan.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programfiler\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programfiler\Internet Explorer\IEXPLORE.EXE
    C:\Programfiler\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Iexp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
    R3 - Default URLSearchHook is missing
    O1 - Hosts: AmsServer
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Programfiler\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
    O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Programfiler\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Programfiler\Executive Software\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [RemoteControl] C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programfiler\Fellesfiler\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [IndexSearch] C:\Programfiler\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [ControlCenter2.0] C:\Programfiler\Brother\ControlCenter2\brctrcen.exe /autorun
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [3COM] "C:\Programfiler\3Com\3Com Wireless USB Utility\Wlan.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
    O4 - HKCU\..\Run: [µTorrent] "C:\Documents and Settings\Administrator\Skrivebord\Ikoner\utorrent.exe"
    O4 - Startup: ASUS Smartdoctor.lnk = C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca..._2.3.3.102.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23.hotmail.msn.com/...s/MsnPUpld.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
    O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw/autobios/LOnline/install.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
    O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programfiler\Executive Software\Diskeeper\DkService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
    O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programfiler\Sygate\SPF\smc.exe
    these viruses are killing me

  2. #2
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Welcome to the forum, you have a couple of real nasty trojans running on your computer.
    NTLOAD X ntsrv.exe Flagged as Backdoor.Iroffer / Backdoor.Noer
    NTSVCMGR X ntsrv.exe Flagged as Backdoor.Iroffer / Backdoor.Noer
    http://www.pcreview.co.uk/startup/CS...E/.svchost.php

    Here they are on the computer:
    C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
    C:\WINDOWS\system\driver\csrss.exe
    O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
    O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe

    Here is information: http://www3.ca.com/securityadvisor/p....aspx?id=55409
    Backdoor: A secret or undocumented means of getting into a computer system, or software that uses such a means to penetrate a system. Some software has a backdoor placed by the programmer to allow them to gain access to troubleshoot or change the program. Software that is classified as a "backdoor" is designed to exploit a vulnerability in a system, and open it to future access by an attacker.
    and the google: http://www.google.com/search?q=+Back...e7&rlz=1I7GGLG

    While I may be able to help you remove these worms, your security has been compromised and I need to give you this information:
    You're infected, one or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this article too.
    How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
    http://www.dslreports.com/faq/10451
    When Should I Format, How Should I Reinstall
    http://www.dslreports.com/faq/10063

    Please let us know what you have decided to do in your next post.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
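
The two signals post #2 reads off the log, a system process name running from the wrong directory and services with no owner string, as an added Python example that is not part of the original thread. The sample log is constructed from lines in the thread; the `SYSTEM_HOME` table assumes a default Windows XP install under C:\WINDOWS, and the severity labels are this example's own.

```python
import re
from ntpath import basename, dirname, normcase

# Constructed sample: lines copied from the logs in this thread, trimmed for length.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
C:\WINDOWS\system\driver\csrss.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
"""

# Assumption: where these binaries live on a default XP install (lower-cased).
SYSTEM_HOME = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
WINDOWS_ROOT = "c:\\windows\\"

# "O23 - Service: <name> - <owner> - <path>"; the path starts at the drive letter.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$"
)


def parse_hjt(text):
    """Return (running process paths, O23 service dicts) from a HijackThis log."""
    processes, services = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()  # forum pastes are often indented
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if line:
                processes.append(line)
            else:
                in_processes = False  # a blank line ends the process list
            continue
        match = O23_RE.match(line)
        if match:
            services.append(match.groupdict())
    return processes, services


def triage(text):
    """Return (severity, reason, path) tuples worth a closer look."""
    processes, services = parse_hjt(text)
    running = {normcase(p) for p in processes}
    findings = []
    # Signal 1: a core Windows process name running from somewhere else.
    for path in processes:
        home = SYSTEM_HOME.get(basename(path).lower())
        if home and normcase(dirname(path)) != home:
            findings.append(("high", "system process name outside " + home, path))
    # Signal 2: a service with no owner string. Third-party tools installed in
    # their own folder show this too, so only the Windows tree is rated high.
    for svc in services:
        if svc["owner"].lower() != "unknown owner":
            continue
        path = svc["path"]
        severity = "high" if normcase(path).startswith(WINDOWS_ROOT) else "review"
        state = "running" if normcase(path) in running else "not running"
        reason = f"service {svc['name']} reports no owner ({state})"
        findings.append((severity, reason, path))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Neither signal is a verdict on its own: the Norman antivirus services in the later log also show "Unknown owner", which is why the example only rates them "review".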

  3. #3
    Junior Member
    Join Date
    Mar 2007
    Posts
    12

    thanks

    Hi, I used HJT to fix the entries:
    O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
    O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
    but I don't think csrss.exe is a trojan because I ran some tests on a site to see if I sent out any info and I didn't.. besides I can't terminate the process in Task Manager.

    but for the O23 entry I thank you, but I still have the problem with something about adding "winlogon notifiers" in Spybot-SD "resident" constantly if I deny..



    thanks for the help so far!! best forum ever!!

    PS: what is an "icmp 11 echo recuest" and time "ecceeded for datagram"
    every program is trying to send something like that now and then, I see it on my firewall..

  4. #4
    Junior Member
    Join Date
    Mar 2007
    Posts
    12

    oops

    "time ecceeded for datagram"

  5. #5
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    If you are saying you would like me to help you clean the computer, post another HJT log. I will respond as soon as possible after you post.

    Thanks

  6. #6
    Junior Member
    Join Date
    Mar 2007
    Posts
    12

    I want help if I'm not clean

    Logfile of HijackThis v1.99.1
    Scan saved at 00:26:55, on 10.03.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programfiler\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ATKKBService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Programfiler\Executive Software\Diskeeper\DkService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Programfiler\Microsoft IntelliPoint\point32.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\ALCWZRD.EXE
    C:\Programfiler\3Com\3Com Wireless USB Utility\Wlan.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\Programfiler\Fellesfiler\Teleca Shared\Generic.exe
    C:\Programfiler\MSN Messenger\usnsvc.exe
    C:\Programfiler\Ares\Ares.exe
    C:\Programfiler\uTorrent\uTorrent.exe
    C:\Programfiler\TuneUp Utilities 2007\SystemOptimizer.exe
    C:\Programfiler\TuneUp Utilities 2007\RegistryCleaner.exe
    C:\Programfiler\Hijackthis\HijackThis.exe
    C:\WINDOWS\system32\msiexec.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Iexp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
    R3 - Default URLSearchHook is missing
    O1 - Hosts: AmsServer
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Programfiler\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
    O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Programfiler\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Programfiler\Executive Software\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [3COM] "C:\Programfiler\3Com\3Com Wireless USB Utility\Wlan.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
    O4 - HKCU\..\Run: [ares] "C:\Programfiler\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [µTorrent] "C:\Programfiler\uTorrent\uTorrent.exe"
    O4 - Startup: ASUS Smartdoctor.lnk = C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0\bin\ssv.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23.hotmail.msn.com/...s/MsnPUpld.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Programfiler\Ares\chatServer.exe
    O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programfiler\Executive Software\Diskeeper\DkService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programfiler\Sygate\SPF\smc.exe

  7. #7
    Junior Member
    Join Date
    Mar 2007
    Posts
    12

    8 / 11

    but please what is "time ecceeded for datagram" and "icmp echo (8/11) request"

  8. #8
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    I apologize, I did not understand that was a question earlier. Here is your own google:
    http://www.google.com/ (careful to use the correct spelling)
    http://www.google.com/search?hl=en&s...tagram&spell=1
    http://www.google.com/search?hl=en&q...st&btnG=Search
    I personally do not know either term, you may wish to discuss those with your Internet Service Provider.

    Logfile of HijackThis v1.99.1 Scan saved at 00:26:55, on 10.03.2007

    Please download ATF Cleaner by Atribune
    http://www.atribune.org/content/view/25/2/
    Save it to your Desktop. We will use this later.

    Use these instructions > http://russelltexas.com/malware/teatimer.htm
    Turn off TeaTimer until we are done, it will block changes we must make.

    Appears you were able to remove the real problems, nothing but a little cleaning to do.

    Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    (if you placed this in the Hosts file you may leave it)
    O1 - Hosts: AmsServer

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    Let me know about any malware issues along with a new HJT log for a final check.

    Thanks

  9. #9
    Junior Member
    Join Date
    Mar 2007
    Posts
    12

    Help!!!

    Hi and thanks for a quick reply..
    I have discovered something, I have all these winlogon notifiers in a list in Spybot.. among them iifccdd.dll which I KNOW is a virus of some kind...
    what should I do??

    here is the spybot SD list:

    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---


    Located: WinLogon, awtqq
    command: C:\WINDOWS\system32\awtqq.dll
    file: C:\WINDOWS\system32\awtqq.dll
    size: 282212
    MD5: ea70704d54347567b8d28f49a0930af1

    Located: WinLogon, crypt32chain
    command: crypt32.dll
    file: crypt32.dll

    Located: WinLogon, cryptnet
    command: cryptnet.dll
    file: cryptnet.dll

    Located: WinLogon, cscdll
    command: cscdll.dll
    file: cscdll.dll

    Located: WinLogon, iifccdd
    command: iifccdd.dll
    file: iifccdd.dll

    Located: WinLogon, ScCertProp
    command: wlnotify.dll
    file: wlnotify.dll

    Located: WinLogon, Schedule
    command: wlnotify.dll
    file: wlnotify.dll

    Located: WinLogon, sclgntfy
    command: sclgntfy.dll
    file: sclgntfy.dll

    Located: WinLogon, SensLogn
    command: WlNotify.dll
    file: WlNotify.dll

    Located: WinLogon, termsrv
    command: wlnotify.dll
    file: wlnotify.dll

    Located: WinLogon, wlballoon
    command: wlnotify.dll
    file: wlnotify.dll


    ++++++++++++++++++++++++++++++++++++++

    Logfile of HijackThis v1.99.1
    Scan saved at 14:08:49, on 10.03.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programfiler\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ATKKBService.exe
    C:\Programfiler\Executive Software\Diskeeper\DkService.exe
    C:\Norman\Bin\Zanda.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Norman\Nvc\bin\nvcoas.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\Norman\bin\NJEEVES.EXE
    C:\Norman\Nvc\BIN\NVCSCHED.EXE
    C:\Norman\Nvc\BIN\nipsvc.exe
    C:\Programfiler\Microsoft IntelliPoint\point32.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\Programfiler\3Com\3Com Wireless USB Utility\Wlan.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programfiler\uTorrent\uTorrent.exe
    C:\Programfiler\Fellesfiler\Teleca Shared\CapabilityManager.exe
    C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
    C:\Programfiler\Fellesfiler\Teleca Shared\Generic.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programfiler\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Iexp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Programfiler\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
    O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Programfiler\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Programfiler\Executive Software\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKCU\..\Run: [3COM] "C:\Programfiler\3Com\3Com Wireless USB Utility\Wlan.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
    O4 - HKCU\..\Run: [ares] "C:\Programfiler\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [µTorrent] "C:\Programfiler\uTorrent\uTorrent.exe"
    O4 - Startup: ASUS Smartdoctor.lnk = C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0\bin\ssv.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23.hotmail.msn.com/...s/MsnPUpld.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Programfiler\Ares\chatServer.exe
    O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programfiler\Executive Software\Diskeeper\DkService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
    O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
    O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programfiler\Sygate\SPF\smc.exe

  10. #10
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Let me first say that your HJT log appears to be clean of malware. While I will try to help, I prefer you ask questions dealing with Spybot here:
    http://forums.spybot.info/forumdisplay.php?f=4
    DO NOT post HJT log there.

    Using Google: http://www.google.com/ to search for this: iifccdd.dll returns this information:
    http://www.google.com/search?q=iifcc...e7&rlz=1I7GGLG
    The second link provides this information:
    http://spywaredlls.prevx.com/RRAHHH2...CCCCD.DLL.html
    I am guessing it is a leftover in the registry that was not removed. It is rare all of the infection is ever removed without a good cleaning of the registry. I would see what the folks in the Spybot forum have to say.

    Here are scanners if you wish to scan any files:
    http://virusscan.jotti.org/
    http://www.kaspersky.com/scanforvirus
    http://www.virustotal.com/flash/index_en.html

    C:\WINDOWS\system32\awtqq.dll <<< no doubt this is a Vundo infection, and it may be a leftover? To see if you have a hidden vundo infection, please return to:
    C:\Programfiler\Hijackthis\HijackThis.exe <<< rename the file to TVIRUS.exe or whatever you wish, restart the computer and post a new HJT log. If the infection is present, we should be able to see it.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
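
One way to make the comparison that posts #9 and #10 turn on, Spybot's startup list showing Winlogon notifiers that the HijackThis log from the same machine does not, as an added Python example that is not part of the original thread. The Spybot and HijackThis samples are constructed from lines in the thread, the `O20` line is a constructed illustration of how HijackThis prints a notifier when it does list one, and `XP_DEFAULT_NOTIFIERS` is an assumed baseline for a stock Windows XP SP2 install.

```python
import re

# Assumption: Notify subkeys found on a stock Windows XP SP2 install (lower-cased).
XP_DEFAULT_NOTIFIERS = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Constructed sample: blocks copied from the Spybot startup list in post #9.
SPYBOT_LIST = r"""Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe

Located: WinLogon, awtqq
command: C:\WINDOWS\system32\awtqq.dll
file: C:\WINDOWS\system32\awtqq.dll

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: WinLogon, iifccdd
command: iifccdd.dll
file: iifccdd.dll

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
"""

# Constructed sample: lines from the HijackThis log in post #9 (it has no O20 lines).
HJT_LOG = r"""O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programfiler\Sygate\SPF\smc.exe
"""

# Constructed: the same log with one notifier listed, for contrast.
HJT_LOG_WITH_O20 = HJT_LOG + "O20 - Winlogon Notify: awtqq - C:\\WINDOWS\\system32\\awtqq.dll\n"


def spybot_notifiers(text):
    """Map notifier name -> DLL from 'Located: WinLogon, <name>' blocks."""
    found, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = re.match(r"Located: WinLogon, (.+)$", line)
        if match:
            current = match.group(1)
        elif line.startswith("Located:") or not line:
            current = None  # a different autostart location, or end of block
        elif current and line.startswith("command: "):
            found[current] = line[len("command: "):]
    return found


def hjt_notifiers(text):
    """Names on 'O20 - Winlogon Notify' lines of a HijackThis log (lower-cased)."""
    pattern = r"^\s*O20 - Winlogon Notify: (.+?) - "
    return {m.group(1).lower() for m in re.finditer(pattern, text, re.M)}


def compare(spybot_text, hjt_text):
    """Non-default notifiers Spybot sees, with whether HijackThis also lists them."""
    listed = hjt_notifiers(hjt_text)
    report = []
    for name, dll in sorted(spybot_notifiers(spybot_text).items()):
        if name.lower() in XP_DEFAULT_NOTIFIERS:
            continue  # part of the assumed clean baseline
        status = "also in HJT log" if name.lower() in listed else "missing from HJT log"
        report.append((name, dll, status))
    return report


if __name__ == "__main__":
    for row in compare(SPYBOT_LIST, HJT_LOG):
        print(row)
```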
