
Thread: Help with smithfraudc and others!!

  1. #1
    Junior Member (Join Date: Aug 2007, Posts: 23)

    Help with smithfraudc and others!!

    Here is my HJT log. I can't get the online antivirus to work, sorry. Any help with this would be great; thanks to all in advance.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:40:19 PM, on 7/31/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Updater.exe
    C:\Program Files\DefenderPro AntiSpy\DPASNT.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\TEMP\win27.tmp.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\mgrs.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\DefenderPro AntiSpy\AntiSpy\TSAntiSpy.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Brian2\Local Settings\Temporary Internet Files\Content.IE5\6VB26QDV\HiJackThis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://s2.truth-is-out-there.org/?pi...&dt=2007-07-30
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3545915B-477B-4FCE-B158-FEF9692CF16C} - C:\Program Files\MSN\meqoca3.dll
    O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\ddcbxxv.dll
    O2 - BHO: (no name) - {3b1b4f8e-7a4f-4e94-80ec-4ac6e0efa5dc} - C:\WINDOWS\system32\ucjnkii.dll
    O2 - BHO: IE PopUp-Killer - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\DEFEND~2\DEFEND~2\PopUp.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {82025E5F-76E7-43F6-9AE3-BF5E25474507} - C:\Program Files\MSN\meqoca83122.dll
    O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
    O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\dirftrpo.dll
    O2 - BHO: OsbornTech Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
    O2 - BHO: (no name) - {C8E35A52-42C3-49F9-82BC-89E3CA043C4F} - C:\WINDOWS\system32\geeby.dll
    O2 - BHO: (no name) - {D8704C80-5E14-4BDE-BA6D-23DCAF1B38E6} - C:\Program Files\MSN\meqoca1.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Defender Pro Anti-Scam - {102BAD8B-CD05-46ff-94FF-A2C1ABD5F7D5} - C:\Program Files\Defender Pro\Defender Pro Anti-Scam\mscoree.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
    O4 - HKLM\..\Run: [ServicesNotify] C:\Program Files\Defender Pro\Defender Pro Anti-Scam\ServicesNotify.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [DPAS] "C:\Program Files\DefenderPro AntiSpy\DPASNT.exe"
    O4 - HKLM\..\Run: [DPASUpdate] "C:\Program Files\DefenderPro AntiSpy\DPASAutoUpdate.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win27.tmp.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize
    O4 - HKLM\..\Run: [smgr] mgrs.exe
    O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\sdafvgco.dll",forkonce
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Defender Pro Firewall.lnk = C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
    O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - http://www.peoplepc.com/ppcos/isp60/...ad/ppcwebi.cab
    O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
    O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
    O20 - Winlogon Notify: ddcbxxv - C:\WINDOWS\SYSTEM32\ddcbxxv.dll
    O20 - Winlogon Notify: geeby - C:\WINDOWS\system32\geeby.dll
    O20 - Winlogon Notify: nnnomnk - C:\WINDOWS\SYSTEM32\nnnomnk.dll
    O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - (no file)
    O22 - SharedTaskScheduler: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - (no file)
    O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\system32\aspimgr.exe (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: kavsvc - Defender Pro LLC - C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 8646 bytes

  2. #2
    Security Expert: Visiting Fellow (Join Date: Jul 2007, Posts: 703)

    One or more of the identified infections is a backdoor trojan.

    This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

    I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

    Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised, and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

    How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

    When Should I Format, How Should I Reinstall

    However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.

    Should you have any questions, please feel free to ask.

    Please let us know what you have decided to do in your next post.
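    Post #2 calls the infection a backdoor trojan without pointing at the log lines that give it away. As an added example (not code from the thread, the poster or the HijackThis project), the script below triages the O2/O4/O20/O23 entries of an HJT log with a few defender-side heuristics: autostarts launched from a temp directory, a populated AppInit_DLLs value, Winlogon Notify packages outside the XP default set, service image paths that are NTFS alternate data streams, and unnamed BHOs that still have a file on disk. The sample lines are copied from the first log above; the XP default Notify set and the heuristics themselves are assumptions to tune for your own environment.

```python
"""Triage helper for HijackThis (HJT) log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Windows XP default Winlogon Notify packages (assumption: extend as needed).
# Any other Notify DLL is loaded into winlogon.exe at every logon.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wgalogon", "wlballoon",
}

# Autostarts should not run out of temp directories.
TEMP_DIR = re.compile(r"\\(temp|temporary internet files)\\", re.I)

# A second ':' after the drive letter means an alternate data stream
# (e.g. svchost.exe:exe.exe), which HJT prints verbatim in O23 lines.
ADS_PATH = re.compile(r"^[a-z]:\\[^:]*:[^\\]+$", re.I)

# Every HJT finding starts with a section code such as "R1" or "O23".
HJT_LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<rest>.*)$")


@dataclass
class Finding:
    code: str     # HJT section, e.g. "O20"
    reason: str   # why the line was flagged
    line: str     # the original log line


def check_line(line: str):
    """Return a Finding for one HJT log line, or None if nothing stands out."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None  # running-process list, headers, blank lines
    code, rest = m.group("code"), m.group("rest")

    if code == "O4":
        # "HKLM\..\Run: [name] command" or "Global Startup: x.lnk = target"
        cmd = rest.split("] ", 1)[1] if "] " in rest else rest.split(": ", 1)[-1]
        if TEMP_DIR.search(cmd):
            return Finding(code, "autostart runs from a temp directory", line)

    elif code == "O20":
        if rest.startswith("AppInit_DLLs:") and rest.split(":", 1)[1].strip():
            return Finding(code, "AppInit_DLLs is populated (DLL injected into every GUI process)", line)
        if rest.startswith("Winlogon Notify: "):
            name = rest[len("Winlogon Notify: "):].split(" - ", 1)[0]
            if name.lower() not in KNOWN_WINLOGON_NOTIFY:
                return Finding(code, "Winlogon Notify package outside the XP default set", line)

    elif code == "O23":
        # "Service: display (short) - owner - path [(file missing)]"
        path = rest.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()
        if ADS_PATH.match(path):
            return Finding(code, "service image path is an NTFS alternate data stream", line)

    elif code == "O2":
        # "BHO: name - {CLSID} - path"; the path itself may contain " - "
        parts = rest.split(" - ", 2)
        if parts[0] == "BHO: (no name)" and len(parts) == 3 and parts[2] != "(no file)":
            return Finding(code, "unnamed BHO with a file on disk; review", line)

    return None


def triage(log_text: str):
    """Run check_line over a whole HJT log and return the findings in log order."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


# Sample input: lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
Running processes:
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win27.tmp.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\ddcbxxv.dll
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.reason}\n     {f.line}")
```

    Five of the ten sample lines are flagged; the Java autostart, the named Adobe BHO, the orphaned BHO, the WgaLogon package and the Creative service pass through untouched.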

  3. #3
    Junior Member (Join Date: Aug 2007, Posts: 23)

    Sorry it has taken me so long to get back. I work a crazy schedule. I would like to try to clean this one, if that is OK with you. I have got the online scanner to work and also a new residential computer scan system. I didn't get a printout of the online one, but I will go and do a new one now and get a report and post it next. Here is a new HJT log, though.

    Thanks for all your help. Sincerely,

    CDaddy

    Logfile of HijackThis v1.99.1
    Scan saved at 5:19:02 PM, on 8/3/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Updater.exe
    C:\Program Files\DefenderPro AntiSpy\DPASNT.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe
    C:\Program Files\DefenderPro AntiSpy\AntiSpy\TSAntiSpy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Brian2\Local Settings\Temporary Internet Files\Content.IE5\LBCER3HE\HijackThis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://s2.truth-is-out-there.org/?pi...&dt=2007-07-30
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3545915B-477B-4FCE-B158-FEF9692CF16C} - C:\Program Files\MSN\meqoca3.dll
    O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\ddcbxxv.dll
    O2 - BHO: (no name) - {3b1b4f8e-7a4f-4e94-80ec-4ac6e0efa5dc} - C:\WINDOWS\system32\ucjnkii.dll
    O2 - BHO: IE PopUp-Killer - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\DEFEND~2\DEFEND~2\PopUp.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {67F0C2D4-077F-4E60-BC20-5327BFF92D8F} - C:\WINDOWS\system32\geeby.dll
    O2 - BHO: (no name) - {82025E5F-76E7-43F6-9AE3-BF5E25474507} - C:\Program Files\MSN\meqoca83122.dll
    O2 - BHO: (no name) - {85E739F5-DBC8-4182-8EE8-6E36712B11D1} - C:\WINDOWS\system32\geeby.dll
    O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
    O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\dirftrpo.dll
    O2 - BHO: OsbornTech Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
    O2 - BHO: (no name) - {D8704C80-5E14-4BDE-BA6D-23DCAF1B38E6} - C:\Program Files\MSN\meqoca1.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Defender Pro Anti-Scam - {102BAD8B-CD05-46ff-94FF-A2C1ABD5F7D5} - C:\Program Files\Defender Pro\Defender Pro Anti-Scam\mscoree.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
    O4 - HKLM\..\Run: [ServicesNotify] C:\Program Files\Defender Pro\Defender Pro Anti-Scam\ServicesNotify.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [DPAS] "C:\Program Files\DefenderPro AntiSpy\DPASNT.exe"
    O4 - HKLM\..\Run: [DPASUpdate] "C:\Program Files\DefenderPro AntiSpy\DPASAutoUpdate.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win27.tmp.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize
    O4 - HKLM\..\Run: [smgr] mgrs.exe
    O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\cvwovpda.dll",forkonce
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Defender Pro Firewall.lnk = C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - http://www.peoplepc.com/ppcos/isp60/...ad/ppcwebi.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
    O20 - Winlogon Notify: ddcbxxv - C:\WINDOWS\SYSTEM32\ddcbxxv.dll
    O20 - Winlogon Notify: geeby - C:\WINDOWS\system32\geeby.dll
    O20 - Winlogon Notify: nnnomnk - C:\WINDOWS\SYSTEM32\nnnomnk.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - (no file)
    O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\system32\aspimgr.exe (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: kavsvc - Defender Pro LLC - C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

  4. #4
    Junior Member (Join Date: Aug 2007, Posts: 23)

    Here are the online results

    Thanks so much

    File         Infection              Status         Path
    ddcbxxv.dll  Win32/Chisyne!generic  cannot delete  C:\WINDOWS\SYSTEM32\
    fccywww.dll  Win32/Chisyne!generic  deleted        C:\WINDOWS\SYSTEM32\
    geeby.dll    Win32/Vundo!generic    cannot delete  C:\WINDOWS\SYSTEM32\
    jkkifgg.dll  Win32/Chisyne!generic  deleted        C:\WINDOWS\SYSTEM32\
    jkklmlm.dll  Win32/Chisyne!generic  deleted        C:\WINDOWS\SYSTEM32\
    ljjkhge.dll  Win32/Chisyne!generic  deleted        C:\WINDOWS\SYSTEM32\
    nnnomnk.dll  Win32/Chisyne!generic  cannot delete  C:\WINDOWS\SYSTEM32\
    vtuvtsq.dll  Win32/Chisyne!generic  deleted        C:\WINDOWS\SYSTEM32\
    xxyawvv.dll  Win32/Chisyne!generic  deleted        C:\WINDOWS\SYSTEM32\

    These are the online results.

  5. #5
    Security Expert: Visiting Fellow (Join Date: Jul 2007, Posts: 703)

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer.
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double-click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
    • Press any key and it will restart the PC.
    • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
    • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to the Clipboard, ready for posting back on the forum).
    • Finally, paste the contents of Report.txt back on the forum.


    Download the latest version of ComboFix from Here to your Desktop.
    • Double-click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

  6. #6
    Junior Member (Join Date: Aug 2007, Posts: 23)

    Here is the SDFix log; I will do the combo next.

    Thanks so much for helping me with this...


    SDFix: Version 1.95

    Run by Brian2 on Sat 08/04/2007 at 05:45 PM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Name:
    aspimgr
    ICF

    ImagePath:
    C:\WINDOWS\system32\aspimgr.exe
    C:\WINDOWS\system32\svchost.exe:exe.exe

    aspimgr - Deleted
    ICF - Deleted



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File
    Restoring Missing Security Center Service
    Restoring Missing SharedAccess Service

    Rebooting...


    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\D.EXE - Deleted
    C:\128909~1 - Deleted
    C:\WINDOWS\SYSTEM32\125023~1.DLL - Deleted
    C:\WINDOWS\SYSTEM32\244505~1.DLL - Deleted
    C:\Documents and Settings\LocalService\Local Settings\Temp\2.dllb - Deleted
    C:\Documents and Settings\NetworkService\Local Settings\Temp\2.dllb - Deleted
    C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun20.exe - Deleted
    C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun21.exe - Deleted
    C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun23.exe - Deleted
    C:\WINDOWS\b122.exe - Deleted
    C:\WINDOWS\csrss.exe - Deleted
    C:\WINDOWS\s32.txt - Deleted
    C:\WINDOWS\system32\1_exception.nls - Deleted
    C:\WINDOWS\system32\CONFIG\SYSTEM~1\APPLIC~1\INSTALL.DAT - Deleted
    C:\WINDOWS\system32\ldinfo.ldr - Deleted
    C:\WINDOWS\system32\windows_log.txt - Deleted
    C:\WINDOWS\tcb.pmw - Deleted
    C:\WINDOWS\Temp\removalfile.bat - Deleted
    C:\WINDOWS\TISKY009.exe - Deleted
    C:\WINDOWS\wr.txt - Deleted
    C:\WINDOWS\ws386.ini - Deleted


    Folder C:\Documents and Settings\All Users\Documents\Settings - Removed
    Folder C:\WINDOWS\system32\b06FdUe - Removed

    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\\WINDOWS\\system32\\svchost.exe"="C:\\WINDOWS\\system32\\svchost.exe:*:Enabled:svchost"
    "C:\\WINDOWS\\Kernel32.exe"="C:\\WINDOWS\\Kernel32.exe:*:Enabled:Kernel32.exe"
    "C:\\WINDOWS\\system32\\vedxga3me2.exe"="C:\\WINDOWS\\system32\\vedxga3me2.exe:*:Enabled:msiexe"
    "C:\\DOCUME~1\\Brian\\LOCALS~1\\Temp\\19.tmp.taras"="C:\\DOCUME~1\\Brian\\LOCALS~1\\Temp\\19.tmp.taras:*:Enabled:BillGatesLoh.exe"
    "C:\\WINDOWS\\BillGatesLoh.exe"="C:\\WINDOWS\\BillGatesLoh.exe:*:Enabled:BillGatesLoh.exe"
    "C:\\DOCUME~1\\Brian\\LOCALS~1\\Temp\\1C.tmp.taras"="C:\\DOCUME~1\\Brian\\LOCALS~1\\Temp\\1C.tmp.taras:*:Enabled:BillGatesLoh.exe"
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    Remaining Files:
    ---------------

    Backups Folder: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    C:\DELL\PRIMOSDK.DLL
    C:\DELL\PX.DLL
    C:\DELL\PXDRV.DLL
    C:\DELL\PXMAS.DLL
    C:\DELL\PXWAVE.DLL
    C:\DELL\VXBLOCK.DLL
    C:\DELL\MEDIAEXE\PRIMOSDK.DLL
    C:\DELL\MEDIAEXE\PX.DLL
    C:\DELL\MEDIAEXE\PXDRV.DLL
    C:\DELL\MEDIAEXE\PXMAS.DLL
    C:\DELL\MEDIAEXE\PXWAVE.DLL
    C:\DELL\MEDIAEXE\VXBLOCK.DLL
    C:\DELL\PXCPYA64.EXE
    C:\DELL\PXCPYI64.EXE
    C:\DELL\PXHPINST.EXE
    C:\DELL\PXINSA64.EXE
    C:\DELL\PXINSI64.EXE
    C:\DELL\PXSETUP.EXE
    C:\DELL\MEDIAEXE\PXCPYA64.EXE
    C:\DELL\MEDIAEXE\PXCPYI64.EXE
    C:\DELL\MEDIAEXE\PXHPINST.EXE
    C:\DELL\MEDIAEXE\PXINSA64.EXE
    C:\DELL\MEDIAEXE\PXINSI64.EXE
    C:\DELL\MEDIAEXE\PXSETUP.EXE
    C:\Program Files\PopCap Games\BookWorm Deluxe\game.exe
    C:\Program Files\PopCap Games\BookWorm Deluxe\game2.exe
    C:\DELL\PXHELP20.SYS
    C:\DELL\PXHELP64.SYS
    C:\DELL\PXHELPER.SYS
    C:\DELL\PXHLPA64.SYS
    C:\DELL\MEDIAEXE\PXHELP20.SYS
    C:\DELL\MEDIAEXE\PXHELP64.SYS
    C:\DELL\MEDIAEXE\PXHELPER.SYS
    C:\DELL\MEDIAEXE\PXHLPA64.SYS
    C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
    C:\Documents and Settings\Brian2\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp
    C:\Documents and Settings\Brian2\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp
    C:\Documents and Settings\Brian2\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp
    C:\Documents and Settings\Brian2\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp
    C:\Documents and Settings\Missy\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp
    C:\Documents and Settings\Missy\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp
    C:\Documents and Settings\Missy\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp
    C:\Documents and Settings\Missy\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp
    C:\WINDOWS\SYSTEM32\ybeeg.tmp

    Finished

  7. #7
    Junior Member (Join Date: Aug 2007, Posts: 23)

    ComboFix 07-08-04.3 - "Brian2" 2007-08-04 18:03:22.1 [GMT -4:00] - NTFS
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True
    * Created a new restore point


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\Brian\APPLIC~1\.rdr.ini
    C:\DOCUME~1\Brian\APPLIC~1\install.dat
    C:\DOCUME~1\NETWOR~1\APPLIC~1\.rdr.ini
    C:\Program Files\Image ActiveX Access
    C:\Program Files\MSN\meqoca1.dll
    C:\Program Files\MSN\meqoca3.dll
    C:\Program Files\MSN\meqoca83122.dll
    C:\temp\0c2
    C:\temp\0c2\tmpFF.log
    C:\temp\brr
    C:\temp\tn3
    C:\WINDOWS\g32.txt
    C:\WINDOWS\rau001978.exe
    C:\WINDOWS\system32\b02FdUe
    C:\WINDOWS\system32\config\systemprofile\application data\.rdr.ini
    C:\WINDOWS\system32\ddcbxxv.dll
    C:\WINDOWS\system32\dirftrpo.dll
    C:\WINDOWS\system32\G1
    C:\WINDOWS\system32\G1\kmhp83122.exe
    C:\WINDOWS\system32\G11
    C:\WINDOWS\system32\G3
    C:\WINDOWS\system32\G5
    C:\WINDOWS\system32\G7
    C:\WINDOWS\system32\G9
    C:\WINDOWS\system32\G9\wb720.exe
    C:\WINDOWS\system32\geeby.dll
    C:\WINDOWS\system32\nnnomnk.dll
    C:\WINDOWS\system32\version69ie7fix.dll
    C:\WINDOWS\system32\win
    C:\WINDOWS\system32\winnb58.dll
    C:\WINDOWS\SYSTEM32\ybeeg.bak1
    C:\WINDOWS\SYSTEM32\ybeeg.bak2
    C:\WINDOWS\SYSTEM32\ybeeg.ini
    C:\WINDOWS\SYSTEM32\ybeeg.ini2
    C:\WINDOWS\SYSTEM32\ybeeg.tmp


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_FOPN
    -------\LEGACY_RIN36
    -------\LEGACY_RUNTIME


    ((((((((((((((((((((((((( Files Created from 2007-07-04 to 2007-08-04 )))))))))))))))))))))))))))))))


    2007-08-04 18:02 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-04 17:45 <DIR> d-------- C:\WINDOWS\ERUNT
    2007-08-04 17:44 125,504 --a------ C:\WINDOWS\SYSTEM32\bggykgce.dll
    2007-08-04 17:37 125,504 --a------ C:\WINDOWS\SYSTEM32\dtsjqiib.dll
    2007-08-04 13:07 125,504 --a------ C:\WINDOWS\SYSTEM32\skeyoxma.dll
    2007-08-04 12:59 125,504 --a------ C:\WINDOWS\SYSTEM32\kijlkhpe.dll
    2007-08-03 18:07 125,504 --a------ C:\WINDOWS\SYSTEM32\ivydmbha.dll
    2007-08-03 17:59 125,504 --a------ C:\WINDOWS\SYSTEM32\nbpyogmj.dll
    2007-08-03 17:52 125,504 --a------ C:\WINDOWS\SYSTEM32\oxhatswj.dll
    2007-08-03 16:53 125,504 --a------ C:\WINDOWS\SYSTEM32\cvwovpda.dll
    2007-08-02 23:33 125,504 --a------ C:\WINDOWS\SYSTEM32\nqeobnky.dll
    2007-08-02 23:09 125,504 --a------ C:\WINDOWS\SYSTEM32\kdleedns.dll
    2007-08-02 23:01 125,504 --a------ C:\WINDOWS\SYSTEM32\ekfoiaca.dll
    2007-08-02 22:08 125,504 --a------ C:\WINDOWS\SYSTEM32\iitlflcc.dll
    2007-08-02 09:59 574,508 --a------ C:\WINDOWS\SYSTEM32\cpkfdrjo.exe
    2007-08-01 22:58 125,504 --a------ C:\WINDOWS\SYSTEM32\vveevovt.dll
    2007-08-01 10:46 125,504 --a------ C:\WINDOWS\SYSTEM32\lcohbamv.dll
    2007-08-01 10:39 125,504 --a------ C:\WINDOWS\SYSTEM32\hgnemdjd.dll
    2007-08-01 10:30 125,504 --a------ C:\WINDOWS\SYSTEM32\ovffnubl.dll
    2007-08-01 10:14 125,504 --a------ C:\WINDOWS\SYSTEM32\lqtnapsb.dll
    2007-07-31 23:59 125,504 --a------ C:\WINDOWS\SYSTEM32\vksstnvs.dll
    2007-07-31 23:49 125,504 --a------ C:\WINDOWS\SYSTEM32\nxfypwfe.dll
    2007-07-31 23:45 125,504 --a------ C:\WINDOWS\SYSTEM32\vpcvlbox.dll
    2007-07-31 23:37 <DIR> d-------- C:\DOCUME~1\Brian2\.housecall6.6
    2007-07-31 23:32 125,504 --a------ C:\WINDOWS\SYSTEM32\sdafvgco.dll
    2007-07-31 23:22 125,504 --a------ C:\WINDOWS\SYSTEM32\dgwytkjx.dll
    2007-07-31 23:15 125,504 --a------ C:\WINDOWS\SYSTEM32\skbnutig.dll
    2007-07-31 23:01 125,504 --a------ C:\WINDOWS\SYSTEM32\xdrmshgs.dll
    2007-07-31 09:58 <DIR> d-------- C:\DOCUME~1\Brian2\APPLIC~1\AdobeUM
    2007-07-30 22:53 125,504 --a------ C:\WINDOWS\SYSTEM32\gkxwugdp.dll
    2007-07-30 21:56 <DIR> d-------- C:\WINDOWS\SYSTEM32\NtmsData
    2007-07-30 21:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Defender Pro Anti-Virus
    2007-07-30 21:12 <DIR> d-------- C:\Program Files\Analog Devices
    2007-07-30 14:48 1,835,008 --ah----- C:\DOCUME~1\Brian2\NTUSER.DAT
    2007-07-30 14:48 <DIR> d--h----- C:\DOCUME~1\Brian2\APPLIC~1\GTek
    2007-07-30 14:48 <DIR> d-------- C:\DOCUME~1\Brian2\APPLIC~1\Sonic
    2007-07-30 14:48 <DIR> d-------- C:\DOCUME~1\Brian2\APPLIC~1\Creative
    2007-07-30 11:29 <DIR> d-------- C:\DOCUME~1\Missy\APPLIC~1\s?mbols
    2007-07-30 00:34 <DIR> d-------- C:\Program Files\DefenderPro AntiSpy
    2007-07-29 23:01 126,016 --a------ C:\WINDOWS\SYSTEM32\pxgrquxe.dll
    2007-07-29 22:54 <DIR> d-------- C:\Program Files\Common Files\Defender Pro Firewall
    2007-07-29 22:52 <DIR> d-------- C:\Program Files\Defender Pro
    2007-07-29 22:50 737,280 --a------ C:\WINDOWS\iun6002.exe
    2007-07-29 22:50 64 --a------ C:\WINDOWS\tsiwinfile.dat
    2007-07-29 22:43 168,960 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Rin36.sys
    2007-07-29 20:20 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
    2007-07-29 20:20 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
    2007-07-29 20:20 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Creative
    2007-07-29 20:12 <DIR> d-------- C:\Program Files\McAfee
    2007-07-29 20:11 32,768 --a------ C:\WINDOWS\SYSTEM32\instlsp.exe
    2007-07-29 20:11 114,688 --------- C:\WINDOWS\SYSTEM32\mclsp.dll
    2007-07-29 20:11 11,264 --a------ C:\WINDOWS\SYSTEM32\sporder.dll
    2007-07-29 20:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\mclsphlr
    2007-07-29 19:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
    2007-07-29 06:16 664 --a------ C:\WINDOWS\SYSTEM32\d3d9caps.dat
    2007-07-27 22:59 126,016 --------- C:\WINDOWS\SYSTEM32\mijiojsv.dll
    2007-07-27 22:48 552 --a------ C:\WINDOWS\SYSTEM32\d3d8caps.dat
    2007-07-27 08:38 171,520 --a------ C:\WINDOWS\SYSTEM32\ucjnkii.dll
    2007-07-27 08:38 <DIR> d-------- C:\Temp
    2007-07-23 19:55 274,432 --a------ C:\WINDOWS\TLCUninstall.exe
    2007-07-23 19:55 <DIR> d-------- C:\Program Files\The Learning Company
    2007-07-23 19:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\The Learning Company


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-04 18:08 384 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
    2007-08-04 18:08 384 --a------ C:\WINDOWS\system32\DVCState-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
    2007-08-01 23:47 14336 --a------ C:\WINDOWS\system32\SVCHOST.EXE
    2007-08-01 23:47 14336 --a------ C:\WINDOWS\system32\dllcache\svchost.exe
    2007-07-30 19:48 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2007-07-29 22:39 --------- d-------- C:\Program Files\McAfee.com
    2007-06-25 09:54 53248 --a------ C:\WINDOWS\uni_eh44.exe
    2007-06-25 09:53 53248 --a------ C:\WINDOWS\uninst1014.exe
    2007-06-21 20:21 --------- d-------- C:\Program Files\NH MOD Launcher 2
    2007-05-16 11:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
    2007-05-16 11:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
    2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
    2007-05-16 11:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
    2007-05-16 11:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
    2007-05-16 11:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
    2007-05-08 05:24 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
    2005-09-24 00:33:26 848 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3b1b4f8e-7a4f-4e94-80ec-4ac6e0efa5dc}]
    2007-07-27 08:38 171520 --a------ C:\WINDOWS\system32\ucjnkii.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FB8EB3-183B-4598-924D-86F0E5E37085}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 19:48]
    "IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 13:23]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 14:52]
    "IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12]
    "CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 03:00]
    "CTHelper"="CTHELPER.EXE" [2004-03-11 11:50 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 03:05]
    "iRiver Updater"="\Updater.exe" [2004-07-01 17:20]
    "ServicesNotify"="C:\Program Files\Defender Pro\Defender Pro Anti-Scam\ServicesNotify.exe" []
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 03:01]
    "DPAS"="C:\Program Files\DefenderPro AntiSpy\DPASNT.exe" [2005-04-29 06:17]
    "DPASUpdate"="C:\Program Files\DefenderPro AntiSpy\DPASAutoUpdate.exe" []
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 17:42]
    "KAVPersonal50"="C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" [2006-03-27 09:18]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]

    C:\Documents and Settings\Brian2\Start Menu\Programs\Startup\
    DESKTOP.INI [2004-08-10 15:04:12]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Defender Pro Firewall.lnk - C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe [2006-03-27 09:20:02]
    DESKTOP.INI [2004-08-10 15:04:12]

    R0 iaStor;Intel AHCI Controller;C:\WINDOWS\system32\drivers\iaStor.sys
    R0 IFP800;iriver Internet Audio Player IFP-800;C:\WINDOWS\system32\drivers\ifp800.sys
    R0 Klpf;Klpf;C:\WINDOWS\system32\drivers\Klpf.sys
    R0 Klpid;Klpid;C:\WINDOWS\system32\drivers\Klpid.sys
    R1 Klmc;Klmc;C:\WINDOWS\system32\drivers\klmc.sys
    R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys
    R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys
    R2 ASCTRM;ASCTRM;C:\WINDOWS\system32\drivers\ASCTRM.sys
    R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys
    R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys
    R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys
    R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys
    R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys
    R3 senfilt;senfilt;C:\WINDOWS\system32\drivers\senfilt.sys
    S3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
    S3 EraserUtilDrv10710;EraserUtilDrv10710;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10710.sys
    S3 MSDV;Microsoft DV Camera and VCR;C:\WINDOWS\system32\DRIVERS\msdv.sys
    S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.sys
    S3 w300bus;Sony Ericsson W300 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\w300bus.sys
    S3 w300mdfl;Sony Ericsson W300 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w300mdfl.sys
    S3 w300mdm;Sony Ericsson W300 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\w300mdm.sys
    S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\w300mgmt.sys
    S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\w300obex.sys
    S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    AutoRun\command- D:\Autorun.exe


    Contents of the 'Scheduled Tasks' folder
    2007-07-28 20:04:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-04 18:09:31
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden registry entries ...

    scanning hidden files ...

    **************************************************************************

    Completion time: 2007-08-04 18:12:04 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-08-04 18:11

    --- E O F ---
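
The "Files Created" section above shows the pattern that makes this infection easy to spot once you know what to look for: a fresh 125,504-byte DLL with an eight-letter random name lands in SYSTEM32 every few minutes to hours, while the legitimate files created in the same window (sporder.dll, the McAfee LSP files, the ERUNT and housecall folders) all have recognisable names and unique sizes. The script below is an added example, not ComboFix output or code from anyone in this thread; it parses lines in the ComboFix listing format and groups executables by directory, extension and exact size, reporting any group of identically sized, random-looking names and the shortest interval between two creations. The sample lines are copied from the log above; the "random name" regex (7-8 lowercase letters) and the minimum cluster size of 3 are assumptions chosen for this log, not properties of the tool.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: a subset of the "Files Created" lines from the
# ComboFix log posted in this thread, copied verbatim.
SAMPLE_LISTING = r"""
2007-08-04 18:02 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-04 17:45 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-04 17:44 125,504 --a------ C:\WINDOWS\SYSTEM32\bggykgce.dll
2007-08-04 17:37 125,504 --a------ C:\WINDOWS\SYSTEM32\dtsjqiib.dll
2007-08-04 13:07 125,504 --a------ C:\WINDOWS\SYSTEM32\skeyoxma.dll
2007-08-04 12:59 125,504 --a------ C:\WINDOWS\SYSTEM32\kijlkhpe.dll
2007-08-03 18:07 125,504 --a------ C:\WINDOWS\SYSTEM32\ivydmbha.dll
2007-08-03 17:59 125,504 --a------ C:\WINDOWS\SYSTEM32\nbpyogmj.dll
2007-08-02 09:59 574,508 --a------ C:\WINDOWS\SYSTEM32\cpkfdrjo.exe
2007-07-31 23:37 <DIR> d-------- C:\DOCUME~1\Brian2\.housecall6.6
2007-07-29 23:01 126,016 --a------ C:\WINDOWS\SYSTEM32\pxgrquxe.dll
2007-07-29 20:11 11,264 --a------ C:\WINDOWS\SYSTEM32\sporder.dll
2007-07-27 22:59 126,016 --------- C:\WINDOWS\SYSTEM32\mijiojsv.dll
2007-07-27 08:38 171,520 --a------ C:\WINDOWS\SYSTEM32\ucjnkii.dll
"""

# One ComboFix listing line: date, time, size (or <DIR>), attribute flags, path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>\d[\d,]*|<DIR>) (?P<attrs>\S+) (?P<path>.+)$"
)
# Assumed heuristic for generated names: 7-8 lowercase letters, no digits.
RANDOM_STEM = re.compile(r"^[a-z]{7,8}$")
EXECUTABLE_EXTS = {"dll", "exe", "sys"}


def parse_listing(text):
    """Parse ComboFix 'Files Created' lines into dicts; skips directories
    and any decoration/header lines that do not match the format."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["size"] == "<DIR>":
            continue
        directory, _, filename = m["path"].rpartition("\\")
        stem, dot, ext = filename.rpartition(".")
        if not dot:  # no extension at all
            stem, ext = filename, ""
        entries.append({
            "created": datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M"),
            "size": int(m["size"].replace(",", "")),
            "attrs": m["attrs"],
            "directory": directory,
            "stem": stem,
            "ext": ext.lower(),
            "path": m["path"],
        })
    return entries


def find_clusters(entries, min_count=3):
    """Group random-named executables by (directory, extension, exact size)
    and return groups with at least min_count members, largest first.
    Each cluster carries the shortest gap in minutes between two drops."""
    groups = defaultdict(list)
    for e in entries:
        if e["ext"] in EXECUTABLE_EXTS and RANDOM_STEM.match(e["stem"]):
            groups[(e["directory"].lower(), e["ext"], e["size"])].append(e)
    clusters = []
    for (directory, ext, size), members in groups.items():
        if len(members) < min_count:
            continue
        members.sort(key=lambda e: e["created"])
        gaps = [int((b["created"] - a["created"]).total_seconds() // 60)
                for a, b in zip(members, members[1:])]
        clusters.append({
            "directory": directory,
            "ext": ext,
            "size": size,
            "count": len(members),
            "names": [f"{e['stem']}.{e['ext']}" for e in members],
            "first": members[0]["created"],
            "last": members[-1]["created"],
            "min_gap_minutes": min(gaps) if gaps else None,
        })
    clusters.sort(key=lambda c: c["count"], reverse=True)
    return clusters


if __name__ == "__main__":
    for c in find_clusters(parse_listing(SAMPLE_LISTING)):
        print(f"{c['count']} x {c['size']} bytes in {c['directory']} "
              f"({c['first']} .. {c['last']}, shortest gap {c['min_gap_minutes']} min)")
        print("   " + ", ".join(c["names"]))
```

Run against the full listing above, the 125,504-byte group is the one to hand to the helper: every member is a candidate for the quarantine list, and the seven-minute minimum gap tells you the dropper is still active on the box and will keep regenerating until the process that writes these files (not just the DLLs) is removed. Files that share a size with nothing else (sporder.dll, ucjnkii.dll, cpkfdrjo.exe) fall out of the clustering and need the per-file hash checks the helper asks for below.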

  8. #8
    Junior Member
    Join Date
    Aug 2007
    Posts
    23

    Default

    Logfile of HijackThis v1.99.1
    Scan saved at 6:18:44 PM, on 8/4/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Updater.exe
    C:\Program Files\DefenderPro AntiSpy\DPASNT.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\DefenderPro AntiSpy\AntiSpy\TSAntiSpy.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Documents and Settings\Brian2\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://s2.truth-is-out-there.org/?pi...&dt=2007-07-30
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3b1b4f8e-7a4f-4e94-80ec-4ac6e0efa5dc} - C:\WINDOWS\system32\ucjnkii.dll
    O2 - BHO: IE PopUp-Killer - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\DEFEND~2\DEFEND~2\PopUp.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Defender Pro Anti-Scam - {102BAD8B-CD05-46ff-94FF-A2C1ABD5F7D5} - C:\Program Files\Defender Pro\Defender Pro Anti-Scam\mscoree.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
    O4 - HKLM\..\Run: [ServicesNotify] C:\Program Files\Defender Pro\Defender Pro Anti-Scam\ServicesNotify.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [DPAS] "C:\Program Files\DefenderPro AntiSpy\DPASNT.exe"
    O4 - HKLM\..\Run: [DPASUpdate] "C:\Program Files\DefenderPro AntiSpy\DPASAutoUpdate.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Defender Pro Firewall.lnk = C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
    O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - http://www.peoplepc.com/ppcos/isp60/...ad/ppcwebi.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: kavsvc - Defender Pro LLC - C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
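
A HijackThis log is long, and the helper's eye goes to a handful of entry shapes: "(no name)" BHOs and toolbars that point at a random-named DLL in system32, registrations whose file is gone ("(no file)", "(file missing)"), Run entries that name their program without a full path, and R-lines whose URL points somewhere unexpected. The script below is an added example, not HijackThis code or anything posted by the thread's participants; it encodes those four checks over lines in the HJT format and tags each hit with a rule and severity. The sample lines are copied from the log above. The severity labels, the 7-8 lowercase-letter "random name" regex and the default allow-list of URL hosts (only go.microsoft.com) are assumptions for illustration, to be tuned by whoever runs it.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log posted in this
# thread, trimmed to the entry types this triage inspects.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://s2.truth-is-out-there.org/?pi...&dt=2007-07-30
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3b1b4f8e-7a4f-4e94-80ec-4ac6e0efa5dc} - C:\WINDOWS\system32\ucjnkii.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
"""

RANDOM_STEM = re.compile(r"^[a-z]{7,8}$")           # assumed "generated name" shape
O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<command>.+)$")
URL_RE = re.compile(r"= (?P<url>https?://\S+)$")
# Last path component of an O2/O3 line; paths may themselves contain " - ".
FILENAME_RE = re.compile(r"\\([^\\\s\"]+\.(?:dll|exe|ocx))\s*$", re.IGNORECASE)
ABSOLUTE_RE = re.compile(r"^[A-Za-z]:\\")


def run_target(command):
    """Return the program an O4 Run value launches: the quoted token if the
    command is quoted, otherwise the first whitespace-delimited token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def _finding(rule, severity, line, **extra):
    return {"rule": rule, "severity": severity, "line": line, **extra}


def triage_hjt(text, allowed_hosts=frozenset({"go.microsoft.com"})):
    """Apply four triage rules to HijackThis lines and return the hits."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]
        # 1. Registration whose backing file no longer exists: stale, clean up.
        if line.endswith("(no file)") or line.endswith("(file missing)"):
            findings.append(_finding("orphan_entry", "low", line))
            continue
        # 2. Unnamed BHO/toolbar backed by a random-looking DLL name.
        if kind in ("O2", "O3") and "(no name)" in line:
            m = FILENAME_RE.search(line)
            if m and RANDOM_STEM.match(m.group(1).rsplit(".", 1)[0]):
                findings.append(_finding("unnamed_bho_random_dll", "high", line))
        # 3. Run value that relies on the search path or drive root to find
        #    its program instead of naming a full path.
        elif kind == "O4":
            m = O4_RE.match(line)
            if m and not ABSOLUTE_RE.match(run_target(m["command"])):
                findings.append(_finding("relative_run_path", "medium", line))
        # 4. Browser start/next URL whose host is not on the analyst's allow-list.
        elif kind in ("R0", "R1"):
            m = URL_RE.search(line)
            if m:
                host = urlparse(m["url"]).hostname or ""
                if host not in allowed_hosts:
                    findings.append(_finding("review_url", "info", line, host=host))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"[{f['severity']:6}] {f['rule']:24} {f['line']}")
```

On the log above this surfaces the unnamed BHO ucjnkii.dll (the same DLL ComboFix shows created on 2007-07-27 and registered under {3b1b4f8e-...}), the ShellNext URL at s2.truth-is-out-there.org, the two Run values that never give a full path (CTHELPER.EXE and \Updater.exe, both legitimate vendor habits here but worth confirming on disk), and four orphaned registrations. Spybot's SDHelper.dll is also "(no name)" but its file name does not look generated, so rule 2 leaves it alone; the regex is deliberately narrow and will miss names with digits or mixed case.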

  9. #9
    Security Expert: Visiting Fellow
    Join Date
    Jul 2007
    Posts
    703

    Default

    Then please upload this file:

    C:\WINDOWS\SYSTEM32\sporder.dll

    To either jotti or virustotal

    Repeat for each of these files:

    C:\WINDOWS\system32\SVCHOST.EXE
    C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10710.sys

    Copy & Paste the jotti/virustotal results as a reply to this topic

  10. #10
    Junior Member
    Join Date
    Aug 2007
    Posts
    23

    Default

    Here is the first one. Once again thanks so much for helping me with this issue.

    File sporder.dll received on 08.06.2007 00:50:58 (CET)


    Result: 0/32 (0%)

    Antivirus Version Last Update Result
    AhnLab-V3 2007.8.3.0 2007.08.03 -
    AntiVir 7.4.0.57 2007.08.05 -
    Authentium 4.93.8 2007.08.03 -
    Avast 4.7.1029.0 2007.08.05 -
    AVG 7.5.0.476 2007.08.05 -
    BitDefender 7.2 2007.08.06 -
    CAT-QuickHeal 9.00 2007.08.04 -
    ClamAV 0.91 2007.08.06 -
    DrWeb 4.33 2007.08.05 -
    eSafe 7.0.15.0 2007.07.31 -
    eTrust-Vet 31.1.5032 2007.08.04 -
    Ewido 4.0 2007.08.05 -
    FileAdvisor 1 2007.08.06 -
    Fortinet 2.91.0.0 2007.08.06 -
    F-Prot 4.3.2.48 2007.08.03 -
    F-Secure 6.70.13030.0 2007.08.03 -
    Ikarus T3.1.1.8 2007.08.05 -
    Kaspersky 4.0.2.24 2007.08.06 -
    McAfee 5090 2007.08.03 -
    Microsoft 1.2704 2007.08.06 -
    NOD32v2 2438 2007.08.05 -
    Norman 5.80.02 2007.08.03 -
    Panda 9.0.0.4 2007.08.05 -
    Prevx1 V2 2007.08.06 -
    Rising 19.34.40.00 2007.08.03 -
    Sophos 4.19.0 2007.08.01 -
    Sunbelt 2.2.907.0 2007.08.04 -
    Symantec 10 2007.08.05 -
    TheHacker 6.1.7.162 2007.08.04 -
    VBA32 3.12.2.2 2007.08.04 -
    VirusBuster 4.3.26:9 2007.08.05 -
    Webwasher-Gateway 6.0.1 2007.08.05 -
    Additional information
    File size: 11264 bytes
    MD5: 471789f182c0b60304ce19f023d8911d
    SHA1: 2c5e44949734650d50a6b8a47a73ee2296eb1bf7


    ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is no solution that offers a 100% effectiveness rate for detecting viruses and malware.


