View Full Version : can't remove smitfraud.c!!!



Inevit
2007-01-01, 09:51
I can't seem to remove this pesky little thing...

Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:48:43 AM, on 1/1/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\dsrss.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trillian\trillian.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Documents and Settings\Brad Harris\Desktop\hiJackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8CA5EB0C-70B9-6F16-CE18-79E5586A16B0} - C:\WINDOWS\System32\mazagzwu.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\ZB2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinSysModule] dsrss.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166858419171
O20 - AppInit_DLLs: C:\WINDOWS\System32\win_cw2.dll
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Angelfire777
2007-01-01, 13:45
Hi, welcome to Safer Networking Forums!

*Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.exe) (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run any other options except for Option # 1.


Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

*I would like you to scan a few files for me.

Please go HERE (http://virusscan.jotti.org/). Click browse then, navigate to this file:

C:\WINDOWS\System32\win_cw2.dll

Then click submit.

Please post the results to your next reply.

If Jotti is too busy, you can go HERE (www.virustotal.com) and do the same as above.

On your next reply, please include the SmitfraudFix log and the results of the Jotti scan.

Inevit
2007-01-02, 00:30
SmitFraudFix v2.132

Scan done at 15:27:02.81, Mon 01/01/2007
Run from C:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Brad Harris


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Brad Harris\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\BRADHA~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\win_cw2.dll"
"AppInit_DLLs_BAK"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
Scan taken on 01 Jan 2007 23:26:37 (GMT)
AntiVir - Found nothing
ArcaVir - Found Trojan.Downloader.Small.Cyn
Avast - Found nothing
AVG Antivirus - Found Downloader.Small
BitDefender - Found Trojan.Downloader.Small.BXW
ClamAV - Found Trojan.Downloader.Small-3016
Dr.Web - Found Trojan.DownLoader.14310
F-Prot Antivirus - Found unknown virus (probable variant)
F-Secure Anti-Virus - Found Trojan-Downloader.Win32.Small.cyn
Fortinet - Found W32/Small.BXW!tr.dldr
Kaspersky Anti-Virus - Found Trojan-Downloader.Win32.Small.cyn
NOD32 - Found Win32/TrojanDownloader.Small.CYN
Norman Virus Control - Found W32/DLoader.gen5
VirusBuster - Found Trojan.DL.Small.Gen.22
VBA32 - Found nothing

Angelfire777
2007-01-02, 01:21
*Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Do not use it yet!

*Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune

DO NOT USE IT YET!!

_____________________________

*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

R3 - URLSearchHook: (no name) - {8CA5EB0C-70B9-6F16-CE18-79E5586A16B0} - C:\WINDOWS\System32\mazagzwu.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O4 - HKLM\..\Run: [WinSysModule] dsrss.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\win_cw2.dll
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e mc-110-12-0000272 (file missing)

Close your browsers and all open windows except for HijackThis, then click "Fix checked".


*Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type delservices.bat in the File name and save it to your desktop.


@echo off
sc stop "COM+ Messages"
sc delete "COM+ Messages"


Do not use it yet!

______________________________

You may want to print these instructions here or save them in notepad since you'll work offline.

Reboot into Safe Mode.

To enter Safe Mode..

Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.

*Locate delservices.bat on your Desktop and double-click on it.

*Configure your machine to view hidden files:

Windows XP
Click Start.
Open My Computer..
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the "Hidden files and folders" heading select Show hidden files and folders.
Uncheck the Hide Protected Operating System Files Option.
Click Yes to confirm.
Click OK.

*Using Windows Explorer, find and delete these files:

C:\WINDOWS\System32\mazagzwu.dll
C:\WINDOWS\System32\ntos.exe
C:\Windows\dsrss.exe
C:\WINDOWS\System32\win_cw2.dll
C:\WINDOWS\System32\svchosts.exe <<IMPORTANT: There is a legit file called svchost.exe in the same folder. The infected file we want to delete is svchosts.exe (it has an extra s in its name). Please be very careful in deleting the file.

Empty your Recycle bin.

* Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose:Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click
No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE:If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

*Please run AVG AntiSpyware, and run a full scan as follows:

IMPORTANT: Do not open any other windows or programs while AVG AntiSpyware is scanning, it may interfere with the scanning process.

Launch AVG AntiSpyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG AntiSpyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted, then select "Apply all actions".
Next select the "Reports" icon at the top.
Select the "Save Report As" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you saved that file, this is important).
Close AVG AntiSpyware.
Reboot to normal mode.

On your next reply, please include a fresh HijackThis log along with the AVG Antispyware log and a description on how your machine is running.
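An added example, not from this thread and not part of HijackThis or any tool named here: a small Python triage script that applies the same reasoning Angelfire777 used to pick the entries to fix (an unnamed R3 hook, a second executable chained after userinit.exe in the F2 UserInit value, an O4 Run entry given without a full path, any non-empty O20 AppInit_DLLs value, and O23 services whose binary is missing or whose name imitates svchost.exe) to a constructed subset of the log posted above. Function names, regexes and the high/review split are my own.

```python
"""Triage a HijackThis 1.99 log for the entry classes singled out in this thread."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the log posted earlier in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8CA5EB0C-70B9-6F16-CE18-79E5586A16B0} - C:\WINDOWS\System32\mazagzwu.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [WinSysModule] dsrss.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\win_cw2.dll
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
"""


@dataclass
class Finding:
    severity: str  # "high": tick it under Fix checked; "review": a human must judge
    section: str   # HijackThis section code, e.g. "O23"
    reason: str
    line: str


_SECTION = re.compile(r"^(R\d|F\d|O\d+) - ")
_R3 = re.compile(r"^R3 - URLSearchHook: (?P<name>.*?) - \{[0-9A-F-]+\} - (?P<path>.*)$", re.I)
_F2 = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<val>.*)$", re.I)
_O4 = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O20 = re.compile(r"^O20 - AppInit_DLLs: (?P<val>.*)$")
_O23 = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def _first_token(cmd: str) -> str:
    """Return the executable part of a command line, honouring a leading quote."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0].strip('"') if cmd else ""


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HijackThis line; None means nothing of interest."""
    line = line.strip()
    m = _SECTION.match(line)
    if not m:
        return None
    sec = m.group(1)
    if sec == "R3":
        r = _R3.match(line)
        if r and r.group("name").strip().lower() == "(no name)":
            return Finding("high", sec, "unnamed URLSearchHook loading " + r.group("path"), line)
    elif sec == "F2":
        r = _F2.match(line)
        if r:
            parts = [p.strip() for p in r.group("val").split(",") if p.strip()]
            extra = [p for p in parts if not p.lower().endswith("\\userinit.exe")]
            if extra:
                return Finding("high", sec, "UserInit chains extra program(s): " + ", ".join(extra), line)
    elif sec == "O4":
        # A bare name is resolved through PATH; legit entries (SoundMan) do this too,
        # so this is only a prompt for a closer look, not an automatic fix.
        r = _O4.match(line)
        if r and "\\" not in _first_token(r.group("cmd")):
            return Finding("review", sec, "Run entry without a full path", line)
    elif sec == "O20":
        r = _O20.match(line)
        if r and r.group("val").strip():
            return Finding("high", sec, "AppInit_DLLs set: loaded into every process that uses user32", line)
    elif sec == "O23":
        r = _O23.match(line)
        if r:
            path = r.group("path")
            exe = _first_token(path).rsplit("\\", 1)[-1].lower()
            reasons = []
            if "(file missing)" in path.lower():
                reasons.append("service binary is missing")
            if exe.startswith("svchost") and exe != "svchost.exe":
                reasons.append(f"binary name {exe} imitates svchost.exe")
            if r.group("owner").strip().lower() == "unknown owner":
                reasons.append("unknown owner")
            if reasons:
                sev = "review" if reasons == ["unknown owner"] else "high"
                return Finding(sev, sec, "; ".join(reasons), line)
    return None


def triage_log(text: str) -> List[Finding]:
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]


def fix_list(text: str) -> List[str]:
    """Lines a helper would tick under 'Fix checked' (high severity only)."""
    return [f.line for f in triage_log(text) if f.severity == "high"]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.reason}\n         {f.line}")
```

Run against the constructed sample, the four high findings are exactly the R3, F2, O20 and O23 lines Angelfire777 ticked; dsrss.exe lands in the review tier alongside the legitimate SoundMan entry, which is why the helper's judgement still decides bare-name Run entries.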

Inevit
2007-01-02, 03:24
Hello!

A couple of problems I ran into: I wasn't able to delete ntos.exe, it was in process while in Safe Mode, and I wasn't able to locate svchosts, just the legit file. Also, when I went to start up Windows, I was given an error before I logged onto my account, saying winlogon.exe was not able to run because of a missing .dll, but I was able to load Windows fine. It seemed a little slow at first, but after everything loaded, it worked fine. Here are the logs.

Logfile of HijackThis v1.99.1
Scan saved at 6:20:24 PM, on 1/1/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Brad Harris\Desktop\hiJackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\ZB2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166858419171
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Inevit
2007-01-02, 03:25
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:14:34 PM 1/1/2007

+ Scan result:



C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP170\A0142025.exe -> Adware.Maxifiles : Ignored.
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP181\A0160677.dll -> Adware.PurityScan : Ignored.
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP174\A0144427.exe -> Adware.Softomate : Ignored.
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP176\A0145529.dll -> Adware.Softomate : Ignored.
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP181\A0157672.dll -> Adware.Softomate : Ignored.
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP172\A0143311.dll -> Adware.WebHancer : Ignored.
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP172\A0143312.exe -> Adware.WebHancer : Ignored.
C:\WINDOWS\csrss.exe -> Dialer.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\7898 -> Dialer.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP169\A0141973.exe -> Downloader.Agent.axh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP170\A0141978.exe -> Downloader.Agent.axh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP170\A0141980.exe -> Downloader.Agent.axh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP170\A0141981.exe -> Downloader.Agent.axh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP170\A0141982.exe -> Downloader.Agent.axh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP170\A0141983.exe -> Downloader.Agent.axh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP170\A0143180.exe -> Downloader.Agent.axh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP170\A0143194.exe -> Downloader.Agent.axh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP172\A0143294.exe -> Downloader.Agent.axh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP173\A0144372.exe -> Downloader.Agent.axh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP173\A0144375.exe -> Downloader.Agent.axh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP173\A0144376.exe -> Downloader.Agent.axh : Cleaned with backup (quarantined).
C:\WINDOWS\system32\regapi.exe -> Downloader.Agent.axh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP170\A0142153.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe -> Downloader.PurityScan.dy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\sfc_os.dll -> Downloader.SFC.os : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP181\A0160678.dll -> Downloader.Small.cyn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP170\A0142026.dll -> Downloader.Small.ece : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP170\A0142134.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP170\A0142136.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP170\A0142137.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP170\A0142138.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP176\A0145531.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP181\A0160679.exe -> Dropper.Delf.aal : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP170\A0142027.exe -> Dropper.DollarR.b : Cleaned with backup (quarantined).
C:\WINDOWS\system32\3029 -> Logger.Goldun.ms : Cleaned with backup (quarantined).
C:\WINDOWS\system32\msvcrl.dll -> Logger.Goldun.ms : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP176\A0145530.dll -> Logger.VB.mz : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drvsoh.dll -> Not-A-Virus.Hoax.Win32.Renos.gi : Ignored.
:mozilla.164:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.169:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.170:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.191:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.199:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.29:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.30:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.58:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Addynamix : Cleaned.
:mozilla.59:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Addynamix : Cleaned.
:mozilla.60:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Addynamix : Cleaned.
:mozilla.61:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Addynamix : Cleaned.

Inevit
2007-01-02, 03:26
:mozilla.62:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Addynamix : Cleaned.
:mozilla.63:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Addynamix : Cleaned.
:mozilla.64:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Addynamix : Cleaned.
:mozilla.87:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.88:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.89:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.90:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.19:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.20:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.31:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.35:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.36:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.117:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.118:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.119:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.120:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.54:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.184:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.185:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.186:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.187:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.53:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.17:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.18:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.21:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.143:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.144:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.145:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.146:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.147:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.13:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.73:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.74:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.75:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.76:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.77:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.78:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.52:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.79:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.68:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.69:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.70:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.47:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.48:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.49:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.50:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.149:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.150:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.151:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.152:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.103:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Targetnet : Cleaned.
:mozilla.104:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Targetnet : Cleaned.
:mozilla.105:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Targetnet : Cleaned.
:mozilla.10:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.11:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.12:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.14:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.15:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.94:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.95:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.96:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.97:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.98:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.99:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.34:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.39:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.41:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.43:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.44:C:\Documents and Settings\Brad Harris\Application Data\Mozilla\Firefox\Profiles\v70ara8b.default\cookies-1.txt -> TrackingCookie.Zedo : Cleaned.
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP170\A0142029.dll -> Trojan.Agent.acl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP172\A0144342.dll -> Trojan.Agent.vg : Cleaned with backup (quarantined).
C:\Documents and Settings\Brad Harris\Local Settings\Temp\~ds39990.tmp -> Trojan.Kolweb.j : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP170\A0141979.exe -> Trojan.Kolweb.j : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP170\A0143182.exe -> Trojan.Kolweb.j : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP172\A0143295.exe -> Trojan.Kolweb.j : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP173\A0144374.exe -> Trojan.Kolweb.j : Cleaned with backup (quarantined).
C:\WINDOWS\system32\druidy_a4m.exe -> Trojan.Kolweb.j : Cleaned with backup (quarantined).
C:\WINDOWS\system32\druidy_redux.exe -> Trojan.Kolweb.j : Cleaned with backup (quarantined).
C:\WINDOWS\system32\durvily.exe -> Trojan.Kolweb.j : Cleaned with backup (quarantined).
C:\Program Files\Internet Explorer\iexplore.exe -> Trojan.Patched.g : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wtssvcc.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7CF1A455-4952-4FCF-A5D5-18D6267B400B}\RP174\A0144450.exe -> Trojan.Small.ia : Cleaned with backup (quarantined).


::Report end



How am I lookin?

Inevit
2007-01-02, 03:49
As well, I just ran Spybot SnD and it found smitfraud.c and the smitfraud.c toolbar...

here's the information

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan

that's the toolbar, and smitfraud.c is

C:\WINDOWS\system32\drv32dta\

Angelfire777
2007-01-02, 06:46
Also, when I went to start up windows, I was given an error before I logged onto my account, saying the winlogon.exe was not able to run because of a missing .dll

Do you know what is the exact name of the dll?


How am I lookin?

Not very good. It is possible that you have a nasty rootkit in your system. Moreover, it's a good thing you have Firefox there. AVG just deleted your Internet Explorer because of an infection. Have you tampered with your iexplore.exe before?

We still have a lot to do, but as of now we must deal with the rootkit first, or else our efforts may be wasted if we try to fix the other infections. The rootkit may be protecting them.


Download haxfix.exe (http://users.telenet.be/marcvn/tools/haxfix.exe)
and save it to your desktop.

Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
Checkmark "Create a desktop icon"
Click "Next"
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
Click "Finish"

A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix

Select option 1. Make logfile by typing 1 and then pressing Enter
Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt
Copy the contents of that logfile and paste it into this thread. (c:\haxfix.txt)

On your next reply please include a fresh HijackThis log and the haxfix log

Inevit
2007-01-02, 08:31
When I tried to install HaxFix, I got this error. The dll seems similar to the winlogon.exe one... the dll is sfc_os.dll

HAXFIX logfile - by Marckie

version 4.32
Mon 01/01/2007 23:28:05.49

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
no matching notify keys found

checking for matching services
matching services found
tmcomm

checking for matching safeboot services
no matching safeboot services found

checking for other Haxdoor-files
no other Haxdoor-files found


--- Checking for Goldun ---


checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found


Finished!




Logfile of HijackThis v1.99.1
Scan saved at 11:31:21 PM, on 1/1/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Documents and Settings\Brad Harris\Desktop\Desktop Stuff\mIRC\mirc.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Steam\steam.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Ventrilo\Ventrilo.exe
c:\program files\steam\steamapps\inev433\counter-strike\hl.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Brad Harris\Desktop\hiJackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\ZB2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166858419171
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Angelfire777
2007-01-02, 13:08
Option 2: Autofix


Double click on My Computer -> C:\ -> Program Files > haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
Close all other open windows since this step requires a reboot
Select option 2. Run auto fix by typing 2 and then pressing Enter

If an infection is found, you'll get a message to close all other open windows.


Close all open windows except the red dos window from haxfix and then press Enter
The computer will reboot
After reboot a logfile will open > (c:\haxfix.txt)
Post the contents of that logfile along with a new HijackThis log.

Inevit
2007-01-02, 16:16
No infections were found, everything still remains from the last hijackthis log.

Angelfire777
2007-01-03, 11:24
The log that you showed me before clearly tells me that you have a rootkit in your system. Please post the contents of C:\haxfix.txt along with a new HijackThis log. The reason why I wanted to see a new HijackThis log was because it is possible that the rootkit you had hid something in the HijackThis log and there may be something new...

Inevit
2007-01-03, 16:41
HAXFIX logfile - by Marckie

version 4.32
Tue 01/02/2007 7:15:14.25

--- Auto Haxdoorfix ---


searching for files:

no infections found


--- Goldunfix ---


searching for files:

searching for SSODLkeys:
no SSODLkeys found

searching for notifykeys:
no notifykeys found

searching for services:
no services found




Logfile of HijackThis v1.99.1
Scan saved at 7:41:42 AM, on 1/3/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Documents and Settings\Brad Harris\Desktop\Desktop Stuff\mIRC\mirc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Steam\steam.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Brad Harris\Desktop\hiJackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\ZB2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166858419171
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Angelfire777
2007-01-04, 10:47
Hi, how many times did you run haxfix option 2?

I need to confirm this because of the first log you gave to me:


checking for matching services
matching services found
tmcomm

In that log, there was clearly an infection found, but now it is gone. The infection is nasty and I really need to confirm if it is gone.

Inevit
2007-01-04, 16:44
Ran option 2 once, and that was the log I gave you.

Inevit
2007-01-04, 16:47
Ran number 1 again, here's the log

HAXFIX logfile - by Marckie

version 4.32
Thu 01/04/2007 7:45:32.34

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
no matching notify keys found

checking for matching services
matching services found
tmcomm

checking for matching safeboot services
no matching safeboot services found

checking for other Haxdoor-files
no other Haxdoor-files found


--- Checking for Goldun ---


checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found


Finished!

Inevit
2007-01-04, 16:49
Ran number 2 and it says no infections.. weird..

Angelfire777
2007-01-05, 15:15
Option 3: Manual fix


Double click on My Computer -> C:\ -> Program Files > haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
Close all other open windows since this step requires a reboot
Select option 3. Run manual fix by typing 3 and then pressing Enter

This message will appear:

echo Insert the haxdoorkey,
and then press Enter:
Type the following: tmcomm
When this is a valid choice, the key will be added to delete.
There is the possibility to add a new key: Yes (type Y) or No (type N).
Followed by this message:

Haxdoorkey xxxx added to delete.

Do you want to add a new haxdoorkey?

Press Y for YES or N for NO and then press Enter:
Type N for No and press Enter
The computer will reboot
After reboot a logfile will open > (c:\haxfix.txt)
Post the contents of the logfile together with a new HijackThis log.

Inevit
2007-01-06, 00:10
This is being really weird, it says

"No matching services has been found.."

let me try to do another log of it...

It's there, but the manual way won't find it...

Angelfire777
2007-01-06, 08:26
Hi, please hold on while I'm asking an expert about this situation.

Angelfire777
2007-01-06, 11:21
I was told that the service was legit, it belonged to Trend Micro..

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

You can read this: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)


=============================================

*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,

Close your browsers and all open windows except for HijackThis, then click "Fix checked".

*Using windows Explorer delete this folder if it is still there:

C:\WINDOWS\system32\drv32dta

empty your recycle bin.

*Download Killbox (http://www.bleepingcomputer.com/files/killbox.php)

Open Killbox.exe

Check the following boxes:

Delete on Reboot

Highlight all the entries in the quote box below and the Copy them.


C:\WINDOWS\System32\ntos.exe
C:\WINDOWS\System32\svchosts.exe
C:\WINDOWS\system32\sfc_os.dll
C:\WINDOWS\system32\drvsoh.dll


Then in Killbox, click File>>Paste from Clipboard

At this point the "All Files" button should be enabled so you can click it.

Click the "All Files" button.

Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes.

A second message will ask to Reboot now? You will need to click Yes to allow the reboot.

Note: Killbox will let you know if a file does not exist.

If you have any issues with this method, you can copy and paste the lines one at a time into the Killbox top box. Then click the "Single File" button. Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until the last one at which time you click Yes to allow the Reboot.

_____________________________________

Please search your computer if there are backups of iexplore.exe there..

Click Start > Search > Click "All Files and Folders".
Under "Advanced Options", make sure the following are checked:
Search System Folders.
Search Hidden Files And Folders.
Search Subfolders.
Then into the search box, copy and paste the following (one at a time):

iexplore.exe

If there is an iexplore.exe in here: C:\Windows\system32\dllcache
I want you to please copy and paste that file in to this folder: C:\Program files\internet explorer
If there is none inside C:\Windows\system32\dllcache, please post back with the other locations where iexplore.exe was found on your system.
After that, please open your internet explorer and check if it is running.

*Please download and save this file to your desktop sfc_os.dll
(http://www.dlldump.com/cgi-bin/testwrap/downloadcounts.cgi?rt=count&path=dllfiles/S/sfc_os.dll)
*move the sfc_os.dll from your desktop to the C:\WINDOWS\system32
folder.

Reboot.

____________________________________

Run Kaspersky Online Scanner (http://www.kaspersky.com/kos/english/kavwebscan.html)

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then start to download the latest Definition Files.
Once the Scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings.
In the Scan Settings, make sure that the following are selected:
o Scan using the following Anti-Virus database:
+ Extended (If available otherwise Standard)
o Scan Options:
+ Scan Archives
+ Scan Mail Bases
Click OK.
Now under select a target to scan select My Computer.
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your Desktop.


On your next reply, please post a fresh HijackThis log and the Kaspersky scan log, and please tell me if Internet Explorer is already working; also, tell me if you still receive the startup error you mentioned earlier.
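
A small checker for the F2 UserInit line that the fix above targets, added here as an example; it is not part of the thread and not HijackThis code. The sample log lines are constructed from the thread's output, and treating any UserInit entry other than userinit.exe in system32 as suspicious is my own heuristic.

```python
"""Flag extra logon programs in HijackThis F2 UserInit lines.

Added example, not from the thread. Winlogon's UserInit value normally
holds only userinit.exe; every additional comma-separated path is started
at logon, which is how the ntos.exe entry in the thread's log keeps coming
back. The log lines below are constructed samples modelled on the thread.
"""
import re
from typing import Dict, List

# HijackThis prints the value as "F2 - REG:system.ini: UserInit=<value>"
F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")

# The one program expected in the chain (compared case-insensitively).
EXPECTED_USERINIT = "userinit.exe"


def parse_userinit_entries(line: str) -> List[str]:
    """Return the comma-separated paths of an F2 UserInit line, or [] when
    the line is some other HijackThis entry. Windows writes a trailing
    comma, so empty pieces are dropped."""
    m = F2_USERINIT.match(line.strip())
    if not m:
        return []
    return [p.strip() for p in m.group("value").split(",") if p.strip()]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_userinit_entries(line: str) -> List[str]:
    """Every entry in the chain that is not userinit.exe living in system32
    (a bare 'userinit.exe' without a path is also accepted)."""
    flagged = []
    for entry in parse_userinit_entries(line):
        is_expected_name = _basename(entry) == EXPECTED_USERINIT
        has_path = "\\" in entry
        in_system32 = "\\system32\\" in entry.lower()
        if is_expected_name and (in_system32 or not has_path):
            continue
        flagged.append(entry)
    return flagged


def scan_hjt_log(log_text: str) -> Dict[str, List[str]]:
    """Map each F2 UserInit line with extra programs to the flagged entries;
    clean lines and non-F2 lines are left out of the result."""
    results: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        flagged = suspicious_userinit_entries(line)
        if flagged:
            results[line.strip()] = flagged
    return results


# Constructed sample: the thread's F2 line between two harmless entries.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\SYSTEM32\\Userinit.exe,C:\\WINDOWS\\System32\\ntos.exe,
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
"""

# Constructed clean line for comparison.
CLEAN_LINE = "F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,"

if __name__ == "__main__":
    for line, flagged in scan_hjt_log(SAMPLE_LOG).items():
        print(line)
        for extra in flagged:
            print("  extra logon program:", extra)
```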

Angelfire777
2007-01-06, 16:19
Please skip the sfc_os.dll download..Instead, do a search for that file in the C:\Windows\System32\dllcache folder then if you find a file like that in the dllcache folder, copy and paste it to C:\Windows\System32

tashi
2007-01-16, 18:06
Still with us Inevit? :)

tashi
2007-01-23, 00:10
This topic is closed due to lack of a response.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original topic starter.