Smitfraud-C in my computer! help me!



pinturicchio_ferdi
2007-02-12, 14:00
I've scanned my computer with Spybot S&D;
it found Smitfraud-C but Spybot S&D can't fix it...
so I downloaded HijackThis.exe and scanned with it too...
the log is like this:

Logfile of HijackThis v1.99.1
Scan saved at 2:18:02 AM, on 2/5/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINDOWS\system\dllhost.exe
F:\WINDOWS\system\mside.exe
F:\WINDOWS\soundman.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\WINDOWS\System32\mysvcc.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\WINDOWS\system32\srrvc.exe
F:\Program Files\QuickTime\qttask.exe
F:\WINDOWS\system32\mfcee.exe
F:\WINDOWS\system32\mdmd.exe
F:\WINDOWS\system32\srvc.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Winamp\winamp.exe
D:\Program Files\Opera\Opera.exe
D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
F:\Program Files\Alwil Software\Avast4\setup\avast.setup
F:\Documents and Settings\ferdi\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [mysvcig38] mysvcc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [john315] F:\WINDOWS\system32\srrvc.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [staeck12] F:\WINDOWS\system32\mfcee.exe
O4 - HKLM\..\Run: [melg34] F:\WINDOWS\system32\mdmd.exe
O4 - HKLM\..\Run: [johnj315] F:\WINDOWS\system32\srvc.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] F:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "F:\WINDOWS\System32\dkrjrord.dll",setvm
O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [john315] F:\WINDOWS\system32\srrvc.exe
O4 - HKCU\..\Run: [staeck12] F:\WINDOWS\system32\mfcee.exe
O4 - HKCU\..\Run: [melg34] F:\WINDOWS\system32\mdmd.exe
O4 - HKCU\..\Run: [johnj315] F:\WINDOWS\system32\srvc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - F:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE8C499B-523D-4647-864D-AE171A41CDD7}: NameServer = 203.130.196.5 203.130.208.18
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - F:\WINDOWS\system\dllhost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft Sata emulation (mside) - Unknown owner - F:\WINDOWS\system\mside.exe


What must I do now?

shelf life
2007-02-13, 00:43
hi pinturicchio_ferdi,


What must I do now?
stay off the internet as much as possible. pull the plug on your modem. you have some nasty trojans.

including a backdoor, someone most likely has been all over your computer. you should consider reformatting your hard drive.

we can try this:
download, install, update AVG antimalware. then boot into safe mode to use it.

http://www.ewido.net/en/download/

1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
2. Once the setup is complete you will need to run ewido and update the definition files.
3. On the main screen select the icon "Update" then select the "Update now" link.
* Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
6. Under "Reports"
* Select "Automatically generate report after every scan"
* Un-Select "Only if threats were found"

Close AVG Anti-Spyware for now:
--------------------------------
might want to copy/paste this into notepad and save it so you can read it in safe mode.

boot into safe mode. to reach safe mode you would tap the f8 key during a computer restart. choose the first option, safe mode.
once in safe mode:

2. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
3. Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
4. ewido will now begin the scanning process; be patient, this may take a little time.
Once the scan is complete do the following:
5. If you have any infections you will be prompted, then select "Apply all actions"
6. Next select the "Reports" icon at the top.
7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your computer.
8. Close AVG Anti-Spyware

run avast antivirus also while in safe mode
-----------------------------------
reboot normally and post a new hjt log and the saved avg report. more to do.

shelf life

pinturicchio_ferdi
2007-02-13, 15:42
Hi, I have done all of your advice.. I've scanned my computer with AVGAS.
the report is like this:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:24:21 PM 2/13/2007

+ Scan result:



HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-527237240-1604221776-725345543-1003\Software\Internet Security -> Adware.IntCodec : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Instant Access -> Dialer.Generic : Cleaned with backup (quarantined).
F:\Documents and Settings\ferdi\Cookies\ferdi@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
F:\Documents and Settings\ferdi\Cookies\ferdi@stats.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
F:\Documents and Settings\ferdi\Cookies\ferdi@redir.adengage[1].txt -> TrackingCookie.Adengage : Cleaned.
F:\Documents and Settings\ferdi\Cookies\ferdi@cz3.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
F:\Documents and Settings\ferdi\Cookies\ferdi@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
F:\Documents and Settings\ferdi\Cookies\ferdi@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
F:\Documents and Settings\ferdi\Cookies\ferdi@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
F:\Documents and Settings\ferdi\Cookies\ferdi@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
F:\Documents and Settings\ferdi\Cookies\ferdi@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
F:\Documents and Settings\ferdi\Cookies\ferdi@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
F:\Documents and Settings\ferdi\Cookies\ferdi@xxxcounter[1].txt -> TrackingCookie.Xxxcounter : Cleaned.


::Report end

After scanning in safe mode, I scanned with Avast! AntiVirus, and it found some adware. I've deleted it.
Then I rebooted my computer to normal mode,
but in normal mode, Smitfraud-C and Smitfraud-C.Toolbar888 are still found when I scan with Spybot S&D.
What must I do now?
And what does Smitfraud-C do in my computer?

shelf life
2007-02-14, 01:16
hi pinturicchio_ferdi,

you saw the part about reformatting your hard drive? someone no doubt has been all over your computer.

do all this in SAFE MODE. please copy/paste all this into notepad and save it so you can read it in safe mode: to reach safe mode tap the f8 key during a computer restart, choose the first option on the list.

---------------------------------------------------------
once in safe mode:

go to start>run and type in--> services.msc,<--in the list of services that comes up under the name column look for this:
Microsoft Sata emulation

right click on it and select properties. under the general tab:
make sure that the service status is: Stopped
and the Startup type is: disabled

do the same for this one:
Windows Host Services

next:

scan with HJT, put a checkmark beside the items below, close all windows and click fix checked. if you don't see an item don't worry about it.

O4 - HKLM\..\Run: [mysvcig38] mysvcc.exe
O4 - HKLM\..\Run: [john315] F:\WINDOWS\system32\srrvc.exe
O4 - HKLM\..\Run: [staeck12] F:\WINDOWS\system32\mfcee.exe
O4 - HKLM\..\Run: [melg34] F:\WINDOWS\system32\mdmd.exe
O4 - HKLM\..\Run: [johnj315] F:\WINDOWS\system32\srvc.exe

O4 - HKLM\..\Run: [DllRunning] rundll32.exe "F:\WINDOWS\System32\dkrjrord.dll",setvm

O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe

O4 - HKCU\..\Run: [john315] F:\WINDOWS\system32\srrvc.exe
O4 - HKCU\..\Run: [staeck12] F:\WINDOWS\system32\mfcee.exe
O4 - HKCU\..\Run: [melg34] F:\WINDOWS\system32\mdmd.exe
O4 - HKCU\..\Run: [johnj315] F:\WINDOWS\system32\srvc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
----------------------------------------
next:
to show all files:

For XP: on the desktop double click my computer, go to tools>folder options>view> then select "show hidden files and folders", then UNcheck "hide protected operating system files", also UNcheck "hide extensions for known file types", click apply to all folders, apply then ok
-----------------------------------------
see if you can locate each of these files and delete them one by one:
luckily they're all located here>> F:\windows\system32 dir.

srrvc.exe
mfcee.exe
mdmd.exe
srvc.exe
mysvcc.exe
---------------------------------------
Empty your Temp folders. Go to Start > Run and type:cleanmgr. Windows will scan. When done check these 3 and press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin
--------------------------------------
also still in safe mode, please run avast and avg antispyware again
--------------------------------------
reboot normally, please do an online scan here:
http://www.bitdefender.com/scan8/ie.html

when the scan is done, please save the report to your computer.
-----------------------------------
next:
1. Download comboFix from one of these links:

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
---------------------------------------
after all the above, please rescan with hjt and post:
a new hjt log
the bitdefender report
the comboFix log

shelf life
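As an added illustration (not code from this thread, from HijackThis, or from any of the tools shelf life names), here is a small Python triage script that parses the O4, O6 and O23 lines of the poster's HijackThis log and flags the same entries the fix list above targets. The heuristics are my own rules of thumb for this kind of persistence: a random-looking value name, a value registered in both HKLM and HKCU or in RunServices, rundll32 loading a DLL dropped straight into the Windows directory, an "Unknown owner" service whose binary sits loose in \WINDOWS\system, and an Internet Explorer restriction policy being set. The log excerpt is a constructed subset of the log in the first post.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed excerpt of the HijackThis log from the first post (not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [mysvcig38] mysvcc.exe
O4 - HKLM\..\Run: [john315] F:\WINDOWS\system32\srrvc.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "F:\WINDOWS\System32\dkrjrord.dll",setvm
O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [john315] F:\WINDOWS\system32\srrvc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: avast! Antivirus - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - F:\WINDOWS\system\dllhost.exe
O23 - Service: Microsoft Sata emulation (mside) - Unknown owner - F:\WINDOWS\system\mside.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O6_RE = re.compile(r"^O6 - (?P<policy>.+) present$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# 'rundll32.exe <dll>,<export>' with an optional directory and optional quotes.
RUNDLL_RE = re.compile(r'^"?(?:[^"\s]*\\)?rundll32\.exe"?\s+"?(?P<dll>[^",]+)', re.IGNORECASE)
# A file sitting directly in \WINDOWS, \WINDOWS\system or \WINDOWS\system32 (no deeper subfolder).
WINDIR_RE = re.compile(r"\\windows\\(?:system32\\|system\\)?[^\\]+$", re.IGNORECASE)
# Value names like john315 / staeck12 / mysvcig38: a lowercase word glued to digits.
RANDOM_NAME_RE = re.compile(r"^[a-z]+\d{2,}$")


@dataclass
class Finding:
    section: str                                   # O4, O6 or O23
    name: str                                      # value name, policy key or service display name
    locations: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)


def image_of(cmd: str) -> str:
    """First executable path in a Run value, honouring a leading quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0] if cmd else ""


def loaded_dll(cmd: str) -> str:
    """For a rundll32 command return the DLL it loads, otherwise an empty string."""
    m = RUNDLL_RE.match(cmd.strip())
    return m["dll"] if m else ""


def triage(log_text: str) -> List[Finding]:
    """Apply the heuristics from the lead-in to O4/O6/O23 lines and return what they flag."""
    runs: Dict[str, Finding] = {}
    cmds: Dict[str, str] = {}
    hives: Dict[str, Set[str]] = defaultdict(set)
    keys: Dict[str, Set[str]] = defaultdict(set)
    findings: List[Finding] = []

    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            name = m["name"]
            hives[name].add(m["hive"])
            keys[name].add(m["key"])
            cmds.setdefault(name, m["cmd"])
            runs.setdefault(name, Finding("O4", name)).locations.append(f"{m['hive']}\\..\\{m['key']}")
            continue
        m = O6_RE.match(line)
        if m:
            findings.append(Finding("O6", m["policy"], [line],
                                    ["Internet Explorer restriction policy is set"]))
            continue
        m = O23_RE.match(line)
        if m:
            reasons = []
            unknown = m["owner"] == "Unknown owner"
            if unknown and WINDIR_RE.search(m["path"]):
                reasons.append("service binary carries no vendor info and sits loose in the Windows directory")
            if unknown and m["display"].split()[0] in ("Microsoft", "Windows"):
                reasons.append("display name claims Microsoft/Windows but binary carries no vendor info")
            if reasons:
                findings.append(Finding("O23", m["display"], [m["path"]], reasons))

    # Second pass over O4 values once every hive/key for each name is known.
    for name, f in runs.items():
        if RANDOM_NAME_RE.match(name):
            f.reasons.append("value name looks machine-generated (letters glued to digits)")
        dll = loaded_dll(cmds[name])
        if dll and WINDIR_RE.search(dll):
            f.reasons.append("rundll32 loads a DLL dropped directly into the Windows directory")
        if {"HKLM", "HKCU"} <= hives[name]:
            f.reasons.append("same value registered under both HKLM and HKCU Run")
        if "RunServices" in keys[name]:
            f.reasons.append("also registered under RunServices")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.name}  ({', '.join(f.locations)})")
        for r in f.reasons:
            print(f"      - {r}")
```

Running the script against the full log lists exactly the O4, O6 and O23 entries shelf life asks the poster to fix or disable, while the vendor-installed autostarts (avast!, QuickTime, Yahoo! Pager, SoundMan) come through clean.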

pinturicchio_ferdi
2007-02-14, 16:34
this is the log from combofix...

"ferdi" - 07-02-14 4:23:24 Service Pack 1
ComboFix 07-02-11 - Running from: "F:\Documents and Settings\ferdi\My Documents\My Received Files"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


F:\WINDOWS\system32\nvs2.inf
F:\WINDOWS\system32\rpcc.dll
F:\WINDOWS\system32\ytvcef.dat
F:\WINDOWS\system32\ytvcef.exe
F:\WINDOWS\system32\ytvcef_nav.dat
F:\WINDOWS\system32\ytvcef_navps.dat


((((((((((((((((((((((((((((((( Files Created from 2007-01-14 to 2007-02-14 ))))))))))))))))))))))))))))))))))


2007-02-14 03:23 <DIR> d-------- F:\WINDOWS\BDOSCAN8
2007-02-13 16:29 3,968 --a------ F:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-02-13 16:29 <DIR> d-------- F:\Program Files\Grisoft
2007-02-05 08:13 175,090 --a------ F:\WINDOWS\system32\prodsrvs.exe
2007-02-04 22:41 <DIR> dr-h----- F:\DOCUME~1\ferdi\Application Data\yahoo!
2007-02-04 22:40 <DIR> d-------- F:\DOCUME~1\ALLUSE~1\Application Data\Yahoo! Companion
2007-02-04 21:34 524,288 --ah----- F:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-02-04 21:30 1,456 --a------ F:\WINDOWS\system32\tmp.reg
2007-02-04 00:12 163,840 --a------ F:\WINDOWS\BJPSUNST.EXE
2007-02-04 00:07 116,736 --a------ F:\WINDOWS\system32\CNMLM6e.DLL
2007-02-04 00:06 86,016 -ra------ F:\WINDOWS\system32\CNMCP6e.exe
2007-02-04 00:06 7,680 --a------ F:\WINDOWS\system32\CNMVS6e.DLL
2007-02-04 00:06 <DIR> d--h----- F:\BJPrinter
2007-02-04 00:06 <DIR> d-------- F:\WINDOWS\StartHtmico
2007-02-04 00:06 <DIR> d-------- F:\WINDOWS\IP1000
2007-02-04 00:06 <DIR> d-------- F:\Program Files\Canon
2007-02-03 23:56 <DIR> d-------- F:\!KillBox
2007-02-03 23:54 <DIR> d-------- F:\WINDOWS\system32\appmgmt
2007-02-03 23:48 <DIR> d-------- F:\DOCUME~1\ALLUSE~1\Application Data\Yahoo!
2007-02-02 10:28 <DIR> d-------- F:\Program Files\MetaTrader 4
2007-02-02 10:06 492,831 ---hs---- F:\WINDOWS\system32\efhkj.bak1
2007-02-02 07:56 <DIR> d-------- F:\DOCUME~1\ferdi\Application Data\Apple Computer
2007-02-02 07:50 <DIR> d-------- F:\Program Files\QuickTime
2007-02-02 07:49 <DIR> d-------- F:\DOCUME~1\ALLUSE~1\Application Data\Apple Computer
2007-02-01 23:42 0 --a------ F:\FlashUtil9b.exe
2007-01-31 21:47 44,165 --a------ F:\WINDOWS\system32\juanjuvm.dll
2007-01-31 21:46 463,419 ---hs---- F:\WINDOWS\system32\efhkj.bak2
2007-01-16 19:41 <DIR> d-------- F:\WINDOWS\OPTIONS
2007-01-16 19:16 24,960 --a------ F:\WINDOWS\system32\drivers\usbprint.sys
2007-01-16 17:03 <DIR> d-------- F:\DOCUME~1\ferdi\Application Data\OpenOffice.org2
2007-01-16 16:33 90,112 --a------ F:\WINDOWS\system32\AVASTSS.scr
2007-01-16 13:05 <DIR> d-------- F:\Program Files\OpenOffice.org 2.0
2007-01-16 13:03 <DIR> d-------- F:\Program Files\Java
2007-01-16 13:03 <DIR> d-------- F:\Program Files\Common Files\Java
2007-01-15 06:11 <DIR> d-------- F:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-14 04:26 643 ---hs---- F:\WINDOWS\system32\efhkj.ini2
2007-02-04 22:41 -------- dr-h----- F:\Documents and Settings\ferdi\Application Data\yahoo!
2007-02-04 20:03 -------- d-------- F:\Documents and Settings\ferdi\Application Data\openoffice.org2
2007-02-04 01:42 -------- d-------- F:\Program Files\easy cd-da extractor 7
2007-02-03 23:49 -------- d-------- F:\Program Files\yahoo!
2007-02-03 04:53 -------- d-------- F:\Documents and Settings\ferdi\Application Data\zipgenius
2007-02-03 01:07 -------- d-------- F:\Program Files\openttd
2007-02-02 07:56 -------- d-------- F:\Documents and Settings\ferdi\Application Data\apple computer
2007-01-16 19:44 -------- d--h----- F:\Program Files\windowsupdate
2007-01-16 19:41 -------- d--h----- F:\Program Files\installshield installation information
2007-01-16 00:32 689280 --a------ F:\WINDOWS\system32\aswboot.exe
2007-01-16 00:26 23352 --a------ F:\WINDOWS\system32\drivers\aswRdr.sys
2007-01-08 17:48 20480 --a------ F:\WINDOWS\system32\aup.exe
2007-01-08 11:56 -------- d-------- F:\Program Files\stardict
2007-01-08 00:22 -------- d---s---- F:\Documents and Settings\ferdi\Application Data\microsoft
2007-01-07 20:09 277044 ---hs---- F:\WINDOWS\system32\jkhfe.dll
2007-01-07 19:10 261043 --a------ F:\WINDOWS\system32\gebcy.dll
2007-01-07 19:10 167603 --a------ F:\WINDOWS\system32\mljjk.dll
2007-01-07 10:25 144243 --a------ F:\WINDOWS\system32\jkhhf.dll
2007-01-05 17:49 737280 --a------ F:\WINDOWS\iun6002.exe
2007-01-05 12:58 -------- d-------- F:\Program Files\Common Files\installshield
2007-01-05 12:57 -------- d-------- F:\Program Files\audio recorder pro
2007-01-05 12:56 -------- d-------- F:\Program Files\my mp3 organizer
2006-12-27 15:49 -------- d-------- F:\Documents and Settings\ferdi\Application Data\ati
2006-12-27 15:47 -------- d-------- F:\Program Files\Common Files\ati technologies
2006-12-27 15:45 -------- d-------- F:\Program Files\ati technologies
2006-12-21 06:56 94424 --a------ F:\WINDOWS\system32\drivers\aswmon2.sys
2006-12-21 06:56 85952 --a------ F:\WINDOWS\system32\drivers\aswmon.sys
2006-12-21 06:51 31560 --a------ F:\WINDOWS\system32\drivers\aavmker4.sys
2006-12-20 02:03 -------- d-------- F:\Documents and Settings\ferdi\Application Data\my battle for middle-earth(tm) ii files
2006-12-19 17:30 -------- d-------- F:\Program Files\electronic arts
2006-12-19 07:51 -------- d-------- F:\Program Files\guitar pro 4
2006-12-18 14:44 -------- d-------- F:\Documents and Settings\ferdi\Application Data\macromedia
2006-12-18 14:18 -------- d-------- F:\Program Files\alwil software
2006-12-18 14:12 4212 ---h----- F:\WINDOWS\system32\zllictbl.dat
2006-12-18 10:51 -------- d-------- F:\Documents and Settings\ferdi\Application Data\opera
2006-12-17 23:39 -------- d-------- F:\Program Files\6610 usb-handset manager
2006-12-17 23:38 -------- d-------- F:\Documents and Settings\ferdi\Application Data\mobileaction
2006-12-17 23:11 62 --ahs---- F:\Documents and Settings\ferdi\Application Data\desktop.ini
2006-12-17 23:11 -------- d-------- F:\Program Files\Common Files\speechengines
2006-12-17 23:11 -------- d-------- F:\Program Files\Common Files\odbc
2006-12-17 17:26 -------- d-------- F:\Program Files\zipgenius 5
2006-12-17 17:26 -------- d-------- F:\Program Files\cutter 4
2006-12-17 16:57 -------- d-------- F:\Program Files\konami
2006-12-17 16:53 -------- d-------- F:\Program Files\alcohol soft
2006-12-17 16:47 -------- d-------- F:\Program Files\gigabyte
2006-12-17 16:29 -------- d-------- F:\Documents and Settings\ferdi\Application Data\identities
2006-12-17 16:24 -------- d-------- F:\Program Files\microsoft frontpage
2006-12-17 16:22 -------- d-------- F:\Program Files\online services
2006-12-17 16:21 -------- d-------- F:\Program Files\movie maker
2006-12-17 16:21 -------- d-------- F:\Program Files\Common Files\mssoap
2006-12-17 16:20 21640 --a------ F:\WINDOWS\system32\emptyregdb.dat
2006-12-17 16:19 -------- d-------- F:\Program Files\windows nt
2006-12-17 16:19 -------- d-------- F:\Program Files\msn gaming zone
2006-12-17 16:19 -------- d-------- F:\Program Files\messenger


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="\"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"Instant Access"="F:\\WINDOWS\\System32\\prodsrvs.exe /res"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"!AVG Anti-Spyware"="\"F:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SoundMan"="soundman.exe"
"avast!"="F:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"ATICCC"="\"F:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"SunJavaUpdateSched"="F:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"QuickTime Task"="\"F:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Easy-PrintToolBox"="F:\\Program Files\\Canon\\Easy-PrintToolBox\\BJPSMAIN.EXE /logon"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{2acf3add-34a1-4f2f-99cf-cc69785d1e90}"="exemplars"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{086F3ADF-92EA-4415-877E-C7DD7DD64F14}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"exemplars"="{2acf3add-34a1-4f2f-99cf-cc69785d1e90}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkhfe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljijgh

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



********************************************************************

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


F:\WINDOWS\system32\nvs2.inf
F:\WINDOWS\system32\rpcc.dll
F:\WINDOWS\system32\ytvcef.dat
F:\WINDOWS\system32\ytvcef.exe
F:\WINDOWS\system32\ytvcef_nav.dat
F:\WINDOWS\system32\ytvcef_navps.dat
F:\WINDOWS\system32\ytvcef.dat
F:\WINDOWS\system32\ytvcef.exe
F:\WINDOWS\system32\ytvcef_nav.dat
F:\WINDOWS\system32\ytvcef_navps.dat


((((((((((((((((((((((((((((((( Files Created from 2007-01-14 to 2007-02-14 ))))))))))))))))))))))))))))))))))


2007-02-03 23:56 <DIR> d-------- F:\!KillBox
2007-02-03 23:56 <DIR> d-------- F:\!KillBox


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-14 04:32 780 ---hs---- F:\WINDOWS\system32\efhkj.ini2
2007-02-04 22:41 -------- dr-h----- F:\Documents and Settings\ferdi\Application Data\yahoo!
2007-02-04 20:03 -------- d-------- F:\Documents and Settings\ferdi\Application Data\openoffice.org2
2007-02-04 01:42 -------- d-------- F:\Program Files\easy cd-da extractor 7
2007-02-03 23:49 -------- d-------- F:\Program Files\yahoo!
2007-02-03 04:53 -------- d-------- F:\Documents and Settings\ferdi\Application Data\zipgenius
2007-02-03 01:07 -------- d-------- F:\Program Files\openttd
2007-02-02 07:56 -------- d-------- F:\Documents and Settings\ferdi\Application Data\apple computer
2007-01-16 19:44 -------- d--h----- F:\Program Files\windowsupdate
2007-01-16 19:41 -------- d--h----- F:\Program Files\installshield installation information
2007-01-16 00:32 689280 --a------ F:\WINDOWS\system32\aswboot.exe
2007-01-16 00:26 23352 --a------ F:\WINDOWS\system32\drivers\aswRdr.sys
2007-01-08 17:48 20480 --a------ F:\WINDOWS\system32\aup.exe
2007-01-08 11:56 -------- d-------- F:\Program Files\stardict
2007-01-08 00:22 -------- d---s---- F:\Documents and Settings\ferdi\Application Data\microsoft
2007-01-07 20:09 277044 ---hs---- F:\WINDOWS\system32\jkhfe.dll
2007-01-07 19:10 261043 --a------ F:\WINDOWS\system32\gebcy.dll
2007-01-07 19:10 167603 --a------ F:\WINDOWS\system32\mljjk.dll
2007-01-07 10:25 144243 --a------ F:\WINDOWS\system32\jkhhf.dll
2007-01-05 17:49 737280 --a------ F:\WINDOWS\iun6002.exe
2007-01-05 12:58 -------- d-------- F:\Program Files\Common Files\installshield
2007-01-05 12:57 -------- d-------- F:\Program Files\audio recorder pro
2007-01-05 12:56 -------- d-------- F:\Program Files\my mp3 organizer
2006-12-27 15:49 -------- d-------- F:\Documents and Settings\ferdi\Application Data\ati
2006-12-27 15:47 -------- d-------- F:\Program Files\Common Files\ati technologies
2006-12-27 15:45 -------- d-------- F:\Program Files\ati technologies
2006-12-21 06:56 94424 --a------ F:\WINDOWS\system32\drivers\aswmon2.sys
2006-12-21 06:56 85952 --a------ F:\WINDOWS\system32\drivers\aswmon.sys
2006-12-21 06:51 31560 --a------ F:\WINDOWS\system32\drivers\aavmker4.sys
2006-12-20 02:03 -------- d-------- F:\Documents and Settings\ferdi\Application Data\my battle for middle-earth(tm) ii files
2006-12-19 17:30 -------- d-------- F:\Program Files\electronic arts
2006-12-19 07:51 -------- d-------- F:\Program Files\guitar pro 4
2006-12-18 14:44 -------- d-------- F:\Documents and Settings\ferdi\Application Data\macromedia
2006-12-18 14:18 -------- d-------- F:\Program Files\alwil software
2006-12-18 14:12 4212 ---h----- F:\WINDOWS\system32\zllictbl.dat
2006-12-18 10:51 -------- d-------- F:\Documents and Settings\ferdi\Application Data\opera
2006-12-17 23:39 -------- d-------- F:\Program Files\6610 usb-handset manager
2006-12-17 23:38 -------- d-------- F:\Documents and Settings\ferdi\Application Data\mobileaction
2006-12-17 23:11 62 --ahs---- F:\Documents and Settings\ferdi\Application Data\desktop.ini
2006-12-17 23:11 -------- d-------- F:\Program Files\Common Files\speechengines
2006-12-17 23:11 -------- d-------- F:\Program Files\Common Files\odbc
2006-12-17 17:26 -------- d-------- F:\Program Files\zipgenius 5
2006-12-17 17:26 -------- d-------- F:\Program Files\cutter 4
2006-12-17 16:57 -------- d-------- F:\Program Files\konami
2006-12-17 16:53 -------- d-------- F:\Program Files\alcohol soft
2006-12-17 16:47 -------- d-------- F:\Program Files\gigabyte
2006-12-17 16:29 -------- d-------- F:\Documents and Settings\ferdi\Application Data\identities
2006-12-17 16:24 -------- d-------- F:\Program Files\microsoft frontpage
2006-12-17 16:22 -------- d-------- F:\Program Files\online services
2006-12-17 16:21 -------- d-------- F:\Program Files\movie maker
2006-12-17 16:21 -------- d-------- F:\Program Files\Common Files\mssoap
2006-12-17 16:20 21640 --a------ F:\WINDOWS\system32\emptyregdb.dat
2006-12-17 16:19 -------- d-------- F:\Program Files\windows nt
2006-12-17 16:19 -------- d-------- F:\Program Files\msn gaming zone
2006-12-17 16:19 -------- d-------- F:\Program Files\messenger


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="\"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"Instant Access"="F:\\WINDOWS\\System32\\prodsrvs.exe /res"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"!AVG Anti-Spyware"="\"F:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SoundMan"="soundman.exe"
"avast!"="F:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"ATICCC"="\"F:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"SunJavaUpdateSched"="F:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"QuickTime Task"="\"F:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Easy-PrintToolBox"="F:\\Program Files\\Canon\\Easy-PrintToolBox\\BJPSMAIN.EXE /logon"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{2acf3add-34a1-4f2f-99cf-cc69785d1e90}"="exemplars"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{086F3ADF-92EA-4415-877E-C7DD7DD64F14}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"exemplars"="{2acf3add-34a1-4f2f-99cf-cc69785d1e90}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkhfe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljijgh

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-14 4:32:34

Oh yeah, my computer's time isn't valid, but the date is valid... is it a problem?
I have deleted srrvc.exe, but did not find another file...
Has the Smitfraud gone far away from my computer?

shelf life
2007-02-15, 02:44
hi pinturicchio_ferdi,

another download to run:

VundoFix by Atri
Please download VundoFix.exe to your desktop.

http://www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.


Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
---------------------------------------
reboot computer once, then rescan with hjt and post new hjt log.

shelf life

pinturicchio_ferdi
2007-02-17, 07:35
Here is my Vundo log...

VundoFix V6.3.6

Checking Java version...

Java version is 1.5.0.6

Scan started at 6:31:52 AM 2/14/2007

Listing files found while scanning....

F:\WINDOWS\System32\efhkj.bak1
F:\WINDOWS\System32\efhkj.bak2
F:\WINDOWS\System32\efhkj.ini
F:\WINDOWS\System32\efhkj.ini2
F:\WINDOWS\System32\efhkj.tmp
F:\WINDOWS\System32\jkhfe.dll
F:\WINDOWS\System32\juanjuvm.dll
F:\WINDOWS\System32\mljijgh.dll

Beginning removal...

Attempting to delete F:\WINDOWS\System32\efhkj.bak1
F:\WINDOWS\System32\efhkj.bak1 Has been deleted!

Attempting to delete F:\WINDOWS\System32\efhkj.bak2
F:\WINDOWS\System32\efhkj.bak2 Has been deleted!

Attempting to delete F:\WINDOWS\System32\efhkj.ini
F:\WINDOWS\System32\efhkj.ini Has been deleted!

Attempting to delete F:\WINDOWS\System32\efhkj.ini2
F:\WINDOWS\System32\efhkj.ini2 Has been deleted!

Attempting to delete F:\WINDOWS\System32\efhkj.tmp
F:\WINDOWS\System32\efhkj.tmp Has been deleted!

Attempting to delete F:\WINDOWS\System32\jkhfe.dll
F:\WINDOWS\System32\jkhfe.dll Has been deleted!

Attempting to delete F:\WINDOWS\System32\juanjuvm.dll
F:\WINDOWS\System32\juanjuvm.dll Has been deleted!

Performing Repairs to the registry.
Done!


And this is the HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 9:26:36 AM, on 2/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\WINDOWS\soundman.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\Program Files\QuickTime\qttask.exe
F:\WINDOWS\System32\prodsrvs.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
F:\WINDOWS\system32\notepad.exe
F:\WINDOWS\system32\NOTEPAD.EXE
F:\Documents and Settings\ferdi\My Documents\My Received Files\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {086F3ADF-92EA-4415-877E-C7DD7DD64F14} - F:\WINDOWS\System32\mljijgh.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {61F772CB-F07A-47DB-957A-F7DEC6973D70} - F:\WINDOWS\System32\jkhfe.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - F:\WINDOWS\System32\juanjuvm.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Easy-PrintToolBox] F:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Instant Access] F:\WINDOWS\System32\prodsrvs.exe /res
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - F:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: mljijgh - mljijgh.dll (file missing)
O21 - SSODL: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - F:\WINDOWS\System32\cwgppb.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


I have scanned my computer with Spybot S&D and Smitfraud-C was not found again. Is there something I must do again?
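As an added example (not code from this thread, nor from HijackThis, VundoFix or SDFix), a small Python parser that reads HijackThis log lines like the ones above and groups the "(file missing)" autostart entries by the file they still reference. It makes the leftover Vundo hooks visible at a glance: the same mljijgh.dll was registered both as a BHO (O2) and as a Winlogon Notify package (O20), which is why deleting the DLL leaves two orphaned registry entries behind. The sample lines are copied from the log in the post above; the section labels are my own.

```python
"""Group HijackThis 'file missing' autostart entries by the file they reference.
Added example: not code from the thread or from HijackThis/VundoFix/SDFix."""
import re

# HJT sections that hook a DLL/EXE into the shell or logon path. When a
# removal tool deletes the file but not the registry entry, HJT shows the
# entry with "(file missing)": an orphan that runs nothing but should be fixed.
AUTOSTART_SECTIONS = {
    "O2": "Browser Helper Object",
    "O4": "Run key",
    "O20": "Winlogon Notify",
    "O21": "ShellServiceObjectDelayLoad",
    "O23": "Service",
}
LINE_RE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.+?)(?P<missing> \(file missing\))?$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_line(line):
    """Return one HJT entry as a dict, or None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    fields = [f.strip() for f in body.split(" - ")]  # name [- CLSID] - target
    guid = GUID_RE.search(body)
    return {"section": m.group("section"), "name": fields[0],
            "clsid": guid.group(0) if guid else None, "target": fields[-1],
            "file_missing": m.group("missing") is not None}


def orphaned_entries(lines):
    """Map bare file name -> [(section, label, name)] for missing-file hooks."""
    by_target = {}
    for line in lines:
        e = parse_line(line)
        if not e or not e["file_missing"] or e["section"] not in AUTOSTART_SECTIONS:
            continue
        key = e["target"].rsplit("\\", 1)[-1].lower()  # "mljijgh.dll" for both forms
        by_target.setdefault(key, []).append(
            (e["section"], AUTOSTART_SECTIONS[e["section"]], e["name"]))
    return by_target


# Sample input: lines copied from the post-VundoFix HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {086F3ADF-92EA-4415-877E-C7DD7DD64F14} - F:\WINDOWS\System32\mljijgh.dll (file missing)
O2 - BHO: (no name) - {61F772CB-F07A-47DB-957A-F7DEC6973D70} - F:\WINDOWS\System32\jkhfe.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - F:\WINDOWS\System32\juanjuvm.dll (file missing)
O4 - HKCU\..\Run: [Instant Access] F:\WINDOWS\System32\prodsrvs.exe /res
O20 - Winlogon Notify: mljijgh - mljijgh.dll (file missing)
O21 - SSODL: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - F:\WINDOWS\System32\cwgppb.dll (file missing)
"""

if __name__ == "__main__":
    for target, hooks in sorted(orphaned_entries(SAMPLE_LOG.splitlines()).items()):
        where = ", ".join(f"{sec} {label}" for sec, label, _ in hooks)
        print(f"{target}: still referenced from {where}")
```

Entries that are not flagged "(file missing)", such as the O4 prodsrvs.exe line, are still parsed but are not reported by orphaned_entries; they need a separate judgement.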

shelf life
2007-02-17, 15:38
hi pinturicchio_ferdi,

not done just yet. one more download.
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back here with a new HijackThis log

pinturicchio_ferdi
2007-02-17, 18:51
This is the SDFix log


SDFix: Version 1.65

Run by: ferdi - Thu 02/15/2007 @ 4:43:54.40

Microsoft Windows XP [Version 5.1.2600]

Running From: F:\SDFix

Safe Mode:
Checking Services:

Name:
DLLHOST32
mside

Path:
"F:\WINDOWS\system\dllhost.exe"
"F:\WINDOWS\system\mside.exe"

DLLHOST32 Deleted
mside Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

F:\WINDOWS\system32\TFTP1228 - Deleted
F:\WINDOWS\system32\TFTP364 - Deleted



ADS Check:

F:\WINDOWS\system32
No streams found.

Final Check:


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


Remaining Files:
---------------

Backups Folder: - F:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

F:\WINDOWS\LastGood.Tmp\INF\oem4.inf
F:\WINDOWS\LastGood.Tmp\INF\oem4.PNF

Finished


And the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:49:40 AM, on 2/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\WINDOWS\soundman.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\Program Files\QuickTime\qttask.exe
F:\WINDOWS\System32\prodsrvs.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Documents and Settings\ferdi\My Documents\My Received Files\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {086F3ADF-92EA-4415-877E-C7DD7DD64F14} - F:\WINDOWS\System32\mljijgh.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {61F772CB-F07A-47DB-957A-F7DEC6973D70} - F:\WINDOWS\System32\jkhfe.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - F:\WINDOWS\System32\juanjuvm.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Easy-PrintToolBox] F:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Instant Access] F:\WINDOWS\System32\prodsrvs.exe /res
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - F:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: mljijgh - mljijgh.dll (file missing)
O21 - SSODL: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - F:\WINDOWS\System32\cwgppb.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

shelf life
2007-02-18, 15:03
hi pinturicchio_ferdi,

good. thanks for the info. last hjt log looks ok. how is it on your end now?

shelf life

pinturicchio_ferdi
2007-02-19, 10:23
Hi, Shelf Life,

In the end, my computer starts normally again... And my internet connection is running well again,
thank you very much...

shelf life
2007-02-19, 23:38
hi pinturicchio_ferdi,

good. happy safe surfing.

for your reference:

Prevention (http://security-central.us/SafeHex/prevention.htm)