
View Full Version : smithfraud-C



xtophe
2007-03-16, 14:06
Hello,

I notice while running SP&S that smithfraud-C is always on my computer; even after correcting the problem with SP&S, it comes back.
Any idea how to fix this?

Xtophe.

here is a fresh HJT log :

Logfile of HijackThis v1.99.1
Scan saved at 13:04:29, on 16/03/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E162049-1B0A-4956-9F0D-79EC8FFB3460} - (no file)
O2 - BHO: (no name) - {AC16C3BC-AEBE-4B17-B0AD-D2B7F76DFAB8} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\adobe gamma loader.exe
O4 - Global Startup: Démarrage d'Office.lnk.disabled
O4 - Global Startup: HotSync Manager.lnk.disabled
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk.disabled
O4 - Global Startup: Microsoft Recherche accélérée.lnk.disabled
O4 - Global Startup: Picture Package Menu.lnk.disabled
O4 - Global Startup: Picture Package VCD Maker.lnk.disabled
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Statistiques d’Anti-Virus Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170679937318
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: ddcyyay - C:\WINDOWS\
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: TabletService - Unknown owner - C:\WINDOWS\System32\Tablet.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

pskelley
2007-03-18, 16:49
Welcome to the forum. Since I see no antivirus scan results, I have to assume you missed this important information: "BEFORE you POST" Mandatory Steps Before Requesting Assistance
http://forums.spybot.info/showthread.php?t=288
Please read and follow all instructions.

I also see no active antivirus program running on this computer. Are you sure it is not disabled? I see Kaspersky here:
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
I believe you have no active anti-virus protection running. Open Start > Control Panel > Security Center and tell me what is said about those three items.

There is also no active spyware program running that I can see.

I notice while running SP&S that smithfraud-C
What is SP&S? What program is showing Smitfraud-C, and what exactly is being shown? If this is Spybot S&D you are talking about, make sure you are running version 1.4 and that your databases are completely up to date. Then read this information:
http://forums.spybot.info/showthread.php?t=8668

Are you experiencing any other malware symptoms at all? I can see the results of an incomplete Vundo trojan removal?

Start by reading and following the directions, post the results of an online antivirus scan, give me the information I requested along with a new HJT log.

Thanks

xtophe
2007-03-19, 17:33
Hello PsKelley,

I have done what you suggested, step by step:
Did an online scan with Panda; you will find the log below.
Ran Spybot S&D (v1.4) in safe mode and fixed all the red entries (among them Smithfraud-C).
A few answers to your questions: I did have Kaspersky but no longer have a license; I am looking for free anti-virus software.
Also I was infected with the smithfraud toolbar 888 and Sality a couple of months ago. Shaba helped me get rid of it successfully.
I have since disabled helpsvc.exe, which was running crazy, eating up all memory at startup.
SP&S was a misspelling of Spybot Search and Destroy. I do have the latest version 1.4 and do a regular update almost every day.
Also I do have a similar tablet problem as reported in this thread (http://forums.spybot.info/showthread.php?t=8668).

Thank you for your patience,
Xtophe.

here is the Panda report:

Incident Status Location

Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Firefox\Profiles\default.oi5\cookies.txt[.weborama.fr/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.xiti.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.mediaplex.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.fastclick.net/]
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.weborama.fr/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.2o7.net/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.adtech.de/]
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.anm.co.uk/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.atwola.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.serving-sys.com/]
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[fe.lea.lycos.fr/]

Fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 16:23:51, on 19/03/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E162049-1B0A-4956-9F0D-79EC8FFB3460} - (no file)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - (no file)
O2 - BHO: (no name) - {AC16C3BC-AEBE-4B17-B0AD-D2B7F76DFAB8} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\adobe gamma loader.exe
O4 - Global Startup: Démarrage d'Office.lnk.disabled
O4 - Global Startup: HotSync Manager.lnk.disabled
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk.disabled
O4 - Global Startup: Microsoft Recherche accélérée.lnk.disabled
O4 - Global Startup: Picture Package Menu.lnk.disabled
O4 - Global Startup: Picture Package VCD Maker.lnk.disabled
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Statistiques d’Anti-Virus Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170679937318
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: ddcyyay - C:\WINDOWS\
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: TabletService - Unknown owner - C:\WINDOWS\System32\Tablet.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

pskelley
2007-03-19, 17:54
Thanks for returning your information and the feedback, we will work on the issues like this first:
Free antivirus programs, please choose one, then download and install it. Make sure you update and then run a complete system scan. Remove anything the program finds but save the scan results and post them so I can see what was removed.
Make sure you stay with free; I personally suggest AVG by Grisoft, but do not pick trials or paid-for versions.

http://free.grisoft.com/freeweb.php/doc/2/

http://www.free-av.com/

Once you have an antivirus program in place and have run a complete scan, then do this:

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Use these instructions to disable TeaTimer, it will block changes we must make: http://russelltexas.com/malware/teatimer.htm

4) Disable the Service
Click Start > Run and type services.msc
Scroll down to Kaspersky Anti-Virus 6.0 and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {4E162049-1B0A-4956-9F0D-79EC8FFB3460} - (no file)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - (no file)
O2 - BHO: (no name) - {AC16C3BC-AEBE-4B17-B0AD-D2B7F76DFAB8} - (no file)
O9 - Extra button: Statistiques d’Anti-Virus Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O20 - Winlogon Notify: ddcyyay - C:\WINDOWS\
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Program Files\Kaspersky Lab\ <<< delete that folder

7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post a new HJT log, please add your comments, tell me how the computer is running now.

Thanks
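The line items pskelley asks to have fixed above (O2 BHOs with "(no file)", the O20 Winlogon Notify entry pointing at a bare C:\WINDOWS\ directory) follow a pattern a reviewer can encode. The Python script below is an added example, not part of the original thread and not HijackThis code: it parses HJT 1.99-style item lines, ranks them as fix / review / info using those rules, and diffs two logs to confirm that a fix actually removed the entries. The sample log lines and the classification rules are constructed for this example; O23 "(file missing)" is deliberately reported only as informational, because the binary has to be checked on disk before anything is done about it.

```python
"""Triage helper for HijackThis 1.99.x log lines (added example, not HJT's own code)."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the thread's logs (not a real machine's log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E162049-1B0A-4956-9F0D-79EC8FFB3460} - (no file)
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O20 - Winlogon Notify: ddcyyay - C:\WINDOWS\
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
"""

# Constructed "after the fix" log: the two entries a helper would tick in HJT are gone.
AFTER_LOG = "\n".join(
    line for line in SAMPLE_LOG.splitlines()
    if "(no file)" not in line and "ddcyyay" not in line
)

# HJT item lines look like "O20 - Winlogon Notify: name - path"; header and
# process-list lines do not start with a section code and are skipped.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str   # "fix" (safe to remove), "review" (verify), "info" (confirm first)
    reason: str
    line: str


def parse_lines(log_text):
    """Yield (section, body, raw) for every HJT item line in the log."""
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if m:
            yield m.group("section"), m.group("body"), raw


def target_of(body):
    """HJT puts the file path in the last ' - ' separated field of the line."""
    return body.rsplit(" - ", 1)[-1].strip()


def classify(section, body, raw):
    """Apply the triage rules from the thread to one item line (or return None)."""
    target = target_of(body)
    if section == "O2":
        if target == "(no file)":
            # A CLSID still registered with no DLL on disk: dead weight, often the
            # leftover of an incomplete removal, and safe to tick in HJT.
            return Finding(section, "fix", "BHO registered but DLL absent (orphaned registration)", raw)
        if body.startswith("BHO: (no name)"):
            return Finding(section, "review", "unnamed BHO with a DLL present; verify its publisher", raw)
        return None
    if section == "O20":
        # Winlogon Notify packages are DLLs loaded by winlogon.exe at logon.
        # A bare directory or a non-DLL target is not a legitimate package.
        if target.endswith("\\") or not target.lower().endswith(".dll"):
            return Finding(section, "fix", "Winlogon Notify entry without a DLL target", raw)
        return Finding(section, "review", "Winlogon Notify DLL; confirm it belongs to installed software", raw)
    if section == "O23" and target.endswith("(file missing)"):
        # Informational only: confirm the binary really is absent before acting.
        return Finding(section, "info", "service binary reported missing; confirm on disk first", raw)
    return None


def triage(log_text):
    """Return findings ordered fix -> review -> info (stable within a group)."""
    order = {"fix": 0, "review": 1, "info": 2}
    findings = [f for f in (classify(*item) for item in parse_lines(log_text)) if f]
    return sorted(findings, key=lambda f: order[f.severity])


def compare_logs(before, after):
    """(removed, added) item lines between two logs, to confirm a fix took effect."""
    b = {raw for _, _, raw in parse_lines(before)}
    a = {raw for _, _, raw in parse_lines(after)}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    removed, added = compare_logs(SAMPLE_LOG, AFTER_LOG)
    print("removed by fix:", *removed, sep="\n  ")
    print("new since fix:", added or "none")
```

Run it on a saved HJT log by replacing SAMPLE_LOG with the file's contents; the compare step is what the thread does by hand when pskelley asks for "a new HJT log" after each fix round.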

xtophe
2007-03-20, 13:46
hello PsKelley,

I ran through all the steps you described, but I am unable to delete:

C:\Program Files\Kaspersky Lab\ <<< delete that folder

Unable to delete 145D.tmp, access refused

which is an empty file (0 KB) located in C:\Program Files\Kaspersky Lab\kaspersky anti-virus6.0/145D.tmp

I checked the protection: I unchecked read-only, but it comes back to read-only ...

Any idea?

Should I try to uninstall Kaspersky Lab with the Control Panel?

pskelley
2007-03-20, 14:31
Thanks for the feedback. Look in Start > Control Panel > Add Remove programs and uninstall Kaspersky if it is there; from the way it was in your log it looks like someone tried to uninstall it at some point and failed for some reason.

After you do that, please do this:
Start HiJackThis
Press 'Config'
Press 'Misc Tools'
Press 'Open Uninstall Manager'
Press 'Save List'
Save the log to a convenient location
Copy the log and post its contents in this thread.

Post that information along with the HJT log I am waiting for, I need to see that you have installed antivirus protection.

Thanks

xtophe
2007-03-20, 15:00
Hello PsKelley,

I did remove Kaspersky successfully through the Control Panel and manually deleted the C:\Program Files\Kaspersky Lab\ directory.

Then ran ATF Cleaner and emptied all files found.

Reboot.

The computer seems to run smoothly; still a problem with the pen tablet, and a few other programs refuse to launch (iTunes, super).

Here is my new fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 13:27:51, on 20/03/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\adobe gamma loader.exe
O4 - Global Startup: Démarrage d'Office.lnk.disabled
O4 - Global Startup: HotSync Manager.lnk.disabled
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk.disabled
O4 - Global Startup: Microsoft Recherche accélérée.lnk.disabled
O4 - Global Startup: Picture Package Menu.lnk.disabled
O4 - Global Startup: Picture Package VCD Maker.lnk.disabled
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170679937318
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: TabletService - Unknown owner - C:\WINDOWS\System32\Tablet.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

xtophe
2007-03-20, 15:05
Hello,

here is the uninstall_list log:

AC3Filter (remove only)
Adobe After Effects 5.0
Adobe After Effects 6.5
Adobe After Effects 7.0
Adobe Common File Installer
Adobe Help Center 2.0
Adobe Photoshop 7.0
Adobe Premiere 6.0
Adobe Premiere Pro
Adobe Reader 7.0.5 - Français
Adobe Stock Photos 1.0
Advanced RealMedia Export Plug-in for Premiere 6.0
AVG 7.5
AVIcodec (remove only)
AviSynth 2 (remove only)
Canon Digital Camera USB WIA Driver
Canon EOS 20D Pilote WIA
Canon Utilities Digital Photo Professional 1.6.1
Canon Utilities Digital Photo Professional 2.2
Canon Utilities EOS Capture 1.2
Canon Utilities EOS Viewer Utility 1.2
Canon Utilities File Viewer Utility 1.3
Canon Utilities PhotoStitch 3.1
Canon Utilities RAW Image Converter
Canon Utilities RemoteCapture 2.7
Cleaner 5 EZ
COMODO Firewall Pro
CompressionPackage
Correctif Windows XP - KB842773
Cycore Effects 1.0
dBpowerAMP WMA V9 Codec
Dell ResourceCD
Diaporama version 3.0.0.1
DivX
DivX Player
DVD Decrypter (Remove Only)
DVD Solution
eMule
EPSON Logiciel imprimante
EPSON PhotoQuicker3.4
EPSON PRINT Image Framer Tool2.0
FileZilla (remove only)
Free - Kit de connexion
Gaim (supprimer uniquement)
GLOBEtrotter FLEXid Drivers
GTK+ 2.4.3 runtime environment
HijackThis 1.99.1
InterVideo WinDVD
iPod for Windows 2005-01-11
iTunes
Java 2 Runtime Environment, SE v1.4.2_06
Keylight (1.0v4) for Adobe After Effects
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Flash MX
Macromedia Flash Player
Macromedia Shockwave Player
MainConcept DV Codec
Maya 7.0
Microsoft Office 97 Professional
Mise à jour pour Windows XP (KB898461)
Mozilla (1.7.13)
Mozilla Firefox (0.9.2)
Mozilla Thunderbird (0.7.2.)
MyScript r1.0 PalmOS
Nero Digital
Nero OEM
NVIDIA Windows 2000/XP Display Drivers
Nvu 0.30
Panda ActiveScan
Pdf995
Pen Tablet
PhotoMontage 1.0
PixDiscount 2.00
PowerProducer
QuickTime
ScanToWeb
SecondLife (remove only)
Skype 1.3
Sony USB Driver
Spybot - Search & Destroy 1.4
TreeSize 1.75
Turbine Video Encoder - Free Edition 1.0
VideoLAN VLC media player 0.8.4a
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
WinLibre
xp-AntiSpy V3.71 Fr
XviD 1.1 final uninstall

pskelley
2007-03-20, 15:37
Thanks for the cooperation and as far as these old eyes can see, you have a clean HJT log. The junk can hide, but since the computer is performing, let's assume for the moment we have no malware to deal with.
You do have items (some in French) disabled in O4 - Global Startup and I will have to assume you know what they are and why they are disabled.

Your Uninstall log: I am looking for malware and security issues, it's a great time for you to look for stuff you no longer use so you can clean it off your computer.

Java 2 Runtime Environment, SE v1.4.2_06
http://forums.spybot.info/showpost.php?p=12880&postcount=2 <<< see this information
Make sure you have the newest version installed and uninstall all old versions.


Mozilla (1.7.13)
Mozilla Firefox (0.9.2)
Mozilla Thunderbird (0.7.2.)
Old versions can get you infected; if you are going to run Mozilla, you need to update to the newest version:
http://www.mozilla.com/en-US/

Can you suggest anything that you might have installed around the time your issues started? I am interested in the firewall, how long has it been installed?

Just in case a Windows file has been corrupted or is missing, follow these instructions: http://www.updatexp.com/scannow-sfc.html

Here are some maintenance ideas that may help.
http://www.microsoft.com/atwork/getstarted/speed.mspx?wt_svl=20292a&mg_id=20292b
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Beyond that we are getting out of my area, and I would suggest you contact technical support for the software you are having issues with. They will probably suggest you uninstall and reinstall, but I would prefer they told you that.

Thanks

xtophe
2007-03-21, 18:09
Hello PsKelley,

First of all, I am the one to thank you for your cooperation.

I did a cleanup of a few older programs:
- Removed Java 2 Runtime Environment, SE v1.4.2_06
I have not even installed the new version yet; should I?
- Removed Mozilla Firefox (0.9.2) and Mozilla Thunderbird (0.7.2.)
- A few other older programs which I don't use anymore
Put TeaTimer back on,
and finally ran a scan with Spybot S&D, and guess what it found again:
Smitfraud-C
Browser helper object

...??? What did I do wrong? Maybe it is not harmful? What should I do?

Xtophe.

pskelley
2007-03-21, 18:30
Thanks for the feedback:

I did a few cleanup of older programs:
- Remove Java 2 Runtime Environment, SE v1.4.2_06
I have not even installed the new version yet; should I?
If you are going to run Java, and I suggest you do, that answer is yes; in fact my instructions say:
make sure you have the newest version installed and uninstall all old versions

and finally ran a scan with Spybot S&D and guess what it found again:
Smitfraud-C: Browser helper object
Did you read the information in the link I posted in my first post (2007-03-18, 09:49, #2)?
If this is Spybot S&D you are talking about, make sure you are running version 1.4 and that your databases are completely up to date. Then read this information.
http://forums.spybot.info/showthread.php?t=8668 <<< see that information
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml


Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

xtophe
2007-03-21, 20:25
Hello again PsKelley,

I will install the latest JRE 6.

I did read the thread you mention:
http://forums.spybot.info/showthread.php?t=8668 <<< see that information

But it's quite hard to understand what's happening and, overall, what to do ...
I understand that Spybot finds something as a threat but it is not a threat ...
Also it appears to be resolved since the release of November 3 ... I wonder why, since I do have the latest version of Spybot S&D 1.4 and the latest updates, this is happening again?
Also the last thread from instrumenturnoff (junior member) offers a fix that has not been validated by either a member of Spybot, a warrior or an expert. Should I follow it and see what happens?
Also I just realized that I do not have a tablet PC but a graphics pen tablet that I use with graphics programs, mostly to draw; now maybe it is the same ...

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: TabletService - Unknown owner - C:\WINDOWS\System32\Tablet.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

Anyhow, I'd love to hear back from you on this issue, but if it is out of your area of expertise, I will totally understand.
And I do want to thank you very much for your time and patience.

Xtophe.

xtophe
2007-03-21, 20:30
Hello again,

I did download JRE v6, but as I started to install it I got a message telling me my platform is not taken into account ....
Do I need XP SP2? I only have XP SP1.
Maybe this is my main problem?

Xtophe.

pskelley
2007-03-21, 21:12
http://www.microsoft.com/windows/support/endofsupport.mspx
You are running: Platform: Windows XP SP1 (WinNT 5.01.2600)

End of support for Windows XP Service Pack 1
On October 10, 2006, Microsoft will end all public assisted support for Windows XP Service Pack1 (SP1). After this date, Microsoft will no longer provide any incident support options or security updates for this retired service pack under the policies defined by the Microsoft Support Lifecycle policy.
You can not receive any critical updates until you do install SP 2. See this information for help:
http://www.microsoft.com/windowsxp/downloads/updates/sp2/cdorder/en_us/default.mspx
http://www.microsoft.com/windowsxp/sp2/sp2_whattoknow.mspx
http://www.microsoft.com/windowsxp/sp2/sysreqs.mspx

Your computer is clean of malware as far as I can see at the present time. I would read the instructions and install SP2 as soon as possible, then visit Windows Updates to make sure you have all critical updates for your system.
http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us

As far as the issues with Spybot, you can post here with questions about them: http://forums.spybot.info/forumdisplay.php?f=4

Also the last thread from instrumenturnoff (junior member) offers a fix that has not been validated by either a member of Spybot, a warrior or an expert. Should I follow it and see what happens?
I am not sure what you are talking about here; point me with a link to that information.

Also i just realized that i do not have a tablet PC but a graphic Pen tablet that i use with graphic program, mostly to draw, now maybe it is the same ...
You are right, I know absolutely nothing about that product.

I am not sure why you posted the O23 services at the bottom, but they are all valid services; see these links for information:

1) http://www.liutilities.com/products/wintaskspro/processlibrary/nvsvc32/

2) http://www.liutilities.com/products/wintaskspro/processlibrary/tablet/

3) http://www.liutilities.com/products/wintaskspro/processlibrary/wdfmgr/

My reference is: http://www.castlecops.com/O23.html
You may ignore the (file missing) in those O23 items; that is a glitch in HJT which should be fixed by the next version.

Thanks

xtophe
2007-03-22, 13:40
Dear PSkelley,

Thank you for your patience, your cooperation, and all the information.
I shall get and install SP2 before doing anything else.
All the best,

Xtophe.

pskelley
2007-03-31, 13:23
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks