PDA

View Full Version : SystemDoctor2006 & SmitFraud



Schnick1
2007-04-23, 21:37
Hello,

Last week my work PC had been infected with a virus which left me with the SystemDoctor2006 & SmitFraud malware programs.

I believe I have taken care of all problems but the SystemDoctor2006.
A Safe Mode SpyBot scan turned up a few tracking cookies, and the ones that stuck out at me are: SystemDoctor2006, and WinSoftware - WinAntiVirusPro2006.

Below is a copy of my HijackThis log (in Safe Mode). I believe all I have to do now is fix the O12 and O15s, but would like further advice before I do this.


Logfile of HijackThis v1.99.1
Scan saved at 1:16:30 PM, on 4/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis\HijackThis.exe

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\system32\hpnra.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 3015_3020_3030_3380\SetConfig.exe -c Direct -p DOT4_001 -pn "" -n 1 -l 1033 -sl 120000
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\AVAST4~1\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Outlook Express (2).lnk = C:\Program Files\Outlook Express\MSIMN.EXE
O4 - Global Startup: QuickBooks Premier - Manufacturing and Wholesale Edition 2004.lnk = C:\Program Files\Intuit\QuickBooks Premier - Manufacturing and Wholesale Edition\qbw32.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.adxgate.net
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.snipenet.net
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.adxgate.net (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.snipenet.net (HKLM)
O15 - Trusted Zone: *.sxload.net (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2000i\AcPreview.ocx
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4 AntiVirus\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4 AntiVirus\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4 AntiVirus\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4 AntiVirus\ashWebSv.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartPayments Service Manager (SmartPayments_Service) - TPI Software, LLC - c:\program files\smartpayments\smartpayments_service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Shaba
2007-04-24, 12:02
Hi Schnick1

Rename HijackThis.exe to scanner.exe and post back a fresh Hijackthis log taken in normal mode :)

tashi
2007-04-30, 05:40
Multi forum poster. :mad:

http://forums.techguy.org/security/565769-solved-systemdoctor2006-smitfraud.html#post4663879

http://www.bleepingcomputer.com/forums/topic89795.html

"BEFORE you POST" (http://forums.spybot.info/showthread.php?t=288)

Posters who start topics at multiple sites for their PC problem waste valuable volunteer resources, so please don't. Many of our volunteers are at several forums.