View Full Version : Another smitfruad-c problem with others
micahr14
2007-05-07, 17:30
Ok.. I have another smitfraud-c issue combined with not being able to access windows firewall settings but nothing for my internet will work. Spybot says its a PSW.WOW and Smitfraud-C again.>>ALso have the HijackThis ADS scan log with this. dunno if this helps
Here is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 7:27:10 AM, on 5/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:/www.gmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Micah's Internet Explorer
O2 - BHO: IE7pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7pro\IE7pro.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra 'Tools' menuitem: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra button: iOpus iMacros - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\Program Files\iMacros\imacros.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - AppInit_DLLs: interceptor.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)
ADS Spy Scan Log:
C:\WINDOWS\ODBCINST.INI : hii (64 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
Thanks you guys,
Micahr14
i also have no internet connectivity even if i connect with the land line instead of the wireless. .. although mozilla thunderbird is able to connect, IE and Firefox are saying that they can't display the page due to a connection error.
also since not able to access any web pages. not able to also run an online scanner. :mad:
micahr14
2007-05-15, 19:11
Avast found a malware piece by the name of Win.32 - Small EHB
I told it to remove it and so far it hasn't at least as far as i can see.
None of other scanners picked this up.
Any help?
Mic:angel:
shelf life
2007-05-15, 23:24
hi micahr14,
use firefox to get these three downloads. the first two are just downloads, the last one will require a update after the install. also is your antivirus up to date?
i would stay off the internet until computer is cleaned up some. in fact pull the plug on the modem after you update avg.
1) smitfraud:
download smitfraudFix to your desktop:
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search-- by typing 1 and press Enter
it will scan your computer, looking for certain files.
when done it will create a log named: rapport.txt on your C: drive
----------------------------
2) combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
--------------------------
avg antispyware:
Download AVG Anti-Spyware(formerly ewido). save file, install, follow wizard
http://www.ewido.net/en/download/
----------------------------
run the above, post the smitfraud log, the combofix log and scan and post a new hjt log please.
shelf life
micahr14
2007-05-18, 18:34
Here are the HJT and SmitfraudFix logs. I can't get the combofix to keep running.. it just keeps stalling out without me doing anything also did you want me to clean the system with the smitfraud fix? :band:
Smitfraudfix
SmitFraudFix v2.183
Scan done at 18:23:58.52, 2007-05-17
Run from C:\Documents and Settings\BTN USER\Desktop\Spyware and Such Utilities\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
ªªªªªªªªªªªªªªªªªªªªªªªª Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
ªªªªªªªªªªªªªªªªªªªªªªªª hosts
ªªªªªªªªªªªªªªªªªªªªªªªª C:\
ªªªªªªªªªªªªªªªªªªªªªªªª C:\WINDOWS
ªªªªªªªªªªªªªªªªªªªªªªªª C:\WINDOWS\system
ªªªªªªªªªªªªªªªªªªªªªªªª C:\WINDOWS\Web
ªªªªªªªªªªªªªªªªªªªªªªªª C:\WINDOWS\system32
C:\WINDOWS\system32\ot.ico FOUND !
ªªªªªªªªªªªªªªªªªªªªªªªª C:\WINDOWS\system32\LogFiles
ªªªªªªªªªªªªªªªªªªªªªªªª C:\Documents and Settings\BTN USER
ªªªªªªªªªªªªªªªªªªªªªªªª C:\Documents and Settings\BTN USER\Application Data
C:\Documents and Settings\BTN USER\Application Data\Install.dat FOUND !
ªªªªªªªªªªªªªªªªªªªªªªªª Start Menu
ªªªªªªªªªªªªªªªªªªªªªªªª C:\DOCUME~1\BTNUSE~1\FAVORI~1
ªªªªªªªªªªªªªªªªªªªªªªªª Desktop
ªªªªªªªªªªªªªªªªªªªªªªªª C:\Program Files
ªªªªªªªªªªªªªªªªªªªªªªªª Corrupted keys
ªªªªªªªªªªªªªªªªªªªªªªªª Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:/DOCUME~1/BTNUSE~1/LOCALS~1/Temp/msohtml1/01/clip_image001.gif"
"SubscribedURL"="file:///C:/DOCUME~1/BTNUSE~1/LOCALS~1/Temp/msohtml1/01/clip_image001.gif"
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
ªªªªªªªªªªªªªªªªªªªªªªªª Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{5aaf6542-f4ba-4df4-873d-4902ecbe794c}"="acheweed"
ªªªªªªªªªªªªªªªªªªªªªªªª AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="interceptor.dll"
ªªªªªªªªªªªªªªªªªªªªªªªª Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
ªªªªªªªªªªªªªªªªªªªªªªªª pe386-msguard-lzx32-huy32
ªªªªªªªªªªªªªªªªªªªªªªªª DNS
ªªªªªªªªªªªªªªªªªªªªªªªª Scanning for wininet.dll infection
ªªªªªªªªªªªªªªªªªªªªªªªª End
HJT
Logfile of HijackThis v1.99.1
Scan saved at 07:25, on 2007-05-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe - Session Manager Subsystem
C:\WINDOWS\system32\winlogon.exe - Windows Logon Process
C:\WINDOWS\system32\services.exe - Windows Service Controller
C:\WINDOWS\system32\lsass.exe - Local Security Authority Service
C:\WINDOWS\system32\svchost.exe - Microsoft Service Host Process
C:\WINDOWS\System32\svchost.exe - Microsoft Service Host Process
C:\WINDOWS\system32\pctspk.exe - PCTEL Connection Assistant
C:\WINDOWS\system32\svchost.exe - Microsoft Service Host Process
C:\WINDOWS\system32\spoolsv.exe - Microsoft Printer Spooler Service
C:\WINDOWS\explorer.exe - Windows Explorer
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE - Microsoft Word
C:\HJT\scanner.exe - Hijack-This
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:/www.gmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra 'Tools' menuitem: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra button: iOpus iMacros - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\Program Files\iMacros\imacros.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - AppInit_DLLs: interceptor.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)
shelf life
2007-05-19, 04:30
hi micahr14,
do i see two antivirus? avast and avg? only need one av, two isnt better than one in this case. i would remove one via add/remove programs panel.
-----------------------------
thanks for the info, hold off on combofix for now.
yes, run option 2 of the smitfraudfix in safe mode
--------------------------
might want to copy/paste this into notepad and save it so you can read it in safe mode:
clean step is best run in safe mode. to reach safe mode you would tap the f8 key during a computer restart. double-click smitfraudfix.cmd icon, chose option 2 this time (clean)
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter
after it completes please run spycatcher and do this:
Empty your Temp folders. Go to Start > Run and type:cleanmgr. Windows will scan. When done check these 3 and press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin
--------------------
reboot normally and post the smitfraudfix report and a new hjt log please
shelf life
micahr14
2007-05-21, 19:05
Here are the new HJT log and also the smitfraud kept freezing up on me. It was as if something was running in the background that i didn't need too have running. Also do you need the mwav infection list? because i ran mwav and found a whole bunch. It will be attached to the bottom of this post if you need it. I have gone ahead and cleaned with mwav and haven't had time to re-run the scan to double check for stuff. Am now able to get into WinFirewall settings and have disabled it since i'm running ZoneAlarm Pro as well
HJT
Logfile of HijackThis v1.99.1
Scan saved at 07:25, on 2007-05-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cmd.exe
C:\HJT\scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra 'Tools' menuitem: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra button: iOpus iMacros - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\Program Files\iMacros\imacros.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - AppInit_DLLs: interceptor.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
Mwav
File C:\Documents and Settings\BTN USER\Desktop\Spyware and Such Utilities\SmitfraudFix\Reboot.exe tagged as "not-a-virus:RiskTool.Win32.Reboot.f". Action Taken: No Action Taken.
Object "dope wars Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "grokster Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "gain.gator Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "gain.gator Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "gain.gator Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "grokster Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "proventactics Adware" found in File System! Action Taken: No Action Taken.
Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "trojan-downloader.bat.ftp.ab Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "trojan-downloader.bat.ftp.ab Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "trojan-downloader.bat.ftp.ab Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "zipitpro Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "dope wars Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "zlob Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "mysearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "claria.dashbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Object "purityscan Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "purityscan Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "purityscan Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "vx2 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "trojan-downloader.bat.ftp.ab Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "trojan-downloader.bat.ftp.ab Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "trojan-downloader.bat.ftp.ab Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "trojan-downloader.bat.ftp.ab Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "dope wars Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "dope wars Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "savenow Adware" found in File System! Action Taken: No Action Taken.
Object "savenow Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\JavaPlugin.150_06" refers to invalid object "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}". Action Taken: No Action Taken.
Entry "HKCR\WaveStudio.Document" refers to invalid object "{48689CC0-9DC4-11CF-8367-00AA00A108A5}". Action Taken: No Action Taken.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object "C:\Program Files\Real\RealArcade\RNArcade.exe /m application/vnd.rn-rn_game_package". Action Taken: No Action Taken.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object "C:\Program Files\Real\RealArcade\RNArcade.exe /m application/vnd.rn-rn_game_info". Action Taken: No Action Taken.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object "C:\Program Files\Real\RealArcade\RNArcade.exe /m application/vnd.rn-rn_secured_installer". Action Taken: No Action Taken.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object ""D:\Programs\Java\bin\javaws.exe"". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Shared Tools\DAO" refers to invalid object "C:\Program Files\Common Files\Microsoft Shared\DAO". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Age of Empires 2.0". Action Taken: No Action Taken.
File C:\Documents and Settings\BTN USER\Desktop\Spyware and Such Utilities\SmitfraudFix\Reboot.exe tagged as "not-a-virus:RiskTool.Win32.Reboot.f". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8349084F-2F74-4456-A9C9-FDC1A23D3983}\RP212\A0266517.exe//data.rar/SmitfraudFix\Reboot.exe tagged as "not-a-virus:RiskTool.Win32.Reboot.f". Action Taken: No Action Taken.
This was before I cleaned with mwav just to let you see what i found.
Thanks guys,
If this is confusing let me know and ill try to explain it better. (time crunch at this time)
Mic
shelf life
2007-05-22, 03:27
hi micahr14,
was the smitfraud clean able to complete?
you still have two antivirus, only need one.
you didnt get avg antispyware, its a resident malware scanner. i would download,install update and run it.
-----------------------
read thru there are several steps-- then follow this:
1) Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.
---------------------------------------
2) Download AVG Anti-Spyware from HERE and save that file to your
desktop.
http://www.ewido.net/en/download/
This is a 30 day trial of the program
1. Once you have downloaded ewido anti-spyware, locate the icon on the desktop
and double-click it to launch the set up program.
2. Once the setup is complete you will need run ewido and update the definition
files.
3. On the main screen select the icon "Update" then select the "
Update now" link.
* Next select the "Start Update" button, the update will start and a
progress bar will show the updates being installed.
4. Once the update has completed select the "Scanner" icon at the top of
the screen, then select the "Settings" tab.
5. Once in the Settings screen click on "Recommended actions" and then
select "Quarantine".
6. Under "Reports"
* Select "Automatically generate report after every scan"
* Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
------------------------------------------
Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
Reboot your computer in Safe Mode.
* If the computer is running, shut down Windows, and then turn off the power.
* Wait 30 seconds, and then turn the computer on.
* Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
* Ensure that the Safe Mode option is selected.
* Press Enter. The computer then begins to start in Safe mode.
* Login on your usual account.
______________________________
Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.
A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.
The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
Clean out your Temporary Internet files. Proceed like this:
* Quit Internet Explorer and quit any instances of Windows Explorer.
* Click Start, click Control Panel, and then double-click Internet Options.
* On the General tab, click Delete Files under Temporary Internet Files.
* In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
* On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
* Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
* Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware, and run a full scan.
IMPORTANT: Do not open any other windows or
* programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
* Select the "Scanner" icon at the top and then the "Scan" tab
then click on "Complete System Scan".
* ewido will now begin the scanning process, be patient this may take a little
time.
Once the scan is complete do the following:
* If you have any infections you will prompted, then select "Apply all
actions"
* Next select the "Reports" icon at the top.
* Select the "Save report as" button in the lower left hand of the
screen and save it to a text file on your system (make sure to remember where
you saved that file, this is important).
Close AVG Anti-Spyware and Reboot in Normal Mode.
----------------------------
please post the saved AVG report the smitfraud report and a new hjt log.
shelf life
micahr14
2007-05-25, 19:22
Ok. AVG antispyware is not able to run on my system. It just keeps freezing. But I now have full internet conenctivity after running MWAV and SmitfraudFix twice. So I think i'm pretty much all set. Please look over my logs and tell me if am I clean, if you could :) I know how to analyse HJT logs and I didn't see anything wrong with this one but I don't know how to analyse SmitfraudFix logs and the rest.
Thanks,
Micah R.
MRU University Freshman
You too could help train to fight malware.
LOGS
-------
HJT
----
Logfile of HijackThis v1.99.1
Scan saved at 20:22, on 2007-05-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra 'Tools' menuitem: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra button: iOpus iMacros - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\Program Files\iMacros\imacros.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - AppInit_DLLs: interceptor.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
Smitfraud
-----------
SmitFraudFix v2.186
Scan done at 19:40:49.60, 2007-05-24
Run from C:\Documents and Settings\BTN USER\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
ªªªªªªªªªªªªªªªªªªªªªªªª SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{5aaf6542-f4ba-4df4-873d-4902ecbe794c}"="acheweed"
ªªªªªªªªªªªªªªªªªªªªªªªª Killing process
ªªªªªªªªªªªªªªªªªªªªªªªª hosts
ªªªªªªªªªªªªªªªªªªªªªªªª Generic Renos Fix
GenericRenosFix by S!Ri
ªªªªªªªªªªªªªªªªªªªªªªªª Deleting infected files
ªªªªªªªªªªªªªªªªªªªªªªªª DNS
ªªªªªªªªªªªªªªªªªªªªªªªª Deleting Temp Files
ªªªªªªªªªªªªªªªªªªªªªªªª Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
ªªªªªªªªªªªªªªªªªªªªªªªª Registry Cleaning
Registry Cleaning done.
ªªªªªªªªªªªªªªªªªªªªªªªª SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
ªªªªªªªªªªªªªªªªªªªªªªªª End
shelf life
2007-05-26, 22:32
hi micahr14,
thanks for all the info. uninstall avg via the add/remove programs panel, reboot computer once. are you able to run combofix?
shelf life
micahr14
2007-05-29, 17:27
Ok. AVG Shows Clean but i found a log from march that showed this and im wondering if it maybe hung around and didn't get clean all the way:
-
micahr14
2007-05-29, 17:29
Ok. AVG Shows Clean but i found a log from march that showed this and im wondering if it maybe hung around and didn't get clean all the way:
Ok. AVG Shows Clean but i found a log from march that showed this and im wondering if it maybe hung around and didn't get clean all the way:
-
micahr14
2007-05-29, 17:31
somethings wrong with this.. ill try separate posts... heres HJT
Logfile of HijackThis v1.99.1
Scan saved at 20:22, on 2007-05-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra 'Tools' menuitem: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra button: iOpus iMacros - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\Program Files\iMacros\imacros.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - AppInit_DLLs: interceptor.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\ODBCINST.INI : hii (64 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
micahr14
2007-05-29, 17:48
here is the AVG report in question from March.
Again, sorry for so many posts, the apple i'm working on hates me :p:
Mic
micahr14
2007-05-29, 17:52
here tis. seems the copy/paste function on apple doesn't work so i may have to put it in manually or attach the log if you don't mind
Again this is the one in question from march
The infection found is called:
[B]C
micahr14
2007-05-29, 17:54
The infection is
Hijacker.Costrat.l
File where found is
c:\Windows\lzx32.sys
Also says file was cleaned but I wonder if remnants are still hanging around.
micahr14
2007-05-29, 17:56
SmitFraudFix v2.186
Scan done at 19:40:49.60, 2007-05-24
Run from C:\Documents and Settings\BTN USER\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
ªªªªªªªªªªªªªªªªªªªªªªªª SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{5aaf6542-f4ba-4df4-873d-4902ecbe794c}"="acheweed"
ªªªªªªªªªªªªªªªªªªªªªªªª Killing process
ªªªªªªªªªªªªªªªªªªªªªªªª hosts
ªªªªªªªªªªªªªªªªªªªªªªªª Generic Renos Fix
GenericRenosFix by S!Ri
ªªªªªªªªªªªªªªªªªªªªªªªª Deleting infected files
ªªªªªªªªªªªªªªªªªªªªªªªª DNS
ªªªªªªªªªªªªªªªªªªªªªªªª Deleting Temp Files
ªªªªªªªªªªªªªªªªªªªªªªªª Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
ªªªªªªªªªªªªªªªªªªªªªªªª Registry Cleaning
Registry Cleaning done.
ªªªªªªªªªªªªªªªªªªªªªªªª SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
ªªªªªªªªªªªªªªªªªªªªªªªª End
shelf life
2007-05-30, 02:55
hi micahr14,
ok thanks for all the info.
this:
lzx32.sys is a rootkit that can arrive with smitfraud. thats from a avg scan from march? it will show in a smitfraud log and combofix log, but they dont remove it. you can do this to be sure:
1. Download - rustbfix.exe ...and save it to your desktop:
http://www.uploads.ejvindh.net/rustbfix.exe
2. Double click on rustbfix.exe to run the tool.
1. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically.
2. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). If needed (still infected), post the content of these logfiles along with a new HijackThis log.
shelf life
micahr14
2007-05-31, 18:23
Ok, there were no rootkits found. HJT log on the way as soon as I can get it. I've spent 3 straight days at work trying to fix our satellite feed from the syndicated network. We have an underground cable gone bad and digging it all up to get to that one area. May not post for a couple of days.
Mic
shelf life
2007-06-01, 03:19
hi micahr14,
ok good no rootkits. just post back whenever you get a chance.
shelf life
micahr14
2007-06-01, 17:28
ok we got another issue. when I right click on the taskbar and look at the toolbars they are all grayed out. The same is happening with the folder options. I've had this issue before. Also, ever since starting ZA Pro firewall up again it has stopped the internet connection between the file and the server (wherever it is). HJT revealed me nothing was infected ?? I've double checked the lines too. Somehow I think the virus has infected my explorer.exe file(s)
Here is the Spybot log in the next post, it was the only thing I could get to work and pick up.
shelf life
2007-06-02, 05:23
hi micahr14,
I've had this issue before.
and how did you fix it?
file and the server
do you know what application ZA is calling the "server"?
Here is the Spybot log
the log?
shelf life
micahr14
2007-06-04, 18:15
The log will not post. Its way too long. And I'll look in the archives here. It was about 6 months ago and ps_kelley was the one that helped me with it.
No i'm seeing nothing from the ZA on the server. All I know is the Ad-Watch is not reporting any more registry changes ever since I started ZA pro and ran the spybot cleaning.
Mic . sorry about the vagueness :D I should probably be a little clearer next time. It's just kinda hard with work and all. :(
micahr14
2007-06-04, 18:25
Here is the linky to the other post I had with ps_kelley. The symptoms are the same but something is running in the background of my computer and not showing in the process list, its really a memory hog too.
http://forums.spybot.info/showthread.php?t=11904&highlight=micahr14
MIC
shelf life
2007-06-04, 23:30
hi
i saw that archived post-- looks like you had LOP then. got smitfraud and company now.
you sure you ran AVg antispyware? i dont see it in the hjt log. did you ever get combofix to run? post another hjt log and the saved report form avg. if avg wont run we can get something else.
how to save avg report:
Once the scan is complete do the following:
* If you have any infections you will prompted, then select "Apply all
actions"
* Next select the "Reports" icon at the top.
* Select the "Save report as" button in the lower left hand of the
screen and save it to a text file on your computer. Please post the AVG log in next reply.
shelf life
micahr14
2007-06-07, 03:53
hurray! We have a combo fix log but no AVG log still. AVG doesn't (and hasn't liked my system) - running on 319 MB of RAM
Still a bit sluggish (the computer) and its changed its theme (colors, windows, sounds) back to windows classic and isn't letting me change them back. I look on kelly's korner for tools to restore. Was able to get taskbar restored back. sUBS over at MRU was able to give me a beta that worked and turns out that it was the program. Well, here's the log :
"BTN USER" - 2007-06-06 17:38:43 Service Pack 2 NTFS
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\BTN USER\Desktop\"
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Documents and Settings\All Users.WINDOWS.\documents\settings
C:\Documents and Settings\All Users.WINDOWS.\documents\settings\desktop.ini
C:\WINDOWS\keyboard11.dat
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\mc-110-12-0000140.exe
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\tracert.com
((((((((((((((((((((((((( Files Created from 2007-05-06 to 2007-06-06 )))))))))))))))))))))))))))))))
2007-06-03 21:14 <DIR> d-------- C:\DOCUME~1\BTNUSE~1\APPLIC~1\Ceedo
2007-05-24 21:10 <DIR> d-------- C:\VundoFix Backups
2007-05-20 23:08 <DIR> d-------- C:\ie-spyad2
2007-05-19 23:37 <DIR> d-------- C:\Program Files\Incomplete
2007-05-18 22:29 <DIR> d-a------ C:\WINDOWS\zts2.exe
2007-05-18 22:29 <DIR> d-a------ C:\WINDOWS\SYSTEM32\vcmgcd32.dll
2007-05-18 22:29 <DIR> d-a------ C:\WINDOWS\SYSTEM32\iifgfgf.dll
2007-05-18 22:09 146,432 --a------ C:\WINDOWS\R.COM
2007-05-18 22:09 135,680 --a------ C:\WINDOWS\SYSTEM32\T.COM
2007-05-17 19:24 1,812 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-05-10 17:04 95,872 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2007-05-10 17:04 94,552 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2007-05-10 17:04 85,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2007-05-10 17:04 43,176 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2007-05-10 17:04 26,888 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2007-05-10 17:04 23,416 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2007-05-10 17:03 745,600 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-05-10 17:03 1,060,864 --a------ C:\WINDOWS\SYSTEM32\MFC71.dll
2007-05-10 17:03 <DIR> d-------- C:\Program Files\Alwil Software
2007-05-09 16:29 <DIR> d-------- C:\Program Files\FastStone Capture
2007-05-09 16:29 <DIR> d-------- C:\DOCUME~1\BTNUSE~1\APPLIC~1\FastStone
2007-05-09 16:27 <DIR> d-------- C:\Program Files\CNet
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-02 23:55:50 -------- d-----w C:\Program Files\Wisdom-soft AutoScreenRecorder Free
2007-05-25 01:34:29 -------- d-----w C:\Program Files\Actual Title Buttons
2007-05-25 00:00:18 -------- d-----w C:\Program Files\Winamp
2007-05-24 23:56:07 -------- d-----w C:\Program Files\QO Labs
2007-05-21 03:18:59 1,964 ----a-w C:\WINDOWS\system32\d3d8caps.dat
2007-05-20 12:18:39 -------- d-----w C:\Program Files\ZipCentral
2007-05-20 12:16:54 -------- d-----w C:\Program Files\LimeWirePro
2007-05-10 20:28:40 -------- d-----w C:\DOCUME~1\BTNUSE~1\APPLIC~1\OpenOffice.org2
2007-05-06 00:03:21 4,212 -c-h--w C:\WINDOWS\system32\zllictbl.dat
2007-05-05 23:45:28 -------- d-----w C:\Program Files\GIMP-2.0
2007-05-05 18:32:33 -------- d-----w C:\Program Files\TuneXP
2007-05-05 18:32:33 -------- d-----w C:\Program Files\Tradewinds Full Game
2007-05-05 18:32:32 -------- d-----w C:\Program Files\Pizza Frenzy
2007-05-05 18:32:32 -------- d-----w C:\Program Files\Bejeweled 2 Deluxe
2007-05-05 17:21:06 -------- d-----w C:\DOCUME~1\BTNUSE~1\APPLIC~1\Tenebril
2007-05-05 02:12:53 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-03 23:47:56 -------- d-----w C:\Program Files\Google
2007-05-03 23:46:11 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-05-02 02:44:45 -------- d-----w C:\Program Files\a-squared HiJackFree
2007-04-30 21:11:44 20,747 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2007-04-29 01:42:14 -------- d-----w C:\Program Files\SpyCatcher 2006
2007-04-29 01:41:13 -------- d-----w C:\Program Files\WhatsRunning
2007-04-29 01:40:23 -------- d-----w C:\DOCUME~1\BTNUSE~1\APPLIC~1\gtopala
2007-04-24 00:05:00 -------- d-----w C:\DOCUME~1\BTNUSE~1\APPLIC~1\Ventrilo
2007-04-23 23:58:11 -------- d-----w C:\Program Files\Ventrilo
2007-04-23 23:57:00 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-04-19 22:41:24 114 -c--a-w C:\WINDOWS\popcinfo.dat
2007-04-17 18:02:52 -------- d-----w C:\DOCUME~1\BTNUSE~1\APPLIC~1\AVSMedia
2007-04-17 12:53:29 -------- d-----w C:\Program Files\Freeciv-2.0.9-gtk2
2007-04-16 02:00:43 5 --sha-w C:\WINDOWS\system32\efabaaabef1_s.dll
2007-04-15 11:49:21 -------- d-----w C:\Program Files\ActualCoach
2007-04-15 11:49:21 -------- d-----w C:\Program Files\4t Tray Minimizer
2007-04-15 11:49:18 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-04-15 11:49:17 -------- d-----w C:\Program Files\SolSuite
2007-04-14 02:06:51 -------- d-----w C:\DOCUME~1\BTNUSE~1\APPLIC~1\IrfanView
2007-04-12 23:05:06 -------- d-----w C:\Program Files\AVSMedia
2007-04-12 21:56:35 -------- d-----w C:\Program Files\Ministars Software
2007-04-12 21:55:07 -------- d-----w C:\Program Files\Microsoft Games
2007-04-12 21:51:24 -------- d-----w C:\Program Files\PDFCreator
2007-04-12 21:44:18 -------- d-----w C:\Program Files\Nuclear Power
2007-04-12 21:43:47 -------- d-----w C:\Program Files\CursorXP
2007-04-12 21:42:25 -------- d-----w C:\Program Files\Taskbar Shuffle
2007-04-12 21:41:34 -------- d-----w C:\Program Files\Windows X
2007-04-12 21:34:05 720,896 -c--a-w C:\WINDOWS\iun6002.exe
2007-04-12 02:03:45 -------- d-----w C:\Program Files\GFX
2007-04-10 22:17:13 -------- d-----w C:\DOCUME~1\BTNUSE~1\APPLIC~1\IE7pro
2007-04-10 22:07:39 -------- d-----w C:\Program Files\Microsoft Plus! Photo Story 2 LE
2007-04-10 21:52:28 -------- d-----w C:\Program Files\Chronotron Inc
2007-04-10 21:22:36 -------- d-----w C:\Program Files\IE7pro
2007-04-10 21:20:45 -------- d-----w C:\DOCUME~1\BTNUSE~1\APPLIC~1\Actual Tools
2007-04-10 21:15:08 -------- d-----w C:\Program Files\SRS Labs
2007-04-09 01:24:50 -------- d-----w C:\Program Files\Odometer
2007-04-09 00:46:25 -------- d-----w C:\DOCUME~1\BTNUSE~1\APPLIC~1\Inkscape
2007-04-06 22:06:58 -------- d-----w C:\DOCUME~1\BTNUSE~1\APPLIC~1\Lavasoft
2007-04-06 00:42:35 -------- d-----w C:\Program Files\Inkscape
2007-04-06 00:00:48 -------- d-----w C:\Program Files\Scribus 1.3.3.8
2007-03-28 20:40:51 80 --sh--r C:\WINDOWS\system32\4E6F1E8D02.dll
2007-03-19 10:35:14 1,636 -c--a-w C:\WINDOWS\system32\d3d9caps.dat
2007-03-09 05:01:42 1,087,216 ----a-w C:\WINDOWS\system32\zpeng24.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 04:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2006-10-17 16:04]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Program Files\Windows Live Toolbar\msntb.dll [2006-09-27 17:45]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Resume copy"="copyfstq.exe" [2006-12-06 17:31 C:\WINDOWS\copyfstq.exe]
"StartupDelayer"="C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe" [2006-06-23 04:12]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)
"NoSMMyPictures"=01000000
"NoLowDiskSpaceChecks"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoToolbarCustomize"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)
"NoSharedDocuments"=1 (0x1)
"NoBandCustomize"=0 (0x0)
"NoSaveSettings"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
"winupdates"=C:\Program Files\winupdates\winupdates.exe /auto
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" -hide
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
**************************************************************************
catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-06 20:34:50
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
Completion time: 2007-06-06 20:39:13
C:\ComboFix-quarantined-files.txt ... 2007-06-06 20:38
--- E O F ---
HJT:
Logfile of HijackThis v1.99.1
Scan saved at 07:34, on 2007-06-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\HJT\scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O11 - Options group: [INTERNATIONAL] International*
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
shelf life
2007-06-08, 02:21
hi micahr14,
ok good. looks like combofix got rid of some stuff also. lets forget avg, i would remove it via the add/remove programs panel then reboot computer once.
i suggest scanning with superantispyware, see what else it might dig up.the hjt log looks ok:
http://www.superantispyware.com/
--------------------
shelf life
micahr14
2007-06-18, 07:07
Hi all,
just to let you know our family suffered a terrible tragedy this past week or two and i've been off and on alot.. not sure when things will even out for my online time either. So far an update: Evidently the spyware hasn't been removed because im still having trouble with my windows shell... had to remove ZA pro because it was stuck in lock mode and would not let me access the internet.. Switching to outpost firewall. Sure it might take time to reconfig everything but I'm sure that it will work better :D ... Still got high CPU usage..
Thanks for everything shelf,
Keep us in your hopes and prayers :)
Micah R. Roemmich
shelf life
2007-06-19, 00:13
hi micahr14,
I hope it all turns out ok for you and your family.
Outpost is a excellent firewall. i also highly recommend jetico.
these entries from combofix are typical of a worm:
ping.com
tasklist.com
taskmgr.com
tracert.com
if you wish to continue just post back when you can.
shelf life
This topic has been moved to archives to prevent others with similar issues posting to it.
When you need the thread re-opened, please send me a private message (pm) :bighug: