• Welcome Guest, to the Spybot Forums! It's 2025, and we just upgraded our forum software.

    Today is Safer Internet Day, and with our new forum, you can finally use passkeys to login. That was about time!

    Of course, you could ask if a forum is still useful, with so many social media networks out there where you might already have an account, and met a lot of users. You can now use your login from some of those networks to log in here. And by posting here, your question and data is stored on our servers and not automatically shared with a whole social media network.

    We'll also start using the forum for small bits of information, announcements and more again.

Smitfraud-C.Coreservice

C

cfunderburg

New member
I'm not so knowledgeable about computers, but I've attempted to follow the instructions laid for how to deal with this. I have the Smitfraud-C.Corservice problem. Here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:34:21 AM, on 6/11/2007
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7c336c34-41d3-4be2-bdd1-874f0b21be4b} - C:\WINNT\System32\rjvvfge.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINNT\tppaldr.exe
O4 - HKLM\..\Run: [uevcmukA] C:\WINNT\uevcmukA.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.7.4\webbuying.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: c:\winnt\system32\vtssqnl.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\System32\mgabg.exe
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe

Please let me know how to proceed.

thank you very much for your help,
chris
 
Hi

Please download
VundoFix.exe
to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files,
    click YES
  • Once you click yes, your desktop will go blank as it starts removing
    Vundo.
  • When completed, it will prompt that it will reboot your computer,
    click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from
Click the Scan for Vundo button when VundoFix appears at reboot.


Remove thru add/remove programs (if found):
Web Buying

Start hjt, click do a system scan only, check (if found):
O2 - BHO: (no name) - {7c336c34-41d3-4be2-bdd1-874f0b21be4b} - C:\WINNT\System32\rjvvfge.dll
O4 - HKLM\..\Run: [uevcmukA] C:\WINNT\uevcmukA.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.7.4\webbuying.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O20 - AppInit_DLLs: c:\winnt\system32\vtssqnl.dll
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe

Close browsers and other windows. Click fix checked.


Creating & executing batch file
-------------------------------

Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop. (If you are still unsure on how to do this there is a little tutorial with pictures here)
@echo off
sc stop "Net Agent"
sc delete "Net Agent"

Double-click on fixes.bat file to execute it.



==============================

Reboot into safe mode (press F8 before Windows' loading screen and select safe mode)

Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


Deleting files & folders
------------------------

Delete following files and folders (if found):
C:\WINNT\SYSTEM32\rjvvfge.dll
C:\WINNT\uevcmukA.exe
C:\WINNT\dls0523pmw.exe
C:\WINNT\SYSTEM32\vtssqnl.dll
C:\Program Files\Web Buying

Reboot back into normal mode.

Please post the contents of C:\vundofix.txt and a new
HiJackThis log.
 
As per your request, I have posted the VundoFix and HJT logs below. However, I also wanted to mention that when I tried to follow your instructions, I had a couple problemswhen I went into the files/folders to delete items.

1) C:\WINNT\SYSTEM32\rjuvfge.dll did not exist, so I couldn't delete it.
2) C:\Program Files\Web Buying did not exist.
3) I could not delete C\WINNT\SYSTEM32\vtssqnl.dll as it was "currently in use by windows


Thank you very much for your help and quick reply. Just let me know what I should do next...

chris

VundoFix V6.5.0

Checking Java version...

Sun Java not detected
Scan started at 12:19:52 AM 6/11/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.0

Checking Java version...

Scan started at 10:57:31 AM 6/11/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.0

Checking Java version...

Scan started at 11:00:23 AM 6/11/2007

Listing files found while scanning....

No infected files were found.


Logfile of HijackThis v1.99.1
Scan saved at 11:42:06 AM, on 6/11/2007
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\mgabg.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\Smtray.exe
C:\WINNT\System32\Promon.exe
C:\WINNT\System32\PDesk\PDesk.exe
C:\WINNT\tppaldr.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINNT\tppaldr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: c:\winnt\system32\vtssqnl.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\System32\mgabg.exe
 
One final thing I forgot to mention. When I was attempting to "fix checked," I got the following error/notice. I did e-mail the address as per the instructions, but i just want to make sure I can keep everything on the same page.

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: c:\winnt\system32\vtssqnl.dll)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.00.2195
MSIE version: 5.00.3315.1000
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.
 
Looks like hjt bug to me (not serious though). Anyway, let's move on. :)

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once the scan is complete, Right Click inside the listbox (white box) and click add more files
  • Copy&Paste the 2 entries below into the top 2 boxes
  • C:\WINDOWS\system32\vtssqnl.dll
  • C:\WINDOWS\system32\lnqsstv.*
  • Click Add Files and Click Close Window
  • Repeat with these entries
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from
Click the Scan for Vundo button when VundoFix appears at reboot.



Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update succesfull message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Don't run AVG yet. Will do it a bit later.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Don't run ATF yet. Will do it a bit later.




Start hjt, click do a system scan only, check:
O20 - AppInit_DLLs: c:\winnt\system32\vtssqnl.dll

Close browsers and other windows. Click fix checked.



==============================

Reboot into safe mode (press F8 before Windows' loading screen and select safe mode)


Delete if found:
c:\winnt\system32\vtssqnl.dll



Running temp cleaner & AVG Anti-Spyware
---------------------------------------



Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the
    Save Scan Report
    button before you did hit the
    Apply all Actions
    button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      scanavgjk2.jpg
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.


Post
-contents of c:\vundofix.txt
-AVG Anti-Spyware log
-a fresh HJT log.
 
Ok, I had a couple problems when I was going through your instructions:

1) When I ran HJT and checked "O20 - AppInit_DLLs: c:\winnt\system32\vtssqnl.dll" to be fixed, i ran into the same error as before.
2) I still couldn't delete c:\winnt\system32\vtssqnl.dll because it was "in use by windows"
3) In ATF, I couldn't click off the box for "Prefetch" because it was "disenabled."
4) For some reason, AVG would mot run in same mode, despite an attempt to re-install it. I ran it in normal mode.

Ok, one more thing that may be relevant: In between when I started having pop-up problems and posted on this forum, it was recommended to me that I update my Java to the newest version. I downloaded and installed "jre-6u1-windows-i586-p-iftw," but got a message saying that it wasn't compatible with my computer. So, have no idea how that is effecting any of this (I completely removed my old version Java before installing the new one).

Again, thanks for your help,
chris


Here are the logs:

VundoFix V6.5.0

Checking Java version...

Sun Java not detected
Scan started at 12:19:52 AM 6/11/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.0

Checking Java version...

Scan started at 10:57:31 AM 6/11/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.0

Checking Java version...

Scan started at 11:00:23 AM 6/11/2007

Listing files found while scanning....

No infected files were found.


Logfile of HijackThis v1.99.1
Scan saved at 2:57:41 PM, on 6/11/2007
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\mgabg.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\Smtray.exe
C:\WINNT\System32\Promon.exe
C:\WINNT\System32\PDesk\PDesk.exe
C:\WINNT\tppaldr.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINNT\tppaldr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\System32\mgabg.exe

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:46:12 PM 6/11/2007

+ Scan result:



C:\WINNT\system32\dvdbin.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINNT\system32\T3\am67.exe -> Adware.ZQuest : Cleaned with backup (quarantined).
C:\WINNT\system32\perfc000.dat -> Backdoor.Small.os : Cleaned with backup (quarantined).
C:\WINNT\system32\T6\amwr.exe -> Downloader.Agent.brf : Cleaned with backup (quarantined).
C:\WINNT\system32\T1QaSQ\T1QaSQ1065.exe -> Downloader.VB.awj : Cleaned with backup (quarantined).
C:\WINNT\system32\T4\amst5.exe -> Dropper.Agent.bfr : Cleaned with backup (quarantined).
C:\WINNT\system32\TQ0\am52.exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
C:\WINNT\uevcmuk.exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\temp.exe -> Trojan.Agent.bi : Cleaned with backup (quarantined).
C:\WINNT\48x.exe -> Trojan.Agent.bi : Cleaned with backup (quarantined).
C:\WINNT\system32\vtssqnl.dll -> Trojan.Agent.bi : Cleaned with backup (quarantined).


::Report end
 
1) When I ran HJT and checked "O20 - AppInit_DLLs: c:\winnt\system32\vtssqnl.dll" to be fixed, i ran into the same error as before.
2) I still couldn't delete c:\winnt\system32\vtssqnl.dll because it was "in use by windows"
Click to expand...
AVG found and quarantined the file (C:\WINNT\system32\vtssqnl.dll -> Trojan.Agent.bi : Cleaned with backup (quarantined).)

3) In ATF, I couldn't click off the box for "Prefetch" because it was "disenabled."
Click to expand...
Yes, found out that it's not available in Win2000.


4) For some reason, AVG would mot run in same mode, despite an attempt to re-install it. I ran it in normal mode.
Click to expand...
Drats.. they still need to have this safe mode issue fixed.. Anyway, glad you ran it in normal mode. :)

Ok, one more thing that may be relevant: In between when I started having pop-up problems and posted on this forum, it was recommended to me that I update my Java to the newest version. I downloaded and installed "jre-6u1-windows-i586-p-iftw," but got a message saying that it wasn't compatible with my computer. So, have no idea how that is effecting any of this (I completely removed my old version Java before installing the new one).
Click to expand...
When updating Java it's always recommended to remove old version(s) first and after that install the latest one.


Delete c:\Vundofix Backups folder.

Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT


We need to re hide system files. To do so, please follow the steps below:
  1. Double-click My Computer.
  2. Click the Tools menu, and then click Folder Options.
  3. Click the View tab.
  4. Put a check by
    Hide file extensions for known file types.
  5. Under the
    Hidden files
    folder, select
    Show hidden files and folders.
  6. Check
    Hide protected operating system files.
  7. Click Apply, and then click OK.


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options. (note: all these options may not be available in IE 5)
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
Change the allow paste operations via script to Disable
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • Download Adaware
    Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial
    The program is available for download here
  • Download SpywareBlaster
    Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes
    kill bits
    in the registry, so that certain activex controls can't install.
    If you don't know what activex controls are, see here
    You can download SpywareBlaster here here
    SpywareBlaster tutorial
  • Download iespyad
    It puts many bad webpages on your restricted zones list. This means that you can still view the
    bad
    webpages, but the webpages cannot do certain things (such as use javascripts and cookies).
    If you need help understanding how it works, there is a tutorial here
    Download it here
  • hosts file:
    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. [*]Click the start button (at the lower left hand corner of your screen) [*]Click run [*]In the dialog box, type services.msc [*]hit enter, then locate dns client [*]Highlight it, then double-click it. [*]On the dropdown box, change the setting from automatic to manual. [*]Click ok


  • Get Anti Virus Software and keep it updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out. See here to choose one
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
    See here to choose one


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run the spybot and adaware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Stand up and be Counted.
NOW is the time you can start to hit back at the people who infected you.

Please take the time to go and complain - that forum has a topic for your infection which is Vundo please post as a reply, you do not need to register to do so (but you can if you wish). It will also have a list of other places you can go to to register your complaint, depending on the country you are resident in. Please read the topics and complain, it is only with such complaints to goverment or government agances that something will get done.
Click to expand...

Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade
 
Ugh - I'm not sure what the problem is, but I'm still getting pop-ups. I just ran spybot search and destroy and it indicates that I still have SmitFraud-C.Coreservice on my computer.

When I'm using Mozilla, there's virtually no problem, but if I use IE I'm immediately flooded. Do you have any idea what the problem is?

Oh, I should also mention that the spybot program freezes when I attempt to fix the checked files

Just for the record, here's a new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:05:24 PM, on 6/11/2007
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\mgabg.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\Smtray.exe
C:\WINNT\System32\Promon.exe
C:\WINNT\System32\PDesk\PDesk.exe
C:\WINNT\tppaldr.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINNT\tppaldr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\System32\mgabg.exe
 
Is this what you need? If not, let me know where I can find it - this is a report of my last Spybot S&D check:

(again, thanks for all your help)

--- Search result list ---
Smitfraud-C.CoreService: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\core

Smitfraud-C.CoreService: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\core

Smitfraud-C.CoreService: Data (File, nothing done)
C:\WINNT\system32\drivers\core.cache.dsk

Smitfraud-C.CoreService: System file (File, nothing done)
C:\WINNT\system32\drivers\core.sys

Advertising.com: Tracking cookie (Internet Explorer: Administrator) (Cookie, nothing done)


CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)


CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)


CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)


CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-06-11 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-06-06 Includes\Cookies.sbi (*)
2007-05-30 Includes\Dialer.sbi (*)
2007-06-06 Includes\DialerC.sbi (*)
2007-05-30 Includes\Hijackers.sbi (*)
2007-06-06 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2007-06-06 Includes\KeyloggersC.sbi (*)
2007-05-30 Includes\Malware.sbi (*)
2007-06-06 Includes\MalwareC.sbi (*)
2007-03-21 Includes\PUPS.sbi (*)
2007-06-06 Includes\PUPSC.sbi (*)
2007-06-06 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-06-06 Includes\SecurityC.sbi (*)
2007-06-06 Includes\Spybots.sbi (*)
2007-06-06 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-05-16 Includes\Trojans.sbi (*)
2007-06-06 Includes\TrojansC.sbi (*)



--- System information ---
Windows 2000 (Build: 2195) Service Pack 2


--- Startup entries list ---
Located: HK_LM:Run, !AVG Anti-Spyware
command: "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
file: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
size: 6731312
MD5: 5d6086e6d1e14d69723e7685ff595081

Located: HK_LM:Run, Matrox Powerdesk
command: C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
file: C:\WINNT\System32\PDesk\PDesk.exe
size: 622592
MD5: aa746544c5f39b32a91a0c8fe45d3c32

Located: HK_LM:Run, Promon.exe
command: Promon.exe
file: C:\WINNT\system32\Promon.exe
size: 29184
MD5: 953d76f56c42fa1ccd6c5ceae70f9471

Located: HK_LM:Run, Smapp
command: Smtray.exe
file: C:\WINNT\system32\Smtray.exe
size: 228355
MD5: a9c1978005b55657057b47db4cef6f63

Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
file: C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
size: 83608
MD5: 9c1c80bbf8e6044980890e2d2d91091c

Located: HK_LM:Run, Synchronization Manager
command: mobsync.exe /logon
file: C:\WINNT\system32\mobsync.exe
size: 111376
MD5: 8896de4ed047ba097e82d75e4da30d06

Located: HK_LM:Run, TPP Auto Loader
command: C:\WINNT\tppaldr.exe
file: C:\WINNT\tppaldr.exe
size: 118784
MD5: a90e85b4367dff9afdbf2ed109119d44

Located: Startup (common), Microsoft Office.lnk
command: C:\Program Files\Microsoft Office\Office\OSA9.EXE
file: C:\Program Files\Microsoft Office\Office\OSA9.EXE
size: 65588
MD5: c2d7b64e5113b8f1e3c0394711d2eb4d

Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll

Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll



--- Browser helper object list ---
{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\Program Files\Spybot - Search & Destroy\
Long name: SDHelper.dll
Short name:
Date (created): 6/11/2007 12:05:20 PM
Date (last access): 6/11/2007 3:36:20 PM
Date (last write): 5/31/2005 1:04:00 AM
Filesize: 853672
Attributes: archive
MD5: 250D787A5712D7768DDC133B3E477759
CRC32: D4589A41
Version: 1.4.0.0

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.6.0_01\bin\
Long name: ssv.dll
Short name:
Date (created): 6/11/2007 2:09:18 AM
Date (last access): 6/11/2007 3:36:20 PM
Date (last write): 3/14/2007 3:43:40 AM
Filesize: 501400
Attributes: archive
MD5: 70FD57D6EDBED8D80C1995257C99D27E
CRC32: 3CE654AC
Version: 6.0.10.6



--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
Installer:
Codebase: file://C:\WINNT\Java\classes\dajava.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINNT\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
DPF name:
CLSID name: Windows Genuine Advantage Validation Tool
Installer: C:\WINNT\Downloaded Program Files\LegitCheckControl.inf
Codebase: http://go.microsoft.com/fwlink/?linkid=39204
description:
classification: Legitimate
known filename: LegitCheckControl.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINNT\System32\
Long name: LegitCheckControl.DLL
Short name: LEGITC~1.DLL
Date (created): 4/24/2007 11:32:06 AM
Date (last access): 6/11/2007 4:34:24 PM
Date (last write): 4/24/2007 11:32:06 AM
Filesize: 1485696
Attributes: archive
MD5: F41FA54CD85AF8AACF8C7E084F6742F4
CRC32: 6328586B
Version: 1.7.36.0

{33564D57-0000-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINNT\Downloaded Program Files\WMV9VCM.inf
Codebase: http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_01
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.6.0_01\bin\
Long name: npjpi160_01.dll
Short name: NPJPI1~1.DLL
Date (created): 3/14/2007 2:04:46 AM
Date (last access): 6/11/2007 4:34:24 PM
Date (last write): 3/14/2007 3:43:42 AM
Filesize: 132760
Attributes: archive
MD5: F112FB2FD2EF66D439799E3F834DF000
CRC32: D2B09219
Version: 6.0.0.6

{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_01
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_01\bin\
Long name: npjpi160_01.dll
Short name: NPJPI1~1.DLL
Date (created): 3/14/2007 2:04:46 AM
Date (last access): 6/11/2007 4:34:24 PM
Date (last write): 3/14/2007 3:43:42 AM
Filesize: 132760
Attributes: archive
MD5: F112FB2FD2EF66D439799E3F834DF000
CRC32: D2B09219
Version: 6.0.0.6

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_01
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.6.0_01\bin\
Long name: npjpi160_01.dll
Short name: NPJPI1~1.DLL
Date (created): 3/14/2007 2:04:46 AM
Date (last access): 6/11/2007 4:34:24 PM
Date (last write): 3/14/2007 3:43:42 AM
Filesize: 132760
Attributes: archive
MD5: F112FB2FD2EF66D439799E3F834DF000
CRC32: D2B09219
Version: 6.0.0.6

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINNT\Downloaded Program Files\swflash.inf
Codebase: http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINNT\System32\Macromed\Flash\
Long name: Flash9c.ocx
Short name:
Date (created): 3/27/2007 4:04:00 PM
Date (last access): 6/11/2007 3:36:24 PM
Date (last write): 3/27/2007 4:04:00 PM
Filesize: 2267368
Attributes: readonly archive
MD5: D7E66E0215341B9950FAB1D749F9F692
CRC32: 65E35770
Version: 9.0.45.0



--- Process list ---
PID: 0 ( 0) [System]
PID: 140 ( 8) \SystemRoot\System32\smss.exe
PID: 164 ( 140) \??\C:\WINNT\system32\csrss.exe
PID: 184 ( 140) \??\C:\WINNT\system32\winlogon.exe
PID: 212 ( 184) C:\WINNT\system32\services.exe
size: 88848
MD5: 048811C03D7F71D2EDEC993348138480
PID: 224 ( 184) C:\WINNT\system32\lsass.exe
size: 33552
MD5: A26901CE15C815AE634BF2A6DEBE61E5
PID: 388 ( 212) C:\WINNT\system32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 416 ( 212) C:\WINNT\system32\spoolsv.exe
size: 44816
MD5: 34B45ED0176C838E0A3AF8CCEA44A630
PID: 444 ( 212) C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
size: 312880
MD5: 5DCD235C061022BCDA9AA48670B64211
PID: 464 ( 212) C:\WINNT\System32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 488 ( 212) C:\WINNT\System32\mgabg.exe
size: 81920
MD5: 7DFFB692C38E46E379572E1BD38AD5FC
PID: 516 ( 212) C:\WINNT\system32\regsvc.exe
size: 66832
MD5: B29752816C90F8C53D8C27A2C07DD906
PID: 548 ( 212) C:\WINNT\system32\MSTask.exe
size: 118032
MD5: F4398408A3A6C5ABC7EA9195618B6B79
PID: 600 ( 212) C:\WINNT\System32\WBEM\WinMgmt.exe
size: 196685
MD5: 8666E38ABD56D9D325026C4D869CCDF7
PID: 892 ( 860) C:\WINNT\Explorer.EXE
size: 242960
MD5: 5F3BA74126D0ABC8E113D2AEB86B65CF
PID: 764 ( 892) C:\WINNT\System32\Smtray.exe
size: 228355
MD5: A9C1978005B55657057B47DB4CEF6F63
PID: 768 ( 892) C:\WINNT\System32\Promon.exe
size: 29184
MD5: 953D76F56C42FA1CCD6C5CEAE70F9471
PID: 756 ( 892) C:\WINNT\System32\PDesk\PDesk.exe
size: 622592
MD5: AA746544C5F39B32A91A0C8FE45D3C32
PID: 740 ( 892) C:\WINNT\tppaldr.exe
size: 118784
MD5: A90E85B4367DFF9AFDBF2ED109119D44
PID: 1012 ( 892) C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
size: 83608
MD5: 9C1C80BBF8E6044980890E2D2D91091C
PID: 1020 ( 892) C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
size: 6731312
MD5: 5D6086E6D1E14D69723E7685FF595081
PID: 508 ( 892) C:\Program Files\Mozilla Firefox\firefox.exe
size: 7637104
MD5: 77C6AB4E70E7FC35E17B8ED919408B62
PID: 1240 ( 892) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 8 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 6/11/2007 4:34:58 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINNT\System32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.msn.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.msn.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F6351CF9-8F12-42FE-962D-FAEBE5430DA0}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F6351CF9-8F12-42FE-962D-FAEBE5430DA0}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4ED4CB14-9920-4911-8FB5-20B980F9961A}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4ED4CB14-9920-4911-8FB5-20B980F9961A}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{BFD283D1-2109-474A-839E-86E72EC4B716}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{BFD283D1-2109-474A-839E-86E72EC4B716}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1D27240A-5E96-4651-A744-E21D6464C4B9}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1D27240A-5E96-4651-A744-E21D6464C4B9}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\rnr20.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS
 
Ok - I just cut that report off once it reached the "Uninstall List" because it was too long to include. Let me know if you need info from it.
 
Yes, that was the right one :)

Save text below as fix.reg on Notepad (save it as all files (*.*)) on the Desktop.

Code: 
REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\core]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\core]

It should look like this ->
reg.gif


Doubleclick fix.reg, press Yes and ok.

(In case you are unsure how to create a reg file, take a look here with screenshots.)


Please download the Killbox © Option^Explicit.
Unzip it to the desktop but do NOT run it yet.

Copy the text to a Notepad file and save it to your desktop! We will need the file later.

Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

Once in Safe Mode, please run Killbox.

Select "Delete on Reboot".

Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINNT\system32\drivers\core.cache.dsk
C:\WINNT\system32\drivers\core.sys

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually. Rescan with Spybot after that.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..
 
I followed the instructions, but Smitfraud-C.Coreservice was still there when I ran Spybot S&D after it all.

I couldn't figure out which program to use to unzip Killbox from the link you provided, so I downloaded it directly from Killbox.net. I went through the process once and when it didn't work, I downloaded the Beta version of Killbox from Killbox.net.

Also, when I ran Killbox in safemode the first time, I didn't receive any "Pending Operations" prompt.

The second time I ran it, I received a prompt about something to the effect of "Pending Operations... by outside source" to which I could only click "Ok" (not "yes" or "no."). Also the second time I ran it, the computer did not reboot itself.

Please let me know if there is anything further I can do.

Also, I mentioned it briefly before - but I'm not sure if it matters - I have no working version of Java on my computer and I haven't installed all of the most updated service packs for windows. I have no idea if that will effect anything, but I just wanted to make sure you knew that my computer is pretty old and I certainly haven't kept up with updates.



I have one other semi-related question that should have a simple "yes" or "no" answer: is it safe to copy some files off the c: drive onto an external Lacie drive without any risk of infection to the external drive whatsoever?

Here's the reason I ask: I have a Lacie external drive that I haven't had hooked up for a week or two (since before I started having this trojan horse problem) and this drive has some very important, irreproducible stuff on it (a bunch digitized DV footage that I've been cutting with Avid). However, all of the Avid media/program files required to make use of this external drive are on my C: drive (with the virus). I don't want to run any risk at all of infecting that external drive with a virus, but I very much want to make sure that the stuff on it usable if this smitfraud virus ends up being a total disaster for the c: drive. Essentially, I'd love it if I could make the external drive stand alone and hook it up to another computer if need be. I'm sorry if that's too unrelated, it would just reduce my level of stress immeasurably to know that I could do that - regardless of what happens with the smitfraud.


again, thanks for all your help...
 
also, just now re-reading the "how to make a reg file" instructions - it says that I need to "leave a blank line after the text" for it to work - which I did the first time through, but forgot to do that the second time through.

Again, not sure what info will be helpful to you, but I just want to keep you informed.
 
Let's take Combofix way..

Hi


1. Download this file -
combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your
next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause
it to stall

I have one other semi-related question that should have a simple "yes" or "no" answer: is it safe to copy some files off the c: drive onto an external Lacie drive without any risk of infection to the external drive whatsoever?
Click to expand...
It's safe unless you're going to copy system files.
 
When I tried to follow the combofix link just now, I got a "404 Not Found The requested URL '/sUBs/combofix.exe' was not found on this server."
 
appears to have worked...

ok - I got combofix to download.

Here's the log (it says it deleted the stuff we were targeting with killbox...):

ComboFix 07-06-13.3 - C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
"Administrator" - 2007-06-13 14:57:49 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\$winbrd.dll
C:\WINNT\system32\acserf.dll
C:\WINNT\system32\act000.dll
C:\WINNT\system32\adsat.dll
C:\WINNT\system32\atm866.dll
C:\WINNT\system32\atmtil.dll
C:\WINNT\system32\cactrs.dll
C:\WINNT\system32\cdfcsp.dll
C:\WINNT\system32\cdmmui.dll
C:\WINNT\system32\clicm32.dll
C:\WINNT\system32\cmcocn.dll
C:\WINNT\system32\cnethts.dll
C:\WINNT\system32\conmon.dll
C:\WINNT\system32\crypol.dll
C:\WINNT\system32\csrm32.dll
C:\WINNT\system32\c_1inn.dll
C:\WINNT\system32\c_1lui.dll
C:\WINNT\system32\c_2min.dll
C:\WINNT\system32\c_5pxn.dll
C:\WINNT\system32\c_8der.dll
C:\WINNT\system32\d3delp.dll
C:\WINNT\system32\ddemmat.dll
C:\WINNT\system32\des605.dll
C:\WINNT\system32\descsp.dll
C:\WINNT\system32\dgsFIG.dll
C:\WINNT\system32\dimm32.dll
C:\WINNT\system32\disftp.dll
C:\WINNT\system32\disula.dll
C:\WINNT\system32\dmsamp.dll
C:\WINNT\system32\dmsntr.dll
C:\WINNT\system32\dplntr.dll
C:\WINNT\system32\dpnrad.dll
C:\WINNT\system32\ds3ula.dll
C:\WINNT\system32\esenusr.dll
C:\WINNT\system32\expnum.dll
C:\WINNT\system32\faxmgr.dll
C:\WINNT\system32\FNTdne.dll
C:\WINNT\system32\gpkfig.dll
C:\WINNT\system32\hpmasf.dll
C:\WINNT\system32\imgdne.dll
C:\WINNT\system32\iplask.dll
C:\WINNT\system32\ipssvc.dll
C:\WINNT\system32\kandfc.dll
C:\WINNT\system32\locfrm.dll
C:\WINNT\system32\mainrds.dll
C:\WINNT\system32\mfctrs.dll
C:\WINNT\system32\mmefthk.dll
C:\WINNT\system32\mod932.dll
C:\WINNT\system32\byvsr.exe
C:\WINNT\system32\cbaww.exe
C:\WINNT\system32\cbawx.exe
C:\WINNT\system32\cbaxv.exe
C:\WINNT\system32\cbxww.exe
C:\WINNT\system32\cbxxv.exe
C:\WINNT\system32\efcab.exe
C:\WINNT\system32\efcda.exe
C:\WINNT\system32\efecy.exe
C:\WINNT\system32\fccbb.exe
C:\WINNT\system32\fcyvu.exe
C:\WINNT\system32\fcywx.exe
C:\WINNT\system32\gebyx.exe
C:\WINNT\system32\geebc.exe
C:\WINNT\system32\geeff.exe
C:\WINNT\system32\hgdax.exe
C:\WINNT\system32\iiiji.exe
C:\WINNT\system32\iiijj.exe
C:\WINNT\system32\jkhff.exe
C:\WINNT\system32\jkkjh.exe
C:\WINNT\system32\khhgg.exe
C:\WINNT\system32\ljjgd.exe
C:\WINNT\system32\ljjgf.exe
C:\WINNT\system32\ljjjk.exe
C:\WINNT\system32\mljji.exe
C:\WINNT\system32\nnnom.exe
C:\WINNT\system32\nnnon.exe
C:\WINNT\system32\opnop.exe
C:\WINNT\system32\opppp.exe
C:\WINNT\system32\pmklm.exe
C:\WINNT\system32\qopmj.exe
C:\WINNT\system32\rqono.exe
C:\WINNT\system32\rqrsq.exe
C:\WINNT\system32\tuvvs.exe
C:\WINNT\system32\urqqr.exe
C:\WINNT\system32\urspm.exe
C:\WINNT\system32\vtutq.exe
C:\WINNT\system32\wvust.exe
C:\WINNT\system32\wvwuu.exe
C:\WINNT\system32\wvwxx.exe
C:\WINNT\system32\yayaa.exe
C:\WINNT\system32\yayaw.exe
C:\WINNT\system32\yayvs.exe
C:\WINNT\system32\yayxu.exe
C:\WINNT\system32\yayxv.exe
C:\WINNT\system32\yayyv.exe


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\Temp\tn3
C:\WINNT\cs_cache.ini
C:\WINNT\rau001978.exe
C:\WINNT\system32\drivers\core.cache.dsk
C:\WINNT\system32\drivers\core.sys
C:\WINNT\system32\media
C:\WINNT\system32\media\AvidRender.wav
C:\WINNT\system32\pog
C:\WINNT\system32\T3
C:\WINNT\system32\T4


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\core
-------\Net Agent


((((((((((((((((((((((((( Files Created from 2007-05-13 to 2007-06-13 )))))))))))))))))))))))))))))))


2007-06-13 14:53 49,152 --a------ C:\WINNT\nircmd.exe
2007-06-12 21:26 <DIR> d-------- C:\!KillBox
2007-06-11 13:41 10,872 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys
2007-06-11 01:56 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-06-11 01:07 <DIR> d-------- C:\AntiSpyWare
2007-06-11 00:19 <DIR> d-------- C:\VundoFix Backups
2007-06-10 23:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-10 22:56 0 --a------ C:\WINNT\nsreg.dat
2007-06-10 21:44 39,936 --a------ C:\WINNT\system32\msisip.dll
2007-06-10 21:05 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AdwareAlert
2007-06-10 20:46 <DIR> d-------- C:\WINNT\system32\TQ0
2007-06-10 20:46 <DIR> d-------- C:\WINNT\system32\T7
2007-06-10 20:46 <DIR> d-------- C:\WINNT\system32\T6
2007-06-10 20:46 <DIR> d-------- C:\WINNT\system32\T1QaSQ
2007-06-10 20:46 <DIR> d-------- C:\Temp\x2b
2007-06-10 20:46 <DIR> d-------- C:\Temp
2007-06-03 15:58 48,014 --a------ C:\WINNT\system32\pmnkk.exe
2007-06-03 15:45 48,014 --a------ C:\WINNT\system32\byxww.exe
2007-05-27 04:04 11,830 --a------ C:\DOCUME~1\ADMINI~1\tm.exe
2007-05-27 03:15 <DIR> d-------- C:\WINNT\system32\Macromed
2007-05-26 22:08 36,013 -ra------ C:\WINNT\system32\drivers\lne100v5.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-11 01:52:04 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-29 04:40:07 -------- d-----w C:\Program Files\SHOW Player


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [05-05-31 01:04 ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [07-03-14 03:43 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [01-05-08 08:00 C:\WINNT\system32\mobsync.exe]
"Smapp"="Smtray.exe" [00-12-21 18:47 C:\WINNT\system32\SMTray.exe]
"Promon.exe"="Promon.exe" [00-04-13 06:34 C:\WINNT\system32\promon.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [07-03-14 03:43 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [07-05-30 08:29 ]

*Newly Created Service* - IPNAT
*Newly Created Service* - SHAREDACCESS

Contents of the 'Scheduled Tasks' folder
2007-06-11 01:05:44 C:\WINNT\tasks\AdwareAlert Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-13 15:01:19
Windows 5.0.2195 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-13 15:01:52 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-06-13 15:01

--- E O F ---
 
ok, I also just ran spybot and smitfraud is gone! I tooled around on the internet some as well and the pop-up problem seems to be totally solved.

thank you very much for all your help! let me know if there's anything further I need to do.
 
Something to do

Hi

Delete following folders:
C:\VundoFix Backups
C:\WINNT\system32\TQ0
C:\WINNT\system32\T7
C:\WINNT\system32\T6
C:\WINNT\system32\T1QaSQ
C:\Temp\x2b

and files:
C:\WINNT\system32\pmnkk.exe
C:\WINNT\system32\byxww.exe
C:\Documents And Settings\Administrator\tm.exe

Post when you are ready :)
 
You must log in or register to reply here.
Back
Top