PDA

View Full Version : Possible false positive? Smitfraud-C Toolbar888



Clara4284
2007-06-18, 04:03
Hello there, I'm in need of some expert help. Spybot detected Smitfraud on my computer last week. I took all the measures I could to get rid of it, but even though Smitfraudfix does not detect any infections, Spybot still accuses one entry:

--- Search result list ---
Smitfraud-C.Toolbar888: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-854245398-1614895754-725345543-1005\Software\Microsoft\aldd

It says it's fixed, but it always shows back up. I can't find anything that looks like it could be it on my HJT log either, though I'm by no means an expert and don't really know if I'm looking the right way. Can this be a false positive?

I'm using S&D 1.4, latest detection update 2007-06-13, plus AVG Free Edition 7.5.472 and Sygate Personal Firewall 5.6 build 2808. And Spyware Blaster.

nrshapiro
2007-06-18, 23:37
I have the same problem. Oddly enough too, if I scan under my admin account, or in safe mode, spybot doesn't find it.

However, on my son's account, it finds it each time I re-log in to his userid on the machine.

--- Search result list ---
Smitfraud-C.Toolbar888: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1416163055-3445941883-4294521060-1013\Software\Microsoft\aldd


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

Yodama
2007-06-19, 15:26
hi,

this may be a false positive, but due to the nature of Smitfraud.Toolbar888 it may also still be present.

We will require Spybot S&D logs of your computers to see if there is anything suspicious left. Please attach them to your next posts.

Clara4284
2007-06-21, 05:03
Okay, here's my full Spybot log. My system changed since my first post, because my sister bought Norton 360.



--- Search result list ---
Smitfraud-C.Toolbar888: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-854245398-1614895754-725345543-1005\Software\Microsoft\aldd

Microsoft.WindowsSecurityCenter.UpdateDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0

Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-10-10 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-06-13 Includes\Cookies.sbi (*)
2007-05-30 Includes\Dialer.sbi (*)
2007-06-13 Includes\DialerC.sbi (*)
2007-06-13 Includes\Hijackers.sbi (*)
2007-06-13 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2007-06-13 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-05-30 Includes\Malware.sbi (*)
2007-06-13 Includes\MalwareC.sbi (*)
2007-03-21 Includes\PUPS.sbi (*)
2007-06-13 Includes\PUPSC.sbi (*)
2007-06-13 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-06-13 Includes\SecurityC.sbi (*)
2007-06-06 Includes\Spybots.sbi (*)
2007-06-13 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-05-16 Includes\Trojans.sbi (*)
2007-06-13 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll



--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ Internet Explorer 6 / SP1: Windows XP Hotfix - KB867282
/ Windows Media Player 6.4: Atualização de Segurança para o Windows Media Player 6.4 (KB925398)
/ Windows Media Player 9: Atualização de Segurança para o Windows Media Player 9 (KB917734)
/ Windows XP: Atualização de Segurança para Windows XP (KB923689)
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB867282
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB883939)
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB890923
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB893066)
/ Windows XP / SP3: Windows XP Hotfix - KB893086
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Atualização para Windows XP (KB894391)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB896358)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB896422)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB896423)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB896424)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB896428)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB896688)
/ Windows XP / SP3: Atualização para Windows XP (KB896727)
/ Windows XP / SP3: Atualização para Windows XP (KB898461)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB899587)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB899588)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB899589)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB899591)
/ Windows XP / SP3: Atualização para Windows XP (KB900485)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB900725)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB901017)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB901214)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB902400)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB903235)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB904706)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB905414)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB905749)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB905915)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB908519)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB908531)
/ Windows XP / SP3: Atualização para Windows XP (KB910437)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB911280)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB911562)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB911567)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB911927)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB912812)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB912919)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB913446)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB913580)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB914388)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB914389)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB916281)
/ Windows XP / SP3: Atualização para Windows XP (KB916595)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB917159)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB917344)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB917422)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB917953)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB918118)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB918439)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB918899)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB919007)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB920213)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB920214)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB920670)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB920683)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB920685)
/ Windows XP / SP3: Atualização para Windows XP (KB920872)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB921398)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB921883)
/ Windows XP / SP3: Atualização para Windows XP (KB922582)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB922616)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB922760)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB922819)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB923191)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB923414)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB923694)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB923980)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB924191)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB924270)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB924496)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB924667)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB925454)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB925486)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB926255)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB926436)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB927779)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB927802)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB928090)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB928255)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB928843)
/ Windows XP / SP3: Atualização para Windows XP (KB929338)
/ Windows XP / SP3: Atualização de Segurança para Windows XP (KB929969)
/ Windows XP / SP3: Atualização para Windows XP (KB931836)


--- Startup entries list ---
Located: HK_LM:Run, ccApp
command: "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
file: C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
size: 115816
MD5: 25be770865658cb79100117112819a7c

Located: HK_LM:Run, EPSON Stylus C43 Series (cópia 1)
command: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S08IC1.EXE /P33 "EPSON Stylus C43 Series (cópia 1)" /O5 "LPT1:" /M "Stylus C43"
file: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S08IC1.EXE
size: 75776
MD5: a0d03e1d45ae308ef87bc0a7f04c3bd3

Located: HK_LM:Run, LanguageShortcut
command: "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"
file: C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe
size: 54832
MD5: 2798313dbb6ae778207eb1b1c68a1988

Located: HK_LM:Run, NeroFilterCheck
command: C:\WINDOWS\system32\NeroCheck.exe
file: C:\WINDOWS\system32\NeroCheck.exe
size: 155648
MD5: 3e4c03cefad8de135263236b61a49c90

Located: HK_LM:Run, QuickTime Task
command: "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
file: C:\Arquivos de programas\QuickTime\qttask.exe
size: 282624
MD5: 7fbe43046efdf24fc9375024e4d02ac9

Located: HK_LM:Run, RemoteControl
command: "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
file: C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
size: 71216
MD5: 459ba26605d6721ddef0922a59c2fa29

Located: HK_LM:RunServices, RegisterDropHandler
command: C:\ARQUIV~1\TEXTBR~1.0\Bin\REGIST~1.EXE
file:

Located: HK_CU:Run, NBJ
command: "C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe"
file: C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe
size: 1961984
MD5: a459e38e7c878a57b03280a000038764

Located: Startup (common), Adobe Reader Speed Launch.lnk
command: C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe
file: C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe
size: 40048
MD5: 54c88bfbd055621e2306534f445c0c8d

Located: Startup (common), Adobe Reader Synchronizer.lnk
command: C:\Arquivos de programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
file: C:\Arquivos de programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
size: 734872
MD5: 169c293ce9460a05646d17dc6aa2fb2c

Located: Startup (user), Adobe Gamma.lnk
command: C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
file: C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
size: 113664
MD5: c2ff17734176cd15221c10044ef0ba1a

Located: Startup (disabled), Adobe Reader Speed Launch (DISABLED)
command: C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe
file: C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe
size: 40048
MD5: 54c88bfbd055621e2306534f445c0c8d

Located: Startup (disabled), Adobe Reader Synchronizer (DISABLED)
command: D:\Programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
file:

Located: Startup (disabled), Microsoft Office (DISABLED)
command: D:\Programas\Microsoft Office\Office\OSA9.EXE -b -l
file:

Located: Startup (disabled), Utility Tray (DISABLED)
command: C:\WINDOWS\system32\sistray.exe
file: C:\WINDOWS\system32\sistray.exe
size: 331776
MD5: 75d2905cc72d4deb2771eef42a809c35

Located: Startup (disabled), Adobe Gamma (DISABLED)
command: C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
file: C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
size: 113664
MD5: c2ff17734176cd15221c10044ef0ba1a

Located: Startup (disabled), Webshots (DISABLED)
command: C:\Arquivos de programas\Webshots\Launcher.exe /t
file:

Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll

Located: System.ini, ScCertProp
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, Schedule
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll

Located: System.ini, termsrv
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, WgaLogon
command:
file:

Located: System.ini, wlballoon
command: wlnotify.dll
file: wlnotify.dll

Clara4284
2007-06-21, 05:04
--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
BHO name:
CLSID name: Adobe PDF Reader Link Helper
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 22/10/2006 23:08:42
Date (last access): 20/6/2007 18:22:14
Date (last write): 22/10/2006 23:08:42
Filesize: 62080
Attributes: archive
MD5: C11F6A1F61481E24BE3FDC06EA6F7D2A
CRC32: E388508F
Version: 8.0.0.456

{1E8A6170-7264-4D0F-BEAE-D42A53123C75} ()
BHO name:
CLSID name:
Path: C:\Arquivos de programas\Arquivos comuns\Symantec Shared\coShared\Browser\1.5\
Long name: NppBHO.dll
Short name:
Date (created): 19/2/2007 00:22:56
Date (last access): 20/6/2007 22:19:32
Date (last write): 19/2/2007 00:22:56
Filesize: 97960
Attributes: readonly archive
MD5: FE48BB4C64B6D42EB637732D9D2962E4
CRC32: 9D5C5BBE
Version: 2007.1.7.4

{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\ARQUIV~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 12/5/2004 01:03:00
Date (last access): 20/6/2007 22:50:54
Date (last write): 31/5/2005 01:04:00
Filesize: 853672
Attributes: archive
MD5: 250D787A5712D7768DDC133B3E477759
CRC32: D4589A41
Version: 1.4.0.0

{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: spehiqct.dll

{5DAB07FD-760C-453F-A9F1-44E5CFB63905} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: sstqq.dll

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} ()
BHO name:
CLSID name:

{7E853D72-626A-48EC-A868-BA8D5E23E045} ()
BHO name:
CLSID name:

{BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
BHO name:
CLSID name: CNavExtBho Class
description: Norton Antivirus
classification: Legitimate
known filename: NavShExt.dll
info link: http://www.symantec.com/nav/nav_9xnt/
info source: TonyKlein

{C41A1C0E-EA6C-11D4-B1B8-444553540000} (G-Buster Browser Defense)
BHO name: G-Buster Browser Defense
CLSID name: GbIehObj Class
description: G-Buster Browser Defense
classification: Legitimate
known filename: gbieh.dll
info link:
info source: TonyKlein
Path: C:\WINDOWS\Downloaded Program Files\
Long name: gbieh.dll
Short name:
Date (created): 16/5/2005 14:21:04
Date (last access): 20/6/2007 22:18:56
Date (last write): 22/2/2007 15:00:58
Filesize: 228392
Attributes: archive
MD5: 650265603A66CBE661E01C342C944CEF
CRC32: 5FA659BD
Version: 3.1.5.13

{C41A1C0E-EA6C-11D4-B1B8-444553540007} (G-Buster Browser Defense Real)
BHO name: G-Buster Browser Defense Real
CLSID name: GbIehObj Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: gbiehabn.dll
Short name:
Date (created): 3/10/2005 09:01:46
Date (last access): 20/6/2007 22:18:56
Date (last write): 3/10/2005 09:01:46
Filesize: 140968
Attributes: archive
MD5: ACD40895997247FC46EDE3F5044C1A47
CRC32: E2840214
Version: 2.7.2.17



--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\dajava.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control)
DPF name:
CLSID name: ewidoOnlineScan Control
Installer:
Codebase: http://downloads.ewido.net/ewidoOnlineScan.cab
description:
classification: Legitimate
known filename: EWIDOO~1.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLO~1\
Long name: ewidoOnlineScan.dll
Short name: EWIDOO~1.DLL
Date (created): 11/7/2006 09:41:36
Date (last access): 20/6/2007 22:18:56
Date (last write): 11/7/2006 09:41:36
Filesize: 345656
Attributes: archive
MD5: B284992540E0FA2B76DEA56F93D49A16
CRC32: FD2E709C
Version: 1.0.0.4

{E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class)
DPF name:
CLSID name: GbPluginObj Class
Installer: C:\WINDOWS\Downloaded Program Files\GbPluginABN.inf
Codebase: https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: gbiehabn.dll
Short name:
Date (created): 3/10/2005 09:01:46
Date (last access): 20/6/2007 22:18:56
Date (last write): 3/10/2005 09:01:46
Filesize: 140968
Attributes: archive
MD5: ACD40895997247FC46EDE3F5044C1A47
CRC32: E2840214
Version: 2.7.2.17

{E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class)
DPF name:
CLSID name: GbPluginObj Class
Installer: C:\WINDOWS\Downloaded Program Files\GbPluginBb.inf
Codebase: https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
description:
classification: Open for discussion
known filename: GBIEH.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: gbieh.dll
Short name:
Date (created): 16/5/2005 14:21:04
Date (last access): 20/6/2007 22:18:56
Date (last write): 22/2/2007 15:00:58
Filesize: 228392
Attributes: archive
MD5: 650265603A66CBE661E01C342C944CEF
CRC32: 5FA659BD
Version: 3.1.5.13

Clara4284
2007-06-21, 05:05
--- Process list ---
PID: 0 ( 0) [System]
PID: 496 ( 4) \SystemRoot\System32\smss.exe
PID: 552 ( 496) \??\C:\WINDOWS\system32\csrss.exe
PID: 576 ( 496) \??\C:\WINDOWS\system32\winlogon.exe
PID: 620 ( 576) C:\WINDOWS\system32\services.exe
size: 108544
MD5: CC73C4430C2FC27FDE16A0A4E3678148
PID: 632 ( 576) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 35C6463B3C5F62D2B20C953B6E1538E9
PID: 812 ( 620) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 5DE3E7B6F7624552F2F06664F110820D
PID: 860 ( 620) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 5DE3E7B6F7624552F2F06664F110820D
PID: 924 ( 620) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 5DE3E7B6F7624552F2F06664F110820D
PID: 1000 ( 620) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 5DE3E7B6F7624552F2F06664F110820D
PID: 1092 ( 620) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 5DE3E7B6F7624552F2F06664F110820D
PID: 1200 ( 620) C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
size: 108648
MD5: FE69C498B922CE835E2E2123FBD0A272
PID: 1384 ( 620) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
PID: 1784 ( 620) C:\Arquivos de programas\CyberLink\Shared files\RichVideo.exe
size: 173616
MD5: 1D4061CC5BC8E823D05E1E6E6C1224E3
PID: 1888 ( 620) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 5DE3E7B6F7624552F2F06664F110820D
PID: 1920 ( 620) C:\WINDOWS\system32\wdfmgr.exe
size: 38912
MD5: 49501C6BE752D5043ADA8667AC774F7A
PID: 408 ( 620) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: 379C7AC3EBCB636ECDB704E188A96A13
PID: 1016 (1492) C:\WINDOWS\Explorer.EXE
size: 1034240
MD5: FA61A19050AE14BEC1A26DE82390DD65
PID: 1528 (1016) C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
size: 71216
MD5: 459BA26605D6721DDEF0922A59C2FA29
PID: 1164 (1016) C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
size: 115816
MD5: 25BE770865658CB79100117112819A7C
PID: 2640 (1016) C:\Arquivos de programas\utorrent.exe
size: 177152
MD5: E3013175D75CB6ABBB55F61FDFEF7F50
PID: 1296 ( 620) C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
size: 1174664
MD5: 43CFCA936D211BF7F1CDE1DDF807CB76
PID: 2852 (1016) C:\Arquivos de programas\Mozilla Firefox\firefox.exe
size: 7637104
MD5: 77C6AB4E70E7FC35E17B8ED919408B62
PID: 3832 (1016) C:\Arquivos de programas\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 4 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 20/6/2007 22:59:45

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\windows\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://home.microsoft.com/access/autosearch.asp?p=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\windows\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D6B9EDF0-41A7-43CF-BD2D-D95AE24BE618}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D6B9EDF0-41A7-43CF-BD2D-D95AE24BE618}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4C654A62-BACD-4C18-AFC1-FF1A21EE9867}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4C654A62-BACD-4C18-AFC1-FF1A21EE9867}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F64A13F9-130E-4F59-B438-98A7038E16BE}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F64A13F9-130E-4F59-B438-98A7038E16BE}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{324DB7AB-4E37-4C80-9E4F-733F398BDD29}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{324DB7AB-4E37-4C80-9E4F-733F398BDD29}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{3D281B4E-BAE0-4ED0-86AF-009B44BE0682}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{3D281B4E-BAE0-4ED0-86AF-009B44BE0682}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Espaço para nome do reconhecimento de local da rede (NLA)
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

//END

If there's anything in Portuguese in there that you need translated, just ask.

Yodama
2007-06-21, 09:09
thank you for posting your log file, but attach the textfile containing the log file to your post the next time, that way the thread will be more clearly laid out.

now to your log:

{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: spehiqct.dll

{5DAB07FD-760C-453F-A9F1-44E5CFB63905} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: sstqq.dll

these 2 browser helper objects are related to Smitfraud-C.Toolbar888 (also known as Vundo or Virtumonde).

Alternative A)
If you send me your email address by pm, I can sent you a quick fix to have Spybot remove this.

Alternative B)
You can also remove them manually from the BHOs in the tools section of the Spybot S&D advanced mode, after that you will have to remove the files.


We will require another log file after the BHOs and files have been removed to check if there is nothing left.

Clara4284
2007-06-21, 20:09
Oh, very sorry about that, but thanks for taking a look anyway. I just PMed you with my email.

icebluerose
2007-07-04, 06:53
Hello,
After downloading some keygens, i suspect my pc has been infected by spyware. A pop-up advertisement keeps appearing intermitently. when i scanned with spybot the Smitfraud-C.Toolbar appears. Every time i fix it, it appears in the nexr scan.

Does it have anything to do with the pop-up ad? Can anyone help me with this problem? Thanks in advance.

My spybot log is:
--- Search result list ---
Smitfraud-C.Toolbar888: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR

Virtumonde: Library (File, fixed)
C:\WINDOWS\system32\winopn32.dll_tobedeleted_old

DoubleClick: Tracking cookie (Internet Explorer: user) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-12-24 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-06-27 Includes\Cookies.sbi (*)
2007-05-30 Includes\Dialer.sbi (*)
2007-06-27 Includes\DialerC.sbi (*)
2007-06-20 Includes\Hijackers.sbi (*)
2007-06-27 Includes\HijackersC.sbi (*)
2007-06-27 Includes\Keyloggers.sbi (*)
2007-06-27 Includes\KeyloggersC.sbi (*)
2007-06-20 Includes\Malware.sbi (*)
2007-06-27 Includes\MalwareC.sbi (*)
2007-03-21 Includes\PUPS.sbi (*)
2007-06-27 Includes\PUPSC.sbi (*)
2007-06-27 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-06-27 Includes\SecurityC.sbi (*)
2007-06-20 Includes\Spybots.sbi (*)
2007-06-27 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-06-27 Includes\Trojans.sbi (*)
2007-06-27 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll

--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ Windows Media Player 10: Security Update for Windows Media Player 10 (KB911565)
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB885884
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893066)
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896422)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896424)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Security Update for Windows XP (KB896688)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899589)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Update for Windows XP (KB900485)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901190)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Security Update for Windows XP (KB904706)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP / SP3: Security Update for Windows XP (KB905915)
/ Windows XP / SP3: Security Update for Windows XP (KB908519)
/ Windows XP / SP3: Security Update for Windows XP (KB908531)
/ Windows XP / SP3: Update for Windows XP (KB910437)
/ Windows XP / SP3: Security Update for Windows XP (KB911562)
/ Windows XP / SP3: Security Update for Windows XP (KB911567)
/ Windows XP / SP3: Security Update for Windows XP (KB911927)
/ Windows XP / SP3: Security Update for Windows XP (KB912812)
/ Windows XP / SP3: Security Update for Windows XP (KB912919)
/ Windows XP / SP3: Security Update for Windows XP (KB913446)


--- Startup entries list ---
Located: HK_LM:Run, AVG7_CC
command: C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
file: C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
size: 416256
MD5: 2200c98c049de1a7638ea0edba1c8882

Located: HK_LM:Run, DataLayer
command: C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
file: C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
size: 986624
MD5: 9c31d663ad677563f206c9aa2f577217

Located: HK_LM:Run, IMJPMIG8.1
command: "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
file: C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE
size: 208952
MD5: 7bbe4cf421aecc7f0226edd75f12079f

Located: HK_LM:Run, IMONTRAY
command: C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
file: C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
size: 32768
MD5: 3ddae3fe5de161f6a70ef94f98ebb7db

Located: HK_LM:Run, InCD
command: C:\Program Files\Ahead\InCD\InCD.exe
file: C:\Program Files\Ahead\InCD\InCD.exe
size: 1200178
MD5: d80b1f959e2ce36a0d8bd171262e2fe5

Located: HK_LM:Run, MSPY2002
command: C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
file: C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
size: 59392
MD5: 1b17e09c1223f6d17336d2dd7a1af4f4

Located: HK_LM:Run, NeroCheck
command: C:\WINDOWS\system32\\NeroCheck.exe
file: C:\WINDOWS\system32\\NeroCheck.exe
size: 155648
MD5: 3e4c03cefad8de135263236b61a49c90

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
file: C:\WINDOWS\system32\RUNDLL32.EXE
size: 33280
MD5: da285490bbd8a1d0ce6623577d5ba1ff

Located: HK_LM:Run, NvMediaCenter
command: RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
file: C:\WINDOWS\system32\RUNDLL32.EXE
size: 33280
MD5: da285490bbd8a1d0ce6623577d5ba1ff

Located: HK_LM:Run, nwiz
command: nwiz.exe /install
file: C:\WINDOWS\system32\nwiz.exe
size: 782336
MD5: ea7b37b0aca0d471629eb92270402322

Located: HK_LM:Run, PCSuiteTrayApplication
command: C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
file: C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
size: 148992
MD5: a4919f47cf60fcfea71a372a506dde5e

Located: HK_LM:Run, PHIME2002A
command: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
file: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
size: 455168
MD5: 024dc0f68df5fd6ae9dd82dfbaf479d6

Located: HK_LM:Run, PHIME2002ASync
command: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
file: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
size: 455168
MD5: 024dc0f68df5fd6ae9dd82dfbaf479d6

Located: HK_LM:Run, ServiceHost
command: "C:\Program Files\Java\jre1.5.0_06\bin\svchost.exe" ""
file: C:\Program Files\Java\jre1.5.0_06\bin\svchost.exe
size: 147968
MD5: 6fd938c263c1ab6e7272c88953dc8887

Located: HK_LM:Run, SoundMAX
command: "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
file: C:\Program Files\Analog Devices\SoundMAX\smax4.exe
size: 585728
MD5: 5fa14654b827bc70dc14de586dc5d493

Located: HK_LM:Run, SoundMAXPnP
command: C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
file: C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
size: 790528
MD5: 8a6ef2d20da01fc5934f63de43752c1b

Located: HK_LM:Run, SunJavaUpdateSched
command: C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
file: C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
size: 36975
MD5: 61a3a9d5d98bf0331df5b716144a8100

Located: HK_LM:Run, TkBellExe
command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 180269
MD5: 006220ee86eb71c5884f415eaa9e8058

Located: HK_LM:Run, WinampAgent
command: C:\Documents and Settings\user\My Documents\Winamp\winampa.exe
file:

Located: HK_LM:RunOnce, SpybotDeletingA4407
command: command /c del "C:\WINDOWS\system32\winopn32.dll_tobedeleted_old_tobedeleted_old"
file:

Located: HK_LM:RunOnce, SpybotDeletingA8858
command: command /c del "C:\WINDOWS\system32\winopn32.dll_tobedeleted_old"
file:

Located: HK_LM:RunOnce, SpybotDeletingC4385
command: cmd /c del "C:\WINDOWS\system32\winopn32.dll_tobedeleted_old_tobedeleted_old"
file:

Located: HK_LM:RunOnce, SpybotDeletingC4980
command: cmd /c del "C:\WINDOWS\system32\winopn32.dll_tobedeleted_old"
file:

Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996a38c0b0cf151c2140ae29fc8

Located: HK_CU:Run, WinPop
command: C:\Program Files\WinPop\winpop.exe
file: C:\Program Files\WinPop\winpop.exe
size: 49152
MD5: 279ee361f8efa463b3edc2d488bfb6c8

Located: HK_CU:RunOnce, SpybotDeletingB4631
command: command /c del "C:\WINDOWS\system32\winopn32.dll_tobedeleted_old_tobedeleted_old"
file:

Located: HK_CU:RunOnce, SpybotDeletingB841
command: command /c del "C:\WINDOWS\system32\winopn32.dll_tobedeleted_old"
file:

Located: HK_CU:RunOnce, SpybotDeletingD5271
command: cmd /c del "C:\WINDOWS\system32\winopn32.dll_tobedeleted_old"
file:

Located: HK_CU:RunOnce, SpybotDeletingD5797
command: cmd /c del "C:\WINDOWS\system32\winopn32.dll_tobedeleted_old_tobedeleted_old"
file:

Located: Startup (common), Adobe Reader Speed Launch.lnk
command: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
file: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
size: 29696
MD5: 43362b96870ce8649f4f2ec893da93f0

Located: Startup (common), Microsoft Office.lnk
command: C:\Program Files\Microsoft Office\Office10\OSA.EXE
file: C:\Program Files\Microsoft Office\Office10\OSA.EXE
size: 83360
MD5: 5bc65464354a9fd3beaa28e18839734a

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll

Located: WinLogon, winopn32
command: winopn32.dll
file: winopn32.dll

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll

--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
BHO name:
CLSID name: Adobe PDF Reader Link Helper
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 7.0\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 12/14/2004 1:56:50 AM
Date (last access): 7/3/2007 8:32:14 PM
Date (last write): 1/12/2006 8:38:22 PM
Filesize: 63128
Attributes: archive
MD5: F17B2B264072B921FC66A0BE16626BAB
CRC32: 5184CFEA
Version: 7.0.7.142

{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\Program Files\Spybot - Search & Destroy\
Long name: SDHelper.dll
Short name:
Date (created): 12/24/2005 4:25:26 PM
Date (last access): 7/3/2007 8:32:14 PM
Date (last write): 5/31/2005 1:04:00 AM
Filesize: 853672
Attributes: archive
MD5: 250D787A5712D7768DDC133B3E477759
CRC32: D4589A41
Version: 1.4.0.0

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.5.0_06\bin\
Long name: ssv.dll
Short name:
Date (created): 3/2/2006 1:53:00 PM
Date (last access): 7/3/2007 12:04:52 PM
Date (last write): 11/10/2005 1:22:12 PM
Filesize: 184423
Attributes: archive
MD5: F01726F7CA8538FDD4663C9DB8FEAEDC
CRC32: 0111B892
Version: 5.0.60.5

{86C510E9-97EF-4749-914F-0280247BE3A6} (CVirtualDNSObj Object)
BHO name:
CLSID name: CVirtualDNSObj Object
Path: C:\WINDOWS\
Long name: VirtualDNS.dll

Yodama
2007-07-05, 10:20
Hello icebluerose,

please refrain from posting your log files in the forums, as you could see that makes the posts less readable. For further log files, save them to text files and attach them to your post.

Your computer appears to be infected with Virtumonde and Virtumonde.Winpop.
This file
C:\WINDOWS\system32\winopn32.dll
is being loaded by the winlogon.exe and currently cannot be removed while your windows is running. You will need to start your computer using a different operating system which can write on your ntfs partition.
For example you can use NTFS4Dos by avira, you can find a download here:
http://www.free-av.com/
you will need to be able to use a command console to browser your directories and delete the file named above.
NTFS4Dos is owned by Avira and is free for personal use only.



The latest detection update should detect the Virtumonde.Winpop component and delete it.

icebluerose
2007-07-06, 08:50
Thank you Yodama, i will try to follow your advice.