Smitfraud-C Toolbar888



ddawson
2007-07-01, 07:14
Infected with Smitfraud-c toolbar888 and whatever.
Here is the logfile. Please help with this very frustrating thing. Thanks.
Logfile of HijackThis v1.99.1
Scan saved at 11:07:27 PM, on 6/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sierra Wireless\AirCard 580\Generic\Components\swiwificomm.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Sierra Wireless\AirCard 580\Generic\watcher.exe
C:\Program Files\Netscape\Communicator\Program\netscape.exe
C:\Program Files\internet explorer\iexplore.exe
C:\hijackthis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {8879BE1A-5E99-4C79-84D7-173BDC588B06} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {C42F119A-B636-4FC2-BB11-FB9ECA082D59} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Kremlin Sentry.lnk = C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA8699DE-955F-4C48-94B3-96AF40A26F94}: NameServer = 204.174.120.45 204.174.120.46
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SwiWiFiComm - Unknown owner - C:\Program Files\Sierra Wireless\AirCard 580\Generic\Components\swiwificomm.exe

ddawson
2007-07-01, 07:59
Attached is also a combofix log.

"Don R Dawson" - 2007-06-30 22:03:50 - ComboFix 07-06-27.7 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\efcyyvw.dll
C:\WINDOWS\system32\fcccywt.dll
C:\WINDOWS\system32\gebxvwt.dll
C:\WINDOWS\system32\jkkihig.dll
C:\WINDOWS\system32\khfecaw.dll
C:\WINDOWS\system32\pmnnkih.dll
C:\WINDOWS\system32\qommnoo.dll
C:\WINDOWS\system32\qomnmll.dll
C:\WINDOWS\system32\rqrqnlm.dll
C:\WINDOWS\system32\tuvtust.dll
C:\WINDOWS\system32\xxyxxxx.dll
C:\WINDOWS\system32\winupx32.dll
C:\WINDOWS\system32\cbeeg.bak1
C:\WINDOWS\system32\cbeeg.ini
C:\WINDOWS\system32\geebc.dll
C:\WINDOWS\system32\awtsqon.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\atwsettl1.exe
C:\atwsettl2.exe
C:\atwsettl3.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\setup.exe
C:\WINDOWS\mgrs.exe
C:\WINDOWS\system32\atwsettl
C:\WINDOWS\system32\atwsettl\atwsettl1.exe
C:\WINDOWS\system32\atwsettl\atwsettl2.exe
C:\WINDOWS\system32\atwsettl\atwsettl3.exe
C:\WINDOWS\system32\atwsettl\bg1.gif
C:\WINDOWS\system32\atwsettl\bgtop.gif
C:\WINDOWS\system32\atwsettl\bottom1.gif
C:\WINDOWS\system32\atwsettl\essentials.gif
C:\WINDOWS\system32\atwsettl\icon1.ico
C:\WINDOWS\system32\atwsettl\install1.gif
C:\WINDOWS\system32\atwsettl\left1.gif
C:\WINDOWS\system32\atwsettl\li.gif
C:\WINDOWS\system32\atwsettl\logo.gif
C:\WINDOWS\system32\atwsettl\main.htm
C:\WINDOWS\system32\atwsettl\mainframe.htm
C:\WINDOWS\system32\atwsettl\reinstall1.gif
C:\WINDOWS\system32\atwsettl\right1.gif
C:\WINDOWS\system32\atwsettl\s1.htm
C:\WINDOWS\system32\atwsettl\s2.htm
C:\WINDOWS\system32\atwsettl\s3.htm
C:\WINDOWS\system32\atwsettl\SMTop1.gif
C:\WINDOWS\system32\atwsettl\SMTop2.gif
C:\WINDOWS\system32\atwsettl\SMTop3.gif
C:\WINDOWS\system32\atwsettl\SMTop4.gif
C:\WINDOWS\system32\atwsettl\soft1_off.gif
C:\WINDOWS\system32\atwsettl\soft1_off_ext.gif
C:\WINDOWS\system32\atwsettl\soft1_on.gif
C:\WINDOWS\system32\atwsettl\soft1_on_ext.gif
C:\WINDOWS\system32\atwsettl\soft2_off.gif
C:\WINDOWS\system32\atwsettl\soft2_off_ext.gif
C:\WINDOWS\system32\atwsettl\soft2_on.gif
C:\WINDOWS\system32\atwsettl\soft2_on_ext.gif
C:\WINDOWS\system32\atwsettl\soft3_off.gif
C:\WINDOWS\system32\atwsettl\soft3_off_ext.gif
C:\WINDOWS\system32\atwsettl\soft3_on.gif
C:\WINDOWS\system32\atwsettl\soft3_on_ext.gif
C:\WINDOWS\system32\atwsettl\softbottom_off.gif
C:\WINDOWS\system32\atwsettl\softbottom_on.gif
C:\WINDOWS\system32\atwsettl\softleft_off.gif
C:\WINDOWS\system32\atwsettl\softleft_on.gif
C:\WINDOWS\system32\atwsettl\top1.gif
C:\WINDOWS\system32\atwsettl\top2.gif
C:\WINDOWS\system32\atwsettl\turnoff1.gif
C:\WINDOWS\system32\atwsettl\turnon1.gif
C:\WINDOWS\system32\winsys64.exe


((((((((((((((((((((((((( Files Created from 2007-06-01 to 2007-07-01 )))))))))))))))))))))))))))))))


2007-06-30 19:18 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-30 01:14 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-06-24 18:35 208,248 --a------ C:\WINDOWS\system32\muweb.dll
2007-06-24 13:58 <DIR> d-------- C:\VundoFix Backups
2007-06-24 13:43 <DIR> d-------- C:\hijackthis
2007-06-24 00:06 <DIR> d-------- C:\DOCUME~1\DONRDA~1\APPLIC~1\HouseCall 6.6
2007-06-23 22:48 6,369 --ahs---- C:\WINDOWS\system32\qtstv.bak1
2007-06-23 16:18 <DIR> d-------- C:\DOCUME~1\DONRDA~1\.housecall6.6
2007-06-23 15:19 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-06-23 14:54 <DIR> d--hs---- C:\WINDOWS\CSC
2007-06-21 15:58 <DIR> d--h----- C:\WINDOWS\PIF
2007-06-21 15:44 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-06-21 15:44 <DIR> d-------- C:\DOCUME~1\DONRDA~1\APPLIC~1\PC Tools
2007-06-21 15:22 <DIR> d-------- C:\DOCUME~1\DONRDA~1\APPLIC~1\RegistrySmart
2007-06-21 15:21 <DIR> d-------- C:\Program Files\RegistrySmart
2007-06-21 14:48 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-21 13:32 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-21 12:35 2,924 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-19 14:38 5,504 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2007-06-19 14:38 476,320 --a------ C:\WINDOWS\system32\ImagXpr7.dll
2007-06-19 14:38 471,040 --a------ C:\WINDOWS\system32\ImagXRA7.dll
2007-06-19 14:38 38,912 --a------ C:\WINDOWS\system32\picn20.dll
2007-06-19 14:38 364,544 --a------ C:\WINDOWS\system32\TwnLib4.dll
2007-06-19 14:38 262,144 --a------ C:\WINDOWS\system32\ImagXR7.dll
2007-06-19 14:38 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-06-19 14:38 125,184 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2007-06-19 14:38 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2007-06-19 14:38 1,568,768 --a------ C:\WINDOWS\system32\ImagX7.dll
2007-06-19 14:38 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-06-16 12:03 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-06-16 11:48 <DIR> d-------- C:\LottoPik
2007-06-12 16:59 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-06-10 11:17 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-06-10 11:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-06-10 10:43 <DIR> d-------- C:\DOCUME~1\DONRDA~1\APPLIC~1\WinRAR
2007-06-09 12:51 <DIR> d-------- C:\Program Files\Satellite PC
2007-06-04 10:05 12,032 --a------ C:\WINDOWS\system32\drivers\Netdevio.sys
2007-06-04 10:05 <DIR> d-------- C:\Program Files\TOSHIBA
2007-06-04 09:59 <DIR> d-------- C:\Config Free.temp
2007-06-03 13:48 <DIR> d-------- C:\DOCS
2007-06-03 12:12 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2007-06-02 17:19 65,536 --a------ C:\WINDOWS\system32\iAlmCoIn_v3732.dll
2007-06-02 17:19 <DIR> d-------- C:\WINDOWS\Drivers


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-30 15:21:27 37,289 ----a-w C:\WINDOWS\nsreg.dat
2007-06-25 00:42:29 -------- d-----w C:\Program Files\MailWasher
2007-06-23 06:19:30 -------- d-----w C:\Program Files\John Deere American Builder Deluxe
2007-06-21 22:38:55 388,608 ----a-w C:\WINDOWS\system32\cmd.exe
2007-06-21 03:31:47 12,290,511 ----a-w C:\avg7qt.dat
2007-06-19 20:38:11 -------- d-----w C:\Program Files\Ahead
2007-06-17 03:27:50 -------- d-----w C:\Program Files\Windows Lotto Pro 2000
2007-06-04 16:06:14 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-04 16:04:44 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-05-28 17:11:53 -------- d-----w C:\Program Files\HP
2007-05-28 17:09:19 50 ----a-w C:\install.bat
2007-05-28 17:09:19 39 ----a-w C:\uninstall.bat
2007-05-28 17:04:49 -------- d-----w C:\Program Files\Common Files\SWF Studio
2007-05-27 01:51:08 -------- d-----w C:\Program Files\RegistryFix
2007-05-27 01:49:07 -------- d-----w C:\Program Files\PCRescue3.0
2007-05-27 01:33:40 -------- d-----w C:\DOCUME~1\DONRDA~1\APPLIC~1\Uniblue
2007-05-27 00:18:16 -------- d-----w C:\Program Files\John Deere American Farmer Deluxe
2007-05-17 05:28:18 -------- d-----w C:\Program Files\MSXML 6.0
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 04:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 04:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 04:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 04:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 04:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 04:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 04:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 04:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 04:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}=C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll [2007-06-27 19:19]
{B56A7D7D-6927-48C8-A975-17DF180C71AC}=C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll [2007-06-27 19:19]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-22 12:08]
"Lexmark 1200 Series"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [2006-03-16 01:07]
"PmProxy"="C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe" [2003-02-28 19:54]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-10-12 09:06]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}
rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\wpie4x86.inf,PerUserStub

Contents of the 'Scheduled Tasks' folder
2007-06-30 09:30:02 C:\WINDOWS\tasks\RegistrySmart Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-30 22:42:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-30 22:45:55 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-30 22:45

--- E O F ---