Need help with Smitfraud & others please



SE_Incognito
2008-02-07, 06:48
I've been trying to clean an older laptop that was full of malware/spyware. I've been able to get rid of a lot of it, but there are some stubborn things like SmitFraud-C.Core Service detected by Spybot, and AdWare.Win32.Agent.vv, AdWare.Win32.AdBand.a & Downloader.Win32.Agent.q (frexup2.exe) detected by Kaspersky that I haven't been able to get rid of & it's driving me nuts!

I've cleaned up as much as I could, and then ran scans with AVG Anti-Virus (free edition), TrendMicro (online scan), Ewido (online scan), Spybot, Super Anti-Spyware, Ad-Aware, Kaspersky (online scan), and Panda (online scan), all of which seem to find different things. I'm posting the Hijack This log, Panda log, and Kaspersky log. Your assistance would be greatly appreciated :)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:04:36 PM, on 2/6/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Pure Networks\Router Service\pnroutsv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\DOWNLOADS\HIJACK THIS\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2F9D3D37-290E-46A7-8981-C4FD6ACFBB06} - \
O2 - BHO: (no name) - {43BA8B97-9A24-4BC5-BC97-34B10D995183} - (no file)
O2 - BHO: (no name) - {485E4202-16F9-4C20-A95D-D1BA938470EE} - \
O2 - BHO: (no name) - {4C115912-221E-4932-9979-DA58E6F04CD1} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C42E0BA-DC3B-48C3-9BE2-E07F7498B37E} - \
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8837FA97-D008-4349-85D6-1ED44F3F1C76} - \
O2 - BHO: (no name) - {8E53D4E9-F909-4943-964D-5446879BB753} - \
O2 - BHO: 0 - {8F08453A-08E6-4F2A-E1A8-E518FE422D85} - (no file)
O2 - BHO: (no name) - {96E99A32-FBD8-4EB0-9E9F-7B0624E4D6A4} - \
O2 - BHO: (no name) - {9B48B0AB-D3DD-4484-970C-3C9DB7E9FA0E} - \
O2 - BHO: (no name) - {9DC1ECC4-2A7B-4547-BF07-0ED3A197A64D} - \
O2 - BHO: (no name) - {A2289F73-2FA5-43BC-9774-20980C6C1B9E} - \
O2 - BHO: (no name) - {BA3FA827-087B-4794-BAF5-96FBAB97ADB9} - \
O2 - BHO: (no name) - {C84EF5B1-54B4-4A19-B793-05C73C9D8A16} - \
O2 - BHO: (no name) - {ca394cd1-e545-4f12-8f30-dd162f986347} - (no file)
O2 - BHO: (no name) - {F4DAA834-9711-4201-B288-F7B531BCA555} - (no file)
O2 - BHO: (no name) - {F8B34729-6E6B-43D8-8F6C-2E984513534F} - \
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: TA_Start.lnk.disabled
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O4 - Global Startup: HPZRCV01.LNK.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198307824804
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198307751799
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: qomjkkl - qomjkkl.dll (file missing)
O20 - Winlogon Notify: wintug32 - wintug32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Pure Networks Router Manager (pnrouter) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Router Service\pnroutsv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

--
End of file - 7444 bytes

________________________
Panda online scan log:

Incident Status Location

Adware:Adware/InternetSpeedMonitor Not disinfected C:\WINNT\FREXUP2.EXE
Adware:Adware/InternetSpeedMonitor Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\RECUPD13.EXE[QdrModule9.exe]

__________________________

KASPERSKY ONLINE SCANNER REPORT
Wednesday, February 06, 2008 10:37:32 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/02/2008
Kaspersky Anti-Virus database records: 552818


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target Critical Areas
C:\WINNT
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\

Scan Statistics
Total number of scanned objects 10023
Number of viruses found 3
Number of infected objects 7
Number of suspicious objects 0
Duration of the scan process 00:15:52

Infected Object Name Virus Name Last Action
C:\WINNT\system32\config\software.LOG Object is locked skipped

C:\WINNT\system32\config\default.LOG Object is locked skipped

C:\WINNT\system32\config\SECURITY Object is locked skipped

C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped

C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped

C:\WINNT\system32\config\SAM Object is locked skipped

C:\WINNT\system32\config\SAM.LOG Object is locked skipped

C:\WINNT\system32\config\SYSTEM Object is locked skipped

C:\WINNT\system32\config\SOFTWARE Object is locked skipped

C:\WINNT\system32\config\DEFAULT Object is locked skipped

C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped

C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped

C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped

C:\WINNT\system32\Perflib_Perfdata_3d0.dat Object is locked skipped

C:\WINNT\Temp\ZLT00f5f.TMP Object is locked skipped

C:\WINNT\Debug\PASSWD.LOG Object is locked skipped

C:\WINNT\Debug\oakley.log Object is locked skipped

C:\WINNT\Debug\ipsecpa.log Object is locked skipped

C:\WINNT\SchedLgU.Txt Object is locked skipped

C:\WINNT\CSC\00000001 Object is locked skipped

C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINNT\WindowsUpdate.log Object is locked skipped

C:\WINNT\frexup2.exe/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped

C:\WINNT\frexup2.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.a skipped

C:\WINNT\frexup2.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.a skipped

C:\WINNT\frexup2.exe NSIS: infected - 3 skipped

C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped

C:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped

C:\WINNT\Internet Logs\fwdbglog.txt Object is locked skipped

C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped

C:\WINNT\Internet Logs\USER-6FCBB70DC1.ldb Object is locked skipped

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\recupd13.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.Agent.vv skipped

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\recupd13.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.vv skipped

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\recupd13.exe NSIS: infected - 2 skipped

Scan process completed.

Shaba
2008-02-08, 11:08
Hi SE_Incognito

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happens we want to know, and also which process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post:

- a fresh HijackThis log
- combofix report

SE_Incognito
2008-02-10, 02:05
Hi Shaba,

I've run ComboFix as instructed. Here is the ComboFix log. I will have to post the HiJack This log in a separate post.

Please let me know if I need to do anything further, and thank you sooooooo much for your help!

ComboFix 08-02.05.3 - Administrator 02/09/2008 13:42:33.1 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.103 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Administrator\ResErrors.log
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Documents and Settings\All Users\Application Data\salesmonitor
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Program Files\ISM2
C:\Program Files\ystem~1
C:\Program Files\ystem~1\?ystem\
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINNT\cookies.ini
C:\WINNT\system32\.exe
C:\WINNT\system32\a13
C:\WINNT\system32\cisvc.dll
C:\WINNT\system32\e2
C:\WINNT\system32\g1
C:\WINNT\system32\i8
C:\WINNT\system32\ldinfo.ldr
C:\WINNT\system32\pac.txt
C:\WINNT\system32\uvxbc.bak1
C:\WINNT\system32\uvxbc.bak2
C:\WINNT\system32\uvxbc.ini
C:\WINNT\system32\x22
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_FMTR
-------\core


((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-05 23:09 . 07-06-05 10:56 44,928 --a------ C:\WINNT\system32\drivers\SDTHOOK.SYS
2008-02-05 23:08 . 07-06-08 09:44 8,576 --a------ C:\WINNT\system32\drivers\jfoejftoyvbs.sys
2008-02-05 22:51 . 08-02-05 22:51 <DIR> d-------- C:\WINNT\system32\ActiveScan
2008-02-05 22:51 . 08-02-05 22:51 30,590 --a------ C:\WINNT\system32\pavas.ico
2008-02-05 22:51 . 08-02-05 22:51 2,550 --a------ C:\WINNT\system32\Uninstall.ico
2008-02-05 22:51 . 08-02-05 22:51 1,406 --a------ C:\WINNT\system32\Help.ico
2008-02-05 21:08 . 08-02-05 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-05 21:07 . 08-02-05 21:08 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2008-02-05 15:05 . 08-02-05 15:05 <DIR> d-------- C:\FOUND.007
2008-02-05 11:03 . 08-02-05 11:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-31 00:36 . 08-02-06 23:35 1,016,394 ---h----- C:\WINNT\ShellIconCache
2008-01-27 21:45 . 03-06-19 12:05 21,776 --a------ C:\WINNT\system32\drivers\mouclass.sys
2008-01-27 21:45 . 03-06-19 12:05 19,728 --a------ C:\WINNT\system32\hidserv.exe
2008-01-27 21:45 . 03-06-19 12:05 11,632 --a------ C:\WINNT\system32\drivers\mouhid.sys
2008-01-27 21:26 . 99-11-30 23:39 30,480 --a------ C:\WINNT\system32\pid.dll
2008-01-27 21:26 . 03-06-19 12:05 24,752 --a------ C:\WINNT\system32\drivers\hidclass.sys
2008-01-27 21:26 . 03-06-19 12:05 23,056 --a------ C:\WINNT\system32\drivers\hidparse.sys
2008-01-27 21:26 . 03-06-19 12:05 18,192 --a------ C:\WINNT\system32\hid.dll
2008-01-27 21:26 . 99-10-04 15:03 13,904 --a------ C:\WINNT\system32\drivers\hidusb.sys
2008-01-27 09:48 . 08-01-27 09:48 <DIR> d-------- C:\Program Files\CCleaner
2008-01-26 15:56 . 08-01-26 15:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-26 15:55 . 08-01-26 15:55 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-26 15:55 . 08-01-26 15:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-01-26 15:47 . 08-01-26 15:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-26 14:57 . 08-01-26 14:57 <DIR> d-------- C:\VundoFix Backups
2008-01-26 14:25 . 08-01-26 14:25 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-26 14:23 . 03-06-19 12:05 30,768 --a------ C:\WINNT\system32\drivers\disk.sys
2008-01-20 20:04 . 08-01-20 20:04 <DIR> d-------- C:\WINNT\system32\ZoneLabs
2008-01-20 20:04 . 08-01-20 20:04 <DIR> d-------- C:\Program Files\Zone Labs
2008-01-20 20:04 . 08-02-09 13:59 890 --ah----- C:\WINNT\system32\vsconfig.xml
2008-01-20 18:52 . 08-02-05 20:52 4,212 ---h----- C:\WINNT\system32\zllictbl.dat
2008-01-20 18:44 . 08-01-20 18:44 <DIR> d-------- C:\WINNT\Internet Logs
2008-01-18 15:44 . 08-01-18 15:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-01-18 12:06 . 08-01-18 12:06 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-18 12:06 . 08-01-18 12:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-17 23:54 . 08-01-17 23:54 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\AVG7
2008-01-17 23:54 . 08-01-17 23:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-01-17 23:54 . 08-01-17 23:54 26,944 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
2008-01-17 23:53 . 08-01-17 23:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-17 23:53 . 08-01-17 23:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-17 23:34 . 08-01-17 23:34 <DIR> d-------- C:\DOWNLOADS
2008-01-17 23:22 . 08-01-17 23:22 <DIR> d-------- C:\FOUND.006
2008-01-15 17:25 . 08-01-15 17:25 <DIR> d-------- C:\FOUND.005
2008-01-14 12:39 . 08-01-14 12:39 1,048 --a------ C:\WINNT\_isenv31.ini
2008-01-14 12:39 . 08-01-14 12:39 521 --a------ C:\WINNT\_iserr31.ini
2008-01-14 08:19 . 08-01-14 08:20 <DIR> d-------- C:\Program Files\HP
2008-01-14 08:18 . 08-01-14 08:18 106,193 --a------ C:\WINNT\hpoins07.dat
2008-01-14 08:18 . 05-06-21 18:19 17,505 --------- C:\WINNT\hpomdl07.dat
2008-01-14 08:15 . 05-02-04 10:58 98,304 --a------ C:\WINNT\system32\hpzjsn01.dll
2008-01-13 16:11 . 08-01-13 16:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\HP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 05:00 38,400 ------w C:\WINNT\Internet Logs\xDB9.tmp
2008-02-06 04:37 946,688 ------w C:\WINNT\Internet Logs\xDB8.tmp
2008-02-05 20:03 120,832 ------w C:\WINNT\Internet Logs\xDB7.tmp
2008-02-05 19:47 946,688 ------w C:\WINNT\Internet Logs\xDB6.tmp
2008-01-27 16:52 143,872 ------w C:\WINNT\Internet Logs\xDB5.tmp
2008-01-27 16:24 868,864 ------w C:\WINNT\Internet Logs\xDB4.tmp
2008-01-26 20:23 258,048 ------w C:\WINNT\Internet Logs\xDB3.tmp
2008-01-26 20:21 870,912 ------w C:\WINNT\Internet Logs\xDB2.tmp
2008-01-18 04:43 44,288 ----a-w C:\WINNT\system32\drivers\cdr4_2K.sys
2007-12-22 03:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-12-22 03:00 --------- d-----w C:\Program Files\Trend Micro
2007-12-14 16:32 12,632 ----a-w C:\WINNT\system32\lsdelete.exe
2004-09-08 05:45 271 ---h--w C:\Program Files\desktop.ini
2004-09-08 05:45 21,952 ---h--w C:\Program Files\folder.htt
2003-07-03 20:36 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F9D3D37-290E-46A7-8981-C4FD6ACFBB06}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{485E4202-16F9-4C20-A95D-D1BA938470EE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C42E0BA-DC3B-48C3-9BE2-E07F7498B37E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8837FA97-D008-4349-85D6-1ED44F3F1C76}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E53D4E9-F909-4943-964D-5446879BB753}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96E99A32-FBD8-4EB0-9E9F-7B0624E4D6A4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B48B0AB-D3DD-4484-970C-3C9DB7E9FA0E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9DC1ECC4-2A7B-4547-BF07-0ED3A197A64D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A2289F73-2FA5-43BC-9774-20980C6C1B9E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA3FA827-087B-4794-BAF5-96FBAB97ADB9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C84EF5B1-54B4-4A19-B793-05C73C9D8A16}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F8B34729-6E6B-43D8-8F6C-2E984513534F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRPCMonitor"="PRPCUI.exe" [02-03-25 14:30 43008 C:\WINNT\system32\prpcui.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [00-02-07 13:15 102400]
"AtiPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [02-08-27 16:57 294912]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [03-08-15 12:38 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [03-08-15 12:37 618496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08-01-17 23:57 579072]
"DadApp"="C:\Program Files\Dell\AccessDirect\dadapp.exe" [04-03-04 11:36 211828]
"Synchronization Manager"="mobsync.exe" [03-07-03 15:41 111376 C:\WINNT\system32\mobsync.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [08-01-17 23:54 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-07-03 08:37 186640]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
TA_Start.lnk.disabled [2008-01-17 23:45:36 413]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless-G Notebook Adapter.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [2007-11-16 19:34:56 36864]
HPZRCV01.LNK.disabled [2008-01-17 23:23:52 708]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 07-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomjkkl]
qomjkkl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wintug32]
wintug32.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"pdfSaver3"="c:\Program Files\PDF\pdfSaver\pdfSaver3.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
"plite731"=C:\WINNT\plite731.exe
"602PC SUITE PDF Saver"="C:\Program Files\Common Files\soft602\pdfSaver.exe"
"pdfSaver3"=
"NeroCheck"=C:\WINNT\system32\NeroCheck.exe
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun
"Synchronization Manager"=mobsync.exe /logon

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys [08-01-17 23:54 ]
R2 NICSer_WPC54G;NICSer_WPC54G;C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe [03-11-13 13:29 ]
R2 PRPC;PRPC;C:\WINNT\system32\drivers\PRPC.sys [01-11-28 14:20 ]
R3 ati2mtai;ati2mtai;C:\WINNT\system32\DRIVERS\ati2mtai.sys [02-11-18 15:48 ]
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINNT\system32\CBTNDIS5.SYS [03-07-16 22:28 ]
R3 EL556;3Com 10/100 Mini PCI Ethernet Adapter NDIS5 Driver;C:\WINNT\system32\DRIVERS\EL556ND5.sys [00-05-02 13:14 ]
R3 maestro;ESS Maestro Audio Driver (WDM);C:\WINNT\system32\drivers\es198xdl.sys [02-06-20 17:53 ]
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINNT\system32\DRIVERS\odysseyIM4.sys [04-09-24 23:36 ]
R3 WDHABBG;WDHABBGMiniPCI Winmodem;C:\WINNT\system32\DRIVERS\WDHABBG.sys [00-04-05 16:40 ]
S3 ati2mpab;ati2mpab;C:\WINNT\system32\DRIVERS\ati2mpab.sys [00-11-15 23:49 ]
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family;C:\WINNT\system32\DRIVERS\cben5.sys [02-02-26 17:10 ]

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 14:00:07
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Pure Networks\Router Service\pnroutsv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
.
**************************************************************************
.
Completion time: 2008-02-09 14:01:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-09 19:01:50
.
2008-01-16 01:37:38 --- E O F ---

SE_Incognito
2008-02-10, 02:07
This is the HiJack This log. I ran Spybot to see what came up and it no longer shows Smitfraud. Do I need to do anything further?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:57:30 PM, on 2/9/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Pure Networks\Router Service\pnroutsv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\DOWNLOADS\HIJACK THIS\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2F9D3D37-290E-46A7-8981-C4FD6ACFBB06} - \
O2 - BHO: (no name) - {485E4202-16F9-4C20-A95D-D1BA938470EE} - \
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C42E0BA-DC3B-48C3-9BE2-E07F7498B37E} - \
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8837FA97-D008-4349-85D6-1ED44F3F1C76} - \
O2 - BHO: (no name) - {8E53D4E9-F909-4943-964D-5446879BB753} - \
O2 - BHO: (no name) - {96E99A32-FBD8-4EB0-9E9F-7B0624E4D6A4} - \
O2 - BHO: (no name) - {9B48B0AB-D3DD-4484-970C-3C9DB7E9FA0E} - \
O2 - BHO: (no name) - {9DC1ECC4-2A7B-4547-BF07-0ED3A197A64D} - \
O2 - BHO: (no name) - {A2289F73-2FA5-43BC-9774-20980C6C1B9E} - \
O2 - BHO: (no name) - {BA3FA827-087B-4794-BAF5-96FBAB97ADB9} - \
O2 - BHO: (no name) - {C84EF5B1-54B4-4A19-B793-05C73C9D8A16} - \
O2 - BHO: (no name) - {F8B34729-6E6B-43D8-8F6C-2E984513534F} - \
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: TA_Start.lnk.disabled
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O4 - Global Startup: HPZRCV01.LNK.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198307824804
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198307751799
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: qomjkkl - qomjkkl.dll (file missing)
O20 - Winlogon Notify: wintug32 - wintug32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Pure Networks Router Manager (pnrouter) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Router Service\pnroutsv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

--
End of file - 6815 bytes

Shaba
2008-02-10, 11:39
Hi

Let's check one more file:

Please click this link-->Jotti (http://virusscan.jotti.org/)

Copy/paste the first file on the list into the white Upload a file box and click Submit/Send (depending on which one you are using, Jotti or VirusTotal).


C:\WINNT\system32\drivers\jfoejftoyvbs.sys

Repeat steps for all files on the list.

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

SE_Incognito
2008-02-10, 17:02
Good Morning!

Ran the scan as you instructed. Here are the results:

File: jfoejftoyvbs.sys
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: d7dbfbc453b645111e6d21142305e80b
Packers detected: -
Bit9 reports: File not found

Scanner results
Scan taken on 10 Feb 2008 15:49:47 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Shaba
2008-02-10, 17:10
Hi

That looks to be clean.

Open HijackThis, click "Do a system scan only" and checkmark these:

O2 - BHO: (no name) - {2F9D3D37-290E-46A7-8981-C4FD6ACFBB06} - \
O2 - BHO: (no name) - {485E4202-16F9-4C20-A95D-D1BA938470EE} - \
O2 - BHO: (no name) - {5C42E0BA-DC3B-48C3-9BE2-E07F7498B37E} - \
O2 - BHO: (no name) - {8837FA97-D008-4349-85D6-1ED44F3F1C76} - \
O2 - BHO: (no name) - {8E53D4E9-F909-4943-964D-5446879BB753} - \
O2 - BHO: (no name) - {96E99A32-FBD8-4EB0-9E9F-7B0624E4D6A4} - \
O2 - BHO: (no name) - {9B48B0AB-D3DD-4484-970C-3C9DB7E9FA0E} - \
O2 - BHO: (no name) - {9DC1ECC4-2A7B-4547-BF07-0ED3A197A64D} - \
O2 - BHO: (no name) - {A2289F73-2FA5-43BC-9774-20980C6C1B9E} - \
O2 - BHO: (no name) - {BA3FA827-087B-4794-BAF5-96FBAB97ADB9} - \
O2 - BHO: (no name) - {C84EF5B1-54B4-4A19-B793-05C73C9D8A16} - \
O2 - BHO: (no name) - {F8B34729-6E6B-43D8-8F6C-2E984513534F} - \
O20 - Winlogon Notify: qomjkkl - qomjkkl.dll (file missing)
O20 - Winlogon Notify: wintug32 - wintug32.dll (file missing)

Close all windows, including your browser, and press Fix checked.

Reboot.

I see that you scanned critical areas only last time.

Now I want you to scan your entire My Computer as instructed below:

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now, under Select a target to scan, select My Computer.
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer Only!

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Post:

- a fresh HijackThis log
- Kaspersky report
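
The entries the helper singled out above share three tell-tale shapes: an O2 BHO with "(no name)" and an empty path, an O20 Winlogon Notify package whose DLL is "(file missing)", and an O4 startup shortcut left as ".disabled". Here is an added example (my own code, not part of this thread or of HijackThis) that applies those same checks to a constructed excerpt of HijackThis v2.0.2 log lines:

```python
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    line: str
    reason: str


# Constructed sample of HijackThis v2.0.2 entries, modelled on the ones
# discussed in this thread (a hypothetical excerpt, not a complete log).
SAMPLE_LOG = [
    "O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - "
    "C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\ActiveX\\AcroIEHelper.ocx",
    "O2 - BHO: (no name) - {2F9D3D37-290E-46A7-8981-C4FD6ACFBB06} - \\",
    "O2 - BHO: (no name) - {485E4202-16F9-4C20-A95D-D1BA938470EE} - \\",
    "O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP",
    "O4 - Startup: TA_Start.lnk.disabled",
    "O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll",
    "O20 - Winlogon Notify: qomjkkl - qomjkkl.dll (file missing)",
    "O20 - Winlogon Notify: wintug32 - wintug32.dll (file missing)",
]

# One pattern per HijackThis section we care about.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-F-]+\}) - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<target>.*)$")


def check_line(line: str) -> Optional[Finding]:
    """Apply the three heuristics used in this thread to a single log line."""
    m = BHO_RE.match(line)
    if m:
        # A BHO with no name and no file behind it is an orphaned registration.
        if m["name"] == "(no name)" and m["path"].strip() in ("", "\\"):
            return Finding(line, "nameless BHO with no backing file (orphaned CLSID)")
        return None
    m = NOTIFY_RE.match(line)
    if m:
        # Winlogon Notify entries load a DLL at logon; a missing DLL is a leftover.
        if m["path"].endswith("(file missing)"):
            return Finding(line, "Winlogon Notify package whose DLL no longer exists")
        return None
    m = STARTUP_RE.match(line)
    if m and m["target"].lower().endswith(".disabled"):
        return Finding(line, "disabled startup shortcut left behind by a cleaner")
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Return every line that trips one of the heuristics, in log order."""
    return [f for f in (check_line(ln.rstrip()) for ln in lines) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Entries with a real name and an existing file (the Acrobat BHO, the SUPERAntiSpyware Winlogon package) pass untouched, which matches what the helper left alone.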

SE_Incognito
2008-02-12, 05:36
Here's my newest Kaspersky scan report:


KASPERSKY ONLINE SCANNER REPORT
Monday, February 11, 2008 10:31:54 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/02/2008
Kaspersky Anti-Virus database records: 558175


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 19087
Number of viruses found 9
Number of infected objects 13
Number of suspicious objects 2
Duration of the scan process 00:36:46

Infected Object Name Virus Name Last Action
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SOFTWARE Object is locked skipped
C:\WINNT\system32\config\SYSTEM Object is locked skipped
C:\WINNT\system32\config\DEFAULT Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\Temp\ZLT02f1e.TMP Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
C:\WINNT\frexup2.exe/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\WINNT\frexup2.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\WINNT\frexup2.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\WINNT\frexup2.exe NSIS: infected - 3 skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINNT\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINNT\Internet Logs\USER-6FCBB70DC1.ldb Object is locked skipped
C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Pure Networks\Network Magic\Log\logfile.nmsrvc_exe.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Pure Networks\Router Service\Log\RouterService.145.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1162OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008021120080212\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\1002.exe.bac_a01832 Infected: not-a-virus:AdWare.Win32.Agent.td skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\plite731.exe.bac_a01832 Infected: not-a-virus:AdWare.Win32.Agent.lv skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\T0CHD001.exe.bac_a01832 Infected: not-a-virus:AdWare.Win32.ZenoSearch.ac skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\dwdsrngt.exe.bac_a01832 Infected: not-a-virus:AdWare.Win32.ZenoSearch.ac skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\kpdsrngj.exe.bac_a01832 Infected: not-a-virus:AdWare.Win32.ZenoSearch.ac skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\scnkrnl.dll.bac_a01832 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\install_en[1].exe.bac_a01832 Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\install_en.exe.bac_a01832 Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\RTasks.exe.bac_a01832 Infected: not-a-virus:FraudTool.Win32.BestSeller.c skipped

Scan process completed.

Shaba
2008-02-12, 10:58
Hi

Please post also a fresh HijackThis log :)

SE_Incognito
2008-02-13, 03:38
Oops, so sorry that I forgot to post the HijackThis log, so here it is. Please let me know if I need to do anything further. Thank you! :)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:31:43 PM, on 2/12/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Pure Networks\Router Service\pnroutsv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\DOWNLOADS\HIJACK THIS\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: TA_Start.lnk.disabled
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O4 - Global Startup: HPZRCV01.LNK.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198307824804
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198307751799
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Pure Networks Router Manager (pnrouter) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Router Service\pnroutsv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

--
End of file - 5945 bytes

Shaba
2008-02-13, 14:05
Hi

Delete this:

C:\WINNT\frexup2.exe

Empty these folders:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine

Empty Recycle Bin.

Still problems?
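
The helper's triage of the Kaspersky report above comes down to three buckets: "Object is locked" rows are noise, detections inside another tool's quarantine or recovery folder just need that folder emptied, and anything else is a live file to delete. Here is an added example (my own code, not from this thread or from Kaspersky) that parses a constructed excerpt in the same report layout and sorts it into those buckets:

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Detection(NamedTuple):
    path: str      # on-disk file, with any archive sub-object suffix stripped
    verdict: str   # Kaspersky's status text for that object


# Constructed excerpt in the layout of the Kaspersky Online Scanner 5 report
# posted in this thread (a hypothetical sample, not the full report).
SAMPLE_REPORT = r"""
Infected Object Name Virus Name Last Action
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\frexup2.exe/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\WINNT\frexup2.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\WINNT\frexup2.exe NSIS: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1162OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\scnkrnl.dll.bac_a01832 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
Scan process completed.
"""

# Paths contain spaces, so anchor on the distinctive status phrases instead
# of splitting on whitespace.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<status>Object is locked|Infected: \S+|Suspicious: \S+|\S+: (?:infected|suspicious) - \d+)"
    r"\s+(?P<action>\S+)$"
)

# Folders where other scanners already parked their findings; a hit there is
# not an active infection, the folder just needs emptying.
QUARANTINE_MARKERS = ("\\quarantine\\", "\\recovery\\")


def parse_report(text: str) -> Tuple[int, List[Detection]]:
    """Return (number of locked objects, real detections)."""
    locked = 0
    detections: List[Detection] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, footer or blank line
        if m["status"] == "Object is locked":
            locked += 1
            continue
        # "file.exe/stream/data0002" is an object inside file.exe; keep the file.
        on_disk = m["path"].split("/")[0]
        detections.append(Detection(on_disk, m["status"]))
    return locked, detections


def triage(detections: List[Detection]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Split detections into live files (path -> verdicts) and quarantine dirs."""
    live: Dict[str, List[str]] = defaultdict(list)
    quarantine_dirs: Set[str] = set()
    for d in detections:
        if any(mk in d.path.lower() for mk in QUARANTINE_MARKERS):
            quarantine_dirs.add(d.path.rsplit("\\", 1)[0])
        else:
            live[d.path].append(d.verdict)
    return dict(live), sorted(quarantine_dirs)


if __name__ == "__main__":
    locked, dets = parse_report(SAMPLE_REPORT)
    live, qdirs = triage(dets)
    print(f"{locked} locked object(s) ignored")
    for path, verdicts in live.items():
        print(f"delete: {path}  ({len(verdicts)} verdict(s))")
    for d in qdirs:
        print(f"empty:  {d}")
```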

SE_Incognito
2008-02-16, 10:12
I just wanted to say thanks for all of your help. Everything is working great now! :)

Shaba
2008-02-16, 11:23
Hi

Then you're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

You can fix this; it's a leftover:

O4 - Startup: TA_Start.lnk.disabled

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older Java components and update:
Download the latest version of Java Runtime Environment (JRE) 6 Update 4 (http://java.sun.com/javase/downloads/index.jsp) and save it to your desktop.
Scroll down to where it says The J2SE Runtime Environment (JRE) allows end-users to run Java applications.
Click the Download button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.

Update Adobe Reader
It looks like your version of Adobe Reader is out of date and you're vulnerable to infections.
Please download the newest version here:
http://www.adobe.com/products/acrobat/readstep2_servefile.html?option=full&order=1&type=&language=English&platform=WinXPSP2&esdcanbeused=0&esdcanhandle=0&hasjavascript=1&dlm=nos

Install it, then go to Add/Remove Programs and remove any older versions that may remain.

Next we remove all the tools we used.

Please download OTMoveIt2 (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) and save it to desktop.

Double-click OTMoveIt2.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt2 attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar (http://toolbar.google.com/) <= Get the free Google Toolbar to help stop pop-up windows.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein: So How Did I Get Infected In the First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean! :bigthumb:

Shaba
2008-02-18, 11:24
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.