C:\rapport.txt Thanks for the help



Sessieloubob
2006-07-17, 07:39
Thank you very much for all the info, it was all very useful, effective, and much appreciated. Here are the logs from the scans.

Logfile of HijackThis v1.99.1
Scan saved at 11:03:20 PM, on 16/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\TClock\TClock.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Roy Smith\Desktop\HijackThis\HijackThis.exe

SmitFraudFix v2.72

Scan done at 21:29:40.48, 16/07/2006
Run from C:\Documents and Settings\Roy Smith\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ishost.exe FOUND !
C:\WINDOWS\system32\ismon.exe FOUND !
C:\WINDOWS\system32\isnotify.exe FOUND !
C:\WINDOWS\system32\issearch.exe FOUND !
C:\WINDOWS\system32\ixt?.dll FOUND !
C:\WINDOWS\system32\ixt??.dll FOUND !
C:\WINDOWS\system32\ts.ico FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Roy Smith\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Malware-Wipe\ FOUND !
C:\Program Files\SpyQuake2.com\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"cinnamomum"="{93ac7c30-3878-4eaa-9420-7977285df5b1}"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:33:11 PM 16/07/2006

+ Scan result:



HKU\S-1-5-21-602162358-436374069-1060284298-1004\Software\Hotbar -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-602162358-436374069-1060284298-1004\Software\Hotbar\Common -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-602162358-436374069-1060284298-1004\Software\Hotbar\Common\updates -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\PerfectNav -> Adware.KeenValue : Cleaned with backup (quarantined).
C:\WINDOWS\system32\attrib.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
[204] C:\WINDOWS\system32\attrib.dll -> Adware.PurityScan : Error during cleaning.
[252] C:\WINDOWS\system32\attrib.dll -> Adware.PurityScan : Error during cleaning.
[264] C:\WINDOWS\system32\attrib.dll -> Adware.PurityScan : Error during cleaning.
[420] C:\WINDOWS\system32\attrib.dll -> Adware.PurityScan : Error during cleaning.
[472] C:\WINDOWS\system32\attrib.dll -> Adware.PurityScan : Error during cleaning.
[516] C:\WINDOWS\system32\attrib.dll -> Adware.PurityScan : Error during cleaning.
[732] C:\WINDOWS\system32\attrib.dll -> Adware.PurityScan : Error during cleaning.
HKLM\SOFTWARE\Classes\AppID\{4F5E5D72-C915-4f3b-908B-527D064B0FAA} -> Adware.SysProtect : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{EF130E77-0A34-4365-BFB7-218FD3DDCD5F} -> Adware.SysProtect : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Interface\{02946FD1-2D99-46E6-A790-3A089714EDD9} -> Adware.SysProtect : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TypeLib\{7EACF70B-302F-4049-AC68-2D62EB43E473} -> Adware.SysProtect : Cleaned with backup (quarantined).
C:\WINDOWS\system32\awtrq.dll.vir -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\vtutqpp.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Documents and Settings\Roy Smith\Local Settings\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\Cache\71F545FEd01 -> Downloader.Agent.alr : Cleaned with backup (quarantined).
C:\Documents and Settings\Roy Smith\Local Settings\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\Cache\B23E4567d01 -> Downloader.Agent.alr : Cleaned with backup (quarantined).
C:\Documents and Settings\Roy Smith\Local Settings\Temp\ICD4.tmp\USYP_0001_N85M2606NetInstaller.exe -> Downloader.Agent.alr : Cleaned with backup (quarantined).
C:\Documents and Settings\Roy Smith\Local Settings\Temp\ICD5.tmp\USYP_0001_N85M2606NetInstaller.exe -> Downloader.Agent.alr : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\USYP_0001_N85M2606NetInstaller.exe -> Downloader.Agent.alr : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA6P_0001_N85M0307NetInstaller.exe -> Downloader.Agent.alr : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWA6P_0001_N85M0307NetInstaller.exe -> Downloader.Agent.alr : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\USYP_0001_N85M2606NetInstaller.exe -> Downloader.Agent.alr : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N85M0307NetInstaller.exe -> Downloader.Agent.alr : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\4db7490422ab945c2bb1ac09b4a44ee6_35.exe -> Downloader.Small.bwy : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.a : Ignored.
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Ignored.
C:\WINDOWS\system32\components\flx5.dll -> Not-A-Virus.Hoax.Win32.Renos.dw : Ignored.
:mozilla.101:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.56:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.57:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.58:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.59:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.60:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.61:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.86:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Roy Smith\Local Settings\Temp\Cookies\roy smith@abetterinternet[1].txt -> TrackingCookie.Abetterinternet : Cleaned.
:mozilla.34:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.147:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.148:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.68:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.167:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Centrport : Cleaned.
C:\Documents and Settings\Roy Smith\Local Settings\Temp\Cookies\roy smith@cz6.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Roy Smith\Local Settings\Temp\Cookies\roy smith@cliks[2].txt -> TrackingCookie.Cliks : Cleaned.
:mozilla.55:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.166:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.108:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.112:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Roy Smith\Local Settings\Temp\Cookies\roy smith@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
:mozilla.146:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.133:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.134:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.65:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.66:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.67:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.10:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.11:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.12:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.13:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.14:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.15:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.16:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.9:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Roy Smith\Local Settings\Temp\Cookies\roy smith@starware[2].txt -> TrackingCookie.Starware : Cleaned.
:mozilla.157:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.158:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Roy Smith\Local Settings\Temp\Cookies\roy smith@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.165:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.171:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.172:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.83:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.84:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.85:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Roy Smith\Local Settings\Temp\Cookies\roy smith@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.150:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.151:C:\Documents and Settings\Roy Smith\Application Data\Mozilla\Firefox\Profiles\3z15n7sy.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\WINDOWS\system32\wincnh32.dll -> Trojan.Mezzia : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{244CBE69-03B0-1033-0103-031228200002}\Update.exe -> Trojan.Starter.65 : Cleaned with backup (quarantined).


::Report end

pskelley
2006-07-17, 15:25
OK Roy, if you are using these instructions: http://forums.spybot.info/showthread.php?t=4015

It looks to me like you have completed the SEARCH function. Ewido should not have been run until after the CLEAN function was run. You know the infection is there now, return to the instructions here:
8) #2 - SmitfraudFix Clean and complete these instructions:
Extract all the files to your Desktop. A folder named SmitfraudFix will be created there.
Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.
A reboot may be needed to finish the cleaning process. If your computer does not restart automatically please do it yourself manually, and reboot back into Safe Mode.

Here is a look at it if it will help: http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

Once you have cleaned Smitfraud post that report for me to view.
You are posting only the top half of your HJT log and I need to see it all.
Open HJT > Do a system scan and save a logfile > wait for it to be produced, will take a few > Click on format at the top of the notepad and be sure "Word Wrap" IS NOT checked > Click Edit then Select All > copy/paste the highlighted information to this topic.

The ewido report and what I can see indicate you have other infections besides Smitfraud, so we will have more to do.

All I need now is the report from the SmitfraudFix CLEAN and a complete HJT log.

Thanks...pskelley
Safer Networking Forums
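As an added illustration of the triage pskelley is doing by eye (reading the ewido report for the handful of items that were not actually cleaned), here is a small Python parser for that report format. It is example code written for this edit, not part of either post and not an ewido tool. The sample report in the block is constructed in the same layout as the one posted above, with a placeholder user name and profile directory and only a subset of the findings; the bracketed number in front of some lines is assumed here to be the id of the process in which the in-memory copy of the file was detected.

```python
import re
from collections import Counter, defaultdict

# One ewido result line looks like:
#   [<pid>] <item> -> <detection family> : <status>.
# The "[pid]" prefix is optional; it is read here as the id of the process in
# which the in-memory copy of the item was detected (an assumption, the page
# does not document it). <item> is a file path, a registry key, or a
# ":mozilla.N:<path>" cookie reference.
LINE_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\]\s+)?"
    r"(?P<item>.+?)\s+->\s+"
    r"(?P<family>\S+)\s+:\s+"
    r"(?P<status>[^.]+)\.$"
)

# Constructed sample report in the same layout as the one posted above
# (placeholder user name and profile directory, subset of the findings).
SAMPLE_REPORT = r"""
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:33:11 PM 16/07/2006

+ Scan result:

HKLM\SOFTWARE\PerfectNav -> Adware.KeenValue : Cleaned with backup (quarantined).
C:\WINDOWS\system32\attrib.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
[204] C:\WINDOWS\system32\attrib.dll -> Adware.PurityScan : Error during cleaning.
[252] C:\WINDOWS\system32\attrib.dll -> Adware.PurityScan : Error during cleaning.
C:\WINDOWS\system32\components\flx5.dll -> Not-A-Virus.Hoax.Win32.Renos.dw : Ignored.
:mozilla.56:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\abcd1234.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\WINDOWS\system32\wincnh32.dll -> Trojan.Mezzia : Cleaned with backup (quarantined).

::Report end
"""


def parse_report(text):
    """Return one dict per result line; header and footer lines are skipped."""
    results = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        results.append({
            "pid": int(m.group("pid")) if m.group("pid") else None,
            "item": m.group("item"),
            "family": m.group("family"),
            "status": m.group("status").strip(),
        })
    return results


def status_counts(results):
    """How many findings ended in each outcome (Cleaned, Ignored, Error ...)."""
    return Counter(r["status"] for r in results)


def triage(results):
    """Group outcomes per detection family and list what still needs attention.

    Anything that was not cleaned (an "Error during cleaning" or an "Ignored"
    entry) goes on the follow-up list so it is not lost among cookie lines.
    """
    by_family = defaultdict(Counter)
    follow_up = []
    for r in results:
        by_family[r["family"]][r["status"]] += 1
        if r["status"].startswith("Error") or r["status"] == "Ignored":
            follow_up.append(r)
    return by_family, follow_up


def in_use_files(results):
    """Map each file that failed cleaning inside a process to the pids involved.

    A file listed under several pids is assumed to have been loaded into several
    running processes when the scan ran: the on-disk copy could be quarantined
    but the in-memory copies could not, which is the kind of item a helper will
    want handled in a second pass (e.g. from Safe Mode) rather than left as-is.
    """
    pids = defaultdict(set)
    for r in results:
        if r["pid"] is not None and r["status"].startswith("Error"):
            pids[r["item"]].add(r["pid"])
    return {item: sorted(p) for item, p in pids.items()}


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(f"{len(found)} result lines, outcomes: {dict(status_counts(found))}")
    by_family, follow_up = triage(found)
    for family, outcomes in sorted(by_family.items()):
        print(f"  {family}: {dict(outcomes)}")
    print("needs follow-up:")
    for r in follow_up:
        print(f"  {r['item']} ({r['family']}): {r['status']}")
    print("files still loaded in processes:", in_use_files(found))
```

Run it as a script, or paste a real report into `parse_report`. The point of the follow-up list is the one pskelley makes: a report that is mostly "Cleaned" cookie lines hides the few entries that were not cleaned, and those are what decide whether another cleaning pass is still needed.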

tashi
2006-07-21, 19:16
Sessieloubob?

tashi
2006-07-24, 09:20
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a pm and provide a link to the thread.

Applies only to the original topic starter.