Smitfraud help needed [Archive] - Safer-Networking Forums

View Full Version : Smitfraud help needed

matt1901110

2006-08-30, 06:41

I have been having a problem for the past week or so I have tried everything under the sun that I could find, but I am still having issues. I have had an issue with surfersidekick, webnexus and smitfraud that just won't die. Either my comp came down with mad cow or I am missing a step somewhere. Any help would be appreciated. Here is my Spybot report ran from safe mode:

--- Report generated: 2006-08-29 20:53 ---

SurfSideKick: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{02EE5B04-F144-47BB-83FB-A60BD91B74A9}

SurfSideKick: Library (File, fixed)
C:\Documents and Settings\Administrator\Application Data\Sskknwrd.dll

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-08-20 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-08-18 Includes\Cookies.sbi (*)
2006-08-18 Includes\Dialer.sbi (*)
2006-08-18 Includes\Hijackers.sbi (*)
2006-08-18 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-08-18 Includes\Malware.sbi (*)
2004-08-11 Includes\plugin-ignore.ini
2006-08-18 Includes\PUPS.sbi (*)
2006-08-18 Includes\Revision.sbi (*)
2006-08-18 Includes\Security.sbi (*)
2006-08-18 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-08-18 Includes\Trojans.sbi (*)

and the Highjack this report:

Logfile of HijackThis v1.99.1
Scan saved at 9:19:10 PM, on 8/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact 6\ABMTSR.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\spywarefix\hjthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\dmxbs.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,oiffekx.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 6\ABMTSR.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

matt1901110

2006-08-30, 06:48

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:34:48 PM 8/29/2006

+ Scan result:

C:\RECYCLER\NPROTECT\00019569.exe -> Adware.Agent : Cleaned.
C:\WINDOWS\em.ocx -> Adware.MediaMotor : Cleaned.
C:\WINDOWS\876057.exe -> Adware.Mirar : Cleaned.
C:\WINDOWS\system32\WinNB57.dll -> Adware.Mirar : Cleaned.
C:\spywarefix\hjthis\hijackthis\backups\backup-20060821-152946-254.dll -> Adware.Mirar : Cleaned.
C:\Program Files\PSLister\PSLister.exe -> Adware.PurityScan : Cleaned.
C:\RECYCLER\NPROTECT\00019570.EXE -> Adware.SearchAssistant : Cleaned.
C:\RECYCLER\NPROTECT\00019571.EXE -> Adware.SearchAssistant : Cleaned.
C:\RECYCLER\NPROTECT\00019573.exe -> Adware.SearchAssistant : Cleaned.
C:\RECYCLER\NPROTECT\00019574.EXE -> Adware.SearchAssistant : Cleaned.
C:\RECYCLER\NPROTECT\00019575.exe -> Adware.SearchAssistant : Cleaned.
C:\RECYCLER\NPROTECT\00019579.dll -> Adware.Softomate : Cleaned.
C:\WINDOWS\system32\xeymi.dll -> Adware.Suggestor : Cleaned.
C:\RECYCLER\NPROTECT\00019535.dll -> Adware.SurfSide : Cleaned.
C:\RECYCLER\NPROTECT\00019536.dll -> Adware.SurfSide : Cleaned.
C:\RECYCLER\NPROTECT\00019537.exe -> Adware.SurfSide : Cleaned.
HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned.
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned.
HKU\S-1-5-21-1606980848-1614895754-725345543-500\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned.
HKU\S-1-5-21-1606980848-1614895754-725345543-500\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned.
C:\RECYCLER\NPROTECT\00018916.EXE -> Backdoor.Small : Cleaned.
C:\RECYCLER\NPROTECT\00019499.DAT -> Downloader.Qoologic.bj : Cleaned.
C:\WINDOWS\system32\sbvaf.dat -> Downloader.Qoologic.bj : Cleaned.
[1112] C:\WINDOWS\system32\skhwknj.dll -> Downloader.Qoologic.bj : Cleaned.
[812] C:\WINDOWS\system32\skhwknj.dll -> Downloader.Qoologic.bj : Error during cleaning.
C:\Program Files\Common Files\{D8A91448-095A-1033-0927-040708040001}\Update.exe -> Downloader.Small : Cleaned.
C:\WINDOWS\system32\hjk42b68.dll -> Downloader.Small : Cleaned.
C:\WINDOWS\system32\qgi42149.dll -> Downloader.Small : Cleaned.
C:\WINDOWS\ac3_0002.exe -> Downloader.Small.cyh : Cleaned.
C:\Program Files\Common Files\iqor\iqora.exe -> Downloader.TSUpdate.l : Cleaned.
C:\Program Files\Common Files\iqor\iqorl.exe -> Downloader.TSUpdate.r : Cleaned.
C:\WINDOWS\sys0260007864-6.exe -> Downloader.VB.tw : Cleaned.
C:\WINDOWS\win3207864-660007.exe -> Downloader.VB.tw : Cleaned.
C:\WINDOWS\ss1205.exe -> Dropper.Small.qn : Cleaned.
C:\Documents and Settings\Administrator\Desktop\TagASaurus.exe -> Hijacker.Small : Cleaned.
C:\Program Files\html1.htm -> Hijacker.Small.jf : Cleaned.
C:\Program Files\html2.htm -> Hijacker.Small.jf : Cleaned.
C:\RECYCLER\NPROTECT\00018567.TXT -> TrackingCookie.2o7 : Cleaned.
C:\RECYCLER\NPROTECT\00018580.TXT -> TrackingCookie.2o7 : Cleaned.
C:\RECYCLER\NPROTECT\00018600.TXT -> TrackingCookie.2o7 : Cleaned.
C:\RECYCLER\NPROTECT\00018658.TXT -> TrackingCookie.2o7 : Cleaned.

I cut out about 150 tracking cookies from here so I can get the report to fit into post but all of delted showed cleaned

C:\RECYCLER\NPROTECT\00019393.TXT -> TrackingCookie.Yieldmanager : Cleaned.
C:\RECYCLER\NPROTECT\00019394.TXT -> TrackingCookie.Yieldmanager : Cleaned.
C:\RECYCLER\NPROTECT\00019402.TXT -> TrackingCookie.Yieldmanager : Cleaned.
C:\RECYCLER\NPROTECT\00019403.TXT -> TrackingCookie.Yieldmanager : Cleaned.
C:\RECYCLER\NPROTECT\00019404.TXT -> TrackingCookie.Yieldmanager : Cleaned.
C:\RECYCLER\NPROTECT\00019406.TXT -> TrackingCookie.Yieldmanager : Cleaned.
C:\RECYCLER\NPROTECT\00019407.TXT -> TrackingCookie.Yieldmanager : Cleaned.
C:\RECYCLER\NPROTECT\00019408.TXT -> TrackingCookie.Yieldmanager : Cleaned.
C:\RECYCLER\NPROTECT\00019410.TXT -> TrackingCookie.Yieldmanager : Cleaned.
C:\RECYCLER\NPROTECT\00019411.TXT -> TrackingCookie.Yieldmanager : Cleaned.
C:\RECYCLER\NPROTECT\00019413.TXT -> TrackingCookie.Yieldmanager : Cleaned.
C:\RECYCLER\NPROTECT\00019708.TXT -> TrackingCookie.Yieldmanager : Cleaned.
C:\RECYCLER\NPROTECT\00018661.TXT -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00019065.TXT -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00019066.TXT -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00019067.TXT -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00019068.TXT -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00019069.TXT -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00019070.TXT -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00019071.TXT -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00019154.TXT -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00019155.TXT -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00019156.TXT -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00019200.TXT -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00019201.TXT -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00019202.TXT -> TrackingCookie.Zedo : Cleaned.
C:\WINDOWS\tapeG22.exe -> Trojan.VB.tg : Cleaned.
C:\WINDOWS\uni_ehhhh.exe -> Trojan.VB.tg : Cleaned.
C:\WINDOWS\uninst104.exe -> Trojan.VB.tg : Cleaned.

pskelley

2006-08-30, 17:16

Welcome to the forum, I don't see some of this stuff you are talking about, but I do see a Qoologic trojan. This is what I would like you to do.

Complete these instructions in the posted order.

1) To be sure if Smitfraud is present or not, please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm (http://www.beyondlogic.org/consulting/processutil/processutil.htm)

2) Ewido: C:\RECYCLER\NPROTECT\ this is Norton's idea of extra protections for the recycle bin, use these instructions to clean it out:
http://service1.symantec.com/support/nsw.nsf/ba62122e5d142a6588256d87006b22be/831aa5c6ef0d750685256c370048ad89?OpenDocument&src=bar_sch_nam

Credit to Rubber Ducky for the tool...and LonnyRJONES for the original fix

3) Please download Qoofix by Rubber Ducky (http://www.malwarebytes.org/Qoofix.zip) to your desktop.

Right click on the Qoofix folder, and choose "Extract All". Extract Qoofix to your C: drive
Close all windows and programs, including internet windows.
Go to C:\Qoofix and open the folder, then double click on Qoofix.exe
Click Begin Removal and wait for the scan to finish
If Qoofix finds an infection, select yes to restart your computer
You will now find a log from this tool, located at C:\Qoofix\Qoofix Logfile.txt Copy and paste the contents of that report into your next reply here.

4) You have ewido, use these instructions to run it in Safe Mode, post the scan results.
First download ewido anti-spyware from HERE (http://www.ewido.net/en/download/) and save that file to your desktop.
This is a 30 day trial of the program
Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need run ewido and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.

Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"

Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.
Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:
Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
ewido will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.

Make sure you restart the computer then post the log from Qoofix, the ewido scan results, a new HJT log, the report from SmitfraudFix and any comments you think will help.

Thanks

matt1901110

2006-08-31, 01:27

Maybe I shot myself in the foot but was still recieving popups and slow speeds. Just thought I would make sure. I appreciate your help with this!!!!

Qoofix report:Qoofix v1.03 by http://www.malwarebytes.org
Scan started on [8/30/2006] at [3:51:28 PM]
-------------------------------------------------------------
Terminated module: skhwknj.dll found in Qoofix.exe (3268)
Terminated module: skhwknj.dll found in mdhwtf.exe (1036)
Terminated module: skhwknj.dll found in explorer.exe (1268)
Terminated module: skhwknj.dll found in dmxbs.exe (836)
Terminated module: skhwknj.dll found in wscntfy.exe (1468)
Terminated module: skhwknj.dll found in dmxbs.exe (1508)
Terminated module: skhwknj.dll found in dmxbs.exe (1548)
Terminated module: skhwknj.dll found in WgaTray.exe (1976)
Terminated module: skhwknj.dll found in Navapw32.exe (468)
Terminated module: skhwknj.dll found in rundll32.exe (848)
Terminated module: skhwknj.dll found in msmsgs.exe (1212)
Terminated module: skhwknj.dll found in rundll32.exe (1336)
Terminated module: skhwknj.dll found in ctfmon.exe (684)
Terminated module: skhwknj.dll found in ABMTSR.EXE (1304)
Terminated module: skhwknj.dll found in Ymsgr_tray.exe (2104)
Terminated module: skhwknj.dll found in wuauclt.exe (2636)
Terminated module: skhwknj.dll found in rundll32.exe (624)
-------------------------------------------------------------
C:\WINDOWS\system32\dmxbs.exe will be deleted on reboot!
C:\WINDOWS\system32\mdhwtf.exe will be deleted on reboot!
C:\WINDOWS\system32\oiffekx.exe will be deleted on reboot!
C:\WINDOWS\system32\sbvaf.dat will be deleted on reboot!
C:\WINDOWS\system32\skhwknj.dll will be deleted on reboot!
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\fktxa.exe will be deleted on reboot!

User prompted YES to reboot, system now rebooting...
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [8/30/2006] at [3:52:53 PM]

Note: Some registry keys may have been removed.

The Ewido scan:---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:06:24 PM 8/30/2006

+ Scan result:

C:\Documents and Settings\Administrator\Cookies\administrator@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).

::Report end

The hjt report:
Logfile of HijackThis v1.99.1
Scan saved at 5:17:50 PM, on 8/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact 6\ABMTSR.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\spywarefix\hjthis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 6\ABMTSR.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

And the SmitFraudfix report:
SmitFraudFix v2.82

Scan done at 15:37:18.89, Wed 08/30/2006
Run from C:\spywarefix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

In the past week I have ran numerous ewido and spybot scans in safe mode and I thought I got everything out but I guess I missed the Qooloo trojan. Thank you again for your help!!!!

pskelley

2006-08-31, 01:38

No problem, that's what we are here for. All logs look good, I am looking at HJT now.
Update your Java program >>> C:\Program Files\Java\jre1.5.0_06\ see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

If all is running well, you are good to go. tashi:) will close the topic in a few days.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

tashi

2006-09-05, 00:49

As the problem appears to be resolved this topic has been archived. :)

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Cheers.