Hello,

I have been infected with Smitfraud.C and been trying to remove it as suggested in some other threads on this forum but no luck so far. I have been using hijackthis, smitremove and symantec. Still Spybot detects and now i also get endless kill processes from Spybot for the ISHOST.exe process. Was hoping you can provide me with assistance.

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 21:56:05, on 10/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe
c:\program files\firm applications\media viewer\services\streamviewerservice.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\cmd32.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ismini.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Symantec AntiVirus\VPC32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis.exe
C:\WINDOWS\system32\ishost.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Plugin Class - {56CD20F0-7C09-11D5-A768-0050042307CE} - C:\PlayerIE\playerIE.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PhilipsDM] "C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O20 - Winlogon Notify: winvvh32 - C:\WINDOWS\SYSTEM32\winvvh32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: MC/Empower i.collect Service (iCollectService) - Unknown owner - C:\WINDOWS\system32\acstp\icserv.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe



smitRem © log file
version 3.2

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
"IE"="6.0000"
The current date is: Sun 10/01/2006
The current time is: 21:18:32,08

Running from
C:\temp\smitrm\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB3339}"="DCOM Server 3339"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Appinitdll check ........ Thank you Grinler!

dumphive.exe (C)2000-2004 Markus Stephany
REGEDIT4

[Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!


checking for drsmartload2 key


drsmartload2 key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present
Trust Cleaner uninstaller NOT present
SpyHeal uninstaller NOT present
VirusBurst uninstaller NOT present
BraveSentry uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

ismini.exe


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 372 'explorer.exe'
Killing PID 372 'explorer.exe'
Killing PID 372 'explorer.exe'
Killing PID 372 'explorer.exe'
Killing PID 372 'explorer.exe'
Killing PID 372 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB3339}"="DCOM Server 3339"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :)

Welcome to the forum, you still show evidence of a Smitfraud infection and other trojans. If you still need help, this is what I would like you to do.

1) TeaTimer may be blocking changes we need to make with the tools, use these instruction and turn TeaTimer off until you are finished.
http://russelltexas.com/malware/teatimer.htm

2) Our experts would like to get a look at one of the nasties you have on your computer: C:\WINDOWS\system32\cmd32.exe Would you use these instructions to upload that file for investigation.
http://www.thespykiller.co.uk/forum/index.php?board=1.0
You will probably need to show hidden files and folder to see it:
How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

3) Uninstall all Smitfraud tools you downloaded, then follow the directions here:

3) http://forums.spybot.info/showthread.php?t=4015 When you finish the instructions, post the three logs in this same topic using the "Post Reply" button.

Spybot-S&D: Be sure to follow the directions to save the scan report but do not post it here unless requested by a helper.

I will respond as soon as possible after you post with instructions.

Thanks...pskelley
Safer Networking Forums

If you would like to let your thoughts be known about the lowlifes who put that junk on your computer, you can do that here:
If you have been infected by one of the SpyAxe family
http://forums.tomcoyote.org/index.php?showtopic=58063
http://www.malwarecomplaints.info/

Pskelly,

Thanks for the assistance. I ran all the 11 steps in the thread you linked and it appears my problems are solved. I will post the logs so you can verify.

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 12:58:41, on 10/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\program files\firm applications\media viewer\services\streamviewerservice.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Plugin Class - {56CD20F0-7C09-11D5-A768-0050042307CE} - C:\PlayerIE\playerIE.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PhilipsDM] "C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Metso VPN Dialer (OnStartup).lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.accenture.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O20 - Winlogon Notify: winvvh32 - C:\WINDOWS\SYSTEM32\winvvh32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: MC/Empower i.collect Service (iCollectService) - Unknown owner - C:\WINDOWS\system32\acstp\icserv.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Accenture Media Viewer (MediaViewer) - - c:\program files\firm applications\media viewer\services\streamviewerservice.exe
O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

SmitFraudFix v2.104

Scan done at 11:15:01,84, Tue 10/03/2006
Run from D:\Documents and Settings\erik.berkel.van\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB3339}"="DCOM Server 3339"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\cmd32.exe Deleted
C:\WINDOWS\system32\ismini.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB3339}"="DCOM Server 3339"



»»»»»»»»»»»»»»»»»»»»»»»» End

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:34:30 10/3/2006

+ Scan result:



C:\System Volume Information\_restore{30B602A1-9448-477F-B3B9-85D700FDB0D9}\RP232\A0053026.dll -> Adware.Softomate : Ignored.
C:\System Volume Information\_restore{30B602A1-9448-477F-B3B9-85D700FDB0D9}\RP234\A0053216.dll -> Adware.Softomate : Ignored.
C:\System Volume Information\_restore{30B602A1-9448-477F-B3B9-85D700FDB0D9}\RP233\A0053059.exe -> Backdoor.Agent.adr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30B602A1-9448-477F-B3B9-85D700FDB0D9}\RP234\A0053184.exe -> Downloader.Agent.aqs : Cleaned with backup (quarantined).
C:\WINDOWS\ebo.exe -> Downloader.Agent.aqx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30B602A1-9448-477F-B3B9-85D700FDB0D9}\RP233\A0053066.exe -> Downloader.CWS.y : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30B602A1-9448-477F-B3B9-85D700FDB0D9}\RP235\A0054344.exe -> Downloader.Delf.aeu : Cleaned with backup (quarantined).
C:\WINDOWS\mcl.exe -> Downloader.Delf.aeu : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{30B602A1-9448-477F-B3B9-85D700FDB0D9}\RP232\A0053033.dll -> Downloader.Delf.ayr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30B602A1-9448-477F-B3B9-85D700FDB0D9}\RP233\A0053067.exe -> Downloader.Small.ccm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30B602A1-9448-477F-B3B9-85D700FDB0D9}\RP233\A0053068.exe -> Downloader.Small.ccm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30B602A1-9448-477F-B3B9-85D700FDB0D9}\RP233\A0053074.dll -> Downloader.Small.ccm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30B602A1-9448-477F-B3B9-85D700FDB0D9}\RP233\A0053075.dll -> Downloader.Small.ccm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30B602A1-9448-477F-B3B9-85D700FDB0D9}\RP233\A0053076.dll -> Downloader.Small.ccm : Cleaned with backup (quarantined).
C:\WINDOWS\system32\z3560.dll -> Downloader.Small.ccm : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{30B602A1-9448-477F-B3B9-85D700FDB0D9}\RP232\A0053032.exe -> Downloader.Small.ccm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30B602A1-9448-477F-B3B9-85D700FDB0D9}\RP233\A0053070.exe -> Downloader.Small.dkt : Cleaned with backup (quarantined).
C:\WINDOWS\system32\tmp_2b2.exe -> Downloader.Tiny.eg : Cleaned with backup (quarantined).
C:\WINDOWS\system32\win_3.dll -> Downloader.Tiny.eg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30B602A1-9448-477F-B3B9-85D700FDB0D9}\RP233\A0053072.exe -> Dropper.Small.asw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30B602A1-9448-477F-B3B9-85D700FDB0D9}\RP233\A0053073.exe -> Dropper.Small.asw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30B602A1-9448-477F-B3B9-85D700FDB0D9}\RP233\A0053071.exe -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30B602A1-9448-477F-B3B9-85D700FDB0D9}\RP233\A0053069.exe -> Not-A-Virus.Hoax.Win32.Renos.fc : Ignored.
C:\WINDOWS\system32\3339_27.dll -> Trojan.Agent.pk : Cleaned with backup (quarantined).
C:\WINDOWS\system32\3339_32.dll -> Trojan.Agent.pk : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{DC5732D4-063E-1035-0126-050408160001}\Update.exe -> Trojan.Starter.65 : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30B602A1-9448-477F-B3B9-85D700FDB0D9}\RP232\A0053034.exe -> Trojan.Starter.65 : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30B602A1-9448-477F-B3B9-85D700FDB0D9}\RP234\A0053214.exe -> Trojan.Starter.65 : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{30B602A1-9448-477F-B3B9-85D700FDB0D9}\RP234\A0053253.exe -> Trojan.Starter.65 : Cleaned with backup (quarantined).


::Report end

Thanks for returning your information. Were you able to upload that file for the experts? Looks like we have one trojan that resisted.

SmitfraudFix appears to have done it's job, the HJT log is clean except for this one item:
O20 - Winlogon Notify: winvvh32 - C:\WINDOWS\SYSTEM32\winvvh32.dll. Google can't identify it so I am guessing it is some kind of random named trojan. If you want to scan it before you remove it use the scanners I provided earlier and make sure hidden files and folder are enabled. Turn off TeaTimer so it can not block the change.

The ewido scan shows items "Ignored" and I don't know if you did that or the new AVG scanners did? One way or another we wil be cleaning the System Restore files before we finish.

Let's remove that last item like this:
How to use the Delete on Reboot tool http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINDOWS\SYSTEM32\winvvh32.dll and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button to reboot now.

Now let's clean a little:

Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
O20 - Winlogon Notify: winvvh32 - C:\WINDOWS\SYSTEM32\winvvh32.dll >>> should say (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post a last HJT log, if all is running well, we will clean the System Restore files and give you some information to help you stay clean and safe.

Thanks...Phil

Phil,

Sadly I ran the first steps before actually uploading the cmd32.exe. So it has been deleted (a duh from my side). So i cant upload it for your experts. I did a search on my drive for it and dont see it anymore and in the above post logs it said it was deleted.

I will do the steps you lay our above later on today.

Thanks

Quin

Phil,

I ran the steps you layed out. It appears to me that my system is running fine but as you said i probably need to clean out the sys restore files. Furthermore i would would once again like to thank you, and the other volunteers on this forum, for the selflessness help you give to people. Being abroad for 3 weeks a month away from your GF makes you do stupid stuff and you get infected ;)

Here is the last HJT log for verification and excuse me for not uploading the cmd32.exe so you could investigate it and help more people.

Thanks

Quin

Logfile of HijackThis v1.99.1
Scan saved at 22:48:41, on 10/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\program files\firm applications\media viewer\services\streamviewerservice.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Plugin Class - {56CD20F0-7C09-11D5-A768-0050042307CE} - C:\PlayerIE\playerIE.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PhilipsDM] "C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Metso VPN Dialer (OnStartup).lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: MC/Empower i.collect Service (iCollectService) - Unknown owner - C:\WINDOWS\system32\acstp\icserv.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Accenture Media Viewer (MediaViewer) - - c:\program files\firm applications\media viewer\services\streamviewerservice.exe
O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

One last question about the HJT log:

I have deleted the following key almost all the time since 'file missing' to me means delete but it comes back all the time:

O23 - Service: MC/Empower i.collect Service (iCollectService) - Unknown owner - C:\WINDOWS\system32\acstp\icserv.exe (file missing)

I have googled it but it does not seem familiar to me with the programs i have installed on my laptop. Maybe you have an idea.

Thanks for your feedback and good job:bigthumb: with the complex instructions. Let me try to answer your questions.

Cleaning System Restore is not optional, you can see all of the junk the AVG Anti-Spyware - Scan Report is showing in System Restore. If you have to use System Restore for a legitimate reason, that junk would get back on your computer.

O23 - Service: MC/Empower i.collect Service (iCollectService) - Unknown owner - C:\WINDOWS\system32\acstp\icserv.exe (file missing)
This is a valid item: http://www.castlecops.com/o23list-612.html The file missing in the case is a glitch HJT is reporting, that file is there. If you wish to get rid of that item, you must "disable it first"

Disable the Service
Click Start > Run and type services.msc
Scroll down to MC/Empower i.collect Service and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

Once it is Disabled, you can use HJT to delete it but you can not get it back via HJT "backups" and you will be warned of this when you use the tool.

Delete the Service
Open HijackThis and click Config -> Misc Tools -> Delete an NT service.
In the Delete window, type (iCollectService) and press OK.
OK any prompts, close HijackThis, and restart your computer.

You HJT log looks to be clean of malware.
AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Safe surfing...tashi:) will close your topic in a few days.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

Good job Quinlan :)

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Cheers