PDA

View Full Version : Virus not detected, persistant



cammy1174
2006-10-05, 20:07
Hello,

I got a virus, first detected as smitfraud, I ran adaware, pccillin, spybot, I had to do this a few times and reboot quite a few times. Now nothing is detected, however when I browse to legitimate sites, I get a random popup that I need virus software to remove a virus. It's obviously more malware, but I can't seem to get rid of the dumb popup, and nothing is detecting it. Here was my log when it detected the smitfraud.

Please help!! I don't want to reload ;)


------>


--- Search result list ---
Smitfraud-C.: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-4160378380-2760707263-1256863938-1006\Software\AdwareDisableKey3

Smitfraud-C.: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\AdwareDisableKey3

Smitfraud-C.: Executable (File, fixed)
C:\WINDOWS\system32\ishost.exe

Smitfraud-C.: Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-4160378380-2760707263-1256863938-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache\*\ishost.exe

Smitfraud-C.: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\ishost.exe


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-10-04 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-09-29 Includes\Cookies.sbi (*)
2006-09-29 Includes\Dialer.sbi (*)
2006-09-29 Includes\Hijackers.sbi (*)
2006-09-29 Includes\Keyloggers.sbi (*)
2006-09-29 Includes\Malware.sbi (*)
2006-09-29 Includes\PUPS.sbi (*)
2006-09-29 Includes\Revision.sbi (*)
2006-09-29 Includes\Security.sbi (*)
2006-09-29 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-09-29 Includes\Trojans.sbi (*)



--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ .NETFramework / 1.0: Microsoft .NET Framework 1.0 Hotfix (KB887998)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB886903)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ Media Center 2005 / SP4: Update Rollup 2 for Windows XP Media Center Edition 2005
/ Microsoft .NET Framework 2.0: This Security Update is for Microsoft .NET Framework 2.0. \n
If you later install a more recent service pack, this Security Update will be uninstalled automatically. \n
For more information, visit http://support.microsoft.com/kb/917283
/ Step By Step Interactive Training / SP2: Security Update for Step By Step Interactive Training (KB898458)
/ Windows Media Player 10: Security Update for Windows Media Player 10 (KB911565)
/ Windows Media Player 10: Update for Windows Media Player 10 (KB913800)
/ Windows Media Player 10: Security Update for Windows Media Player 10 (KB917734)
/ Windows XP / SP3: Windows XP Hotfix - KB834707
/ Windows XP / SP3: Windows XP Hotfix - KB867282
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Security Update for Windows XP (KB883939)
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Microsoft .NET Framework 1.0 Hotfix (KB887998)
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888239
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Hotfix for Windows XP (KB888795)
/ Windows XP / SP3: Windows XP Hotfix - KB889673
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB890923
/ Windows XP / SP3: Hotfix for Windows XP (KB891593)
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893066)
/ Windows XP / SP3: Windows XP Hotfix - KB893086
/ Windows XP / SP3: Hotfix for Windows XP (KB893357)
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Hotfix for Windows XP (KB895953)
/ Windows XP / SP3: Hotfix for Windows XP (KB896256)
/ Windows XP / SP3: Hotfix for Windows XP (KB896344)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896422)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896424)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Security Update for Windows XP (KB896688)
/ Windows XP / SP3: Update for Windows XP (KB896727)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Hotfix for Windows XP (KB899337)
/ Windows XP / SP3: Hotfix for Windows XP (KB899510)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899588)
/ Windows XP / SP3: Security Update for Windows XP (KB899589)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Update for Windows XP (KB900485)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Hotfix for Windows XP (KB902841)
/ Windows XP / SP3: Security Update for Windows XP (KB903235)
/ Windows XP / SP3: Security Update for Windows XP (KB904706)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP / SP3: Security Update for Windows XP (KB905915)
/ Windows XP / SP3: Hotfix for Windows XP (KB906569)
/ Windows XP / SP3: Security Update for Windows XP (KB908519)
/ Windows XP / SP3: Security Update for Windows XP (KB908531)
/ Windows XP / SP3: Hotfix for Windows XP (KB909095)
/ Windows XP / SP3: Update for Windows XP (KB910437)
/ Windows XP / SP3: Hotfix for Windows XP (KB910728)
/ Windows XP / SP3: Update for Windows XP (KB911280)
/ Windows XP / SP3: Security Update for Windows XP (KB911562)
/ Windows XP / SP3: Security Update for Windows XP (KB911567)
/ Windows XP / SP3: Security Update for Windows XP (KB911927)
/ Windows XP / SP3: Hotfix for Windows XP (KB912024)
/ Windows XP / SP3: Security Update for Windows XP (KB912812)
/ Windows XP / SP3: Security Update for Windows XP (KB912919)
/ Windows XP / SP3: Update for Windows XP (KB912945)
/ Windows XP / SP3: Security Update for Windows XP (KB913580)
/ Windows XP / SP3: Security Update for Windows XP (KB914388)
/ Windows XP / SP3: Security Update for Windows XP (KB914389)
/ Windows XP / SP3: Hotfix for Windows XP (KB914906)
/ Windows XP / SP3: Security Update for Windows XP (KB916281)
/ Windows XP / SP3: Update for Windows XP (KB916595)
/ Windows XP / SP3: Security Update for Windows XP (KB917159)
/ Windows XP / SP3: Security Update for Windows XP (KB917344)
/ Windows XP / SP3: Security Update for Windows XP (KB917422)
/ Windows XP / SP3: Security Update for Windows XP (KB917537)
/ Windows XP / SP3: Security Update for Windows XP (KB917953)
/ Windows XP / SP3: Security Update for Windows XP (KB918439)
/ Windows XP / SP3: Security Update for Windows XP (KB918899)
/ Windows XP / SP3: Security Update for Windows XP (KB919007)
/ Windows XP / SP3: Security Update for Windows XP (KB920214)
/ Windows XP / SP3: Security Update for Windows XP (KB920670)
/ Windows XP / SP3: Security Update for Windows XP (KB920683)
/ Windows XP / SP3: Security Update for Windows XP (KB920685)
/ Windows XP / SP3: Update for Windows XP (KB920872)
/ Windows XP / SP3: Security Update for Windows XP (KB921398)
/ Windows XP / SP3: Security Update for Windows XP (KB921883)
/ Windows XP / SP3: Update for Windows XP (KB922582)
/ Windows XP / SP3: Security Update for Windows XP (KB922616)
/ Windows XP / SP3: Security Update for Windows XP (KB925486)


--- Startup entries list ---
Located: HK_LM:Run, ATICCC
command: "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
file: C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
size: 45056
MD5: 64c4c17bf6a40ff1cd21205e6fd415b8

cammy1174
2006-10-05, 20:08
Located: HK_LM:Run, Broadcom Wireless Manager UI
command: C:\WINDOWS\system32\WLTRAY.exe
file: C:\WINDOWS\system32\WLTRAY.exe
size: 1236992
MD5: f11c343318da14137669ae14ade27df1

Located: HK_LM:Run, ehTray
command: C:\WINDOWS\ehome\ehtray.exe
file: C:\WINDOWS\ehome\ehtray.exe
size: 64512
MD5: 7a21e06385e748e9cb0252f1bbc493f1

Located: HK_LM:Run, elebxnn.dll
command: C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\elebxnn.dll,golqqtf
file: C:\WINDOWS\system32\rundll32.exe
size: 33280
MD5: da285490bbd8a1d0ce6623577d5ba1ff

Located: HK_LM:Run, MSKDetectorExe
command: C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
file:

Located: HK_LM:Run, NeroFilterCheck
command: C:\WINDOWS\system32\NeroCheck.exe
file: C:\WINDOWS\system32\NeroCheck.exe
size: 155648
MD5: 3e4c03cefad8de135263236b61a49c90

Located: HK_LM:Run, pccguide.exe
command: "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
file: C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
size: 3112960
MD5: cbac1a72422b6a77b725e698957de3e5

Located: HK_LM:Run, prskofg.dll
command: C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\prskofg.dll,sklxgdb
file: C:\WINDOWS\system32\rundll32.exe
size: 33280
MD5: da285490bbd8a1d0ce6623577d5ba1ff

Located: HK_LM:Run, Recguard
command: %WINDIR%\SMINST\RECGUARD.EXE
file: C:\WINDOWS\SMINST\RECGUARD.EXE
size: 212992
MD5: d3cc7a3813123e955b3a497c04b404e2

Located: HK_LM:Run, Reminder
command: %WINDIR%\Creator\Remind_XP.exe
file: C:\WINDOWS\Creator\Remind_XP.exe
size: 966656
MD5: bacc877db547bd8f421891ebfb6282ed

Located: HK_LM:Run, SigmatelSysTrayApp
command: stsystra.exe
file: C:\WINDOWS\stsystra.exe
size: 413696
MD5: 35643c90b523a7e5602b9a3bdb1d2f60

Located: HK_LM:Run, SynTPEnh
command: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
file: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
size: 688218
MD5: 55582f239914c8efccf89bd632639542

Located: HK_LM:Run, SynTPLpr
command: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
file: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
size: 98394
MD5: 3665ba88b993554db062ff96542d85ff

Located: HK_LM:Run, WinampAgent
command: C:\Program Files\Winamp\winampa.exe
file: C:\Program Files\Winamp\winampa.exe
size: 35328
MD5: ea7b08147c0cb85eeb4e48dc3444208e

Located: HK_CU:Run, OE
command: "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
file: C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
size: 315392
MD5: b59c1a32f3988acdc26324256bc9304a

Located: HK_CU:Run, Power2GoExpress
command: NA
file:

Located: System.ini, AtiExtEvent
command: Ati2evxx.dll
file: Ati2evxx.dll

Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll

Located: System.ini, ScCertProp
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, Schedule
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll

Located: System.ini, termsrv
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, winjrs32
command: winjrs32.dll
file: winjrs32.dll

Located: System.ini, wlballoon
command: wlnotify.dll
file: wlnotify.dll



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 7.0\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 9/13/2006 8:12:02 PM
Date (last access): 10/4/2006 4:22:00 PM
Date (last write): 12/14/2004 2:56:50 AM
Filesize: 63136
Attributes: archive
MD5: 42729C3DE75A7A51FC6F9EF6546C9199
CRC32: 4D60BD07
Version: 7.0.0.1333

{13BE67A6-D733-8042-9917-0090E29D33DE} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: cfloqr.dll
Short name:
Date (created): 10/4/2006 3:50:42 PM
Date (last access): 10/4/2006 4:52:50 PM
Date (last write): 10/4/2006 3:50:42 PM
Filesize: 72704
Attributes: archive
MD5: 5D4846DEDEAD21C7F6D89DE96B573C8E
CRC32: 5BFAD5C1

{376751F7-8B55-BA9B-C456-08795A50CDBC} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: qjimece.dll
Short name:
Date (created): 10/4/2006 2:10:58 PM
Date (last access): 10/4/2006 4:48:24 PM
Date (last write): 10/4/2006 2:10:58 PM
Filesize: 72704
Attributes: archive
MD5: 14257D0431309E418E12D59725EA2B59
CRC32: FBAADDA7

{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\Program Files\Spybot - Search & Destroy\
Long name: SDHelper.dll
Short name:
Date (created): 10/4/2006 3:03:56 PM
Date (last access): 10/4/2006 4:53:52 PM
Date (last write): 5/31/2005 1:04:00 AM
Filesize: 853672
Attributes: archive
MD5: 250D787A5712D7768DDC133B3E477759
CRC32: D4589A41
Version: 1.4.0.0

{a43385f0-7113-496d-96d7-b9b550e3fcca} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: ixt0.dll

{CA6319C0-31B7-401E-A518-A07C3DB8F777} (Browser Address Error Redirector)
BHO name: Browser Address Error Redirector
CLSID name: CBrowserHelperObject Object
Path: c:\windows\system32\
Long name: bae.dll
Short name:
Date (created): 9/13/2006 8:09:14 PM
Date (last access): 10/4/2006 4:23:04 PM
Date (last write): 1/31/2006 12:54:30 PM
Filesize: 94208
Attributes: archive
MD5: 3467178AE878796650290CA54361C810
CRC32: 9C59917B
Version: 1.1.0.1



--- ActiveX list ---
{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_02
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.5.0_02\bin\
Long name: NPJPI150_02.dll
Short name: NPJPI1~1.DLL
Date (created): 3/4/2005 4:36:50 AM
Date (last access): 10/4/2006 4:54:48 PM
Date (last write): 3/4/2005 4:54:18 AM
Filesize: 69746
Attributes: archive
MD5: 6C9A4C573C0C771D99D902EE06DA3CBB
CRC32: 55F989EE
Version: 5.0.20.9

{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_02
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
description:
classification: Legitimate
known filename: NPJPI150_02.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.5.0_02\bin\
Long name: NPJPI150_02.dll
Short name: NPJPI1~1.DLL
Date (created): 3/4/2005 4:36:50 AM
Date (last access): 10/4/2006 4:54:48 PM
Date (last write): 3/4/2005 4:54:18 AM
Filesize: 69746
Attributes: archive
MD5: 6C9A4C573C0C771D99D902EE06DA3CBB
CRC32: 55F989EE
Version: 5.0.20.9



--- Process list ---
PID: 0 ( 0) [System]
PID: 884 ( 4) \SystemRoot\System32\smss.exe
PID: 936 ( 884) \??\C:\WINDOWS\system32\csrss.exe
PID: 964 ( 884) \??\C:\WINDOWS\system32\winlogon.exe
PID: 1008 ( 964) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 1020 ( 964) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 1220 (1008) C:\WINDOWS\system32\Ati2evxx.exe
size: 405504
MD5: 5784A06FDC2AC7954225A1A79E1A8F00
PID: 1236 (1008) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1320 (1008) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1360 (1008) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1464 (1008) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1492 (1008) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1656 (1008) C:\WINDOWS\System32\WLTRYSVC.EXE
size: 18944
MD5: 61E71BC3CD3530444000A9B68F7EE931
PID: 1676 (1656) C:\WINDOWS\System32\bcmwltry.exe
size: 1093632
MD5: 9A0CE1DB25F1CDD3ED11236884800538
PID: 1792 (1008) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
PID: 1920 (1008) C:\WINDOWS\eHome\ehRecvr.exe
size: 237568
MD5: B03BCD810A2EE089FA08E47B5200BE31
PID: 1932 (1008) C:\WINDOWS\eHome\ehSched.exe
size: 102912
MD5: A53243709439AC2A4C216B817F8D7411
PID: 2040 (1008) C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
size: 1544192
MD5: 5AA9681E35792E898EAB5D216A380407
PID: 236 (1008) C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
size: 172032
MD5: 33D7285F12D934268A34206DFC4AD1B3
PID: 308 (1008) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 380 (1008) C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
size: 503808
MD5: 52D456DC5043053FA042DCA4B586AD9C
PID: 400 (1008) C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
size: 933949
MD5: 08F98944284DED21CF33DE4203B29A19
PID: 440 (1008) C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
size: 561220
MD5: 5A5DF11D10F1CA108833393DB4505555
PID: 668 (1008) C:\WINDOWS\ehome\mcrdsvc.exe
size: 99328
MD5: DF0A511F38F16016BF658FCA0090CB87
PID: 1516 (1008) C:\WINDOWS\system32\dllhost.exe
size: 5120
MD5: DD87DB7387B9EB441C5674888A0D840C
PID: 1684 (1008) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: F1958FBF86D5C004CF19A5951A9514B7
PID: 1912 (1008) C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
size: 196608
MD5: 31AA8AC3BD6BE8BCBA39AD5EC04DD40F
PID: 2252 ( 964) C:\WINDOWS\system32\Ati2evxx.exe
size: 405504
MD5: 5784A06FDC2AC7954225A1A79E1A8F00
PID: 2484 (2312) C:\WINDOWS\Explorer.EXE
size: 1032192
MD5: A0732187050030AE399B241436565E64
PID: 2800 (2484) C:\WINDOWS\ehome\ehtray.exe
size: 64512
MD5: 7A21E06385E748E9CB0252F1BBC493F1
PID: 2816 (2484) C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
size: 98394
MD5: 3665BA88B993554DB062FF96542D85FF
PID: 2868 (2484) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
size: 688218
MD5: 55582F239914C8EFCCF89BD632639542
PID: 2888 (2788) C:\WINDOWS\system32\ismini.exe
size: 6656
MD5: 295EE02EE150BAA011D77630C79E0CD1
PID: 2952 (2484) C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
size: 45056
MD5: 64C4C17BF6A40FF1CD21205E6FD415B8
PID: 2972 (2484) C:\WINDOWS\stsystra.exe
size: 413696
MD5: 35643C90B523A7E5602B9A3BDB1D2F60
PID: 3000 (2484) C:\WINDOWS\system32\WLTRAY.exe
size: 1236992
MD5: F11C343318DA14137669AE14ADE27DF1
PID: 3024 (2484) C:\Program Files\Winamp\winampa.exe
size: 35328
MD5: EA7B08147C0CB85EEB4E48DC3444208E
PID: 3072 (2484) C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
size: 3112960
MD5: CBAC1A72422B6A77B725E698957DE3E5
PID: 3316 (2484) C:\WINDOWS\system32\rundll32.exe
size: 33280
MD5: DA285490BBD8A1D0CE6623577D5BA1FF
PID: 3392 (1236) C:\WINDOWS\eHome\ehmsas.exe
size: 46592
MD5: 03A905FBA1D62317087DB5C21C0F8F62
PID: 3444 (2484) C:\WINDOWS\system32\rundll32.exe
size: 33280
MD5: DA285490BBD8A1D0CE6623577D5BA1FF
PID: 3476 (2484) C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
size: 315392
MD5: B59C1A32F3988ACDC26324256BC9304A
PID: 3616 (2952) C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
size: 45056
MD5: 64C4C17BF6A40FF1CD21205E6FD415B8
PID: 3624 (2952) C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
size: 45056
MD5: 64C4C17BF6A40FF1CD21205E6FD415B8
PID: 4080 (1008) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 3056 (2484) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 3936 (3072) C:\PROGRA~1\TRENDM~1\INTERN~1\PCCMAIN.EXE
size: 3014656
MD5: 980D324880A32D39A0384AE50DF28B41
PID: 2432 (3072) C:\PROGRA~1\TRENDM~1\INTERN~1\PccVScan.exe
size: 1503232
MD5: 1F36C42C8297B0AFDC74DB28B00EE9F7
PID: 3400 ( 868) C:\Program Files\Internet Explorer\iexplore.exe
size: 93184
MD5: E7484514C0464642BE7B4DC2689354C8
PID: 2588 (2700) C:\Program Files\Internet Explorer\iexplore.exe
size: 93184
MD5: E7484514C0464642BE7B4DC2689354C8
PID: 2392 (2484) C:\Program Files\Mozilla Firefox\firefox.exe
size: 7190637
MD5: 43658E87F7B183F2245491FBCC695E05
PID: 4 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 10/4/2006 5:24:14 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6453
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6453
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6453
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2E186E5A-A29F-4533-BD69-D527E697B668}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2E186E5A-A29F-4533-BD69-D527E697B668}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6A457B15-F129-4310-A1ED-17B7C4B0BB9B}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

cammy1174
2006-10-05, 20:09
Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6A457B15-F129-4310-A1ED-17B7C4B0BB9B}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{807199B4-06FD-42F9-B66F-01EDDBCE49B7}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{807199B4-06FD-42F9-B66F-01EDDBCE49B7}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{506B92FB-A770-49DE-B465-8EA15A95D517}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{506B92FB-A770-49DE-B465-8EA15A95D517}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E02061F1-C8BA-4BD9-9327-9B0269DD363E}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E02061F1-C8BA-4BD9-9327-9B0269DD363E}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

md usa spybot fan
2006-10-05, 20:53
cammy1174:


I got a virus, first detected as smitfraud …
Smitfraud is not a virus. It is actually malware delivered (downloaded and accepted by you) from unscrupulous sales "affiliates" of questionable anti-spyware companies who are paid between 40% and 90% commission to get you to buy these questionable anti-spyware products.

Follow the instructions posted here:
VirusBurst, SpywareStrike and other desktop type hijacks
http://forums.spybot.info/showthread.php?t=4015
Then open a "New thread" in the following forum:
Malware Removal
http://forums.spybot.info/forumdisplay.php?f=22
Make sure that you include in your initial post the following items that should have been produced when following the above instructions:
c:\rapport.txt
AVG Anti-Spyware log
The HJT log
Someone will assist you and make sure that the Smitfraud problem is removed.

cammy1174
2006-10-06, 01:30
Thank you very much for the info, I will try that. :bigthumb: