
Thread: Another smitfruad-c problem with others

  1. #21
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    hi micahr14,

"I've had this issue before."
And how did you fix it?

"file and the server"
Do you know what application ZA is calling the "server"?

"Here is the Spybot log"
The log?

    shelf life
    How Can I Reduce My Risk?

  2. #22
    Member
    Join Date
    Mar 2007
    Location
    Bangor, ME USA
    Posts
    29

    Default Heh

The log will not post. It's way too long. And I'll look in the archives here. It was about 6 months ago, and ps_kelley was the one that helped me with it.

No, I'm seeing nothing from the ZA on the server. All I know is the Ad-Watch is not reporting any more registry changes ever since I started ZA Pro and ran the Spybot cleaning.

Mic. Sorry about the vagueness :D I should probably be a little clearer next time. It's just kind of hard with work and all. :(
    Mic

  3. #23
    Member
    Join Date
    Mar 2007
    Location
    Bangor, ME USA
    Posts
    29

    Default Linky

Here is the linky to the other post I had with ps_kelley. The symptoms are the same, but something is running in the background of my computer and not showing in the process list, and it's really a memory hog too.

    http://forums.spybot.info/showthread...light=micahr14

    MIC
    Mic

  4. #24
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    hi

I saw that archived post; looks like you had LOP then. Got smitfraud and company now.

You sure you ran AVG Anti-Spyware? I don't see it in the HJT log. Did you ever get ComboFix to run? Post another HJT log and the saved report from AVG. If AVG won't run we can get something else.

How to save the AVG report:
Once the scan is complete do the following:
* If you have any infections you will be prompted, then select "Apply all actions"
* Next select the "Reports" icon at the top.
* Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your computer. Please post the AVG log in your next reply.


    shelf life
    How Can I Reduce My Risk?

  5. #25
    Member
    Join Date
    Mar 2007
    Location
    Bangor, ME USA
    Posts
    29

    Default

Hurray! We have a ComboFix log but still no AVG log. AVG doesn't (and hasn't) liked my system, running on 319 MB of RAM.

The computer is still a bit sluggish, and it's changed its theme (colors, windows, sounds) back to Windows Classic and isn't letting me change them back. I looked on Kelly's Korner for tools to restore it. Was able to get the taskbar restored. sUBS over at MRU was able to give me a beta that worked, and it turns out that it was the program. Well, here's the log:

    "BTN USER" - 2007-06-06 17:38:43 Service Pack 2 NTFS
    ComboFix 07-06-3B - Running from: "C:\Documents and Settings\BTN USER\Desktop\"


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Documents and Settings\All Users.WINDOWS.\documents\settings
    C:\Documents and Settings\All Users.WINDOWS.\documents\settings\desktop.ini
    C:\WINDOWS\keyboard11.dat
    C:\WINDOWS\regedit.com
    C:\WINDOWS\system32\cmd.com
    C:\WINDOWS\system32\mc-110-12-0000140.exe
    C:\WINDOWS\system32\ping.com
    C:\WINDOWS\system32\tasklist.com
    C:\WINDOWS\system32\taskmgr.com
    C:\WINDOWS\system32\tracert.com


    ((((((((((((((((((((((((( Files Created from 2007-05-06 to 2007-06-06 )))))))))))))))))))))))))))))))


    2007-06-03 21:14 <DIR> d-------- C:\DOCUME~1\BTNUSE~1\APPLIC~1\Ceedo
    2007-05-24 21:10 <DIR> d-------- C:\VundoFix Backups
    2007-05-20 23:08 <DIR> d-------- C:\ie-spyad2
    2007-05-19 23:37 <DIR> d-------- C:\Program Files\Incomplete
    2007-05-18 22:29 <DIR> d-a------ C:\WINDOWS\zts2.exe
    2007-05-18 22:29 <DIR> d-a------ C:\WINDOWS\SYSTEM32\vcmgcd32.dll
    2007-05-18 22:29 <DIR> d-a------ C:\WINDOWS\SYSTEM32\iifgfgf.dll
    2007-05-18 22:09 146,432 --a------ C:\WINDOWS\R.COM
    2007-05-18 22:09 135,680 --a------ C:\WINDOWS\SYSTEM32\T.COM
    2007-05-17 19:24 1,812 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
    2007-05-10 17:04 95,872 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
    2007-05-10 17:04 94,552 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
    2007-05-10 17:04 85,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
    2007-05-10 17:04 43,176 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
    2007-05-10 17:04 26,888 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
    2007-05-10 17:04 23,416 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
    2007-05-10 17:03 745,600 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
    2007-05-10 17:03 1,060,864 --a------ C:\WINDOWS\SYSTEM32\MFC71.dll
    2007-05-10 17:03 <DIR> d-------- C:\Program Files\Alwil Software
    2007-05-09 16:29 <DIR> d-------- C:\Program Files\FastStone Capture
    2007-05-09 16:29 <DIR> d-------- C:\DOCUME~1\BTNUSE~1\APPLIC~1\FastStone
    2007-05-09 16:27 <DIR> d-------- C:\Program Files\CNet


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-02 23:55:50 -------- d-----w C:\Program Files\Wisdom-soft AutoScreenRecorder Free
    2007-05-25 01:34:29 -------- d-----w C:\Program Files\Actual Title Buttons
    2007-05-25 00:00:18 -------- d-----w C:\Program Files\Winamp
    2007-05-24 23:56:07 -------- d-----w C:\Program Files\QO Labs
    2007-05-21 03:18:59 1,964 ----a-w C:\WINDOWS\system32\d3d8caps.dat
    2007-05-20 12:18:39 -------- d-----w C:\Program Files\ZipCentral
    2007-05-20 12:16:54 -------- d-----w C:\Program Files\LimeWirePro
    2007-05-10 20:28:40 -------- d-----w C:\DOCUME~1\BTNUSE~1\APPLIC~1\OpenOffice.org2
    2007-05-06 00:03:21 4,212 -c-h--w C:\WINDOWS\system32\zllictbl.dat
    2007-05-05 23:45:28 -------- d-----w C:\Program Files\GIMP-2.0
    2007-05-05 18:32:33 -------- d-----w C:\Program Files\TuneXP
    2007-05-05 18:32:33 -------- d-----w C:\Program Files\Tradewinds Full Game
    2007-05-05 18:32:32 -------- d-----w C:\Program Files\Pizza Frenzy
    2007-05-05 18:32:32 -------- d-----w C:\Program Files\Bejeweled 2 Deluxe
    2007-05-05 17:21:06 -------- d-----w C:\DOCUME~1\BTNUSE~1\APPLIC~1\Tenebril
    2007-05-05 02:12:53 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-05-03 23:47:56 -------- d-----w C:\Program Files\Google
    2007-05-03 23:46:11 -------- d-----w C:\Program Files\Common Files\InstallShield
    2007-05-02 02:44:45 -------- d-----w C:\Program Files\a-squared HiJackFree
    2007-04-30 21:11:44 20,747 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
    2007-04-29 01:42:14 -------- d-----w C:\Program Files\SpyCatcher 2006
    2007-04-29 01:41:13 -------- d-----w C:\Program Files\WhatsRunning
    2007-04-29 01:40:23 -------- d-----w C:\DOCUME~1\BTNUSE~1\APPLIC~1\gtopala
    2007-04-24 00:05:00 -------- d-----w C:\DOCUME~1\BTNUSE~1\APPLIC~1\Ventrilo
    2007-04-23 23:58:11 -------- d-----w C:\Program Files\Ventrilo
    2007-04-23 23:57:00 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-04-19 22:41:24 114 -c--a-w C:\WINDOWS\popcinfo.dat
    2007-04-17 18:02:52 -------- d-----w C:\DOCUME~1\BTNUSE~1\APPLIC~1\AVSMedia
    2007-04-17 12:53:29 -------- d-----w C:\Program Files\Freeciv-2.0.9-gtk2
    2007-04-16 02:00:43 5 --sha-w C:\WINDOWS\system32\efabaaabef1_s.dll
    2007-04-15 11:49:21 -------- d-----w C:\Program Files\ActualCoach
    2007-04-15 11:49:21 -------- d-----w C:\Program Files\4t Tray Minimizer
    2007-04-15 11:49:18 -------- d-----w C:\Program Files\Mozilla Thunderbird
    2007-04-15 11:49:17 -------- d-----w C:\Program Files\SolSuite
    2007-04-14 02:06:51 -------- d-----w C:\DOCUME~1\BTNUSE~1\APPLIC~1\IrfanView
    2007-04-12 23:05:06 -------- d-----w C:\Program Files\AVSMedia
    2007-04-12 21:56:35 -------- d-----w C:\Program Files\Ministars Software
    2007-04-12 21:55:07 -------- d-----w C:\Program Files\Microsoft Games
    2007-04-12 21:51:24 -------- d-----w C:\Program Files\PDFCreator
    2007-04-12 21:44:18 -------- d-----w C:\Program Files\Nuclear Power
    2007-04-12 21:43:47 -------- d-----w C:\Program Files\CursorXP
    2007-04-12 21:42:25 -------- d-----w C:\Program Files\Taskbar Shuffle
    2007-04-12 21:41:34 -------- d-----w C:\Program Files\Windows X
    2007-04-12 21:34:05 720,896 -c--a-w C:\WINDOWS\iun6002.exe
    2007-04-12 02:03:45 -------- d-----w C:\Program Files\GFX
    2007-04-10 22:17:13 -------- d-----w C:\DOCUME~1\BTNUSE~1\APPLIC~1\IE7pro
    2007-04-10 22:07:39 -------- d-----w C:\Program Files\Microsoft Plus! Photo Story 2 LE
    2007-04-10 21:52:28 -------- d-----w C:\Program Files\Chronotron Inc
    2007-04-10 21:22:36 -------- d-----w C:\Program Files\IE7pro
    2007-04-10 21:20:45 -------- d-----w C:\DOCUME~1\BTNUSE~1\APPLIC~1\Actual Tools
    2007-04-10 21:15:08 -------- d-----w C:\Program Files\SRS Labs
    2007-04-09 01:24:50 -------- d-----w C:\Program Files\Odometer
    2007-04-09 00:46:25 -------- d-----w C:\DOCUME~1\BTNUSE~1\APPLIC~1\Inkscape
    2007-04-06 22:06:58 -------- d-----w C:\DOCUME~1\BTNUSE~1\APPLIC~1\Lavasoft
    2007-04-06 00:42:35 -------- d-----w C:\Program Files\Inkscape
    2007-04-06 00:00:48 -------- d-----w C:\Program Files\Scribus 1.3.3.8
    2007-03-28 20:40:51 80 --sh--r C:\WINDOWS\system32\4E6F1E8D02.dll
    2007-03-19 10:35:14 1,636 -c--a-w C:\WINDOWS\system32\d3d9caps.dat
    2007-03-09 05:01:42 1,087,216 ----a-w C:\WINDOWS\system32\zpeng24.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 04:43]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2006-10-17 16:04]
    {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Program Files\Windows Live Toolbar\msntb.dll [2006-09-27 17:45]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Resume copy"="copyfstq.exe" [2006-12-06 17:31 C:\WINDOWS\copyfstq.exe]
    "StartupDelayer"="C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe" [2006-06-23 04:12]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoSharedDocuments"=1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ClearRecentDocsOnExit"=1 (0x1)
    "NoSMMyPictures"=01000000
    "NoLowDiskSpaceChecks"=1 (0x1)
    "NoRecentDocsMenu"=1 (0x1)
    "NoToolbarCustomize"=0 (0x0)
    "NoToolbarsOnTaskbar"=0 (0x0)
    "NoSharedDocuments"=1 (0x1)
    "NoBandCustomize"=0 (0x0)
    "NoSaveSettings"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    "winupdates"=C:\Program Files\winupdates\winupdates.exe /auto
    "NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" -hide

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


    **************************************************************************

    catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-06 20:34:50
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    **************************************************************************

    Completion time: 2007-06-06 20:39:13
    C:\ComboFix-quarantined-files.txt ... 2007-06-06 20:38

    --- E O F ---


    HJT:
    Logfile of HijackThis v1.99.1
    Scan saved at 07:34, on 2007-06-06
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\HJT\scanner.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
    O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
    O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O11 - Options group: [INTERNATIONAL] International*
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    Mic

  6. #26
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    hi micahr14,

OK, good. Looks like ComboFix got rid of some stuff also. Let's forget AVG; I would remove it via the Add/Remove Programs panel, then reboot the computer once.
I suggest scanning with SUPERAntiSpyware and seeing what else it might dig up. The HJT log looks OK:

    http://www.superantispyware.com/
    --------------------
    shelf life
    How Can I Reduce My Risk?

  7. #27
    Member
    Join Date
    Mar 2007
    Location
    Bangor, ME USA
    Posts
    29

    Default dormancy

    Hi all,
Just to let you know, our family suffered a terrible tragedy this past week or two and I've been off and on a lot. Not sure when things will even out for my online time either. So far, an update: evidently the spyware hasn't been removed, because I'm still having trouble with my Windows shell. I had to remove ZA Pro because it was stuck in lock mode and would not let me access the internet. Switching to Outpost firewall. Sure, it might take time to reconfigure everything, but I'm sure that it will work better :D ... Still got high CPU usage.


    Thanks for everything shelf,
    Keep us in your hopes and prayers

    Micah R. Roemmich
    Mic

  8. #28
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    hi micahr14,

    I hope it all turns out ok for you and your family.

Outpost is an excellent firewall. I also highly recommend Jetico.

These entries from ComboFix are typical of a worm:
    ping.com
    tasklist.com
    taskmgr.com
    tracert.com

    if you wish to continue just post back when you can.

    shelf life
    How Can I Reduce My Risk?
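
The reason those .com files matter is how cmd.exe resolves a bare command name: for each directory on PATH it tries every PATHEXT extension in order, and the default PATHEXT lists .COM before .EXE. A taskmgr.com dropped next to taskmgr.exe in system32 therefore runs instead of the real Task Manager. The script below is an added example (not part of the thread, and not a Spybot or ComboFix tool) that reproduces that lookup and flags any file whose extension outranks a sibling .exe. The directory listings are constructed from the paths in the ComboFix "Other Deletions" section above, not read from a live machine; the scan_live_system() helper does the same check against real directories and is an assumption about how you would run it on a Windows box.

```python
"""
Detect .COM files that shadow Windows system .EXE tools via PATHEXT order.

Added example, not from the original thread. cmd.exe resolves a bare command
name ("taskmgr") by trying each PATHEXT extension in order inside each PATH
directory, and the default PATHEXT lists .COM before .EXE, so taskmgr.com
beside taskmgr.exe wins. The listings below are constructed from the paths
in this thread's ComboFix log; they are not a live system.
"""
import os
from typing import Dict, Iterable, List, Optional, Tuple

# Default PATHEXT on Windows XP, in resolution order. .COM is tried first.
DEFAULT_PATHEXT = [".COM", ".EXE", ".BAT", ".CMD", ".VBS", ".VBE",
                   ".JS", ".JSE", ".WSF", ".WSH", ".MSC"]

# Constructed listing: the shadow files from the log next to the legitimate
# executables they impersonate, plus a clean file that must not be flagged.
SAMPLE_DIRS: Dict[str, List[str]] = {
    r"C:\WINDOWS\system32": [
        "cmd.exe", "cmd.com",
        "ping.exe", "ping.com",
        "tasklist.exe", "tasklist.com",
        "taskmgr.exe", "taskmgr.com",
        "tracert.exe", "tracert.com",
        "notepad.exe",              # no .com twin: must not be flagged
        "mc-110-12-0000140.exe",    # odd name, but no shadowing involved
    ],
    r"C:\WINDOWS": [
        "regedit.exe", "regedit.com",
        "explorer.exe",
    ],
}


def _winjoin(directory: str, filename: str) -> str:
    """Join with a backslash regardless of the host OS running this script."""
    return directory.rstrip("\\") + "\\" + filename


def resolve_command(name: str, path_dirs: Iterable[str],
                    listings: Dict[str, List[str]],
                    pathext: List[str] = DEFAULT_PATHEXT) -> Optional[str]:
    """Return the file cmd.exe would launch for a bare command name.

    Mirrors cmd.exe: walk PATH in order and, within each directory, try
    every PATHEXT extension in order. The first existing file wins, so a
    .com in an earlier directory or with an earlier extension beats the .exe.
    """
    for directory in path_dirs:
        present = {f.lower() for f in listings.get(directory, [])}
        for ext in pathext:
            if (name + ext).lower() in present:
                return _winjoin(directory, name + ext.lower())
    return None


def find_shadowed_tools(listings: Dict[str, List[str]],
                        pathext: List[str] = DEFAULT_PATHEXT
                        ) -> List[Tuple[str, str, str]]:
    """Find files whose extension outranks a sibling .exe in PATHEXT order.

    Returns sorted (directory, shadowing_file, shadowed_exe) triples. Only
    extensions listed before .EXE (by default just .COM) can shadow an .exe
    in the same directory; a lone .com with no .exe twin (e.g. more.com on
    XP) is legitimate and is not reported.
    """
    exe_rank = pathext.index(".EXE")
    hits: List[Tuple[str, str, str]] = []
    for directory, files in listings.items():
        by_lower = {f.lower(): f for f in files}
        for f in files:
            stem, ext = os.path.splitext(f)
            ext_u = ext.upper()
            if ext_u not in pathext or pathext.index(ext_u) >= exe_rank:
                continue
            twin = by_lower.get((stem + ".exe").lower())
            if twin is not None:
                hits.append((directory, f, twin))
    return sorted(hits)


def scan_live_system(dirs: Optional[List[str]] = None) -> List[Tuple[str, str, str]]:
    """Run the same check on real directories (meaningful on Windows only)."""
    systemroot = os.environ.get("SystemRoot", r"C:\WINDOWS")
    dirs = dirs or [os.path.join(systemroot, "system32"), systemroot]
    listings = {d: os.listdir(d) for d in dirs if os.path.isdir(d)}
    return find_shadowed_tools(listings)


if __name__ == "__main__":
    path = [r"C:\WINDOWS\system32", r"C:\WINDOWS"]
    for cmd in ("taskmgr", "regedit", "notepad"):
        print(f"{cmd:8s} -> {resolve_command(cmd, path, SAMPLE_DIRS)}")
    for directory, bad, good in find_shadowed_tools(SAMPLE_DIRS):
        print(f"SHADOW  {_winjoin(directory, bad)}  hides  {good}")
```

On the constructed data this reports six pairs (cmd, ping, tasklist, taskmgr, tracert and regedit) and resolves "taskmgr" to taskmgr.com, which is exactly why Task Manager "would not open" on an infected box. On a live system treat a hit as a lead, not a verdict: compare the flagged file's hash or Authenticode signature against the genuine tool before deleting it, since the check only looks at names.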

  9. #29
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961

    Default

    This topic has been moved to archives to prevent others with similar issues posting to it.

    When you need the thread re-opened, please send me a private message (pm)
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
