Smitfraud-c.toolbar888

**Johnh** · 2007-06-25, 14:21

Heres the log from Combofix:

ComboFix 07-06-18.2 - F:\Documents and Settings\Madeline\Desktop\ComboFix.exe
"Madeline" - 2007-06-25 22:11:53 - Service Pack 2 NTFS
Command switches used :: F:\Documents and Settings\Madeline\Desktop\ComboFix-Do.txt

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

F:\DOCUME~1\Madeline\APPLIC~1\DriveCleaner Free
F:\DOCUME~1\Madeline\APPLIC~1\DriveCleaner Free\Logs\update.log
F:\DOCUME~1\Madeline\APPLIC~1\errorsafefreeinstallw[1].exe
F:\DOCUME~1\Madeline\APPLIC~1\winantiviruspro2007freeinstall[1].exe
F:\WINDOWS\system32\cqqsmmkn.exe
F:\WINDOWS\system32\eefegoyo.dll
F:\WINDOWS\system32\fphbkefg.dll

((((((((((((((((((((((((( Files Created from 2007-05-25 to 2007-06-25 )))))))))))))))))))))))))))))))

2007-06-25 22:04 26,112 --a------ F:\WINDOWS\system32\nircmd.exe
2007-06-25 22:04 <DIR> drahs---- F:\autorun.inf
2007-06-25 14:02 49,152 --a------ F:\WINDOWS\nircmd.exe
2007-06-24 19:55 43,520 --a------ F:\WINDOWS\system32\CmdLineExt03.dll
2007-06-24 12:06 <DIR> d-------- F:\hijackthis
2007-06-17 19:58 <DIR> d-------- F:\DOCUME~1\Madeline\APPLIC~1\Ahead
2007-06-10 21:38 <DIR> d-------- F:\Program Files\EA GAMES
2007-06-09 17:05 <DIR> d-------- F:\Program Files\MSXML 4.0
2007-06-06 19:03 10,872 --a------ F:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-06 17:48 <DIR> d-------- F:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-05 20:48 <DIR> d-------- F:\Program Files\Windows Journal Viewer
2007-06-02 12:51 400 --a------ F:\score.dat
2007-05-29 17:40 <DIR> d-------- F:\Games

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-25 12:03:59 -------- d-----w F:\DOCUME~1\Madeline\APPLIC~1\uTorrent
2007-06-24 05:59:08 -------- d-----w F:\Program Files\AlphaZIP
2007-06-24 05:25:25 58,904 ----a-w F:\WINDOWS\system32\azipcontmn.dll
2007-06-23 08:23:17 -------- d-----w F:\Program Files\Microsoft Games
2007-06-19 06:35:34 664 ----a-w F:\WINDOWS\system32\d3d9caps.dat
2007-06-17 00:43:52 -------- d-----w F:\Program Files\WS_FTP
2007-06-15 02:39:33 -------- d-----w F:\DOCUME~1\Madeline\APPLIC~1\U3
2007-06-15 01:29:54 74,472 ----a-w F:\DOCUME~1\Madeline\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-06-06 03:41:07 -------- d-----w F:\Program Files\Windows Live Safety Center
2007-06-03 06:34:42 -------- d-----w F:\Program Files\Scholastic
2007-06-01 09:46:19 -------- d--h--w F:\Program Files\InstallShield Installation Information
2007-06-01 01:18:17 18,816 ----a-w F:\WINDOWS\system32\drivers\dvd43llh.sys
2007-06-01 01:18:15 -------- d-----w F:\Program Files\dvd43
2007-05-31 12:29:07 -------- d-----w F:\Program Files\SwiftSwitch
2007-05-23 10:47:38 -------- d-----w F:\Program Files\QuickTime
2007-05-16 15:12:02 683,520 ----a-w F:\WINDOWS\system32\inetcomm.dll
2007-05-05 01:47:48 -------- d-----w F:\Program Files\Inkscape
2007-04-25 14:21:15 144,896 ----a-w F:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w F:\WINDOWS\system32\msi.dll
2007-04-16 12:47:36 33,624 ----a-w F:\WINDOWS\system32\wups.dll
2007-04-16 12:45:54 1,710,936 ----a-w F:\WINDOWS\system32\wuaueng.dll
2007-04-16 12:45:48 549,720 ----a-w F:\WINDOWS\system32\wuapi.dll
2007-04-16 12:45:42 325,976 ----a-w F:\WINDOWS\system32\wucltui.dll
2007-04-16 12:45:36 203,096 ----a-w F:\WINDOWS\system32\wuweb.dll
2007-04-16 12:45:28 92,504 ----a-w F:\WINDOWS\system32\cdm.dll
2007-04-16 12:45:20 53,080 ----a-w F:\WINDOWS\system32\wuauclt.exe
2007-04-16 12:45:20 43,352 ----a-w F:\WINDOWS\system32\wups2.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 20:38]
{53707962-6F74-2D53-2644-206D7942484F}=F:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{68F9551E-0411-48E4-9AAF-4BC42A6A46BE}=F:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll [2006-04-18 19:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="F:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-08-29 21:11]
"AVG7_CC"="F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-22 10:55]
"RemoteControl"="F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"dvd43"="F:\Program Files\dvd43\dvd43_tray.exe" [2006-05-22 13:26]
"PWRISOVM.EXE"="F:\Program Files\PowerISO\PWRISOVM.EXE" [2006-09-09 19:16]
"Easy-PrintToolBox"="F:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 11:10]
"QuickTime Task"="F:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="F:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"NetworkTen Media Manager Tray"="F:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe" [2007-01-11 14:08]
"!AVG Anti-Spyware"="F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-18 16:47]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 22:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f35cbed2-0760-11dc-b820-00038a000015}]
AutoRun\command- H:\LaunchU3.exe -a

Contents of the 'Scheduled Tasks' folder
2007-06-20 09:46:12 F:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-25 22:17:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-25 22:18:41
F:\ComboFix-quarantined-files.txt ... 2007-06-25 22:18
F:\ComboFix2.txt ... 2007-06-25 21:42

--- E O F ---

**Johnh** · 2007-06-25, 14:22

And heres the HJT

Logfile of HijackThis v1.99.1
Scan saved at 10:22:03 PM, on 25/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
F:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Real\RealPlayer\RealPlay.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
F:\Program Files\dvd43\dvd43_tray.exe
F:\Program Files\PowerISO\PWRISOVM.EXE
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\explorer.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\hijackthis\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - F:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RealTray] F:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RemoteControl] "F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [dvd43] F:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] F:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Easy-PrintToolBox] F:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NetworkTen Media Manager Tray] "F:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe" /CustomId:NetworkTen
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - Startup: IMVU.lnk = F:\Program Files\IMVU\gui1.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = F:\QUICKENW\billmind.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZNxmk846YYAU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://F:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://F:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://F:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://F:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - F:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - F:\Documents and Settings\Madeline\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/...gameloader.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab50997.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {25EBFA7E-A624-487D-AD62-BD7EE060B2D7} - http://supernatural.ten.com.au/entri...en_3_5_0_7.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/puzzlepirate...GameLoader.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1125319674675
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab50997.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab47946.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://supernatural.ten.com.au/entri...2_2_Silent.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "F:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - F:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - F:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

**miekiemoes** · 2007-06-25, 15:28

Hello,

Just some leftovers now...

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZNxmk846YYAU
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/puzzlepirate...GameLoader.dll

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then delete the F:\Qoobox - folder

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6u1.
Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
- Examples of older versions in Add or Remove Programs:
- Java 2 Runtime Environment, SE v1.4.2
- J2SE Runtime Environment 5.0
- J2SE Runtime Environment 5.0 Update 6
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.

Let me know in your next reply how things are now...

**Johnh** · 2007-06-25, 16:42

Smitfraud is now gone, and the computer seems to be running more smoothly as well.

MANY thanks again for all your help!

**miekiemoes** · 2007-06-25, 16:45

Glad I could help.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!

Thread: Smitfraud-c.toolbar888

Thread Tools

Display

Posting Permissions