
Thread: Possible false positive? Smitfraud-C Toolbar888

  1. #1
    Junior Member
    Join Date
    Jun 2007
    Posts
    5

    Possible false positive? Smitfraud-C Toolbar888

    Hello there, I'm in need of some expert help. Spybot detected Smitfraud on my computer last week. I took all the measures I could to get rid of it, but even though Smitfraudfix does not detect any infections, Spybot still accuses one entry:

    --- Search result list ---
    Smitfraud-C.Toolbar888: Settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-854245398-1614895754-725345543-1005\Software\Microsoft\aldd

    It says it's fixed, but it always shows back up. I can't find anything that looks like it could be it on my HJT log either, though I'm by no means an expert and don't really know if I'm looking the right way. Can this be a false positive?

    I'm using S&D 1.4, latest detection update 2007-06-13, plus AVG Free Edition 7.5.472 and Sygate Personal Firewall 5.6 build 2808. And Spyware Blaster.

  2. #2
    Junior Member
    Join Date
    Jun 2007
    Posts
    6


    I have the same problem. Oddly enough too, if I scan under my admin account, or in safe mode, Spybot doesn't find it.

    However, on my son's account, it finds it each time I re-log in to his userid on the machine.

    --- Search result list ---
    Smitfraud-C.Toolbar888: Settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-1416163055-3445941883-4294521060-1013\Software\Microsoft\aldd


    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
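The per-user location of the flagged key explains the pattern described in the post above. HKEY_USERS\<SID> is that account's own hive (the hive that account sees as HKEY_CURRENT_USER), and it is only mounted while the account is logged on, so a scan run from a different account, in Safe Mode or not, never opens the son's hive and cannot see a key stored in it. The script below is an added example, not code from Spybot or from either poster: it walks every local profile listed in the registry, reads the hive directly when it is loaded, temporarily mounts the profile's NTUSER.DAT with reg.exe when it is not, and reports which accounts carry the subkey Spybot quoted. The subkey path is the one from the thread; the temporary hive name HKU\SpybotCheck and the function names are this script's own.

```powershell
# Added example for this thread, not Spybot's code and not the posters' code.
# For a per-user subkey (relative to the user hive, as Spybot reports it), list every
# local profile and whether that profile's hive contains the key. Logged-on profiles
# are read from HKEY_USERS directly; logged-off profiles have their NTUSER.DAT mounted
# temporarily with reg.exe (requires an elevated prompt).
# Assumption: 'Software\Microsoft\aldd' is the path quoted in the thread; 'HKU\SpybotCheck'
# is an arbitrary temporary hive name chosen for this script.
param(
    [string]$SuspectSubKey = 'Software\Microsoft\aldd'
)

function Get-UserProfiles {
    # ProfileList maps each account SID to its profile directory, where NTUSER.DAT lives.
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -Path $profileList |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |
        ForEach-Object {
            $sid = $_.PSChildName
            $rawPath = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
            $imagePath = [Environment]::ExpandEnvironmentVariables($rawPath)
            try {
                $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch {
                $account = '<unresolved SID>'   # deleted account, or domain not reachable
            }
            [pscustomobject]@{ SID = $sid; Account = $account; ProfilePath = $imagePath }
        }
}

function Test-SubKeyInHive {
    param([string]$HiveRoot, [string]$SubKey)
    # Reports whether the key exists and, if so, the value and subkey names it holds.
    $keyPath = "Registry::$HiveRoot\$SubKey"
    if (-not (Test-Path -LiteralPath $keyPath)) {
        return [pscustomobject]@{ Exists = $false; Contents = '' }
    }
    $key = Get-Item -LiteralPath $keyPath
    $names = @($key.GetValueNames()) + @($key.GetSubKeyNames() | ForEach-Object { "$_\" })
    return [pscustomobject]@{ Exists = $true; Contents = ($names -join ', ') }
}

function Find-SuspectKeyAcrossProfiles {
    param([string]$SubKey)
    foreach ($userProfile in Get-UserProfiles) {
        $result = [pscustomobject]@{ Exists = $false; Contents = '' }
        if (Test-Path -LiteralPath "Registry::HKEY_USERS\$($userProfile.SID)") {
            # Hive is mounted because the account is logged on.
            $source = 'loaded hive'
            $result = Test-SubKeyInHive -HiveRoot "HKEY_USERS\$($userProfile.SID)" -SubKey $SubKey
        } else {
            # Logged-off account: mount its NTUSER.DAT under a temporary name, inspect, unmount.
            $ntuser = Join-Path $userProfile.ProfilePath 'NTUSER.DAT'
            if (-not (Test-Path -LiteralPath $ntuser)) {
                $source = 'no NTUSER.DAT'
            } else {
                & reg.exe load 'HKU\SpybotCheck' $ntuser | Out-Null
                if ($LASTEXITCODE -ne 0) {
                    $source = 'hive locked or inaccessible'
                } else {
                    $source = 'offline NTUSER.DAT'
                    try {
                        $result = Test-SubKeyInHive -HiveRoot 'HKEY_USERS\SpybotCheck' -SubKey $SubKey
                    } finally {
                        [GC]::Collect()   # release provider handles so the unload succeeds
                        & reg.exe unload 'HKU\SpybotCheck' | Out-Null
                    }
                }
            }
        }
        [pscustomobject]@{
            Account  = $userProfile.Account
            SID      = $userProfile.SID
            Source   = $source
            KeyFound = $result.Exists
            Contents = $result.Contents
        }
    }
}

Find-SuspectKeyAcrossProfiles -SubKey $SuspectSubKey | Format-Table -AutoSize
```

Run it from an elevated prompt; mounting another account's NTUSER.DAT fails while that account is logged on, which the Source column reports rather than hiding. A key that comes back after Spybot marks it fixed is being recreated by something that runs inside that account's session, so the startup-entry and BHO lists the helper asks for later in the thread are the right place to look next.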

  3. #3
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110


    Hi,

    This may be a false positive, but due to the nature of Smitfraud.Toolbar888 it may also still be present.

    We will require Spybot S&D logs of your computers to see if there is anything suspicious left. Please attach them to your next posts.

  4. #4
    Junior Member
    Join Date
    Jun 2007
    Posts
    5


    Okay, here's my full Spybot log. My system changed since my first post, because my sister bought Norton 360.



    --- Search result list ---
    Smitfraud-C.Toolbar888: Settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-854245398-1614895754-725345543-1005\Software\Microsoft\aldd

    Microsoft.WindowsSecurityCenter.UpdateDisableNotify: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0

    Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


    Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)



    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2005-10-10 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2007-05-23 advcheck.dll (1.5.3.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2007-01-02 Tools.dll (2.0.1.0)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2007-06-13 Includes\Cookies.sbi (*)
    2007-05-30 Includes\Dialer.sbi (*)
    2007-06-13 Includes\DialerC.sbi (*)
    2007-06-13 Includes\Hijackers.sbi (*)
    2007-06-13 Includes\HijackersC.sbi (*)
    2006-10-27 Includes\Keyloggers.sbi (*)
    2007-06-13 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2007-05-30 Includes\Malware.sbi (*)
    2007-06-13 Includes\MalwareC.sbi (*)
    2007-03-21 Includes\PUPS.sbi (*)
    2007-06-13 Includes\PUPSC.sbi (*)
    2007-06-13 Includes\Revision.sbi (*)
    2007-05-30 Includes\Security.sbi (*)
    2007-06-13 Includes\SecurityC.sbi (*)
    2007-06-06 Includes\Spybots.sbi (*)
    2007-06-13 Includes\SpybotsC.sbi (*)
    2005-02-17 Includes\Tracks.uti
    2007-05-16 Includes\Trojans.sbi (*)
    2007-06-13 Includes\TrojansC.sbi (*)
    2007-06-06 Plugins\TCPIPAddress.dll



    --- System information ---
    Windows XP (Build: 2600) Service Pack 2
    / Internet Explorer 6 / SP1: Windows XP Hotfix - KB867282
    / Windows Media Player 6.4: Atualização de Segurança para o Windows Media Player 6.4 (KB925398)
    / Windows Media Player 9: Atualização de Segurança para o Windows Media Player 9 (KB917734)
    / Windows XP: Atualização de Segurança para Windows XP (KB923689)
    / Windows XP / SP2: Windows XP Service Pack 2
    / Windows XP / SP3: Windows XP Hotfix - KB867282
    / Windows XP / SP3: Windows XP Hotfix - KB873333
    / Windows XP / SP3: Windows XP Hotfix - KB873339
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB883939)
    / Windows XP / SP3: Windows XP Hotfix - KB885250
    / Windows XP / SP3: Windows XP Hotfix - KB885835
    / Windows XP / SP3: Windows XP Hotfix - KB885836
    / Windows XP / SP3: Windows XP Hotfix - KB886185
    / Windows XP / SP3: Windows XP Hotfix - KB887472
    / Windows XP / SP3: Windows XP Hotfix - KB887742
    / Windows XP / SP3: Windows XP Hotfix - KB888113
    / Windows XP / SP3: Windows XP Hotfix - KB888302
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB890046)
    / Windows XP / SP3: Windows XP Hotfix - KB890047
    / Windows XP / SP3: Windows XP Hotfix - KB890175
    / Windows XP / SP3: Windows XP Hotfix - KB890859
    / Windows XP / SP3: Windows XP Hotfix - KB890923
    / Windows XP / SP3: Windows XP Hotfix - KB891781
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB893066)
    / Windows XP / SP3: Windows XP Hotfix - KB893086
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB893756)
    / Windows XP / SP3: Windows Installer 3.1 (KB893803)
    / Windows XP / SP3: Windows Installer 3.1 (KB893803)
    / Windows XP / SP3: Atualização para Windows XP (KB894391)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB896358)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB896422)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB896423)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB896424)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB896428)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB896688)
    / Windows XP / SP3: Atualização para Windows XP (KB896727)
    / Windows XP / SP3: Atualização para Windows XP (KB898461)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB899587)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB899588)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB899589)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB899591)
    / Windows XP / SP3: Atualização para Windows XP (KB900485)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB900725)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB901017)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB901214)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB902400)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB903235)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB904706)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB905414)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB905749)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB905915)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB908519)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB908531)
    / Windows XP / SP3: Atualização para Windows XP (KB910437)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB911280)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB911562)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB911567)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB911927)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB912812)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB912919)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB913446)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB913580)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB914388)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB914389)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB916281)
    / Windows XP / SP3: Atualização para Windows XP (KB916595)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB917159)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB917344)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB917422)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB917953)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB918118)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB918439)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB918899)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB919007)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB920213)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB920214)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB920670)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB920683)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB920685)
    / Windows XP / SP3: Atualização para Windows XP (KB920872)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB921398)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB921883)
    / Windows XP / SP3: Atualização para Windows XP (KB922582)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB922616)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB922760)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB922819)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB923191)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB923414)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB923694)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB923980)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB924191)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB924270)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB924496)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB924667)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB925454)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB925486)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB926255)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB926436)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB927779)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB927802)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB928090)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB928255)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB928843)
    / Windows XP / SP3: Atualização para Windows XP (KB929338)
    / Windows XP / SP3: Atualização de Segurança para Windows XP (KB929969)
    / Windows XP / SP3: Atualização para Windows XP (KB931836)


    --- Startup entries list ---
    Located: HK_LM:Run, ccApp
    command: "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
    file: C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
    size: 115816
    MD5: 25be770865658cb79100117112819a7c

    Located: HK_LM:Run, EPSON Stylus C43 Series (cópia 1)
    command: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S08IC1.EXE /P33 "EPSON Stylus C43 Series (cópia 1)" /O5 "LPT1:" /M "Stylus C43"
    file: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S08IC1.EXE
    size: 75776
    MD5: a0d03e1d45ae308ef87bc0a7f04c3bd3

    Located: HK_LM:Run, LanguageShortcut
    command: "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"
    file: C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe
    size: 54832
    MD5: 2798313dbb6ae778207eb1b1c68a1988

    Located: HK_LM:Run, NeroFilterCheck
    command: C:\WINDOWS\system32\NeroCheck.exe
    file: C:\WINDOWS\system32\NeroCheck.exe
    size: 155648
    MD5: 3e4c03cefad8de135263236b61a49c90

    Located: HK_LM:Run, QuickTime Task
    command: "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
    file: C:\Arquivos de programas\QuickTime\qttask.exe
    size: 282624
    MD5: 7fbe43046efdf24fc9375024e4d02ac9

    Located: HK_LM:Run, RemoteControl
    command: "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
    file: C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
    size: 71216
    MD5: 459ba26605d6721ddef0922a59c2fa29

    Located: HK_LM:RunServices, RegisterDropHandler
    command: C:\ARQUIV~1\TEXTBR~1.0\Bin\REGIST~1.EXE
    file:

    Located: HK_CU:Run, NBJ
    command: "C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe"
    file: C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe
    size: 1961984
    MD5: a459e38e7c878a57b03280a000038764

    Located: Startup (common), Adobe Reader Speed Launch.lnk
    command: C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe
    file: C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe
    size: 40048
    MD5: 54c88bfbd055621e2306534f445c0c8d

    Located: Startup (common), Adobe Reader Synchronizer.lnk
    command: C:\Arquivos de programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    file: C:\Arquivos de programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    size: 734872
    MD5: 169c293ce9460a05646d17dc6aa2fb2c

    Located: Startup (user), Adobe Gamma.lnk
    command: C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
    file: C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
    size: 113664
    MD5: c2ff17734176cd15221c10044ef0ba1a

    Located: Startup (disabled), Adobe Reader Speed Launch (DISABLED)
    command: C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe
    file: C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe
    size: 40048
    MD5: 54c88bfbd055621e2306534f445c0c8d

    Located: Startup (disabled), Adobe Reader Synchronizer (DISABLED)
    command: D:\Programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    file:

    Located: Startup (disabled), Microsoft Office (DISABLED)
    command: D:\Programas\Microsoft Office\Office\OSA9.EXE -b -l
    file:

    Located: Startup (disabled), Utility Tray (DISABLED)
    command: C:\WINDOWS\system32\sistray.exe
    file: C:\WINDOWS\system32\sistray.exe
    size: 331776
    MD5: 75d2905cc72d4deb2771eef42a809c35

    Located: Startup (disabled), Adobe Gamma (DISABLED)
    command: C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
    file: C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
    size: 113664
    MD5: c2ff17734176cd15221c10044ef0ba1a

    Located: Startup (disabled), Webshots (DISABLED)
    command: C:\Arquivos de programas\Webshots\Launcher.exe /t
    file:

    Located: System.ini, crypt32chain
    command: crypt32.dll
    file: crypt32.dll

    Located: System.ini, cryptnet
    command: cryptnet.dll
    file: cryptnet.dll

    Located: System.ini, cscdll
    command: cscdll.dll
    file: cscdll.dll

    Located: System.ini, ScCertProp
    command: wlnotify.dll
    file: wlnotify.dll

    Located: System.ini, Schedule
    command: wlnotify.dll
    file: wlnotify.dll

    Located: System.ini, sclgntfy
    command: sclgntfy.dll
    file: sclgntfy.dll

    Located: System.ini, SensLogn
    command: WlNotify.dll
    file: WlNotify.dll

    Located: System.ini, termsrv
    command: wlnotify.dll
    file: wlnotify.dll

    Located: System.ini, WgaLogon
    command:
    file:

    Located: System.ini, wlballoon
    command: wlnotify.dll
    file: wlnotify.dll

  5. #5
    Junior Member
    Join Date
    Jun 2007
    Posts
    5

    Continued

    --- Browser helper object list ---
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
    BHO name:
    CLSID name: Adobe PDF Reader Link Helper
    description: Adobe Acrobat reader
    classification: Legitimate
    known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
    info link: http://www.adobe.com/products/acrobat/readstep2.html
    info source: TonyKlein
    Path: C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\
    Long name: AcroIEHelper.dll
    Short name: ACROIE~1.DLL
    Date (created): 22/10/2006 23:08:42
    Date (last access): 20/6/2007 18:22:14
    Date (last write): 22/10/2006 23:08:42
    Filesize: 62080
    Attributes: archive
    MD5: C11F6A1F61481E24BE3FDC06EA6F7D2A
    CRC32: E388508F
    Version: 8.0.0.456

    {1E8A6170-7264-4D0F-BEAE-D42A53123C75} ()
    BHO name:
    CLSID name:
    Path: C:\Arquivos de programas\Arquivos comuns\Symantec Shared\coShared\Browser\1.5\
    Long name: NppBHO.dll
    Short name:
    Date (created): 19/2/2007 00:22:56
    Date (last access): 20/6/2007 22:19:32
    Date (last write): 19/2/2007 00:22:56
    Filesize: 97960
    Attributes: readonly archive
    MD5: FE48BB4C64B6D42EB637732D9D2962E4
    CRC32: 9D5C5BBE
    Version: 2007.1.7.4

    {53707962-6F74-2D53-2644-206D7942484F} ()
    BHO name:
    CLSID name:
    description: Spybot-S&D IE Browser plugin
    classification: Legitimate
    known filename: SDhelper.dll
    info link: http://spybot.eon.net.au/
    info source: Patrick M. Kolla
    Path: C:\ARQUIV~1\SPYBOT~1\
    Long name: SDHelper.dll
    Short name:
    Date (created): 12/5/2004 01:03:00
    Date (last access): 20/6/2007 22:50:54
    Date (last write): 31/5/2005 01:04:00
    Filesize: 853672
    Attributes: archive
    MD5: 250D787A5712D7768DDC133B3E477759
    CRC32: D4589A41
    Version: 1.4.0.0

    {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} ()
    BHO name:
    CLSID name:
    Path: C:\WINDOWS\system32\
    Long name: spehiqct.dll

    {5DAB07FD-760C-453F-A9F1-44E5CFB63905} ()
    BHO name:
    CLSID name:
    Path: C:\WINDOWS\system32\
    Long name: sstqq.dll

    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} ()
    BHO name:
    CLSID name:

    {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
    BHO name:
    CLSID name:

    {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
    BHO name:
    CLSID name: CNavExtBho Class
    description: Norton Antivirus
    classification: Legitimate
    known filename: NavShExt.dll
    info link: http://www.symantec.com/nav/nav_9xnt/
    info source: TonyKlein

    {C41A1C0E-EA6C-11D4-B1B8-444553540000} (G-Buster Browser Defense)
    BHO name: G-Buster Browser Defense
    CLSID name: GbIehObj Class
    description: G-Buster Browser Defense
    classification: Legitimate
    known filename: gbieh.dll
    info link:
    info source: TonyKlein
    Path: C:\WINDOWS\Downloaded Program Files\
    Long name: gbieh.dll
    Short name:
    Date (created): 16/5/2005 14:21:04
    Date (last access): 20/6/2007 22:18:56
    Date (last write): 22/2/2007 15:00:58
    Filesize: 228392
    Attributes: archive
    MD5: 650265603A66CBE661E01C342C944CEF
    CRC32: 5FA659BD
    Version: 3.1.5.13

    {C41A1C0E-EA6C-11D4-B1B8-444553540007} (G-Buster Browser Defense Real)
    BHO name: G-Buster Browser Defense Real
    CLSID name: GbIehObj Class
    Path: C:\WINDOWS\Downloaded Program Files\
    Long name: gbiehabn.dll
    Short name:
    Date (created): 3/10/2005 09:01:46
    Date (last access): 20/6/2007 22:18:56
    Date (last write): 3/10/2005 09:01:46
    Filesize: 140968
    Attributes: archive
    MD5: ACD40895997247FC46EDE3F5044C1A47
    CRC32: E2840214
    Version: 2.7.2.17



    --- ActiveX list ---
    DirectAnimation Java Classes (DirectAnimation Java Classes)
    DPF name: DirectAnimation Java Classes
    CLSID name:
    Installer:
    Codebase: file://C:\WINDOWS\Java\classes\dajava.cab
    description:
    classification: Legitimate
    known filename: %WINDIR%\Java\classes\dajava.cab
    info link:
    info source: Patrick M. Kolla

    Microsoft XML Parser for Java (Microsoft XML Parser for Java)
    DPF name: Microsoft XML Parser for Java
    CLSID name:
    Installer:
    Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
    description:
    classification: Legitimate
    known filename: %WINDIR%\Java\classes\xmldso.cab
    info link:
    info source: Patrick M. Kolla

    {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control)
    DPF name:
    CLSID name: ewidoOnlineScan Control
    Installer:
    Codebase: http://downloads.ewido.net/ewidoOnlineScan.cab
    description:
    classification: Legitimate
    known filename: EWIDOO~1.DLL
    info link:
    info source: Safer Networking Ltd.
    Path: C:\WINDOWS\DOWNLO~1\
    Long name: ewidoOnlineScan.dll
    Short name: EWIDOO~1.DLL
    Date (created): 11/7/2006 09:41:36
    Date (last access): 20/6/2007 22:18:56
    Date (last write): 11/7/2006 09:41:36
    Filesize: 345656
    Attributes: archive
    MD5: B284992540E0FA2B76DEA56F93D49A16
    CRC32: FD2E709C
    Version: 1.0.0.4

    {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class)
    DPF name:
    CLSID name: GbPluginObj Class
    Installer: C:\WINDOWS\Downloaded Program Files\GbPluginABN.inf
    Codebase: https://wwws.realsecureweb.com.br/mp...bPluginABN.cab
    Path: C:\WINDOWS\Downloaded Program Files\
    Long name: gbiehabn.dll
    Short name:
    Date (created): 3/10/2005 09:01:46
    Date (last access): 20/6/2007 22:18:56
    Date (last write): 3/10/2005 09:01:46
    Filesize: 140968
    Attributes: archive
    MD5: ACD40895997247FC46EDE3F5044C1A47
    CRC32: E2840214
    Version: 2.7.2.17

    {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class)
    DPF name:
    CLSID name: GbPluginObj Class
    Installer: C:\WINDOWS\Downloaded Program Files\GbPluginBb.inf
    Codebase: https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
    description:
    classification: Open for discussion
    known filename: GBIEH.DLL
    info link:
    info source: Safer Networking Ltd.
    Path: C:\WINDOWS\Downloaded Program Files\
    Long name: gbieh.dll
    Short name:
    Date (created): 16/5/2005 14:21:04
    Date (last access): 20/6/2007 22:18:56
    Date (last write): 22/2/2007 15:00:58
    Filesize: 228392
    Attributes: archive
    MD5: 650265603A66CBE661E01C342C944CEF
    CRC32: 5FA659BD
    Version: 3.1.5.13
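A first-pass triage of a Spybot S&D browser helper object list, added here as an example and not taken from the thread or from Spybot: the parser splits the block into entries on the CLSID header line and collects the `field: value` lines beneath each one, then scores every entry on facts the log itself records, whether it has any name at all, whether Spybot's info database classified it, and whether its file resolves into the Windows directory or does not resolve at all. The sample block is a trimmed copy of three entries from the post above; the field names are Spybot's, while the scoring rules and function names are this example's own.

```powershell
# Added example, not part of the thread: parse a Spybot S&D "Browser helper object list"
# block and rank entries for a closer look. Sample text is trimmed from the log posted
# above (constructed for this example); the scoring heuristics are this script's own.
$SampleBhoList = @'
--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
BHO name:
CLSID name: Adobe PDF Reader Link Helper
description: Adobe Acrobat reader
classification: Legitimate
Path: C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelper.dll

{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: spehiqct.dll

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} ()
BHO name:
CLSID name:
'@

function ConvertFrom-SpybotBhoList {
    param([string]$Text)
    # Each entry starts with "{CLSID} (title)"; the indented "field: value" lines that
    # follow belong to it until the next header. Returns one object per entry.
    $entries = @()
    $current = $null
    foreach ($rawLine in ($Text -split "`r?`n")) {
        $line = $rawLine.Trim()
        if ($line -match '^\{([0-9A-Fa-f-]{36})\}\s*\((.*)\)$') {
            if ($current) { $entries += [pscustomobject]$current }
            $current = [ordered]@{ CLSID = $Matches[1]; Title = $Matches[2] }
        } elseif ($current -and $line -match '^([^:]+):\s*(.*)$') {
            $current[$Matches[1]] = $Matches[2]   # key is the text before the first colon
        }
    }
    if ($current) { $entries += [pscustomobject]$current }
    return $entries
}

function Get-BhoTriage {
    param([object[]]$Entries)
    # Score each entry on observable facts from the log; a high score means "look closer",
    # not "malicious". Missing fields read as $null and count as empty.
    foreach ($e in $Entries) {
        $reasons = @()
        if (-not $e.Title -and -not $e.'BHO name' -and -not $e.'CLSID name') {
            $reasons += 'no name anywhere'
        }
        if (-not $e.classification) {
            $reasons += 'not classified in the Spybot info database'
        }
        if (-not $e.Path) {
            $reasons += 'CLSID registered but no file resolved'
        } elseif ($e.Path -match '^[A-Za-z]:\\WINDOWS\\(system32\\)?$') {
            $reasons += 'file lives directly in the Windows directory'
        }
        [pscustomobject]@{
            CLSID   = $e.CLSID
            File    = if ($e.'Long name') { $e.'Long name' } else { '<none>' }
            Score   = $reasons.Count
            Reasons = ($reasons -join '; ')
        }
    }
}

$parsed = ConvertFrom-SpybotBhoList -Text $SampleBhoList
Get-BhoTriage -Entries $parsed | Sort-Object Score -Descending | Format-Table -AutoSize
```

Feed it the complete list instead of the sample and the named, classified entries (Adobe, Spybot, Norton, G-Buster) drop to the bottom, while unnamed DLLs in system32 and CLSIDs with no file behind them rise to the top, which is the same order a human helper works through such a log. The score is a sorting aid for a manual review, not a verdict; the verdict still comes from identifying the file.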

  6. #6
    Junior Member
    Join Date
    Jun 2007
    Posts
    5

    Continued 2

    --- Process list ---
    PID: 0 ( 0) [System]
    PID: 496 ( 4) \SystemRoot\System32\smss.exe
    PID: 552 ( 496) \??\C:\WINDOWS\system32\csrss.exe
    PID: 576 ( 496) \??\C:\WINDOWS\system32\winlogon.exe
    PID: 620 ( 576) C:\WINDOWS\system32\services.exe
    size: 108544
    MD5: CC73C4430C2FC27FDE16A0A4E3678148
    PID: 632 ( 576) C:\WINDOWS\system32\lsass.exe
    size: 13312
    MD5: 35C6463B3C5F62D2B20C953B6E1538E9
    PID: 812 ( 620) C:\WINDOWS\system32\svchost.exe
    size: 14336
    MD5: 5DE3E7B6F7624552F2F06664F110820D
    PID: 860 ( 620) C:\WINDOWS\system32\svchost.exe
    size: 14336
    MD5: 5DE3E7B6F7624552F2F06664F110820D
    PID: 924 ( 620) C:\WINDOWS\System32\svchost.exe
    size: 14336
    MD5: 5DE3E7B6F7624552F2F06664F110820D
    PID: 1000 ( 620) C:\WINDOWS\System32\svchost.exe
    size: 14336
    MD5: 5DE3E7B6F7624552F2F06664F110820D
    PID: 1092 ( 620) C:\WINDOWS\System32\svchost.exe
    size: 14336
    MD5: 5DE3E7B6F7624552F2F06664F110820D
    PID: 1200 ( 620) C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
    size: 108648
    MD5: FE69C498B922CE835E2E2123FBD0A272
    PID: 1384 ( 620) C:\WINDOWS\system32\spoolsv.exe
    size: 57856
    MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
    PID: 1784 ( 620) C:\Arquivos de programas\CyberLink\Shared files\RichVideo.exe
    size: 173616
    MD5: 1D4061CC5BC8E823D05E1E6E6C1224E3
    PID: 1888 ( 620) C:\WINDOWS\System32\svchost.exe
    size: 14336
    MD5: 5DE3E7B6F7624552F2F06664F110820D
    PID: 1920 ( 620) C:\WINDOWS\system32\wdfmgr.exe
    size: 38912
    MD5: 49501C6BE752D5043ADA8667AC774F7A
    PID: 408 ( 620) C:\WINDOWS\System32\alg.exe
    size: 44544
    MD5: 379C7AC3EBCB636ECDB704E188A96A13
    PID: 1016 (1492) C:\WINDOWS\Explorer.EXE
    size: 1034240
    MD5: FA61A19050AE14BEC1A26DE82390DD65
    PID: 1528 (1016) C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
    size: 71216
    MD5: 459BA26605D6721DDEF0922A59C2FA29
    PID: 1164 (1016) C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
    size: 115816
    MD5: 25BE770865658CB79100117112819A7C
    PID: 2640 (1016) C:\Arquivos de programas\utorrent.exe
    size: 177152
    MD5: E3013175D75CB6ABBB55F61FDFEF7F50
    PID: 1296 ( 620) C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
    size: 1174664
    MD5: 43CFCA936D211BF7F1CDE1DDF807CB76
    PID: 2852 (1016) C:\Arquivos de programas\Mozilla Firefox\firefox.exe
    size: 7637104
    MD5: 77C6AB4E70E7FC35E17B8ED919408B62
    PID: 3832 (1016) C:\Arquivos de programas\Spybot - Search & Destroy\SpybotSD.exe
    size: 4393096
    MD5: 09CA174A605B480318731E691DC98539
    PID: 4 ( 0) System


    --- Browser start & search pages list ---
    Spybot - Search & Destroy browser pages report, 20/6/2007 22:59:45

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
    C:\windows\system32\blank.htm
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
    http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
    http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
    http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
    http://home.microsoft.com/access/autosearch.asp?p=%s
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
    C:\windows\system32\blank.htm
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
    http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
    http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
    http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
    http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
    http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
    http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


    --- Winsock Layered Service Provider list ---
    Protocol 0: MSAFD Tcpip [TCP/IP]
    GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP IP protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip[*]

    Protocol 1: MSAFD Tcpip [UDP/IP]
    GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP IP protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip[*]

    Protocol 2: MSAFD Tcpip [RAW/IP]
    GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP IP protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip[*]

    Protocol 3: RSVP UDP Service Provider
    GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
    Filename: %SystemRoot%\system32\rsvpsp.dll
    Description: Microsoft Windows NT/2k/XP RVSP
    DB filename: %SystemRoot%\system32\rsvpsp.dll
    DB protocol: RSVP * Service Provider

    Protocol 4: RSVP TCP Service Provider
    GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
    Filename: %SystemRoot%\system32\rsvpsp.dll
    Description: Microsoft Windows NT/2k/XP RVSP
    DB filename: %SystemRoot%\system32\rsvpsp.dll
    DB protocol: RSVP * Service Provider

    Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D6B9EDF0-41A7-43CF-BD2D-D95AE24BE618}] SEQPACKET 0
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D6B9EDF0-41A7-43CF-BD2D-D95AE24BE618}] DATAGRAM 0
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4C654A62-BACD-4C18-AFC1-FF1A21EE9867}] SEQPACKET 1
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4C654A62-BACD-4C18-AFC1-FF1A21EE9867}] DATAGRAM 1
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F64A13F9-130E-4F59-B438-98A7038E16BE}] SEQPACKET 2
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F64A13F9-130E-4F59-B438-98A7038E16BE}] DATAGRAM 2
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{324DB7AB-4E37-4C80-9E4F-733F398BDD29}] SEQPACKET 3
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{324DB7AB-4E37-4C80-9E4F-733F398BDD29}] DATAGRAM 3
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{3D281B4E-BAE0-4ED0-86AF-009B44BE0682}] SEQPACKET 4
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{3D281B4E-BAE0-4ED0-86AF-009B44BE0682}] DATAGRAM 4
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Namespace Provider 0: Tcpip
    GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
    Filename: %SystemRoot%\System32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: TCP/IP

    Namespace Provider 1: NTDS
    GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
    Filename: %SystemRoot%\System32\winrnr.dll
    Description: Microsoft Windows NT/2k/XP name space provider
    DB filename: %SystemRoot%\system32\winrnr.dll
    DB protocol: NTDS

    Namespace Provider 2: Espaço para nome do reconhecimento de local da rede (NLA)
    GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
    Filename: %SystemRoot%\System32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP name space provider
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: NLA-Namespace

    //END

    If there's anything in Portuguese in there that you need translated, just ask.

  7. #7
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Default

    thank you for posting your log file, but attach the text file containing the log to your post next time; that way the thread will be laid out more clearly.

    now to your log:

    {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} ()
    BHO name:
    CLSID name:
    Path: C:\WINDOWS\system32\
    Long name: spehiqct.dll

    {5DAB07FD-760C-453F-A9F1-44E5CFB63905} ()
    BHO name:
    CLSID name:
    Path: C:\WINDOWS\system32\
    Long name: sstqq.dll

    these 2 browser helper objects are related to Smitfraud-C.Toolbar888 (also known as Vundo or Virtumonde).

    Alternative A)
    If you send me your email address by pm, I can send you a quick fix to have Spybot remove this.

    Alternative B)
    You can also remove them manually from the BHOs in the tools section of the Spybot S&D advanced mode; after that you will have to remove the files.


    We will require another log file after the BHOs and files have been removed, to check that nothing is left.

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  8. #8
    Junior Member
    Join Date
    Jun 2007
    Posts
    5

    Default

    Oh, very sorry about that, but thanks for taking a look anyway. I just PMed you with my email.

  9. #9
    Junior Member
    Join Date
    Jul 2007
    Posts
    2

    Default The same problem

    Hello,
    After downloading some keygens, I suspect my PC has been infected by spyware. A pop-up advertisement keeps appearing intermittently. When I scan with Spybot, Smitfraud-C.Toolbar appears. Every time I fix it, it appears in the next scan.

    Does it have anything to do with the pop-up ad? Can anyone help me with this problem? Thanks in advance.

    My spybot log is:
    --- Search result list ---
    Smitfraud-C.Toolbar888: Settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR

    Virtumonde: Library (File, fixed)
    C:\WINDOWS\system32\winopn32.dll_tobedeleted_old

    DoubleClick: Tracking cookie (Internet Explorer: user) (Cookie, fixed)



    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2005-12-24 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2007-05-23 advcheck.dll (1.5.3.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2007-01-02 Tools.dll (2.0.1.0)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2007-06-27 Includes\Cookies.sbi (*)
    2007-05-30 Includes\Dialer.sbi (*)
    2007-06-27 Includes\DialerC.sbi (*)
    2007-06-20 Includes\Hijackers.sbi (*)
    2007-06-27 Includes\HijackersC.sbi (*)
    2007-06-27 Includes\Keyloggers.sbi (*)
    2007-06-27 Includes\KeyloggersC.sbi (*)
    2007-06-20 Includes\Malware.sbi (*)
    2007-06-27 Includes\MalwareC.sbi (*)
    2007-03-21 Includes\PUPS.sbi (*)
    2007-06-27 Includes\PUPSC.sbi (*)
    2007-06-27 Includes\Revision.sbi (*)
    2007-05-30 Includes\Security.sbi (*)
    2007-06-27 Includes\SecurityC.sbi (*)
    2007-06-20 Includes\Spybots.sbi (*)
    2007-06-27 Includes\SpybotsC.sbi (*)
    2005-02-17 Includes\Tracks.uti
    2007-06-27 Includes\Trojans.sbi (*)
    2007-06-27 Includes\TrojansC.sbi (*)
    2007-06-06 Plugins\TCPIPAddress.dll

    --- System information ---
    Windows XP (Build: 2600) Service Pack 2
    / Windows Media Player 10: Security Update for Windows Media Player 10 (KB911565)
    / Windows XP / SP3: Windows XP Hotfix - KB873339
    / Windows XP / SP3: Windows XP Hotfix - KB885250
    / Windows XP / SP3: Windows XP Hotfix - KB885835
    / Windows XP / SP3: Windows XP Hotfix - KB885836
    / Windows XP / SP3: Windows XP Hotfix - KB885884
    / Windows XP / SP3: Windows XP Hotfix - KB886185
    / Windows XP / SP3: Windows XP Hotfix - KB887472
    / Windows XP / SP3: Windows XP Hotfix - KB887742
    / Windows XP / SP3: Windows XP Hotfix - KB888113
    / Windows XP / SP3: Windows XP Hotfix - KB888302
    / Windows XP / SP3: Security Update for Windows XP (KB890046)
    / Windows XP / SP3: Windows XP Hotfix - KB890859
    / Windows XP / SP3: Windows XP Hotfix - KB891781
    / Windows XP / SP3: Security Update for Windows XP (KB893066)
    / Windows XP / SP3: Security Update for Windows XP (KB893756)
    / Windows XP / SP3: Windows Installer 3.1 (KB893803)
    / Windows XP / SP3: Update for Windows XP (KB894391)
    / Windows XP / SP3: Security Update for Windows XP (KB896358)
    / Windows XP / SP3: Security Update for Windows XP (KB896422)
    / Windows XP / SP3: Security Update for Windows XP (KB896423)
    / Windows XP / SP3: Security Update for Windows XP (KB896424)
    / Windows XP / SP3: Security Update for Windows XP (KB896428)
    / Windows XP / SP3: Security Update for Windows XP (KB896688)
    / Windows XP / SP3: Update for Windows XP (KB898461)
    / Windows XP / SP3: Security Update for Windows XP (KB899587)
    / Windows XP / SP3: Security Update for Windows XP (KB899589)
    / Windows XP / SP3: Security Update for Windows XP (KB899591)
    / Windows XP / SP3: Update for Windows XP (KB900485)
    / Windows XP / SP3: Security Update for Windows XP (KB900725)
    / Windows XP / SP3: Security Update for Windows XP (KB901017)
    / Windows XP / SP3: Security Update for Windows XP (KB901190)
    / Windows XP / SP3: Security Update for Windows XP (KB901214)
    / Windows XP / SP3: Security Update for Windows XP (KB902400)
    / Windows XP / SP3: Security Update for Windows XP (KB904706)
    / Windows XP / SP3: Security Update for Windows XP (KB905414)
    / Windows XP / SP3: Security Update for Windows XP (KB905749)
    / Windows XP / SP3: Security Update for Windows XP (KB905915)
    / Windows XP / SP3: Security Update for Windows XP (KB908519)
    / Windows XP / SP3: Security Update for Windows XP (KB908531)
    / Windows XP / SP3: Update for Windows XP (KB910437)
    / Windows XP / SP3: Security Update for Windows XP (KB911562)
    / Windows XP / SP3: Security Update for Windows XP (KB911567)
    / Windows XP / SP3: Security Update for Windows XP (KB911927)
    / Windows XP / SP3: Security Update for Windows XP (KB912812)
    / Windows XP / SP3: Security Update for Windows XP (KB912919)
    / Windows XP / SP3: Security Update for Windows XP (KB913446)


    --- Startup entries list ---
    Located: HK_LM:Run, AVG7_CC
    command: C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    file: C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    size: 416256
    MD5: 2200c98c049de1a7638ea0edba1c8882

    Located: HK_LM:Run, DataLayer
    command: C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    file: C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    size: 986624
    MD5: 9c31d663ad677563f206c9aa2f577217

    Located: HK_LM:Run, IMJPMIG8.1
    command: "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    file: C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE
    size: 208952
    MD5: 7bbe4cf421aecc7f0226edd75f12079f

    Located: HK_LM:Run, IMONTRAY
    command: C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
    file: C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
    size: 32768
    MD5: 3ddae3fe5de161f6a70ef94f98ebb7db

    Located: HK_LM:Run, InCD
    command: C:\Program Files\Ahead\InCD\InCD.exe
    file: C:\Program Files\Ahead\InCD\InCD.exe
    size: 1200178
    MD5: d80b1f959e2ce36a0d8bd171262e2fe5

    Located: HK_LM:Run, MSPY2002
    command: C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    file: C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
    size: 59392
    MD5: 1b17e09c1223f6d17336d2dd7a1af4f4

    Located: HK_LM:Run, NeroCheck
    command: C:\WINDOWS\system32\\NeroCheck.exe
    file: C:\WINDOWS\system32\\NeroCheck.exe
    size: 155648
    MD5: 3e4c03cefad8de135263236b61a49c90

    Located: HK_LM:Run, NvCplDaemon
    command: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    file: C:\WINDOWS\system32\RUNDLL32.EXE
    size: 33280
    MD5: da285490bbd8a1d0ce6623577d5ba1ff

    Located: HK_LM:Run, NvMediaCenter
    command: RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    file: C:\WINDOWS\system32\RUNDLL32.EXE
    size: 33280
    MD5: da285490bbd8a1d0ce6623577d5ba1ff

    Located: HK_LM:Run, nwiz
    command: nwiz.exe /install
    file: C:\WINDOWS\system32\nwiz.exe
    size: 782336
    MD5: ea7b37b0aca0d471629eb92270402322

    Located: HK_LM:Run, PCSuiteTrayApplication
    command: C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    file: C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    size: 148992
    MD5: a4919f47cf60fcfea71a372a506dde5e

    Located: HK_LM:Run, PHIME2002A
    command: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    file: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
    size: 455168
    MD5: 024dc0f68df5fd6ae9dd82dfbaf479d6

    Located: HK_LM:Run, PHIME2002ASync
    command: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    file: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
    size: 455168
    MD5: 024dc0f68df5fd6ae9dd82dfbaf479d6

    Located: HK_LM:Run, ServiceHost
    command: "C:\Program Files\Java\jre1.5.0_06\bin\svchost.exe" ""
    file: C:\Program Files\Java\jre1.5.0_06\bin\svchost.exe
    size: 147968
    MD5: 6fd938c263c1ab6e7272c88953dc8887

    Located: HK_LM:Run, SoundMAX
    command: "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
    file: C:\Program Files\Analog Devices\SoundMAX\smax4.exe
    size: 585728
    MD5: 5fa14654b827bc70dc14de586dc5d493

    Located: HK_LM:Run, SoundMAXPnP
    command: C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    file: C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    size: 790528
    MD5: 8a6ef2d20da01fc5934f63de43752c1b

    Located: HK_LM:Run, SunJavaUpdateSched
    command: C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    file: C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    size: 36975
    MD5: 61a3a9d5d98bf0331df5b716144a8100

    Located: HK_LM:Run, TkBellExe
    command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    size: 180269
    MD5: 006220ee86eb71c5884f415eaa9e8058

    Located: HK_LM:Run, WinampAgent
    command: C:\Documents and Settings\user\My Documents\Winamp\winampa.exe
    file:

    Located: HK_LM:RunOnce, SpybotDeletingA4407
    command: command /c del "C:\WINDOWS\system32\winopn32.dll_tobedeleted_old_tobedeleted_old"
    file:

    Located: HK_LM:RunOnce, SpybotDeletingA8858
    command: command /c del "C:\WINDOWS\system32\winopn32.dll_tobedeleted_old"
    file:

    Located: HK_LM:RunOnce, SpybotDeletingC4385
    command: cmd /c del "C:\WINDOWS\system32\winopn32.dll_tobedeleted_old_tobedeleted_old"
    file:

    Located: HK_LM:RunOnce, SpybotDeletingC4980
    command: cmd /c del "C:\WINDOWS\system32\winopn32.dll_tobedeleted_old"
    file:

    Located: HK_CU:Run, ctfmon.exe
    command: C:\WINDOWS\system32\ctfmon.exe
    file: C:\WINDOWS\system32\ctfmon.exe
    size: 15360
    MD5: 24232996a38c0b0cf151c2140ae29fc8

    Located: HK_CU:Run, WinPop
    command: C:\Program Files\WinPop\winpop.exe
    file: C:\Program Files\WinPop\winpop.exe
    size: 49152
    MD5: 279ee361f8efa463b3edc2d488bfb6c8

    Located: HK_CU:RunOnce, SpybotDeletingB4631
    command: command /c del "C:\WINDOWS\system32\winopn32.dll_tobedeleted_old_tobedeleted_old"
    file:

    Located: HK_CU:RunOnce, SpybotDeletingB841
    command: command /c del "C:\WINDOWS\system32\winopn32.dll_tobedeleted_old"
    file:

    Located: HK_CU:RunOnce, SpybotDeletingD5271
    command: cmd /c del "C:\WINDOWS\system32\winopn32.dll_tobedeleted_old"
    file:

    Located: HK_CU:RunOnce, SpybotDeletingD5797
    command: cmd /c del "C:\WINDOWS\system32\winopn32.dll_tobedeleted_old_tobedeleted_old"
    file:

    Located: Startup (common), Adobe Reader Speed Launch.lnk
    command: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    file: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    size: 29696
    MD5: 43362b96870ce8649f4f2ec893da93f0

    Located: Startup (common), Microsoft Office.lnk
    command: C:\Program Files\Microsoft Office\Office10\OSA.EXE
    file: C:\Program Files\Microsoft Office\Office10\OSA.EXE
    size: 83360
    MD5: 5bc65464354a9fd3beaa28e18839734a

    Located: WinLogon, crypt32chain
    command: crypt32.dll
    file: crypt32.dll

    Located: WinLogon, cryptnet
    command: cryptnet.dll
    file: cryptnet.dll

    Located: WinLogon, cscdll
    command: cscdll.dll
    file: cscdll.dll

    Located: WinLogon, ScCertProp
    command: wlnotify.dll
    file: wlnotify.dll

    Located: WinLogon, Schedule
    command: wlnotify.dll
    file: wlnotify.dll

    Located: WinLogon, sclgntfy
    command: sclgntfy.dll
    file: sclgntfy.dll

    Located: WinLogon, SensLogn
    command: WlNotify.dll
    file: WlNotify.dll

    Located: WinLogon, termsrv
    command: wlnotify.dll
    file: wlnotify.dll

    Located: WinLogon, WgaLogon
    command: WgaLogon.dll
    file: WgaLogon.dll

    Located: WinLogon, winopn32
    command: winopn32.dll
    file: winopn32.dll

    Located: WinLogon, wlballoon
    command: wlnotify.dll
    file: wlnotify.dll

    --- Browser helper object list ---
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
    BHO name:
    CLSID name: Adobe PDF Reader Link Helper
    description: Adobe Acrobat reader
    classification: Legitimate
    known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
    info link: http://www.adobe.com/products/acrobat/readstep2.html
    info source: TonyKlein
    Path: C:\Program Files\Adobe\Acrobat 7.0\ActiveX\
    Long name: AcroIEHelper.dll
    Short name: ACROIE~1.DLL
    Date (created): 12/14/2004 1:56:50 AM
    Date (last access): 7/3/2007 8:32:14 PM
    Date (last write): 1/12/2006 8:38:22 PM
    Filesize: 63128
    Attributes: archive
    MD5: F17B2B264072B921FC66A0BE16626BAB
    CRC32: 5184CFEA
    Version: 7.0.7.142

    {53707962-6F74-2D53-2644-206D7942484F} ()
    BHO name:
    CLSID name:
    description: Spybot-S&D IE Browser plugin
    classification: Legitimate
    known filename: SDhelper.dll
    info link: http://spybot.eon.net.au/
    info source: Patrick M. Kolla
    Path: C:\Program Files\Spybot - Search & Destroy\
    Long name: SDHelper.dll
    Short name:
    Date (created): 12/24/2005 4:25:26 PM
    Date (last access): 7/3/2007 8:32:14 PM
    Date (last write): 5/31/2005 1:04:00 AM
    Filesize: 853672
    Attributes: archive
    MD5: 250D787A5712D7768DDC133B3E477759
    CRC32: D4589A41
    Version: 1.4.0.0

    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    BHO name:
    CLSID name: SSVHelper Class
    Path: C:\Program Files\Java\jre1.5.0_06\bin\
    Long name: ssv.dll
    Short name:
    Date (created): 3/2/2006 1:53:00 PM
    Date (last access): 7/3/2007 12:04:52 PM
    Date (last write): 11/10/2005 1:22:12 PM
    Filesize: 184423
    Attributes: archive
    MD5: F01726F7CA8538FDD4663C9DB8FEAEDC
    CRC32: 0111B892
    Version: 5.0.60.5

    {86C510E9-97EF-4749-914F-0280247BE3A6} (CVirtualDNSObj Object)
    BHO name:
    CLSID name: CVirtualDNSObj Object
    Path: C:\WINDOWS\
    Long name: VirtualDNS.dll

  10. #10
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Default

    Hello icebluerose,

    please refrain from posting your log files in the forums; as you can see, that makes the posts less readable. For further log files, save them to text files and attach them to your post.

    Your computer appears to be infected with Virtumonde and Virtumonde.Winpop.
    This file
    C:\WINDOWS\system32\winopn32.dll
    is being loaded by winlogon.exe and currently cannot be removed while Windows is running. You will need to start your computer using a different operating system which can write to your NTFS partition.
    For example, you can use NTFS4Dos by Avira; you can find a download here:
    http://www.free-av.com/
    You will need to be able to use a command console to browse your directories and delete the file named above.
    NTFS4Dos is owned by Avira and is free for personal use only.



    The latest detection update should detect the Virtumonde.Winpop component and delete it.
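The two checks the helper applies by hand in this thread, picking BHO entries out of the log that carry no display name and no known-legitimate classification (post #7) and recognising a Winlogon Notify DLL that winlogon.exe loads and keeps locked while Windows runs (post #10), can be automated against the Spybot 1.4 log format shown above. The script below is an added example, not code from Spybot or from anyone in this thread; its baseline of stock Windows XP SP2 Notify packages is an assumption to be adjusted per image, and the sample log embedded in it is constructed from the format of the posted logs.

```python
"""Triage a Spybot S&D 1.4 log: flag Winlogon Notify DLLs outside the stock set,
Run entries whose target file is gone, and BHOs the scanner did not classify as
legitimate. Added example, not Spybot code; the sample log is constructed."""
import re

# Notify packages of a stock Windows XP SP2 install plus WGA (assumed baseline).
DEFAULT_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

SAMPLE_LOG = r"""
--- Startup entries list ---
Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe

Located: HK_LM:Run, WinampAgent
command: C:\Documents and Settings\user\My Documents\Winamp\winampa.exe
file:

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: WinLogon, winopn32
command: winopn32.dll
file: winopn32.dll

--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
CLSID name: Adobe PDF Reader Link Helper
classification: Legitimate
Path: C:\Program Files\Adobe\Acrobat 7.0\ActiveX\
Long name: AcroIEHelper.dll

{86C510E9-97EF-4749-914F-0280247BE3A6} (CVirtualDNSObj Object)
CLSID name: CVirtualDNSObj Object
Path: C:\WINDOWS\
Long name: VirtualDNS.dll

{5DAB07FD-760C-453F-A9F1-44E5CFB63905} ()
CLSID name:
Path: C:\WINDOWS\system32\
Long name: sstqq.dll
"""

SECTION_RE = re.compile(r"^--- (.+?) ---$")
CLSID_RE = re.compile(r"^(\{[0-9A-Fa-f-]{36}\}) \((.*)\)$")


def parse_log(log):
    """Return {section title: [record dict, ...]} for a Spybot 1.4 log."""
    sections, title, rec = {}, None, {}

    def flush():
        if rec:
            sections.setdefault(title, []).append(dict(rec))
            rec.clear()

    for line in (raw.strip() for raw in log.splitlines()):
        if m := SECTION_RE.match(line):
            flush()
            title = m.group(1)
        elif not line:
            flush()
        elif m := CLSID_RE.match(line):             # a BHO record starts here
            flush()
            rec.update(clsid=m.group(1), display=m.group(2))
        elif line.startswith("Located:"):           # a startup record starts here
            flush()
            where, _, name = line[8:].strip().partition(", ")
            rec.update(where=where, name=name)
        else:                                       # "key: value" detail line
            key, _, value = line.partition(":")
            rec[key.strip().lower()] = value.strip()
    flush()
    return sections


def triage(log):
    """Return (category, identifier, reason) findings worth a closer look."""
    sections, findings = parse_log(log), []
    for rec in sections.get("Startup entries list", []):
        where, name = rec.get("where", ""), rec.get("name", "")
        if where == "WinLogon" and name.lower() not in DEFAULT_WINLOGON_NOTIFY:
            findings.append(("winlogon-notify", name, "not a stock Notify package; "
                             "loaded by winlogon.exe, so the DLL is locked while Windows runs"))
        elif where.endswith(":Run") and not rec.get("file"):
            # RunOnce delete-on-reboot entries legitimately have no file; they are skipped.
            findings.append(("dangling-autorun", name, "Run entry whose target file is gone"))
    for rec in sections.get("Browser helper object list", []):
        if rec.get("classification", "").lower() == "legitimate":
            continue
        reason = "BHO not classified as legitimate by the scanner"
        if not rec.get("clsid name"):
            reason += "; no CLSID display name, DLL in " + rec.get("path", "?")
        findings.append(("bho", rec.get("long name") or rec["clsid"], reason))
    return findings


if __name__ == "__main__":
    for category, ident, reason in triage(SAMPLE_LOG):
        print(f"[{category}] {ident}: {reason}")
```

On the constructed sample the script reports the non-stock `winopn32` Notify entry, the `WinampAgent` Run key whose target no longer exists, and the two BHOs without a legitimate classification, while the Adobe helper and the stock `crypt32chain` package pass. Findings are leads for a human to verify against the file on disk, not verdicts: an unknown BHO may simply be absent from the scanner's database, which is why the reason text records what was missing.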
