Page 1 of 3 123 LastLast
Results 1 to 10 of 21

Thread: downloader.obfuskated [Smitfraud]

  1. #1
    Junior Member
    Join Date
    Sep 2006
    Posts
    22

    Default downloader.obfuskated [Smitfraud]

    Hi there guys, got a real problem with this one. Have tried everything but it keeps coming back. It first disabled the TaskManager and is now resisting all attempts to remove. I followed the instructions contained in your sticky http://forums.spybot.info/showthread.php?t=4015, and I attach the three log files below.

    Many thanks in advance for your help,
    Keith

    Logfile of HijackThis v1.98.2
    Scan saved at 05:05:10, on 14/09/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Apps\Powercinema\PCMService.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\BTBROA~1\Help\SMARTB~1\BTHelpNotifier.exe
    C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Uninstall.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\inet20006\services.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\z11.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\HJT\HijackThis.exe

    F3 - REG:win.ini: run=C:\WINDOWS\inet20006\services.exe
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\Help\SMARTB~1\BTHelpNotifier.exe
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20006\services.exe
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20006\services.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Uninstall.exe
    O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab

  2. #2
    Junior Member
    Join Date
    Sep 2006
    Posts
    22

    Default

    Here is the Smitfraudfix log..

    SmitFraudFix v2.87

    Scan done at 0:00:19.92, 14/09/2006
    Run from C:\Temp2\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    Killing process


    Generic Renos Fix

    GenericRenosFix by S!Ri


    Deleting infected files

    C:\WINDOWS\system32\cmd32.exe Deleted
    C:\WINDOWS\system32\z11.exe Deleted
    C:\WINDOWS\system32\z12.exe Deleted
    C:\WINDOWS\system32\z13.exe Deleted
    C:\WINDOWS\system32\z14.exe Deleted
    C:\WINDOWS\system32\z15.exe Deleted
    C:\WINDOWS\system32\z16.exe Deleted

    Deleting Temp Files


    Registry Cleaning

    Registry Cleaning done.

    After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    End

  3. #3
    Junior Member
    Join Date
    Sep 2006
    Posts
    22

    Default

    Finally the ewido log...




    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 04:50:29 14/09/2006

    + Scan result:



    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP10\A0002213.dll -> Adware.SearchAssistant : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP10\A0002215.dll -> Adware.SearchAssistant : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP10\A0002245.exe -> Adware.Spysheriff : Cleaned with backup (quarantined).
    C:\Documents and Settings\KT\Local Settings\Temp\901S5176A36\752.tmp -> Not-A-Virus.Hoax.Win32.Renos.et : Ignored.
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP10\A0002231.exe -> Not-A-Virus.Hoax.Win32.Renos.et : Ignored.
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP10\A0002237.exe -> Not-A-Virus.Hoax.Win32.Renos.et : Ignored.
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP10\A0002240.exe -> Proxy.Small.bt : Cleaned with backup (quarantined).
    C:\WINDOWS\inet20006\socks.exe -> Proxy.Small.bt : Cleaned with backup (quarantined).
    C:\Documents and Settings\KT\Local Settings\Temp\901S5176A36\1724.tmp -> Trojan.Agent.ws : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP10\A0002238.exe -> Trojan.Agent.ws : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP10\A0002239.exe -> Trojan.Agent.ws : Cleaned with backup (quarantined).
    C:\WINDOWS\inet20006\Icq.exe -> Trojan.Agent.ws : Cleaned with backup (quarantined).


    ::Report end

  4. #4
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,252

    Default

    Welcome to the forum, It seems you found information Pinned (sticky) to the top, but you seem to have missed this very important information under the title:
    BEFORE you POST and Who will advise you. Preliminary Steps!
    http://forums.spybot.info/showthread.php?t=425
    4) HiJackThis log
    Downloads:
    Please make sure you have the latest version. HJT 1.99.1
    http://www.downloads.subratam.org/hijackthis.zip
    If you are unfamiliar with zip programs get HijackThis.exe here:
    http://www.merijn.org/files/HijackThis.exe
    If you would like my help, this is what I want you to do, and you do still have some nasty stuff on your computer.

    1) Leave HJT where it is located and download the newest version from here:
    http://www.merijn.org/files/HijackThis.exe Save that file in the same folder where HJT is now and it will replace the old version. Post a new HJT log with the new version after you have reviewed the information in the link I just provided.

    2) It appears from a look at the SmitfraudFix report that you did also have Smitfraud. The creator has just released a new version. Delete any SmitfraudFix you have on your computer and follow these directions to be sure none of the infection is left:
    Please download SmitfraudFix (by S!Ri)
    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm

    3) Post the results of SmitfraudFix scan along with a new HJT log using version 1.99.1 and I will respond with instructions as soon as possible after that.

    Thanks

  5. #5
    Junior Member
    Join Date
    Sep 2006
    Posts
    22

    Default

    Many thanks for the quick response. I have to admit I barged straight into trying to get rid of the virus before properly checking all of your advice. Sorry about that.

    Updated Hijack file and smitfraudfix logs follow..

    Logfile of HijackThis v1.99.1
    Scan saved at 20:34:46, on 15/09/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\inet20006\services.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Apps\Powercinema\PCMService.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\BTBROA~1\Help\SMARTB~1\BTHelpNotifier.exe
    C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\cmd32.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\winstall.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Uninstall.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Yahoo!\browser\ybrowser.exe
    C:\HJT\HijackThis.exe

    F3 - REG:win.ini: run=C:\WINDOWS\inet20006\services.exe
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\Help\SMARTB~1\BTHelpNotifier.exe
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20006\services.exe
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20006\services.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Uninstall.exe
    O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O20 - Winlogon Notify: xkeyshll - C:\WINDOWS\SYSTEM32\xkeyshll.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

  6. #6
    Junior Member
    Join Date
    Sep 2006
    Posts
    22

    Default

    And the SmitfraudFix log..

    SmitFraudFix v2.88

    Scan done at 20:38:33.21, 15/09/2006
    Run from C:\Documents and Settings\KT\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    C:\

    C:\winstall.exe FOUND !

    C:\WINDOWS


    C:\WINDOWS\system


    C:\WINDOWS\Web


    C:\WINDOWS\system32

    C:\WINDOWS\system32\cmd32.exe FOUND !
    C:\WINDOWS\system32\z11.exe FOUND !
    C:\WINDOWS\system32\z12.exe FOUND !
    C:\WINDOWS\system32\z13.exe FOUND !
    C:\WINDOWS\system32\z14.exe FOUND !
    C:\WINDOWS\system32\z15.exe FOUND !
    C:\WINDOWS\system32\z16.exe FOUND !

    C:\Documents and Settings\KT\Application Data

    C:\Documents and Settings\KT\Application Data\Install.dat FOUND !

    Start Menu


    C:\DOCUME~1\KT\FAVORI~1


    Desktop


    C:\Program Files


    Corrupted keys


    Desktop Components



    Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""

    Scanning wininet.dll infection


    End









    Many thanks in advance for the help,

    Keith

  7. #7
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,252

    Default

    Thanks Keith, a lot of nasty stuff in the new log you posted and I don't think it is all Smitfraud. Let's follow these instructions the rest of the way. You already have the newest version of SmitfraudFix so you can use it and don't have to download it again. No reason also to run the "Search" start with the "Clean" .

    http://forums.spybot.info/showthread.php?t=4015 When you finish the instructions, post the three logs in this same topic using the "Post Reply" button.

    Spybot-S&D: Be sure to follow the directions to save the scan report but do not post it here unless requested by a helper.

    Thanks...pskelley
    Safer Networking Forums

    If you would like to let your thoughts be known about the lowlifes who put that junk on your computer, you can do that here:
    If you have been infected by one of the SpyAxe family
    http://forums.tomcoyote.org/index.php?showtopic=58063
    http://www.malwarecomplaints.info/

  8. #8
    Junior Member
    Join Date
    Sep 2006
    Posts
    22

    Default

    Right, that's great thanks. All done now so here are the three logs. I still get 2 DOS window pop-ups containing netsh.exe on startup, which close after a minute or so.

    First the Hijackthis log

    Logfile of HijackThis v1.99.1
    Scan saved at 06:43:17, on 16/09/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Apps\Powercinema\PCMService.exe
    C:\WINDOWS\system32\slserv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\BTBROA~1\Help\SMARTB~1\BTHelpNotifier.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Uninstall.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\Help\SMARTB~1\BTHelpNotifier.exe
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Uninstall.exe
    O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O20 - Winlogon Notify: xkeyshll - C:\WINDOWS\SYSTEM32\xkeyshll.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

  9. #9
    Junior Member
    Join Date
    Sep 2006
    Posts
    22

    Default

    Now the ewido log..

    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 06:26:23 16/09/2006

    + Scan result:



    C:\Documents and Settings\KT\ffdgdsf -> Downloader.CWS : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP10\A0002230.exe -> Downloader.CWS : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP10\A0002318.exe -> Downloader.CWS : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP10\A0002320.exe -> Downloader.CWS : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP11\A0002386.exe -> Downloader.CWS : Cleaned with backup (quarantined).
    C:\WINDOWS\inet20006\services.exe -> Downloader.CWS : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\z10.exe -> Downloader.CWS : Cleaned with backup (quarantined).
    C:\Documents and Settings\KT\zxczxc -> Downloader.Small.dkt : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP12\A0002433.exe -> Downloader.Small.dkt : Cleaned with backup (quarantined).
    C:\Documents and Settings\KT\Local Settings\Temp\901S5176A36\1296.tmp -> Not-A-Virus.Hoax.Win32.Renos.et : Ignored.
    C:\Documents and Settings\KT\Local Settings\Temp\901S5176A36\752.tmp -> Not-A-Virus.Hoax.Win32.Renos.et : Ignored.
    C:\Documents and Settings\KT\fdsf -> Not-A-Virus.Hoax.Win32.Renos.et : Ignored.
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP10\A0002231.exe -> Not-A-Virus.Hoax.Win32.Renos.et : Ignored.
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP10\A0002237.exe -> Not-A-Virus.Hoax.Win32.Renos.et : Ignored.
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP10\A0002348.exe -> Not-A-Virus.Hoax.Win32.Renos.et : Ignored.
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP10\A0002359.exe -> Not-A-Virus.Hoax.Win32.Renos.et : Ignored.
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP11\A0002388.exe -> Not-A-Virus.Hoax.Win32.Renos.et : Ignored.
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP12\A0002429.exe -> Not-A-Virus.Hoax.Win32.Renos.et : Ignored.
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP12\A0002431.exe -> Not-A-Virus.Hoax.Win32.Renos.et : Ignored.
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP10\A0002312.exe -> Proxy.Small.bt : Cleaned with backup (quarantined).
    C:\Documents and Settings\KT\Cookies\kt@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
    C:\Documents and Settings\KT\Cookies\kt@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
    C:\Documents and Settings\KT\Cookies\kt@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
    C:\Documents and Settings\KT\Cookies\kt@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
    C:\Documents and Settings\KT\Cookies\kt@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP10\A0002311.exe -> Trojan.Agent.ws : Cleaned with backup (quarantined).


    ::Report end

  10. #10
    Junior Member
    Join Date
    Sep 2006
    Posts
    22

    Default

    Lastly the SmitFraudFix log...

    SmitFraudFix v2.88

    Scan done at 23:07:43.82, 15/09/2006
    Run from C:\Documents and Settings\KT\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in safe mode

    Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    Killing process


    Generic Renos Fix

    GenericRenosFix by S!Ri


    Deleting infected files

    C:\winstall.exe Deleted
    C:\WINDOWS\system32\cmd32.exe Deleted
    C:\WINDOWS\system32\z11.exe Deleted
    C:\WINDOWS\system32\z12.exe Deleted
    C:\WINDOWS\system32\z13.exe Deleted
    C:\WINDOWS\system32\z14.exe Deleted
    C:\WINDOWS\system32\z15.exe Deleted
    C:\WINDOWS\system32\z16.exe Deleted
    C:\Documents and Settings\KT\Application Data\Install.dat Deleted

    Deleting Temp Files


    Registry Cleaning

    Registry Cleaning done.

    After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    End




    Thanks again for the help - greatly appreciated.

    Keith

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •