HJT Log File (I have the Smitfraud-C.Core Service Trojan...)

J

JeffsDeuce

New member
I have the Smitfraud-C.Core Service Trojan. Please help me get this thing off my computer. I have the log file from Kaspersky Scan, but can't paste entire file. What do I need to do? I have attached the beginning and end of the file only because the events part of the file is way too large too fit.
JeffsDeuce

100% - Scan My Computer
-----------------------
Scanned: 549744
Detected: 45
Untreated: 45
Start time: 1/23/2008 10:32:14 AM
Duration: 07:19:07
Finish time: 1/23/2008 3:06:38 PM
Signatures published: 1/23/2008 5:56:11 AM


Detected
--------
Status Object
------ ------
detected:TrojanprogramTrojan.Win32.BHO.abFile:C:\ProgramFiles\Messenger\lavuha697.dll
detected:TrojanprogramTrojan.Win32.BHO.abFile:C:\ProgramFiles\Messenger\lavuha632.dll
detected:TrojanprogramTrojan.Win32.BHO.abFile:C:\ProgramFiles\Messenger\lavuha.dll
detected:TrojanprogramTrojan.Win32.BHO.abFile:C:\DocumentsandSettings\Dad\LocalSettings\TemporaryInternetFiles\Content.IE5\59QDD4VP\tk58[1].exe
detected:TrojanprogramTrojan.Win32.Agent.cmnFile:C:\DocumentsandSettings\Dad\LocalSettings\Temp\TMP2F2.tmp
detected:TrojanprogramTrojan-Dropper.Win32.VB.luFile:C:\DocumentsandSettings\Dad\MyDocuments\MyMusic\_\xzxzxzxzxzxz.exe
detected:TrojanprogramTrojan-Dropper.Win32.Agent.dgoRunningmodule:ctfmon.exe\ctfmon.exe
detected:TrojanprogramTrojan-Dropper.Win32.Agent.dgoRunningmodule:avp.exe\avp.exe
detected:TrojanprogramTrojan-Dropper.Win32.Agent.dgoFile:c:\windows\system32\geede.exe
detected:TrojanprogramTrojan-Dropper.Win32.Agent.dgoFile:C:\ProgramFiles\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
detected:TrojanprogramTrojan-Dropper.Win32.Agent.dgoFile:C:\ProgramFiles\QuickTime\QTTask.exe
detected:TrojanprogramTrojan-Dropper.Win32.Agent.dgoFile:C:\ProgramFiles\MusicMatch\MusicMatchJukebox\mm_tray.exe
detected:TrojanprogramTrojan-Dropper.Win32.Agent.dgoFile:C:\ProgramFiles\MusicMatch\MusicMatchJukebox\mimboot.exe
detected:TrojanprogramTrojan-Dropper.Win32.Agent.dgoFile:C:\ProgramFiles\MicrosoftWorks\WksSb.exe
detected:TrojanprogramTrojan-Dropper.Win32.Agent.dgoFile:C:\ProgramFiles\MicrosoftWorks\wkfud.exe
detected:TrojanprogramTrojan-Dropper.Win32.Agent.dgoFile:C:\ProgramFiles\KasperskyLab\KasperskyAnti-Virus6.0SOS\avp.exe
detected:TrojanprogramTrojan-Dropper.Win32.Agent.dgoFile:C:\ProgramFiles\Java\jre1.6.0_01\bin\jusched.exe
detected:TrojanprogramTrojan-Dropper.Win32.Agent.dgoFile:C:\ProgramFiles\iTunes\iTunesHelper.exe
detected:TrojanprogramTrojan-Dropper.Win32.Agent.dgoFile:C:\ProgramFiles\Dot1XCfg\Dot1XCfg\virus.exe
detected:TrojanprogramTrojan-Dropper.Win32.Agent.dgoFile:C:\ProgramFiles\CommonFiles\MicrosoftShared\WorksShared\WkUFind.exe
detected:TrojanprogramTrojan-Dropper.Win32.Agent.dgoFile:C:\ProgramFiles\Adobe\Reader8.0\Reader\Reader_sl.exe
detected:TrojanprogramTrojan-Dropper.Win32.Agent.dgoFile:C:\DocumentsandSettings\Dad\LocalSettings\Temp\RCX15.tmp
detected:TrojanprogramTrojan-Downloader.WMA.Wimad.lFile:C:\DocumentsandSettings\Lance\Incomplete\T-3200824-07Track7.wma
detected:TrojanprogramTrojan-Downloader.Win32.Agent.hqlFile:C:\DocumentsandSettings\Dad\LocalSettings\Temp\TMP2F5.tmp//PE_Patch.Upolyx//PE_Patch.UPX//UPX
detected:TrojanprogramTrojan-Downloader.Win32.Adload.prFile:C:\ProgramFiles\Dot1XCfg\Dot1XCfg\nothing.exe
detected:TrojanprogramTrojan-Downloader.Win32.Adload.prFile:C:\DocumentsandSettings\Dad\LocalSettings\Temp\TMP2C2.tmp
detected:TrojanprogramTrojan-Clicker.Win32.Small.jfFile:C:\DocumentsandSettings\Dad\LocalSettings\TemporaryInternetFiles\Content.IE5\N6SE1VPA\83122[1].exe//data0004
detected:TrojanprogramTrojan-Clicker.HTML.IFrame.dnFile:C:\ProgramFiles\Messenger\profsyvy.html
detected:TrojanprogramTrojan-Clicker.HTML.IFrame.dnFile:C:\DocumentsandSettings\Dad\LocalSettings\TemporaryInternetFiles\Content.IE5\N6SE1VPA\83122[1].exe//data0005
detected:adwarenot-a-virus:AdWare.Win32.TTC.aFile:c:\programfiles\windowsupdate\hoke4444.dll
detected:adwarenot-a-virus:AdWare.Win32.TTC.aFile:C:\DocumentsandSettings\Dad\LocalSettings\TemporaryInternetFiles\Content.IE5\7NCXFB9X\TTC-4444[1].exe//data0002
detected:TrojanprogramTrojan-Dropper.Win32.Agent.dgoFile:C:\WINDOWS\GWMDMpi.exe
detected:TrojanprogramTrojan.Win32.BHO.abFile:C:\WINDOWS\tk58.exe
detected:adwarenot-a-virus:AdWare.Win32.TTC.aFile:C:\WINDOWS\TTC-4444.exe//data0002
detected:TrojanprogramTrojan-Dropper.Win32.Agent.dgoFile:C:\WINDOWS\UpdReg.EXE
detected:TrojanprogramTrojan.Win32.Agent.cmnFile:C:\WINDOWS\Fonts\a.zip/Crack.exe
detected:TrojanprogramTrojan.Win32.Agent.cmnFile:C:\WINDOWS\Fonts\Crack.exe
detected:TrojanprogramTrojan-Dropper.Win32.Agent.dgoFile:C:\WINDOWS\Fonts\svchost.exe
detected:TrojanprogramTrojan.Win32.Agent.cmnFile:C:\WINDOWS\Fonts\'\00jj99uuii66ddxxqqq.zip/Crack.exe
detected:TrojanprogramTrojan-Dropper.Win32.Agent.dgoFile:C:\WINDOWS\system32\awvvu.exe
detected:TrojanprogramTrojan-Dropper.Win32.Agent.dgoFile:C:\WINDOWS\system32\ctfmon.exe.tmp
detected:TrojanprogramTrojan-Downloader.Win32.Small.hsgFile:C:\WINDOWS\system32\dob3\krovsidll2.exe//PE_Patch.Upolyx//PE_Patch.UPX//UPXdetected:TrojanprogramTrojan-Downloader.Win32.VB.cguFile:C:\WINDOWS\system32\nGpxx18\nGpxx182328.exe
detected:TrojanprogramTrojan-Downloader.Win32.Small.buyFile:C:\WINDOWS\system32\nui4\softidndll3.exe//UPXdetected:adwarenot-a-virus:AdWare.Win32.TTC.aFile:C:\WINDOWS\system32\winzs6\renamd83122.exe//data0002

Statistics
----------
Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------
All objects 549744 45 45 0 0 3482 1200 38 50
System memory 1338 3 3 0 0 0 0 0 0
Startup objects 446 1 1 0 0 0 0 0 0
System Backup storage 0 0 0 0 0 0 0 0 0
Mailboxes 170 0 0 0 0 38 0 0 0
All hard drives 547790 41 41 0 0 3444 1200 38 50
All removable drives 0 0 0 0 0 0 0 0 0
All network drives 0 0 0 0 0 0 0 0 0


Settings
--------
Parameter Value
--------- -----
Security Level Recommended
Action Prompt for action when the scan is complete
Run mode Manually
File types Scan all files
Scan only new and changed files No
Scan archives All
Scan embedded OLE objects All
Skip if object is larger than No
Skip if scan takes longer than No
Parse email formats No
Scan password-protected archives No
Enable iChecker technology Yes
Enable iSwift technology Yes
Record information about dangerous objects to program statistics Yes
 
Here is my HJT log file. Couldn't get the entire Kaspersky file on last thread.
Thanks for your help.
JeffsDeuce

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:34:01 PM, on 1/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/ymj/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll (file missing)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVP - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\profsyvy.html

--
End of file - 5960 bytes

Tashi,
Hi. I'm new to spybot. I have the Trojans Virtumande and Smitfraud-C.Core Service. I was reading your instructions to saibot from his posting and was wondering if I need to follow the same procedures? Please help me.
JeffsDeuce


Edit:
Malware has become complex, people who use tools willy nilly may make their machine unstable.
Going it alone and following advice and fixes specifically given to another member is risky, your symptoms may only appear to be similar.
Please note that all instructions given are customized for that member's computer only, the tools used may cause damage if used on a computer with different infections.
Click to expand...
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)

 The Waiting Room: Post here if waiting for help longer than four days
 
Last edited by a moderator:
New HJT andComboFix logs

Sorry it took so long to reply, but I've been out of town.
Couldn't do anything when i Got home so I had to reformat hard drive. Don't know if it helped or not. Here is the new HJT and Combofix logs you wanted. Thanks for your help.

HJT Log-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:15 PM, on 2/3/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\GWMDMMSG.exe
C:\WINDOWS\System32\PROMon.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\JeffsDeuce\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 5506 bytes

ComboFix Log-

ComboFix 08-02.03.1 - Dad 2008-02-03 13:08:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.0.1252.1.1033.18.214 [GMT -6:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\_000103_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-03 12:20 . 2008-02-03 13:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-03 12:12 . 2008-02-03 12:12 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-03 12:12 . 2008-02-03 13:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-03 11:15 . 2008-02-03 11:15 1,158 --a------ C:\WINDOWS\mozver.dat
2008-02-03 10:42 . 2008-02-03 10:42 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-02-03 09:47 . 2008-02-03 09:47 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-03 09:14 . 2008-02-03 09:14 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\Talkback
2008-02-03 09:11 . 2008-02-03 09:11 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-03 08:59 . 2008-02-03 08:59 <DIR> d-------- C:\Program Files\SymNetDrv
2008-02-03 08:58 . 2005-01-21 21:30 124,168 --a------ C:\WINDOWS\system32\SymStore.dll
2008-02-03 08:45 . 2008-02-03 09:00 19,708 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000002-00000000-00000002-00001102-00000004-00581102}.rfx
2008-02-03 08:45 . 2008-02-03 09:00 19,708 --a------ C:\WINDOWS\system32\BMXState-{00000002-00000000-00000002-00001102-00000004-00581102}.rfx
2008-02-03 08:45 . 2008-02-03 09:00 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-02-03 08:45 . 2008-02-03 09:00 1,080 --a------ C:\WINDOWS\system32\settings.sfm
2008-02-03 08:45 . 2008-02-03 09:00 24 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-00581102}.dat
2008-02-03 08:45 . 2008-02-03 09:00 24 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-00581102}.dat
2008-02-03 08:39 . 2008-02-03 08:40 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\MSN6
2008-02-03 08:39 . 2008-02-03 08:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-02-03 08:31 . 2008-02-03 08:31 4,072,118 --a------ C:\WINDOWS\{00000002-00000000-00000002-00001102-00000004-00581102}.CDF
2008-02-03 08:31 . 2008-02-03 08:31 4,072,118 --a------ C:\WINDOWS\{00000002-00000000-00000002-00001102-00000004-00581102}.BAK
2008-02-03 08:29 . 2008-02-03 09:00 27,504 --a------ C:\WINDOWS\system32\BMXCtrlState-{00000002-00000000-00000002-00001102-00000004-00581102}.rfx
2008-02-03 08:29 . 2008-02-03 09:00 27,504 --a------ C:\WINDOWS\system32\BMXBkpCtrlState-{00000002-00000000-00000002-00001102-00000004-00581102}.rfx
2008-02-03 08:24 . 2008-02-03 08:25 <DIR> d-------- C:\Program Files\Microsoft Encarta
2008-02-03 08:20 . 2008-02-03 08:21 <DIR> d-------- C:\Program Files\Microsoft Streets & Trips
2008-02-03 08:12 . 2008-02-03 08:12 376 --a------ C:\WINDOWS\ODBC.INI
2008-02-03 08:11 . 2008-02-03 08:11 <DIR> d-------- C:\WINDOWS\ShellNew
2008-02-03 08:11 . 2008-02-03 08:11 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-02-03 08:10 . 2008-02-03 08:10 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-02-03 08:04 . 2008-02-03 08:04 <DIR> d-------- C:\Program Files\Microsoft Works Suite 2002
2008-02-03 08:04 . 2008-02-03 08:18 <DIR> d-------- C:\Program Files\Microsoft Works
2008-02-03 08:02 . 2008-02-03 08:02 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\ScanSoft
2008-02-03 08:02 . 2008-02-03 08:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SSScanWizard
2008-02-03 08:02 . 2008-02-03 08:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
2008-02-03 08:02 . 2008-02-03 08:02 532 --a------ C:\WINDOWS\MAXLINK.INI
2008-02-03 08:01 . 2008-02-03 08:01 <DIR> d-------- C:\Program Files\ScanSoft
2008-02-03 08:01 . 2008-02-03 08:02 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-02-03 08:01 . 2008-02-03 08:01 <DIR> d-------- C:\Program Files\ArcSoft
2008-02-03 08:01 . 1995-08-01 04:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-02-03 08:00 . 2003-09-18 14:32 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-02-03 08:00 . 2003-09-18 14:32 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-02-03 08:00 . 2003-09-18 14:32 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 17:57 --------- d-----w C:\Documents and Settings\Dad\Application Data\Symantec
2008-02-03 14:59 --------- d-----w C:\Program Files\Symantec
2008-02-03 14:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-03 14:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-03 14:00 --------- d-----w C:\Program Files\Canon
2008-02-03 13:59 --------- d--h--w C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-02-03 13:57 --------- d-----w C:\Program Files\InterVideo
2008-02-03 13:55 --------- d-----w C:\Program Files\Creative
2008-02-03 13:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
2008-02-03 13:50 --------- d-----w C:\Program Files\intel
2008-02-03 13:50 --------- d-----w C:\Program Files\Gateway
2008-02-03 13:47 27,924 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2008-02-03 13:46 --------- d-----w C:\Program Files\MusicMatch
2008-02-03 13:45 57,136 ----a-w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-02-03 13:45 45,056 ----a-w C:\WINDOWS\system32\cdrtc.dll
2008-02-03 13:45 45,056 ----a-w C:\WINDOWS\system32\cdral.dll
2008-02-03 13:45 40,960 ----a-w C:\WINDOWS\uneng.exe
2008-02-03 13:45 24,918 ----a-w C:\WINDOWS\system32\drivers\Mmc_2k.sys
2008-02-03 13:45 24,502 ----a-w C:\WINDOWS\system32\drivers\Dvd_2k.sys
2008-02-03 13:45 233,984 ----a-w C:\WINDOWS\system32\drivers\cdudf_xp.sys
2008-02-03 13:45 23,721 ----a-w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-02-03 13:45 110,278 ----a-w C:\WINDOWS\system32\drivers\pwd_2K.sys
2008-02-03 13:45 --------- d-----w C:\Program Files\Common Files\Adaptec Shared
2008-02-03 13:45 --------- d-----w C:\Program Files\Adaptec
2008-02-03 13:42 --------- d-----w C:\Program Files\PC-Doctor for Windows
2008-02-03 13:41 --------- d-----w C:\Program Files\Norton AntiVirus
2008-02-03 13:41 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-03 13:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-03 13:39 126,976 ----a-w C:\WINDOWS\system32\unzdll.dll
2008-02-03 13:30 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-30 04:30 13312]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2002-02-27 11:27 75384]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2008-02-03 07:45 675840]
"MMTray"="C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe" [2001-09-12 19:55 86016]
"NvCplDaemon"="NvQTwk" []
"GWMDMMSG"="GWMDMMSG.exe" [2002-05-06 18:12 65536 C:\WINDOWS\GWMDMMSG.exe]
"PROMon.exe"="PROMon.exe" [2002-04-18 18:32 73728 C:\WINDOWS\system32\PROMon.exe]
"WINDVDPatch"="CTHELPER.EXE" [2002-02-07 18:01 40960 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 01:00 28672]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 11:00 49152]
"OPSE reminder"="C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" [2003-07-07 09:29 729088]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2001-10-04 19:34 24576]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2001-08-22 16:52 331830]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-15 23:41 28738]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-02-03 08:59 95960]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-06 18:06:54 24633]

R2 NMSSvc;Intel(R) NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-05-03 12:36]
R3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\System32\drivers\NMSCFG.SYS [2002-05-03 12:36]
S3 iscFlash;iscFlash;C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys []

*Newly Created Service* - APPMGMT
.
Contents of the 'Scheduled Tasks' folder
"2008-02-03 14:57:39 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-02-03 18:00:20 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 13:10:28
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-03 13:11:22
ComboFix-quarantined-files.txt 2008-02-03 19:11:06
 
Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines(if still present)

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Then close all windows except HijackThis and click Fix Checked

Go here to run an online scannner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log 7 a description of any remaining problems.
 
Computer locked up again.

Random/random,
I tried the instructions you left for me and my computer locked up when I tried to install the scanner you wanted me to use. Had to reformat hard drive again just to be able to get to this point. When I reformat the system is not asking me for the product key like it should. Is this because of the Trojans backup files? I keep getting these pop ups saying I have 55 critical errors in the system registry files. It tells me to go to helpfixpc.com and registrycleanupxp.com. Are these malware sites? Will run a new HJT log file and scan with spybot again to see if there is anything found and will post new log files as a reply. Thank you again very much for your assistance. Oh yeah, the things you wanted me to check and fix were not in the scan.
Jeffsdeuce
 
I don't know why the ESET scan froze. However, your PC should have been OK after a restart -it should not have required a reformat.

Please tell me what you mean in more detail by reformat. if you actually reformatted the drive it would have removed all the files on the drive.
 
You must log in or register to reply here.
Back
Top