Computer Official Messed, Followed your Advice and Tips (HJT)

Post #1 - Aug 6 2007, 06:48 AM - crystal_sword (New Member, Posts: 9, OS: XP)

```text
Logfile of HijackThis v1.99.1
Scan saved at 13:47:00, on 06/08/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [only23] C:\WINDOWS\SCVHOST.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [tvctray] c:\windows\system32\tvctray.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Indexing Helps (Indexingbox) - Unknown owner - %WINDIR%\system\svchest.exe (file missing)
O23 - Service: Indexing Helper (Indexingboxs) - Unknown owner - c:\temp\svchost.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe (file missing)
```

I am also sure I have seen the infamous "SmitFraud" lurking about somewhere on the comp; tried tracing and deleting, but again, well... you know. Thank you in advance.
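An added triage helper, not from this thread or from HijackThis itself, that parses O4 and O23 lines like those in the log above and flags the patterns the helper in this thread acts on: a file name that imitates svchost.exe, a system-binary name outside system32, and a service entry with an unknown owner pointing at a missing file. The sample lines are constructed from this post; the similarity threshold and the list of imitated binaries are my assumptions, and the orphan rule also catches benign leftovers (the EPSON agent), so the output is a review list, not a verdict.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: O4/O23 lines modelled on the HijackThis log in the first post of this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [only23] C:\WINDOWS\SCVHOST.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [tvctray] c:\windows\system32\tvctray.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (file missing)
O23 - Service: Indexing Helps (Indexingbox) - Unknown owner - %WINDIR%\system\svchest.exe (file missing)
O23 - Service: Indexing Helper (Indexingboxs) - Unknown owner - c:\temp\svchost.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
"""

# Assumed list of core Windows binaries that malware imitates by name; the genuine ones live in %SystemRoot%\system32.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                   "winlogon.exe", "services.exe", "spoolsv.exe"}

O4_RE = re.compile(r"^O4 - \S+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
PATH_RE = re.compile(r"(?:[A-Za-z]:|%WINDIR%)\\[^\s,]+")  # first drive or %WINDIR% path in a command


def suspicious_reasons(owner: str, cmd: str) -> list[str]:
    """Heuristics the thread acts on: lookalike names, misplaced system binaries, orphaned services."""
    reasons = []
    m = PATH_RE.search(cmd)
    directory, _, basename = (m.group(0) if m else cmd).lower().rpartition("\\")
    for legit in SYSTEM_BINARIES:
        if basename != legit and SequenceMatcher(None, basename, legit).ratio() >= 0.85:
            reasons.append(f"lookalike of {legit}")  # e.g. SCVHOST.exe, svchest.exe
    if basename in SYSTEM_BINARIES and not directory.endswith("\\system32"):
        reasons.append("system binary name outside system32")  # e.g. c:\temp\svchost.exe
    if owner == "Unknown owner" and "(file missing)" in cmd:
        reasons.append("orphaned service: unknown owner, file missing")  # also hits uninstall leftovers
    return reasons


def triage(log: str) -> list[dict]:
    """Return the O4/O23 entries of a HijackThis log that trip at least one heuristic."""
    findings = []
    for line in log.splitlines():
        m = O4_RE.match(line) or O23_RE.match(line)
        if not m:
            continue
        owner = m.groupdict().get("owner", "")  # O4 entries carry no owner field
        reasons = suspicious_reasons(owner, m.group("cmd"))
        if reasons:
            findings.append({"entry": line[:3].strip(), "name": m.group("name"), "reasons": reasons})
    return findings
```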
Post #2 - Aug 6 2007, 08:56 AM - Rorschach (GeekU Teacher, Posts: 21,884, From: Dublin, OS: XP)

Hello crystal_sword, I'm just looking over your log and will get back to you soon.
Post #3 - Aug 6 2007, 09:35 AM - Rorschach (GeekU Teacher, Posts: 21,884, From: Dublin, OS: XP)

Hello crystal_sword, my name is Rorschach and I'll be helping you with your problems.
Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time. Click here: http://www.microsoft.com/windowsxp/downloa...p1/default.mspx

Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix). Please then reboot your computer in Safe Mode by doing the following:

Please download SmitfraudFix (by S!Ri) to your Desktop. Double-click SmitfraudFix.exe. Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

So in your next reply please post the following: the SDFix report, the SmitfraudFix report, the two DSS texts in full, and tell me how your PC is running and if you had any problems.
Post #4 - Aug 6 2007, 11:02 AM - crystal_sword (New Member, Posts: 9, OS: XP)

TY.. give me a few seconds.

This post has been edited by crystal_sword: Aug 6 2007, 11:03 AM
Post #5 - Aug 7 2007, 04:12 AM - crystal_sword (New Member, Posts: 9, OS: XP)

```text
SDFix: Version 1.96
Run by User on 07/08/2007 at 11:02

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Indexingbox
Indexingboxs
Office Source Engine Help

ImagePath:
%WINDIR%\system\svchest.exe
c:\temp\svchost.exe
C:\Program Files\NetMeeting\msmsgs

Indexingbox - Deleted
Indexingboxs - Deleted
Office Source Engine Help - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:
C:\WINDOWS\SYSTEM32\SDKEW.EXE - Deleted
C:\WINDOWS\SYSTEM32\MFCYX32.EXE - Deleted
C:\WINDOWS\SYSTEM32\APPEQ.EXE - Deleted
C:\WINDOWS\SYSTEM32\SYSUM.EXE - Deleted
C:\WINDOWS\SYSTEM32\JAVARW32.EXE - Deleted
C:\WINDOWS\SYSTEM32\ATLCB32.EXE - Deleted
C:\WINDOWS\SYSTEM32\D3TX32.EXE - Deleted
C:\WINDOWS\SYSTEM32\SYSPA32.EXE - Deleted
C:\WINDOWS\SYSTEM32\SYSUQ32.EXE - Deleted
C:\WINDOWS\SYSTEM32\MSSZ.EXE - Deleted
C:\WINDOWS\SYSTEM32\CRLZ32.EXE - Deleted
C:\WINDOWS\SYSTEM32\CRKB.EXE - Deleted
C:\WINDOWS\system\svchest.reg - Deleted
C:\WINDOWS\system32\svcp.csv - Deleted
C:\WINDOWS\system32\winsub.xml - Deleted

Removing Temp Files...

ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:
C:\WINDOWS\system32 E33A3A2D.dll

Finished
```

Will post the other 2 ASAP.
Post #6 - Aug 7 2007, 04:14 AM - crystal_sword (New Member, Posts: 9, OS: XP)

```text
SmitFraudFix v2.208

Scan done at 11:13:39.49, 07/08/2007
Run from C:\Documents and Settings\User\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\User

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\User\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\USER\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3E615B26-7C4F-4D6B-8CBC-354760E8130A}: DhcpNameServer=192.168.2.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
```
Post #7 - Aug 7 2007, 04:25 AM - crystal_sword (New Member, Posts: 9, OS: XP)

I ran the DSS.exe, but my comp crashed.
Restarted, and my comp keeps getting a popup saying "System recovered from a serious error".
Post #8 - Aug 7 2007, 08:11 AM - Rorschach (GeekU Teacher, Posts: 21,884, From: Dublin, OS: XP)

Hello crystal_sword

Download GMER from here: http://www.gmer.net/gmer.zip

Unzip it to the desktop. Open the program and click on the Rootkit tab. Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'. Click on Scan. When the scan has run, click Copy and paste the results (if any) into this thread.

Then try to run DSS.exe again.

So post the GMER results in your next reply, and the two DSS texts if it runs. Also tell me how your PC is running and if you had any problems.
Post #9 - Aug 7 2007, 11:11 AM - crystal_sword (New Member, Posts: 9, OS: XP)

```text
GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-08-07 18:10:39
Windows 5.1.2600

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F6AC806A] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F6AC806A] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F6AC806A] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F6AC800B] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F6AC806A] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F6AC806A] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F6AC806A] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F6AC806A] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F6AC806A] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F6AC806A] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F6AC806A] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F6AC806A] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F6AC806A] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F6AC806A] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F6AC806A] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F6AC806A] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F6AC806A] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F6AC806A] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F6AC806A] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F6AC806A] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F6AC806A] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F6AC806A] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F6AC806A] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F6AC806A] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F6AC806A] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F6AC806A] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F6AC806A] SYMEVENT.SYS

---- Threads - GMER 1.0.13 ----

Thread 4:308 816D97A0

---- EOF - GMER 1.0.13 ----
```

DSS to follow.
Post #10 - Aug 8 2007, 03:48 AM - crystal_sword (New Member, Posts: 9, OS: XP)

DSS still crashes....
Post #11 - Aug 8 2007, 10:07 AM - crystal_sword (New Member, Posts: 9, OS: XP)

Well?
Post #12 - Aug 8 2007, 10:13 AM - Rorschach (GeekU Teacher, Posts: 21,884, From: Dublin, OS: XP)

Hello crystal_sword

Now we need to reconfigure Windows XP to show hidden files:

1. Double-click the My Computer icon on the Windows desktop.
2. Select the Tools menu and click Folder Options.
3. Select the View Tab.
4. Under the Hidden files and folders heading select "Show hidden files and folders".
5. Uncheck the "Hide protected operating system files (recommended)" option.
6. Uncheck the "Hide file extensions for known file types" option.
7. Click Yes to confirm. Click OK.

Go to this site: http://www.virustotal.com/

On top you'll find 'Browse'. Click the browse button and browse to the file:

C:\WINDOWS\system32\E33A3A2D.dll

Click open. Then click the 'Send' button next to it. This will scan the file. Please be patient. Once scanned, copy and paste the results as well in your next reply.

Next:

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

So in your next reply please post the following: the results of that file I asked you to scan, the ComboFix log, and a new HijackThis log, and tell me how your PC is running now and if you had any problems.
Post #13 - Aug 9 2007, 07:24 AM - crystal_sword (New Member, Posts: 9, OS: XP)

E33A3A2D.dll
I do not have that file in the system32 folder....
Post #14 - Aug 9 2007, 12:31 PM - Rorschach (GeekU Teacher, Posts: 21,884, From: Dublin, OS: XP)

Please continue on with the rest of the steps then.