Located here:
http://www.geekstogo...aud-t91731.html
I was keyed to that since SpybotS&D detected "smitfraud"
Also, I had detection of "adware_commandservice" from the trendmicro housecall virus scan. This virus scan was unable to remove "command service".
After running the tutorial, there were still problems according to Panda. Please help! I attached ewido log file, panda log, and smitRem log file, plus a post-tutorial HJT log file.
HJT has been updated, I disabled "system restore".
Thank you for helping - I just can't do this myself it doesn't look like
(Originally, I attached the log files. I think everyone prefers I paste the contents into my post (so then it is searchable, i assume?). I removed the attchments and pasted their contents below:
<<<<<<<<<<<<<<Ewido_report.txt>>>>>>>>>>>>>>>>>>>
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 4:48:54 PM 9/2/2006
+ Scan result:
HKU\S-1-5-21-1202660629-117609710-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{052B12F7-86FA-4921-8482-26C42316B522} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\SpyQuake2.com -> Adware.SpywareQuake : Cleaned with backup (quarantined).
C:\Program Files\SpyQuake2.com\Lang -> Adware.SpywareQuake : Cleaned with backup (quarantined).
C:\Program Files\SpyQuake2.com\Lang\English.ini -> Adware.SpywareQuake : Cleaned with backup (quarantined).
C:\Program Files\SpyQuake2.com\Logs -> Adware.SpywareQuake : Cleaned with backup (quarantined).
C:\Program Files\SpyQuake2.com\Quarantine -> Adware.SpywareQuake : Cleaned with backup (quarantined).
C:\Program Files\SpyQuake2.com\msvcp71.dll -> Adware.SpywareQuake : Cleaned with backup (quarantined).
C:\Program Files\SpyQuake2.com\msvcr71.dll -> Adware.SpywareQuake : Cleaned with backup (quarantined).
C:\Program Files\SpyQuake2.com\uninst.exe -> Adware.SpywareQuake : Cleaned with backup (quarantined).
C:\WINDOWS\system32\8494eaeb.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\Documents and Settings\amcallis\Cookies\amcallis@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\amcallis\Cookies\[email protected][2].txt -> TrackingCookie.Tracking101 : Cleaned.
::Report end
<<<<<<<<<<<<<<Smitfiles_reportLog.txt (from tutorial)>>>>>>>>>>>>>>>>>>>.
smitRem © log file
version 3.1
by noahdfear
Microsoft Windows XP [Version 5.1.2600]
"IE"="6.0000"
The current date is: Sat 09/02/2006
The current time is: 16:26:51.81
Running from
C:\Documents and Settings\amcallis\Desktop\smitRem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run SharedTask Export
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
checking for WinHound.com key
WinHound.com key not present!
checking for drsmartload2 key
drsmartload2 key not present!
spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present
Trust Cleaner uninstaller NOT present
SpyHeal uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
Safety Bar
~~~ Shortcuts ~~~
Online Security Guide.url
Online Security Guide.url
Security Troubleshooting.url
Security Troubleshooting.url
~~~ Favorites ~~~
Antivirus Test Online.url
~~~ system32 folder ~~~
issearch.exe
ixt*.dll
amcompat.tlb
nscompat.tlb
logfiles
~~~ Icons in System32 ~~~
ot.ico
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 796 'explorer.exe'
Starting registry repairs
Registry repairs complete
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SharedTask Export after registry fix
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Deleting files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
CLEAN!
[ note from amcallis: the enthusiastic "CLEAN! " seems to be incorrect, based on the Panda scan below. ]
<<<<<<<<<<<<<<Panda Activescan Log>>>>>>>>>>>>>>>>>>>
Incident Status Location
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\vtuurol.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\amcallis\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\amcallis\Desktop\smitRem.exe[smitRem/Process.exe]
Spyware:Spyware/Virtumonde Not disinfected C:\Program Files\Common Files\{EC095BCB-08A3-1033-0425-050125050001}\services.dll
Adware:Adware/CommAd Not disinfected C:\WINDOWS\QW5keQ\kqc4yk.vbs
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\awtqpqn.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\wvutssp.dll
<<<<<<<<<<<<<<HijackThis Log>>>>>>>>>>>>>>>>>>>
Logfile of HijackThis v1.99.1
Scan saved at 5:15:05 PM, on 9/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netsecurity.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [8494eaeb.exe] C:\Documents and Settings\amcallis\Local Settings\Application Data\8494eaeb.exe
O4 - HKCU\..\Run: [urii] C:\PROGRA~1\COMMON~1\urii\uriim.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: .NETSecurity - Unknown owner - C:\WINDOWS\system32\netsecurity.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP Pro 3\Tools\NMSAccess.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Edited by amcallis, 03 September 2006 - 10:56 AM.