Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

CyberLog-x and Traojan-spy.win32@mx

Started by ds154 , Jun 09 2007 09:35 AM

  • Please log in to reply

#1
ds154
Posted 09 June 2007 - 09:35 AM

ds154

    New Member

  • Member
  • Pip
  • 6 posts
After browsing other posts I went ahead and downloaded SmitFraudFix. Any help is greatly appreciated.



Here is the result:


SmitFraudFix v2.194

Scan done at 11:21:53.37, Sat 06/09/2007
Run from C:\Documents and Settings\Default\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Video ActiveX Access\imsmain.exe
C:\Program Files\Video ActiveX Access\imsmn.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\CAPM3LAK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Handspring\Hotsync.exe
C:\WINDOWS\system32\CAPM3RSK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3SWK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Microsoft Office\Office\Outlook.exe
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ckimzeb.dll FOUND !
C:\WINDOWS\system32\migicons.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Default


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Default\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DEFAULT\FAVORI~1

C:\DOCUME~1\DEFAULT\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\SpyCrush 3.1\ FOUND !
C:\Program Files\Video ActiveX Access\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{5bf53d50-b1ec-47b6-a00a-0bd32baeb7ef}"="damkjernite"

[HKEY_CLASSES_ROOT\CLSID\{5bf53d50-b1ec-47b6-a00a-0bd32baeb7ef}\InProcServer32]
@="C:\WINDOWS\system32\ckimzeb.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{5bf53d50-b1ec-47b6-a00a-0bd32baeb7ef}\InProcServer32]
@="C:\WINDOWS\system32\ckimzeb.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\resk.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Instant Wireless USB Network Adapter ver.2.6
DNS Server Search Order: 76.5.159.133
DNS Server Search Order: 63.162.197.69

HKLM\SYSTEM\CCS\Services\Tcpip\..\{722677D1-0D0A-496B-AE3D-0E324680D28B}: DhcpNameServer=76.5.159.133 63.162.197.69
HKLM\SYSTEM\CS1\Services\Tcpip\..\{722677D1-0D0A-496B-AE3D-0E324680D28B}: DhcpNameServer=76.5.159.133 63.162.197.69
HKLM\SYSTEM\CS3\Services\Tcpip\..\{722677D1-0D0A-496B-AE3D-0E324680D28B}: DhcpNameServer=76.5.159.133 63.162.197.69
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=76.5.159.133 63.162.197.69
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=76.5.159.133 63.162.197.69
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=76.5.159.133 63.162.197.69


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

Advertisements

#2
didom
Posted 10 June 2007 - 02:12 PM

didom

    Member 1K

  • Member
  • PipPipPipPip
  • 1,919 posts
Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Create a directory on your hardrive to save HijackThis.exe. A directory like c:\hijackthis. If you do not do this, you will not be able to use the backup/restore features.

Download HijackThis from:

HijackThis Download Site

Save this file into the directory you made previously and then run the program named hijackthis.exe. When the program opens click on the Config button, then click on the Misc Tools button, and click on the Check for update online button. When it completes checking/applying updates press the back button.

Now click on the Scan button and when it is finished click on the Do a system scan and save a logfile button. A Notepad window will open with the contents of this log. Click on Edit then click on Select all. Then click on Edit and then Click on Copy.

Create a reply to this post here and right click in message area and select paste to paste the log into the post.

Someone will reply to you after reading this post. DO NOT fix any entries unless you understand what you are doing.

Bleeping Computer offers a tutorial with screenshots on using HijackThis you can click on the link below:

How to use HijackThis to remove Browser Hijackers, Malware, & Spyware

Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.
  • 0

#3
ds154
Posted 11 June 2007 - 12:58 PM

ds154

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thanks, Didom, for the easy to follow directions. Here are my scan results:


Activescan report

Incident Status Location

Potentially unwanted tool:application/bestoffer Not disinfected c:\windows\SMDAT32M.SYS
Potentially unwanted tool:application/altnet Not disinfected c:\windows\SMDAT32A.SYS
Potentially unwanted tool:application/need2find Not disinfected c:\program files\Need2Find
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{147A976F-EEE1-4377-8EA7-4716E4CDD239}
Adware:adware/instafinder Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\SYSTEM32\Process.exe
Virus:Malware Generic Disinfected C:\Program Files\Morpheus\morpheustoolbar.exe
Adware:Adware/VideoActiveXObject Not disinfected C:\Documents and Settings\Default\Local Settings\Temp\temp.fr1927\IMSMAIN.EXE
Adware:Adware/VideoActiveXObject Not disinfected C:\Documents and Settings\Default\Local Settings\Temp\temp.fr1927\IESPLG.DLL
Adware:Adware/VideoActiveXObject Not disinfected C:\Documents and Settings\Default\Local Settings\Temp\temp.fr1927\IMSMN.EXE
Adware:Adware/PestTrap Not disinfected C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\Content.IE5\CQIS943C\protectstand[1].htm
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Default\Desktop\SmitfraudFix\Process.exe
Virus:Trj/Shutdown.Z Disinfected C:\Documents and Settings\Default\Desktop\SmitfraudFix\RESTART.EXE
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Default\Desktop\SmitfraudFix\SmitfraudFix2.193.zip[SmitfraudFix/Process.exe]
Virus:Trj/Shutdown.Z Disinfected C:\Documents and Settings\Default\Desktop\SmitfraudFix\SmitfraudFix2.193.zip[SmitfraudFix/restart.exe]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Default\Cookies\default@doubleclick[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Default\Cookies\default@casalemedia[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Default\Cookies\default@atdmt[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Default\Cookies\default@trafficmp[2].txt
Virus:W32/Mimail.I.worm Disinfected Archive Folders\Sent Items\FW: YOUR PAYPAL.COM ACCOUNT EXPIRES\www.paypal.com.scr




Hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 2:53:11 PM, on 6/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\CAPM3LAK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Maverick\MavChat\Pandion.exe
C:\Program Files\Handspring\Hotsync.exe
C:\WINDOWS\system32\CAPM3RSK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3SWK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\Handspring\register.exe
O4 - Global Startup: Canon PC1200 iC D700 Status Window.LNK = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\CAPM3LAK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: MavChat.lnk = C:\Program Files\Maverick\MavChat\Pandion.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Handspring\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01042E44-201B-4EA5-A00C-DF534B876123} - http://www.docsvr.co...point/setup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: start - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\System32\resk.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe



As directed, I have not made any changes, I've just run the scans.

Thanks again for your help !
  • 0

#4
didom
Posted 11 June 2007 - 01:50 PM

didom

    Member 1K

  • Member
  • PipPipPipPip
  • 1,919 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

Scan again with HijackThis and check the following items:
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\System32\resk.dll
After checking these items, close all browser windows except HijackThis and click "Fix checked".

Step #2

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Step #3

Reboot Your System in Safe Mode:
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #4

Find and delete these files and folders (if they are still there):
c:\windows\SMDAT32M.SYS
c:\windows\SMDAT32A.SYS
C:\Documents and Settings\Default\Local Settings\Temp\temp.fr1927\IMSMAIN.EXE
C:\Documents and Settings\Default\Local Settings\Temp\temp.fr1927\IESPLG.DLL
C:\Documents and Settings\Default\Local Settings\Temp\temp.fr1927\IMSMN.EXE
C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\Content.IE5\CQIS943C\protectstand[1].htm

c:\program files\Need2Find
C:\Program Files\PartyPoker


Reboot your computer normally.

Step #5

Please run Notepad and paste the following text into a new file:

REGEDIT4

[-hkey_classes_root\clsid\{147A976F-EEE1-4377-8EA7-4716E4CDD239}]

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files".
This is how the reg file must look afterwards: Posted Image

Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Then reboot your computer.

Step #6

Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
  • 0

#5
ds154
Posted 11 June 2007 - 03:25 PM

ds154

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
You're awesome !

COMBOFIX and new Hijackthis





ComboFix 07-06-11.3 - C:\Documents and Settings\Default\Desktop\ComboFix.exe
"Default" - 2007-06-11 16:50:52 - Service Pack 2


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\install.log
C:\WINDOWS\start.exe


((((((((((((((((((((((((( Files Created from 2007-05-11 to 2007-06-11 )))))))))))))))))))))))))))))))


2007-06-11 16:50 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-11 10:56 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-06-11 10:51 <DIR> d-------- C:\hijackthis
2007-06-09 11:22 1,802 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-06-09 11:20 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-06-09 11:20 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-06-09 11:20 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-06-08 15:01 <DIR> d-------- C:\Program Files\SpyCrush 3.1
2007-06-08 15:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-18 16:12:24 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-03-17 13:43:02 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-06-11 10:39]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2002-08-29 12:00 C:\WINDOWS\SYSTEM32\systray.exe]
"PCTVOICE"="pctspk.exe" [2001-08-17 22:36 C:\WINDOWS\SYSTEM32\pctspk.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-31 11:34]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-23 09:21]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"Spyware Begone"="c:\freescan\freescan.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-06-11 10:39]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"rare"=C:\Program Files\Video ActiveX Access\imsmain.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{5bf53d50-b1ec-47b6-a00a-0bd32baeb7ef}"="C:\WINDOWS\system32\ckimzeb.dll" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"=C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SiS Tray"=C:\WINDOWS\SYSTEM32\sistray.exe
"SiS KHooker"=C:\WINDOWS\SYSTEM32\khooker.exe
"CountrySelection"=pctptt.exe
"PTSNOOP"=ptsnoop.exe
"C-Media Mixer"=C:\Program Files\PCI Audio Applications\Mixer.exe /startup
"PtUDFApp"=C:\WINDOWS\SYSTEM32\PtUDFapp.exe /T

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"PTSNOOP"=ptsnoop.exe
"CountrySelection"=pctptt.exe
"WUSB11B.exe"=C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
"vptray"=C:\PROGRA~1\NORTON~1\VPTRAY.EXE

*Newly Created Service* - BROWSER

Contents of the 'Scheduled Tasks' folder
2007-05-02 18:00:02 C:\WINDOWS\tasks\Tune-up Application Start.job







Logfile of HijackThis v1.99.1
Scan saved at 17:25, on 2007-06-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\CAPM3LAK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Handspring\Hotsync.exe
C:\WINDOWS\system32\CAPM3RSK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3SWK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Microsoft Office\Office\Outlook.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\Handspring\register.exe
O4 - Global Startup: Canon PC1200 iC D700 Status Window.LNK = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\CAPM3LAK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: MavChat.lnk = C:\Program Files\Maverick\MavChat\Pandion.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Handspring\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01042E44-201B-4EA5-A00C-DF534B876123} - http://www.docsvr.co...point/setup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: start - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
  • 0

#6
didom
Posted 11 June 2007 - 03:53 PM

didom

    Member 1K

  • Member
  • PipPipPipPip
  • 1,919 posts
Open HijackThis.
  • Click Open the Misc Tools section.
  • Click Open Uninstall Manager.
  • Click Save list (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

  • 0

#7
ds154
Posted 12 June 2007 - 08:46 AM

ds154

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Here's the uninstall list from hijackthis:


Ad-Aware SE Personal
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.9
Advantage Investors Mortgage POINT Interface
AVG 7.5
BCM Diagnostics
Canon PC1200/iC D700
E210
GdiplusUpgrade
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Image Zone 4.7
HP PSC & OfficeJet 4.7
HP Update
HSP56 MR Drivers
InstallShield Tuner 7.0 for Adobe Acrobat
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 3
Java™ SE Runtime Environment 6 Update 1
LiveReg (Symantec Corporation)
LiveUpdate 1.6 (Symantec Corporation)
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft WSE 2.0 SP3 Runtime
MSXML 4.0 SP2 (KB927978)
Norton AntiVirus Corporate Edition 7.0 for Windows
palmOne
Panda ActiveScan
PCI Audio Applications
Point
Point
QuickTime
Read in Microsoft Reader Add-in for Microsoft Word
Reverse Mortgage Analyzer 2000
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
SiS 900 PCI Fast Ethernet Adapter Driver
SiS Audio Driver
Snapshot Viewer
Sony abCD 1.3 Uninstall
Sony abCD 1.5
Sony CD Extreme
Sony Spressa Play & Record
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
WebEx
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Safety Alert
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinZip
  • 0

#8
didom
Posted 13 June 2007 - 08:34 AM

didom

    Member 1K

  • Member
  • PipPipPipPip
  • 1,919 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

Download RogueRemover by RubbeR DuckY from http://www.malwareby...ogueRemover.zip
  • Unzip to a convenient location such as C:\RogueRemover.
  • Navigate to the folder you unzipped the files to and double click on the file named RogueRemover.exe.
  • Finally, select Scan and the program will walk you through the remaining steps.
Step #2

Please click: Start--> Control Panel--> Add or Remove Programs--> Uninstall (if found) any instances of:
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 3

Step #3

Download CCleaner and install it. (Please do not run the CCleaner utility yet.)

Step #4

* Please RE-download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Don't use it yet.

* Reboot into Safe Mode`: ( without networking support !)
°To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* While still in safe mode Start Ccleaner. click "Options", click the "Advanced" tab
Uncheck: "Only delete files older than 48 hrs.", click Ok
Click "Cleaner" and click Run Cleaner (bottom right).

* Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

(Warning : running option #2 on a non infected computer will remove your Desktop background and set it blank again. But you can reapply your desktop background again afterwards

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process.

Step #5

Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.


Post the log from smitfraudfix in your next reply together with the combofix log and a new hijackthislog.
The smitfraudreport can also be found at the root of the system drive, usually at C:\rapport.txt
  • 0

#9
ds154
Posted 14 June 2007 - 09:42 AM

ds154

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
OK....took me a while but I got them all done.



New smitfraudfix

SmitFraudFix v2.195

Scan done at 10:44:55.98, 2007-06-14
Run from C:\Documents and Settings\Default\Desktop\Smitfraud\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\migicons.exe Deleted
C:\DOCUME~1\DEFAULT\FAVORI~1\Online Security Test.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{722677D1-0D0A-496B-AE3D-0E324680D28B}: DhcpNameServer=76.5.159.133 63.162.197.69
HKLM\SYSTEM\CS1\Services\Tcpip\..\{722677D1-0D0A-496B-AE3D-0E324680D28B}: DhcpNameServer=76.5.159.133 63.162.197.69
HKLM\SYSTEM\CS3\Services\Tcpip\..\{722677D1-0D0A-496B-AE3D-0E324680D28B}: DhcpNameServer=76.5.159.133 63.162.197.69
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=76.5.159.133 63.162.197.69
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=76.5.159.133 63.162.197.69
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=76.5.159.133 63.162.197.69


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End





New Combofix

ComboFix 07-06-11.3 - C:\Documents and Settings\Default\Desktop\ComboFix.exe
"Default" - 2007-06-14 11:29:26 - Service Pack 2


((((((((((((((((((((((((( Files Created from 2007-05-14 to 2007-06-14 )))))))))))))))))))))))))))))))


2007-06-13 11:28 <DIR> d-------- C:\Program Files\CCleaner
2007-06-13 11:19 <DIR> d-------- C:\Program Files\RogueRemover
2007-06-13 11:06 <DIR> d-------- C:\RogueRemovr
2007-06-11 16:50 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-11 10:56 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-06-11 10:51 <DIR> d-------- C:\hijackthis
2007-06-09 11:22 1,794 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-06-08 15:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:16 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:24 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-03-17 13:43:02 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-06-11 10:39]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2002-08-29 12:00 C:\WINDOWS\SYSTEM32\systray.exe]
"PCTVOICE"="pctspk.exe" [2001-08-17 22:36 C:\WINDOWS\SYSTEM32\pctspk.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-31 11:34]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-23 09:21]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-06-11 10:39]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"=C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SiS Tray"=C:\WINDOWS\SYSTEM32\sistray.exe
"SiS KHooker"=C:\WINDOWS\SYSTEM32\khooker.exe
"CountrySelection"=pctptt.exe
"PTSNOOP"=ptsnoop.exe
"C-Media Mixer"=C:\Program Files\PCI Audio Applications\Mixer.exe /startup
"PtUDFApp"=C:\WINDOWS\SYSTEM32\PtUDFapp.exe /T

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"PTSNOOP"=ptsnoop.exe
"CountrySelection"=pctptt.exe
"WUSB11B.exe"=C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
"vptray"=C:\PROGRA~1\NORTON~1\VPTRAY.EXE


Contents of the 'Scheduled Tasks' folder
2007-05-02 18:00:02 C:\WINDOWS\tasks\Tune-up Application Start.job





New Hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 11:05, on 2007-06-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\CAPM3LAK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\CAPM3RSK.EXE
C:\Program Files\Handspring\Hotsync.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3SWK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MICROS~1\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\Handspring\register.exe
O4 - Global Startup: Canon PC1200 iC D700 Status Window.LNK = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\CAPM3LAK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: MavChat.lnk = C:\Program Files\Maverick\MavChat\Pandion.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Handspring\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01042E44-201B-4EA5-A00C-DF534B876123} - http://www.docsvr.co...point/setup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: start - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe




THANKS !!
  • 0

#10
didom
Posted 14 June 2007 - 02:40 PM

didom

    Member 1K

  • Member
  • PipPipPipPip
  • 1,919 posts
Please fix this line:

O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)

This log looks clean!
  • Don't forget to re-hide all files and folders. To re-hide all files and folders:
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Under the Hidden files and folders heading deselect "Show hidden files and folders".
    • Check the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.
    To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
    • Turn off System Restore.
      • On the Desktop, right-click My Computer.
      • Click Properties.
      • Click the System Restore tab.
      • Check "Turn off System Restore".
      • Click Apply, and then click OK.
    • Reboot your computer.
    • Turn ON System Restore.
      • On the Desktop, right-click My Computer.
      • Click Properties.
      • Click the System Restore tab.
      • UN-Check "Turn off System Restore".
      • Click Apply, and then click OK.
  • This is a good time to set up protection against further attacks. Read the article behind this link "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall for example Kerio Personal Firewall or ZoneLabs Zone Alarm, a spyware blocker like SpywareBlaster and also IE-Spyads and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

    Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.

    Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protects your computer.

    This can be accessed by going to http://windowsupdate.microsoft.com and following the prompts. If you are running Windows XP make sure you get updated to SP-2!!

    Please post back if you are still having any problems....

    Posted Image

  • 0

#11
ds154
Posted 15 June 2007 - 09:21 AM

ds154

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thanks for the quick response. I have had some issues since my last post...

As you said, the Smitfraudfix removed my desktop background. After my last post I went to re-apply my background. My system seemed to hang as I re-applied the desktop background. The background finally applied itself, however, since then my desktop icons have disappeared. This did not occur until after I re-applied my desktop background.

Additionally, my computer seems to be running tragically slow when tasked with opening new programs. Since my desktop icons are no longer present I must go through the Start button to access my programs. Not a big deal. However, if I Go through the Start button to access My Documents, My Pictures, My Computer, or the Control Panel, the computer locks up and I cannot do anything except log off as a user and log back in.

I have not been able to work on the instruction included in your most recent post as a result.

Any ideas here ?

I really appreciate all your help. I know you have invested a lot of time in assisting me.
  • 0

#12
didom
Posted 15 June 2007 - 12:43 PM

didom

    Member 1K

  • Member
  • PipPipPipPip
  • 1,919 posts
Can you please try one of these workarounds for your desktop icons:
http://xphelpandsupp..._my_desktop.htm

You might need to create a new user account:

Go to Start > Control Panel

Double-Click User Accounts
Choose Create a new Account
Type any name for the account then click Next
Choose Computer Administrator then click Create Account

Log off your current account.

Reboot your computer, then log-in to the new account you just created.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP