Trojan Agent Winlogonhook


8 replies to this topic

#1 Inq_PL

Posted 23 September 2007 - 02:25 PM

I realized that I have such a Trojan on my PC; neither Norton nor Spysweeper can remove it. It wants me to download some software, etc. I read your stuff on the same issue and I ran ComboFix.exe, and the three icons on my desktop, which were all somehow related to the Trojan, disappeared. But when I open Explorer I get a different home page, urging me to install some software to get rid of unwanted stuff, Trojans, films, blah blah blah...

I know you are the expert. Please help and tell me what to do next. Thank you very, very much in advance!


Pat

...I did get some errors while ComboFix was finishing, so I was forced to restart the PC manually. I am not an expert, but it might have had some significant impact on the log report that is posted below. I really hope not. :thumbsup:

ComboFix log:

ComboFix 07-09-21.2 - "GMKAMIL" 2007-09-23 16:44:44.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.336 [GMT 2:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\GMKAMI~1\Pulpit\Error Cleaner.url
C:\DOCUME~1\GMKAMI~1\Pulpit\Privacy Protector.url
C:\DOCUME~1\GMKAMI~1\Pulpit\Spyware&Malware Protection.url
C:\DOCUME~1\GMKAMI~1\Ulubione\Error Cleaner.url
C:\DOCUME~1\GMKAMI~1\Ulubione\Privacy Protector.url
C:\DOCUME~1\GMKAMI~1\Ulubione\Spyware&Malware Protection.url
C:\Program Files\VideoAccessCodec
C:\Program Files\VideoAccessCodec\install.ico
C:\Program Files\VideoAccessCodec\Uninstall.exe
C:\Program Files\VideoAccessCodec\VideoAccessCodec.ocx
C:\WINDOWS\dat.txt
C:\WINDOWS\main_uninstaller.exe
C:\WINDOWS\msmdev.dll
C:\WINDOWS\msmhost.dll
C:\WINDOWS\nsduo.dll
C:\WINDOWS\privacy_danger
C:\WINDOWS\rs.txt
C:\WINDOWS\system32\winzzd32.dll
C:\WINDOWS\wmphost.dll

.
((((((((((((((((((((((((( Files Created from 2007-08-23 to 2007-09-23 )))))))))))))))))))))))))))))))
.

2007-09-23 16:41 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-23 15:08 15,360 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-09-23 15:08 14,848 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-09-23 15:08 13,824 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-09-23 15:08 117,248 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-09-23 15:08 <DIR> d-------- C:\DOCUME~1\LOCALS~1\DANEAP~1\Webroot
2007-09-23 15:08 <DIR> d-------- C:\DOCUME~1\GMKAMI~1\DANEAP~1\Webroot
2007-09-23 15:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Webroot
2007-09-18 14:43 43,696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 14:43 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 14:43 278,576 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-15 23:33 122,884 --a------ C:\WINDOWS\UnGins.exe
2007-09-15 23:33 <DIR> d-------- C:\Program Files\Sims
2007-09-15 20:18 25,544 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-09-15 20:18 <DIR> d-------- C:\DOCUME~1\GMKAMI~1\DANEAP~1\Hamachi
2007-09-15 17:54 <DIR> d-------- C:\Nowy folder
2007-09-14 00:56 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-11 17:32 <DIR> d-------- C:\DOCUME~1\GMKAMI~1\Phone Browser
2007-09-11 17:32 <DIR> d-------- C:\DOCUME~1\GMKAMI~1\DANEAP~1\Datalayer
2007-09-11 17:11 8,704 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2007-09-11 17:11 50,688 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-09-11 17:11 4,608 --a------ C:\WINDOWS\system32\nmwcdlog.dll
2007-09-11 17:11 30,720 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2007-09-11 17:11 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2007-09-11 17:11 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2007-09-11 17:11 127,488 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2007-09-11 17:11 <DIR> d-------- C:\Program Files\DIFX
2007-09-11 17:11 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-09-11 17:11 <DIR> d-------- C:\DOCUME~1\GMKAMI~1\DANEAP~1\PC Suite
2007-09-11 17:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\PC Suite
2007-09-11 17:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Downloaded Installations
2007-09-11 17:10 <DIR> d-------- C:\Program Files\Nokia
2007-09-11 17:10 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-09-10 18:02 271,360 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2007-09-10 18:02 18,048 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2007-09-10 18:01 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-09-10 18:01 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2007-09-10 18:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-10 18:01 <DIR> d-------- C:\Program Files\AGEIA Technologies
2007-09-07 22:54 <DIR> d-------- C:\Program Files\Axis Communications
2007-09-04 11:38 <DIR> d-------- C:\!KillBox
2007-08-26 00:18 <DIR> d-------- C:\DOCUME~1\GMKAMI~1\My Games
2007-08-25 23:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Microsoft Games
2007-08-25 23:52 <DIR> d-------- C:\DOCUME~1\GMKAMI~1\DANEAP~1\Microsoft Game Studios
2007-08-25 00:30 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2007-08-25 00:28 <DIR> d-------- C:\Program Files\MSBuild
2007-08-25 00:28 <DIR> d-------- C:\Program Files\Microsoft Works
2007-08-25 00:27 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-08-25 00:25 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2007-08-25 00:24 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-08-25 00:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Microsoft Help
2007-08-25 00:22 <DIR> dr-h----- C:\MSOCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-23 16:52 --------- d-------- C:\DOCUME~1\GMKAMI~1\DANEAP~1\Skype
2007-09-23 16:50 --------- d-------- C:\Program Files\cFosSpeed
2007-09-23 16:35 --------- d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Symantec
2007-09-23 15:14 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-23 13:16 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-09-23 13:16 60800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-09-23 13:16 123952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-09-23 13:16 10676 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-09-23 13:16 --------- d-------- C:\Program Files\Symantec
2007-09-18 14:44 1430 --a------ C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 14:44 1421 --a------ C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 14:44 1415 --a------ C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 14:44 10662 --a------ C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 14:44 10662 --a------ C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 14:44 10658 --a------ C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-10 13:43 --------- d-------- C:\Program Files\Winamp
2007-09-09 13:31 --------- d-------- C:\Program Files\SubEdit-Player
2007-09-07 17:22 --------- d-------- C:\Program Files\Gadu-Gadu
2007-08-31 12:42 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-31 10:37 --------- d-------- C:\DOCUME~1\GMKAMI~1\DANEAP~1\BitTyrant
2007-08-22 22:14 --------- d-------- C:\Program Files\Digital Sound Recorder
2007-08-22 22:13 --------- d-------- C:\Program Files\MuvAudio2
2007-08-22 22:12 --------- d-------- C:\Program Files\Arial Sound Recorder
2007-08-21 15:04 --------- d-------- C:\DOCUME~1\GMKAMI~1\DANEAP~1\Thinstall
2007-08-20 18:28 231302 --a------ C:\WINDOWS\Peer2Mail_Toolbar_Uninstaller_4984.exe
2007-08-20 18:28 --------- d-------- C:\Program Files\Peer2Mail Toolbar
2007-08-20 18:28 --------- d-------- C:\Program Files\Peer2Mail
2007-08-20 15:57 --------- d-------- C:\Program Files\NextUp-ScanSoft
2007-08-20 09:18 --------- d-------- C:\Program Files\MarBit
2007-08-19 15:42 --------- d-------- C:\Program Files\Audacity
2007-08-19 14:45 --------- d-------- C:\Program Files\ivo
2007-08-19 14:45 --------- d-------- C:\DOCUME~1\GMKAMI~1\DANEAP~1\Expressivo
2007-08-17 18:13 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-08-17 13:08 --------- d-------- C:\Program Files\BitTyrant
2007-08-16 14:54 --------- d-------- C:\DOCUME~1\GMKAMI~1\DANEAP~1\Sony Corporation
2007-08-13 23:53 --------- d-------- C:\Program Files\Alcohol Soft
2007-08-13 18:00 --------- d-------- C:\Program Files\Common Files\Vbox
2007-08-09 12:24 --------- d-------- C:\DOCUME~1\GMKAMI~1\DANEAP~1\Help
2007-08-08 17:50 --------- d-------- C:\Program Files\Dziobas Rar Player
2007-08-05 22:49 --------- d-------- C:\Program Files\Player Tool
2007-08-05 21:47 --------- d-------- C:\Program Files\Sony Corporation
2007-08-05 21:47 --------- d-------- C:\Program Files\Sony
2007-08-05 21:47 --------- d-------- C:\Program Files\Common Files\Sony Shared
2007-08-05 21:45 --------- d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Sony Corporation
2007-08-05 10:45 --------- d-------- C:\Program Files\Logitech
2007-08-05 10:45 --------- d-------- C:\Program Files\Common Files\Logitech
2007-08-02 19:07 --------- d-------- C:\Program Files\SoundCopy
2007-08-02 19:06 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-08-02 19:06 249856 --------- C:\WINDOWS\Setup1.exe
2007-08-01 13:06 --------- d-------- C:\DOCUME~1\GMKAMI~1\DANEAP~1\AdobeUM
2007-07-31 13:45 --------- d-------- C:\DOCUME~1\GMKAMI~1\DANEAP~1\Real
2007-07-31 13:38 --------- d-------- C:\Program Files\XAudioTools
2007-07-30 19:30 --------- d-------- C:\DOCUME~1\GMKAMI~1\DANEAP~1\Media Player Classic
2007-07-30 19:29 --------- d-------- C:\Program Files\Ringz Studio
2007-07-30 19:29 --------- d-------- C:\Program Files\Common Files\Real
2007-07-30 19:29 --------- d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Apple Computer
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-20 00:57 267112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2007-07-20 00:54 18280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-07-19 18:14 444776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2007-07-19 18:14 3727720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2007-07-19 18:14 1358192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2007-07-14 17:16 108144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-07-01 13:59 4258800 --a------ C:\Program Files\PATRYKA NIE RUSZAC John Marks - Update.mp3
2007-06-26 08:10 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2004-10-01 15:00 40960 --a------ C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 10:48 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 C:\WINDOWS\SkyTel.exe]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-04-25 04:52]
"NvCplDaemon"="RUNDLL32.exe" [2006-03-02 14:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-08-08 14:54 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2006-03-02 14:00 C:\WINDOWS\system32\rundll32.exe]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-08 16:25]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 19:22]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 11:22]
"BearShare"="C:\Program Files\BearShare\BearShare.exe" [2006-07-29 03:48]
"cFosSpeed"="C:\Program Files\cFosSpeed\cFosSpeed.exe" [2007-01-05 18:00]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 14:25]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 14:45]
"SetDefPrt"="C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe" [2005-01-26 18:02]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-05-17 17:42]
"StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2006-11-26 20:30]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 02:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-28 01:12]
"SpySweeper"="D:\SpySweep\Spy Sweeper\SpySweeperUI.exe" [2006-08-03 20:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-07-02 17:10]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 08:18]

C:\DOCUME~1\ALLUSE~1\MENUST~1\Programy\AUTOST~1\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2007-07-16 12:05:06]

R0 JGOGO;JMicron Hot-Plug Driver;C:\WINDOWS\system32\DRIVERS\JGOGO.sys
R0 JRAID;JRAID;C:\WINDOWS\system32\DRIVERS\jraid.sys
R2 Harmonogram automatycznej usługi LiveUpdate;Harmonogram automatycznej usługi LiveUpdate;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys
S3 trial;trial;\??\D:\cheaty\r0_League_Cheat\r0 League Cheat\aeq_suxx.sys
S3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-09-14 19:49:04 C:\WINDOWS\Tasks\Norton Internet Security - Uruchom pełne skanowanie systemu - GM Kamil.job"
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-23 16:52:09
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\hamachi]
"ImagePath"="system32\DRIVERS\hamachi.sys"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Harmonogram automatycznej usługi LiveUpdate]
"ImagePath"="\"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe\""
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\HDAudBus]
"ImagePath"="system32\DRIVERS\HDAudBus.sys"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\helpsvc]
"ServiceDll"="%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\HidServ]
"ServiceDll"="%SystemRoot%\System32\hidserv.dll"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\HidUsb]
"ImagePath"="system32\DRIVERS\hidusb.sys"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\hpn]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\HTTP]
"ImagePath"="System32\Drivers\HTTP.sys"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\HTTPFilter]
"ServiceDll"="%SystemRoot%\System32\w3ssl.dll"
.
Completion time: 2007-09-23 16:53:28 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-23 16:53
.
--- E O F ---

Edited by Inq_PL, 23 September 2007 - 02:32 PM.
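The ComboFix log above lists every autorun value and every service or driver without saying which ones deserve a second look. The Python script below is an added example, not part of this thread and not ComboFix's own logic: it parses the "Reg Loading Points" values and the R0/R2/S3 service lines in the format ComboFix prints, and flags image paths outside the usual Windows roots, kernel drivers loaded from outside system32\drivers, and autoruns that use a host process such as rundll32 (where the log omits the DLL argument). The trusted-root list, host-process list and flag wording are this example's own heuristics; the sample lines are excerpted from the log posted above.

```python
"""Triage helper for ComboFix-style log lines (added example, not from the thread).

Parses the "Reg Loading Points" Run values and the service/driver lines
(prefix R0/R2/S3 ...) and flags image paths by location. The heuristics
below are this example's own, not ComboFix's, and produce leads, not verdicts.
"""
import re

# Excerpted from the ComboFix log posted in this thread (not constructed).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 10:48 C:\WINDOWS\RTHDCPL.exe]
"NvCplDaemon"="RUNDLL32.exe" [2006-03-02 14:00 C:\WINDOWS\system32\rundll32.exe]
"BearShare"="C:\Program Files\BearShare\BearShare.exe" [2006-07-29 03:48]
"SpySweeper"="D:\SpySweep\Spy Sweeper\SpySweeperUI.exe" [2006-08-03 20:02]

R0 JRAID;JRAID;C:\WINDOWS\system32\DRIVERS\jraid.sys
R2 Harmonogram automatycznej usługi LiveUpdate;Harmonogram automatycznej usługi LiveUpdate;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"
S3 trial;trial;\??\D:\cheaty\r0_League_Cheat\r0 League Cheat\aeq_suxx.sys
S3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
"""

# Heuristic policy (assumption of this example): XP system drive is C:.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
HOST_PROCESSES = ("rundll32.exe", "regsvr32.exe", "cmd.exe", "wscript.exe", "cscript.exe")

# "Name"="value" [YYYY-MM-DD HH:MM <resolved path, if ComboFix found one>]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
# R0 name;display name;image path
SVC_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<image>.+?)\s*$')
META_RE = re.compile(r'^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s*(?P<path>.*)$')


def normalize_path(raw):
    """Strip surrounding quotes and the NT object-manager prefix (\\??\\) ComboFix prints."""
    path = raw.strip().strip('"')
    if path.startswith("\\??\\"):
        path = path[4:]
    return path


def assess(kind, path):
    """Return the list of heuristic flags for one image path; kind is 'run' or 'service'."""
    flags = []
    low = path.lower()
    if "\\" not in low:
        # Bare filename: resolved through the search path; location cannot be judged here.
        flags.append("unresolved path")
        return flags
    if not low.startswith(TRUSTED_ROOTS):
        flags.append("outside trusted roots")
    if kind == "service" and low.endswith(".sys") and not low.startswith(DRIVER_DIR):
        flags.append("driver outside system32\\drivers")
    if low.rsplit("\\", 1)[-1] in HOST_PROCESSES:
        flags.append("host process; inspect the argument ComboFix omitted")
    return flags


def triage(log_text):
    """Parse Run values and service lines; return one dict per entry with its flags."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            path = m.group("value")
            meta = META_RE.match(m.group("meta").strip())
            if meta and meta.group("path"):
                path = meta.group("path")  # prefer the path ComboFix resolved
            path = normalize_path(path)
            entries.append({"kind": "run", "name": m.group("name"), "path": path,
                            "flags": assess("run", path)})
            continue
        m = SVC_RE.match(line)
        if m:
            path = normalize_path(m.group("image"))
            entries.append({"kind": "service", "name": m.group("name").strip(),
                            "start": m.group("start"), "path": path,
                            "flags": assess("service", path)})
    return entries


def flagged(log_text):
    """Only the entries that raised at least one flag."""
    return [e for e in triage(log_text) if e["flags"]]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f'{e["kind"]:8} {e["name"]!r}: {e["path"]}  <- {", ".join(e["flags"])}')
```

Run as-is it reports three leads from the excerpt: the `trial` driver (loaded from a user directory on D:, not from system32\drivers), the SpySweeper Run value (on D:, which is simply a non-default install location, so a flag is a prompt to verify, not a finding), and the NvCplDaemon value, where the log shows only rundll32.exe and the DLL it loads has to be checked by hand. Treat every flag that way: the rules say where to look, not what to delete.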

#2 buddy215
  • BC Advisor

Posted 23 September 2007 - 04:58 PM

Use the Smitfraudfix tool in the link below. Read the directions carefully. Then follow up with the other two programs to remove the malware that accompanies the Smitfraud malware.
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

Install Super Antispyware. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

Run the online scan for Bit Defender in normal mode. Allow it to quarantine whatever it finds.
http://www.bitdefender.com/scan8/ie.html

Please let us know the results of the scans.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 quietman7
  • Global Moderator

Posted 23 September 2007 - 09:11 PM

You should not be using Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could adversely impact your system and prevent it from ever starting again.

After following buddy215's instructions, download RogueRemover and save it to your Desktop. (This program is for Win XP, 2000, NT only)
  • Double-click on rr-free-setup.exe to install in C:\Program Files\RogueRemover.
  • During the installation an icon will automatically be created on your Desktop.
  • Double-click on the RogueRemover icon to launch the program and select Check for Updates.
  • If prompted, click Download to receive the latest updates.
  • When completed, close the update window.
  • Select "Scan" and the program will walk you through the remaining steps.
Then Download and scan with AVG Anti-Spyware 7.5 in "SAFE MODE".
(This is Ewido 4.0 renamed and updated with a special "clean driver" for removing persistent malware.)
Be sure to print out and follow the AVG Anti-Spyware Install-Scan Instructions.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 Inq_PL
  • Topic Starter

Posted 25 September 2007 - 11:37 AM

buddy215... should I do what quietman7 says after I do what you suggested for me to do? By the way, as soon as I am done with it all I will copy and paste all the logs here, whenever I have a chance to copy any. Also I will resume my work on that as soon as I get to that PC. I am doing this for my cousin; she has no idea how to get rid of it and she doesn't speak English, therefore I found this site and I seek help from experts like you! Talk to you soon :thumbsup:

#5 buddy215
  • BC Advisor

Posted 25 September 2007 - 11:48 AM

After using the three programs I suggested, report back with any problems you are still having. The longer you delay removing the malware and using the infected computer online, the more likely it is that MORE malware will get on the computer.



#6 quietman7
  • Global Moderator

Posted 25 September 2007 - 12:15 PM

Repeated reports of Trojan Agent Winlogonhook are a known problem with Spysweeper. AVG Anti-Spyware seems to take care of it.

#7 Inq_PL
  • Topic Starter

Posted 08 October 2007 - 03:15 PM

This may be a repetition of the previous log, but I found it in C:\ so I am posting it along with the quarantined ones and the log I got from, as I remember, the first of the three programs that you suggested I use. After each step I copied the report to a different location, because it then created another one in the same location with the same name and I thought it would replace the old one. So here it is:

ComboFix (maybe the same one that I posted above; if so, sorry if it confused anyone):

ComboFix 07-09-21.2 - "GM Kamil" 2007-09-23 16:44:44.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.336 [GMT 2:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\GMKAMI~1\Pulpit\Error Cleaner.url
C:\DOCUME~1\GMKAMI~1\Pulpit\Privacy Protector.url
C:\DOCUME~1\GMKAMI~1\Pulpit\Spyware&Malware Protection.url
C:\DOCUME~1\GMKAMI~1\Ulubione\Error Cleaner.url
C:\DOCUME~1\GMKAMI~1\Ulubione\Privacy Protector.url
C:\DOCUME~1\GMKAMI~1\Ulubione\Spyware&Malware Protection.url
C:\Program Files\VideoAccessCodec
C:\Program Files\VideoAccessCodec\install.ico
C:\Program Files\VideoAccessCodec\Uninstall.exe
C:\Program Files\VideoAccessCodec\VideoAccessCodec.ocx
C:\WINDOWS\dat.txt
C:\WINDOWS\main_uninstaller.exe
C:\WINDOWS\msmdev.dll
C:\WINDOWS\msmhost.dll
C:\WINDOWS\nsduo.dll
C:\WINDOWS\privacy_danger
C:\WINDOWS\rs.txt
C:\WINDOWS\system32\winzzd32.dll
C:\WINDOWS\wmphost.dll

.
((((((((((((((((((((((((( Files Created from 2007-08-23 to 2007-09-23 )))))))))))))))))))))))))))))))
.

2007-09-23 16:41 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-23 15:08 15,360 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-09-23 15:08 14,848 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-09-23 15:08 13,824 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-09-23 15:08 117,248 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-09-23 15:08 <DIR> d-------- C:\DOCUME~1\LOCALS~1\DANEAP~1\Webroot
2007-09-23 15:08 <DIR> d-------- C:\DOCUME~1\GMKAMI~1\DANEAP~1\Webroot
2007-09-23 15:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Webroot
2007-09-18 14:43 43,696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 14:43 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 14:43 278,576 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-15 23:33 122,884 --a------ C:\WINDOWS\UnGins.exe
2007-09-15 23:33 <DIR> d-------- C:\Program Files\Sims
2007-09-15 20:18 25,544 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-09-15 20:18 <DIR> d-------- C:\DOCUME~1\GMKAMI~1\DANEAP~1\Hamachi
2007-09-15 17:54 <DIR> d-------- C:\Nowy folder
2007-09-14 00:56 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-11 17:32 <DIR> d-------- C:\DOCUME~1\GMKAMI~1\Phone Browser
2007-09-11 17:32 <DIR> d-------- C:\DOCUME~1\GMKAMI~1\DANEAP~1\Datalayer
2007-09-11 17:11 8,704 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2007-09-11 17:11 50,688 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-09-11 17:11 4,608 --a------ C:\WINDOWS\system32\nmwcdlog.dll
2007-09-11 17:11 30,720 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2007-09-11 17:11 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2007-09-11 17:11 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2007-09-11 17:11 127,488 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2007-09-11 17:11 <DIR> d-------- C:\Program Files\DIFX
2007-09-11 17:11 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-09-11 17:11 <DIR> d-------- C:\DOCUME~1\GMKAMI~1\DANEAP~1\PC Suite
2007-09-11 17:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\PC Suite
2007-09-11 17:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Downloaded Installations
2007-09-11 17:10 <DIR> d-------- C:\Program Files\Nokia
2007-09-11 17:10 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-09-10 18:02 271,360 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2007-09-10 18:02 18,048 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2007-09-10 18:01 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-09-10 18:01 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2007-09-10 18:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-10 18:01 <DIR> d-------- C:\Program Files\AGEIA Technologies
2007-09-07 22:54 <DIR> d-------- C:\Program Files\Axis Communications
2007-09-04 11:38 <DIR> d-------- C:\!KillBox
2007-08-26 00:18 <DIR> d-------- C:\DOCUME~1\GMKAMI~1\My Games
2007-08-25 23:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Microsoft Games
2007-08-25 23:52 <DIR> d-------- C:\DOCUME~1\GMKAMI~1\DANEAP~1\Microsoft Game Studios
2007-08-25 00:30 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2007-08-25 00:28 <DIR> d-------- C:\Program Files\MSBuild
2007-08-25 00:28 <DIR> d-------- C:\Program Files\Microsoft Works
2007-08-25 00:27 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-08-25 00:25 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2007-08-25 00:24 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-08-25 00:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Microsoft Help
2007-08-25 00:22 <DIR> dr-h----- C:\MSOCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-23 16:52 --------- d-------- C:\DOCUME~1\GMKAMI~1\DANEAP~1\Skype
2007-09-23 16:50 --------- d-------- C:\Program Files\cFosSpeed
2007-09-23 16:35 --------- d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Symantec
2007-09-23 15:14 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-23 13:16 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-09-23 13:16 60800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-09-23 13:16 123952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-09-23 13:16 10676 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-09-23 13:16 --------- d-------- C:\Program Files\Symantec
2007-09-18 14:44 1430 --a------ C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 14:44 1421 --a------ C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 14:44 1415 --a------ C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 14:44 10662 --a------ C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 14:44 10662 --a------ C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 14:44 10658 --a------ C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-10 13:43 --------- d-------- C:\Program Files\Winamp
2007-09-09 13:31 --------- d-------- C:\Program Files\SubEdit-Player
2007-09-07 17:22 --------- d-------- C:\Program Files\Gadu-Gadu
2007-08-31 12:42 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-31 10:37 --------- d-------- C:\DOCUME~1\GMKAMI~1\DANEAP~1\BitTyrant
2007-08-22 22:14 --------- d-------- C:\Program Files\Digital Sound Recorder
2007-08-22 22:13 --------- d-------- C:\Program Files\MuvAudio2
2007-08-22 22:12 --------- d-------- C:\Program Files\Arial Sound Recorder
2007-08-21 15:04 --------- d-------- C:\DOCUME~1\GMKAMI~1\DANEAP~1\Thinstall
2007-08-20 18:28 231302 --a------ C:\WINDOWS\Peer2Mail_Toolbar_Uninstaller_4984.exe
2007-08-20 18:28 --------- d-------- C:\Program Files\Peer2Mail Toolbar
2007-08-20 18:28 --------- d-------- C:\Program Files\Peer2Mail
2007-08-20 15:57 --------- d-------- C:\Program Files\NextUp-ScanSoft
2007-08-20 09:18 --------- d-------- C:\Program Files\MarBit
2007-08-19 15:42 --------- d-------- C:\Program Files\Audacity
2007-08-19 14:45 --------- d-------- C:\Program Files\ivo
2007-08-19 14:45 --------- d-------- C:\DOCUME~1\GMKAMI~1\DANEAP~1\Expressivo
2007-08-17 18:13 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-08-17 13:08 --------- d-------- C:\Program Files\BitTyrant
2007-08-16 14:54 --------- d-------- C:\DOCUME~1\GMKAMI~1\DANEAP~1\Sony Corporation
2007-08-13 23:53 --------- d-------- C:\Program Files\Alcohol Soft
2007-08-13 18:00 --------- d-------- C:\Program Files\Common Files\Vbox
2007-08-09 12:24 --------- d-------- C:\DOCUME~1\GMKAMI~1\DANEAP~1\Help
2007-08-08 17:50 --------- d-------- C:\Program Files\Dziobas Rar Player
2007-08-05 22:49 --------- d-------- C:\Program Files\Player Tool
2007-08-05 21:47 --------- d-------- C:\Program Files\Sony Corporation
2007-08-05 21:47 --------- d-------- C:\Program Files\Sony
2007-08-05 21:47 --------- d-------- C:\Program Files\Common Files\Sony Shared
2007-08-05 21:45 --------- d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Sony Corporation
2007-08-05 10:45 --------- d-------- C:\Program Files\Logitech
2007-08-05 10:45 --------- d-------- C:\Program Files\Common Files\Logitech
2007-08-02 19:07 --------- d-------- C:\Program Files\SoundCopy
2007-08-02 19:06 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-08-02 19:06 249856 --------- C:\WINDOWS\Setup1.exe
2007-08-01 13:06 --------- d-------- C:\DOCUME~1\GMKAMI~1\DANEAP~1\AdobeUM
2007-07-31 13:45 --------- d-------- C:\DOCUME~1\GMKAMI~1\DANEAP~1\Real
2007-07-31 13:38 --------- d-------- C:\Program Files\XAudioTools
2007-07-30 19:30 --------- d-------- C:\DOCUME~1\GMKAMI~1\DANEAP~1\Media Player Classic
2007-07-30 19:29 --------- d-------- C:\Program Files\Ringz Studio
2007-07-30 19:29 --------- d-------- C:\Program Files\Common Files\Real
2007-07-30 19:29 --------- d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Apple Computer
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-20 00:57 267112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2007-07-20 00:54 18280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-07-19 18:14 444776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2007-07-19 18:14 3727720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2007-07-19 18:14 1358192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2007-07-14 17:16 108144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-07-01 13:59 4258800 --a------ C:\Program Files\PATRYKA NIE RUSZAC John Marks - Update.mp3
2007-06-26 08:10 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2004-10-01 15:00 40960 --a------ C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 10:48 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 C:\WINDOWS\SkyTel.exe]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-04-25 04:52]
"NvCplDaemon"="RUNDLL32.exe" [2006-03-02 14:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-08-08 14:54 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2006-03-02 14:00 C:\WINDOWS\system32\rundll32.exe]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-08 16:25]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 19:22]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 11:22]
"BearShare"="C:\Program Files\BearShare\BearShare.exe" [2006-07-29 03:48]
"cFosSpeed"="C:\Program Files\cFosSpeed\cFosSpeed.exe" [2007-01-05 18:00]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 14:25]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 14:45]
"SetDefPrt"="C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe" [2005-01-26 18:02]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-05-17 17:42]
"StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2006-11-26 20:30]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 02:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-28 01:12]
"SpySweeper"="D:\SpySweep\Spy Sweeper\SpySweeperUI.exe" [2006-08-03 20:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-07-02 17:10]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 08:18]

C:\DOCUME~1\ALLUSE~1\MENUST~1\Programy\AUTOST~1\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2007-07-16 12:05:06]

R0 JGOGO;JMicron Hot-Plug Driver;C:\WINDOWS\system32\DRIVERS\JGOGO.sys
R0 JRAID;JRAID;C:\WINDOWS\system32\DRIVERS\jraid.sys
R2 Harmonogram automatycznej usługi LiveUpdate;Harmonogram automatycznej usługi LiveUpdate;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys
S3 trial;trial;\??\D:\cheaty\r0_League_Cheat\r0 League Cheat\aeq_suxx.sys
S3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-09-14 19:49:04 C:\WINDOWS\Tasks\Norton Internet Security - Uruchom pełne skanowanie systemu - GM Kamil.job"
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-23 16:52:09
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\hamachi]
"ImagePath"="system32\DRIVERS\hamachi.sys"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\H a r m o n o g r a m a u t o m a t y c z n e j u s Bu g i L i v e U p d a t e ]
"ImagePath"="\"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe\""
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\HDAudBus]
"ImagePath"="system32\DRIVERS\HDAudBus.sys"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\helpsvc]
"ServiceDll"="%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\HidServ]
"ServiceDll"="%SystemRoot%\System32\hidserv.dll"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\HidUsb]
"ImagePath"="system32\DRIVERS\hidusb.sys"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\hpn]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\HTTP]
"ImagePath"="System32\Drivers\HTTP.sys"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\HTTPFilter]
"ServiceDll"="%SystemRoot%\System32\w3ssl.dll"
.
Completion time: 2007-09-23 16:53:28 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-23 16:53
.
--- E O F ---


ComboFix quarantined files:

2007-07-08 21:23	  15399	--a------	C:\Qoobox\Quarantine\C\ComboFix\FProps.vbs.vir
2007-08-13 23:15	  26112	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\winzzd32.dll.vir
2007-09-01 13:25	  221184	--a------	C:\Qoobox\Quarantine\C\WINDOWS\wmphost.dll.vir
2007-09-14 16:02	  4286	--a------	C:\Qoobox\Quarantine\C\Program Files\VideoAccessCodec\install.ico.vir
2007-09-15 08:05	  184320	--a------	C:\Qoobox\Quarantine\C\WINDOWS\msmhost.dll.vir
2007-09-15 08:05	  208896	--a------	C:\Qoobox\Quarantine\C\WINDOWS\nsduo.dll.vir
2007-09-15 08:05	  225280	--a------	C:\Qoobox\Quarantine\C\WINDOWS\msmdev.dll.vir
2007-09-15 08:05	  32256	--a------	C:\Qoobox\Quarantine\C\WINDOWS\main_uninstaller.exe.vir
2007-09-15 23:27	  364544	--a------	C:\Qoobox\Quarantine\C\Program Files\VideoAccessCodec\VideoAccessCodec.ocx.vir
2007-09-15 23:27	  37542	--a------	C:\Qoobox\Quarantine\C\Program Files\VideoAccessCodec\Uninstall.exe.vir
2007-09-17 15:07	  296	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\GMKAMI~1\Pulpit\Error Cleaner.url.vir
2007-09-17 15:07	  296	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\GMKAMI~1\Pulpit\Privacy Protector.url.vir
2007-09-17 15:07	  296	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\GMKAMI~1\Pulpit\Spyware&Malware Protection.url.vir
2007-09-17 15:07	  296	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\GMKAMI~1\Ulubione\Error Cleaner.url.vir
2007-09-17 15:07	  296	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\GMKAMI~1\Ulubione\Privacy Protector.url.vir
2007-09-17 15:07	  296	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\GMKAMI~1\Ulubione\Spyware&Malware Protection.url.vir
2007-09-23 13:12	  18250	--a------	C:\Qoobox\Quarantine\C\WINDOWS\rs.txt.vir
2007-09-23 16:36	  8145	--a------	C:\Qoobox\Quarantine\C\WINDOWS\dat.txt.vir


Zmienna PATH folderu
Numer seryjny woluminu: 5075-FC52
C:\QOOBOX\QUARANTINE
+---C
|   +---ComboFix
|   |	   FProps.vbs.vir
|   |	   
|   +---DOCUME~1
|   |   \---GMKAMI~1
|   |	   +---Pulpit
|   |	   |	   Error Cleaner.url.vir
|   |	   |	   Privacy Protector.url.vir
|   |	   |	   Spyware&Malware Protection.url.vir
|   |	   |	   
|   |	   \---Ulubione
|   |			   Error Cleaner.url.vir
|   |			   Privacy Protector.url.vir
|   |			   Spyware&Malware Protection.url.vir
|   |			   
|   +---Program Files
|   |   \---VideoAccessCodec
|   |		   install.ico.vir
|   |		   Uninstall.exe.vir
|   |		   VideoAccessCodec.ocx.vir
|   |		   
|   \---WINDOWS
|	   |   dat.txt.vir
|	   |   main_uninstaller.exe.vir
|	   |   msmdev.dll.vir
|	   |   msmhost.dll.vir
|	   |   nsduo.dll.vir
|	   |   rs.txt.vir
|	   |   wmphost.dll.vir
|	   |   
|	   \---system32
|			   winzzd32.dll.vir
|			   
\---Registry_backups



report 1:

SmitFraudFix v2.239

Scan done at 20:00:44,03, 2007-10-08
Run from C:\Documents and Settings\GM Kamil\Pulpit\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\JMRaidTool.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
D:\SpySweep\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
D:\SpySweep\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\GM Kamil\Dane aplikacji\Thinstall\MoorHunt\4000004400002i\mdm.exe
D:\SpySweep\Spy Sweeper\SSU.EXE
C:\Program Files\MoorHunt\MoorHunt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\GM Kamil


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\GM Kamil\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\GMKAMI~1\Ulubione


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Moja bieżąca strona główna"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8169/8110 Family Gigabit Ethernet NIC - Sterownik miniport Harmonogramu pakietów
DNS Server Search Order: 217.30.129.149
DNS Server Search Order: 217.30.137.200

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F4FDDB86-3A2E-49F0-9DC3-A9871CFD70C1}: DhcpNameServer=217.30.129.149
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F4FDDB86-3A2E-49F0-9DC3-A9871CFD70C1}: NameServer=217.30.129.149,217.30.137.200
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F4FDDB86-3A2E-49F0-9DC3-A9871CFD70C1}: DhcpNameServer=217.30.129.149
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F4FDDB86-3A2E-49F0-9DC3-A9871CFD70C1}: NameServer=217.30.129.149,217.30.137.200
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F4FDDB86-3A2E-49F0-9DC3-A9871CFD70C1}: DhcpNameServer=217.30.129.149
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F4FDDB86-3A2E-49F0-9DC3-A9871CFD70C1}: NameServer=217.30.129.149,217.30.137.200
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=217.30.129.149
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=217.30.129.149
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=217.30.129.149


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

report 2:

SmitFraudFix v2.239

Scan done at 20:25:19,45, 2007-10-08
Run from D:\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F4FDDB86-3A2E-49F0-9DC3-A9871CFD70C1}: DhcpNameServer=217.30.129.149
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F4FDDB86-3A2E-49F0-9DC3-A9871CFD70C1}: NameServer=217.30.129.149,217.30.137.200
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F4FDDB86-3A2E-49F0-9DC3-A9871CFD70C1}: DhcpNameServer=217.30.129.149
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F4FDDB86-3A2E-49F0-9DC3-A9871CFD70C1}: NameServer=217.30.129.149,217.30.137.200
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F4FDDB86-3A2E-49F0-9DC3-A9871CFD70C1}: DhcpNameServer=217.30.129.149
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F4FDDB86-3A2E-49F0-9DC3-A9871CFD70C1}: NameServer=217.30.129.149,217.30.137.200
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=217.30.129.149
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=217.30.129.149
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=217.30.129.149


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
Inq_PL

#8 Inq_PL

  • Topic Starter

  • Members
  • 50 posts
  • Gender:Male
  • Local time:03:01 PM

Posted 08 October 2007 - 03:19 PM

As of now I am still running the 3rd program. It takes 1:30 h to finish. Maybe then it will remove the annoying site that I can't get rid of. Every time, it goes to that site. I think it is one of the things that came along with the winlogonhook.

and here is the site:
hxxp://ucleaner.com/main.php?wmid=6010&...Q==&lndid=2

Mod Edit: Disabled active link to malware site.

Edited by quietman7, 08 October 2007 - 03:46 PM.

Inq_PL

#9 quietman7


    Bleepin' Janitor


  • Global Moderator
  • 50,603 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:01 PM

Posted 08 October 2007 - 03:47 PM

Please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". You may have performed some of these steps already. If you can't perform a step, then skip and continue with the next. In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install HJT in the proper location.)

If HijackThis will not run, try renaming it. Open the HijackThis Folder, right-click on the HijackThis.exe file and rename it Scanner.exe. Double-click on Scanner.exe (which is still HijackThis) and then run your scan. If needed, change the .exe to something else such as .bat, .com, .pif, or .scr. Example: Scanner.bat or Scanner.com

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators




