Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan-spy.html.smitfraud.c


  • This topic is locked This topic is locked
10 replies to this topic

#1 fredrik1982

fredrik1982

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:43 PM

Posted 10 October 2007 - 03:01 PM

Trojan-Spy.HTML.Smitfraud.c

Hi.
I would appriciate any help I can get getting rid of this virus. I've done all the steps with adaware, spybot etc..
Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:22:13, on 2007-10-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.17\AsRunHelp.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9389 bytes

BC AdBot (Login to Remove)

 


m

#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,388 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:43 PM

Posted 16 October 2007 - 10:25 AM

Please download SmitfraudFix
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#3 fredrik1982

fredrik1982
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:43 PM

Posted 16 October 2007 - 01:32 PM

Here is the smitfraudfix scan u requested, and thanks for helping me!

SmitFraudFix v2.240

Scan done at 20:29:36,40, 2007-10-16
Run from C:\Documents and Settings\Fredrik\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\WinRAR\WinRAR.exe
D:\Spel\COH\RelicCOH.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe

hosts

hosts file corrupted !

127.0.0.1 legal-at-spybot.info
127.0.0.1 www.legal-at-spybot.info

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\Fredrik


C:\Documents and Settings\Fredrik\Application Data


Start Menu


C:\DOCUME~1\Fredrik\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 81.26.227.3
DNS Server Search Order: 195.54.122.204
DNS Server Search Order: 195.54.122.198
DNS Server Search Order: 195.54.122.200

HKLM\SYSTEM\CCS\Services\Tcpip\..\{22AEB825-A9BC-4D51-BD80-6F462F102D18}: DhcpNameServer=81.26.227.3 195.54.122.204 195.54.122.198 195.54.122.200
HKLM\SYSTEM\CS1\Services\Tcpip\..\{22AEB825-A9BC-4D51-BD80-6F462F102D18}: DhcpNameServer=81.26.227.3 195.54.122.204 195.54.122.198 195.54.122.200
HKLM\SYSTEM\CS2\Services\Tcpip\..\{22AEB825-A9BC-4D51-BD80-6F462F102D18}: DhcpNameServer=81.26.227.3 195.54.122.204 195.54.122.198 195.54.122.200
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=81.26.227.3 195.54.122.204 195.54.122.198 195.54.122.200
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=81.26.227.3 195.54.122.204 195.54.122.198 195.54.122.200
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=81.26.227.3 195.54.122.204 195.54.122.198 195.54.122.200


Scanning for wininet.dll infection


End

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,388 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:43 PM

Posted 17 October 2007 - 10:57 AM

Post a new hjt log.

#5 fredrik1982

fredrik1982
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:43 PM

Posted 17 October 2007 - 11:53 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:52:37, on 2007-10-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20661)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\Spel\COH\RelicCOH.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.17\AsRunHelp.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10111 bytes

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,388 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:43 PM

Posted 17 October 2007 - 04:10 PM

What makes you think you are having a problem? I do not see any signs of the infection.

Let's dig deeper.
  • Download Combofix to your desktop.

  • Doubleclick combofix.exe

  • Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, and after reboot if it asks for one, combofix will open again to gather the necessary information for the log. This may take a while so please be patient. When done, Combofix will close and a log should open called combofix.txt.

Post the contents of this log in your next reply along with a new hijackthislog.

Please do not post the ComboFix-quarantined-files.txt unless I ask you to.

#7 fredrik1982

fredrik1982
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:43 PM

Posted 18 October 2007 - 01:56 AM

Hello Grinler.

I got the infection by clicking on an .exe file. Right away i got a message of norton telling me i just got infected by this smitfraud.c trojan. Whenever i started the computer alot of messages came up telling me i was infected with smitfraud c. When i scan with norton it tells me i have a trojan and that it can't be removed. After reading on diffrent sites I downloaded smitfraudfix and ran the nr 2 option in safe mode as told on all these sites. Now i don't get the warning messages anymore and the computer seem to be working abit better, but whenever i scan with norton it still detects the trojan threat.

I don't know much about trojans, only what i have read since i got it. Might it be possible that the smitfraudfix got most of it but left some of it still there? Harder to detect? What i understand the smitfraudfix replace certain files that is usually infected?

I'm at work right now so i will post the new logs as soon as i get back home.

Thanks again grinler for helping me out.

#8 fredrik1982

fredrik1982
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:43 PM

Posted 18 October 2007 - 09:40 AM

When i did the scan with Combofix it detected a trojan. I did not take remove since I don't know what kind of file it is so I just took ignore. it kept popping up and finally i got the log. Hope this helps you to understand the problem and i really hope we can solve it :thumbsup:

ComboFix 07-10-18.6 - Fredrik 2007-10-18 16:31:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1514 [GMT 2:00]
Running from: C:\Documents and Settings\Fredrik\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-18 to 2007-10-18 )))))))))))))))))))))))))))))))
.

2007-10-18 16:30 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-12 23:09 <DIR> dr-h----- C:\Documents and Settings\Fredrik\Application Data\SecuROM
2007-10-12 23:09 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-10-12 22:40 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-10-11 21:08 <DIR> d-------- C:\WINDOWS\Sun
2007-10-11 21:06 <DIR> d-------- C:\Program Files\Java
2007-10-11 21:05 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-11 16:16 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-11 16:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-10 21:21 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-10 20:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-10 19:56 3,462 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-10 15:32 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-10-10 15:24 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 15:24 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-10-10 15:24 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 15:24 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 15:24 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 15:24 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 15:24 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 15:24 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-09 19:34 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-09 19:09 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-09 19:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-09 19:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-09 18:32 <DIR> d-------- C:\Documents and Settings\Fredrik\Application Data\Grisoft
2007-10-09 18:31 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-09 18:20 <DIR> d-------- C:\WINDOWS\pss
2007-10-08 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-07 23:48 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-10-07 23:48 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-10-07 23:43 <DIR> d-------- C:\Documents and Settings\Fredrik\Application Data\InstallShield
2007-10-07 22:36 <DIR> d-------- C:\Program Files\Avira
2007-10-07 22:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-10-07 21:59 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-10-07 21:59 <DIR> d-------- C:\Documents and Settings\Fredrik\Application Data\PC Tools
2007-10-07 21:59 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-07 21:59 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-07 21:59 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-10-07 21:59 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-10-07 21:59 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-10-07 21:59 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-10-07 20:15 <DIR> d-------- C:\Program Files\directx
2007-10-05 22:08 <DIR> d-------- C:\Documents and Settings\Fredrik\Application Data\vlc
2007-10-05 22:07 <DIR> d-------- C:\Program Files\VideoLAN
2007-10-05 20:28 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-10-05 20:28 <DIR> d-------- C:\Program Files\Google
2007-10-05 20:28 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-10-04 19:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Creative
2007-10-04 09:03 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-03 21:42 <DIR> d-------- C:\Temp\EN Win_XP_Pro_w_SP2
2007-10-03 21:05 <DIR> d-------- C:\Temp
2007-10-03 20:19 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-10-03 20:02 <DIR> d-------- C:\WINDOWS\NV29641324.TMP
2007-10-03 20:00 <DIR> d-------- C:\Program Files\ASUS
2007-10-03 20:00 24,576 -ra------ C:\WINDOWS\system32\AsIO.dll
2007-10-03 20:00 12,664 -ra------ C:\WINDOWS\system32\drivers\AsIO.sys
2007-10-03 20:00 12,096 --a------ C:\WINDOWS\system32\drivers\AsInsHelp64.sys
2007-10-03 20:00 10,304 --a------ C:\WINDOWS\system32\drivers\AsInsHelp32.sys
2007-10-03 18:57 <DIR> d-------- C:\Documents and Settings\Fredrik\Application Data\Creative
2007-10-03 18:57 409,600 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-10-03 18:57 86,016 --a------ C:\WINDOWS\system32\OpenAL32.dll
2007-10-03 18:56 <DIR> d-------- C:\WINDOWS\system32\Data
2007-10-03 18:18 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-03 18:18 <DIR> d-------- C:\Program Files\DIFX
2007-10-03 18:18 36,864 --a------ C:\WINDOWS\system32\drivers\AmdK8.sys
2007-10-03 12:29 <DIR> d-------- C:\Documents and Settings\Fredrik\Application Data\My Games
2007-10-03 10:07 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2007-10-03 10:06 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-10-03 10:06 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2007-10-03 10:05 <DIR> dr------- C:\Program Files
2007-10-03 10:04 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2007-09-18 14:43 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 14:43 278,576 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-18 14:43 43,696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-18 14:30 --------- d-----w C:\Documents and Settings\Fredrik\Application Data\uTorrent
2007-10-18 14:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-17 23:48 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-12 19:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-05 20:08 --------- d-----w C:\Documents and Settings\Fredrik\Application Data\vlc
2007-10-03 18:19 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-03 18:19 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-03 18:19 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-03 18:19 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-03 18:19 --------- d-----w C:\Program Files\Symantec
2007-10-03 18:19 --------- d-----w C:\Program Files\Norton Internet Security
2007-10-03 07:56 --------- d-----w C:\Program Files\Norton AntiVirus
2007-10-03 07:12 --------- d-----w C:\Program Files\MagicISO
2007-10-03 07:10 --------- d-----w C:\Program Files\PowerISO
2007-10-03 07:06 --------- d-----w C:\Program Files\DAEMON Tools
2007-10-03 07:05 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-10-03 06:43 --------- d-----w C:\Program Files\uTorrent
2007-10-03 06:38 --------- d-----w C:\Program Files\Creative
2007-10-03 06:38 --------- d-----w C:\Documents and Settings\Fredrik\Application Data\ATI
2007-10-03 06:35 --------- d-----w C:\Program Files\Creative Installation Information
2007-10-03 06:35 --------- d-----w C:\Program Files\Common Files\Creative
2007-10-03 06:29 --------- d-----w C:\Program Files\ATI Technologies
2007-10-03 06:27 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-03 06:20 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-03 06:17 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-20 04:59 69,632 ----a-w C:\WINDOWS\system32\wshext.dll
2007-09-20 04:59 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2007-09-20 04:59 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2007-09-20 04:59 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
2007-09-20 04:59 36,864 ----a-w C:\WINDOWS\system32\wshcon.dll
2007-09-20 04:59 32,768 ----a-w C:\WINDOWS\system32\dispex.dll
2007-09-20 04:59 24,576 ----a-w C:\WINDOWS\system32\nlsdl.dll
2007-09-20 04:59 23,552 ----a-w C:\WINDOWS\system32\normaliz.dll
2007-09-20 04:59 163,840 ----a-w C:\WINDOWS\system32\scrobj.dll
2007-09-20 04:59 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2007-09-20 04:59 155,648 ----a-w C:\WINDOWS\system32\scrrun.dll
2007-09-20 04:59 135,168 ----a-w C:\WINDOWS\system32\wscript.exe
2007-09-20 04:59 114,688 ----a-w C:\WINDOWS\system32\cscript.exe
2007-09-20 04:58 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2007-09-20 04:58 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
2007-09-20 04:58 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
2007-09-20 04:58 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
2007-09-20 04:58 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
2007-09-20 04:58 26,112 ----a-w C:\WINDOWS\system32\idndl.dll
2007-09-20 04:58 17,408 ----a-w C:\WINDOWS\system32\corpol.dll
2007-09-20 04:55 86,073 ----a-w C:\WINDOWS\system32\usrfaxa.dll
2007-09-20 04:55 80,128 ----a-w C:\WINDOWS\system32\drivers\parport.sys
2007-09-20 04:55 8,192 ----a-w C:\WINDOWS\system32\tsbyuv.dll
2007-09-20 04:55 8,192 ----a-w C:\WINDOWS\system32\streamci.dll
2007-09-20 04:55 77,891 ----a-w C:\WINDOWS\system32\usrmlnka.exe
2007-09-20 04:55 77,890 ----a-w C:\WINDOWS\system32\usrdpa.dll
2007-09-20 04:55 77,883 ----a-w C:\WINDOWS\system32\usrrtosa.dll
2007-09-20 04:55 72,192 ----a-w C:\WINDOWS\system32\sprio800.dll
2007-09-20 04:55 70,656 ----a-w C:\WINDOWS\system32\sprio600.dll
2007-09-20 04:55 69,700 ----a-w C:\WINDOWS\system32\usrshuta.exe
2007-09-20 04:55 69,699 ----a-w C:\WINDOWS\system32\usrcoina.dll
2007-09-20 04:55 69,632 ----a-w C:\WINDOWS\system32\spnike.dll
2007-09-20 04:55 63,744 ----a-w C:\WINDOWS\system32\drivers\mf.sys
2007-09-20 04:55 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2007-09-20 04:55 61,508 ----a-w C:\WINDOWS\system32\usrprbda.exe
2007-09-20 04:55 61,500 ----a-w C:\WINDOWS\system32\usrcntra.dll
2007-09-20 04:55 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2007-09-20 04:55 58,112 ----a-w C:\WINDOWS\system32\drivers\vdmindvd.sys
2007-09-20 04:55 55,296 ----a-w C:\WINDOWS\system32\dvdplay.exe
2007-09-20 04:55 53,305 ----a-w C:\WINDOWS\system32\usrlbva.dll
2007-09-20 04:55 52,736 ----a-w C:\WINDOWS\system32\wzcsapi.dll
2007-09-20 04:55 52,224 ----a-w C:\WINDOWS\system32\dmutil.dll
2007-09-20 04:55 51,712 ----a-w C:\WINDOWS\system32\drivers\tosdvd.sys
2007-09-20 04:55 49,211 ----a-w C:\WINDOWS\system32\usrvpa.dll
2007-09-20 04:55 49,211 ----a-w C:\WINDOWS\system32\usrsdpia.dll
2007-09-20 04:55 49,209 ----a-w C:\WINDOWS\system32\usrv80a.dll
2007-09-20 04:55 476,160 ----a-w C:\WINDOWS\system32\wzcsvc.dll
2007-09-20 04:55 47,616 ----a-w C:\WINDOWS\system32\iyuv_32.dll
2007-09-20 04:55 47,104 ----a-w C:\WINDOWS\system32\cnbjmon.dll
2007-09-20 04:55 45,116 ----a-w C:\WINDOWS\system32\usrvoica.dll
2007-09-20 04:55 42,496 ----a-w C:\WINDOWS\system32\drivers\p3.sys
2007-09-20 04:55 41,019 ----a-w C:\WINDOWS\system32\usrsvpia.dll
2007-09-20 04:55 4,352 ----a-w C:\WINDOWS\system32\drivers\swenum.sys
2007-09-20 04:55 37,376 ----a-w C:\WINDOWS\system32\drivers\amdk7.sys
2007-09-20 04:55 36,992 ----a-w C:\WINDOWS\system32\drivers\amdk6.sys
2007-09-20 04:55 36,480 ----a-w C:\WINDOWS\system32\drivers\crusoe.sys
2007-09-20 04:55 35,456 ----a-w C:\WINDOWS\system32\drivers\processr.sys
2007-09-20 04:55 35,328 ----a-w C:\WINDOWS\system32\pid.dll
2007-09-20 04:55 323,641 ----a-w C:\WINDOWS\system32\usrdtea.dll
2007-09-20 04:55 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2007-09-20 04:55 3,200 ----a-w C:\WINDOWS\system32\wowfax.dll
2007-09-20 04:55 262,528 ----a-w C:\WINDOWS\system32\drivers\cinemst2.sys
2007-09-20 04:55 25,472 ----a-w C:\WINDOWS\system32\drivers\sonydcam.sys
2007-09-20 04:55 23,936 ----a-w C:\WINDOWS\system32\drivers\usbcamd2.sys
2007-09-20 04:55 23,808 ----a-w C:\WINDOWS\system32\drivers\usbcamd.sys
2007-09-20 04:55 23,040 ----a-w C:\WINDOWS\system32\drivers\mouclass.sys
2007-09-20 04:55 21,376 ----a-w C:\WINDOWS\system32\drivers\tsbvcap.sys
2007-09-20 04:55 20,992 ----a-w C:\WINDOWS\system32\hid.dll
2007-09-20 04:55 2,020,864 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2007-09-20 04:55 18,688 ----a-w C:\WINDOWS\system32\drivers\cdaudio.sys
2007-09-20 04:55 17,408 ----a-w C:\WINDOWS\system32\msyuv.dll
2007-09-20 04:55 16,000 ----a-w C:\WINDOWS\system32\drivers\usbintel.sys
2007-09-20 04:55 157,696 ----a-w C:\WINDOWS\system32\paqsp.dll
2007-09-20 04:55 15,488 ----a-w C:\WINDOWS\system32\drivers\mssmbios.sys
2007-09-20 04:55 15,360 ----a-w C:\WINDOWS\system32\pjlmon.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-07 02:05]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 07:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 09:11]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"AsusStartupHelp"="C:\Program Files\ASUS\AASP\1.00.17\AsRunHelp.exe" [2006-11-14 08:25]
"CTHelper"="CTHELPER.EXE" [2006-05-24 06:20 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-05-24 06:20 C:\WINDOWS\system32\CTXFIHLP.EXE]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-10 22:36]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 16:16]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-08 19:09]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-09-20 06:50]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"ShowDeskFix"=regsvr32 /s /n /i:u shell32

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-10-15 18:00:26 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Fredrik.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-18 16:34:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-18 16:34:16
.
--- E O F ---





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:38:50, on 2007-10-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20661)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.17\AsRunHelp.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10138 bytes

#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,388 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:43 PM

Posted 18 October 2007 - 10:03 AM

It is not uncommong for some AV program to detect certain parts of Combofix as malware. These are fale positives and can be ignored.

but whenever i scan with norton it still detects the trojan threat.


I do not see anything that shows this infection is live anymore. Can you tell me where exactly norton is seeing it?

#10 fredrik1982

fredrik1982
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:43 PM

Posted 18 October 2007 - 11:09 AM

You're right grinler. It's all gone now. Looks like the first time i used smitfraudfix it actually took away the infection.. It was only the file that i actually opened and got it from that was the only thing that showed up on the new scan i did now. It's all deleted and gone and the new scan shows nothing at all!!! :thumbsup:

Kinda my misstake for not checkin again where the virus actually were located. But ive seen it so many times during scans i guess i just forgot to check what files that were involved in this after i did the smitfraudfix.

Anyways, a big thanks to you for putting down time and effort tryin to sort this out for me, i appriciate it alot!

Is there in anyway things u need help with, either just here in the forum or whatever, don't hessitate to ask me, i would gladly help out around here if needed.

You have a very nice day and many thanks again!

Edited by fredrik1982, 18 October 2007 - 11:11 AM.


#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,388 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:43 PM

Posted 18 October 2007 - 11:21 AM

Now that your clean:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore

or

Windows XP System Restore Guide

Renable system restore with instructions from tutorial above


Next,

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1:Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users