
Smitfraud Won't Go! Help!



#1 friskykat1999

Posted 29 October 2007 - 11:10 PM

Pop-ups of anti-virus programs won't stop. Ran Spybot and everything said on the forum several times. Please help. HijackThis log below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22:14 PM, on 10/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\vvgeowbv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\windows\system32\pumd.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\3751218.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\bdir\sdflkj7.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\wuauclt.exe
c:\windows\system\hpsysdrv.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: aivskurq.msdn_hlp - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - C:\WINDOWS\system32\aivskurq.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: Her - {C4DE5B15-4FFE-4c02-8CB3-CAD24A33562B} - C:\WINDOWS\system32\ramtmb.dll
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [pumd] c:\windows\system32\pumd.exe /nocomm
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [trclc] C:\WINDOWS\3751218.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA3123] command /c del "C:\WINDOWS\settn.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC236] cmd /c del "C:\WINDOWS\settn.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8412] command /c del "C:\WINDOWS\system32\wml.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7888] cmd /c del "C:\WINDOWS\system32\wml.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2128] command /c del "C:\WINDOWS\system32\vxddsk.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7064] cmd /c del "C:\WINDOWS\system32\vxddsk.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA103] command /c del "C:\WINDOWS\system32\ace16win.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9780] cmd /c del "C:\WINDOWS\system32\ace16win.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA872] command /c del "C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DFC1DA.tmp_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3086] cmd /c del "C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DFC1DA.tmp_tobedeleted"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [strkjhk] C:\WINDOWS\bdir\sdflkj7.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: RDFLabel - Unknown owner - C:\Program Files\ICRAplus\RDFLabel\RDFLabel.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 11884 bytes
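The log above is the kind of thing a responder reads by eye; the script below is an added example (editor's code, not from the poster, the helper or the HijackThis tool) of the three checks that carry most of the weight in such a triage: the F2 UserInit value, which must contain nothing but userinit.exe because every program listed there is launched at each interactive logon; O2 BHOs and O4 Run entries that load a module from the Windows directory without being on an allow-list; and O2 entries marked "(no file)", which are leftover registrations rather than live code. The sample lines are a handful of entries copied from the log above and rejoined onto single lines; the allow-list is a constructed minimum for illustration, and the "random-looking name" heuristic is a deliberately crude assumption, not a rule from any tool.

```python
import ntpath
import re
from typing import List, Tuple

# A few entries from the HijackThis log above, rejoined onto single lines so
# they parse. Constructed input for the example; not a complete log.
SAMPLE_LOG = "\n".join([
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)",
    r"O2 - BHO: aivskurq.msdn_hlp - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - C:\WINDOWS\system32\aivskurq.dll",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [trclc] C:\WINDOWS\3751218.exe",
    r"O4 - HKCU\..\Run: [strkjhk] C:\WINDOWS\bdir\sdflkj7.exe",
])

# Binaries that legitimately autostart from the Windows directory on XP.
# Hypothetical minimum for this example; a real triage list is far longer.
KNOWN_SYSTEM_AUTOSTARTS = {"ctfmon.exe", "hkcmd.exe", "userinit.exe", "wscntfy.exe"}

WINDOWS_DIR_RE = re.compile(r"^[a-z]:\\windows\\", re.I)
# "O4 - HKLM\..\Run: [name] "quoted path" args"  or  "... [name] bare\path args"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\]\s*"
    r'(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))'
)

Finding = Tuple[str, str, str]  # (severity, entry kind, detail)


def looks_generated(stem: str) -> bool:
    """Crude random-name check (assumption, not a tool rule): all digits,
    or a run of four or more consonants."""
    s = stem.lower()
    return s.isdigit() or re.search(r"[bcdfghjklmnpqrstvwxz]{4,}", s) is not None


def review_path(kind: str, path: str, findings: List[Finding]) -> None:
    """Flag a module loaded from the Windows directory unless it is allow-listed."""
    base = ntpath.basename(path)
    if WINDOWS_DIR_RE.match(path) and base.lower() not in KNOWN_SYSTEM_AUTOSTARTS:
        reasons = ["loads from the Windows directory and is not allow-listed"]
        if looks_generated(ntpath.splitext(base)[0]):
            reasons.append("file name looks machine-generated")
        findings.append(("REVIEW", kind, f"{path}: " + "; ".join(reasons)))


def triage(log_text: str) -> List[Finding]:
    """Walk an HJT log and return findings in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("F2 - REG:system.ini: UserInit="):
            # Every comma-separated entry here runs at interactive logon; only
            # %WINDIR%\system32\userinit.exe belongs in the list.
            value = line.split("UserInit=", 1)[1]
            for entry in (e.strip() for e in value.split(",") if e.strip()):
                if ntpath.basename(entry).lower() != "userinit.exe":
                    findings.append(("HIGH", "F2 UserInit", f"extra logon program: {entry}"))
        elif line.startswith("O2 - BHO:"):
            target = line.rsplit(" - ", 1)[1]
            if target == "(no file)":
                findings.append(("INFO", "O2 BHO", f"orphaned registration: {line}"))
            else:
                review_path("O2 BHO", target, findings)
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            if m:
                kind = f"O4 {m.group('hive')}\\..\\{m.group('key')} [{m.group('name')}]"
                review_path(kind, m.group("quoted") or m.group("bare"), findings)
    return findings


if __name__ == "__main__":
    for severity, kind, detail in triage(SAMPLE_LOG):
        print(f"{severity:6} {kind}: {detail}")
```

Run against the sample it reports the UserInit hijack as HIGH, the orphaned BHO as INFO, and three REVIEW items. Note that the name heuristic fires on 3751218.exe and sdflkj7.exe but misses vvgeowbv.exe and aivskurq.dll, which look pronounceable enough; those are caught only by the location-plus-allow-list rule, which is why triage leans on where a module loads from rather than what it is called. The F2 line remains the highest-value indicator: whatever is deleted from the Run keys, a program listed in UserInit comes back at the next logon.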

#2 RichieUK

    Malware Assassin


  • Malware Response Team

Posted 30 October 2007 - 04:35 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum friskykat1999 :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

The current formatting of your log makes it difficult to read/evaluate.
Open 'Notepad', click on 'Format' at the top, then uncheck 'Word Wrap' if it's checked.

If you have previously downloaded ComboFix, please delete that version now.
Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*NOTE*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.