
Being Redirected To Smartfixer.com


This topic is locked
11 replies to this topic

#1 captain vic

Posted 11 November 2007 - 03:59 AM

I believe that I have completed all of the preliminary steps for posting.

Even after performing the cleaning procedures, I am still being redirected to SMARTFIXER.COM.


Thank you very much.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34:21 AM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Free Download Manager\FUM\fumoei.exe
C:\Program Files\Free Download Manager\fum\fum.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Free Uploader Oe Integration] C:\Program Files\Free Download Manager\FUM\fumoei.exe
O4 - HKCU\..\Run: [Free Upload Manager] "C:\Program Files\Free Download Manager\fum\fum.exe" -autorun
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - HKCU\..\Run: [EPSON Stylus Photo R260 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE /FU "C:\WINDOWS\TEMP\E_S85.tmp" /EF "HKCU"
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Program Files\Free Download Manager\FUM\fumiebtn.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 3852 bytes


#2 RichieUK

    Malware Assassin
  • Malware Response Team

Posted 11 November 2007 - 08:18 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum captain vic :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Please disable Spybot S&D's protection, or it will interfere.
You can enable it later once your system is clean.

Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Restart the computer.
If you find you're experiencing problems disabling Spybot's Tea-Timer, follow the info in the link below:
http://www.russelltexas.com/malware/teatimer.htm


If you have previously downloaded ComboFix, please delete that version now.
Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Disconnect from the Internet.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*Note*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Now go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat (which is still Hijackthis.exe), post that log into your next reply please.

#3 captain vic

  • Topic Starter

Posted 11 November 2007 - 07:18 PM

ComboFix 07-11-08.3 - Captain Vic 2007-11-11 14:55:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.613 [GMT -8:00]
Running from: C:\Documents and Settings\Captain Vic\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
.

2007-11-11 14:53 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-11 00:34 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-10 09:10 <DIR> d-------- C:\Program Files\Sygate
2007-11-10 09:10 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-11-10 09:10 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-11-10 09:10 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-11-10 09:10 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-11-10 09:10 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-11-10 09:10 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-11-10 09:10 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-11-10 00:36 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-09 19:35 23,040 --------- C:\WINDOWS\kb913800.exe
2007-11-08 17:11 <DIR> d-------- C:\Program Files\Emsa DLL Register Tool
2007-11-08 13:32 <DIR> d-------- C:\TO KEEP FILES TO DELETE
2007-11-06 20:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-11-06 20:40 <DIR> d-------- C:\Documents and Settings\Captain Vic\Application Data\SUPERAntiSpyware.com
2007-11-06 19:32 <DIR> d-------- C:\Program Files\AutoRuns
2007-11-05 03:07 2,182,144 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2007-11-05 03:07 2,137,600 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2007-11-05 03:07 2,059,392 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2007-11-05 03:07 2,017,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2007-11-04 22:00 453,120 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2007-11-04 22:00 28,672 --------- C:\WINDOWS\system32\verclsid.exe
2007-11-04 21:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-04 21:01 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-04 15:57 163,840 -----c--- C:\WINDOWS\system32\dllcache\jgdw400.dll
2007-11-04 15:57 27,648 -----c--- C:\WINDOWS\system32\dllcache\jgpl400.dll
2007-11-01 18:51 <DIR> d-------- C:\Program Files\Sqirlz Morph
2007-10-31 23:05 <DIR> d-------- C:\Program Files\7-Zip
2007-10-31 23:03 <DIR> d-------- C:\Matrix Games
2007-10-30 21:27 <DIR> d-------- C:\Program Files\HiJack This
2007-10-29 19:21 <DIR> d-------- C:\Program Files\MTR MusicTagReporter
2007-10-29 19:11 <DIR> d-------- C:\Program Files\Yoplo
2007-10-29 19:11 <DIR> d-------- C:\Program Files\Winamp
2007-10-29 03:01 <DIR> d-------- C:\Program Files\Free Audio Tag
2007-10-28 22:04 <DIR> d-------- C:\Documents and Settings\Captain Vic\DoctorWeb
2007-10-27 20:35 <DIR> d-------- C:\Program Files\Framing Station
2007-10-27 01:00 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-10-27 01:00 0 --a------ C:\WINDOWS\system32\SBFC.dat
2007-10-26 13:34 <DIR> d-------- C:\Documents and Settings\Captain Vic\Application Data\Sunbelt Software
2007-10-26 09:54 <DIR> d-------- C:\Documents and Settings\Captain Vic\Application Data\ID3 renamer
2007-10-25 18:50 <DIR> d-------- C:\Documents and Settings\Captain Vic\Shared
2007-10-25 18:50 <DIR> d-------- C:\Documents and Settings\Captain Vic\Incomplete
2007-10-25 18:50 <DIR> d-------- C:\Documents and Settings\Captain Vic\Application Data\MP3Rocket
2007-10-25 18:49 <DIR> d-------- C:\Program Files\MP3 Rocket
2007-10-25 13:42 <DIR> d-------- C:\Program Files\Cartoonist
2007-10-25 13:42 663,040 --a------ C:\WINDOWS\is-DUEST.exe
2007-10-25 08:49 <DIR> d-------- C:\Documents and Settings\Captain Vic\Application Data\vlc
2007-10-24 22:27 <DIR> d-------- C:\Program Files\NCH Software
2007-10-24 22:27 <DIR> d-------- C:\Documents and Settings\Captain Vic\Application Data\Recordpad
2007-10-24 17:25 <DIR> d-------- C:\Documents and Settings\Captain Vic\Application Data\NCH Swift Sound
2007-10-24 13:15 <DIR> d-------- C:\Program Files\HI JACK THIS
2007-10-23 11:49 <DIR> d-------- C:\Program Files\Realsoft
2007-10-22 19:52 <DIR> d-------- C:\Program Files\Anything3D Corp
2007-10-22 14:14 <DIR> d-------- C:\CONNIE
2007-10-22 11:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-21 20:57 <DIR> d-------- C:\Program Files\Reallusion
2007-10-21 20:55 <DIR> d-------- C:\Program Files\Auto3D
2007-10-20 22:35 <DIR> d-------- C:\BUSINESS
2007-10-20 19:13 <DIR> d-------- C:\Program Files\GiPo@Utilities
2007-10-20 19:13 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2007-10-20 17:45 <DIR> d-------- C:\Documents and Settings\Captain Vic\Application Data\SafeIT Security
2007-10-19 20:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GRETECH
2007-10-19 20:27 <DIR> d-------- C:\Documents and Settings\Captain Vic\Application Data\GRETECH
2007-10-19 20:26 <DIR> d-------- C:\Program Files\GRETECH
2007-10-19 19:53 <DIR> d-------- C:\Program Files\River Past
2007-10-19 19:53 161,144 --a------ C:\WINDOWS\DirectShow Detective Uninstaller.exe
2007-10-19 19:48 <DIR> d-------- C:\Program Files\ShiftN
2007-10-18 16:49 <DIR> d-------- C:\Program Files\Beneton Movie GIF
2007-10-18 16:47 <DIR> d-------- C:\Program Files\VGEdit
2007-10-18 16:47 <DIR> d-------- C:\Program Files\Photo Toolkit
2007-10-18 16:46 <DIR> d-------- C:\Program Files\Vector Graphics ActiveX
2007-10-17 21:34 <DIR> d-------- C:\Program Files\PHOTOIMPACT
2007-10-17 21:30 <DIR> d-------- C:\Documents and Settings\Captain Vic\Application Data\Ulead Systems
2007-10-17 19:59 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-10-17 18:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-10-17 16:21 <DIR> d-------- C:\Documents and Settings\Captain Vic\Application Data\STOIK
2007-10-15 22:04 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-10-11 21:20 <DIR> d-------- C:\Program Files\Free Easy Burner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 22:58 --------- d-----w C:\Documents and Settings\Captain Vic\Application Data\Free Download Manager
2007-11-07 04:39 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-04 08:26 --------- d-----w C:\Program Files\Devotski
2007-11-01 11:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-30 07:57 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-30 04:32 --------- d-----w C:\Program Files\CamStudio
2007-10-30 04:18 --------- d-----w C:\Program Files\PeoplePC
2007-10-25 23:59 --------- d-----w C:\Program Files\Web Photo Album
2007-10-25 06:30 --------- d-----w C:\Program Files\NCH Swift Sound
2007-10-25 06:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-10-23 03:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-22 04:55 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-10-22 04:55 286,720 ------w C:\WINDOWS\Setup1.exe
2007-10-20 03:57 --------- d-----w C:\Program Files\SoftDepo.com
2007-10-20 03:53 --------- d-----w C:\Program Files\Common Files\River Past
2007-10-20 03:53 --------- d-----w C:\Documents and Settings\Captain Vic\Application Data\River Past G5
2007-10-20 03:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\River Past G5
2007-10-16 05:20 --------- d-----w C:\Documents and Settings\Captain Vic\Application Data\gtk-2.0
2007-10-11 01:03 --------- d-----w C:\Program Files\Crystalsoftware
2007-10-10 05:54 --------- d-----w C:\Program Files\Konvertor
2007-10-10 01:47 --------- d-----w C:\Documents and Settings\Captain Vic\Application Data\XnView
2007-10-09 18:44 --------- d-----w C:\Program Files\Video Edit Converter Gold
2007-10-09 16:17 --------- d-----w C:\Program Files\MainMedia
2007-10-09 16:14 --------- d-----w C:\Program Files\SoftwareClub.ws
2007-10-08 22:53 --------- d-----w C:\Program Files\Hollix Communications
2007-10-08 06:45 --------- d-----w C:\Program Files\JlgSolera
2007-10-08 05:23 --------- d-----w C:\Program Files\FDRLab
2007-10-08 05:20 --------- d-----w C:\Program Files\Dydelf
2007-10-08 05:13 --------- d-----w C:\Program Files\Rolling Thunder 2
2007-10-07 22:57 --------- d-----w C:\Program Files\DVDAuthorGUI
2007-10-07 22:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\InterVideo
2007-10-07 17:59 --------- d-----w C:\Program Files\InterVideo
2007-10-07 17:59 --------- d-----w C:\Program Files\Common Files\InterVideo
2007-10-07 17:57 --------- d-----w C:\Program Files\Reviewer
2007-10-07 17:27 --------- d-----w C:\Documents and Settings\Captain Vic\Application Data\MPEG Streamclip
2007-10-07 05:11 --------- d-----w C:\Program Files\TubeSucker
2007-10-07 05:10 --------- d-----w C:\Program Files\RSlideShow
2007-10-07 05:09 --------- d-----w C:\Program Files\Mobiz-Lite
2007-10-07 05:09 --------- d-----w C:\Program Files\Kimmie Album
2007-10-07 04:30 --------- d-----w C:\Program Files\YouTube FLV Grabber
2007-10-07 04:04 --------- d-----w C:\Program Files\UltraGet Video Downloader
2007-10-06 03:42 --------- d-----w C:\Program Files\SuperDVD Video Editor
2007-10-05 05:49 --------- d-----w C:\Program Files\QE SuperResolution
2007-10-04 22:44 --------- d-----w C:\Program Files\RGB
2007-10-04 22:44 --------- d-----w C:\Program Files\PeoplePC Accelerated
2007-10-04 22:44 --------- d-----w C:\Program Files\Nice Shot Solitaire
2007-10-04 22:44 --------- d-----w C:\Program Files\Globe7
2007-10-04 22:44 --------- d-----w C:\Program Files\GemMaster
2007-10-04 22:44 --------- d-----w C:\Program Files\Free Download Manager
2007-10-04 22:44 --------- d-----w C:\Program Files\ESPNMotion
2007-10-04 22:44 --------- d-----w C:\Program Files\EnglishOtto
2007-10-04 22:44 --------- d-----w C:\Program Files\Easy DVD Player
2007-10-04 22:44 --------- d-----w C:\Program Files\Dark Ages II
2007-10-04 22:44 --------- d-----w C:\Program Files\Bulent's Screen Recorder 4
2007-10-04 07:45 --------- d-----w C:\Program Files\Mediostream
2007-10-04 07:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2007-10-04 06:00 --------- d-----w C:\Program Files\t@b
2007-10-04 05:10 --------- d-----w C:\Program Files\Common Files\Mediostream
2007-10-04 05:10 --------- d-----w C:\Program Files\Common Files\InstallShield Shared
2007-10-04 05:08 --------- d-----w C:\Program Files\Videoraptor
2007-10-04 05:08 --------- d-----w C:\Program Files\PixiePack Codec Pack
2007-10-04 05:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\RapidSolution
2007-10-03 22:59 --------- d-----w C:\Program Files\MediaJoin
2007-10-03 22:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\{27ED786F-D773-47F8-93EB-8A249414AD30}
2007-10-03 22:58 --------- d-----w C:\Documents and Settings\Captain Vic\Application Data\Seven Zip
2007-10-03 03:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\EasyMadeMemories
2007-10-02 07:25 --------- d-----w C:\Documents and Settings\Captain Vic\Application Data\ESTSoft
2007-10-02 07:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESTsoft
2007-10-02 07:24 --------- d-----w C:\Program Files\ESTsoft
2007-10-02 07:14 --------- d-----w C:\Program Files\Wondershare
2007-10-01 18:11 --------- d-----w C:\Program Files\Mpeg2Decoder
2007-10-01 08:52 --------- d-----w C:\Program Files\DVDStyler
2007-10-01 08:44 --------- d-----w C:\Program Files\fix8
2007-10-01 07:16 --------- d-----w C:\Program Files\McFunSoft Video Solution
2007-10-01 04:39 --------- d-----w C:\Documents and Settings\Captain Vic\Application Data\DVDforger
2007-10-01 02:19 --------- d-----w C:\Program Files\AviSynth 2.5
2007-10-01 02:09 --------- d-----w C:\Program Files\Complex
2007-09-30 12:36 --------- d-----w C:\Program Files\Deskshare
2007-09-30 12:36 --------- d-----w C:\Program Files\Common Files\DeskShare Shared
2007-09-30 11:30 356,352 ----a-w C:\WINDOWS\eSellerateEngine.dll
2007-09-30 04:31 --------- d-----w C:\Documents and Settings\Captain Vic\Application Data\Apple Computer
2007-09-28 19:39 --------- d-----w C:\Documents and Settings\Captain Vic\Application Data\My Pictures 3D
2007-09-28 19:32 --------- d-----w C:\Program Files\My Pictures 3D
2007-09-28 17:39 --------- d-----w C:\Program Files\McFunSoft Video Capture
2007-09-28 16:20 --------- d-----w C:\Program Files\VideoSoft.org
2007-09-28 15:44 --------- d-----w C:\Program Files\WinAVI Video Capture
2007-09-28 06:38 --------- d-----w C:\Program Files\CAPTURE CARD DRIVERS
2007-09-27 16:24 640,957 ----a-w C:\WINDOWS\unins000.exe
2007-09-27 15:58 --------- d-----w C:\Program Files\DCETools
2007-09-27 15:46 --------- d-----w C:\Program Files\DCEnhancer
2007-09-27 15:37 --------- d-----w C:\Program Files\Oriens Solution Inc
2007-09-27 06:43 --------- d-----w C:\Program Files\EggVision
2007-09-26 20:47 --------- d-----w C:\Program Files\Western Digital
2007-09-26 20:26 --------- d-----w C:\Documents and Settings\Captain Vic\Application Data\Audacity
2007-09-26 07:22 --------- d-----w C:\Program Files\Skunk Studios
2007-09-26 01:08 166,536 ----a-w C:\WINDOWS\Dark Ages II - Engel Uninstaller.exe
2007-09-25 22:33 --------- d-----w C:\Program Files\Microsoft.NET
2007-09-25 02:38 --------- d-----w C:\Program Files\Java
2007-09-25 02:38 --------- d-----w C:\Program Files\Common Files\Java
2007-09-25 01:57 --------- d-----w C:\Program Files\Create-Ringtone
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B2432DA-E58D-4C9A-AE60-7C856A4E903F}]
2007-10-29 22:04 598016 --a------ C:\WINDOWS\system32\config\smvcsvs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FB8EB3-183B-4598-924D-86F0E5E37085}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 02:06]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Free Uploader Oe Integration"="C:\Program Files\Free Download Manager\FUM\fumoei.exe" [2007-06-10 18:02]
"Free Upload Manager"="C:\Program Files\Free Download Manager\fum\fum.exe" [2007-07-29 19:13]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [2007-09-13 11:12]
"EPSON Stylus Photo R260 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.exe" [2006-05-19 03:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\smvcsvs]
C:\WINDOWS\system32\config\smvcsvs.dll 2007-10-29 22:04 598016 C:\WINDOWS\system32\config\smvcsvs.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bart Station]
C:\Program Files\PeoplePC\ISP6500\BIN\PPCOLink.exe -STATION

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I&F Viewer toolbar]
"C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector v2]
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

R2 Cap7134;TV Capture Card WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys
R2 MobiCap;fix8 Virtual Webcam, WDM Video Capture;C:\WINDOWS\system32\DRIVERS\MobiCap.sys
R3 PhTVTune;TV Capture Card WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-11-08 02:08:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 14:57:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-11 14:59:12
.
--- E O F ---

I received an error message after ComboFix was done. I attached a picture of the message.

Attached File: SCREENSHOT_AFTER_COMBOFIX_HAD_FINISHED.jpg (77.09KB)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:46:59 PM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Free Download Manager\FUM\fumoei.exe
C:\Program Files\Free Download Manager\fum\fum.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HiJack This\abc.bat

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6B2432DA-E58D-4C9A-AE60-7C856A4E903F} - C:\WINDOWS\system32\config\smvcsvs.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [Free Uploader Oe Integration] C:\Program Files\Free Download Manager\FUM\fumoei.exe
O4 - HKCU\..\Run: [Free Upload Manager] "C:\Program Files\Free Download Manager\fum\fum.exe" -autorun
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - HKCU\..\Run: [EPSON Stylus Photo R260 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE /FU "C:\WINDOWS\TEMP\E_S85.tmp" /EF "HKCU"
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Program Files\Free Download Manager\FUM\fumiebtn.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: smvcsvs - C:\WINDOWS\system32\config\smvcsvs.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 4293 bytes

#4 RichieUK

    Malware Assassin
  • Malware Response Team

Posted 11 November 2007 - 07:51 PM

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\config\smvcsvs.dll

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your pc.

REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6B2432DA-E58D-4C9A-AE60-7C856A4E903F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A8FB8EB3-183B-4598-924D-86F0E5E37085}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\smvcsvs]


Also post a new Hijackthis log please.
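
As an added example for this thread (not a BleepingComputer, HijackThis or ComboFix tool), the Python below applies the cues used here to triage the O2 and O20 lines of a HijackThis log: a BHO with no display name or no file on disk, a DLL sitting under system32\config, and one DLL persisting both as a BHO and as a Winlogon Notify package, as smvcsvs.dll does in the logs above. It then writes a REGEDIT4 removal file in the form of the fix.reg in this post, using the full registry paths of the two locations; the sample log lines are constructed from the entries posted in this thread.

```python
"""Triage the O2 (BHO) and O20 (Winlogon Notify) lines of a HijackThis log.
Added example for this thread, not a BleepingComputer, HijackThis or ComboFix tool."""
import re
from dataclasses import dataclass, field
from typing import List

# Directories in which no legitimate BHO or Winlogon Notify DLL is expected;
# system32\config holds the registry hives, not browser extensions.
# Paths are compared with forward slashes, so no trailing backslash is needed.
UNEXPECTED_DIRS = ("/windows/system32/config/", "/windows/temp/", "/local settings/temp/")

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")

# Full registry locations behind the two HijackThis sections (the ComboFix log
# above abbreviates the first one as HKEY_LOCAL_MACHINE\~\Browser Helper Objects).
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"


@dataclass
class Finding:
    line: str                                   # the HijackThis line flagged
    reg_key: str                                # key whose deletion clears it
    reasons: List[str] = field(default_factory=list)


def in_unexpected_dir(path: str) -> bool:
    p = path.lower().replace("\\", "/")
    return any(d in p for d in UNEXPECTED_DIRS)


def parse_hjt(log_text: str):
    """Split a HijackThis log into its O2 and O20 entries (dicts of regex groups)."""
    bhos, notifies = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append({**m.groupdict(), "line": line})
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append({**m.groupdict(), "line": line})
    return bhos, notifies


def triage_hjt(log_text: str) -> List[Finding]:
    """Flag BHO / Notify entries on the cues a log analyst looks for."""
    bhos, notifies = parse_hjt(log_text)
    notify_dlls = {n["path"].lower() for n in notifies}
    bho_dlls = {b["path"].lower() for b in bhos if b["path"] != "(no file)"}
    findings: List[Finding] = []
    for b in bhos:
        reasons = []
        if b["path"] == "(no file)":
            reasons.append("orphaned BHO: CLSID registered but its DLL is gone")
        else:
            if b["name"] == "(no name)":
                reasons.append("BHO registered without a display name")
            if in_unexpected_dir(b["path"]):
                reasons.append("DLL lives in an unexpected directory")
            if b["path"].lower() in notify_dlls:
                reasons.append("same DLL is also a Winlogon Notify package")
        if reasons:
            findings.append(Finding(b["line"], f"{BHO_KEY}\\{b['clsid']}", reasons))
    for n in notifies:
        reasons = []
        if in_unexpected_dir(n["path"]):
            reasons.append("Notify DLL lives in an unexpected directory")
        if n["path"].lower() in bho_dlls:
            reasons.append("same DLL is also loaded into IE as a BHO")
        if reasons:
            findings.append(Finding(n["line"], f"{NOTIFY_KEY}\\{n['key']}", reasons))
    return findings


def reg_removal_script(findings: List[Finding]) -> str:
    """Emit a REGEDIT4 file like the fix.reg above; a leading '-' deletes the key."""
    return "\n".join(["REGEDIT4", ""] + [f"[-{f.reg_key}]" for f in findings]) + "\n"


# Constructed from the lines captain vic posted; the Adobe and Free Download
# Manager BHOs are the benign controls that must not be flagged.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6B2432DA-E58D-4C9A-AE60-7C856A4E903F} - C:\WINDOWS\system32\config\smvcsvs.dll
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O20 - Winlogon Notify: smvcsvs - C:\WINDOWS\system32\config\smvcsvs.dll
"""

if __name__ == "__main__":
    found = triage_hjt(SAMPLE_HJT_LOG)
    for f in found:
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
    print(reg_removal_script(found))
```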

#5 captain vic

  • Topic Starter

Posted 12 November 2007 - 09:21 PM

C:\WINDOWS\system32\config\smvcsvs.dll unregistered successfully.
File move failed. C:\WINDOWS\system32\config\smvcsvs.dll scheduled to be moved on reboot.

Created on 11/12/2007 17:59:47

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:11:58 PM, on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Free Download Manager\FUM\fumoei.exe
C:\Program Files\Free Download Manager\fum\fum.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HiJack This\abc.bat

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6B2432DA-E58D-4C9A-AE60-7C856A4E903F} - C:\WINDOWS\system32\config\smvcsvs.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [Free Uploader Oe Integration] C:\Program Files\Free Download Manager\FUM\fumoei.exe
O4 - HKCU\..\Run: [Free Upload Manager] "C:\Program Files\Free Download Manager\fum\fum.exe" -autorun
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - HKCU\..\Run: [EPSON Stylus Photo R260 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE /FU "C:\WINDOWS\TEMP\E_S85.tmp" /EF "HKCU"
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Program Files\Free Download Manager\FUM\fumiebtn.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: smvcsvs - C:\WINDOWS\system32\config\smvcsvs.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 4399 bytes
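As an added example (not part of this thread and not code from HijackThis, OTMoveIt or any other tool used here), a small Python triage of the O2 and O20 lines of a HijackThis log. It flags exactly the kinds of entries RichieUK has been removing above: a BHO registered with no name, a BHO whose DLL is gone, and a DLL planted in system32\config that is hooked both as a BHO and as a Winlogon Notify package. The regexes, the list of odd directories and the sample lines are assumptions constructed from the log above.

```python
import re
import ntpath
from collections import defaultdict

# HijackThis line formats, as they appear in the log above:
#   O2 - BHO: <name> - {CLSID} - <dll path | (no file)>
#   O20 - Winlogon Notify: <subkey> - <dll path>
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$")

# Directories where a legitimate BHO or Winlogon Notify DLL does not belong.
# system32\config holds the registry hives; the DLL in this thread was planted there.
ODD_DIRS = (r"\system32\config", r"\temp", r"\documents and settings", r"\recycler")


def _in_odd_dir(path):
    directory = ntpath.dirname(path.lower())
    return any(d in directory for d in ODD_DIRS)


def triage(log_text):
    """Return (findings, dll_hooks): findings is a list of (item, reason) pairs,
    dll_hooks maps each lowercased DLL path to the set of hook types using it."""
    findings = []
    dll_hooks = defaultdict(set)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if path == "(no file)":
                findings.append((line, "orphaned BHO: CLSID registered but DLL missing"))
                continue
            dll_hooks[path.lower()].add("O2")
            if name == "(no name)":
                findings.append((line, "BHO registered without a name"))
            if _in_odd_dir(path):
                findings.append((line, "BHO DLL in an unusual directory"))
            continue
        m = O20_RE.match(line)
        if m:
            path = m.group("path")
            dll_hooks[path.lower()].add("O20")
            # Winlogon Notify DLLs are loaded by winlogon.exe as SYSTEM at every logon,
            # which is why UnDLL had to suspend threads inside winlogon.exe in this thread.
            if _in_odd_dir(path):
                findings.append((line, "Winlogon Notify DLL in an unusual directory"))
    # One DLL hooked both as a BHO and as a Winlogon Notify package is a strong sign
    # of malware keeping more than one foothold (smvcsvs.dll in this thread).
    for dll, hooks in dll_hooks.items():
        if len(hooks) > 1:
            findings.append((dll, "same DLL hooked via " + ", ".join(sorted(hooks))))
    return findings, dict(dll_hooks)


# Constructed sample: four lines shaped like the 11/12 log above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6B2432DA-E58D-4C9A-AE60-7C856A4E903F} - C:\WINDOWS\system32\config\smvcsvs.dll
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O20 - Winlogon Notify: smvcsvs - C:\WINDOWS\system32\config\smvcsvs.dll
"""

if __name__ == "__main__":
    for item, reason in triage(SAMPLE_LOG)[0]:
        print(f"{reason}: {item}")
```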

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:44 PM

Posted 13 November 2007 - 05:40 AM

Enable the viewing of hidden files and folders, reverse the process when you've done below:
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

Download/unzip 'unDLL' by ESET to your desktop:
http://www.nod32.it/tools/undll.zip
Double click on the 'UNDLL' icon on your desktop.
Click on the 'Select infected DLL' button.
In the 'Select infected dynamic library' window, navigate to and double click on:
C:\WINDOWS\system32\config\smvcsvs.dll
Then follow the prompts.
When it's finished click on 'Click here to view log'.
The log in the form of a text file can also be found on your desktop 'undll-........'.
Copy and paste the entire contents of that log into your next reply.

Download RegSearch by Bobbi Flekman.
Right click on your desktop 'New', select 'Folder'.
Right click on that new folder and select 'Rename', rename it to RegSearch.
Unzip/extract the contents of regsearch.zip to the RegSearch folder.
Open the RegSearch folder and double-click the icon RegSearch.exe to launch the program.
Copy and paste the following string to search for in the top space, then click "OK".
{6B2432DA-E58D-4C9A-AE60-7C856A4E903F}
After completion Notepad will be opened with all the found instances of the string.
The resulting file is saved in the same location as RegSearch.exe.
Copy and paste the entire search results into your next reply.

#7 captain vic

captain vic
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:44 AM

Posted 13 November 2007 - 03:39 PM

11/13/2007 12:10:53 [SysLog]: UnDLL engine 1.0.0.2 initialized
11/13/2007 12:10:53 [SysLog]: OS: 5.1 build 2600 (Service Pack 2)
11/13/2007 12:11:48 [Action]: + Searching for infected threads...
11/13/2007 12:11:49 [Action]: Suspending thread [1164] in process [C:\WINDOWS\system32\winlogon.exe] - module [C:\WINDOWS\system32\config\smvcsvs.dll]
11/13/2007 12:11:49 [Action]: Suspending thread [1172] in process [C:\WINDOWS\system32\winlogon.exe] - module [C:\WINDOWS\system32\config\smvcsvs.dll]
11/13/2007 12:11:49 [Action]: Suspending thread [1180] in process [C:\WINDOWS\system32\winlogon.exe] - module [C:\WINDOWS\system32\config\smvcsvs.dll]
11/13/2007 12:11:55 [Action]: Deleting file [C:\WINDOWS\system32\config\smvcsvs.dll] - deferred at next reboot
11/13/2007 12:11:57 [Action]: + Searching in AppInit_DLLs...
11/13/2007 12:11:57 [Action]: Writing AppInit_DLLs in the Registry: [Nothing]
11/13/2007 12:11:57 [Action]: + Searching in Winlogon Notify...
11/13/2007 12:11:57 [Action]: + Searching in Browser Helper Objects...
11/13/2007 12:11:57 [Action]: System Reboot

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 11/13/2007 12:27:28 PM for strings:
; '6b2432da-e58d-4c9a-ae60-7c856a4e903f'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B2432DA-E58D-4C9A-AE60-7C856A4E903F}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6B2432DA-E58D-4C9A-AE60-7C856A4E903F}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6B2432DA-E58D-4C9A-AE60-7C856A4E903F}\iexplore]

; End Of The Log...

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:44 PM

Posted 13 November 2007 - 04:23 PM

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Backup the registry by doing the following.
Click on Start>Run, copy and paste the following bold text into the 'Open:' space, then press Ok.
regedit /e c:\registrybackup.reg
It won't appear to be doing anything, that's normal.
Your mouse pointer may have an hour glass along side it for a minute or so.
Please be patient and continue when the hour glass disappears.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as.. / Save as Type: 'All Files' / File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your pc.

REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B2432DA-E58D-4C9A-AE60-7C856A4E903F}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6B2432DA-E58D-4C9A-AE60-7C856A4E903F}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6B2432DA-E58D-4C9A-AE60-7C856A4E903F}\iexplore]


Post a new Hijackthis log in your next reply please.

#9 captain vic

captain vic
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:44 AM

Posted 13 November 2007 - 05:45 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:40:44 PM, on 11/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Free Download Manager\FUM\fumoei.exe
C:\Program Files\Free Download Manager\fum\fum.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HiJack This\abc.bat

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [Free Uploader Oe Integration] C:\Program Files\Free Download Manager\FUM\fumoei.exe
O4 - HKCU\..\Run: [Free Upload Manager] "C:\Program Files\Free Download Manager\fum\fum.exe" -autorun
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - HKCU\..\Run: [EPSON Stylus Photo R260 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE /FU "C:\WINDOWS\TEMP\E_S85.tmp" /EF "HKCU"
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Program Files\Free Download Manager\FUM\fumiebtn.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 4223 bytes

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:44 PM

Posted 13 November 2007 - 07:23 PM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)

Your log is clean :thumbsup:
If all's ok,please do the following:

Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press Ok.

Please double-click OTMoveIt.exe to run it.
Click on the 'Cleanup' button.
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
Restart your pc when prompted.

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

You should take the time to read and follow the information found in the links below, to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm

#11 captain vic

captain vic
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:44 AM

Posted 15 November 2007 - 02:30 PM

Dear RichieUK,

I am sure you hear this a lot, however I still must tell you how grateful I am for your help.

I noticed a link to Donate. Do I make the donation to you or to the website in general?

If I don't hear from you, I will certainly understand.

Again, thank you so very much.

Mark

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:44 PM

Posted 15 November 2007 - 02:56 PM

You're most welcome Mark :thumbsup:

I noticed a link to Donate. Do I make the donation to you or to the website in general?

The 'Donate' button below is for donating to me personally Mark.

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.