Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Smitfraud-c. Coreservice And Core.cache.dsk Help


  • This topic is locked This topic is locked
9 replies to this topic

#1 m_shafiq

m_shafiq

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:26 PM

Posted 02 February 2008 - 06:48 PM

Hi there,

Please can someone help me rid me of this problem. I have IE popups appearing sporadically. Spybot finds an infection Smitfraud-c. Coreservice related to the file core.cache.dsk but cannot remove this file. I've tried other solutions to rid me of this file but nothing has worked. Your help is appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:47:31, on 02/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20696)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Programs\Apps\System\Lavasoft\Ad-Aware 2007\aawservice.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Programs\Apps\System\Grisoft\AVG Anti-Spyware 7.5\guard.exe
G:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
G:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
G:\PROGRA~1\Grisoft\AVG7\avgemc.exe
G:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\system32\HPZipm12.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
G:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
G:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
G:\Program Files\Canon\CAL\CALMAIN.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
G:\Program Files\Apps\Microsoft Office\Office12\GrooveMonitor.exe
G:\WINDOWS\system32\RUNDLL32.EXE
G:\WINDOWS\system32\wuauclt.exe
G:\Programs\Apps\System\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
G:\PROGRA~1\Grisoft\AVG7\avgcc.exe
G:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
G:\Programs\Apps\Microsoft ActiveSync\Wcescomm.exe
G:\Programs\Apps\MICROS~1\rapimgr.exe
G:\WINDOWS\system32\wuauclt.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\Downloads\stinger.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe
G:\Program Files\Apps\Microsoft Office\Office12\WINWORD.EXE

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\Programs\Apps\System\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - G:\PROGRA~1\Apps\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - G:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] G:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] G:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Program Files\Apps\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "G:\Program Files\Apps\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "G:\Programs\Apps\System\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "G:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "G:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "G:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "G:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "G:\Programs\Apps\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] G:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\Apps\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - G:\PROGRA~1\Apps\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - G:\PROGRA~1\Apps\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - G:\Programs\Apps\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\Programs\Apps\MICROS~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\Programs\Apps\MICROS~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\Apps\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\Programs\Apps\System\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\Programs\Apps\System\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - G:\PROGRA~1\Apps\MICROS~1\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - G:\Programs\Apps\System\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - G:\Programs\Apps\System\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - G:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: IBM WebSphere Application Server V6.1 - mohammed-ea4b2cNode01 (IBMWAS61Service - mohammed-ea4b2cNode01) - Unknown owner - G:\Programs\Dev\IBM\WebSphere\AppServer\bin\wasservice.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - G:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - G:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - G:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - G:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - G:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 8850 bytes

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:26 AM

Posted 05 February 2008 - 01:22 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum m_shafiq
My name is Richie and i'll be helping you to fix your problems.

You have BitDefender 2008 and AVG7 installed.
Its definitely not a good idea to have more than one antivirus program installed on your computer.
Each program may interpret the actions of the other as viral, therefore giving you false virus warnings about virus-related activities.
It could also lead to system slowdowns and other problems within the operating system,due to the two conflicting with each other.
You should uninstall one of them now,then restart your pc.


Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java,and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 4'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation jre-6u4-windows-i586-p.exe' [15.12 MB] and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.


If you have previously downloaded ComboFix,please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert,NOT for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix by sUBs and save to your desktop.
Alternative Combofix download link HERE.
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.
Posted Image
Posted Image

#3 m_shafiq

m_shafiq
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:26 PM

Posted 12 February 2008 - 05:55 PM

Thank you for your reply. Firstly apologies for the delay in replying. I have been waiting for an email notification from this thread but I never received one. I only returned to see why noone had replied and found that you had. Again apologies.

The popups on my system seem to have disappeared. But spybot still continues to find smitfraud. The only reason I had two anti-virus apps running was because I recently downloaded bitdefender to see if it could fix the problem. I believe it did fix the popup problem and I decided to replace AVG with it. I was just in the tranisiton process. :thumbsup:

I have followed your instructions and have the combofix log and hijackthis log posted below.


ComboFix 08-02-13.2 - Mohammed Shafiq 2008-02-12 22:38:03.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1581 [GMT 0:00]
Running from: G:\Documents and Settings\Mohammed Shafiq\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

G:\WINDOWS\system32\drivers\core.cache.dsk
G:\WINDOWS\system32\drivers\diskdumpp.sys
G:\WINDOWS\system32\drivers\core.cache.dsk
G:\WINDOWS\system32\drivers\diskdumpp.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DISKDUMPP
-------\diskdumpp


((((((((((((((((((((((((( Files Created from 2008-01-13 to 2008-02-13 )))))))))))))))))))))))))))))))
.

2008-02-12 22:31 . 2004-08-03 23:56 388,608 --a------ G:\kmd.exe
2008-02-05 21:05 . 2008-02-05 21:05 <DIR> d--h----- G:\Documents and Settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}
2008-02-03 11:46 . 1996-09-30 19:46 24,576 --------- G:\WINDOWS\UniFISH.exe
2008-02-02 23:42 . 2008-02-02 23:42 <DIR> d-------- G:\Program Files\Trend Micro
2008-02-02 20:30 . 2008-02-02 21:36 <DIR> d-------- G:\SDFix
2008-02-02 17:41 . 2008-02-02 17:41 1,593,209 --a------ G:\ComboFix.exe
2008-02-02 17:13 . 2008-02-02 17:13 <DIR> d-------- G:\WINDOWS\ERUNT
2008-02-02 14:29 . 2008-02-02 14:29 <DIR> d-------- G:\Documents and Settings\Mohammed Shafiq\Application Data\Bitdefender
2008-02-02 14:28 . 2008-02-02 14:28 <DIR> d-------- G:\Program Files\BitDefender
2008-02-02 14:28 . 2008-02-02 14:29 <DIR> d-------- G:\Documents and Settings\All Users\Application Data\BitDefender
2008-02-02 14:13 . 2008-02-02 14:15 <DIR> d-------- G:\Documents and Settings\Mohammed Shafiq\SmitfraudFix
2008-02-02 14:13 . 2007-09-05 23:22 289,144 --a------ G:\WINDOWS\system32\VCCLSID.exe
2008-02-02 14:13 . 2006-04-27 16:49 288,417 --a------ G:\WINDOWS\system32\SrchSTS.exe
2008-02-02 14:13 . 2008-02-02 00:55 83,456 --a------ G:\WINDOWS\system32\VACFix.exe
2008-02-02 14:13 . 2008-01-27 14:37 81,920 --a------ G:\WINDOWS\system32\IEDFix.exe
2008-02-02 14:13 . 2003-06-05 20:13 53,248 --a------ G:\WINDOWS\system32\Process.exe
2008-02-02 14:13 . 2004-07-31 17:50 51,200 --a------ G:\WINDOWS\system32\dumphive.exe
2008-02-02 14:13 . 2007-10-03 23:36 25,600 --a------ G:\WINDOWS\system32\WS2Fix.exe
2008-02-02 14:13 . 2008-02-02 14:22 2,792 --a------ G:\WINDOWS\system32\tmp.reg
2008-01-31 17:06 . 2008-01-31 17:07 <DIR> d-------- G:\temp2
2008-01-31 16:15 . 2008-01-31 16:15 <DIR> d-------- G:\Documents and Settings\Mohammed Shafiq\Application Data\Command & Conquer 3 Tiberium Wars
2008-01-31 16:12 . 2008-01-31 17:06 <DIR> d-------- G:\Documents and Settings\Mohammed Shafiq\Application Data\GetRightToGo
2008-01-31 10:26 . 2008-01-31 10:26 <DIR> d-------- G:\Images
2008-01-22 17:02 . 2008-02-12 22:19 421 --a------ G:\WINDOWS\wininit.ini
2008-01-22 16:48 . 2008-02-13 22:40 121 --a------ G:\WINDOWS\bdagent.INI
2008-01-22 16:44 . 2008-02-02 14:28 <DIR> d-------- G:\Program Files\Common Files\BitDefender
2008-01-22 16:34 . 2008-01-22 17:35 <DIR> d-------- G:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-22 13:29 . 2008-02-05 17:57 <DIR> d-------- G:\Documents and Settings\Mohammed Shafiq\Application Data\AVG7
2008-01-22 13:29 . 2008-01-22 13:29 <DIR> d-------- G:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-22 13:23 . 2008-02-12 22:26 <DIR> d-------- G:\Documents and Settings\All Users\Application Data\Avg7
2008-01-22 09:06 . 2008-01-22 09:06 <DIR> d-------- G:\Documents and Settings\Mohammed Shafiq\Application Data\Grisoft
2008-01-22 09:06 . 2007-05-30 12:10 10,872 --a------ G:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-22 08:56 . 2008-01-22 08:56 <DIR> d-------- G:\VundoFix Backups
2008-01-22 08:26 . 2008-01-22 08:26 <DIR> d-------- G:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-20 16:52 . 2008-01-20 16:52 <DIR> d-------- G:\Documents and Settings\All Users\Application Data\nView_Profiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-12 22:32 --------- d-----w G:\Documents and Settings\Mohammed Shafiq\Application Data\uTorrent
2008-02-12 22:31 --------- d-----w G:\Program Files\Java
2008-02-12 22:25 --------- d-----w G:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-12 21:41 --------- d-----w G:\Program Files\Mozilla Thunderbird
2008-02-07 15:13 --------- d-----w G:\Documents and Settings\Mohammed Shafiq\Application Data\ZoomBrowser EX
2008-02-04 23:05 --------- d-----w G:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-01-22 08:25 --------- d-----w G:\Program Files\Common Files\Wise Installation Wizard
2008-01-11 15:23 --------- d--h--w G:\Program Files\InstallShield Installation Information
2008-01-07 17:41 196,368 ----a-w G:\WINDOWS\system32\drivers\bdfsfltr.sys
2008-01-05 23:02 --------- d-----w G:\Documents and Settings\Mohammed Shafiq\Application Data\Thunderbird
2007-12-26 20:27 --------- d-----w G:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-16 21:27 --------- d-----w G:\Program Files\BitCtrl Systems GmbH
2007-11-14 19:53 160,721 ----a-w G:\WINDOWS\Star Assault Uninstaller.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{381FFDE8-2394-4F90-B10D-FC6124A40F8C}

[HKEY_CLASSES_ROOT\clsid\{381ffde8-2394-4f90-b10d-fc6124a40f8c}]
[HKEY_CLASSES_ROOT\BitDefender Toolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="G:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"NVIDIA nTune"="G:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 11:32 81920]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="G:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-03 14:18 94208]
"H/PC Connection Agent"="G:\Programs\Apps\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="G:\WINDOWS\JM\JMInsIDE.exe" [2006-10-31 04:44 36864]
"36X Raid Configurer"="G:\WINDOWS\system32\JMRaidSetup.exe" [2006-11-17 01:05 1953792]
"Adobe Reader Speed Launcher"="G:\Program Files\Apps\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SunJavaUpdateSched"="G:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"GrooveMonitor"="G:\Program Files\Apps\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47 31016]
"NWEReboot"="" []
"NeroFilterCheck"="G:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"NvCplDaemon"="G:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 17:14 1626112 G:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="G:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 17:14 81920]
"!AVG Anti-Spyware"="G:\Programs\Apps\System\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]
"BitDefender Antiphishing Helper"="G:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 15:46 61440]
"BDAgent"="G:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-02-05 17:58 360448]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="G:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

R1 bdftdif;bdftdif;G:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys [2007-11-12 16:28]
R3 bdfsfltr;bdfsfltr;G:\WINDOWS\system32\drivers\bdfsfltr.sys [2008-01-07 17:41]
R3 BDSelfPr;BDSelfPr;G:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys [2008-02-02 14:29]
R3 scan;BitDefender Threat Scanner;G:\WINDOWS\System32\svchost.exe [2004-08-03 23:56]
S2 IBMWAS61Service - mohammed-ea4b2cNode01;IBM WebSphere Application Server V6.1 - mohammed-ea4b2cNode01;"G:\Programs\Dev\IBM\WebSphere\AppServer\bin\wasservice.exe" "IBMWAS61Service []
S3 TCCrystalCpuInfo;TCCrystalCpuInfo;G:\DOCUME~1\MOHAMM~1\LOCALS~1\Temp\TCCpuInfo.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 22:43:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
G:\Programs\Apps\System\Lavasoft\Ad-Aware 2007\aawservice.exe
G:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\system32\HPZipm12.exe
G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
G:\Program Files\Canon\CAL\CALMAIN.exe
.
**************************************************************************
.
Completion time: 2008-02-13 22:46:41 - machine was rebooted [Mohammed Shafiq]
ComboFix-quarantined-files.txt 2008-02-13 22:46:38
ComboFix2.txt 2008-02-02 18:04:47
ComboFix3.txt 2008-02-02 17:35:29
ComboFix4.txt 2008-02-02 16:51:36
ComboFix5.txt 2008-01-22 08:17:40
.
2008-02-05 17:55:02 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:49:32, on 13/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20696)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Programs\Apps\System\Lavasoft\Ad-Aware 2007\aawservice.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Programs\Apps\System\Grisoft\AVG Anti-Spyware 7.5\guard.exe
G:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\system32\HPZipm12.exe
G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
G:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
G:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
G:\Program Files\Canon\CAL\CALMAIN.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\explorer.exe
G:\WINDOWS\system32\wuauclt.exe
G:\WINDOWS\system32\notepad.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\Programs\Apps\System\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - G:\PROGRA~1\Apps\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - G:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] G:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] G:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Program Files\Apps\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "G:\Program Files\Apps\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "G:\Programs\Apps\System\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "G:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "G:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "G:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "G:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "G:\Programs\Apps\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\Apps\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - G:\PROGRA~1\Apps\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - G:\PROGRA~1\Apps\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - G:\Programs\Apps\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\Programs\Apps\MICROS~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\Programs\Apps\MICROS~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\Apps\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\Programs\Apps\System\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\Programs\Apps\System\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - G:\PROGRA~1\Apps\MICROS~1\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - G:\Programs\Apps\System\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - G:\Programs\Apps\System\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - G:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: IBM WebSphere Application Server V6.1 - mohammed-ea4b2cNode01 (IBMWAS61Service - mohammed-ea4b2cNode01) - Unknown owner - G:\Programs\Dev\IBM\WebSphere\AppServer\bin\wasservice.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - G:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - G:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - G:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - G:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - G:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 7658 bytes

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:26 AM

Posted 21 February 2008 - 07:52 PM

Apologies for the late response,i somehow missed the email notification of your reply.
If you've already recieved help at another forum and your issues have been resolved,or you're presently recieving help elsewhere then please let me know.
If you still require help,please post a new Hijackthis log into this topic in your next reply.
Also post a detailed description of the issues you're experiencing.
Posted Image
Posted Image

#5 m_shafiq

m_shafiq
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:26 PM

Posted 22 February 2008 - 03:27 AM

Hi, thanks for your reply.

I am issuing no problems at them moment and Spybot does not find Smitfraud anymore. Can I assume the problems fixed? Thanks.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:25:59, on 22/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20696)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Programs\Apps\System\Lavasoft\Ad-Aware 2007\aawservice.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Programs\Apps\System\Grisoft\AVG Anti-Spyware 7.5\guard.exe
G:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Fileas\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
G:\Program Files\Canon\CAL\CALMAIN.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
G:\Program Files\Apps\Microsoft Office\Office12\GrooveMonitor.exe
G:\WINDOWS\system32\RUNDLL32.EXE
G:\Programs\Apps\System\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
G:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
G:\Programs\Apps\Microsoft ActiveSync\wcescomm.exe
G:\Programs\Apps\MICROS~1\rapimgr.exe
G:\Documents and Settings\Mohammed Shafiq\Desktop\utorrent.exe
G:\PROGRA~1\MOZILL~1\FIREFOX.EXE
G:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
G:\Program Files\Mozilla Thunderbird\thunderbird.exe
G:\WINDOWS\system32\wuauclt.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\Programs\Apps\System\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - G:\PROGRA~1\Apps\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - G:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] G:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] G:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Program Files\Apps\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "G:\Program Files\Apps\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "G:\Programs\Apps\System\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "G:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "G:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "G:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "G:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "G:\Programs\Apps\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\Apps\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - G:\PROGRA~1\Apps\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - G:\PROGRA~1\Apps\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - G:\Programs\Apps\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\Programs\Apps\MICROS~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\Programs\Apps\MICROS~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\Apps\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\Programs\Apps\System\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\Programs\Apps\System\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - G:\PROGRA~1\Apps\MICROS~1\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - G:\Programs\Apps\System\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - G:\Programs\Apps\System\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - G:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: IBM WebSphere Application Server V6.1 - mohammed-ea4b2cNode01 (IBMWAS61Service - mohammed-ea4b2cNode01) - Unknown owner - G:\Programs\Dev\IBM\WebSphere\AppServer\bin\wasservice.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - G:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - G:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - G:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - G:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - G:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 8152 bytes

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:26 AM

Posted 22 February 2008 - 07:26 AM

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed,exit SuperAntiSpyware.
Do not run it just yet.

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.
If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.
If you use Opera browser,do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log,let me know how your pc is running now.

Edited by RichieUK, 22 February 2008 - 07:28 AM.

Posted Image
Posted Image

#7 m_shafiq

m_shafiq
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:26 PM

Posted 22 February 2008 - 02:59 PM

Please find hijackthis log below. Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:58:24, on 22/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20696)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Programs\Apps\System\Lavasoft\Ad-Aware 2007\aawservice.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Programs\Apps\System\Grisoft\AVG Anti-Spyware 7.5\guard.exe
G:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\system32\HPZipm12.exe
G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
G:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
G:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
G:\Program Files\Canon\CAL\CALMAIN.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Apps\Adobe\Reader 8.0\Reader\Reader_sl.exe
G:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
G:\Program Files\Apps\Microsoft Office\Office12\GrooveMonitor.exe
G:\WINDOWS\system32\RUNDLL32.EXE
G:\Programs\Apps\System\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
G:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
G:\Programs\Apps\Microsoft ActiveSync\wcescomm.exe
G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
G:\Programs\Apps\MICROS~1\rapimgr.exe
G:\WINDOWS\system32\wuauclt.exe
G:\WINDOWS\system32\wuauclt.exe
G:\PROGRA~1\MOZILL~1\FIREFOX.EXE
G:\Documents and Settings\Mohammed Shafiq\Desktop\utorrent.exe
G:\WINDOWS\system32\notepad.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\Programs\Apps\System\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - G:\PROGRA~1\Apps\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - G:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] G:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] G:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Program Files\Apps\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "G:\Program Files\Apps\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "G:\Programs\Apps\System\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "G:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "G:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "G:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "G:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "G:\Programs\Apps\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\Apps\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - G:\PROGRA~1\Apps\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - G:\PROGRA~1\Apps\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - G:\Programs\Apps\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\Programs\Apps\MICROS~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\Programs\Apps\MICROS~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\Apps\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\Programs\Apps\System\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\Programs\Apps\System\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - G:\PROGRA~1\Apps\MICROS~1\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - G:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - G:\Programs\Apps\System\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - G:\Programs\Apps\System\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - G:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: IBM WebSphere Application Server V6.1 - mohammed-ea4b2cNode01 (IBMWAS61Service - mohammed-ea4b2cNode01) - Unknown owner - G:\Programs\Dev\IBM\WebSphere\AppServer\bin\wasservice.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - G:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - G:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - G:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - G:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - G:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 8494 bytes

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:26 AM

Posted 22 February 2008 - 03:32 PM

Your log is clean :thumbsup: ,please do the following:

Click on Start/Run,copy and paste ComboFix /u into the 'Open:' space,then press Ok.
This will uninstall Combofix,delete its related folders and files,reset your clock settings,hide file extensions,hide the system/hidden files and resets System Restore again.

Posted Image

You should take the time to read and follow the information found in the links below,to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm

Hardening Windows Security - Part 1:
http://www.malwarehelp.org/Malware-Prevent...-Security1.html

Hardening Windows Security - Part 2:
http://www.malwarehelp.org/malware-prevent...-security2.html
Posted Image
Posted Image

#9 m_shafiq

m_shafiq
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:26 PM

Posted 23 February 2008 - 02:49 AM

Thank you very much for your help. Much appreciated.

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:26 AM

Posted 23 February 2008 - 04:01 AM

You're welcome :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users