
Smitfraud Malware


  • This topic is locked
2 replies to this topic

#1 Liselaime

Posted 21 April 2008 - 11:49 PM

My task manager is disabled--I've tried deleting the disabled task manager setting via regedit and gpedit.msc, but the malware program creates it again the second that I delete it. I also tried running Spybot and removing Smitfraud, but Spybot froze and the program still shows up. It appears in the taskbar and pops up spyware messages about every minute or so. I'm scared to turn off my computer in case I can't log back in and will thus lose all of my data. I would greatly appreciate any assistance--I am trying to finish my thesis this week and this is the absolute worst time for my computer to be hijacked.

Edited to add that I downloaded and ran Smitfraudfix.exe from this site in safe mode, and it didn't work! The pop up messages are still there and my taskbar is disabled. I ran another scan, with these results. I also am pasting the rapport.txt from the smitfraudfix at the bottom:

Deckard's System Scanner v20071014.68
Run by Laura on 2008-04-22 00:07:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Laura.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:39 AM, on 4/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\winself.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FlashMute\FlashMute.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Laura\My Documents\My Videos\dss.exe
C:\DOCUME~1\Laura\MYDOCU~1\MYVIDE~1\Laura.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://securitysolutions.symantec.com/secu...h8Kj2rvELjb0ea+
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {8ED7559F-1DDB-4E1B-B9A6-C16EAA4B867D} - C:\WINDOWS\system32\ljJBttQJ.dll (file missing)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {A98D0065-7326-41B5-B8D9-C5B692CDB82F} - C:\WINDOWS\system32\mlJAsQij.dll
O2 - BHO: (no name) - {BBA10321-BFD4-44C7-9D4C-41A21304D829} - C:\WINDOWS\system32\geBststR.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FlashMute] C:\Program Files\FlashMute\FlashMute.exe
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192163691625
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - Winlogon Notify: mlJAsQij - C:\WINDOWS\SYSTEM32\mlJAsQij.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 12545 bytes

-- Files created between 2008-03-22 and 2008-04-22 -----------------------------

2008-04-22 00:07:18 345 --ahs---- C:\WINDOWS\system32\RtstsBeg.ini2
2008-04-22 00:07:13 272896 --a------ C:\WINDOWS\system32\geBststR.dll
2008-04-21 23:58:46 4520 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-21 23:58:23 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-21 23:58:23 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-04-21 23:58:23 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-21 23:58:23 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-04-21 23:58:23 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-21 23:58:23 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-21 23:58:23 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-21 23:47:37 24832 --a------ C:\WINDOWS\swin32.dll
2008-04-21 23:47:37 9984 --a------ C:\WINDOWS\stcloader.exe
2008-04-21 23:47:36 15616 --a------ C:\WINDOWS\mspphe.dll
2008-04-21 23:47:36 10240 --a------ C:\WINDOWS\bokja.exe
2008-04-21 23:47:36 32000 --a------ C:\WINDOWS\2020search2.dll
2008-04-21 23:47:36 11776 --a------ C:\WINDOWS\2020search.dll
2008-04-21 22:43:38 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-21 22:38:43 28928 --a------ C:\WINDOWS\voiceip.dll
2008-04-21 22:38:43 31744 --a------ C:\WINDOWS\cdsm32.dll
2008-04-21 22:38:42 16640 --a------ C:\WINDOWS\mssvr.exe
2008-04-21 22:38:41 12032 --a------ C:\WINDOWS\bjam.dll
2008-04-21 22:38:36 21504 --a------ C:\WINDOWS\saiemod.dll
2008-04-21 22:38:35 31488 --a------ C:\WINDOWS\msapasrc.dll
2008-04-21 22:38:34 16384 --a------ C:\WINDOWS\msa64chk.dll
2008-04-21 22:38:33 20992 --a------ C:\WINDOWS\shdocpl.dll
2008-04-21 22:38:33 19456 --a------ C:\WINDOWS\ntnut.exe
2008-04-21 22:38:32 8960 --a------ C:\WINDOWS\winsb.dll
2008-04-21 22:38:32 26880 --a------ C:\WINDOWS\shdocpe.dll
2008-04-21 22:38:32 20736 --a------ C:\WINDOWS\browserad.dll
2008-04-21 22:38:31 27392 --a------ C:\WINDOWS\aviwrap32.dll
2008-04-21 22:38:31 8704 --a------ C:\WINDOWS\avisynthex32.dll
2008-04-21 22:38:31 16128 --a------ C:\WINDOWS\avifile32.dll
2008-04-21 22:38:30 16640 --a------ C:\WINDOWS\autodisc32.dll
2008-04-21 22:38:30 26624 --a------ C:\WINDOWS\audiosrv32.dll
2008-04-21 22:38:30 32768 --a------ C:\WINDOWS\ati2dvag32.dll
2008-04-21 22:38:29 20224 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-04-21 22:38:29 21760 --a------ C:\WINDOWS\athprxy32.dll
2008-04-21 22:38:29 22784 --a------ C:\WINDOWS\asycfilt32.dll
2008-04-21 22:38:28 15872 --a------ C:\WINDOWS\changeurl_30.dll
2008-04-21 22:38:28 20224 --a------ C:\WINDOWS\asferror32.dll
2008-04-21 22:38:28 24064 --a------ C:\WINDOWS\apphelp32.dll
2008-04-21 22:15:13 32867 --ahs---- C:\WINDOWS\system32\JQttBJjl.ini2
2008-04-21 22:11:33 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-04-21 22:11:11 0 d-------- C:\Documents and Settings\LocalService\Application Data\Real
2008-04-21 22:10:59 0 d-------- C:\Program Files\webHancer
2008-04-21 22:10:44 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-21 22:10:38 0 d-------- C:\Program Files\WinAVI MP4 Converter
2008-04-21 22:10:33 89515 --a------ C:\WINDOWS\system32\wmsdkns.exe <Not Verified; Microsoft; XML Media>
2008-04-21 22:10:33 89515 --a------ C:\WINDOWS\lfn.exe <Not Verified; Microsoft; XML Media>
2008-04-21 22:10:22 28672 --a------ C:\WINDOWS\winself.exe
2008-04-21 22:10:07 38912 --a------ C:\WINDOWS\system32\cbXQiHXr.dll
2008-04-21 22:10:05 36864 --a------ C:\WINDOWS\system32\mlJAsQij.dll
2008-04-21 09:24:32 0 d-------- C:\Program Files\Apple Software Update
2008-04-19 17:20:13 0 d-------- C:\Program Files\PC TechZone
2008-04-18 04:29:00 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-17 22:51:13 0 d-------- C:\Program Files\AviSynth 2.5
2008-04-17 22:51:09 0 d-------- C:\Program Files\Red Kawa
2008-04-17 22:42:07 0 d-------- C:\Program Files\Common Files\SWF Studio
2008-04-17 22:41:52 0 d-------- C:\Program Files\Riva
2008-04-17 12:05:22 0 d-------- C:\Documents and Settings\Laura\Application Data\Corel
2008-04-17 12:05:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-04-17 12:00:22 0 d-------- C:\Program Files\Common Files\Corel
2008-04-17 11:53:59 848 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-17 11:50:44 0 d-------- C:\Program Files\Corel
2008-04-17 11:50:22 0 d-------- C:\Documents and Settings\Laura\Application Data\InstallShield
2008-04-16 23:48:40 348160 --a------ C:\WINDOWS\system32\WMAFile.dll <Not Verified; NCT Company Ltd.; NCTWMAFile2 ActiveX DLL>
2008-04-16 23:48:40 479232 --a------ C:\WINDOWS\system32\AudioVisu.dll <Not Verified; NCT Company Ltd.; NCTAudioVisualization2 ActiveX DLL>
2008-04-16 23:48:40 454656 --a------ C:\WINDOWS\system32\AudioRecord.dll <Not Verified; NCT Company Ltd.; NCTAudioRecord2 ActiveX DLL>
2008-04-16 23:48:39 101888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual Basic pour Windows>
2008-04-16 23:48:39 119568 --a------ C:\WINDOWS\system32\VB6FR.DLL <Not Verified; Microsoft Corporation; Environnement Visual Basic>
2008-04-16 23:48:39 21504 --a------ C:\WINDOWS\system32\TABCTFR.DLL <Not Verified; Microsoft Corporation; Bibliothèque d'objets TabCtl32>
2008-04-16 23:48:39 15360 --a------ C:\WINDOWS\system32\inetfr.DLL <Not Verified; Microsoft Corporation; DLL du contrôle Microsoft Internet Transfer>
2008-04-16 23:48:39 458752 --a------ C:\WINDOWS\system32\AudPlayer.dll <Not Verified; NCT Company Ltd.; NCTAudioPlayer2 ActiveX DLL>
2008-04-16 23:48:39 1212416 --a------ C:\WINDOWS\system32\AudioInfos.dll <Not Verified; NCT Company Ltd.; NCTAudioInformation2 ActiveX DLL>
2008-04-16 23:48:39 1986560 --a------ C:\WINDOWS\system32\AudFile.dll <Not Verified; NCT Company Ltd.; NCTAudioFile2 ActiveX DLL>
2008-04-16 23:48:39 417792 --a------ C:\WINDOWS\system32\AudDisplay.dll <Not Verified; NCT Company Ltd.; NCTAudioDisplay2 ActiveX DLL>
2008-04-16 23:48:39 2084864 --a------ C:\WINDOWS\system32\AudDesign.dll <Not Verified; NCT Company Ltd.; NCTAudioDesign2 ActiveX DLL>
2008-04-16 23:48:38 141312 --a------ C:\WINDOWS\system32\MSCMCFR.DLL <Not Verified; Microsoft Corporation; COMCTL>
2008-04-16 23:48:38 59904 --a------ C:\WINDOWS\system32\Mscc2fr.dll <Not Verified; Microsoft Corporation; Bibliothèque d'objets de Microsoft Common Controls 2>
2008-04-16 23:48:38 32768 --a------ C:\WINDOWS\system32\CMDLGFR.DLL <Not Verified; Microsoft Corporation; CMDIALOG>
2008-04-16 23:45:57 0 d-------- C:\Documents and Settings\Laura\Application Data\Apple Computer
2008-04-16 23:45:43 0 d-------- C:\Program Files\iPod
2008-04-16 23:45:36 0 d-------- C:\Program Files\iTunes
2008-04-16 23:45:16 0 d-------- C:\Program Files\Bonjour
2008-04-16 23:44:13 0 d-------- C:\Program Files\QuickTime
2008-04-16 23:44:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-16 23:43:11 0 d-------- C:\Program Files\Common Files\Apple
2008-04-16 23:43:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-16 15:54:52 0 d-------- C:\Program Files\Free iPod Video Converter
2008-03-31 11:27:46 0 d-------- C:\Documents and Settings\Laura\Application Data\CyberLink
2008-03-30 19:57:58 4484 --a------ C:\WINDOWS\system32\drivers\cpuidlep.sys
2008-03-30 19:57:57 0 d-------- C:\Program Files\CpuIdle
2008-03-28 21:02:32 0 d-------- C:\Program Files\SpeedFan
2008-03-27 19:49:18 0 d-------- C:\Documents and Settings\Laura\Application Data\Mozilla
2008-03-27 19:29:46 335 --a------ C:\WINDOWS\mozregistry.dat
2008-03-26 06:28:07 0 d-------- C:\Program Files\Lavasoft
2008-03-26 06:28:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-26 06:27:27 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-26 06:22:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy


-- Find3M Report ---------------------------------------------------------------

2008-04-21 23:38:45 0 d-------- C:\Documents and Settings\Laura\Application Data\uTorrent
2008-04-21 21:05:40 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-04-21 13:47:31 0 d-------- C:\Program Files\Norton 360
2008-04-20 19:51:19 0 d-------- C:\Program Files\Lx_cats
2008-04-18 01:40:14 0 d-------- C:\Documents and Settings\Laura\Application Data\mIRC
2008-04-18 01:00:41 0 d-------- C:\Program Files\mIRC
2008-04-17 22:42:07 0 d-------- C:\Program Files\Common Files
2008-04-16 23:37:09 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-26 16:43:37 0 d-------- C:\Program Files\SPSS
2008-03-26 06:15:27 0 d-------- C:\Documents and Settings\Laura\Application Data\U3
2008-03-25 15:53:33 0 d-------- C:\Program Files\Java
2008-03-22 00:23:37 0 d-------- C:\Documents and Settings\Laura\Application Data\Real


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ED7559F-1DDB-4E1B-B9A6-C16EAA4B867D}]
C:\WINDOWS\system32\ljJBttQJ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A98D0065-7326-41B5-B8D9-C5B692CDB82F}]
04/21/2008 10:10 PM 36864 --a------ C:\WINDOWS\system32\mlJAsQij.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBA10321-BFD4-44C7-9D4C-41A21304D829}]
04/22/2008 12:07 AM 272896 --a------ C:\WINDOWS\system32\geBststR.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [04/18/2006 06:29 AM C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [03/04/2006 12:46 AM]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [02/17/2005 01:11 AM]
"@"="" []
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [08/11/2005 06:30 PM]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [03/23/2006 01:38 PM]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [01/26/2006 06:18 PM]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [10/11/2005 12:23 PM]
"Reminder"="C:\Windows\CREATOR\Remind_XP.exe" [02/09/2006 11:52 AM]
"LXCGCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [07/20/2005 01:48 PM]
"lxcgmon.exe"="C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" [07/21/2005 02:07 AM]
"EzPrint"="C:\Program Files\Lexmark 2300 Series\ezprint.exe" [08/01/2005 08:05 AM]
"Run StartupMonitor"="StartupMonitor.exe" [05/20/2000 05:23 PM C:\WINDOWS\StartupMonitor.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/17/2007 08:54 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [04/21/2006 01:16 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [02/08/2008 11:02 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [08/01/2006 05:35 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 04:00 PM]
"FlashMute"="C:\Program Files\FlashMute\FlashMute.exe" [03/11/2006 02:49 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A98D0065-7326-41B5-B8D9-C5B692CDB82F}"= C:\WINDOWS\system32\mlJAsQij.dll [04/21/2008 10:10 PM 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJAsQij]
mlJAsQij.dll 04/21/2008 10:10 PM 36864 C:\WINDOWS\system32\mlJAsQij.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geBststR

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-04-22 00:08:10 ------------

SmitFraudFix v2.315

Scan done at 23:58:38.87, Mon 04/21/2008
Run from C:\Documents and Settings\Laura\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\default.htm Deleted
C:\WINDOWS\system32\winfrun32.bin Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{12ABFE84-57FB-4B52-9D01-1195CDB504AA}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CCS\Services\Tcpip\..\{C96BFE6D-BE43-4333-97DC-5105FC9967D5}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{12ABFE84-57FB-4B52-9D01-1195CDB504AA}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C96BFE6D-BE43-4333-97DC-5105FC9967D5}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS2\Services\Tcpip\..\{12ABFE84-57FB-4B52-9D01-1195CDB504AA}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS2\Services\Tcpip\..\{C96BFE6D-BE43-4333-97DC-5105FC9967D5}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» Reboot

C:\WINDOWS\default.htm Deleted


»»»»»»»»»»»»»»»»»»»»»»»» End

Edited by Liselaime, 22 April 2008 - 12:08 AM.
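The posted logs contain the persistence points the poster could not clear by hand: the second UserInit entry, unnamed BHOs and a Winlogon Notify DLL in system32, an extra LSA authentication package, the DisableTaskMgr policies, and a service with no vendor running from the Windows directory. As an added example that is not part of this thread, here is a small Python triage script that picks those out of HijackThis / Deckard output; the sample lines are copied from the log above, while the rule names, the drive-letter assumptions and the heuristics are this example's own.

```python
"""Triage HijackThis / Deckard's System Scanner output for the persistence
mechanisms visible in the log above.  Added example: the parser, rule names
and heuristics are this example's own and are not part of either tool."""
import re
from dataclasses import dataclass

# Sample input: lines copied verbatim from the log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {8ED7559F-1DDB-4E1B-B9A6-C16EAA4B867D} - C:\WINDOWS\system32\ljJBttQJ.dll (file missing)
O2 - BHO: (no name) - {A98D0065-7326-41B5-B8D9-C5B692CDB82F} - C:\WINDOWS\system32\mlJAsQij.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O20 - Winlogon Notify: mlJAsQij - C:\WINDOWS\SYSTEM32\mlJAsQij.dll
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"DisableTaskMgr"=1 (0x1)
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geBststR
"""

# Assumption: the system drive is C:, as in the posted log.
WINDOWS_DIR = "c:\\windows\\"


@dataclass(frozen=True)
class Finding:
    rule: str    # which heuristic fired (names are this example's own)
    detail: str  # the value worth reviewing


USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.I)
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
TASKMGR_RE = re.compile(r'^"DisableTaskMgr"=(\d+)')
AUTHPKG_RE = re.compile(r'^"Authentication Packages"=\s*(.*)$')


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious line in HJT / Deckard output."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := USERINIT_RE.match(line):
            # Userinit normally holds exactly one program; anything appended
            # after userinit.exe is started at every interactive logon.
            entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
            extra = [e for e in entries
                     if e.lower().rsplit("\\", 1)[-1] != "userinit.exe"]
            if extra:
                findings.append(Finding("userinit-hijack", ", ".join(extra)))
        elif m := BHO_RE.match(line):
            # Legitimate BHOs register a display name and live under Program
            # Files; an unnamed one loading from the Windows directory
            # (present or "file missing") is worth a look.
            name, path = m.groups()
            if name == "(no name)" and path.lower().startswith(WINDOWS_DIR):
                findings.append(Finding("unnamed-windows-bho", path))
        elif m := NOTIFY_RE.match(line):
            # A Winlogon Notify DLL is loaded into winlogon.exe itself, which
            # is how the DLL above survives a normal-mode cleanup.
            findings.append(Finding("winlogon-notify", m.group(2)))
        elif m := SERVICE_RE.match(line):
            name, company, path = m.groups()
            if (company.lower() == "unknown owner"
                    and path.lower().startswith(WINDOWS_DIR)):
                findings.append(Finding("unsigned-service", f"{name} -> {path}"))
        elif m := TASKMGR_RE.match(line):
            if m.group(1) != "0":
                findings.append(Finding("taskmgr-disabled", line))
        elif m := AUTHPKG_RE.match(line):
            # The LSA loads every listed package at boot; msv1_0 is the only
            # one expected on a default Windows XP install.
            extra = [p for p in m.group(1).split() if p.lower() != "msv1_0"]
            if extra:
                findings.append(Finding("lsa-auth-package", ", ".join(extra)))
    return findings


def main() -> None:
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}")


if __name__ == "__main__":
    main()
```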


#2 Liselaime

Posted 22 April 2008 - 03:54 AM

Hi, I'm not bumping up my topic, but rather letting you know that it is a moot point because I reformatted my hard drive, thus taking care of the problem (and losing all of my data, but hey, I had the important stuff backed up). At any rate, if anyone has time in a few days, after you take care of people who are still having imminent problems, I would like to know the best way to prevent getting the same kind of malware in the future without ceasing all internet activities, downloads, etc. I had/have Norton antispyware/internet security and Norton antivirus, but they didn't detect these problems at all, and I had Spybot and Adaware, which detected the malware after it was already installed and couldn't remove it. Which programs should I be using?

#3 KoanYorel

Posted 22 April 2008 - 07:26 AM

Thanks for informing us. Sorry to hear you had to reformat.

May I suggest you read some of the pinned topics here and thereafter ask all the other questions you might have.

I'm closing this thread to remove it from the HJT Team's queue.