
Infected With Smitfraud Variant


  • This topic is locked
18 replies to this topic

#1 DeLuk

DeLuk

  • Members
  • 228 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Portugal
  • Local time:10:41 AM

Posted 05 May 2006 - 08:36 AM

Greetings. :thumbsup:

We are more than one person using this computer and not all share the same "healthy surfing habits", and (even though I regularly check the system for viruses and malware) yesterday I was to find the computer infected (again, for the 3rd time since last December) with (this time I believe one of the latest versions of) a Smitfraud variant (not too sure which exact version/variant though?).

Signs of the infection included:

The infamous pop-ups and fake security alerts prompting to get SpyGuard or Pest Trap or Malware Wipe.

Internet Explorer homepage redirecting to [http://www.theguardservices.com/] (even though in the Internet Options the homepage was still set to "about:blank", as it always has been).

Shortcuts on both the Desktop and Start Menu to Online Security Guide (http://realsecurityonline.com/) and Security Troubleshooting (http://youronlinesecurity.com/).

Shortcut on the Favourites to Antivirus Test Online (http://youronlinesecurity.com/).

Presence of Media-Codec 4.0 in Add/Remove Programs (C:\Programas\Media-Codec\uninst.exe).

Presence of the files (which had all been created at about the same time):

C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\regperf.exe



I have therefore, since yesterday, dealt with cleaning the infection, supported by the instructions given in the forum for cleaning similar infections (as for example in http://www.bleepingcomputer.com/forums/t/51187/infected-by-malwaretrojan/ or http://www.bleepingcomputer.com/forums/topic51388.html).

I believe to be clean of the Smitfraud infection now, yet I would still appreciate your help in checking the final HijackThis log file, to be fully sure that no trash remains, whether from Smitfraud or eventually any other trash. I have never used HijackThis for anything other than scanning, and after cleaning the previous Smitfraud infections, SpyAxe and SpyFalcon, I ended up never posting the logs for analysis as apparently all was ok afterwards; yet this time, even though apparently all is ok too, I finally decided I should post the final logs for expert analysis, as I was saying, to be fully sure that no trash remains. I'd thus be most thankful if you might please have a look at it.



Here's the summary of the steps I followed to clean of Smitfraud (following this I will then post each of the logs in separate replies so you can better analyse them):

SmitfraudFix util >>> completed step #1 - Search.

Reboot in Safe Mode.

Deleted the Media-Codec 4.0 from Control Panel > Add/Remove Programs.

SmitfraudFix util >>> completed step #2 - Clean. (At this time there was no prompt for replacing wininet.dll, which I take to mean that this file hadn't been infected? I subsequently scanned it at both http://virusscan.jotti.org/ and Kaspersky's File Scanner http://www.kaspersky.com/virusscanner and all scans came clean.)

Reboot manually in Safe Mode (as it didn't reboot automatically).

Cleaned the Temporary Internet Files.

There was no Security or related entry to be found in Control Panel > Display > Desktop > Customize Desktop > Web.

There was nothing to be found in the Recycle Bin to empty.

Ran an Ewido full system scan. (Additionally also scanned with both Ad-Aware and SpyBot. Both scans came clean and no threats were found. If the respective log files are necessary as well, please say and I shall post them.)

Reboot in Normal Mode.

SmitfraudFix util >>> completed step #3 - Delete Trusted Zone.

Reboot in Normal Mode. (Coincidentally the Avast Antivirus program auto-updated after this reboot. Autorebooted after update.)

Ran a scan with Panda ActiveScan.

Manually deleted the Smitfraud-related shortcuts from both the Desktop and Start Menu as referred to above. (Since these hadn't yet been removed either by the SmitfraudFix util or by any of the anti-malware programs which I had run, I kept them until after the Panda ActiveScan to see if they were identified by it. Curiously, apparently only one of them was though.)

Next, I'll post each of the log files for your analysis. And again, thank you so much for any further advice/assistance.


#2 DeLuk

DeLuk
  • Topic Starter

  • Members
  • 228 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Portugal
  • Local time:10:41 AM

Posted 05 May 2006 - 08:38 AM

HijackThis log file - scan prior to fixing the Smitfraud infection (for your reference)
-------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 21:37:06, on 04-05-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programas\ewido anti-malware\ewidoctrl.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\Programas\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programas\Messenger\msmsgs.exe
C:\Programas\HDD Thermometer\HDD Thermometer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Programas\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iol.pt/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.games-fusion.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IOL
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - Default URLSearchHook is missing
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpED4B.tmp
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programas\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Programas\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [websx] C:\Programas\websx\int310785.exe -auto
O4 - HKLM\..\Run: [User Management Configuration] msumc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Programas\HDD Thermometer\HDD Thermometer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Programas\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Programas\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Programas\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.iol.pt/
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {134F7664-943D-3BB9-65F5-70B91DF46C86} - http://www.v-codec.com/getcodec/SVideoCodec4_01a.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {70E6E083-6690-4129-A34D-F90094EEB4ED} (AWCVoiceClient Control) - http://www.popular.com.br/awc/html/voice/voice.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programas\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programas\Sygate\SPF\smc.exe

#3 DeLuk

DeLuk
  • Topic Starter

  • Members
  • 228 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Portugal
  • Local time:10:41 AM

Posted 05 May 2006 - 08:40 AM

SmitfraudFix report log - after completing step #1 - Search
---------------------------------------------------------------------------
---------------------------------------------------------------------------

SmitFraudFix v2.39

Scan done at 21:40:12.24, 04-05-2006
Run from C:\Documents and Settings\q\Ambiente de trabalho\SmitfraudFix
OS: Microsoft Windows XP [Versão 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\q\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\q\FAVORI~1

C:\DOCUME~1\q\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Programas


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="A minha home page actual"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#4 DeLuk

DeLuk
  • Topic Starter

  • Members
  • 228 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Portugal
  • Local time:10:41 AM

Posted 05 May 2006 - 08:41 AM

SmitfraudFix report log - after completing step #2 - Clean
--------------------------------------------------------------------------
--------------------------------------------------------------------------

SmitFraudFix v2.39

Scan done at 21:46:54.98, 04-05-2006
Run from C:\Documents and Settings\q\Ambiente de trabalho\SmitfraudFix
OS: Microsoft Windows XP [Versão 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\atmclk.exe Deleted
C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\hp????.tmp Deleted
C:\WINDOWS\system32\ld????.tmp Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\DOCUME~1\q\FAVORI~1\Antivirus Test Online.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End

#5 DeLuk

DeLuk
  • Topic Starter

  • Members
  • 228 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Portugal
  • Local time:10:41 AM

Posted 05 May 2006 - 08:42 AM

EWIDO report log
------------------------
------------------------

---------------------------------------------------------
ewido anti-malware - Relatório de verificação
---------------------------------------------------------

+ Criado em: 0:32:04, 05-05-2006
+ Relatório-Checksum: 9183A2D1

+ Resultado da verificação:

Não foram encontrados ficheiros infectados! (Translation: "No infected files were found!")


::Fim do Relatório

-----------------------------------

#6 DeLuk

DeLuk
  • Topic Starter

  • Members
  • 228 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Portugal
  • Local time:10:41 AM

Posted 05 May 2006 - 08:44 AM

HijackThis log file - scan after completing all of the 3 steps with the SmitfraudFix util
-----------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:18:36, on 05-05-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programas\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programas\Messenger\msmsgs.exe
C:\Programas\HDD Thermometer\HDD Thermometer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programas\ewido anti-malware\ewidoctrl.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iol.pt/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IOL
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - Default URLSearchHook is missing
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programas\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Programas\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [websx] C:\Programas\websx\int310785.exe -auto
O4 - HKLM\..\Run: [User Management Configuration] msumc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Programas\HDD Thermometer\HDD Thermometer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Programas\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Programas\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Programas\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.iol.pt/
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {134F7664-943D-3BB9-65F5-70B91DF46C86} - http://www.v-codec.com/getcodec/SVideoCodec4_01a.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {70E6E083-6690-4129-A34D-F90094EEB4ED} (AWCVoiceClient Control) - http://www.popular.com.br/awc/html/voice/voice.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programas\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programas\Sygate\SPF\smc.exe

#7 DeLuk

DeLuk
  • Topic Starter

  • Members
  • 228 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Portugal
  • Local time:10:41 AM

Posted 05 May 2006 - 08:46 AM

Panda ActiveScan report log
----------------------------------------
----------------------------------------

Incident Status Location

Adware:adware/emediacodec Not disinfected c:\documents and settings\all users\ambiente de trabalho\Online Security Guide.url
Adware:adware/clickalchemy Not disinfected c:\windows\inf\alchem.inf
Adware:adware/twain-tech Not disinfected c:\windows\inf\twaintec.inf
Spyware:application/bestoffer Not disinfected c:\windows\smdat32m.sys
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Adware:adware/blazefind Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\q\Ambiente de trabalho\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\q\Ambiente de trabalho\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Spyware:Cookie/OfferOptimizer Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\q@offeroptimizer[2].txt
Potentially unwanted tool:Application/Processor Not disinfected F:\S M\Progs\SmitfraudFix 2.37\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected F:\S M\Progs\smitrem\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected F:\S M\Progs\smitrem 2.8\smitRem.exe[smitRem/Process.exe]

#8 DeLuk

DeLuk
  • Topic Starter

  • Members
  • 228 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Portugal
  • Local time:10:41 AM

Posted 05 May 2006 - 08:48 AM

HijackThis log file - final (after Panda ActiveScan)
----------------------------------------------------------------
----------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:33:17, on 05-05-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programas\ewido anti-malware\ewidoctrl.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\Programas\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programas\Messenger\msmsgs.exe
C:\Programas\HDD Thermometer\HDD Thermometer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iol.pt/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IOL
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - Default URLSearchHook is missing
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programas\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Programas\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [websx] C:\Programas\websx\int310785.exe -auto
O4 - HKLM\..\Run: [User Management Configuration] msumc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Programas\HDD Thermometer\HDD Thermometer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Programas\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Programas\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Programas\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.iol.pt/
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {134F7664-943D-3BB9-65F5-70B91DF46C86} - http://www.v-codec.com/getcodec/SVideoCodec4_01a.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {70E6E083-6690-4129-A34D-F90094EEB4ED} (AWCVoiceClient Control) - http://www.popular.com.br/awc/html/voice/voice.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programas\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programas\Sygate\SPF\smc.exe

Edited by DeLuk, 05 May 2006 - 08:51 AM.


#9 DeLuk

DeLuk
  • Topic Starter

  • Members
  • 228 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Portugal
  • Local time:10:41 AM

Posted 05 May 2006 - 08:51 AM

Regarding the Panda ActiveScan, please note that all those "alchemy", "twaintech", "bestoffer" and "blazefind" infections/infection remainders have always been detected, now and in every previous scan, for which I'd as well appreciate your help as to how to safely clean those, if possible?...

Also, I'd take the opportunity to ask your advice about what program(s) would be recommended to prevent getting infected by such malware (Smitfraud and the like, etc.) in the first place (i.e. to avoid such pests from being installed/to be protected beforehand)?...

One more time, thank you greatly, for any further help and support. :thumbsup:

#10 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:05:41 AM

Posted 10 May 2006 - 03:59 PM

Hello DeLuk and welcome to the BC HijackThis forum. I'm kind of curious about one of the files showing in the log. Let's have it checked out at Jotti's.

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Now perform a search for this file and note the location. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

msumc.exe

Go to the Jotti's malware scan page and use the buttons at the top of the page to browse to this file(s) on your hard drive to submit for a scan:

msumc.exe
Several scanning engines will be used to check the file for any threats. Please post the results of the scans back here.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#11 DeLuk

DeLuk
  • Topic Starter

  • Members
  • 228 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Portugal
  • Local time:10:41 AM

Posted 11 May 2006 - 06:04 AM

Hi OldTimer and thank you so much for your assistance. :thumbsup:

I have done as you instructed, and looked for that file which you are curious about, msumc.exe, oddly though I can't seem to be able to find it anywhere in the computer... (Though it does keep showing in any new HJT scan I've done already. Might I ask by now what are you curious about this file?... Is it a suspicious entry in the HJT log and why?... I have since done some googling on this file but couldn't find much about it, thus would appreciate any further enlightenment...)

Yes, I have strictly followed all of your instructions to perform the search, I have even done several tries already. (I have searched for msumc.exe, and nothing was found; for msumc, and also nothing was found; even for all files with only ms in their name, yet none of the files found then was msumc.exe. Also I have searched in My Computer, in All Hard Drives at once, in each of the hard drives separately, then in My Computer all over again, and never msumc.exe was to be found.)

I would thus appreciate your further guidance, please, as to what to do next in regards to this issue?...



Then again, and back about the cleaning done to the Smitfraud infection, I would still wish to ask whether I may by now safely delete the SmitfraudFix folder which has been created in the desktop for the cleaning?... (I'm asking since I noticed that there have been stored some registry entries backups, so I'd wish to be sure whether I can now safely delete the SmitfraudFix folder and all of its contents before I do it.)

Also, speaking of deleting and cleaning things safely, I would also, if I may, like to take the opportunity to clear it with you if I can safely regularly manually empty both C:\Temp and C:\Windows\Temp folders?... (I regularly empty C:\Documents and Settings\user\Local Definitions\Temp already, yet would like to know and be sure if both those other folders can and should also be emptied regularly to avoid from accumulating too much temp stuff?...) Same thing I'd ask regarding the C:\Windows\Prefetch folder, can and should this be manually emptied regularly as well?... (Or is there perhaps some util/tool to do this, to automatically/on-demand empty all temporary folders from the computer?...)

Ultimately if there's any guidance pages/sites dealing with these doubts of mine which you might please direct me to, I would be most appreciative.



Once more thank you greatly already for any further help with my queries! :flowers:

#12 OldTimer

    Malware Expert

Posted 11 May 2006 - 03:32 PM

Hi DeLuk. I was curious about that file because I also could not find any information about it. That usually means that it is either something fairly new that no one has investigated yet (and the Jotti scan would tell us whether it was bad or not) or it is an infected file with a random name. Since you could not find the file let's remove that entry from the startup programs along with another file that is showing there that has been reported as bad and then do some additional scans and some cleanup.

Please print these directions and then proceed with the following steps in order.

Step #1

Download CCleaner and install it but do not run it yet.

Step #2

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [websx] C:\Programas\websx\int310785.exe -auto
O4 - HKLM\..\Run: [User Management Configuration] msumc.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #3

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):

C:\Programas\websx\ <--folder
c:\documents and settings\all users\ambiente de trabalho\Online Security Guide.url
c:\windows\inf\alchem.inf
c:\windows\inf\twaintec.inf
c:\windows\smdat32m.sys

Note: If you receive any error messages while trying to delete any of the above files/folders then reboot into Safe Mode and try to delete them again. See the instructions below on how to boot into Safe Mode.
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
If you rebooted into Safe Mode just stay in Safe Mode until I tell you to reboot normally.

Step #4

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #5

Reboot normally and run at least 2 of the following on-line virus scans:

Bitdefender <<<Add a check by 'Autoclean'.
eTrust <<<'Cure' whatever is found, then delete if unsuccessful
Housecall <<<Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan <<<Accept default settings
If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #6

If you do not already have Ad-Aware SE 1.06 then follow these download and setup instructions: Ad-Aware SE Setup. Otherwise, just check for updates.

Start Ad-aware SE, click the Start button and choose Perform Full System Scan. Click the Next button and wait for the scan to complete. If anything was found, right-click on the list and choose Select All and remove all it finds.

Step #7

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

Note: The CCleaner program will clean out the temp folders, the Temporary Internet files and cookies and the System Prefetch. You can use it whenever you like to perform a cleanup (I use it once a week as part of my regular maintenance).

OT
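The reasoning in the post above (an O4 Run entry that names a file with no path, which then cannot be found on disk, and an O16 ActiveX download that fetches a "codec" from an unknown site) can be turned into a small triage script. The following is an added example written for this thread; it is not part of HijackThis and not code from the forum. The sample log lines are constructed in the shape of the log posted later in the thread, the "search result" set stands in for the Windows XP Search step, and the allow-list of download hosts and the three O16 heuristics are assumptions chosen for illustration.

```python
"""Triage of HijackThis O4 (Run keys) and O16 (ActiveX download) entries.

Added example for this thread; it is not part of HijackThis or of the
BleepingComputer posts. Both heuristics are assumptions for illustration:
  * an O4 value that is a bare file name (no directory) says nothing about
    where the file lives, so it must be located on disk before it can be
    judged, which is the situation with msumc.exe in the thread;
  * an O16 entry is worth a look when its host is not on a small allow-list,
    when it fetches a raw .exe instead of a .cab, or when it carries no
    control description, as the v-codec entry in the posted log does.
"""
import re
from urllib.parse import urlparse

# Constructed sample: a few lines in the shape of the log posted in the thread.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [websx] C:\Programas\websx\int310785.exe -auto
O4 - HKLM\..\Run: [User Management Configuration] msumc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O16 - DPF: {134F7664-943D-3BB9-65F5-70B91DF46C86} - http://www.v-codec.com/getcodec/SVideoCodec4_01a.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
"""

# Constructed result of a whole-disk file search (stands in for the Windows XP
# Search step in the thread): nwiz.exe was found, msumc.exe was not.
FILES_FOUND_BY_SEARCH = {"nwiz.exe"}

# Assumed allow-list of hosts the online scanners in the thread download from.
KNOWN_DPF_HOSTS = {
    "download.bitdefender.com",
    "housecall65.trendmicro.com",
    "acs.pandasoftware.com",
    "www3.ca.com",
    "creative.com",
}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}"
    r"(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$"
)


def executable_of(cmd):
    """Return the program part of a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def is_bare_name(exe):
    """True when the value names a file without any directory component."""
    return "\\" not in exe and "/" not in exe


def triage_o4(log_text, files_on_disk):
    """Map each bare-name O4 entry to (file name, whether the search found it)."""
    found = {f.lower() for f in files_on_disk}
    result = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        exe = executable_of(m["cmd"])
        if is_bare_name(exe):
            result[m["name"]] = (exe, exe.lower() in found)
    return result


def triage_o16(log_text, known_hosts=KNOWN_DPF_HOSTS):
    """Return (clsid, host, reasons) for each O16 entry that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = O16_RE.match(line)
        if not m:
            continue
        url = urlparse(m["url"])
        reasons = []
        if url.hostname not in known_hosts:
            reasons.append("host not on the allow-list")
        if url.path.lower().endswith(".exe"):
            reasons.append("fetches a raw .exe rather than a .cab package")
        if not m["desc"]:
            reasons.append("no control description recorded")
        if reasons:
            findings.append((m["clsid"], url.hostname, reasons))
    return findings


if __name__ == "__main__":
    for name, (exe, located) in triage_o4(SAMPLE_LOG, FILES_FOUND_BY_SEARCH).items():
        state = "found on disk" if located else "NOT found on disk"
        print(f"O4 [{name}] -> {exe}: {state}")
    for clsid, host, reasons in triage_o16(SAMPLE_LOG):
        print(f"O16 {{{clsid}}} from {host}: {'; '.join(reasons)}")
```

A bare-name hit is only a prompt to go and locate the file, exactly the step OldTimer asked for: legitimate vendors also register bare names (nwiz.exe in the sample, CTHELPER.EXE and RUNDLL32.EXE in the real log), so the script reports whether the search found the file rather than passing a verdict. The O16 heuristics are likewise a second-look filter, not a detection signature.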

#13 DeLuk
  • Topic Starter

Posted 17 May 2006 - 04:41 PM

Hi again OldTimer. And also again, thank you greatly for your assistance and further help and info. :thumbsup: Sorry for not having posted back sooner, but I've been away for the past days.

I have now completed the additional clean up you instructed me to do, and will followingly post the final HJT log for you to please review.

---------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 0:19:35, on 17-05-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programas\ewido anti-malware\ewidoctrl.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programas\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
C:\Programas\Messenger\msmsgs.exe
C:\Programas\HDD Thermometer\HDD Thermometer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iol.pt/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IOL
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programas\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Programas\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Programas\HDD Thermometer\HDD Thermometer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Programas\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Programas\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Programas\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.iol.pt/
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {134F7664-943D-3BB9-65F5-70B91DF46C86} - http://www.v-codec.com/getcodec/SVideoCodec4_01a.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {70E6E083-6690-4129-A34D-F90094EEB4ED} (AWCVoiceClient Control) - http://www.popular.com.br/awc/html/voice/voice.ocx
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programas\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programas\Sygate\SPF\smc.exe

---------------------------------------------------------------------------------------------------


Some additional info, on how the clean up process went:

Since you had advised that, should I get any error message as trying to delete those files/folders you referred, I should next try deleting them again in Safe Mode, and in this case perform the CCleaner clean up also still in Safe Mode, so I chose to delete the referred files/folders in Safe Mode from the start, and followingly ran CCleaner in Safe Mode too accordingly to your instructions.


Regarding the deletion of the referred files/folders:

C:\Programas\websx\ did not exist any longer (I think I remember deleting this folder manually some long time ago as I found it "strange")

C:\Documents and Settings\All Users\Ambiente de Trabalho\Online Security Guide.url did not exist either (I had also manually deleted it, following to the previous Panda ActiveScan, as I mentioned at some point above)

The other 3 files (c:\windows\inf\alchem.inf ; c:\windows\inf\twaintec.inf ; c:\windows\smdat32m.sys), all 3 existed, and all 3 were successfully deleted.

Something I noticed, as deleting these files though (don't know whether this may be of importance?); each of both files c:\windows\inf\alchem.inf and c:\windows\inf\twaintec.inf had a "pair" .PNF file located in the same directory; c:\windows\inf\alchem.PNF and c:\windows\inf\twaintec.PNF; should these be due to take some action as well?... (I don't know if these .PNF files are in any way related/have anything to do with the .inf ones or actually not at all?...) Also there remains another alchem-related file, c:\windows\alchem.ini, which has posteriorly also been reported in the new Panda ActiveScan, should this one also require some action?... (I know you had said, regarding the results of the online virus scans: "If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.", still I would like to be fully sure, thus why I ask to confirm...)


Regarding the online virus scans:

I ran all the 4 online virus scans which you referred, by this order: Panda ActiveScan, TrendMicro Housecall, BitDefender and eTrust. Below is all relevant reports info.

---------------------------------------------------------------------------------------------------

Panda ActiveScan report was as follows (I have removed the references to the SmitfraudFix tool to cut the log shorter and since that is obviously no actual threat):


Incident Status Location
Adware:adware/clickalchemy Not disinfected c:\windows\alchem.ini
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Adware:adware/blazefind Not disinfected Windows Registry
Adware:adware/emediacodec Not disinfected Windows Registry
Spyware:Cookie/OfferOptimizer Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\q@offeroptimizer[2].txt
Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\regperf.exe
---------------------------------------------------------------------------------------------------

TrendMicro's Housecall did not report any threat (no other than some vulnerability related with Windows Media Player which I shall check afterwards).

---------------------------------------------------------------------------------------------------

BitDefender reported the following 3 infections (which it first attempted to disinfect, and followingly I chose it to delete, as disinfections failed):

C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP38\A0012656.exe is infected with Trojan.Downloader.Zlob.BP

C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP44\A0013696.dll is infected with Trojan.Flood.I

C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP84\A0027590.dll is infected with Trojan.Flood.I

---------------------------------------------------------------------------------------------------

eTrust reported the following infection (which again I first chose to disinfect, and followingly to delete, as disinfection failed as well):

File Infection Status Path
regperf.exe Win32.Beovens.FN infected C:\WINDOWS\system32\

---------------------------------------------------------------------------------------------------


Lastly I ran Ad-Aware, as you instructed, and the report came clean, it found no threats.



So, after completing all the 4 online virus scans, I believe that regperf.exe (which I had already mentioned about in my very first post, and which I believe it is also somehow connected with Smitfraud-related infections, if I understand it right?) is finally and safely removed now, correct?

I'm left with a question, however, I was to ask it already before but then didn't, but now after BitDefender's report (I believe that that Zlob trojan is also related with Smitfraud, from what I can read around?) I see the question demands: may I by now already "reset" the System Restore (i.e. turn off and then on again to ensure that any remainder of previous infection(s) that may be left there is permanently removed)? (For my own info, and for future reference, how long after such a clean up of such infections is it advisable to "reset" the System Restore? I understand and am aware that it must not be immediately after completing such cleaning processes, for preventing from having no return point if something turns out to result wrong from the clean up, thus, how long after then, average, how many days?)


Also, still in regards to the online virus scans results, I would ask what to do, if something, regarding this entry in Panda ActiveScan report:

Spyware:Cookie/OfferOptimizer Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\q@offeroptimizer[2].txt

Should and can I safely just manually delete this cookie file? Also I see there is, besides the index.dat file, one other further cookie file (q@element5[2].txt) in this directory, should and can it also be deleted, or?


Finally, regarding those other 3 entries in Panda ActiveScan report, which refer to the registry:

Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM

Adware:adware/blazefind Not disinfected Windows Registry

Adware:adware/emediacodec Not disinfected Windows Registry

Is there any further action to take, in order to eliminate that? (If necessary, I can provide the corresponding registry keys where there is reference to altnet, blazefind and emediacodec, for your analysis. In fact, after running a preliminary search through the registry for those terms, I even got seriously curious, I mean, as I said in the very beginning, we're more than one person using the computer, and not all share of the same "healthy surfing habits", and now running this search indeed suddenly I got seriously curious, as I see that everywhere where both blazefind and emediacodec are to be found in the registry, there are various other keys which appear to me rather unwanted ones, referring to web domains that look as to be related with such as online gambling and casinos and porn etc. :huh: :huh: :) I wonder whether these keys stand for some sort of "historic" that's kept in the registry of the websites that have been accessed from the computer... And suddenly more than ever I'm left with the feeling that I should finally dare to try Registry Mechanic to do some cleaning and optimization of the registry. Many times before I wanted to try such kind of program, but have always been somewhat afraid of using it, since I'm not too comfortable with the idea of "messing" in the registry when I do not have so much knowledge about it... :huh: But suddenly I do feel each time more tempted to dare to finally do it... Wonder if I should... But then again, I suppose this isn't the thread, nor the forum, to bring on such an issue, and sorry for the extra query... :o )



Then again, thank you yet so much for hinting about CCleaner, which has already proved to be going to be of extreme utility from now on (after just ridding the system of over 180 MB of temp trash, that's all I can conclude!)... :huh: I shall next better analyse the instructions of the program for getting the most of its features. Just a question beforehand, though, if I may? For running CCleaner this first time, for completing the clean up you had instructed me to do, I have left all its settings as they were by default. Later though, I could see that both folders, C:\Temp and C:\Windows\Temp, both keep contents from before to having run CCleaner, which caused me some doubt. Aren't these due to be emptied by CCleaner as well? Or is it dependent upon any setting option which I should be aware of, perhaps, or?... (Then again, all the contents in C:\Temp is an other folder, {9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}, which is empty, can this one just be safely deleted manually if not by CCleaner, or?...)



Lastly, I would only insist in asking to confirm whether I may by now already delete safely the SmitfraudFix folder which had been created in the desktop for the cleaning? (As I said before, I'm asking since I noticed that there have been stored some registry entries backups, so I'd wish to be sure whether I can now safely delete the SmitfraudFix folder and all of its contents before I do it. Or should I just keep this folder, or should I keep the registry backups at least, or?...)



In the end I can only thank you so greatly, one time again, for all your guidance so far, as much as for any further help in advance! :flowers: Thank you so much for your time and patience, and I'm sorry to take so much of it... Thank you sincerely! :huh:

#14 DeLuk
  • Topic Starter

Posted 18 May 2006 - 05:43 AM

Hmm, I was just checking the security settings for Internet Explorer, and those for the Restricted Sites, and checking the list of sites in there, I just realized that all those references found in the registry to web domains which I was finding to appear suspicious, those relating to casinos and porn etc, which I referred above, those references in the registry after all must stand for this list of Restricted Sites, for Internet Explorer, would that be it?!... :thumbsup: *oops! duh on me* :flowers: Then again, at least I feel more rested now, knowing that after all that wide list of "fishy smelling" web domains doesn't stand for improper/unsafe activity going on in the computer, at least that!!... *uff*

Still I feel I should dare to try Registry Mechanic to optimize the registry some day...

#15 OldTimer

    Malware Expert

Posted 21 May 2006 - 03:03 PM

Hi DeLuk. The HijackThis log looks good. Good job!

Yes, you can go ahead and delete these files:

c:\windows\inf\alchem.PNF
c:\windows\inf\twaintec.PNF
c:\windows\alchem.ini
C:\WINDOWS\system32\regperf.exe (check and see that this one is gone)

As for the registry items, if AdAware did not find them then I would say you are Ok. Since it doesn't give a location for the blazefind or emediacodec I can't tell you what to delete. The entry for AltNet is usually placed there when someone installs a file-sharing program. It would be best to uninstall the file-sharing program and not just delete that entry from the registry.

For CCleaner, check the Advanced Options (click the Options button and then the Advanced item) and see if the checkbox for "Only delete files in Windows Temp folders older than 48 hours" is checked or not. If it is, then it will not completely clean out the temp folders if there are files which are less than 48 hours old. Clear the checkbox to have it clean out everything.

Ok, we have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
  • CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
  • Turn off System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • CHECK Turn off System Restore.
    • Click Apply, and then click OK.
  • Restart your computer.
  • Turn ON System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • UN-Check Turn off System Restore.
    • Click Apply, and then click OK.
System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You already have a good firewall and a good antivirus application installed and running. It is important to have both to protect your system, and to keep them updated.

To keep your operating system up to date visit Microsoft Windows Update monthly. Microsoft puts out new updates on the 2nd Tuesday of every month so be sure to check regularly.

And to keep your system clean be aware of what emails you open, what websites you visit, and update and run these free malware scanners once a week:

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Have a safe and happy computing day!

OT



