Clean Or Not Clean? The Ultimate Question.


This topic is locked. 10 replies to this topic.

#1 Hepphepp
  • Members
  • 4 posts

Posted 12 May 2006 - 05:47 AM

Hey,
I have been infected with SpyFalcon, SpyGuard and SpywareQuake.
I have used the cleanup guides posted on the forums and have found them incredible! Thanks for making programs and guides like this for people like me!

Now I believe I am clean of this stuff, but I am not sure and would like some help in confirming that my machine is back to normal.

Is there any good way of knowing that the machine is totally free from viruses and malware?

Here is the HijackThis log that I just got out.
Would very much appreciate it if somebody could check this for me and give me some help with the final clean-up. I just ran Stinger and it didn't find anything.

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 12:33:23, on 12.05.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
C:\Programfiler\Symantec AntiVirus\DefWatch.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Symantec AntiVirus\Rtvscan.exe
C:\Programfiler\TOSHIBA\TME3\Tmesbs32.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\D-Tools\daemon.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programfiler\Winamp\Winampa.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programfiler\Logitech\MouseWare\system\em_exec.exe
C:\Programfiler\Logitech\Video\LogiTray.exe
C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
C:\Programfiler\Picasa2\PicasaMediaDetector.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\Programfiler\Google\Google Desktop Search\GoogleDesktop.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Google\Google Talk\googletalk.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\Programfiler\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programfiler\3M\PSNotes2\Psn2.exe
C:\Programfiler\Logitech\Video\FxSvr2.exe
C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\PROGRA~1\3M\PSNotes2\PSNGive.exe
C:\Programfiler\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Programfiler\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Programfiler\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp1019.tmp
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programfiler\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programfiler\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programfiler\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programfiler\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programfiler\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Programfiler\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Programfiler\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programfiler\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: PC Health.lnk = C:\Programfiler\Toshiba\TOSHIBA Management Console\TOSHealthLocalS.vbs
O4 - Global Startup: Post-it® Software Notes.lnk = C:\Programfiler\3M\PSNotes2\Psn2.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\programfiler\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programfiler\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programfiler\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programfiler\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programfiler\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programfiler\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programfiler\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programfiler\Fellesfiler\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programfiler\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programfiler\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Tmesbs32 (Tmesbs) - TOSHIBA Corporation - C:\Programfiler\TOSHIBA\TME3\Tmesbs32.exe


This is the latest Panda scan I did:


Incident Status Location

Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Daniel\Cookies\daniel@serving-sys[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[bs.serving-sys.com/]
Spyware:Cookie/Spyfalcon Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[www.spyfalcon.com/]
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.linksynergy.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.overture.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.advertising.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.888.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.belnk.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.centrport.net/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.com.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.go.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.microsoftwga.112.2o7.net/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Research-int Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.research-int.se/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[.zedo.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[as1.falkag.de/]
Spyware:Cookie/Bilbo.counted Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[bilbo.counted.com/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/Match Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[promo.match.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[server.iad.liveperson.net/hc/14835186]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[server.iad.liveperson.net/hc/64770872]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[www.myaffiliateprogram.com/]
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt[www48.seeq.com/]
Potentially unwanted tool:Application/Processor Not disinfected D:\RECYCLER\S-1-5-21-861567501-1580436667-854245398-1003\Dd1\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected D:\RECYCLER\S-1-5-21-861567501-1580436667-854245398-1003\Dd2.exe[smitRem/Process.exe]


Seems like it is only cookies except for the first and the last two posts.

Edited by Hepphepp, 12 May 2006 - 08:06 AM.
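Added example, not part of any post here and not HijackThis itself: a Python triage of the kind of log posted above, with the sample lines copied from it. The rules, the severity labels, the "still infected" wording and the assumption that Windows lives in C:\WINDOWS are this example's own choices. The entry that decides the question is the O2 BHO whose CLSID resolves to C:\WINDOWS\system32\hp1019.tmp: a browser helper object is a DLL that Internet Explorer loads at startup, so one registered from a .tmp file in system32 is something to act on, whereas the "(file missing)" entries are orphaned registrations to tidy up, not infections.

```python
r"""Triage a HijackThis 1.99.1 log the way a malware-response volunteer reads it.

Added example for this thread: not HijackThis code and not something a poster
ran. Sample lines are copied from the log in post #1; the rules, severity
labels, verdict wording and the assumed C:\WINDOWS location are this example's.
"""
import os
import re
from dataclasses import dataclass

# Constructed sample: a few lines taken verbatim from the posted log.
SAMPLE_LOG = r"""
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Programfiler\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp1019.tmp
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programfiler\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
"""

LIBRARY_EXT = {".dll", ".ocx"}       # what an O2/O3/O20 entry should point at
CODE_SECTIONS = ("O2", "O3", "O20")  # DLLs loaded into Internet Explorer or Winlogon
SYSTEM32 = r"c:\windows\system32"    # assumed Windows location (matches the log header)

@dataclass
class Entry:
    section: str   # "O2", "O4", "O23", ...
    name: str      # friendly name as HijackThis prints it
    detail: str    # CLSID, service owner, or "" (text between name and path)
    path: str      # target path with quotes and "(file missing)" stripped
    missing: bool  # HijackThis reported "(file missing)"

@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    reason: str
    entry: Entry

def _first_path(rest):
    """Path part of an O4 Run value: the quoted path, else the first token."""
    return rest[1:].split('"', 1)[0] if rest.startswith('"') else rest.split(" ", 1)[0]

def parse_entry(line):
    """Return an Entry for an 'Oxx - ...' line, or None for anything else."""
    m = re.match(r"^([ORF]\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, body = m.groups()
    missing = body.endswith("(file missing)")
    if missing:
        body = body[: -len("(file missing)")].rstrip()
    detail = ""
    if section == "O4":
        m4 = re.match(r"^[^:]+:\s*\[(?P<name>[^\]]*)\]\s*(?P<rest>.*)$", body)
        if m4:  # HKLM\..\Run: [Name] "path" args
            name, path = m4["name"], _first_path(m4["rest"])
        else:   # Global Startup: Name.lnk = path
            name, _, path = body.split(": ", 1)[-1].partition(" = ")
    else:       # Kind: Name - detail - path
        head, sep, path = body.rpartition(" - ")
        if not sep:
            head, path = body, ""
        name, _, detail = head.split(": ", 1)[-1].partition(" - ")
    return Entry(section, name.strip(), detail.strip(), path.strip().strip('"'), missing)

def _ext(path):
    return os.path.splitext(path.lower().rsplit("\\", 1)[-1])[1]

def triage(entry):
    """Structural checks on one entry; returns a (possibly empty) list of findings."""
    if entry.missing:
        return [Finding("info", "target file missing: orphaned registration to tidy up, not an infection", entry)]
    if not entry.path or entry.path == "?":
        return []  # nothing to check (R0-style value, or a shortcut HijackThis could not resolve)
    out, ext = [], _ext(entry.path)
    if entry.section in CODE_SECTIONS and ext not in LIBRARY_EXT:
        out.append(Finding("high", f"code loaded into IE/Winlogon from a '{ext or 'no extension'}' file, not a DLL", entry))
    if entry.section == "O20" and not entry.path.lower().startswith(SYSTEM32):
        out.append(Finding("medium", "Winlogon Notify DLL outside system32", entry))
    if entry.section == "O4" and "\\" not in entry.path:
        out.append(Finding("medium", "bare file name found through PATH search; confirm which copy runs", entry))
    if entry.section == "O23" and entry.detail.lower() == "unknown owner":
        out.append(Finding("info", "service binary carries no company name; confirm the vendor", entry))
    return out

def triage_log(text):
    findings = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry:
            findings.extend(triage(entry))
    return findings

def verdict(findings):
    """'still infected' when any finding is high; otherwise nothing conclusive."""
    return "still infected" if any(f.severity == "high" for f in findings) else "nothing conclusive"

if __name__ == "__main__":
    fs = triage_log(SAMPLE_LOG)
    for f in fs:
        print(f"[{f.severity:6}] {f.entry.section} {f.entry.name!r}: {f.reason}\n         {f.entry.path}")
    print("verdict:", verdict(fs))
```

Run it as a script to see the findings; verdict() reduces them to the one-line answer the thread asks for. The checks are heuristics, and only "high" means "act": the Logitech MouseWare entry merely resolves through the PATH search, and the Adobe and Macromedia licensing services simply ship without a company string, so "medium" and "info" mean "look", not "remove".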



#2 amateur
  • Malware Fighter
  • Malware Response Team
  • 2,775 posts

Posted 12 May 2006 - 05:40 PM

Hello hepphepp,

Welcome to BC.

Looks like you are still infected. Please discard the old smitremfix from your desktop/computer. It's updated almost every day.

This tool is Only for Windows XP and Windows 2000


Please download SmitfraudFix (by S!Ri)

Extract the content (a folder named SmitfraudFix) to your Desktop.


Open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #1 - Search by typing 1 and press Enter


This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore your antivirus may alert you about this. Please allow it.

In your next post, please include
  • smitfraudfix log
  • new hijackthis log


#3 Hepphepp
  • Topic Starter
  • Members
  • 4 posts

Posted 15 May 2006 - 01:02 PM

Hi amateur,

Thanks for the help. If you have the time I would very much like to know what to look for or how to figure out if I am clean or not and what to do. I try to learn as much as possible from this :) Malware and viruses aren't fun, but at least I can learn how to run my machine :)

Here are the new logs:

HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 19:52:55, on 15.05.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
C:\Programfiler\Symantec AntiVirus\DefWatch.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Symantec AntiVirus\Rtvscan.exe
C:\Programfiler\TOSHIBA\TME3\Tmesbs32.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\D-Tools\daemon.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programfiler\Winamp\Winampa.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programfiler\Logitech\MouseWare\system\em_exec.exe
C:\Programfiler\Logitech\Video\LogiTray.exe
C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
C:\Programfiler\Picasa2\PicasaMediaDetector.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\Programfiler\Google\Google Desktop Search\GoogleDesktop.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Google\Google Talk\googletalk.exe
C:\Programfiler\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programfiler\3M\PSNotes2\Psn2.exe
C:\Programfiler\Logitech\Video\FxSvr2.exe
C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\PROGRA~1\3M\PSNotes2\PSNGive.exe
C:\Programfiler\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Programfiler\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\Programfiler\iTunes\iTunes.exe
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Programfiler\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp1019.tmp
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programfiler\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programfiler\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programfiler\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programfiler\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programfiler\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Programfiler\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Programfiler\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programfiler\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: PC Health.lnk = C:\Programfiler\Toshiba\TOSHIBA Management Console\TOSHealthLocalS.vbs
O4 - Global Startup: Post-it® Software Notes.lnk = C:\Programfiler\3M\PSNotes2\Psn2.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\programfiler\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programfiler\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programfiler\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programfiler\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programfiler\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programfiler\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programfiler\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programfiler\Fellesfiler\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programfiler\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programfiler\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Tmesbs32 (Tmesbs) - TOSHIBA Corporation - C:\Programfiler\TOSHIBA\TME3\Tmesbs32.exe


Smitfraud:

SmitFraudFix v2.44

Scan done at 19:49:08,96, 15.05.2006
Run from D:\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Versjon 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\regperf.exe FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Daniel\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Daniel\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Programfiler


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Min gjeldende hjemmeside"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



Thanks a lot!!
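Added example, not from the thread and not SmitfraudFix's own code: what the "FOUND !" lines in the report above mean in practice. SmitfraudFix checks each folder for a fixed list of file names and prints the name it searched for, so `hp????.tmp FOUND !` reports that some file matching that four-character wildcard exists under system32, which is the same hp1019.tmp that both HijackThis logs show registered as a BHO. The indicator list below is copied from the posted rapport.txt; the folder it scans is a throw-away tree built in a temporary directory (a constructed sample), so it runs on any OS without touching a real Windows install.

```python
"""Sweep one folder for the SmitFraud file-name indicators SmitfraudFix v2.44
reported under C:\\WINDOWS\\system32, and render hits the way rapport.txt does.

Added example for this thread: not SmitfraudFix code and not run by anyone in
it. Indicator names come from the posted report; the scanned tree is built in
a temp directory so the example is self-contained.
"""
import fnmatch
import os
import tempfile
from pathlib import Path

# Names flagged under C:\WINDOWS\system32 in the posted report.
# "hp????.tmp" is a glob: "hp", any four characters, ".tmp".
SYSTEM32_INDICATORS = [
    "atmclk.exe", "dcomcfg.exe", "hp????.tmp", "ot.ico",
    "regperf.exe", "simpole.tlb", "stdole3.tlb",
]

def matches_indicator(filename, patterns=SYSTEM32_INDICATORS):
    """Return the first pattern the file name matches, or None.

    NTFS is case-insensitive, so both sides are lower-cased; fnmatchcase is
    used so the result does not depend on the host OS's own case rules."""
    name = filename.lower()
    for pat in patterns:
        if fnmatch.fnmatchcase(name, pat.lower()):
            return pat
    return None

def sweep(directory, patterns=SYSTEM32_INDICATORS):
    """Non-recursive scan of one folder, as the report is sectioned per folder.
    Returns sorted (filename, matched_pattern) pairs for regular files only."""
    hits = []
    for name in os.listdir(directory):
        pat = matches_indicator(name, patterns)
        if pat and os.path.isfile(os.path.join(directory, name)):
            hits.append((name, pat))
    return sorted(hits)

def report_lines(folder_label, hits):
    """rapport.txt prints the searched-for pattern, not the real file name."""
    return [f"{folder_label}\\{pat} FOUND !" for _, pat in hits]

def demo():
    """Build a system32 look-alike and sweep it.

    Constructed sample: two indicator names (one in upper case), a near-miss
    with five characters after 'hp', and a benign DLL that must not match."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp) / "WINDOWS" / "system32"
        sys32.mkdir(parents=True)
        for name in ["hp1019.tmp", "ATMCLK.EXE", "hp10199.tmp", "kernel32.dll"]:
            (sys32 / name).write_bytes(b"")
        return sweep(sys32)

if __name__ == "__main__":
    hits = demo()
    for name, pat in hits:
        print(f"{name:14} matched {pat}")
    print("\n".join(report_lines(r"C:\WINDOWS\system32", hits)))
    # The BHO target from the HijackThis log resolves to the same indicator:
    print("hp1019.tmp ->", matches_indicator("hp1019.tmp"))
```

Two caveats a responder should keep in mind. The match is a glob, so a variant dropped as hp10199.tmp would slip past it; a file-name list is a quick first pass, and the CLSID line HijackThis prints is the more durable handle on the same object. And such lists go stale within days, which is why the helper insists on downloading a fresh copy of the tool rather than reusing one from the desktop.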

#4 amateur
  • Malware Fighter
  • Malware Response Team
  • 2,775 posts

Posted 15 May 2006 - 01:17 PM



Thank you for the logs.

Please print out or copy these instructions/tutorial to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.



Please download the trial version of Ewido anti-malware 3.5
  • Install Ewido anti-malware.
  • When installing, under Additional Options uncheck Install background guard and Install scan via context menu.
  • When you run Ewido for the first time, you could get a warning "Database could not be found!". Click Ok.
  • The program will prompt you to update. Click the Ok button.
  • The program will now go to the main screen.
You will need to update Ewido to the latest definition files.
  • On the left-hand side of the main screen click the Update Button.
  • Click on Start.
The update will start and a progress bar will show the updates being installed.

Once finished updating, close Ewido.



Note: If you have problems with the updater, you can manually update Ewido here and save to your Desktop.

All you need to do then is to double-click it, click Install and then when it has finished, Close.

Make sure to close Ewido before installing the update.



=================================



Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

=================================



Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.




Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.



The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.



A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.



=================================



Navigate to C:\Windows\Temp

Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.



Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp

Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.



Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.



Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.



=================================



Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan.
  • Click on Scanner
  • Click on Settings
    • Under How to scan all boxes should be checked
    • Under Unwanted Software all boxes should be checked
    • Under What to scan select Scan every file
    • Click on Ok
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok.



Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
  • Click Save Report button
  • Save the report to your Desktop
Close Ewido and Reboot in Normal Mode.



=================================



Open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #3 - Delete Trusted zone by typing 3 and press Enter.

Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.



Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.



=================================



Please post:
  • c:\rapport.txt
  • Ewido log
  • A new HijackThis log

You may need several replies to post the requested logs, otherwise they might get cut off.



If you have the time I would very much like to know what to look for or how to figure out if I am clean or not and what to do. I try to learn as much as possible from this :) Malware and viruses aren't fun, but at least I can learn how to run my machine :)


The answer to that would be too long and complicated as there are so many infections. The best way would be to enroll with a training program. There are several of those, like the one here at Bleeping Computers, CastleCops, SpywareInfo and MRU where I was trained.




#5 amateur (Malware Response Team)

Posted 21 May 2006 - 05:59 PM

Due to lack of response, this thread will now be closed. If you need this topic reopened, please PM me or a moderator with the address of the thread and we will reopen it for you. This applies only to the original topic starter. Everyone else please begin a New Topic.

reopened at the request of the poster.

Edited by amateur, 23 May 2006 - 05:49 AM.


#6 Hepphepp (Topic Starter)

Posted 23 May 2006 - 06:52 AM

Hi,

here are the logs:

HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 11:18:36, on 23.05.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
C:\Programfiler\Symantec AntiVirus\DefWatch.exe
C:\Programfiler\ewido anti-malware\ewidoctrl.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Symantec AntiVirus\Rtvscan.exe
C:\Programfiler\TOSHIBA\TME3\Tmesbs32.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\D-Tools\daemon.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programfiler\Winamp\Winampa.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programfiler\Logitech\MouseWare\system\em_exec.exe
C:\Programfiler\Logitech\Video\LogiTray.exe
C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
C:\Programfiler\Picasa2\PicasaMediaDetector.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Google\Google Desktop Search\GoogleDesktop.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Google\Google Talk\googletalk.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\Programfiler\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Programfiler\Logitech\Video\FxSvr2.exe
C:\Programfiler\3M\PSNotes2\Psn2.exe
C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\PROGRA~1\3M\PSNotes2\PSNGive.exe
C:\Programfiler\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Programfiler\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Programfiler\Google\Google Desktop Search\GoogleDesktopIE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programfiler\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programfiler\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programfiler\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programfiler\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programfiler\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Programfiler\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Programfiler\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programfiler\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: PC Health.lnk = C:\Programfiler\Toshiba\TOSHIBA Management Console\TOSHealthLocalS.vbs
O4 - Global Startup: Post-it® Software Notes.lnk = C:\Programfiler\3M\PSNotes2\Psn2.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\programfiler\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programfiler\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programfiler\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programfiler\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programfiler\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programfiler\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programfiler\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programfiler\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programfiler\Fellesfiler\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programfiler\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programfiler\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Tmesbs32 (Tmesbs) - TOSHIBA Corporation - C:\Programfiler\TOSHIBA\TME3\Tmesbs32.exe


Ewido:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 13:25:33, 22.05.2006
+ Report-Checksum: 5CC23C05

+ Scan result:

:mozilla.13:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.125:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
:mozilla.146:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.147:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.148:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.149:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.152:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.156:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.158:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.159:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.160:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.173:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Bfast : Cleaned with backup
:mozilla.188:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.189:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.195:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.204:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.205:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.206:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.209:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.245:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.247:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned with backup
:mozilla.268:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.269:C:\Documents and Settings\Daniel\Programdata\Mozilla\Firefox\Profiles\tpb1p7n6.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup


::Report End


SmitFraudFix:
SmitFraudFix v2.44

Scan done at 20:48:33,17, 21.05.2006
Run from D:\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Versjon 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\atmclk.exe Deleted
C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\hp????.tmp Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\regperf.exe Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End



thanks
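
The helper above reads the HijackThis log by eye: entries marked "(file missing)" are stale leftovers, O23 services with "Unknown owner" deserve a second look, O20 Winlogon Notify DLLs are loaded by winlogon.exe and so are a classic persistence point, O16 entries are ActiveX downloads, and an O4 autorun that starts from a temp or profile directory is a red flag. The script below is an added example that automates that first pass; it is not part of the thread, not a BleepingComputer or HijackThis tool, and it only sorts entries into review buckets, it does not decide clean or not clean (as the helper says, HijackThis cannot see everything). The sample log is constructed for the example: most lines are copied from the log posted above, and the `[example]` O4 line pointing into `Local Settings\Temp` is hypothetical, added to show what a suspicious autorun looks like. The directory list used for that check is a heuristic of my own, not a HijackThis rule.

```python
"""Triage a HijackThis v1.99 log into the buckets a helper looks at first.

Every entry line has the shape "<section> - <detail>", for example
"O23 - Service: <name> - <owner> - <path>".  Non-entry lines (the
"Logfile of HijackThis" header, "Running processes:", blank lines) are
skipped.  Added example; not the forum's or HijackThis's own code.
"""
import re
from collections import defaultdict

# Section tag (R0, O4, O23, ...) followed by " - " and the rest of the line.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+)\s+-\s+(?P<detail>.+)$")

# Heuristic (an assumption of this example, not a HijackThis rule):
# legitimate autoruns rarely launch from user-writable or temp locations.
USER_WRITABLE_DIRS = (
    "\\documents and settings\\",
    "\\local settings\\temp\\",
    "\\windows\\temp\\",
    "\\recycler\\",
)


def parse_hjt(text):
    """Return the log as a list of (section, detail) tuples."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("detail")))
    return entries


def triage(entries):
    """Bucket entries by what a reviewer wants to check; {category: [entry]}."""
    findings = defaultdict(list)
    for section, detail in entries:
        low = detail.lower()
        # Target file no longer exists: a stale registry leftover, safe to fix.
        if "(file missing)" in low:
            findings["stale_missing_file"].append((section, detail))
        # Service with no identifiable vendor string: verify the binary.
        if section == "O23" and "unknown owner" in low:
            findings["service_unknown_owner"].append((section, detail))
        # Winlogon Notify DLLs run inside winlogon.exe; always worth a look,
        # even when (as with NavLogon/WgaLogon) they turn out to be legitimate.
        if section == "O20":
            findings["winlogon_notify"].append((section, detail))
        # Downloaded Program Files (ActiveX): confirm the source URL is trusted.
        if section == "O16":
            findings["activex_download"].append((section, detail))
        # Autorun launched from a temp/profile directory: typical of rogue
        # "antispyware" droppers, which is what SmitfraudFix removed above.
        if section == "O4" and any(d in low for d in USER_WRITABLE_DIRS):
            findings["autorun_from_user_dir"].append((section, detail))
    return dict(findings)


# Constructed sample: lines copied from the log in this thread plus one
# hypothetical O4 entry ([example]) that starts from Local Settings\Temp.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programfiler\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [example] C:\Documents and Settings\Daniel\Local Settings\Temp\example.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programfiler\Symantec AntiVirus\Rtvscan.exe
"""


def triage_text(text):
    """Convenience wrapper: parse and triage a raw log in one call."""
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for category, items in sorted(triage_text(SAMPLE_LOG).items()):
        print(category)
        for section, detail in items:
            print("    ", section, "-", detail)
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; the buckets are a reading order, not a verdict. Every entry in `winlogon_notify` and `activex_download` in the thread's own log is legitimate (Symantec, Windows Genuine Advantage, Panda ActiveScan), which is exactly why a human still has to look at each one.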

#7 amateur

Posted 23 May 2006 - 07:53 AM

Hello again!

It's looking really good. :thumbsup: The infection is gone. You can go ahead and delete the SmitfraudFix from your desktop. How is the system running?

However, HijackThis cannot see everything. So, let's do another scan to make sure nothing else is hiding around.

Run an online scan at Panda's ActiveScan
  • Please go here and perform a full system scan. (use Internet Explorer)
  • Once you are on the Panda site click the Scan your PC button.
  • A new window will open...click the big Check Now button.
  • Enter your Country.
  • Enter your State/Province.
  • Enter your Valid Email and click send.
  • Select either Home User or Company.
  • Click the big Scan Now button.
  • If it wants to install an ActiveX component allow it.
  • It will start downloading the files it requires for the scan.
  • Click on Local Disks to start the scan.
  • Once finished, click see report, then click Save report.
NOTE: Please ignore any entry it finds and the offer to buy the program to remove the entry.

Post back the Panda results please.

#8 Hepphepp (Topic Starter)

Posted 23 May 2006 - 08:24 AM

Hi,

everything runs perfectly and I can't find anything that is wrong here.

I will run the Panda scan, but this normally takes a while.
Will post the log when it is ready.

thanks for the help so far

Hepphepp

#9 amateur

Posted 23 May 2006 - 08:39 AM

:thumbsup: OK. Post the log as soon as you can. :flowers:

#10 amateur

Posted 23 May 2006 - 08:43 AM

If you clean your temp files and cookies prior to the scan it would cut down on the scanning time. Ccleaner is a good tool to do that.

Please download Ccleaner and save it to your desktop.


Tutorial for CCleaner

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it

  • Click on Options,
  • Select Advanced
  • Now UNCHECK "Only delete files in Windows Temp folders older than 48 hours"

  • Make sure the Cleaner block on the left is selected. (Do not use the "Issues" block)
  • Choose the Windows tab.

  • Check everything EXCEPT Advanced part of the Menu.

  • Click on "Analyze". This process could take a while.

    If you don't want to lose your login passwords to certain sites, click on Options, select Cookies and move the ones you want to keep to the "Cookies to keep" section, by highlighting them and using the arrows in the middle.
  • Choose Run Cleaner.

  • When CCleaner shows how much has been removed, cleaning is finished.
  • Click Exit.


If you have more than one user, run Ccleaner for every user.



#11 amateur

Posted 30 May 2006 - 08:39 AM

Due to lack of response, this thread will now be closed. If you need this topic reopened, please PM me or a moderator with the address of the thread and we will reopen it for you. This applies only to the original topic starter. Everyone else please begin a New Topic.



