
Smithfraud.c - Toolbar888


This topic is locked. 27 replies to this topic.

#16 super goku (Topic Starter, Members, 180 posts)

Posted 16 November 2006 - 07:36 PM

Hi htv8,

Thanks once more. The PC seems to be working much better but still somewhat slow, especially with internet.


Here's the logs requested:

Dr.Web


Process.exe;C:\Documents and Settings\Assaad\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\Assaad\Desktop\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
backup-20061112-173738-439.dll;C:\Program Files\HijackThis\backups;Trojan.Virtumod;Deleted.;
A0029736.exe;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP238;Trojan.DownLoader.13909;Deleted.;
A0029737.exe;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP238;Trojan.DownLoader.13909;Deleted.;
A0030192.dll;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP241;Trojan.Virtumod;Deleted.;
A0031438.exe;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP243;Tool.Prockill;Incurable.Moved.;
A0031500.dll;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP243;Trojan.Virtumod;Deleted.;
A0031553.exe;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP243;Tool.ShutDown.11;Incurable.Moved.;
A0031555.exe;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP243;Tool.Prockill;Incurable.Moved.;
A0031584.dll;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP243;Trojan.Virtumod;Deleted.;
A0031658.dll;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP243;Trojan.Virtumod;Deleted.;
A0031737.exe;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP244;Tool.Prockill;Incurable.Moved.;
A0031795.dll;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP244;Trojan.Virtumod;Deleted.;
A0031848.exe;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP244;Tool.ShutDown.11;Incurable.Moved.;
A0031850.exe;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP244;Tool.Prockill;Incurable.Moved.;
A0031924.exe;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP244;Tool.Prockill;Incurable.Moved.;
A0031926.exe;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP244;Tool.ShutDown.11;Incurable.Moved.;
A0032005.exe;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP244;Tool.Prockill;Incurable.Moved.;
A0032027.exe;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP244;Tool.Prockill;Incurable.Moved.;
A0032029.exe;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP244;Tool.ShutDown.11;Incurable.Moved.;
A0032042.exe;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP244;Tool.Prockill;Incurable.Moved.;
A0032044.exe;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP244;Tool.ShutDown.11;Incurable.Moved.;
A0033418.exe;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP253;Adware.SearchColours;Incurable.Moved.;
A0038624.dll;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP261;Trojan.Virtumod;Deleted.;
A0038961.dll;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP262;Trojan.Virtumod;Deleted.;
A0040007.dll;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP268;Trojan.Virtumod;Deleted.;
A0040008.dll;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP268;Trojan.Virtumod;Deleted.;
A0040009.dll;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP268;Trojan.Virtumod;Deleted.;
A0040010.dll;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP268;Trojan.Virtumod;Deleted.;
A0040011.dll;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP268;Trojan.Virtumod;Deleted.;
A0040012.dll;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP268;Trojan.Virtumod;Deleted.;
A0041399.dll;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP270;Trojan.Virtumod;Deleted.;
pmnlk.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
pmnno.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
yaywuur.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;


HijackThis


Logfile of HijackThis v1.99.1
Scan saved at 7:29:49 PM, on 16/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\HijackThis\fluffybunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" /tray
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: Yahoo! Freecell Solitaire - http://presence.games.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1154558144390
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I await your reply with much appreciation!

S. G.
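The Dr.Web report in the post above is semicolon-delimited, one hit per line: file name, directory, detection name, action taken. Most of those hits are not live infections: the A00xxxxx files under System Volume Information are restore-point copies, the HijackThis and VundoFix folders hold backups of files already removed, and the Tool.Prockill / Tool.ShutDown.11 hits sit in the SmitfraudFix folder, i.e. they are the riskware-class helpers that cleanup tool ships rather than malware. The following is an added example, not part of the thread: it parses that format and sorts hits by location so the one file that was still in place on the running system, yaywuur.dll in system32, stands out. The sample log is a constructed subset of the lines above, and the folder patterns used for classification are assumptions about how those tools lay out their files.

```python
"""Sort a Dr.Web CureIt report by where each hit lives, separating live
infections from restore-point copies, quarantine folders and cleanup-tool parts.
Added example; the folder patterns below are assumptions about those tools."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the report lines posted above.
SAMPLE_LOG = r"""
Process.exe;C:\Documents and Settings\Assaad\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\Assaad\Desktop\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
backup-20061112-173738-439.dll;C:\Program Files\HijackThis\backups;Trojan.Virtumod;Deleted.;
A0029736.exe;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP238;Trojan.DownLoader.13909;Deleted.;
A0033418.exe;C:\System Volume Information\_restore{E5F882F2-DB74-4050-90B2-0B233EE08186}\RP253;Adware.SearchColours;Incurable.Moved.;
pmnlk.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
yaywuur.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
"""


@dataclass(frozen=True)
class Hit:
    name: str        # file name as reported
    directory: str   # folder the file was found in
    detection: str   # Dr.Web detection name
    action: str      # what CureIt did: "Deleted.", "Incurable.Moved.", ...


def parse_drweb(text: str) -> list[Hit]:
    """Each record is 'name;directory;detection;action;' with a trailing ';'."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.rstrip(";").split(";")
        if len(fields) != 4:
            raise ValueError(f"unexpected Dr.Web record: {line!r}")
        hits.append(Hit(*fields))
    return hits


# Folder names used by the cleanup tools seen in this thread (assumed layout).
QUARANTINE_DIRS = (r"\hijackthis\backups", r"\vundofix backups")
CLEANUP_TOOL_DIRS = (r"\smitfraudfix",)


def classify(hit: Hit) -> str:
    d = hit.directory.lower()
    if r"\system volume information\_restore" in d:
        return "restore_point"   # copies System Restore saved; flushed by resetting it
    if d.endswith(QUARANTINE_DIRS):
        return "quarantine"      # files a cleanup tool already removed and backed up
    if hit.detection.startswith("Tool.") and d.endswith(CLEANUP_TOOL_DIRS):
        return "cleanup_tool"    # SmitfraudFix's own process-killer and reboot helpers
    return "live"                # still in place on the running system


def summarize(text: str) -> dict[str, list[Hit]]:
    groups: dict[str, list[Hit]] = {
        k: [] for k in ("live", "restore_point", "quarantine", "cleanup_tool")
    }
    for hit in parse_drweb(text):
        groups[classify(hit)].append(hit)
    return groups


def detection_counts(text: str) -> Counter:
    """How many hits each detection name accounts for, live or not."""
    return Counter(hit.detection for hit in parse_drweb(text))


if __name__ == "__main__":
    for kind, hits in summarize(SAMPLE_LOG).items():
        print(f"{kind:14s} {len(hits)}")
        for h in hits:
            print(f"    {h.detection:28s} {h.directory}\\{h.name}  [{h.action}]")
    print(detection_counts(SAMPLE_LOG).most_common())
```

On the full report above the same split gives one live hit, the many Trojan.Virtumod copies in restore points (which is why the helper's next post asks to flush System Restore), and the Tool.* entries that only say SmitfraudFix was on the desktop.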


#17 htv8 (Members, 1,694 posts, Location: The Netherlands)

Posted 17 November 2006 - 12:09 PM

Your log looks clean now. Good work! :thumbsup: However, if you experience any more problems, please report back.
Also see this reference: Slow Computer Checklist.

Now please follow the simple steps below in order to keep your computer clean and secure.

Step #1: defragment hard drive
It is a good option to defragment your hard drive. Windows puts new files in any available open space and defragging will cluster files closer together making your hard drive more efficient. This saves wear and tear while speeding up programs.

First reboot your computer into Safe Mode. Restart your computer and gently tap the F8 key repeatedly on your keyboard while starting up until you are presented with a new menu in which you can select the option for Safe Mode using the arrow keys on your keyboard.
For more information on how to boot your computer into Safe Mode, see this reference: How to start Windows into Safe Mode.

Now please perform these instructions when in Safe Mode to defragment your hard drive:
1. Open My Computer.
2. Right-click the local disk volume that you want to defragment, and then click Properties.
3. On the Tools tab, click the button labelled "Defragment Now...".
4. Click Defragment. This process takes quite a long time, so be patient.
5. Once done, reboot your computer again to boot into normal mode.

Step #2: re-hide hidden system files and folders
Re-hide your hidden system files and folders, because the instructions above that set your system to show all files unhide legitimate files and folders as well, and I don't want you to delete them because they may look suspicious. To hide them again, just perform these instructions:
1. Close all programs so that you are at your Desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and then click on the menu option labelled "Folder Options".
4. After the new window appears select the View tab.
5. Place a checkmark in the checkbox labelled "Hide file extensions for known file types".
6. Place a checkmark in the checkbox labelled "Hide protected operating system files".
7. Deselect the radio button labelled "Show hidden files and folders".
8. Press the Apply button and then press the OK button and close My Computer.

Now your computer is configured to hide all hidden system files and folders.

Step #3: reset and re-enable System Restore
Reset and re-enable System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files:
1. Close all programs so that you are at your Desktop.
2. Go to Start > Run.
3. In the Run field type SYSDM.CPL and press the OK button.
4. Click the System Restore tab.
5. Place a checkmark in the checkbox labelled "Turn off System Restore" to disable System Restore.
6. Click the Apply button.
7. Uncheck the option labelled "Turn off System Restore" to turn System Restore back on.
8. Click the OK button.

You have now flushed your previous restore points, so we will make a new one again since your computer is clean now:
1. Close all programs so that you are at your Desktop.
2. Go to Start > All Programs > Accessories > System Tools > System Restore.
3. Select the radio button labelled "Create a restore point" and press the Next button.
4. Type the name you would like this restore point to be referred to by and press the Create button.
5. Press the Close button to close the System Restore utility.

Step #4: delete temp files
Please perform these instructions to clean out your temp files:
1. Close all programs so that you are at your Desktop.
2. Go to Start > Run.
3. In the Run field type %temp% and press the OK button.
4. Delete all files that are found in this temp directory.
5. Empty the recycle bin.

If you have trouble deleting a file, reboot into Safe Mode to delete it.

Step #5: delete Temporary Internet files
Please perform these instructions to clean out your Temporary Internet files:
1. Close all programs so that you are at your Desktop.
2. Go to Start > Control Panel.
3. Double-click on the Internet Options icon.
4. At the General tab click once on the button labelled "Delete Files".
5. In the upcoming confirmation box, click on the checkbox labelled "Delete all offline content".
6. Click on the OK button which will start the process of deleting all of your Temporary Internet files. This can take a while.
7. When the process of deleting is done, press the OK button to close the window.

Step #6
Finally, and definitely the MOST IMPORTANT step, click on this tutorial and follow each step listed here:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Do not forget to tell your friends about us.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

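Steps 1 to 5 in the post above are Windows XP GUI walkthroughs. As an added example, not from the thread, here is the same housekeeping as a script for Windows 7 and later run from an elevated Windows PowerShell 5.1 prompt (the System Restore cmdlets are not in PowerShell 7, and XP has no scriptable equivalent for them). The Explorer registry values, the ClearMyTracksByProcess mask, and the single-system-drive assumption are marked as assumptions in the comments.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread: the post-cleanup housekeeping above for
# Windows 7+ / Windows PowerShell 5.1. Assumptions are marked in the comments.

$drive = "$env:SystemDrive\"          # normally "C:\" (assumption: one system drive)

# Step 2: re-hide hidden and protected system files and known extensions.
# Explorer reads these values at start-up, so restart explorer.exe or log off.
$view = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
Set-ItemProperty -Path $view -Name Hidden          -Value 2 -Type DWord   # 2 = do not show hidden files
Set-ItemProperty -Path $view -Name HideFileExt     -Value 1 -Type DWord   # 1 = hide known file extensions
Set-ItemProperty -Path $view -Name ShowSuperHidden -Value 0 -Type DWord   # 0 = hide protected OS files

# Step 3: turning System Restore off discards every restore point, which is the
# only supported way to get rid of infected copies under System Volume Information.
# Then turn it back on and take a fresh point for the clean state. Windows 8 and
# later only create one point per 24 hours unless that throttle is changed.
Disable-ComputerRestore -Drive $drive
Enable-ComputerRestore  -Drive $drive
Checkpoint-Computer -Description "Clean after malware removal" -RestorePointType MODIFY_SETTINGS

# Step 4: empty the user's temp directory. Files held open by a running
# program are skipped instead of aborting the script.
Get-ChildItem -Path $env:TEMP -Force -ErrorAction SilentlyContinue |
    Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
Clear-RecycleBin -Force -ErrorAction SilentlyContinue           # Windows 10 and later

# Step 5: delete Temporary Internet Files only. The mask is IE's
# ClearMyTracksByProcess value (assumed: 8 = cache; 1 history, 2 cookies, 255 all).
Start-Process -FilePath "$env:SystemRoot\System32\rundll32.exe" `
    -ArgumentList "InetCpl.cpl,ClearMyTracksByProcess 8" -Wait -NoNewWindow

# Step 1: defragment the system drive. Modern Windows schedules this itself, so
# it is normally only worth running by hand on a spinning disk (/U progress, /V report).
& "$env:SystemRoot\System32\defrag.exe" $env:SystemDrive /U /V
```

The order differs from the post on purpose: the registry and restore-point work does not depend on a Safe Mode boot, and defragmenting is left to last so it runs on a drive that has already had its temp files and old restore points removed.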

#18 super goku (Topic Starter, Members, 180 posts)

Posted 19 November 2006 - 12:09 AM

Could you please not close the post, it has been a very hectic few days for me...but will reply soon...

#19 super goku (Topic Starter, Members, 180 posts)

Posted 20 November 2006 - 11:03 AM

Hey htv8, very good work but just got a few problems...

The malware seems to be gone but I am now having problems with my software that show video or images (what used to take 2 seconds to load now takes over 3 minutes).

Could it be that we deleted something that had to do with the display/graphics? or maybe with all of the added security programs on my computer (added from your last post)

Thanks

#20 htv8 (Members, 1,694 posts, Location: The Netherlands)

Posted 20 November 2006 - 02:16 PM

Hi super goku,

I have worked on your malware issues. This may or may not have solved other issues you have with your machine. It's more likely your problem is software related. We haven't deleted anything related to your display/graphics software. :thumbsup:
Because of that, I suggest you start a new thread in the Software part of the forums. I believe they will be better able to help you with your software issues. Please describe the problems you are experiencing as well as possible and there will definitely be someone who can help you out with this issue.

#21 super goku (Topic Starter, Members, 180 posts)

Posted 20 November 2006 - 02:39 PM

htv8, thank you very much for your help and you did indeed kill the malware!!

I just retried that software with a different video and it worked perfectly, I guess the file that I was initially using might have been damaged...

Thank you so much!

#22 htv8 (Members, 1,694 posts, Location: The Netherlands)

Posted 30 November 2006 - 12:06 PM

As the problem here seems to be resolved, this topic is now closed.
To get it reopened, PM a staff member with the address of this thread. This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.

Glad we could help. :thumbsup:

#23 htv8 (Members, 1,694 posts, Location: The Netherlands)

Posted 02 December 2006 - 01:45 PM

Re-opened.

#24 super goku (Topic Starter, Members, 180 posts)

Posted 02 December 2006 - 04:31 PM

Hey htv8,

I ran a scan with Spybot and everything seemed to be normal. However, yesterday Spybot detected Smitfraud-C.Toolbar888 along with VirtuMonde. I clicked on Fix problems and it said it was fixed. After restarting the computer, I ran Spybot again but nothing was found. I fear that traces of the initial infection may still be hidden somewhere?


HijackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 4:22:59 PM, on 02/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HijackThis\fluffybunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" /tray
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: Yahoo! Freecell Solitaire - http://presence.games.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1154558144390
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
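Answering "does this log show up clean" means comparing the HijackThis log of 2 December above with the one posted on 16 November and then checking the entries that still look odd. The following is an added example, not part of the thread, that does the two mechanical parts of that job: it parses the R/F/O entry lines, diffs two scans so only added and removed entries are listed, and flags entries carrying the markers a reviewer checks by hand ("(file missing)", "Unknown owner", "(no name)", an unidentified Winsock LSP). The sample logs are constructed subsets of the two logs in this thread. A flag is a prompt to verify, not a verdict: the three entries it flags here (the Spybot SDHelper BHO, the NVIDIA nvappfilter LSP, and the ForceWare web interface service whose binary is missing) are all ones the helper left alone as legitimate.

```python
"""Diff two HijackThis logs and flag entries that need a manual look.
Added example, not from the thread; the marker list is a reviewer's checklist,
not a malware signature."""
import re

# Constructed samples: subsets of the logs posted on 16 November and 2 December.
LOG_NOV16 = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
"""

LOG_DEC02 = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
"""

# HijackThis entry lines look like "O23 - Service: ..."; header and process list do not.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")

# Markers a helper checks by hand before calling a log clean.
REVIEW_MARKERS = {
    "(file missing)": "points at a file that no longer exists",
    "Unknown owner": "service binary carries no vendor name",
    "(no name)": "BHO registered without a display name",
    "Unknown file in Winsock LSP": "LSP DLL not on HijackThis's known list",
}


def parse_hjt(text: str) -> list[tuple[str, str]]:
    """Return (section, body) for each entry line, in log order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def diff_logs(old_text: str, new_text: str):
    """(added, removed) between two scans; a line repeated in one log counts once."""
    old, new = set(parse_hjt(old_text)), set(parse_hjt(new_text))
    return sorted(new - old), sorted(old - new)


def flag_entries(entries: list[tuple[str, str]]) -> list[tuple[str, str, list[str]]]:
    """Entries that carry at least one review marker, deduplicated, with reasons."""
    flagged = []
    for section, body in dict.fromkeys(entries):   # dedupe while keeping order
        reasons = [why for marker, why in REVIEW_MARKERS.items() if marker in body]
        if reasons:
            flagged.append((section, body, reasons))
    return flagged


if __name__ == "__main__":
    added, removed = diff_logs(LOG_NOV16, LOG_DEC02)
    print("removed since last scan:")
    for s, b in removed:
        print(f"  - {s} - {b}")
    print("added since last scan:")
    for s, b in added:
        print(f"  + {s} - {b}")
    print("entries to verify by hand:")
    for s, b, why in flag_entries(parse_hjt(LOG_DEC02)):
        print(f"  ? {s} - {b[:60]}...  ({'; '.join(why)})")
```

On these samples the diff shows exactly what changed between the two posts: AVG Anti-Spyware's run entry and guard service went away, the AVG Free startup entry and alert service and a Shockwave Flash DPF control appeared, and nothing else moved. That, plus the flagged entries all being known-good, is the evidence behind the helper's "shows up clean".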

#25 htv8 (Members, 1,694 posts, Location: The Netherlands)

Posted 03 December 2006 - 05:04 AM

Your HijackThis log shows up clean. I do not think that traces of the initial infection may still be hidden. Spybot's detection of Smitfraud-C.Toolbar888 is probably a false positive. Its latest detection was. For more information, see this reference: Tablet PC functionality incorrectly labeled at Smitfraud-C.
The Virtumonde entry could easily have been a leftover which Spybot successfully deleted.

#26 super goku (Topic Starter, Members, 180 posts)

Posted 03 December 2006 - 10:57 AM

You guys are awesome!

Since I did select to fix the problems, should I do a system restore?

#27 htv8 (Members, 1,694 posts, Location: The Netherlands)

Posted 03 December 2006 - 01:02 PM

No, a system restore is not needed unless you experience any problems. :thumbsup:

#28 htv8 (Members, 1,694 posts, Location: The Netherlands)

Posted 15 December 2006 - 12:51 PM

As the problem here seems to be resolved, this topic is now closed.
To get it reopened, PM a staff member with the address of this thread. This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.

Glad we could help. :thumbsup: