
Smitfraud-c.toolbar888 And Revenue Links


  • This topic is locked
8 replies to this topic

#1 CanaryRob

  • Members
  • 4 posts

Posted 28 November 2006 - 03:04 PM

I recently had a bad spyware and virus spat. I used numerous tools (Ad-Aware, Spybot S&D, AVG and ZoneAlarm). All seemed to remove every bit apart from one: smitfraud-c.toolbar888. Ad-Aware and Spybot seem to remove it, but it will come back when I turn the PC back on. AVG Resident Shield picked up the .dll file it drops in temp now and again, and sometimes a .dll file in the Windows root.

Even scanning in Safe Mode it will come back. Fed up, I found and used the SmitFraud fix. smitfraud-c.toolbar888 doesn't appear in any more scans after following the instructions, but I'm still getting new tabs in both Firefox and IE redirecting to some revenue links. Funny thing is, according to those programs I mentioned earlier my PC is now clean of any viruses. Is this another piece of spyware that is being missed? Or has Smit gone rogue?

Logfile of HijackThis v1.99.1
Scan saved at 19:57:36, on 28/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Apps\ActivBoard\nhksrv.exe
R:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
R:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
R:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
R:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
R:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
R:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
R:\Program Files\Mozilla Firefox\firefox.exe
R:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\unzipped\hijackthis\hjtrenamedfiley.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {75E827CF-BC07-E986-7D51-BECE6DECB7C6} - C:\WINDOWS\system32\sarbmyq.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20F68E07-9BC4-010F-09C8-000E2A02DD90} - C:\WINDOWS\system32\xnvpscc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - R:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5E3987E7-5A2E-4911-B937-BE8279616E59} - C:\WINDOWS\system32\awtqn.dll
O2 - BHO: (no name) - {75E827CF-BC07-E986-7D51-BECE6DECB7C6} - C:\WINDOWS\system32\sarbmyq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IEWorkaround Class - {88C5C070-8C60-4f45-9345-3FFB96334CAD} - C:\Program Files\IE URL Spoofing Patch\IEWorkaround.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in_1.dll (file missing)
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "R:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EndTask Pro] R:\Program Files\EndTask\EndTask Pro\EndTaskPro.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] R:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Logitech SetPoint.lnk = R:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=www.packardbell.co.uk/center
O16 - DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} (Photosynth Class) - http://media.labs.live.com/all/ps/_code_/Photosynth.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/wdriver...soft/wtinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: wbsys.dll c:\windows\system32\wmfhotfix.dll
O20 - Winlogon Notify: awtqn - C:\WINDOWS\system32\awtqn.dll
O20 - Winlogon Notify: winwgl32 - winwgl32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - R:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - R:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Dacsm1 - - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Control Panel (Javacotr) - Unknown owner - C:\WINDOWS\system32\javacotr.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ATX Control Driver (msatxctrl) - Unknown owner - C:\WINDOWS\system32\ntosatx.exe (file missing)
O23 - Service: SMTP Server (mssmtp) - Unknown owner - c:\Progra~1\Microsoft.NET\Common\Binn\smtpsrv.exe (file missing)
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TCP System Driver (tcpsys) - Unknown owner - C:\WINDOWS\system32\rsvterm.exe (file missing)
O23 - Service: TVersityMediaServer - Unknown owner - R:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks.


#2 rookie147

  • Members
  • 5,321 posts

Posted 28 November 2006 - 05:44 PM

Hello CanaryRob, and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

Please take note of the following:
  • I will start working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
======

Open HijackThis
- Click the Config... button, then go to the Misc Tools section.
- Click on Open Uninstall Manager. You'll see a list of programs.
- Click on Save List...

The file "uninstall_list.txt" will be created. Copy and paste the contents of this file to your next reply.

======

Please post me back the Uninstall list.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 CanaryRob

  • Topic Starter
  • Members
  • 4 posts

Posted 28 November 2006 - 08:23 PM

AC3Filter (remove only)
Ad-Aware SE Personal
Adobe Acrobat 7.0.1 and Reader 7.0.1 Update
Adobe Acrobat 7.0.2 and Reader 7.0.2 Update
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Download Manager 2.0 (Remove Only)
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0
Adobe Stock Photos 1.0
Age of Empires III
Anark Client 2.0
AOL Instant Messenger
AVG Free Edition
AviSynth 2.5
Battlefield 2™
Belarc Advisor 7.0
Birmingham Motorplex
BitComet 0.70
CCleaner (remove only)
Celestia 1.4.1
ClockWise 3.30a
ColorNick v2 plugin for Messenger Plus!
ConTEXT
CreationCentre 2005
DAEMON Tools
Defcon
DH Driver Cleaner Professional Edition
DivX
DivX 5.0.2 Pro Bundle
DivX Player
Eastern Creek International Raceway Track for rFactor
English Superpack
EVE-ONLINE (remove only)
Exact Audio Copy PSP Edition 1.0
FaceGen Modeller 3.1 Demo
File Transfer Plus 1.1 RELEASE
FileZilla (remove only)
FireTune
Fraps
FTP Commander Pro
Fusion Pack Source
Google Earth
Grand Theft Auto Vice City
GTA2
GTAIII
Half-Life® 2
HattrickOk
HD Tune 2.50
Hex Workshop v4.23
HijackThis 1.99.1
Hot CPU Tester Pro 4.2.2 Lite Edition
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
IconPackager
IE Host R3
IMG Tool (remove only)
Ink
iTunes
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_05
Java 2 Runtime Environment, SE v1.4.2_06
Konfabulator
Labtec WebCam
LAGO Emma Field 2004
LAGO FS Enhancer 1.02
Logitech IM Video Companion
Logitech SetPoint
Lost Dharma Project
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8
Macromedia Flash Player 8 Plugin
Macromedia Shockwave Player
MediaTickets by OIN
Messenger Plus! 3
Messenger Plus! Live
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft ActiveX Control Pad
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft XML Parser and SDK
MINERVA: Metastasis 2
mIRC
Motherboard Monitor 5
Mozilla Firefox (0.8.)
Mozilla Firefox (1.5.0.7)
Mozilla Firefox (2.0)
Mozilla Thunderbird (0.7.3)
Mozilla Thunderbird (1.0)
Mozilla Thunderbird (1.0.7)
MSXML 4.0 SP2 Parser and SDK
MySQL Servers and Clients 3.23.52
Narbacular Drop version 1.4
New Star Soccer 3
NVIDIA Drivers
Object Desktop
OpenOffice.org 2.0
Openwares IE Security Patch
Opera
Paint Shop Pro 7
PBP Unpacker v0.94
Pivot Stickfigure Animator
Privateer
Project64 1.6
PSP Video 9 1.74
PSP WIFI Max
QuickTime
Radeon Omega Drivers v3.8.231 Setup Files and Tools
RealPlayer
Remove UK2000 Part 4 files
rFactor (remove only)
RocketDock
Rockstar Custom Tracks 1.0
Rockstar North Gangs Screen Saver
RPG Maker XP - Postality Knights Edition ENHANCED
RPGToolkit, Version 3.0.6
Saitek NT Controller Drivers
SCC 1.0
screen_1024x768 Screen Saver
SecondLife (remove only)
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Sensational Soccer
Shareaza version 2.2.1.0
Shockwave
SigmaTel C-Major Audio
SketchUp 4.0
SketchUp 5
SkinStudio
Skype 2.0
SpeedFan (remove only)
Spybot - Search & Destroy 1.4
Steam™
StuffPlug-NG (Messenger Plus! Plugins)
System Requirements Lab
TeamSpeak 2 RC2
Texturizer
Theme Creator Pro 3.1.260 SR-1
Trillian
TuneXP 1.5
TVersity Media Server 0.9.8.2a (beta)
TVUPlayer 2.2.0
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
VERITAS RecordNow DX
VideoLAN VLC media player 0.8.5
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Wave11 MSN
WBE_PSP
Winamp (remove only)
Windows Driver Package - MSN (usbccgp) USB (04/19/2006 1.1.0.2)
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows WMF Metafile Vulnerability HotFix 1.2
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
WinZip
XBCD 1.07
Xbox 360 Controller for Windows
XBOX to USB converter
Xfire (remove only)
XviD Video Codec 04102002-1 (Koepi's build with EPSZ ME)
ZModeler (remove only)
ZoneAlarm
Zune Desktop Theme
ZyDAS IEEE 802.11 b+g Wireless LAN - USB

Thanks

#4 rookie147

  • Members
  • 5,321 posts

Posted 29 November 2006 - 03:41 PM

Hello CanaryRob, sorry for the delay in getting back to you.

======

Please download VundoFix.exe to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove.
VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

======

Please post me back a new HijackThis log.
Thanks,
Charles



#5 CanaryRob

  • Topic Starter
  • Members
  • 4 posts

Posted 29 November 2006 - 08:11 PM

No problem.

Logfile of HijackThis v1.99.1
Scan saved at 01:06:37, on 30/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
R:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
R:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
R:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
R:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
R:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
R:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
R:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
R:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Jasc Software Inc\Paint Shop Pro 7\psp.exe
C:\unzipped\hijackthis\hjtrenamedfiley.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {75E827CF-BC07-E986-7D51-BECE6DECB7C6} - C:\WINDOWS\system32\sarbmyq.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20F68E07-9BC4-010F-09C8-000E2A02DD90} - C:\WINDOWS\system32\xnvpscc.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - R:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5E3987E7-5A2E-4911-B937-BE8279616E59} - C:\WINDOWS\system32\awtqn.dll (file missing)
O2 - BHO: (no name) - {75E827CF-BC07-E986-7D51-BECE6DECB7C6} - C:\WINDOWS\system32\sarbmyq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IEWorkaround Class - {88C5C070-8C60-4f45-9345-3FFB96334CAD} - C:\Program Files\IE URL Spoofing Patch\IEWorkaround.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in_1.dll (file missing)
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "R:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EndTask Pro] R:\Program Files\EndTask\EndTask Pro\EndTaskPro.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] R:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Logitech SetPoint.lnk = R:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=www.packardbell.co.uk/center
O16 - DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} (Photosynth Class) - http://media.labs.live.com/all/ps/_code_/Photosynth.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/wdriver...soft/wtinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: wbsys.dll c:\windows\system32\wmfhotfix.dll
O20 - Winlogon Notify: winwgl32 - winwgl32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - R:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - R:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Dacsm1 - - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Control Panel (Javacotr) - Unknown owner - C:\WINDOWS\system32\javacotr.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ATX Control Driver (msatxctrl) - Unknown owner - C:\WINDOWS\system32\ntosatx.exe (file missing)
O23 - Service: SMTP Server (mssmtp) - Unknown owner - c:\Progra~1\Microsoft.NET\Common\Binn\smtpsrv.exe (file missing)
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TCP System Driver (tcpsys) - Unknown owner - C:\WINDOWS\system32\rsvterm.exe (file missing)
O23 - Service: TVersityMediaServer - Unknown owner - R:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#6 rookie147

  • Members
  • 5,321 posts

Posted 30 November 2006 - 11:28 AM

Sorry, I didn't make it clear enough. Can I have the VundoFix log too, please?



#7 CanaryRob

  • Topic Starter
  • Members
  • 4 posts

Posted 30 November 2006 - 06:25 PM

Sorry


VundoFix V6.2.13

Checking Java version...

Java version is 1.4.2.5

Java version is 1.4.2.6

Java version is 1.5.0.6

Scan started at 19:08:40 29/11/2006

Listing files found while scanning....

C:\WINDOWS\system32\xnvpscc.dll
C:\WINDOWS\system32\awtqn.dll
C:\WINDOWS\system32\nqtwa.ini
C:\WINDOWS\system32\nqtwa.bak1
C:\WINDOWS\system32\nqtwa.bak2
C:\WINDOWS\system32\nqtwa.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\xnvpscc.dll
C:\WINDOWS\system32\xnvpscc.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\awtqn.dll
C:\WINDOWS\system32\awtqn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqtwa.ini
C:\WINDOWS\system32\nqtwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqtwa.bak1
C:\WINDOWS\system32\nqtwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqtwa.bak2
C:\WINDOWS\system32\nqtwa.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\xnvpscc.dll
C:\WINDOWS\system32\xnvpscc.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Java version is 1.4.2.5

Java version is 1.4.2.6

Java version is 1.5.0.6

Scan started at 19:33:57 29/11/2006

Listing files found while scanning....

No infected files were found.
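The VundoFix log above shows the caveat from post #4 in practice: xnvpscc.dll could not be deleted on the first pass (a DLL registered as a BHO or Winlogon Notify handler is loaded into running processes and stays locked) and only went on the reboot pass, while nqtwa.tmp was listed but never attempted at all. The Python script below is an added example, not part of this thread and not VundoFix's own code; it parses such a log (the sample text is copied from the log posted above) and reports, per listed file, whether it was deleted outright, needed the reboot pass, never got deleted, or was never attempted. The line patterns it relies on ("Attempting to delete X", "X Has been deleted!", "X Could not be deleted.") are assumptions taken from this log's wording, not a documented VundoFix format.

```python
"""Summarise a VundoFix log: per listed file, deleted outright, deleted only
on the reboot pass, never deleted, or listed but never attempted.

Added example, not part of this thread and not VundoFix's own code. The
sample log is copied from the log posted in this thread; the line patterns
the parser relies on are assumptions taken from that log's wording.
"""

SAMPLE_LOG = r"""
VundoFix V6.2.13

Checking Java version...

Java version is 1.4.2.5

Scan started at 19:08:40 29/11/2006

Listing files found while scanning....

C:\WINDOWS\system32\xnvpscc.dll
C:\WINDOWS\system32\awtqn.dll
C:\WINDOWS\system32\nqtwa.ini
C:\WINDOWS\system32\nqtwa.bak1
C:\WINDOWS\system32\nqtwa.bak2
C:\WINDOWS\system32\nqtwa.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\xnvpscc.dll
C:\WINDOWS\system32\xnvpscc.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\awtqn.dll
C:\WINDOWS\system32\awtqn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqtwa.ini
C:\WINDOWS\system32\nqtwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqtwa.bak1
C:\WINDOWS\system32\nqtwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqtwa.bak2
C:\WINDOWS\system32\nqtwa.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\xnvpscc.dll
C:\WINDOWS\system32\xnvpscc.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Scan started at 19:33:57 29/11/2006

Listing files found while scanning....

No infected files were found.
"""

ATTEMPT = "Attempting to delete "
LISTING = "Listing files found while scanning"


def parse_vundofix_log(text):
    """Return (listed_paths, attempts): every path the scan listed, and a map
    from path to the ordered outcomes (True = deleted) of each removal try."""
    listed, attempts = [], {}
    in_listing, pending = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(LISTING):
            in_listing = True
        elif line.startswith("Beginning removal") or line.startswith("No infected files"):
            in_listing = False
        elif line.startswith(ATTEMPT):
            in_listing = False
            pending = line[len(ATTEMPT):]          # verdict follows on the next line
            attempts.setdefault(pending, [])
        elif pending is not None and line.startswith(pending + " "):
            verdict = line[len(pending) + 1:]
            attempts[pending].append(verdict.startswith("Has been deleted"))
            pending = None
        elif in_listing and line not in listed:
            listed.append(line)                     # a path inside the listing block
    return listed, attempts


def summarise(text):
    """Bucket each listed file by what actually happened to it across passes."""
    listed, attempts = parse_vundofix_log(text)
    result = {"deleted": [], "needed_reboot": [], "failed": [], "never_attempted": []}
    for path in listed:
        outcomes = attempts.get(path, [])
        if not outcomes:
            result["never_attempted"].append(path)   # follow up by hand
        elif outcomes[0]:
            result["deleted"].append(path)
        elif any(outcomes):
            # First pass failed (file locked by a running process), a later pass
            # after reboot succeeded: the case post #4 warns about.
            result["needed_reboot"].append(path)
        else:
            result["failed"].append(path)            # still on disk, follow up
    return result


if __name__ == "__main__":
    for status, paths in summarise(SAMPLE_LOG).items():
        print(f"{status}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

Anything that lands in `failed` or `never_attempted` is what the helper's next step in this thread covers by hand: boot to Safe Mode, show hidden files and check whether the file is still present.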

#8 rookie147

  • Members
  • 5,321 posts

Posted 02 December 2006 - 05:05 AM

Hello CanaryRob

Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible, especially whilst in Safe Mode (you can't use the Internet there).

======

Please disable Spybot S&D TeaTimer, as it may hinder the removal of the infection. You can enable it after you're clean.
To disable SpybotSD TeaTimer:
Open Spybot and click on Mode and check Advanced Mode
Check Yes to next window.
Click on Tools in bottom left hand corner.
Press on System Startup icon.
Uncheck Teatimer box.
Click Allow Change box.

If you still need help with how to disable Teatimer please see here.

======

Go to Start | Control Panel | Add/Remove Programs and remove the following (if they exist):

BitComet 0.70
ColorNick v2 plugin for Messenger Plus!
IE Host R3
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_05
Java 2 Runtime Environment, SE v1.4.2_06
MediaTickets by OIN
Messenger Plus! 3
Messenger Plus! Live
Shareaza version 2.2.1.0
StuffPlug-NG (Messenger Plus! Plugins)


Viewpoint Manager (Remove Only)
Viewpoint Media Player

Viewpoint components are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting "Disable auto-updating for the Viewpoint Manager", the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.



I recommend that you remove the Viewpoint products; however, decide for yourself.

======

You're using an outdated version of Java (latest one is Java Runtime Environment (JRE) 5.0 Update 9). Please update to the latest version, as older ones can be exploited by malware:
Download and install the newest version from here:
Java Runtime Environment (JRE) 5.0 Update 9

======

Copy and paste the following text into Notepad:
sc delete Javacotr
sc delete msatxctrl
sc delete tcpsys
del services.bat
Save this as "services.bat" (choose "All Files" as the save type) and place it on your Desktop.
Double-click services.bat. Soon it should disappear from your Desktop; this is fine.

======

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

R3 - URLSearchHook: (no name) - {75E827CF-BC07-E986-7D51-BECE6DECB7C6} - C:\WINDOWS\system32\sarbmyq.dll
O2 - BHO: (no name) - {20F68E07-9BC4-010F-09C8-000E2A02DD90} - C:\WINDOWS\system32\xnvpscc.dll (file missing)
O2 - BHO: (no name) - {5E3987E7-5A2E-4911-B937-BE8279616E59} - C:\WINDOWS\system32\awtqn.dll (file missing)
O2 - BHO: (no name) - {75E827CF-BC07-E986-7D51-BECE6DECB7C6} - C:\WINDOWS\system32\sarbmyq.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in_1.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/wdriver...soft/wtinst.cab
O20 - Winlogon Notify: winwgl32 - winwgl32.dll (file missing)
O23 - Service: Dacsm1 - - (no file)
O23 - Service: Java Control Panel (Javacotr) - Unknown owner - C:\WINDOWS\system32\javacotr.exe (file missing)
O23 - Service: ATX Control Driver (msatxctrl) - Unknown owner - C:\WINDOWS\system32\ntosatx.exe (file missing)
O23 - Service: TCP System Driver (tcpsys) - Unknown owner - C:\WINDOWS\system32\rsvterm.exe (file missing)


Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

======

Now, please reboot your computer into Safe Mode. This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep. Then select Safe Mode from the list.

======

Please set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

======

Next, please find and delete the following files (if present):

C:\WINDOWS\system32\sarbmyq.dll
C:\WINDOWS\system32\xnvpscc.dll
C:\WINDOWS\system32\awtqn.dll
C:\WINDOWS\system32\sarbmyq.dll
C:\WINDOWS\system32\javacotr.exe
C:\WINDOWS\system32\ntosatx.exe
C:\WINDOWS\system32\rsvterm.exe

And delete these folders:

C:\Program Files\VSAdd-in
C:\Program Files\BitComet
C:\Program Files\ColorNick
C:\Program Files\IE Host R3
C:\Program Files\MediaTickets by OIN
C:\Program Files\Messenger Plus! 3
C:\Program Files\Messenger Plus! Live
C:\Program Files\Shareaza
C:\Program Files\StuffPlug-NG

These two folders if you removed Viewpoint Manager:

C:\Program Files\Viewpoint Manager
C:\Program Files\Viewpoint Media Player

======

Reboot into Normal Mode.

======

Please visit the online Jotti Virus Scanner
Click on Browse button.
Copy and paste the following filepath in the box:

C:\Program Files\Microsoft.NET\Common\Binn\smtpsrv.exe

Click on the Open button.
The scanner will check the file with various AV companies.
Copy and paste the results box into a reply to this thread.

======

Please post me back a new Hijackthis log and the Jotti results.
Thanks,
Charles

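The checklist in the post above is the result of reading a HijackThis log the way a responder does: entries whose registry record points at a file that is gone ("(file missing)", "(no file)"), unnamed browser components loaded from system32, an ActiveX download with no class name, and a Winlogon Notify handler that no longer exists on disk. The Python script below is an added example, not part of this thread and not HijackThis's own logic; it parses the log lines (copied from the second log posted in this thread) and produces that worklist. The rules are assumptions written for this example, not a detection standard: against this log they select the 13 entries the helper checkmarked plus one more, the mssmtp service (Unknown owner, file reported missing), which the helper chose to have scanned at Jotti rather than fixed outright.

```python
"""Triage a HijackThis log: produce the worklist a responder would start from.

Added example, not part of this thread and not HijackThis's own logic. The
log lines are copied from the second HijackThis log posted in this thread;
the flagging rules are assumptions written for this example. Treat the
output as a worklist to verify, not a verdict.
"""
import re
from dataclasses import dataclass

SAMPLE_HJT = r"""
R3 - URLSearchHook: (no name) - {75E827CF-BC07-E986-7D51-BECE6DECB7C6} - C:\WINDOWS\system32\sarbmyq.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20F68E07-9BC4-010F-09C8-000E2A02DD90} - C:\WINDOWS\system32\xnvpscc.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - R:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5E3987E7-5A2E-4911-B937-BE8279616E59} - C:\WINDOWS\system32\awtqn.dll (file missing)
O2 - BHO: (no name) - {75E827CF-BC07-E986-7D51-BECE6DECB7C6} - C:\WINDOWS\system32\sarbmyq.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in_1.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] "R:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} (Photosynth Class) - http://media.labs.live.com/all/ps/_code_/Photosynth.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/wdriver...soft/wtinst.cab
O20 - AppInit_DLLs: wbsys.dll c:\windows\system32\wmfhotfix.dll
O20 - Winlogon Notify: winwgl32 - winwgl32.dll (file missing)
O23 - Service: Dacsm1 - - (no file)
O23 - Service: Java Control Panel (Javacotr) - Unknown owner - C:\WINDOWS\system32\javacotr.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ATX Control Driver (msatxctrl) - Unknown owner - C:\WINDOWS\system32\ntosatx.exe (file missing)
O23 - Service: SMTP Server (mssmtp) - Unknown owner - c:\Progra~1\Microsoft.NET\Common\Binn\smtpsrv.exe (file missing)
O23 - Service: TCP System Driver (tcpsys) - Unknown owner - C:\WINDOWS\system32\rsvterm.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


@dataclass
class Finding:
    severity: str   # "fix": orphaned record or unnamed loader; "review": verify by hand
    reason: str
    line: str


MISSING = ("(file missing)", "(no file)")
LOADER_SECTIONS = {"R3", "O2", "O3"}   # URLSearchHook, BHO, toolbar: all run inside the browser


def parse_entry(line):
    """Split 'O2 - BHO: name - {CLSID} - path' into (section code, fields)."""
    section, _, rest = line.partition(" - ")
    return section, rest.split(" - ")


def triage_line(line):
    """Apply the rules in priority order; return a Finding or None."""
    section, fields = parse_entry(line)
    path = fields[-1]
    if any(m in line for m in MISSING):
        return Finding("fix", "registry record points at a file that no longer exists", line)
    if section in LOADER_SECTIONS and "(no name)" in line and "\\system32\\" in path.lower():
        return Finding("fix", "unnamed browser component loaded from system32", line)
    if section == "O16" and not re.search(r"\}\s+\(.+\)\s+-", line):
        return Finding("fix", "ActiveX download (DPF) with no registered class name", line)
    if section == "O20":
        return Finding("review", "AppInit_DLLs / Winlogon Notify is a persistence point; verify each DLL", line)
    return None


def triage(text):
    """Findings for every non-blank line of the log, in log order."""
    lines = (l.strip() for l in text.splitlines())
    return [f for f in (triage_line(l) for l in lines if l) if f]


def fix_lines(text):
    """Just the lines a responder would checkmark for removal."""
    return [f.line for f in triage(text) if f.severity == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Two design points. "Fix" only ever targets a registry record (that is also all `sc delete` in the services.bat step does); the files themselves are a separate step, which is why the post above goes on to Safe Mode and manual deletion. And the "(no name)" rule deliberately requires the DLL to sit in system32, so Spybot's SDHelper.dll, which is also registered without a name but lives under its own program folder, is left alone.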


#9 rookie147

  • Members
  • 5,321 posts

Posted 09 December 2006 - 05:06 PM

Due to lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
