
My Log


9 replies to this topic

#1 majinsnake

majinsnake

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:33 AM

Posted 06 June 2007 - 07:33 PM

This whole thing is about Smitfraud. Earlier today I read a post by someone who had the same thing as me, and I tried to follow it for my issue. Part of it worked, like the VundoFix that got rid of vtsts.dll, and HijackThis that got rid of biprep, wml and stcloader. I know I do not need to run VundoFix again. I tried to run GMER, and during regular PC usage my system reboots. I probably deleted some file I need, or the virus is rebooting my system on its own whatever I am doing for it to be like that. I'd just like to get rid of it, because I know I will be doing a reinstall real soon. Last night I did get an overflow of memory error when using Firefox to run HouseCall. Hence the error. I'd like to get rid of it first, then save crap on my 2nd HDD and perform a reinstall.

Well, I sent a message to him and Richie. Richie, if I sounded too blunt or stubborn... no offense.

There is a reg file I'd like to remove, called the core: "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\core", and the other ControlSets. I have core.sys off my PC, but regedit won't let me remove it. I know that's Smitfraud and the base.



Logfile of HijackThis v1.99.1
Scan saved at 8:31:25 PM, on 6/6/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
E:\programs\netgear\wlancfg5.exe
E:\programs\firefox\firefox.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\programs\winrar\WinRAR.exe
C:\DOCUME~1\brad\LOCALS~1\Temp\Rar$EX04.375\HijackThis.exe

O2 - BHO: (no name) - {9F93047F-FCAE-4A7B-B12F-7888E62D2767} - C:\WINDOWS\System32\vtsts.dll (file missing)
O2 - BHO: (no name) - {A3DC6342-18C4-4A80-A5C0-57C32DF598A3} - \
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] E:\programs\avg\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Washer] E:\programs\washer\washer.exe /0
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: NETGEAR WG311T Wireless Assistant.lnk = E:\programs\netgear\wlancfg5.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\programs\java\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\programs\java\bin\npjpi142.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\programs\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\programs\avast\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\programs\avast\ashServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\programs\avg\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\programs\avg\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - Unknown owner - C:\WINDOWS\System32\PackethSvc.exe (file missing)



SmitFraudFix log: I did delete some files in the Winlogon section pertaining to the DLLs at the top.

SmitFraudFix v2.192

Scan done at 19:49:17.42, Wed 06/06/2007
Run from C:\Documents and Settings\brad\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{8F7E9061-EA55-424A-ABD3-E68C3F818BEC}: DhcpNameServer=205.152.37.23 205.152.132.23
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8F7E9061-EA55-424A-ABD3-E68C3F818BEC}: DhcpNameServer=205.152.37.23 205.152.132.23
HKLM\SYSTEM\CS2\Services\Tcpip\..\{8F7E9061-EA55-424A-ABD3-E68C3F818BEC}: DhcpNameServer=205.152.37.23 205.152.132.23
HKLM\SYSTEM\CS3\Services\Tcpip\..\{8F7E9061-EA55-424A-ABD3-E68C3F818BEC}: DhcpNameServer=205.152.37.23 205.152.132.23
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=205.152.37.23 205.152.132.23
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=205.152.37.23 205.152.132.23


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Edited by majinsnake, 06 June 2007 - 09:10 PM.




#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:04:33 PM

Posted 07 June 2007 - 06:58 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, majinsnake :thumbsup:

You've got Avast Antivirus and AVG7 Free Antivirus installed.
Not a good idea to have more than one antivirus program installed on your computer.
Each program may interpret the actions of the other as viral, therefore giving you false virus warnings about virus-related activities.
It could also lead to system slowdowns and other problems within the operating system, due to the two conflicting with each other.
You should uninstall one or the other as soon as possible, then restart your PC.

****************************

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

****************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log please.


#3 majinsnake

majinsnake
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:33 AM

Posted 07 June 2007 - 10:45 AM

VundoFix found no infected files.

ComboFix log:

"brad" - 2007-06-07 11:32:34 Service Pack 1 NTFS
ComboFix 07-06-06 - Running from: ""


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\core


((((((((((((((((((((((((( Files Created from 2007-05-07 to 2007-06-07 )))))))))))))))))))))))))))))))


2007-06-07 11:32 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-07 11:26 <DIR> d-------- C:\VundoFix Backups
2007-06-07 00:28 <DIR> d-------- C:\Program Files\Common Files\Webroot Shared
2007-06-07 00:28 <DIR> d-------- C:\DOCUME~1\brad\APPLIC~1\Webroot
2007-06-07 00:27 58,368 --a------ C:\WINDOWS\Unwash6.exe
2007-06-07 00:27 486,400 --a------ C:\WINDOWS\system32\wwSecure.exe
2007-06-06 19:41 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-06-06 19:41 1,698 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-06 18:40 5 --ahs---- C:\WINDOWS\system32\adcfac0_g.dll
2007-06-06 17:35 <DIR> d-------- C:\!KillBox
2007-06-06 15:59 3,225 --a------ C:\WINDOWS\mozver.dat
2007-06-06 03:26 <DIR> d-------- C:\DOCUME~1\brad\APPLIC~1\HouseCall 6.6
2007-06-05 18:55 99,965 --a------ C:\WINDOWS\UninstallFirefox.exe
2007-06-05 18:55 <DIR> d-------- C:\DOCUME~1\brad\APPLIC~1\Talkback
2007-06-05 16:36 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-06-05 16:18 <DIR> d--h----- C:\WINDOWS\PIF
2007-06-05 06:15 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-05 05:44 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-05-31 23:15 <DIR> d-------- C:\Program Files\DivX
2007-05-27 16:18 <DIR> d-------- C:\DOCUME~1\brad\APPLIC~1\Error Safe Free
2007-05-27 16:13 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-05-27 16:07 <DIR> d-------- C:\DOCUME~1\brad\.housecall6.6
2007-05-27 10:30 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-05-27 10:30 <DIR> d-------- C:\DOCUME~1\brad\SmitfraudFix
2007-05-27 07:35 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-05-27 07:35 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-05-27 03:40 1 --a------ C:\WINDOWS\system32\ps.dat
2007-05-26 16:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-26 11:12 1,081,344 --a------ C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-26 10:08 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ
2007-05-14 10:44 <DIR> d-------- C:\DOCUME~1\brad\APPLIC~1\Lavasoft
2007-05-11 13:37 43,008 --a------ C:\WINDOWS\unwash.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-05 06:11:47 -------- d--h--w C:\Program Files\WindowsUpdate
2007-06-05 05:57:35 12,800 ----a-w C:\WINDOWS\system32\svchost.exe
2007-06-03 03:24:03 -------- d-----w C:\Program Files\Messenger
2007-05-18 17:48:50 -------- d-----w C:\Program Files\AOD
2007-05-13 16:05:42 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-29 06:07:08 37,172 ----a-w C:\WINDOWS\DIIUnin.dat
2007-04-29 06:03:16 21,840 ----a-w C:\WINDOWS\system32\SIntfNT.dll
2007-04-29 06:03:16 17,212 ----a-w C:\WINDOWS\system32\SIntf32.dll
2007-04-29 06:03:16 12,067 ----a-w C:\WINDOWS\system32\SIntf16.dll
2007-04-29 05:52:01 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2007-04-29 05:52:01 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
2007-04-26 17:50:36 -------- d-----w C:\DOCUME~1\brad\APPLIC~1\Real
2007-04-26 17:46:52 -------- d-----w C:\Program Files\Common Files\xing shared
2007-04-26 17:46:47 -------- d-----w C:\Program Files\Common Files\Real
2007-04-26 17:42:35 -------- d-----w C:\Program Files\Real
2007-04-22 08:29:17 -------- d-----w C:\Program Files\Movie Maker
2007-04-21 21:49:45 -------- d-----w C:\DOCUME~1\brad\APPLIC~1\Apple Computer
2007-04-21 18:06:55 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-20 14:18:37 -------- d-----w C:\Program Files\Common Files\Ahead
2007-04-19 17:55:08 -------- d-----w C:\Program Files\Ahead
2007-04-19 17:20:51 49,152 ----a-w C:\WINDOWS\system32\MultiSZ.dll
2007-04-19 17:20:40 757,760 ------w C:\WINDOWS\Unnero.exe
2007-04-18 16:42:48 784 ----a-w C:\DOCUME~1\brad\APPLIC~1\mpauth.dat
2007-04-14 17:51:12 -------- d-----w C:\Program Files\ATI Technologies
2007-04-14 16:04:13 -------- d-----w C:\DOCUME~1\brad\APPLIC~1\Help
2007-04-14 15:57:23 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-08 15:53:00 -------- d-----w C:\Program Files\iPod
2007-04-08 14:36:17 0 ----a-w C:\WINDOWS\nsreg.dat
2007-04-08 14:25:00 -------- d-----w C:\Program Files\VIAudioi
2007-04-08 13:09:22 -------- d-----w C:\DOCUME~1\brad\APPLIC~1\Aim
2007-04-08 13:08:59 -------- d-----w C:\Program Files\Viewpoint
2007-04-05 09:44:49 1,392,671 ----a-w C:\WINDOWS\system32\msvbvm60.dll
2007-03-29 07:17:28 0 --sha-r C:\MSDOS.SYS
2007-03-29 07:17:28 0 --sha-r C:\IO.SYS
2007-03-29 07:17:28 0 ----a-w C:\CONFIG.SYS
2007-03-29 07:17:28 0 ----a-w C:\AUTOEXEC.BAT
2007-03-29 07:13:52 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-03-15 16:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 16:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Loadout Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Loadout Manager.lnk
backup=C:\WINDOWS\pss\Loadout Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^brad^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=C:\Documents and Settings\brad\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=C:\WINDOWS\pss\ERUNT AutoBackup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2621315687.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApachInc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck]
C:\Program Files\VIAudioi\SBADeck\ADeck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
E:\programs\avast\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
E:\programs\avg\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Brave-Sentry]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Configuration Manager]
C:\WINDOWS\cfg32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\csrss]
C:\WINDOWS\csrss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Genuine]
rundll32.exe "C:\WINDOWS\System32\iitixjtl.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itrtgnyA]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"E:\programs\itunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"E:\programs\quicktime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\retadpu27.exe 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Service Pack 1]
C:\WINDOWS\System32\vexg6ame4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup]
rundll32.exe "C:\WINDOWS\System32\pkpfbejo.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spoolsvv]
C:\WINDOWS\System32\spoolsvv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]
C:\WINDOWS\System32\kernels32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Washer]
E:\programs\washer\washer.exe /0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
E:\programs\Webroot\Washer\wwDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
C:\Windows\xpupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsHive]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMDM PMSP Service]
C:\WINDOWS\system32\cssrss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-07 11:34:59
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-07 11:35:32 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-07 11:35

--- E O F ---




HijackThis:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
E:\programs\netgear\wlancfg5.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\wwSecure.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\brad\Desktop\HijackThis.exe

O4 - Global Startup: NETGEAR WG311T Wireless Assistant.lnk = E:\programs\netgear\wlancfg5.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\programs\java\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\programs\java\bin\npjpi142.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\programs\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\programs\avast\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\programs\avast\ashServ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - Unknown owner - C:\WINDOWS\System32\PackethSvc.exe (file missing)
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\System32\wwSecure.exe

The PackethSvc.exe... that's AOL. Took that off a while ago. Also, know that the spyware came on my system May 26th through June 3rd.

Edited by majinsnake, 07 June 2007 - 10:50 AM.


#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:04:33 PM

Posted 07 June 2007 - 11:03 AM

Go here: http://virusscan.jotti.org/
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\adcfac0_g.dll
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply please.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\adcfac0_g.dll
Then click on 'Send'.
Post the results into your next reply please.

*********************

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Folders to delete:
C:\DOCUME~1\brad\APPLIC~1\Error Safe Free
C:\WINDOWS\system32\T1QaSQ
C:\Program Files\Viewpoint

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

*********************

First back up the registry.
Click on Start > Run, copy and paste the following bold text into the 'Open:' space, then press OK.
regedit /e c:\registrybackup.reg
It won't appear to be doing anything,that's normal.
Your mouse pointer may have an hour glass along side it for a minute or so.
Please be patient and continue when the hour glass disappears.

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry, then reboot.

REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2621315687.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Brave-Sentry]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itrtgnyA]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Service Pack 1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spoolsvv]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]


Restart your PC.
Post the online file scan results and the Avenger output.txt in your next reply.

Let me know how your PC is running now please.

Edited by RichieUK, 07 June 2007 - 11:04 AM.

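As an added example (not code from this thread, nor from ComboFix, HijackThis or Avenger), the following Python script parses the msconfig\startupreg section of the ComboFix log posted above and applies a few assumed triage heuristics (empty keys, purely numeric names, look-alikes of core Windows process names, system process names outside their normal directory, executables dropped straight into the Windows directory), then emits a REGEDIT4 deletion script in the same format as the fix.reg RichieUK posted. The sample block is a constructed subset of the log's own lines, and every hit is a candidate for an analyst to review, not a verdict.

```python
"""Heuristic triage of msconfig startupreg entries from a ComboFix log.
Added example for this thread (not code from the thread, ComboFix or HijackThis);
SAMPLE is a constructed subset of the log above and the rules are assumed
heuristics: a hit marks an entry for review, it is not a verdict."""
import ntpath
import re
from typing import Dict, List, Tuple

STARTUPREG = r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg"
KEY_RE = re.compile(r"^\[" + re.escape(STARTUPREG) + r"\\(.+)\]$", re.IGNORECASE)

# Constructed sample: a subset of the startupreg blocks from the log above.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2621315687.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
E:\programs\avast\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\csrss]
C:\WINDOWS\csrss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spoolsvv]
C:\WINDOWS\System32\spoolsvv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]
C:\WINDOWS\System32\kernels32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
C:\Windows\xpupdate.exe
"""

# Core XP binaries whose names get imitated, each with the (lower-cased) name
# of the directory the genuine file lives in.
SYSTEM_STEMS = {"csrss": "system32", "smss": "system32", "winlogon": "system32",
                "services": "system32", "lsass": "system32", "svchost": "system32",
                "spoolsv": "system32", "kernel32": "system32", "explorer": "windows"}

def parse_startupreg(text: str) -> List[Tuple[str, str]]:
    """Return (entry name, command) pairs; command is '' when the key is empty."""
    entries: List[Tuple[str, str]] = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = KEY_RE.match(line.strip())
        if not m:
            continue
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        entries.append((m.group(1), "" if nxt.startswith("[") else nxt))
    return entries

def first_path(cmd: str) -> str:
    """The program path at the start of a command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""

def within_one_edit(a: str, b: str) -> bool:
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    i = 0
    while i < len(short) and short[i] == long_[i]:
        i += 1
    return short[i:] == long_[i + 1:]

def triage(name: str, cmd: str) -> List[str]:
    """Reasons an entry deserves a closer look; an empty list means nothing was noted."""
    reasons: List[str] = []
    if not cmd:
        reasons.append("key has no command value (leftover or emptied entry)")
    if ntpath.splitext(name)[0].isdigit():
        reasons.append("entry name is purely numeric")
    path = first_path(cmd)
    directory, base = ntpath.split(path)
    stem = ntpath.splitext(base)[0].lower()
    dir_tail = ntpath.basename(directory).lower()
    if stem in SYSTEM_STEMS and dir_tail != SYSTEM_STEMS[stem]:
        reasons.append(f"system process name '{base}' outside its normal directory")
    for known in SYSTEM_STEMS:
        if within_one_edit(stem, known):
            reasons.append(f"'{base}' is one character off the system binary '{known}'")
    if path and dir_tail == "windows" and stem != "explorer":
        reasons.append(f"executable placed directly in the Windows directory: {path}")
    return reasons

def triage_log(text: str) -> Dict[str, List[str]]:
    """Map every flagged entry name to its reasons."""
    results = ((n, triage(n, c)) for n, c in parse_startupreg(text))
    return {n: r for n, r in results if r}

def fix_reg(names: List[str]) -> str:
    """REGEDIT4 script deleting the chosen keys, in the format of the fix.reg above."""
    return "REGEDIT4\n" + "".join(f"[-{STARTUPREG}\\{n}]\n" for n in names)
```

Running `triage_log(SAMPLE)` leaves the avast! and KernelFaultCheck entries unflagged and lists reasons for the rest; the analyst then decides which names to hand to `fix_reg`.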

#5 majinsnake

majinsnake
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:33 AM

Posted 07 June 2007 - 11:55 AM

That file that was scanned had no virus.


Avenger:
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Error: selected file does not appear to be a valid script.
Error code: 1813

That's probably because Avenger doesn't like the shortness/shortcut to the first dir, C:\DOCUME~1\brad\APPLIC~1\Error Safe Free.

Merged the reg file, and it loads sites up slower. It did that for a few seconds, but now it doesn't. Might still happen on reboots, like when I was getting popups from IE. My PC does not start up slower like it did 2 days ago from that svchost virus off Smitfraud that causes high network activity. It made me wait about 3 minutes before I could use the PC.

Edited by majinsnake, 07 June 2007 - 11:58 AM.


#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:04:33 PM

Posted 07 June 2007 - 12:17 PM

Download and scan with the free 15-day trial of CounterSpy V2.
Save the report when it's finished:
1. Once CounterSpy has done scanning, the 'Scan Results' box will appear.
2. Click on 'View Results'.
3. Under (Recommended Action), using the drop-down menus at the side of each entry found, set EVERYTHING to 'Remove'.
4. Then click on 'Take Action'.
5. Once everything has been removed, click on 'View Details'.
6. Copy and paste those details into your next reply.

Also post a new Hijackthis log please.

#7 majinsnake

majinsnake
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:33 AM

Posted 07 June 2007 - 02:12 PM

Phew, scared me there. I stopped my debit card because of that keylogger. I paid for college classes last night.

Cookie: DoubleClick Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: deleted

Cookies detected
c:\documents and settings\brad\cookies\brad@doubleclick[1].txt


ErrorSafe Rogue Security Program more information...
Details: ErrorSafe is a disabled data repair utility that nags the user to purchase it in order to fix the problems reported in its scan.
Status: deleted

Files detected
C:\WINDOWS\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe


NightProwler KeyLogger Key Logger more information...
Details: NightProwler KeyLogger is a keylogger that stealthily records all keystrokes and sends them to a specified FTP server.
Status: deleted

Registry entries detected
HKEY_USERS\S-1-5-21-854245398-1214440339-839522115-1003\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}


Trojan.Win32.Qhost.hf Trojan more information...
Status: deleted

Registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\URLS


HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 2:32:46 PM, on 6/7/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
E:\programs\netgear\wlancfg5.exe
E:\programs\firefox\firefox.exe
C:\WINDOWS\System32\wwSecure.exe
E:\programs\cs\CounterSpy.exe
E:\programs\cs\SBCSSvc.exe
E:\programs\cs\SBCSTray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\brad\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [SBCSTray] E:\programs\cs\SBCSTray.exe
O4 - Global Startup: NETGEAR WG311T Wireless Assistant.lnk = E:\programs\netgear\wlancfg5.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\programs\java\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\programs\java\bin\npjpi142.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\programs\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\programs\avast\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\programs\avast\ashServ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - Unknown owner - C:\WINDOWS\System32\PackethSvc.exe (file missing)
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - E:\programs\cs\SBCSSvc.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\System32\wwSecure.exe

Edited by majinsnake, 07 June 2007 - 02:23 PM.


#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:04:33 PM

Posted 07 June 2007 - 02:41 PM

Your log is clean, how's your PC running now?

#9 majinsnake

majinsnake
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:33 AM

Posted 07 June 2007 - 03:06 PM

Well, I think the internet is working decently again. I probably should get started backing things up and reinstalling, knowing of that keylogger. I do appreciate your helping me out.

I don't know if core is a virus or that's what Smitfraud altered. Spybot picked it up. My only thought is that no software has the definitions to remove it, since after searching it up... it came out this year, I guess.


Smitfraud-C.CoreService: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\core

Smitfraud-C.CoreService: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\core

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:04:33 PM

Posted 07 June 2007 - 03:19 PM

"I probably should get started backing things up and reinstalling, knowing of that keylogger."

For your own peace of mind, I think that's the best way to go.
After reinstalling XP, don't reconnect to the internet without having virus protection and a third-party firewall installed.
It might be a good idea to download them both now and save them to CD/flash drive, ready for installing when you're ready.

Download one of the following freeware antivirus options, and one firewall from below:

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Avira AntiVir Personal Edition Classic
http://www.free-av.com/

******************************

Outpost Firewall Free:
http://www.agnitum.com/products/outpostfree/index.php

Sygate Personal Firewall Free Edition:
http://www.filehippo.com/download_sygate_personal_firewall/

Zone Alarm Free:
http://download.zonelabs.com/bin/free/1001..._737_000_en.exe

Comodo Personal Firewall:
http://www.personalfirewall.comodo.com/



