Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Log W Smitfraud Can't Get Rid Of


  • Please log in to reply
37 replies to this topic

#1 amoebasinger

amoebasinger

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:03:52 PM

Posted 08 June 2007 - 09:41 AM

Logfile of HijackThis v1.99.1
Scan saved at 10:30:16 AM, on 6/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\yafdfoio.dll",realset
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by141fd.bay141.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1180978601734
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://70.60.51.165/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures06.aim.com/ygp/aol/plugin/u...AIM.9.5.1.8.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Word Process (msproc) - Unknown owner - C:\WINDOWS\winpad.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Please see my other post:
http://www.bleepingcomputer.com/forums/t/95258/persistant-reinfection-smitfraud-tool-seems-to-be-confounded/


BC AdBot (Login to Remove)

 


#2 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:02:52 PM

Posted 08 June 2007 - 10:14 AM

First, make sure HijackThis is run from its own folder. This will ensure we have back ups made and are kept securely. Backups allow the restoring of fixed entries when necessary.
On the Desktop, right click an empty area, select New > Folder, and name the folder Hijack This. place the HijackThis.exe file in it, and then run the program from its own folder from now on...

Next, download SmitfraudFix (by S!Ri) to the Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the files to the Desktop

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Only select option #1 - Search by typing 1 and press Enter
This program scans large amounts of files on your computer, so please be patient while it works.
When it is done, a log named rapport.txt is created, listing infected files (if present).

Please post C:\rapport.txt in your reply.

After you post the report, we'll tackle what shows on the HijackThis log.

Old duck...


#3 amoebasinger

amoebasinger
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:03:52 PM

Posted 08 June 2007 - 10:48 AM

Logfile of HijackThis v1.99.1
Scan saved at 11:40:17 AM, on 6/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by141fd.bay141.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1180978601734
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://70.60.51.165/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures06.aim.com/ygp/aol/plugin/u...AIM.9.5.1.8.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Word Process (msproc) - Unknown owner - C:\WINDOWS\winpad.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

rapport.txt:

SmitFraudFix v2.192

Scan done at 11:38:08.10, Fri 06/08/2007
Run from C:\Documents and Settings\Compaq_Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Compaq_Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Compaq_Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\COMPAQ~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" "


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: VIA Rhine II Fast Ethernet Adapter
DNS Server Search Order: 10.1.1.21
DNS Server Search Order: 10.1.1.12

HKLM\SYSTEM\CCS\Services\Tcpip\..\{DE12E196-031C-4437-8AD9-432AF0DF592A}: DhcpNameServer=10.1.1.21 10.1.1.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DE12E196-031C-4437-8AD9-432AF0DF592A}: DhcpNameServer=10.1.1.21 10.1.1.12
HKLM\SYSTEM\CS3\Services\Tcpip\..\{DE12E196-031C-4437-8AD9-432AF0DF592A}: DhcpNameServer=10.1.1.21 10.1.1.12
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.21 10.1.1.12
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.21 10.1.1.12
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.21 10.1.1.12


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#4 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:02:52 PM

Posted 08 June 2007 - 10:25 PM

Did you run any program sometime between the first HijackThis log, and this last one? Noticed a malware entry is now gone…


Please go to Start > Run, and type in the following commands one at a time and hit Enter after each line:
sc stop msproc
sc delete msproc


Run HijackThis, Scan
Check box for:

O20 - AppInit_DLLs:

O23 - Service: Word Process (msproc) - Unknown owner - C:\WINDOWS\winpad.exe (file missing)

Select: Fix checked

(For the O20 entry, you may get an error message "Error #X invalid procedure call or argument......etc.” Click OK and press on.)

~~~~
Restart the computer.

~~~~
Next, download FindAWF:
http://noahdfear.geekstogo.com/FindAWF.exe

Save the file to the Desktop
Double-click: FindAWF.exe

If a Security Alert shows, allow the program to run.

When done, a text file awf.txt is produced.

~~~~
Please post the contents the awf.text, and a new HijackThis log.

Old duck...


#5 amoebasinger

amoebasinger
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:03:52 PM

Posted 09 June 2007 - 06:21 PM

Thanks for your help and interest.
I am trying to learn but I admit I am pretty much "self-taught."

I did run that Smitfraud fix on scan mode only. I prob. removed the entry by hand from within HThis, but I don't recall for sure.

The PC is at work. I will hit it again Monday.

Thanks.

J

#6 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:02:52 PM

Posted 09 June 2007 - 07:39 PM

See you Monday when you post the info.

Old duck...


#7 amoebasinger

amoebasinger
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:03:52 PM

Posted 11 June 2007 - 01:49 PM

Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\HP\KBD\BAK

02/11/2003 11:02 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

11/16/2005 10:51 PM 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\WINDOW~4\BAK

04/03/2006 06:12 PM 777,424 MSASCui.exe
1 File(s) 777,424 bytes

Directory of C:\WINDOWS\SMINST\BAK

04/14/2004 11:43 PM 233,472 RECGUARD.EXE
1 File(s) 233,472 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

05/07/1998 07:04 PM 52,736 hpsysdrv.exe
1 File(s) 52,736 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 03:00 PM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\GRISOFT\AVGFRE~1\BAK

04/25/2007 08:06 AM 416,256 avgcc.exe
1 File(s) 416,256 bytes

Directory of C:\PROGRA~1\REAL\REALPL~1\BAK

10/11/2004 10:11 PM 26,112 RealPlay.exe
1 File(s) 26,112 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

03/27/2007 03:22 PM 4,670,968 YAHOOM~1.EXE
1 File(s) 4,670,968 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

07/26/2006 03:03 AM 49,263 jusched.exe
1 File(s) 49,263 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
155648 Nov 16 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
777424 Apr 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
233472 Apr 14 2004 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
416256 Apr 30 2007 "C:\Program Files\Grisoft\AVG7\avgcc.exe"
416256 Apr 25 2007 "C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe"
26112 Oct 11 2004 "C:\Program Files\Real\RealPlayer\bak\RealPlay.exe"
4670968 Mar 27 2007 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
4670968 Mar 27 2007 "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
32881 Aug 9 2004 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
49263 Jul 26 2006 "C:\Program Files\Java\jre1.5.0_08\bin\bak\jusched.exe"


end of report


Hijack This

Logfile of HijackThis v1.99.1
Scan saved at 2:42:09 PM, on 6/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Utilities\Security\Hijack This\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by141fd.bay141.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1180978601734
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://70.60.51.165/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures06.aim.com/ygp/aol/plugin/u...AIM.9.5.1.8.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

#8 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:02:52 PM

Posted 11 June 2007 - 10:22 PM

Looks as if the HijackThis log acquired additional malware: ntos.exe
Please do the following:

Download SuperAntiSpyware Home Edition Free Version
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

You need to provide the information in the SuperAntiSpyware log in your reply.

~~~~
Also download ComboFix to the Desktop:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

A log, combofix.txt is produced.

~~~~
Run HijackThis once again to obtain a new log.

~~~~
Please post the ComboFix.txt, the SuperAntiSpyware log, and a new HijackThis log in your reply.

Old duck...


#9 amoebasinger

amoebasinger
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:03:52 PM

Posted 12 June 2007 - 06:38 AM

Should I be doing this in Safe Mode or does it matter?
Smitfraud continues to show up in Spybot.

J

#10 amoebasinger

amoebasinger
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:03:52 PM

Posted 12 June 2007 - 08:51 AM

COMBOFIX

ComboFix 07-06-11.3 - C:\Utilities\Security\ComboFix.exe
"Anthony" - 2007-06-12 9:22:31 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\yafdfoio.dll
C:\WINDOWS\system32\oiofdfay.ini
C:\WINDOWS\system32\cccdd.bak1
C:\WINDOWS\system32\cccdd.bak2
C:\WINDOWS\system32\cccdd.ini
C:\WINDOWS\system32\cccdd.ini2
C:\WINDOWS\system32\cccdd.tmp
C:\WINDOWS\system32\cccdd.bak1
C:\WINDOWS\system32\cccdd.bak2
C:\WINDOWS\system32\cccdd.ini
C:\WINDOWS\system32\cccdd.ini2
C:\WINDOWS\system32\cccdd.tmp


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\WINDOWS\opera6.ini
C:\WINDOWS\system32\RunOnce2.t__
C:\WINDOWS\system32\winlogon.exe.tmp


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_EXAMPLE
-------\LEGACY_GB
-------\LEGACY_NDNET1
-------\LEGACY_POOF
-------\LEGACY_RUNTIME
-------\ntldr.sys


((((((((((((((((((((((((( Files Created from 2007-05-12 to 2007-06-12 )))))))))))))))))))))))))))))))


2007-06-12 09:21 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-08 15:53 <DIR> d-------- C:\DOCUME~1\Anthony\APPLIC~1\SUPERAntiSpyware.com
2007-06-08 14:31 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-08 14:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-06-08 14:28 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-08 14:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-07 16:14 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-06-07 16:08 1,724 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-07 14:14 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-06-07 14:14 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-06-07 14:14 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-06-07 14:13 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-06-07 14:13 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-06-07 14:12 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-06-07 10:23 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-06-07 09:08 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-07 07:53 <DIR> d-------- C:\DOCUME~1\Anthony\.housecall6.6
2007-06-07 07:50 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-06-06 15:46 <DIR> d-------- C:\DOCUME~1\Anthony\APPLIC~1\Lavasoft
2007-06-06 15:45 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-06 15:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-06 14:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-06-06 14:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-06-05 08:52 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-06-05 08:34 <DIR> d-------- C:\Utilities
2007-06-04 15:16 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-06-04 14:46 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-06-04 13:26 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-06-04 13:25 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-06-04 13:25 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-05-19 12:22 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-05-19 12:10 <DIR> d-------- C:\WINDOWS\pss
2007-05-19 12:03 <DIR> d--hs---- C:\DOCUME~1\ADMINI~1\UserData
2007-05-19 11:28 1,572,864 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-19 11:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-05-19 11:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-05-19 11:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SampleView
2007-05-18 03:03 <DIR> d-------- C:\Program Files\MSXML 4.0


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-07 13:25:42 -------- d-----w C:\Program Files\Common Files\Autodesk Shared
2007-06-07 11:50:46 -------- d-----w C:\Program Files\Windows Defender
2007-06-04 19:43:07 -------- d-----w C:\Program Files\Microsoft Works
2007-06-04 18:12:14 -------- d-----w C:\Program Files\Yahoo!
2007-06-04 18:00:07 -------- d-----w C:\Program Files\LimeWire
2007-06-04 17:59:34 -------- d-----w C:\Program Files\Help and Support Additions
2007-06-04 17:55:43 -------- d-----w C:\Program Files\Easy Internet signup
2007-06-04 17:52:20 -------- d-----w C:\Program Files\BroadJump
2007-05-13 00:16:59 1,471,642 --sha-w C:\WINDOWS\system32\ijjlm.bak2
2007-05-11 19:36:17 82,944 ----a-w C:\WINDOWS\system32\ws2_32.dll
2007-05-09 01:20:33 1,472,550 --sha-w C:\WINDOWS\system32\ijjlm.bak1
2007-05-03 12:29:18 -------- d-----w C:\Program Files\QuickTime
2007-04-26 22:13:05 -------- d-----w C:\Program Files\Incomplete
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 02:43:40 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-30 21:13]
"VTTimer"="VTTimer.exe" [2005-03-08 04:33 C:\WINDOWS\system32\VTTimer.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 C:\WINDOWS\AGRSMMSG.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" []
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AlcxMonitor"=ALCXMNTR.EXE


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b529b44-0b89-11db-adca-00038a000015}]
AutoRun\command- J:\LaunchU3.exe

*Newly Created Service* - SHAREDACCESS

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-12 09:26:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-12 9:27:29 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-12 09:27

--- E O F ---

SUPERANTISPYWARE


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/12/2007 at 08:56 AM

Application Version : 3.8.1002

Core Rules Database Version : 3252
Trace Rules Database Version: 1263

Scan type : Complete Scan
Total Scan Time : 00:33:51

Memory items scanned : 332
Memory threats detected : 0
Registry items scanned : 6637
Registry threats detected : 0
File items scanned : 30029
File threats detected : 0

HIJACK THIS

Logfile of HijackThis v1.99.1
Scan saved at 9:44:26 AM, on 6/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Utilities\Security\Hijack This\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by141fd.bay141.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1180978601734
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://70.60.51.165/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures06.aim.com/ygp/aol/plugin/u...AIM.9.5.1.8.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

See anything useful?

J

#11 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:02:52 PM

Posted 12 June 2007 - 10:16 PM

The HijackThis log looks fine. No apparent malware issues.

Let's deal with the results of FindAWF.

Please launch Notepad (Start > Run, type in: notepad)
Copy/paste all the blue text below to it:

if exist "C:\hp\KBD\KBD.EXE" del /q "C:\hp\KBD\KBD.EXE"
copy /y "C:\hp\KBD\bak\KBD.EXE" "C:\hp\KBD\KBD.EXE"
del /q "C:\hp\KBD\bak\KBD.EXE"
rmdir "C:\hp\KBD\bak"

if exist "C:\Program Files\QuickTime\qttask.exe" del /q "C:\Program Files\QuickTime\qttask.exe"
copy /y "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime\qttask.exe"
del /q "C:\Program Files\QuickTime\bak\qttask.exe"
rmdir "C:\Program Files\QuickTime\bak"

if exist "C:\Program Files\Windows Defender\MSASCui.exe" del /q "C:\Program Files\Windows Defender\MSASCui.exe"
copy /y "C:\Program Files\Windows Defender\bak\MSASCui.exe" "C:\Program Files\Windows Defender\MSASCui.exe"
del /q "C:\Program Files\Windows Defender\bak\MSASCui.exe"
rmdir "C:\Program Files\Windows Defender\bak"

if exist "C:\WINDOWS\SMINST\RECGUARD.EXE" del /q "C:\WINDOWS\SMINST\RECGUARD.EXE"
copy /y "C:\WINDOWS\SMINST\bak\RECGUARD.EXE" "C:\WINDOWS\SMINST\RECGUARD.EXE"
del /q "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
rmdir "C:\WINDOWS\SMINST\bak"

if exist "C:\WINDOWS\system\hpsysdrv.exe" del /q "C:\WINDOWS\system\hpsysdrv.exe"
copy /y "C:\WINDOWS\system\bak\hpsysdrv.exe" "C:\WINDOWS\system\hpsysdrv.exe"
del /q "C:\WINDOWS\system\bak\hpsysdrv.exe"
rmdir "C:\WINDOWS\system\bak"

if exist "C:\WINDOWS\system32\ctfmon.exe" del /q "C:\WINDOWS\system32\ctfmon.exe"
copy /y "C:\WINDOWS\system32\bak\ctfmon.exe" "C:\WINDOWS\system32\ctfmon.exe"
del /q "C:\WINDOWS\system32\bak\ctfmon.exe"
rmdir "C:\WINDOWS\system32\bak"

if exist “C:\Program Files\Grisoft\AVG Free\avgcc.exe” del /q “C:\Program Files\Grisoft\AVG Free\avgcc.exe”
copy /y “C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe” “C:\Program Files\Grisoft\AVG Free\avgcc.exe”
del /q "C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe"
rmdir "C:\Program Files\Grisoft\AVG Free\bak"

if exist “C:\Program Files\Real\RealPlayer\RealPlay.exe” del /q “C:\Program Files\Real\RealPlayer\RealPlay.exe”
copy /y “C:\Program Files\Real\RealPlayer\bak\RealPlay.exe” “C:\Program Files\Real\RealPlayer\RealPlay.exe”
del /q "C:\Program Files\Real\RealPlayer\bak\RealPlay.exe "
rmdir "C:\Program Files\Real\RealPlayer\bak"

if exist “C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe” del /q “C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe”
copy /y “C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe” “C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe”
del /q "C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
rmdir "C:\Program Files\Yahoo!\Messenger\bak"

if exist "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" del /q "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
copy "C:\Program Files\Java\jre1.5.0_08\bin\bak\jusched.exe" "C:\Program Files\Java\jre1.5.0_11\bin"
del /q "C:\Program Files\Java\jre1.5.0_08\bin\bak\jusched.exe"
rmdir "C:\Program Files\Java\jre1.5.0_08\bin\bak"


In Notepad, go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: Desktop
File Name: AWF_Fix.bat
Save as Type: All files
Click: Save
Exit out of Notepad.

Next, on the Desktop, double click on AWF_Fix.bat

~~~~
Please run FindAWF once again, and post the AWF.txt in your reply.

Edited by Aaflac, 12 June 2007 - 10:18 PM.

Old duck...


#12 amoebasinger

amoebasinger
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:03:52 PM

Posted 13 June 2007 - 06:40 AM

Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

03/27/2007 03:22 PM 4,670,968 YAHOOM~1.EXE
1 File(s) 4,670,968 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

4670968 Mar 27 2007 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
4670968 Mar 27 2007 "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"


end of report

remarkably shorter. What happened?

J

#13 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:02:52 PM

Posted 13 June 2007 - 10:21 PM

Please post any previous information once again.

There was a problem in the Forum, and some of the posts were lost...

Old duck...


#14 amoebasinger

amoebasinger
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:03:52 PM

Posted 14 June 2007 - 06:42 AM

Logfile of HijackThis v1.99.1
Scan saved at 7:39:06 AM, on 6/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Utilities\Security\Hijack This\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by141fd.bay141.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1180978601734
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://70.60.51.165/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures06.aim.com/ygp/aol/plugin/u...AIM.9.5.1.8.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE



I am just putting in a HJT log.
Nothing else is missing from this topic.

I ran MS Updates, and afterwords, the browser wanted to go to port 1069 on the local machine, accding to ZoneAlarm.
I denied it at first, but finally gave in.

Smitfraud remarkably is gone from Spybot finally!
Starware was the only thing. That's new so I fixed it in Spybot.

The fact that a new one surfaced: is that cause for alarm?

Also, do you have a moment to help me understand how (and If) smitfraud finally got removed?

J

Edited by amoebasinger, 14 June 2007 - 10:16 AM.


#15 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:02:52 PM

Posted 14 June 2007 - 11:43 AM

The HijackThis log is not showing any signs of StarWare.

Do you have a SpyBot log you can post, which shows what you got for StarWare?
Also, if you have the log you were getting showing SmitFraud, wouldn’t mind seeing that also.

Logs are produced during scans and fixes ("Check for problems" and "Fix selected problems").

By default there are two Checks.yymmdd-hhmm logs produced during a scan. The second Checks.yymmdd-hhmm has the details of what the scan found.

There are two methods to view the report:
Method 1:
Go into Spybot > Mode > Advanced mode > Tools > View Reports > View Pervious reports. Look for the Checks.yymmdd-hhmm file that contains the desired information. Open it.
Method 2
The Checks.yymmdd-hhmm is stored in the following folder:
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs

Using Windows Explorer, navigate to the correct Checks.yymmdd-hhmm file. Double click on it and it should open with Notepad.

~~~~
Now, to finish off the AWF issue, once again, launch Notepad (Start > Run, type in: notepad)
Copy/paste all the blue text below to it:

if exist “C:\Program\Files\Yahoo!\Messenger\YahooMessenger.exe” del /q “C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe”
copy /y “C:\Program\Files\Yahoo!\Messenger\bak\YahooMessenger.exe” “C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe”


In Notepad, go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: Desktop
File Name: AWF_Fix2.bat
Save as Type: All files
Click: Save
Exit out of Notepad.

Next, on the Desktop, double click on AWF_Fix2.bat

~~~~
Please run FindAWF once again, and post the AWF.txt in your reply.

Old duck...





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users