There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
Search
 
Malware Removal & HijackThis Logs
Tag Cloud
audio bios blue screen boot bsod card computer connection crash dell driver error excel firefox freeze freezing google hard drive hardware hijackthis install internet laptop linux malware network no sound outlook problem reboot redirect router screen server slow sound speakers spyware startup trojan usb video virus vista vundo windows windows 7 windows vista windows xp wireless
Search
Search for:
Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
Smitfraud malware removal - it won't go away! (New)

Tip: Click here to scan for System Errors and Optimize PC performance
[ Sponsored Link ]

Closed Thread
 
Thread Tools
bateman213's Avatar
Junior Member with 3 posts.
  
Join Date: Jan 2008
14-Jan-2008, 10:19 PM #1
Smitfraud malware removal - it won't go away!
So lets begin with the Combofix log.

ComboFix 08-01-14.3 - Michael 2008-01-14 21:16:45.4 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.617 [GMT -6:00]
Running from: C:\Documents and Settings\Michael\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
.

2008-01-14 20:28 . 2008-01-14 20:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-14 10:00 . 2008-01-14 10:00 268 --ah----- C:\sqmdata17.sqm
2008-01-14 10:00 . 2008-01-14 10:00 244 --ah----- C:\sqmnoopt17.sqm
2008-01-14 03:01 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-14 03:00 . 2008-01-14 03:00 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-14 02:53 . 2008-01-14 02:56 <DIR> d-------- C:\Documents and Settings\Michael\.SunDownloadManager
2008-01-14 02:37 . 2008-01-14 02:37 268 --ah----- C:\sqmdata16.sqm
2008-01-14 02:37 . 2008-01-14 02:37 244 --ah----- C:\sqmnoopt16.sqm
2008-01-14 02:21 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-14 01:43 . 2008-01-14 02:04 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-14 01:43 . 2008-01-14 01:43 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-14 01:43 . 2008-01-14 01:43 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-14 01:43 . 2008-01-14 01:43 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-14 01:34 . 2008-01-14 01:45 <DIR> d-------- C:\Documents and Settings\Michael\.housecall6.6
2008-01-14 01:23 . 2008-01-14 01:23 <DIR> d-------- C:\VundoFix Backups
2008-01-14 01:11 . 2008-01-14 01:11 268 --ah----- C:\sqmdata15.sqm
2008-01-14 01:11 . 2008-01-14 01:11 244 --ah----- C:\sqmnoopt15.sqm
2008-01-14 00:39 . 2008-01-14 00:39 268 --ah----- C:\sqmdata14.sqm
2008-01-14 00:39 . 2008-01-14 00:39 244 --ah----- C:\sqmnoopt14.sqm
2008-01-14 00:37 . 2008-01-14 09:57 3,374,149 --a------ C:\WINDOWS\{00000002-00000000-00000002-00001102-00000002-80641102}.BAK
2008-01-14 00:04 . 2008-01-14 00:04 <DIR> d-------- C:\Program Files\CCleaner
2008-01-14 00:03 . 2008-01-14 01:13 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-01-13 23:51 . 2008-01-13 23:51 268 --ah----- C:\sqmdata13.sqm
2008-01-13 23:51 . 2008-01-13 23:51 244 --ah----- C:\sqmnoopt13.sqm
2008-01-13 22:00 . 2008-01-13 22:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\vlc
2008-01-13 20:57 . 2008-01-13 20:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-01-13 20:46 . 2008-01-13 20:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-13 20:33 . 2008-01-13 20:33 268 --ah----- C:\sqmdata12.sqm
2008-01-13 20:33 . 2008-01-13 20:33 244 --ah----- C:\sqmnoopt12.sqm
2008-01-13 20:29 . 2008-01-13 20:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-01-13 20:16 . 2008-01-13 20:16 268 --ah----- C:\sqmdata11.sqm
2008-01-13 20:16 . 2008-01-13 20:16 244 --ah----- C:\sqmnoopt11.sqm
2008-01-13 19:58 . 2008-01-13 19:58 268 --ah----- C:\sqmdata10.sqm
2008-01-13 19:58 . 2008-01-13 19:58 244 --ah----- C:\sqmnoopt10.sqm
2008-01-13 19:23 . 2008-01-14 16:13 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-13 19:23 . 2008-01-13 19:23 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\PC Tools
2008-01-13 19:23 . 2008-01-14 21:03 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-13 19:23 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-01-13 19:23 . 2007-10-04 17:10 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-13 19:23 . 2007-10-04 17:10 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-13 19:23 . 2007-10-04 17:10 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-13 19:23 . 2007-10-04 17:11 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-13 18:52 . 2008-01-13 18:52 268 --ah----- C:\sqmdata09.sqm
2008-01-13 18:52 . 2008-01-13 18:52 244 --ah----- C:\sqmnoopt09.sqm
2008-01-13 17:52 . 2008-01-14 00:17 3,954 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-13 17:36 . 2008-01-13 17:36 268 --ah----- C:\sqmdata08.sqm
2008-01-13 17:36 . 2008-01-13 17:36 244 --ah----- C:\sqmnoopt08.sqm
2008-01-13 16:25 . 2008-01-14 01:13 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-13 16:25 . 2008-01-14 01:13 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\SUPERAntiSpyware.com
2008-01-13 16:25 . 2008-01-13 16:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-13 16:06 . 2008-01-13 16:06 268 --ah----- C:\sqmdata07.sqm
2008-01-13 16:06 . 2008-01-13 16:06 244 --ah----- C:\sqmnoopt07.sqm
2008-01-13 14:40 . 2008-01-13 14:40 86,144 --a------ C:\WINDOWS\system32\drivers\fipss.sys
2008-01-10 14:58 . 2008-01-10 14:58 268 --ah----- C:\sqmdata06.sqm
2008-01-10 14:58 . 2008-01-10 14:58 244 --ah----- C:\sqmnoopt06.sqm
2008-01-08 01:20 . 2008-01-08 01:20 91 --a------ C:\WINDOWS\EMSDll.INI
2008-01-01 16:26 . 2008-01-01 16:26 <DIR> d-------- C:\Program Files\iTunes
2008-01-01 16:26 . 2008-01-01 16:26 <DIR> d-------- C:\Program Files\iPod
2008-01-01 16:25 . 2008-01-01 16:25 <DIR> d-------- C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 23:54 --------- d-----w C:\Documents and Settings\Michael\Application Data\tor
2008-01-14 19:32 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-14 16:31 --------- d-----w C:\Documents and Settings\Michael\Application Data\Vidalia
2008-01-14 16:01 --------- d-----w C:\Documents and Settings\Michael\Application Data\OpenOffice.org2
2008-01-14 09:01 --------- d-----w C:\Program Files\Java
2008-01-14 07:15 --------- d-----w C:\Program Files\SpywareBlaster
2008-01-14 07:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 06:31 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-01-14 06:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-14 01:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-13 21:12 --------- d-----w C:\Documents and Settings\Michael\Application Data\.gaim
2008-01-13 20:57 --------- d-----w C:\Documents and Settings\Michael\Application Data\Azureus
2008-01-13 20:37 --------- d-----w C:\Program Files\Azureus
2008-01-09 22:57 --------- d-----w C:\Program Files\eMule
2007-12-14 01:51 --------- d-----w C:\Documents and Settings\Michael\Application Data\CoreFTP
2007-12-06 06:57 --------- d-----w C:\Documents and Settings\Michael\Application Data\Skype
2007-11-24 23:11 --------- d-----w C:\Program Files\Ventrilo
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2005-12-30 21:32 54,855 ----a-w C:\Program Files\tor-bundle-uninstall.exe
2005-12-20 22:31 26,657 ----a-w C:\Program Files\BUNDLE_LICENSE
2006-04-25 17:51 1,890 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-14_ 2.42.36.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-11-10 19:27:06 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-12-14 06:57:22 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2005-11-10 19:27:16 49,250 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-12-14 06:57:24 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2005-11-10 21:03:54 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-12-14 07:59:16 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TorCP"="C:\Program Files\TorCP\torcp.exe" [ ]
"DriveCrypt Startup"="C:\Program Files\DriveCrypt\DriveCrypt.exe" [2004-05-30 03:29 2711552]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 21:49 4662776]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"Vidalia"="C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe" [2007-08-26 00:02 11852288]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:32 58984]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-03-06 14:53 100048]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 14:29 7561216]
"nwiz"="nwiz.exe" [2006-03-09 14:29 1519616 C:\WINDOWS\system32\nwiz.exe]
"Acronis True Image Monitor"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-12-31 00:45 417838]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-12-31 00:45 61440]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 19:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 03:00 28672]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-03-09 14:29 86016]
"MXOBG"="C:\WINDOWS\MXOALDR.EXE" [2006-08-06 13:51 94208]
"\\PAUL\EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.exe" [2003-06-04 04:00 99840]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 01:36 81920]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-26 20:53 180269]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-10-02 16:27 1065288]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 18:04 5562368]

C:\Documents and Settings\Michael\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2005-12-14 19:01:20]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 16:27:34]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 19:01:04]
Privoxy.lnk - C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 08:30:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax 4.1.lnk
backup=C:\WINDOWS\pss\eFax 4.1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Michael^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Michael\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Michael^Start Menu^Programs^Startup^Peepbox.lnk]
path=C:\Documents and Settings\Michael\Start Menu\Programs\Startup\Peepbox.lnk
backup=C:\WINDOWS\pss\Peepbox.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-10-09 11:28 139264 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.1]
--a------ 2005-12-16 17:59 107008 C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
--a------ 2003-07-25 13:15 536576 C:\Program Files\Eraser\eraser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
--a------ 2006-03-22 23:13 1591808 C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gaim]
--a------ 2005-08-11 20:44 69793 C:\Program Files\Gaim\gaim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
--a------ 2005-11-15 12:12 473928 C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-10-31 08:50 190464 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\heart five nurb mix]
C:\Documents and Settings\All Users\Application Data\Blue Blah Heart Five\Dash Type.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Info Bash Intra Mix]
C:\Documents and Settings\All Users\Application Data\creative style mix blue\Amen vc save.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lesstransskipfilm]
C:\Documents and Settings\All Users\Application Data\sect memo less trans\lieseach.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]
--a------ 2004-12-22 07:21 823296 C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Once win]
C:\DOCUME~1\Michael\APPLIC~1\BINTHA~1\delete real.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 10:56 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2007-02-09 16:00 25388584 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoftickPPP]
--a------ 2004-10-20 16:05 160256 C:\Program Files\Softick\PPP\Bin\PPPGate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
--a------ 2006-01-07 01:36 81920 C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-02-11 17:10 1269760 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-04-26 20:53 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 03:00 90112 C:\WINDOWS\UpdReg.EXE

R0 DCR;DCR;C:\WINDOWS\system32\Drivers\DCR.sys [2006-01-01 03:16]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 23:31]
S1 fipss;fipss;C:\WINDOWS\system32\drivers\fipss.sys [2008-01-13 14:40]
S2 DriveCryptService;DriveCrypt Service;C:\Program Files\DriveCrypt\DcrServ.exe [2006-01-01 03:16]
S2 lmgrd;Flexlm;"C:\OrCAD\OrCAD_10.5\IntelliCAD 4\LicenseManager\lmgrd.exe" []
S3 ICDUSB2;Sony IC Recorder (P);C:\WINDOWS\system32\Drivers\ICDUSB2.sys [2002-11-28 20:23]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 15:10]
S3 RioS10;RioS10 driver;C:\WINDOWS\system32\Drivers\RioS10.sys [2002-07-31 08:45]
S3 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 03:53]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2005-09-23 07:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 02:00:02 C:\WINDOWS\Tasks\AB99DF31918A5481.job"
- c:\docume~1\michael\applic~1\bintha~1\ELSECAMPSTORE.exe
"2008-01-08 21:43:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-12 03:38:13 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Michael.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-14 21:17:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"Acronis True Image Monitor"="\"C:\\Program Files\\Acronis\\TrueImage\\TrueImageMonitor.exe\""
"\\\\PAUL\\EPSON Stylus Photo R300 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2F1.EXE /P37 \"\\\\PAUL\\EPSON Stylus Photo R300 Series\" /O6 \"USB001\" /M \"Stylus Photo R300\""
.
Completion time: 2008-01-14 21:18:21
ComboFix-quarantined-files.txt 2008-01-15 03:18:13
ComboFix2.txt 2008-01-15 03:14:48
ComboFix3.txt 2008-01-14 16:07:51
ComboFix4.txt 2008-01-14 08:44:00
.
2008-01-10 08:13:40 --- E O F ---
Register for free to hide this ad!
bateman213's Avatar
Junior Member with 3 posts.
  
Join Date: Jan 2008
14-Jan-2008, 10:20 PM #2
and here is the Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:19:45 PM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [\\PAUL\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P37 "\\PAUL\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [TorCP] C:\Program Files\TorCP\torcp.exe
O4 - HKCU\..\Run: [DriveCrypt Startup] C:\Program Files\DriveCrypt\DriveCrypt.exe /WS
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11D2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11D2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1135939296487
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1136024174281
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DriveCrypt Service (DriveCryptService) - Unknown owner - C:\Program Files\DriveCrypt\DcrServ.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Flexlm (lmgrd) - Unknown owner - C:\OrCAD\OrCAD_10.5\IntelliCAD 4\LicenseManager\lmgrd.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10220 bytes
bateman213's Avatar
Junior Member with 3 posts.
  
Join Date: Jan 2008
14-Jan-2008, 11:16 PM #3
I still have the infection. This is very frustrating.

SDFix: Version 1.126

Run by Michael on Mon 01/14/2008 at 09:34 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found





Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-14 21:42:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:25ae7d0f
"s2"=dword:2f1b130f
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED6 1418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:0c,a6,0e,74,68,7b,21,6a,0d,77,64,19,58,ad,84,07,2f,2f,f7,42,48, ..
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418 462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:0c,a6,0e,74,68,7b,21,6a,0d,77,64,19,58,ad,84,07,2f,2f,f7,42,48, ..
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\User Data\S-1-5-18\Components\\x90\x2022\x20ac|\xff\xff\xff\xff"\x2022\x20ac|\xf9\x2022\xd4 w\2]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\Software\Adobe\FeatureSubscriptions \DVAAdobeDocMeta\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\Registered"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameter s\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameter s\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

Tue 25 Apr 2006 1,890 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Thu 22 Jun 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 1 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\12bb35ec2265dce083ec92c86f1e1ffc\ BIT4.tmp"
Mon 1 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1db9e52f9e862450a2af87f2f5a16dbc\ BIT3.tmp"
Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b04031f0b83ee952189dd8beb4ee929a\ BIT2.tmp"
Mon 1 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\ BIT2.tmp"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\Michael\Application Data\U3\temp\Launchpad Removal.exe"

Finished!
Closed Thread Bookmark and Share

THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Smart Search

Find your solution!

« Previous Thread | Malware Removal & HijackThis Logs | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
WELCOME TO TECH SUPPORT GUY! Are you looking for the solution to your computer problem? Join our site today to ask your question -- for free! Our site is run completely by volunteers who want to help you solve your computer problems. See our Welcome Guide to get started.

Thread Tools


Twitter Twitter! | Podcast | Mobile | Advertise
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -5. The time now is 06:46 PM.
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.
Powered by vBulletin, Copyright © 2000 - 2009, Jelsoft Enterprises Ltd.
 Powered by Cermak Technologies, Inc.