
[Closed] IE and Firefox Hijack Please Help Me - I am writing my d


  • This topic is locked
15 replies to this topic

#1 SophieG
New Member, 8 posts

Posted 20 October 2007 - 07:54 AM

Hello everyone,

I need your urgent help. Since last Friday my internet browsers IE and Explorer have been hijacked by yourprivacyguard.com for Mozilla and a similar program for IE, and every time I open them new tabs from these sites are opened simultaneously.

I am scared to death about this since I am about to finish my Master's dissertation on this PC and at the moment I don't have enough time to go through the process of a fresh Windows reinstall.

I have downloaded multiple spamware programs such as AVG, ADAWARE, SPYBOTSD and SDFIX.

Below is the log file description from HIJACKTHIS:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:50:01, on 20/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Gemplus\CertReg\certreg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Aitor\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [CertReg] C:\Program Files\Common Files\Gemplus\CertReg\certreg.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\Aitor\LOCALS~1\Temp\2007102012337_mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Aitor\LOCALS~1\Temp\2007102012335_mcinfo.exe /insfin
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [VcClnUp.exe] C:\DOCUME~1\Aitor\LOCALS~1\Temp\VcClnUp0.exe -F C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg /RemoveAll
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .csd: C:\Program Files\Gemplus\eSigner\Plugin\Npcsig.dll
O12 - Plugin for .i4t: C:\Program Files\Gemplus\eSigner\Plugin\Npcsig.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9844 bytes

Please help me out as all my attempts so far have failed.

Thanks for everything,

Sophie :blush:

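The log above is read line by line by the helpers on this forum, looking first at the R0 start-page entry and at O4 autostart entries that run from unusual places. The script below is an added example, not part of SophieG's post and not HijackThis code: it parses the R0/R1, O2/O3 and O4 line formats seen in that log and marks the entries a reviewer reads first. The sample lines are constructed for the example; the `[Cleanup]` Run entry under the user's Temp folder is copied from the log above, while the start-page URL and the `(no name)` BHO with a missing DLL are placeholders. The flags are review hints, not a verdict on any entry.

```python
"""Triage helper for HijackThis 2.x log lines.

Added example for this thread: it is not part of the original post and not
HijackThis code. It parses the R0/R1, O2/O3 and O4 line formats that appear
in the log above and flags the entries a removal helper reads first. The
flags are review hints, not verdicts.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis format. The Run entry under Temp is taken
# from the log in the post; the start-page URL and the "(no name)" BHO with
# no file are placeholders written for this example.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.example/?lid=2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\Aitor\LOCALS~1\Temp\2007102012337_mcappins.exe /v=3 /cleanup
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
"""


@dataclass
class Entry:
    section: str                      # HijackThis section code: R0, O2, O4, ...
    name: str                         # value name, BHO name or shortcut name
    target: str                       # URL, DLL path or command line
    flags: list = field(default_factory=list)


_LINE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
_R = re.compile(r"^(?P<key>.+?),(?P<name>[^=]+?) = (?P<url>.*)$")
_BHO = re.compile(r"^(?:BHO|Toolbar): (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
_RUN = re.compile(r"^HK\S*?\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
_STARTUP = re.compile(r"^(?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.*)$")
# First token of a Run command: a quoted path, or an unquoted path ending in a
# program extension (unquoted paths may contain spaces, so split on the extension).
_EXE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|dll|scr|com|bat|cmd|pif))(?=[\s,]|$)', re.I)
_TEMP = re.compile(r"\\temp\\", re.I)


def parse_line(line: str):
    """Return an Entry for a recognised HijackThis line, else None."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1") and (r := _R.match(body)):
        return Entry(sec, r.group("name"), r.group("url"))
    if sec in ("O2", "O3") and (b := _BHO.match(body)):
        return Entry(sec, b.group("name"), b.group("path"))
    if sec == "O4" and (o := _RUN.match(body) or _STARTUP.match(body)):
        return Entry(sec, o.group("name"), o.group("cmd"))
    return Entry(sec, "", body)       # unknown layout: keep it for the reviewer


def exe_path(cmd: str) -> str:
    """Best-effort program path from a Run command line (quoted or not)."""
    m = _EXE.match(cmd)
    return (m.group("q") or m.group("u")) if m else cmd


def flag(entry: Entry) -> Entry:
    """Attach review hints; heuristics only, not a malware verdict."""
    if entry.section in ("R0", "R1") and entry.target.lower().startswith(("http://", "https://")):
        entry.flags.append("browser start page set to an external URL; confirm the user chose it")
    if entry.section in ("O2", "O3") and entry.target.endswith("(no file)"):
        entry.flags.append("BHO/toolbar registered but its DLL is missing")
    if entry.section == "O4":
        path = exe_path(entry.target)
        if path == "?":
            entry.flags.append("startup shortcut target could not be resolved")
        elif _TEMP.search(path):
            entry.flags.append("autostart runs a program from a Temp folder")
    return entry


def parse_log(text: str) -> list:
    """All recognised entries from a HijackThis log, in log order."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def triage(text: str) -> list:
    """Entries carrying at least one review flag, in log order."""
    return [e for e in map(flag, parse_log(text)) if e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section} [{e.name}] {e.target}")
        for f in e.flags:
            print(f"    -> {f}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. A Temp-folder autostart is worth a look but is not proof of anything: in the log above the two Temp entries are named like a McAfee installer's cleanup step, and the reviewer still has to check the file before deciding, which is exactly why the output is a list of hints rather than a list of removals.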


#2 Scotty
Always Happy, Authentic Member, 3,634 posts

Posted 20 October 2007 - 10:01 AM

Hi! Welcome to the WTT forums.
My name is Scotty. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.
Please be patient.

Please make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in a reply.

Disable Teatimer
First:
  • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
  • Choose Exit Spybot S&D Resident
Second:
  • Open Spybot S&D
  • Click Mode, check Advanced Mode
  • Go To Left Panel, Click Tools, then also in left panel, click Resident
  • If your firewall raises a question, say OK
  • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Download and Run ComboFix
  • Download this file from below:

    Here
  • Disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running.
  • Then double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.
Note 1: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Note 2: Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
You too could train to help others- Join the Classroom


#3 SophieG
New Member, 8 posts

Posted 20 October 2007 - 12:45 PM

What a quick reply. You guys know what you are doing!

This is the log from the Uninstall Manager of HijackThis:

Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Skype 3.0
Skype add-on for IE
Skype Plugin Manager
Sonic Activation Module
Sonic Update Manager
SoulSeek Client 156c
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
SWiSHmax
Tiscali Internet
Tom Clancy's Rainbow Six 3: Iron Wrath 1.00.000
Tom Clancy's Rainbow Six 3: Raven Shield 1.60.412
TradeSmart 2.2.3_b29
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
URL Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
WinRAR archiver
WinZip 11.1
ZIP Reader 8.00.0018

The following is the log produced by ComboFix:


ComboFix 07-10-21.1 - Aitor 2007-10-20 19:25:50.2 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.810 [GMT 1:00]
Running from: C:\Documents and Settings\Aitor\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-21 to 2007-10-21 )))))))))))))))))))))))))))))))
.

2007-10-20 15:39 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-10-20 15:29 <DIR> d-------- C:\Program Files\Sierra Entertainment
2007-10-20 14:37 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-20 13:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-20 13:46 <DIR> d-------- C:\Documents and Settings\Aitor\Application Data\Grisoft
2007-10-20 13:46 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-20 13:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-20 12:59 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-20 12:43 <DIR> d-------- C:\Documents and Settings\Aitor\backups
2007-10-20 12:43 <DIR> d-------- C:\Documents and Settings\Aitor\backupreg
2007-10-20 12:43 146,432 --a------ C:\Documents and Settings\Aitor\regedit.exe
2007-10-20 12:43 27,136 --a------ C:\Documents and Settings\Aitor\findstr.exe
2007-10-20 12:43 11,264 --a------ C:\Documents and Settings\Aitor\attrib.exe
2007-10-20 12:43 9,216 --a------ C:\Documents and Settings\Aitor\find.exe
2007-10-20 11:57 <DIR> d--h----- C:\WINDOWS\PIF
2007-10-20 02:18 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-20 02:18 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-20 02:18 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-20 02:18 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-20 02:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2007-10-20 02:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-10-20 02:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-10-20 02:11 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2007-10-20 02:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2007-10-20 01:43 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-20 01:16 4,558 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-19 23:27 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-19 07:15 <DIR> d-------- C:\Documents and Settings\Aitor\.housecall6.6
2007-10-19 07:13 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-19 07:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-19 01:48 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-19 01:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-19 01:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-19 01:48 <DIR> d-------- C:\Documents and Settings\Aitor\Application Data\SUPERAntiSpyware.com
2007-10-10 06:21 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-08 14:32 <DIR> d-------- C:\Program Files\TradeSmart
2007-10-07 16:49 <DIR> d-------- C:\WINDOWS\F4C9398FB6C64A4B8B6D795CD86F915D.TMP
2007-10-06 00:51 <DIR> d--hs---- C:\found.000
2007-10-05 22:52 <DIR> dr-h----- C:\Documents and Settings\Aitor\Application Data\SecuROM
2007-10-05 22:52 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-10-05 22:52 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-10-05 22:52 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-10-05 22:52 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-10-05 22:52 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-10-05 22:52 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-10-04 12:37 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\You've Got Pictures Screensaver
2007-10-04 12:37 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Symantec
2007-10-04 12:37 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\McAfee.com Personal Firewall
2007-10-04 12:37 <DIR> d--h----- C:\Documents and Settings\Guest\Application Data\Gtek
2007-10-04 12:37 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\AOL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-20 18:20 --------- d-----w C:\Documents and Settings\Aitor\Application Data\OpenOffice.org2
2007-10-20 14:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-20 14:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-20 13:45 --------- d-----w C:\Program Files\Java
2007-10-20 13:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-20 11:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-20 11:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-10-20 11:29 --------- d-----w C:\Program Files\DivX
2007-10-20 10:33 --------- d-----w C:\Program Files\QuickTime
2007-10-20 10:33 --------- d-----w C:\Program Files\KaZaA Lite
2007-10-20 10:32 --------- d-----w C:\Program Files\Dell Network Assistant
2007-10-20 10:32 --------- d-----w C:\Program Files\Dell
2007-10-20 10:32 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-20 00:02 --------- d-----w C:\Program Files\Download Manager
2007-10-16 20:32 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-10-16 00:20 --------- d-----w C:\Program Files\Soulseek
2007-10-15 01:23 --------- d-----w C:\Documents and Settings\Aitor\Application Data\Skype
2007-08-23 01:44 --------- d-----w C:\Documents and Settings\Aitor\Application Data\DivX
2007-08-22 12:55 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 12:55 665,600 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 12:55 617,984 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 12:55 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 12:55 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 12:55 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 12:55 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 12:55 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 12:55 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 12:55 3,064,832 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 12:55 251,904 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 12:55 205,824 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 12:55 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 12:55 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 12:55 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 12:55 1,498,112 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 12:55 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 12:55 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:19 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-07-30 18:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 18:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 18:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 18:19 549,720 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 18:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 18:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 18:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 18:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 18:19 325,976 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 18:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 18:19 203,096 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 18:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 18:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 18:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 18:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2007-07-26 02:53 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-07-26 02:53 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-07-26 02:53 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-07-26 02:53 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-07-26 02:53 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-07-26 02:53 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-07-26 02:50 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-07-26 02:50 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-07-26 02:50 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-07-26 02:50 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-07-26 02:50 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-07-26 02:50 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-07-26 02:50 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-07-26 02:50 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-06-09 17:13:15 168 --sh--r C:\WINDOWS\system32\5B7576CDB5.sys
2007-06-09 17:13:17 5,798 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2007-10-20_ 1.50.58.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-09-28 08:06:08 135,168 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-20 05:03:30 136,192 ----a-w C:\WINDOWS\catchme.exe
- 2007-10-19 23:23:19 3,895,296 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-10-20 11:43:58 3,895,296 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2007-10-19 23:23:19 749,568 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-10-20 11:43:58 753,664 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-03-12 15:42:30 1,123,696 ----a-w C:\WINDOWS\LastGood.Tmp\system32\D3DCompiler_33.dll
+ 2007-03-15 15:57:58 443,752 ----a-w C:\WINDOWS\LastGood.Tmp\system32\d3dx10_33.dll
+ 2006-09-28 15:05:20 2,414,360 ----a-w C:\WINDOWS\LastGood.Tmp\system32\d3dx9_31.dll
+ 2007-03-12 15:42:30 3,495,784 ----a-w C:\WINDOWS\LastGood.Tmp\system32\d3dx9_33.dll
+ 2007-04-04 17:53:42 81,768 ----a-w C:\WINDOWS\LastGood.Tmp\system32\xinput1_3.dll
- 2007-03-13 23:31:24 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-24 21:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-03-13 23:31:28 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-24 21:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-03-14 01:04:46 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-24 22:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-07-21 17:48]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-07-21 17:50]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-07-21 17:47]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 11:20 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 08:15]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 04:12]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 06:20]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-12 05:43]
"nwiz"="nwiz.exe" [2006-08-12 05:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-12 05:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 17:59]
"gemstrmw"="C:\WINDOWS\system32\gemstrmw.exe" [2004-02-12 09:01]
"CertReg"="C:\Program Files\Common Files\Gemplus\CertReg\certreg.exe" [2004-02-13 16:31]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-31 00:22]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 15:49]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" []
"Norton Ghost 10.0"="C:\Program Files\Norton Ghost\Agent\GhostTray.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-28 22:57]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
"Aim6"="" []
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 22:57]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\Documents and Settings\Aitor\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 17:54:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

S2 hnmwrlspkt;HomeNet Manager Wireless Protocol;C:\WINDOWS\system32\DRIVERS\hnm_wrls_pkt.sys
S2 wsppkt;Wireless Security Protocol;C:\WINDOWS\system32\DRIVERS\wsp_pkt.sys
S3 GTwinUSB;GTwinUSB;C:\WINDOWS\system32\Drivers\GTwinUSB.sys
S4 CardServer;CardServer;C:\Program Files\Common Files\Gemplus\Token API\CardServer.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b233e4ae-86fc-11db-bd8c-806d6172696f}]
AutoRun\command - E:\Autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-02-11 12:57:44 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-21 19:29:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-21 19:29:33
C:\ComboFix2.txt ... 2007-10-20 01:52
.
--- E O F ---

I feel things are moving forward finally.

Thanks a lot for your help ^_^

Sophie

#4 Scotty
Always Happy, Authentic Member, 3,634 posts

Posted 20 October 2007 - 04:35 PM

Hello

Download and Run SmitfraudFix
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.


Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:

      + Extended(If available otherwise Standard)
    • Scan Options:

      + Scan Archives
      + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Edited by Scotty, 20 October 2007 - 04:36 PM.


#5 SophieG
New Member, 8 posts

Posted 21 October 2007 - 12:08 PM

Hello and thanks again!

Please find below the requested log file information:

Smitfraud log:

SmitFraudFix v2.240

Scan done at 12:52:02.32, 22/10/2007
Run from C:\Documents and Settings\Aitor\Desktop\ANTIVIR\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Gemplus\CertReg\certreg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Aitor


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Aitor\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Aitor\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: TP-LINK 11b/g Wireless Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{AB31A0C4-BB63-438D-BBCC-184C8055183A}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{AB31A0C4-BB63-438D-BBCC-184C8055183A}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{AB31A0C4-BB63-438D-BBCC-184C8055183A}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, October 22, 2007 2:26:31 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/10/2007
Kaspersky Anti-Virus database records: 442124
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 99692
Number of viruses found: 3
Number of infected objects: 14
Number of suspicious objects: 0
Duration of the scan process: 01:08:19

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Aitor\.housecall6.6\Quarantine\265b8ef7-266c5547.bac_a00528/BaaaaBaa.class Infected: Exploit.Java.Gimsh.a skipped
C:\Documents and Settings\Aitor\.housecall6.6\Quarantine\265b8ef7-266c5547.bac_a00528 ZIP: infected - 1 skipped
C:\Documents and Settings\Aitor\.housecall6.6\Quarantine\265b8ef7-266c5547.bac_a00528 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Aitor\.housecall6.6\Quarantine\3aa7928d-3a2b93c3.bac_a00528 Infected: Exploit.Java.Gimsh.a skipped
C:\Documents and Settings\Aitor\.housecall6.6\Quarantine\~.exe.bac_a00528/stream/data0003 Infected: Trojan-Downloader.Win32.Agent.egt skipped
C:\Documents and Settings\Aitor\.housecall6.6\Quarantine\~.exe.bac_a00528/stream Infected: Trojan-Downloader.Win32.Agent.egt skipped
C:\Documents and Settings\Aitor\.housecall6.6\Quarantine\~.exe.bac_a00528 NSIS: infected - 2 skipped
C:\Documents and Settings\Aitor\.housecall6.6\Quarantine\~.exe.bac_a00528 CryptFF.b: infected - 2 skipped
C:\Documents and Settings\Aitor\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\AUPNP.log Object is locked skipped
C:\Documents and Settings\Aitor\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Aitor\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
C:\Documents and Settings\Aitor\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
C:\Documents and Settings\Aitor\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
C:\Documents and Settings\Aitor\Application Data\Mozilla\Firefox\Profiles\syn4od1y.default\cert8.db Object is locked skipped
C:\Documents and Settings\Aitor\Application Data\Mozilla\Firefox\Profiles\syn4od1y.default\history.dat Object is locked skipped
C:\Documents and Settings\Aitor\Application Data\Mozilla\Firefox\Profiles\syn4od1y.default\key3.db Object is locked skipped
C:\Documents and Settings\Aitor\Application Data\Mozilla\Firefox\Profiles\syn4od1y.default\parent.lock Object is locked skipped
C:\Documents and Settings\Aitor\Application Data\Mozilla\Firefox\Profiles\syn4od1y.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Aitor\Application Data\Mozilla\Firefox\Profiles\syn4od1y.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Aitor\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Aitor\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Aitor\Desktop\ANTIVIR\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Aitor\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Aitor\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Aitor\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Aitor\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Aitor\Local Settings\Application Data\Mozilla\Firefox\Profiles\syn4od1y.default\Cache\633285D9d01/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Aitor\Local Settings\Application Data\Mozilla\Firefox\Profiles\syn4od1y.default\Cache\633285D9d01 ZIP: infected - 1 skipped
C:\Documents and Settings\Aitor\Local Settings\Application Data\Mozilla\Firefox\Profiles\syn4od1y.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Aitor\Local Settings\Application Data\Mozilla\Firefox\Profiles\syn4od1y.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Aitor\Local Settings\Application Data\Mozilla\Firefox\Profiles\syn4od1y.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Aitor\Local Settings\Application Data\Mozilla\Firefox\Profiles\syn4od1y.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Aitor\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Aitor\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Aitor\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Aitor\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP14\A0004745.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP14\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP14\change.log Object is locked skipped

Scan process completed.

Thanks again for your help and I am eagerly waiting for your reply to determine what to do. ^_^

With best regards,

Sophie
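
The Kaspersky report above is mostly noise: "Object is locked" entries for registry hives and browser databases, detections that sit inside the HouseCall quarantine folder or a System Restore point, a copy of SmitfraudFix in the Firefox cache, and the removal tool's own Reboot.exe flagged as not-a-virus:RiskTool. As an added example that is not part of the original thread and not Kaspersky's or the forum's tooling, the Python below parses report lines of that shape and sorts them into buckets so that only detections at live locations need attention. The sample report is constructed from a few lines of the posted report plus one hypothetical live line (C:\WINDOWS\system32\example_dropper.dll) that does not appear in the poster's report; the bucket names and the path heuristics are mine, not Kaspersky's.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the Kaspersky Online Scanner report
# above. The last line is hypothetical and is NOT in the posted report; it
# exists only to exercise the "live" bucket.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Aitor\.housecall6.6\Quarantine\265b8ef7-266c5547.bac_a00528/BaaaaBaa.class Infected: Exploit.Java.Gimsh.a skipped
C:\Documents and Settings\Aitor\.housecall6.6\Quarantine\~.exe.bac_a00528/stream/data0003 Infected: Trojan-Downloader.Win32.Agent.egt skipped
C:\Documents and Settings\Aitor\.housecall6.6\Quarantine\~.exe.bac_a00528 NSIS: infected - 2 skipped
C:\Documents and Settings\Aitor\Application Data\Mozilla\Firefox\Profiles\syn4od1y.default\key3.db Object is locked skipped
C:\Documents and Settings\Aitor\Desktop\ANTIVIR\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Aitor\Local Settings\Application Data\Mozilla\Firefox\Profiles\syn4od1y.default\Cache\633285D9d01/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP14\A0004745.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\example_dropper.dll Infected: Trojan-Downloader.Win32.Agent.egt skipped
"""

# One report line: "<path> Infected: <name> skipped", "<path> Object is locked skipped"
# or "<path> <archive type>: infected - <n> skipped". Paths contain spaces, so
# the path group is non-greedy and the tail is anchored.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<name>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<container>\S+): infected - \d+) skipped$"
)


def classify(path, name, locked):
    """Bucket a detection by where it lives; order matters (first match wins)."""
    p = path.lower()
    if locked:
        return "locked"            # scanner could not open it; not a detection at all
    if "\\quarantine\\" in p or "\\system volume information\\_restore" in p:
        return "quarantined"       # inert unless restored; clean up by emptying the store
    if name.startswith("not-a-virus:"):
        return "riskware"          # dual-use tool, here the removal tool's own Reboot.exe
    if "\\cache\\" in p:
        return "cached"            # a download, not something that runs at boot
    return "live"                  # on the real file system: this is what needs action


def triage(report_text):
    """Return {bucket: [(path, detection name), ...]} for every parsable line."""
    buckets = defaultdict(list)
    for raw in report_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        name = m.group("name") or ""
        if m.group("container"):
            name = m.group("container") + " archive"
        buckets[classify(m.group("path"), name, bool(m.group("locked")))].append(
            (m.group("path"), name)
        )
    return dict(buckets)


def summarize(report_text):
    """Counts per bucket, the one-line answer to 'is anything actually live?'."""
    return {bucket: len(items) for bucket, items in triage(report_text).items()}


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(bucket, len(items))
        for path, name in items:
            print("   ", name or "-", path)
```

Run against the full posted report, every detection lands in "quarantined" or "riskware" and the "live" bucket stays empty, which is the conclusion the helper draws in the next post by asking to uninstall the scanners and delete the quarantine folder rather than treating the machine as still infected.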

#6 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 21 October 2007 - 04:17 PM

Hi

We need to remove the following because they may be a slight security risk if left.

Remove programs from Add/Remove Programs List
Please go to:
  • Start
  • Control Panel
  • Add/Remove Programs
Find and remove these programs (if they are present)
  • Trend Micro Housecall
  • Kaspersky Online Scan



Make sure this folder has gone, if not delete it.
C:\Documents and Settings\Aitor\.housecall6.6

Go to http://www.virustota.../en/indexf.html
Copy the following line into the white textbox:
C:\Documents and Settings\Aitor\find.exe
Click Send.
Please post the results of this scan to this thread.

#7 SophieG

SophieG

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 21 October 2007 - 04:59 PM

Hello again Scotty, I removed the file that you requested. These are the results from the VirusTotal scan:

Antivirus Version Last Update Result
AhnLab-V3 2007.10.20.0 2007.10.19 -
AntiVir 7.6.0.27 2007.10.21 -
Authentium 4.93.8 2007.10.20 -
Avast 4.7.1051.0 2007.10.21 -
AVG 7.5.0.488 2007.10.21 -
BitDefender 7.2 2007.10.22 -
CAT-QuickHeal 9.00 2007.10.20 -
ClamAV 0.91.2 2007.10.21 -
DrWeb 4.44.0.09170 2007.10.21 -
eSafe 7.0.15.0 2007.10.21 -
eTrust-Vet 31.2.5225 2007.10.20 -
Ewido 4.0 2007.10.21 -
FileAdvisor 1 2007.10.22 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.3.2.48 2007.10.20 -
F-Secure 6.70.13030.0 2007.10.21 -
Ikarus T3.1.1.12 2007.10.21 -
Kaspersky 7.0.0.125 2007.10.22 -
McAfee 5145 2007.10.19 -
Microsoft 1.2908 2007.10.22 -
NOD32v2 2604 2007.10.19 -
Norman 5.80.02 2007.10.19 -
Panda 9.0.0.4 2007.10.21 -
Prevx1 V2 2007.10.22 -
Rising 19.45.62.00 2007.10.21 -
Sophos 4.22.0 2007.10.22 -
Sunbelt 2.2.907.0 2007.10.20 -
Symantec 10 2007.10.21 -
TheHacker 6.2.9.103 2007.10.21 -
VBA32 3.12.2.4 2007.10.19 -
VirusBuster 4.3.26:9 2007.10.21 -
Webwasher-Gateway 6.6.1 2007.10.21 -
Additional information
File size: 9216 bytes
MD5: 09b4e22c86f7e9f1e5c7554ac03b9c9d
SHA1: 2329f2c682f5c7896980f5bf0d5dc26af55fca34

I hope they are useful. Thanks for your help and very quick reply.

With best regards,

Sophie :)

#8 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 22 October 2007 - 07:31 AM

Hi

No results were displayed. Follow the Virustotal instruction again but this time upload these files.

C:\Documents and Settings\Aitor\regedit.exe
C:\Documents and Settings\Aitor\findstr.exe


#9 SophieG

SophieG

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 22 October 2007 - 04:43 PM

Hello and thanks for your help.

Please find below the requested results based on the VirusTotal scan.

REGEDIT results

Antivirus Version Last Update Result
AhnLab-V3 2007.10.23.0 2007.10.22 -
AntiVir 7.6.0.27 2007.10.22 -
Authentium 4.93.8 2007.10.22 -
Avast 4.7.1051.0 2007.10.22 -
AVG 7.5.0.488 2007.10.22 -
BitDefender 7.2 2007.10.22 -
CAT-QuickHeal 9.00 2007.10.22 -
ClamAV 0.91.2 2007.10.22 -
DrWeb 4.44.0.09170 2007.10.22 -
eSafe 7.0.15.0 2007.10.22 -
eTrust-Vet 31.2.5230 2007.10.22 -
Ewido 4.0 2007.10.22 -
FileAdvisor 1 2007.10.23 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.3.2.48 2007.10.22 -
F-Secure 6.70.13030.0 2007.10.22 -
Ikarus T3.1.1.12 2007.10.22 -
Kaspersky 7.0.0.125 2007.10.22 -
McAfee 5146 2007.10.22 -
Microsoft 1.2908 2007.10.22 -
NOD32v2 2607 2007.10.22 -
Norman 5.80.02 2007.10.22 -
Panda 9.0.0.4 2007.10.23 -
Prevx1 V2 2007.10.23 -
Rising 19.46.02.00 2007.10.22 -
Sophos 4.22.0 2007.10.22 -
Sunbelt 2.2.907.0 2007.10.20 -
Additional information
File size: 146432 bytes
MD5: 783afc80383c176b22dbf8333343992d
SHA1: 8829b5a655b9d480d0d4a8ab4faf219c89368ac1

FINDSTR.EXE results


Antivirus Version Last Update Result
AhnLab-V3 2007.10.23.0 2007.10.22 -
AntiVir 7.6.0.27 2007.10.22 -
Authentium 4.93.8 2007.10.22 -
Avast 4.7.1051.0 2007.10.22 -
AVG 7.5.0.488 2007.10.22 -
BitDefender 7.2 2007.10.22 -
CAT-QuickHeal 9.00 2007.10.22 -
ClamAV 0.91.2 2007.10.22 -
DrWeb 4.44.0.09170 2007.10.22 -
eSafe 7.0.15.0 2007.10.22 -
eTrust-Vet 31.2.5230 2007.10.22 -
Ewido 4.0 2007.10.21 -
FileAdvisor 1 2007.10.23 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.3.2.48 2007.10.22 -
F-Secure 6.70.13030.0 2007.10.22 -
Ikarus T3.1.1.12 2007.10.22 -
Kaspersky 7.0.0.125 2007.10.22 -
McAfee 5146 2007.10.22 -
Microsoft 1.2908 2007.10.23 -
NOD32v2 2607 2007.10.22 -
Norman 5.80.02 2007.10.22 -
Panda 9.0.0.4 2007.10.23 -
Prevx1 V2 2007.10.23 -
Rising 19.46.02.00 2007.10.22 -
Sophos 4.22.0 2007.10.22 -
Sunbelt 2.2.907.0 2007.10.20 -
Symantec 10 2007.10.22 -
TheHacker 6.2.9.104 2007.10.22 -
VBA32 3.12.2.4 2007.10.22 -
VirusBuster 4.3.26:9 2007.10.22 -
Webwasher-Gateway 6.6.1 2007.10.22 -
Additional information
File size: 27136 bytes
MD5: e62cb31ae2dffba6836c7cb780ebf7de
SHA1: 65cb69fcef9028f540e6ce13d940203e1ec02243

Thanks for your help.

Please let me know if further files are required as the issue still persists.

Regards,

Sophie ^_^
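
Two VirusTotal reports in this thread come back with "-" from every engine, and the helper still wants the files gone later (see the CFScript in post #12). The reason is that a clean scan answers "is this a known sample?" and nothing else; the hashes in the "Additional information" block answer a different, more useful question: is the file in the user's profile the same object VirusTotal looked at, and is it a byte-for-byte copy of the tool that lives in the system directory, or something that merely carries the same name? As an added example that is not part of the original thread and not a VirusTotal or forum tool, the Python below computes the MD5/SHA1/SHA256 of a file the way VirusTotal reports them, checks a file against a reported hash, and compares same-named files in a "profile" directory against a "system" directory. The demo() scenario is constructed in a temporary directory with placeholder bytes; the directory names system32/profile and the file contents are assumptions, and no real Windows binaries are read.

```python
import hashlib
import os
import tempfile

_CHUNK = 1 << 16


def hashes_of_bytes(data):
    """MD5, SHA1 and SHA256 hex digests of a byte string (VirusTotal shows the first two)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def file_hashes(path):
    """Same digests for a file, streamed in chunks so a large binary is never fully in memory."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(_CHUNK), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def matches_report(path, md5=None, sha1=None):
    """True when the local file is the object a VirusTotal report describes (case-insensitive hex)."""
    h = file_hashes(path)
    return (md5 is None or h["md5"] == md5.lower()) and (sha1 is None or h["sha1"] == sha1.lower())


def stray_copies(profile_dir, system_dir, names):
    """For each tool name present in profile_dir, say whether it is identical to the system_dir copy."""
    report = {}
    for name in names:
        stray, canon = os.path.join(profile_dir, name), os.path.join(system_dir, name)
        if not os.path.isfile(stray):
            continue                       # nothing of that name in the profile: not a finding
        if not os.path.isfile(canon):
            report[name] = "no system copy"  # a name that does not exist where it should
        elif file_hashes(stray)["sha256"] == file_hashes(canon)["sha256"]:
            report[name] = "identical"       # plain copy of a legitimate tool
        else:
            report[name] = "differs"         # same name, different bytes: look closer
    return report


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario (assumption): stand-ins for a system directory and a user profile."""
    with tempfile.TemporaryDirectory() as root:
        sysdir, prof = os.path.join(root, "system32"), os.path.join(root, "profile")
        os.mkdir(sysdir)
        os.mkdir(prof)
        _write(os.path.join(sysdir, "find.exe"), b"MZ find tool build 1")
        _write(os.path.join(prof, "find.exe"), b"MZ find tool build 1")                # plain copy
        _write(os.path.join(sysdir, "findstr.exe"), b"MZ findstr build 1")
        _write(os.path.join(prof, "findstr.exe"), b"MZ findstr build 1 + extra bytes")  # modified copy
        _write(os.path.join(prof, "regedit.exe"), b"MZ regedit")                        # no counterpart
        result = stray_copies(prof, sysdir, ["find.exe", "findstr.exe", "regedit.exe", "attrib.exe"])
        # Re-check one file against a hash the way a VirusTotal report prints it (upper-case).
        reported_md5 = hashes_of_bytes(b"MZ regedit")["md5"].upper()
        result["regedit_matches_report"] = matches_report(os.path.join(prof, "regedit.exe"), md5=reported_md5)
        return result


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Against a real profile, point stray_copies at the user's profile root and the Windows system directory and pass the names from the helper's list; an "identical" verdict explains a clean VirusTotal result, while "differs" or "no system copy" is the case worth uploading.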

#10 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 23 October 2007 - 06:46 AM

Hi

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log



#11 SophieG

SophieG

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 23 October 2007 - 01:24 PM

Hello again,

Please find below the requested results:

SDFix: Version 1.109
Run by Aitor on 24/10/2007 at 20:11

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Aitor\Desktop\ANTIVIR\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\DOCUME~1\Aitor\Desktop\ANTIVIR\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sat 9 Jun 2007 168 ..SHR --- "C:\WINDOWS\system32\5B7576CDB5.sys"
Sat 9 Jun 2007 5,798 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Wed 4 Apr 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 25 Jun 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 27 Jan 2007 3,570 A..H. --- "C:\Program Files\Common Files\AOL\IPHSend\IPH.BAK"
Tue 16 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8361ae28fcfac79271825a6b2935fdb6\BIT10A.tmp"
Sat 2 Jun 2007 19,456 A..H. --- "C:\Documents and Settings\Aitor\Application Data\Microsoft\Word\~WRL0005.tmp"
Sat 2 Jun 2007 21,504 A..H. --- "C:\Documents and Settings\Aitor\Application Data\Microsoft\Word\~WRL2472.tmp"
Tue 23 Oct 2007 1,301 ...HR --- "C:\Documents and Settings\Aitor\Application Data\SecuROM\UserData\securom_v7_01.bak"
Wed 4 Apr 2007 4,348 A..H. --- "C:\Documents and Settings\Aitor\My Documents\My Music\License Backup\drmv1key.bak"
Wed 4 Apr 2007 20 A..H. --- "C:\Documents and Settings\Aitor\My Documents\My Music\License Backup\drmv1lic.bak"
Sun 11 Feb 2007 312 A..H. --- "C:\Documents and Settings\Aitor\My Documents\My Music\License Backup\drmv2key.bak"
Wed 4 Apr 2007 1,536 A..H. --- "C:\Documents and Settings\Aitor\My Documents\My Music\License Backup\drmv2lic.bak"
Thu 22 Mar 2007 559,616 A..H. --- "C:\Documents and Settings\Aitor\Desktop\LN UK\Internal Documents\Business PLan\~WRL0005.tmp"
Mon 5 Mar 2007 57,856 A..H. --- "C:\Documents and Settings\Aitor\Desktop\LN UK\Internal Documents\Business PLan\~WRL1484.tmp"
Sun 23 Apr 2006 302,592 A..H. --- "C:\Documents and Settings\Aitor\Desktop\Data Files\PC Ece\Aitor\Livre Noir\Employee Procedure Manual\~WRL3288.tmp"
Wed 6 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Wed 6 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Wed 6 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Wed 6 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"
Wed 6 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"
Wed 6 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch6\lock.tmp"

Please let me know what the next step is as the issue persists.

Thanks a lot for this help,

SophieG ^_^
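
The SDFix "Files with Hidden Attributes" section is the part of that report a reviewer actually reads, and it arrived here pasted as one unbroken line. Each entry carries a date, a size, a five-character attribute field (letters for Archive, System, Hidden, Read-only; dots for unset bits) and a quoted path. As an added example that is not part of the original thread and not SDFix's own code, the Python below pulls those entries out of the text whether or not it has line breaks, decodes the attribute field by the letters present rather than by position, and orders the entries by a simple interest score: System+Hidden together, a location under \WINDOWS\system32, and a loadable extension (.sys/.exe/.dll) each add to the score. The scoring weights are my own heuristic for deciding what to look at first, not a verdict on any file, and the sample text is constructed from six entries of the posted report, deliberately run together the way it was posted.

```python
import re

# Constructed sample: six entries copied from the report above, joined into
# a single line exactly as the forum paste flattened them.
SAMPLE_SDFIX = (
    r'Sat 9 Jun 2007 168 ..SHR --- "C:\WINDOWS\system32\5B7576CDB5.sys" '
    r'Sat 9 Jun 2007 5,798 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys" '
    r'Wed 4 Apr 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak" '
    r'Tue 16 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8361ae28fcfac79271825a6b2935fdb6\BIT10A.tmp" '
    r'Sat 2 Jun 2007 19,456 A..H. --- "C:\Documents and Settings\Aitor\Application Data\Microsoft\Word\~WRL0005.tmp" '
    r'Tue 23 Oct 2007 1,301 ...HR --- "C:\Documents and Settings\Aitor\Application Data\SecuROM\UserData\securom_v7_01.bak"'
)

# "<Dow> <d> <Mon> <yyyy> <size> <attrs> --- "<path>"" ; finditer lets the
# pattern work on a flattened paste as well as on one entry per line.
ENTRY_RE = re.compile(
    r'(?P<dow>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<mon>[A-Z][a-z]{2}) (?P<year>\d{4})'
    r'\s+(?P<size>[\d,]+)\s+(?P<attrs>[A-Z.]{5})\s+---\s+"(?P<path>[^"]+)"'
)


def parse_hidden_files(text):
    """Return one dict per entry: date, size (int), flags (set of letters), path."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        entries.append({
            "date": f'{m["dow"]} {m["day"]} {m["mon"]} {m["year"]}',
            "size": int(m["size"].replace(",", "")),
            "flags": {c for c in m["attrs"] if c != "."},   # letters present, position-independent
            "path": m["path"],
        })
    return entries


def interest_score(entry):
    """Heuristic ordering only (my assumption, not an SDFix rule): higher means look at it first."""
    p = entry["path"].lower()
    filename = p.rsplit("\\", 1)[-1]
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    score = 0
    if {"S", "H"} <= entry["flags"]:
        score += 2   # System+Hidden hides a file from Explorer's default view
    if "\\windows\\system32\\" in p:
        score += 2   # on the loader/search path, where droppers like to live
    if ext in ("sys", "exe", "dll"):
        score += 1   # code that can be loaded, as opposed to a .tmp or .bak
    return score


def rank(text):
    """Parsed entries sorted by score, highest first; ties keep report order."""
    entries = parse_hidden_files(text)
    for e in entries:
        e["score"] = interest_score(e)
    return sorted(entries, key=lambda e: e["score"], reverse=True)


if __name__ == "__main__":
    for e in rank(SAMPLE_SDFIX):
        print(e["score"], "".join(sorted(e["flags"])).ljust(4), f'{e["size"]:>8}', e["path"])
```

On the full report the two .sys files in system32 come out on top and the Word and DRM leftovers sink to the bottom; whether the top entries are benign is then a question for a hash lookup or the vendor, not for the parser.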

#12 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 23 October 2007 - 05:07 PM

Hi

Open Notepad and Copy/Paste the text in the codebox below into it:

File::
C:\WINDOWS\system32\WS2Fix.exe 
C:\Documents and Settings\Aitor\regedit.exe
C:\Documents and Settings\Aitor\findstr.exe
C:\Documents and Settings\Aitor\attrib.exe
C:\Documents and Settings\Aitor\find.exe
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\F4C9398FB6C64A4B8B6D795CD86F915D.TMP
C:\found.000

Folder::
C:\Documents and Settings\Aitor\backups
C:\Documents and Settings\Aitor\backupreg
C:\Documents and Settings\Aitor\.housecall6.6
C:\Documents and Settings\Aitor\Desktop\ANTIVIR\SmitfraudFix
C:\Documents and Settings\Aitor\Desktop\SmitfraudFix.zip
C:\Documents and Settings\Aitor\Local Settings\Application Data\Mozilla\Firefox\Profiles\syn4od1y.default\Cache\633285D9d01/SmitfraudFix

Save this as "CFScript"

Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Double-click the SuperAntiSpyware icon on your desktop to run it.
• It will ask if you want to update the program definitions, click Yes.
• Under Configuration and Preferences, click the Preferences button.
• Click the Scanning Control tab.
• Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining.
  • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
• On the main screen, under Scan for Harmful Software click Scan your computer.
• On the left check C:\Fixed Drive.
• On the right, under Complete Scan, choose Perform Complete Scan.
• Click Next to start the scan. Please be patient while it scans your computer.
• After the scan is complete a summary box will appear. Click OK.
• Make sure everything in the white box has a check next to it, then click Next.
• It will quarantine what it found and if it asks if you want to reboot, click Yes.
• To retrieve the removal information for me please do the following:
  • After reboot, double-click the SUPERAntispyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (such as Notepad/Wordpad).
  • Please highlight everything in the notepad, then right-click and choose copy.
• Click close and close again to exit the program.
• Please paste that information here for me with a new HijackThis log.

#13 SophieG

SophieG

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 28 October 2007 - 06:52 PM

Hello again,

And sorry for my absence.

Find below the ComboFix log requested:

ComboFix 07-10-21.1 - Aitor 2007-10-30 0:34:52.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.576 [GMT 0:00]
Running from: C:\Documents and Settings\Aitor\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Aitor\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\Documents and Settings\Aitor\attrib.exe
C:\Documents and Settings\Aitor\find.exe
C:\Documents and Settings\Aitor\findstr.exe
C:\Documents and Settings\Aitor\regedit.exe
C:\found.000
C:\WINDOWS\F4C9398FB6C64A4B8B6D795CD86F915D.TMP
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\WS2Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Aitor\Desktop\SmitfraudFix.zip\

.
((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-30 )))))))))))))))))))))))))))))))
.

2007-10-22 11:55 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-22 11:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-22 00:59 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Grisoft
2007-10-20 14:29 <DIR> d-------- C:\Program Files\Sierra Entertainment
2007-10-20 13:37 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-20 12:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-20 12:46 <DIR> d-------- C:\Documents and Settings\Aitor\Application Data\Grisoft
2007-10-20 12:46 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-20 12:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-20 10:57 <DIR> d--h----- C:\WINDOWS\PIF
2007-10-20 01:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2007-10-20 01:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-10-20 01:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-10-20 01:11 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2007-10-20 01:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2007-10-20 00:43 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-20 00:16 4,216 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-19 22:27 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-19 06:13 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-19 06:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-19 00:48 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-19 00:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-19 00:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-19 00:48 <DIR> d-------- C:\Documents and Settings\Aitor\Application Data\SUPERAntiSpyware.com
2007-10-10 05:21 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-08 13:32 <DIR> d-------- C:\Program Files\TradeSmart
2007-10-07 15:49 <DIR> d-------- C:\WINDOWS\F4C9398FB6C64A4B8B6D795CD86F915D.TMP
2007-10-05 23:51 <DIR> d--hs---- C:\found.000
2007-10-05 21:52 <DIR> dr-h----- C:\Documents and Settings\Aitor\Application Data\SecuROM
2007-10-05 21:52 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-10-05 21:52 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-10-05 21:52 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-10-05 21:52 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-10-05 21:52 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-10-05 21:52 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-10-04 11:37 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\You've Got Pictures Screensaver
2007-10-04 11:37 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Symantec
2007-10-04 11:37 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\McAfee.com Personal Firewall
2007-10-04 11:37 <DIR> d--h----- C:\Documents and Settings\Guest\Application Data\Gtek
2007-10-04 11:37 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\AOL
2007-09-01 20:05 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2007-09-01 20:05 7,552 --a------ C:\WINDOWS\system32\dllcache\sonypvu1.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-30 00:28 --------- d-----w C:\Documents and Settings\Aitor\Application Data\OpenOffice.org2
2007-10-25 00:04 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-10-20 14:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-20 14:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-20 13:45 --------- d-----w C:\Program Files\Java
2007-10-20 13:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-20 11:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-20 11:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-10-20 11:29 --------- d-----w C:\Program Files\DivX
2007-10-20 10:33 --------- d-----w C:\Program Files\QuickTime
2007-10-20 10:33 --------- d-----w C:\Program Files\KaZaA Lite
2007-10-20 10:32 --------- d-----w C:\Program Files\Dell Network Assistant
2007-10-20 10:32 --------- d-----w C:\Program Files\Dell
2007-10-20 10:32 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-20 00:02 --------- d-----w C:\Program Files\Download Manager
2007-10-16 00:20 --------- d-----w C:\Program Files\Soulseek
2007-10-15 01:23 --------- d-----w C:\Documents and Settings\Aitor\Application Data\Skype
2007-08-22 12:55 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 12:55 665,600 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 12:55 617,984 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 12:55 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 12:55 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 12:55 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 12:55 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 12:55 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 12:55 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 12:55 3,064,832 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 12:55 251,904 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 12:55 205,824 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 12:55 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 12:55 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 12:55 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 12:55 1,498,112 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 12:55 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 12:55 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:19 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-07-30 18:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 18:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 18:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 18:19 549,720 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 18:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 18:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 18:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 18:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 18:19 325,976 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 18:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 18:19 203,096 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 18:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 18:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 18:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 18:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2007-07-26 02:53 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-07-26 02:53 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-07-26 02:53 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-07-26 02:53 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-07-26 02:53 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-07-26 02:53 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-07-26 02:50 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-07-26 02:50 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-07-26 02:50 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-07-26 02:50 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-07-26 02:50 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-07-26 02:50 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-07-26 02:50 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-07-26 02:50 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-07-09 13:09 584,192 ----a-w C:\WINDOWS\system32\rpcrt4.dll
2007-06-09 17:13:15 168 --sh--r C:\WINDOWS\system32\5B7576CDB5.sys
2007-06-09 17:13:17 5,798 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2007-10-20_ 1.50.58.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-09-28 08:06:08 135,168 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-20 06:03:30 136,192 ----a-w C:\WINDOWS\catchme.exe
- 2007-10-19 23:23:19 3,895,296 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-10-24 19:11:12 4,943,872 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2007-10-19 23:23:19 749,568 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-10-24 19:11:12 753,664 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2007-03-13 23:31:24 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-24 21:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-03-13 23:31:28 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-24 21:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-03-14 01:04:46 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-24 22:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2005-05-24 11:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 14:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 14:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-03-25 10:35:22 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-10-28 16:26:35 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-03-25 10:35:22 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-10-28 16:26:35 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-10-05 09:07:31 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-10-05 10:07:31 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
- 2006-11-29 16:21:29 370,688 ----a-w C:\WINDOWS\system32\swsc.exe
+ 2006-01-09 09:36:06 40,960 ----a-w C:\WINDOWS\system32\swsc.exe
- 2006-12-01 04:20:32 212,480 ----a-w C:\WINDOWS\system32\swxcacls.exe
+ 2006-12-01 05:20:34 79,360 ----a-w C:\WINDOWS\system32\swxcacls.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-07-21 16:48]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-07-21 16:50]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-07-21 16:47]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 10:20 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 07:15]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-12 04:43]
"nwiz"="nwiz.exe" [2006-08-12 04:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-12 04:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 16:59]
"gemstrmw"="C:\WINDOWS\system32\gemstrmw.exe" [2004-02-12 08:01]
"CertReg"="C:\Program Files\Common Files\Gemplus\CertReg\certreg.exe" [2004-02-13 15:31]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 01:12]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-30 23:22]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 14:49]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-28 21:57]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24]
"Aim6"="" []
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 21:57]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 13:06]

C:\Documents and Settings\Aitor\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 16:54:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R2 hnmwrlspkt;HomeNet Manager Wireless Protocol;C:\WINDOWS\system32\DRIVERS\hnm_wrls_pkt.sys
R2 wsppkt;Wireless Security Protocol;C:\WINDOWS\system32\DRIVERS\wsp_pkt.sys
S3 GTwinUSB;GTwinUSB;C:\WINDOWS\system32\Drivers\GTwinUSB.sys
S4 CardServer;CardServer;C:\Program Files\Common Files\Gemplus\Token API\CardServer.dll

.
Contents of the 'Scheduled Tasks' folder
"2007-02-11 12:57:44 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-30 00:38:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-30 0:39:05
C:\ComboFix2.txt ... 2007-10-25 00:01
C:\ComboFix3.txt ... 2007-10-21 18:29
.
--- E O F -

This is the first installment; I'll submit the details on the spyware in the next entry.

Thanks a lot,

SophieG :blush:

#14 SophieG (New Member, 8 posts)

Posted 28 October 2007 - 08:06 PM

Hello again,

As promised please find below the requested log:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/30/2007 at 01:27 AM

Application Version : 3.9.1008

Core Rules Database Version : 3332
Trace Rules Database Version: 1333

Scan type : Complete Scan
Total Scan Time : 00:29:40

Memory items scanned : 439
Memory threats detected : 0
Registry items scanned : 5615
Registry threats detected : 1
File items scanned : 35152
File threats detected : 7

Adware.Tracking Cookie
C:\Documents and Settings\Aitor\Cookies\aitor@ads.aol.co[1].txt
C:\Documents and Settings\Aitor\Cookies\aitor@revsci[2].txt
C:\Documents and Settings\Aitor\Cookies\aitor@html[2].txt
C:\Documents and Settings\Aitor\Cookies\aitor@ads.e-planning[1].txt
C:\Documents and Settings\Aitor\Cookies\aitor@2o7[1].txt
C:\Documents and Settings\Aitor\Cookies\aitor@atwola[1].txt
C:\Documents and Settings\Aitor\Cookies\aitor@advertising[1].txt

Browser Hijacker.Internet Explorer Settings Hijack
HKU\S-1-5-21-3429915226-1590084197-1380620588-1006\Software\Microsoft\Internet Explorer\Main#Start Page [ http://softwarerefer...=...6Ojg5&lid=2 ]


Please let me know what the following steps are.

Thanks for all this help,

SophieG :)

#15 Scotty (Authentic Member, 3,634 posts)

Posted 29 October 2007 - 07:19 AM

Hi

Time for some housekeeping:
  • Click START then RUN
  • Now type Combofix /u in the run box and click OK. Note the space between the x and the /u; it needs to be there.
  • When shown the disclaimer, select "2"
The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.
Then post a new HijackThis log, and tell me how the computer is behaving now.
You too could train to help others- Join the Classroom
