TratBHO and Smitfraud (core.cache.dsk) HELLLLLP! please

Hey it's me

New Member
I have been infected with TratBHO and Smitfraud. I have downloaded numerous fixes but nothing is working!! I'm trying to avoid reinstalling my op system. I have Avast, Smitfraudfix, Hijack This, Norton 2004, Ad-Aware 2007, AVG and...I have tried numerous times to clean them out!
I am sooo frustrated! I can't delete no how, no way the core.cache.dsk file in my drivers section (which I know is the Smitfraud *******!) Tratbho had come up in one of my searches and I checked the boxes with BHO files and they were deleted but I still am getting pop ups and warnings. I've also been in safe mode. Didn't do anything.

Please help me! I'm losing my mind! I use Firefox (sometimes I have no choice BUT to use IE though) and IE keeps popping up randomly. I fear something terrible is looming in this virus and it will either hack into my computer and steal private info or cause a crash. Not sure if I should just throw it all in and reinstall.
:eek:

here's the latest result of Smitfraudfix:

SmitFraudFix v2.274

Scan done at 10:26:46.14, Mon 01/14/2008
Run from C:\Documents and Settings\Eve\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\Alwil Software\aswUpdSv.exe
C:\Program Files\Avast4\Alwil Software\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iDumpPro\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\Alwil Software\ashMaiSv.exe
C:\Program Files\Avast4\Alwil Software\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Avast4\Alwil Software\ashSimpl.exe
C:\Program Files\Eusing Free Registry Cleaner\Regcleaner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\rundll32.exe
D:\NU\NDD32.EXE
C:\WINDOWS\system32\rundll32.exe
D:\NSWSETUP.EXE
C:\WINDOWS\system32\msiexec.exe
D:\Support\Prescan\Prescan.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 legal-at-spybot.info
127.0.0.1 www.legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Eve


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Eve\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Eve\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:/DOCUME~1/Eve/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg"
"SubscribedURL"="file:///C:/DOCUME~1/Eve/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="about:Home"
"SubscribedURL"="about:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{92C041E2-1F38-4238-A3E1-E960C8134B5E}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{92C041E2-1F38-4238-A3E1-E960C8134B5E}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{92C041E2-1F38-4238-A3E1-E960C8134B5E}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



thanks
:(
 

evilfantasy

New Member
Need a Hijackthis log.

Download HijackThis (HJT)
  • Double-click on HJTInstall.
  • Click on the Install button.
  • It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
  • Upon install, HijackThis should open for you.
  • If using Windows Vista, be sure to Run As Administrator
  • Click on the Do a system scan and save a log file button
  • HijackThis will scan and then a log will open in notepad.
  • Copy and then paste the log in your post.
    • Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
 

Hey it's me

New Member
Hi evil, that info I included in my post is FROM Hijackthis which I downloaded last night based on the postings I was reading on this site (you guys). I'm confused.
 

Hey it's me

New Member
oops! no, it was off of smitfraudfix...oy, I have downloaded so many spyware removals and virus removals I'm confused indeed!
I will post the HJT result...
gimme a sec.
 

Hey it's me

New Member
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:51 PM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\Alwil Software\aswUpdSv.exe
C:\Program Files\Avast4\Alwil Software\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iDumpPro\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\Alwil Software\ashMaiSv.exe
C:\Program Files\Avast4\Alwil Software\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Avast4\Alwil Software\ashSimpl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
C:\WINDOWS\system32\fxssvc.exe
D:\NSWSETUP.EXE
D:\Support\Prescan\Prescan.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.npr.org/templates/rundowns/rundown.php?prgId=3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: (no name) - {A1C77420-D2AF-4A94-88DA-77CE0C551BED} - C:\WINDOWS\system32\xxyabaw.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
O4 - Startup: Norton Disk Doctor.LNK = D:\NU\NDD32.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: xxyabaw - C:\WINDOWS\SYSTEM32\xxyabaw.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\Alwil Software\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\iDumpPro\NMSAccessU.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Eve/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

--
End of file - 6497 bytes
 

Hey it's me

New Member
sorry it took so long I was having trouble...(uhm, right...that's the issue consuming me!!) where's the complete teary smiley...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:38 PM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\Alwil Software\aswUpdSv.exe
C:\Program Files\Avast4\Alwil Software\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iDumpPro\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\Alwil Software\ashMaiSv.exe
C:\Program Files\Avast4\Alwil Software\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Avast4\Alwil Software\ashSimpl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
C:\WINDOWS\system32\fxssvc.exe
D:\NSWSETUP.EXE
D:\Support\Prescan\Prescan.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Avast4\Alwil Software\setup\avast.setup

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.npr.org/templates/rundowns/rundown.php?prgId=3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: (no name) - {A1C77420-D2AF-4A94-88DA-77CE0C551BED} - C:\WINDOWS\system32\xxyabaw.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
O4 - Startup: Norton Disk Doctor.LNK = D:\NU\NDD32.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: xxyabaw - C:\WINDOWS\SYSTEM32\xxyabaw.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\Alwil Software\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\iDumpPro\NMSAccessU.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Eve/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

--
End of file - 6522 bytes
 

evilfantasy

New Member
No worries, we will get there eventually.


You still have some old Norton entries. Run the Norton Removal Tool to remove everything left over.

----------

Open HijackThis and select Do a system scan only then place a check mark next to:

O2 - BHO: (no name) - {A1C77420-D2AF-4A94-88DA-77CE0C551BED} - C:\WINDOWS\system32\xxyabaw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


Close all windows except for HijackThis and click Fix checked

Exit Hijackthis.

----------

Please download Combofix by sUBs from one of the below links.
(Try all three if necessary.) IMPORTANT - Combofix.exe MUST be saved to your Desktop.
  • Close any open Web browsers. (Firefox, Internet Explorer, etc)
  • Close/disable all anti virus and anti malware programs so they do not interfere with Combofix. <-- IMPORTANT
    • Click on this link to see a list of programs that should be disabled. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe & follow the prompts.
    • From the keyboard select 1 and press Enter
  • When finished, it will produce a log for you.
  • Post that log in your next reply.
Do not mouseclick combofix's window while it's running.
The scan will temporarily disable your desktop.
If interrupted it may leave your computer frozen.
If this occurs, please reboot to restore the desktop.

----------

Run a new Hijackthis scan and post the log.

----------

Next post please add
Combofix log
New Hijackthis log
 

Hey it's me

New Member
Ok, 1st off THANK YOU so much Evil, for helping me. it's very much appreciated.
As for what's happening...it's such a mess! I swear I'm getting Mac next time. In the meantime...I'm attaching the HJT log. I have noticed it's different. not sure which thing did it since I have SOOO many things running and trying to hit the attack. one thing is the BHO file is not there any more, HOWEVER, I'm still getting IE pop ups. I'll try and post the Combofix log too but I fear it may shut down my computer. that's what it seems to do??

here's HJT:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:11:24 PM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avast4\Alwil Software\aswUpdSv.exe
C:\Program Files\Avast4\Alwil Software\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iDumpPro\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Avast4\Alwil Software\ashMaiSv.exe
C:\Program Files\Avast4\Alwil Software\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.npr.org/templates/rundowns/rundown.php?prgId=3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\Alwil Software\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\iDumpPro\NMSAccessU.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Eve/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

--
End of file - 5782 bytes


OH and I need to see if the core.cache.dsk file is still in the Windows\system32\drivers folder. That's the Smitfraud bugger.


Oh and as for Norton? I was running that off a disk. I didn't do anything more about it but take out the disk. it seems SUPERAntispyware may have been effective in Some way??? or was it AVG, or avast finally?) or could combofix have done something to remove that one BHO file?

ok, here's this post and I'll try and get the combofix report too now...
 

evilfantasy

New Member
After this I will need you to follow the steps in order. Combofix run first, then run a Hijackthis scan.

It does more good to see a Hijackthis log after the other tools have done their cleaning.

The log does look better, you can have Hijackthis fix this entry.

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

I am curious also if this was done by you?
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Eve/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg
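For anyone reading along and wondering how the helper picked out those entries from the HijackThis logs above, here is an added triage script (example code written for this page, not part of the thread, of HijackThis or of any tool named here). It parses the O2/O9/O20/O24 entry lines and flags the three patterns acted on in the replies: an unnamed BHO whose DLL is also registered as a Winlogon Notify handler, an extra button whose target is "(no file)", and a desktop component sourced from a file under a Temp folder. The sample log is constructed from the shape of the entries in this thread, and the rule names are my own, not HijackThis terminology.

```python
import re

# Constructed sample log: the entry lines follow the HijackThis v2 format and
# reproduce the entries discussed in this thread, plus two benign lines.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {A1C77420-D2AF-4A94-88DA-77CE0C551BED} - C:\WINDOWS\system32\xxyabaw.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: xxyabaw - C:\WINDOWS\SYSTEM32\xxyabaw.dll
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Eve/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg
"""

# A HijackThis entry line starts with a section code (R0, R1, O2, O23, ...)
# followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")


def parse_entries(text):
    """Return [(code, body), ...] for every entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def split_fields(body, n):
    """Split an entry body into exactly n ' - ' separated fields, from the right.

    Splitting from the right keeps a ' - ' inside a display name intact
    (e.g. 'Spybot - Search & Destroy Configuration'); the CLSID and the
    file path are always the last fields. Returns None if the count is off.
    """
    parts = body.rsplit(" - ", n - 1)
    return parts if len(parts) == n else None


def triage(text):
    """Flag the patterns the helper in this thread acted on.

    Returns a list of (code, reason, detail) tuples in log order:
      O2  - an unnamed BHO; noted separately if its DLL is also an O20 Winlogon
            Notify handler (one DLL loaded into both the browser and winlogon)
      O9  - an extra button whose target is '(no file)' (orphaned registry entry)
      O24 - a desktop component whose source is a file:/// URL under a Temp folder
    """
    entries = parse_entries(text)

    # First pass: every DLL registered as a Winlogon Notify handler, case-folded
    # because the log prints the same path with differing case (system32/SYSTEM32).
    notify_dlls = set()
    for code, body in entries:
        if code == "O20":
            fields = split_fields(body, 2)
            if fields:
                notify_dlls.add(fields[1].lower())

    findings = []
    for code, body in entries:
        if code == "O2":
            fields = split_fields(body, 3)
            if not fields or "(no name)" not in fields[0]:
                continue
            path = fields[2]
            if path.lower() in notify_dlls:
                findings.append((code, "unnamed BHO whose DLL is also a Winlogon Notify handler", path))
            else:
                findings.append((code, "unnamed BHO", path))
        elif code == "O9":
            fields = split_fields(body, 3)
            if fields and fields[2] == "(no file)":
                findings.append((code, "extra button with no backing file (orphaned entry)", fields[1]))
        elif code == "O24":
            fields = split_fields(body, 2)
            if fields:
                src = fields[1].lower()
                if src.startswith("file:///") and "/temp/" in src:
                    findings.append((code, "desktop component sourced from a file under a Temp folder", fields[1]))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n      {detail}")
```

Run it against a saved HijackThis log by passing the file contents to triage(); it only reports, it never changes anything, so the "fix" decision stays with whoever reads the log.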
 

Hey it's me

New Member
here is the combofix...I'm STILL getting those insidious IE pop-ups. especially ones from wallst.com (or something like that)
as to your question....I'm not that literate to understand the inquiry. I know the path, but not sure what I'm looking for.
again. THANK YOU! I'm so grateful for this help. even if it ends up I have to reinstall windows, I need guidance. This BITES!


ComboFix 08-01-14.4 - Eve 2008-01-14 14:34:20.2 - NTFSx86
Running from: C:\Documents and Settings\Eve\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-14 to 2008-01-14 )))))))))))))))))))))))))))))))
.

2008-01-14 14:42 . 2008-01-14 14:42 <DIR> d----c--- C:\temp\tn3
2008-01-14 13:31 . 2000-08-31 08:00 51,200 --a--c--- C:\WINDOWS\NirCmd.exe
2008-01-14 12:19 . 2008-01-14 12:19 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-14 12:18 . 2008-01-14 14:19 <DIR> d----c--- C:\Program Files\SUPERAntiSpyware
2008-01-14 12:18 . 2008-01-14 12:18 <DIR> d----c--- C:\Documents and Settings\Eve\Application Data\SUPERAntiSpyware.com
2008-01-14 09:27 . 2008-01-14 09:27 <DIR> d----c--- C:\Program Files\Lavasoft
2008-01-14 09:27 . 2008-01-14 09:27 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-14 09:24 . 2008-01-14 12:16 <DIR> d----c--- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 08:32 . 2008-01-14 14:41 932 -----c--- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-13 22:05 . 2008-01-13 22:05 <DIR> d----c--- C:\Program Files\Trend Micro
2008-01-13 21:38 . 2008-01-13 21:38 <DIR> d----c--- C:\Documents and Settings\Eve\Application Data\Grisoft
2008-01-13 21:38 . 2008-01-13 21:38 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-13 21:38 . 2007-05-30 07:10 10,872 --a--c--- C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-13 21:30 . 2008-01-14 10:28 1,550 --a--c--- C:\WINDOWS\system32\tmp.reg
2008-01-13 21:26 . 2007-09-05 23:22 289,144 --a--c--- C:\WINDOWS\system32\VCCLSID.exe
2008-01-13 21:26 . 2006-04-27 16:49 288,417 --a--c--- C:\WINDOWS\system32\SrchSTS.exe
2008-01-13 21:26 . 2007-12-20 23:11 81,920 --a--c--- C:\WINDOWS\system32\IEDFix.exe
2008-01-13 21:26 . 2003-06-05 20:13 53,248 --a--c--- C:\WINDOWS\system32\Process.exe
2008-01-13 21:26 . 2004-07-31 17:50 51,200 --a--c--- C:\WINDOWS\system32\dumphive.exe
2008-01-13 21:26 . 2007-10-03 23:36 25,600 --a--c--- C:\WINDOWS\system32\WS2Fix.exe
2008-01-11 17:36 . 2008-01-11 18:22 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-11 17:14 . 2008-01-11 17:14 <DIR> d----c--- C:\Program Files\Plato Video To PSP Converter
2008-01-11 16:49 . 2007-12-11 13:14 151,552 --a--c--- C:\WINDOWS\system32\rushlqll.exe
2008-01-11 16:49 . 2007-12-11 13:14 151,552 --a--c--- C:\WINDOWS\system32\bkmoopob.exe
2008-01-11 16:49 . 2007-12-13 12:25 139,264 --a--c--- C:\WINDOWS\system32\mobjchku.exe
2008-01-11 16:49 . 2008-01-11 16:49 54,033 --a--c--- C:\WINDOWS\system32\memouint.exe
2008-01-11 16:48 . 2008-01-11 16:48 86,016 --a--c--- C:\WINDOWS\system32\drivers\redbookk.sys
2008-01-11 16:47 . 2008-01-14 10:16 <DIR> d----c--- C:\WINDOWS\system32\vt8
2008-01-11 16:47 . 2008-01-11 16:47 <DIR> d----c--- C:\WINDOWS\system32\ob3
2008-01-11 16:47 . 2008-01-11 16:47 <DIR> d----c--- C:\WINDOWS\system32\nz0
2008-01-11 16:47 . 2008-01-11 16:47 <DIR> d----c--- C:\WINDOWS\system32\mp2
2008-01-11 16:47 . 2008-01-11 19:06 <DIR> d----c--- C:\WINDOWS\system32\ez4
2008-01-11 16:47 . 2008-01-11 16:47 <DIR> d----c--- C:\WINDOWS\system32\che9
2008-01-11 16:47 . 2008-01-11 16:47 692,149 --a--c--- C:\temp\liHco0109.exe
2008-01-11 16:46 . 2008-01-11 16:46 <DIR> d----c--- C:\WINDOWS\system32\edcA16
2008-01-11 16:46 . 2008-01-11 16:47 <DIR> d----c--- C:\temp\Ryuan1
2008-01-11 16:46 . 2008-01-11 16:46 111,835 --a--c--- C:\WINDOWS\system32\ope58.exe
2008-01-11 16:46 . 2008-01-11 16:46 0 --a--c--- C:\WINDOWS\system32\ope58.tmp
2008-01-11 16:44 . 2008-01-11 16:44 352,410 --a--c--- C:\WINDOWS\system32\ope4F.exe
2008-01-11 16:44 . 2008-01-11 16:44 0 --a--c--- C:\WINDOWS\system32\ope4F.tmp
2008-01-11 16:44 . 2008-01-11 16:44 0 --a--c--- C:\WINDOWS\ope55.tmp
2008-01-11 12:04 . 2008-01-11 15:52 54,156 --ah-c--- C:\WINDOWS\QTFont.qfn
2008-01-11 12:04 . 2008-01-11 12:04 1,409 --a--c--- C:\WINDOWS\QTFont.for
2008-01-11 12:03 . 2008-01-11 12:03 <DIR> d----c--- C:\Program Files\iPod
2008-01-11 10:11 . 2008-01-11 15:12 <DIR> d----c--- C:\Program Files\uTorrent
2008-01-11 10:10 . 2008-01-14 08:50 <DIR> d----c--- C:\Documents and Settings\Eve\Application Data\uTorrent
2008-01-10 12:40 . 2008-01-10 12:40 <DIR> d----c--- C:\Program Files\MAPILab Ltd
2008-01-10 12:40 . 2008-01-10 12:40 <DIR> d----c--- C:\Program Files\Common Files\MAPILab Ltd
2008-01-05 00:22 . 2008-01-05 00:22 <DIR> d----c--- C:\Program Files\AWS
2008-01-04 10:09 . 2008-01-04 10:09 <DIR> d----c--- C:\Program Files\Microsoft Silverlight
2008-01-03 19:34 . 2008-01-11 15:03 <DIR> d----c--- C:\iPodMusic
2008-01-03 19:26 . 2008-01-03 19:26 <DIR> d----c--- C:\Program Files\iDumpPro
2008-01-03 19:26 . 2008-01-03 19:26 1,521,113 --a--c--- C:\WINDOWS\iDumpPro Uninstaller.exe
2008-01-03 19:26 . 2008-01-03 19:26 3,120 --a--c--- C:\WINDOWS\system32\2bad2884-02a9-488c-9f8c-13fecc7c77f9.dll
2008-01-03 19:26 . 2008-01-03 19:26 3,120 --a--c--- C:\WINDOWS\db7a9e38-547e-4544-bf7c-a4beabe1c61a.ocx
2007-12-25 21:31 . 2007-12-25 21:31 <DIR> d----c--- C:\Documents and Settings\Eve\Application Data\EPSON
2007-12-23 14:35 . 2007-11-02 09:36 1,763,248 --a--c--- C:\WINDOWS\system32\Codejock.CommandBars.v11.2.1.ocx
2007-12-23 14:35 . 2007-11-02 09:37 518,064 --a--c--- C:\WINDOWS\system32\Codejock.SkinFramework.v11.2.1.ocx
2007-12-23 14:33 . 2007-10-02 05:47 849,920 --a--c--- C:\WINDOWS\system32\AdjMmsEng.dll
2007-12-23 14:33 . 2007-10-01 07:38 827,392 --a--c--- C:\WINDOWS\system32\asrecmms.ocx
2007-12-23 14:33 . 2007-10-01 05:43 425,984 --a--c--- C:\WINDOWS\system32\amp3dj.ocx
2007-12-20 09:16 . 2007-12-20 09:16 <DIR> d----c--- C:\Program Files\MailWasher Pro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 19:10 --------- dc----w C:\Documents and Settings\Eve\Application Data\MailWasherPro
2008-01-14 15:19 --------- dc----w C:\Documents and Settings\Eve\Application Data\Symantec
2008-01-11 18:03 --------- dc----w C:\Program Files\itunes
2008-01-11 17:01 --------- dc----w C:\Program Files\QuickTime
2008-01-11 16:35 --------- dc----w C:\Program Files\Microsoft Plus! Photo Story 2 LE
2008-01-11 16:34 --------- dc----w C:\Program Files\Jasc Software Inc
2008-01-11 16:00 --------- dc----w C:\Program Files\Dell
2008-01-11 15:35 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-01-11 15:35 --------- dc----w C:\Program Files\Common Files\Nikon
2008-01-11 15:30 --------- dc----w C:\Documents and Settings\Eve\Application Data\ArcSoft
2008-01-11 15:18 --------- dc----w C:\Program Files\Azureus
2008-01-11 15:18 --------- dc----w C:\Documents and Settings\Eve\Application Data\Azureus
2008-01-09 20:41 --------- dc----w C:\Program Files\Google
2008-01-08 02:06 --------- dc----w C:\Program Files\WeatherBug
2007-12-07 17:30 --------- dc----w C:\Documents and Settings\All Users\Application Data\SiComponents
2007-12-07 17:05 --------- dc----w C:\Documents and Settings\Eve\Application Data\Jasc Software Inc
2007-12-06 19:37 --------- dc----w C:\Documents and Settings\Eve\Application Data\Final Draft
2007-12-06 14:28 --------- dc----w C:\Documents and Settings\All Users\Application Data\Final Draft
2007-12-06 14:07 --------- dc----w C:\Program Files\SteepAndCheap
2007-12-04 19:00 --------- dc----w C:\Program Files\Eusing Free Registry Cleaner
2007-12-04 18:59 --------- dc----w C:\Program Files\Skype
2007-12-04 16:33 --------- dc----w C:\Documents and Settings\Eve\Application Data\Skype
2007-12-04 14:56 93,264 -c--a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:56 32 -c--a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-04 14:56 --------- dc----w C:\Program Files\Common Files\Skype
2007-12-04 14:56 --------- dc----w C:\Documents and Settings\Eve\Application Data\skypePM
2007-12-04 14:56 --------- dc----w C:\Documents and Settings\All Users\Application Data\Skype
2007-12-04 14:55 94,544 -c--a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 -c--a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 -c--a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 -c--a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 -c--a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 -c--a-w C:\WINDOWS\system32\AVASTSS.scr
2007-11-25 15:59 688 -c--a-w C:\WINDOWS\Fonts\CompleteinHim-TOU.txt
2007-11-20 23:47 --------- dc----w C:\Program Files\Soulseek
2007-11-07 09:26 721,920 -c--a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:35 1,287,680 -c--a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 227,328 -c--a-w C:\WINDOWS\system32\wmasf.dll
2007-10-17 11:24 2,526,800 -c--a-w C:\WINDOWS\Install_B4Playing.exe
2006-12-21 03:27 92,064 -c--a-w C:\Documents and Settings\Eve\mqdmmdm.sys
2006-12-21 03:27 9,232 -c--a-w C:\Documents and Settings\Eve\mqdmmdfl.sys
2006-12-21 03:27 79,328 -c--a-w C:\Documents and Settings\Eve\mqdmserd.sys
2006-12-21 03:27 66,656 -c--a-w C:\Documents and Settings\Eve\mqdmbus.sys
2006-12-21 03:27 6,208 -c--a-w C:\Documents and Settings\Eve\mqdmcmnt.sys
2006-12-21 03:27 5,936 -c--a-w C:\Documents and Settings\Eve\mqdmwhnt.sys
2006-12-21 03:27 4,048 -c--a-w C:\Documents and Settings\Eve\mqdmcr.sys
2006-12-21 03:27 25,600 -c--a-w C:\Documents and Settings\Eve\usbsermptxp.sys
2006-12-21 03:27 22,768 -c--a-w C:\Documents and Settings\Eve\usbsermpt.sys
2006-03-24 15:18 56 -csh--r C:\WINDOWS\system32\EBEAD39BB3.sys
2006-03-24 15:18 2,516 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
Files Infected - Win32.Agent.zb
.

((((((((((((((((((((((((((((( snapshot@2008-01-14_14.05.52.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-14 19:41:53 16,384 -c--atw C:\WINDOWS\Temp\Perflib_Perfdata_618.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe" [2007-12-04 08:00 79224]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-10 05:00 158208]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

C:\Documents and Settings\Eve\Start Menu\Programs\Startup\
MailWasherPro.lnk - C:\Program Files\MailWasher Pro\MailWasher.exe [2007-12-20 09:16:07]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
backup=C:\WINDOWS\pss\NkbMonitor.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SAC-Desktop-Alert.lnk]
backup=C:\WINDOWS\pss\SAC-Desktop-Alert.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Eve^Start Menu^Programs^Startup^Norton Disk Doctor.LNK]
path=C:\Documents and Settings\Eve\Start Menu\Programs\Startup\Norton Disk Doctor.LNK
backup=C:\WINDOWS\pss\Norton Disk Doctor.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a--c--- 2007-04-27 16:17 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\comup]
--a--c--- 2007-12-13 12:25 139264 C:\WINDOWS\system32\mobjchku.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
--a--c--- 2004-07-30 11:04 245760 C:\Program Files\Creative\Shared Files\CAMTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2005-02-23 16:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a--c--- 2004-08-10 04:04 59392 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX8400 Series]
--a--c--- 2007-02-15 06:00 179200 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a--c--- 2005-07-19 23:06 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a--c--- 2005-07-19 23:10 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a--c--- 2005-07-19 23:09 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a--c--- 2003-09-03 20:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2004-07-27 16:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2004-07-27 16:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a--c--- 2007-01-19 11:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickCamPro.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2007-12-11 10:56 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a--c--- 2005-03-23 00:20 339968 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a--c--- 2007-08-31 16:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-09-25 00:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a--c--- 2007-07-18 20:04 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
--a------ 2005-06-07 13:58 1339392 C:\Program Files\WeatherBug\Weather.exe

R1 redbookk;redbookk;C:\WINDOWS\system32\drivers\redbookk.sys [2008-01-11 16:48]
R2 NMSAccessU;NMSAccessU;C:\Program Files\iDumpPro\NMSAccessU.exe [2007-10-12 04:34]
S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2004-07-29 20:55]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 20:46:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-14 14:42:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-14 14:46:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-14 19:46:12
ComboFix2.txt 2008-01-14 19:06:14
.
2008-01-09 20:46:04 --- E O F ---
 

Hey it's me

New Member
Ok Evil, I fixed the inquiry you made and the one you requested I fix, and here's the latest HJT log.
Mind you, I did some tweaking the other day when this virus hit. Stupid things like deleting programs I don't need and downloading things I thought I needed, but then realized they may have been the culprit (example: I heard Adobe Acrobat took up a lot of space and I tried to download Foxit. I'm suspicious that was it... not sure, there were other things).



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:53:43 PM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avast4\Alwil Software\aswUpdSv.exe
C:\Program Files\Avast4\Alwil Software\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iDumpPro\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Avast4\Alwil Software\ashMaiSv.exe
C:\Program Files\Avast4\Alwil Software\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.npr.org/templates/rundowns/rundown.php?prgId=3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\Alwil Software\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\iDumpPro\NMSAccessU.exe

--
End of file - 5511 bytes
 

evilfantasy

New Member
Delete these files/folders, as follows:

1. Please open Notepad. It must be Notepad, not WordPad.
  • Click Start, then Run
  • Type notepad.exe in the Run box.
2. Copy the quoted text below by highlighting all the text and pressing Ctrl+C

KillAll::

Driver::
core.cache.dsk

File::
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\WS2Fix.exe
C:\WINDOWS\system32\rushlqll.exe
C:\WINDOWS\system32\bkmoopob.exe
C:\WINDOWS\system32\mobjchku.exe
C:\WINDOWS\system32\memouint.exe
C:\temp\liHco0109.exe
C:\WINDOWS\system32\ope58.exe
C:\WINDOWS\system32\ope58.tmp
C:\WINDOWS\system32\ope4F.exe
C:\WINDOWS\system32\ope4F.tmp
C:\WINDOWS\ope55.tmp

Folder::
C:\WINDOWS\system32\vt8
C:\WINDOWS\system32\ob3
C:\WINDOWS\system32\nz0
C:\WINDOWS\system32\mp2
C:\WINDOWS\system32\ez4
C:\WINDOWS\system32\che9
C:\WINDOWS\system32\edcA16
C:\temp\Ryuan1

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\comup]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

[screenshot: CFScript.gif]


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

----------

Next post:
ComboFix log
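As an added example (not part of this thread, and not ComboFix's or evilfantasy's code): the CFScript above was assembled by hand from the ComboFix "Files Created" list, picking out the executables, folders and the driver that all appeared within a few minutes of each other on 2008-01-11. The Python below does that selection mechanically: it parses ComboFix file lines, clusters them into creation bursts, and drafts the Driver::/File::/Folder:: sections in the same layout. It assumes the line layout shown in the logs above; the burst thresholds (5 minutes, 4 files) are arbitrary choices; the Driver:: lines copy the helper's convention of a bare file name (as with core.cache.dsk), which should be checked against the R1/R2 service lines in the log; and the sample input is a constructed excerpt of the log posted earlier.

```python
"""Cluster ComboFix "Files Created" entries into creation bursts and draft a CFScript.

Added example for this thread; not ComboFix's code and not the helper's script.
Assumes the ComboFix line layout seen above ("created . modified size attrs path")
and the CFScript section names the helper used (KillAll::, Driver::, File::,
Folder::). Burst thresholds are arbitrary choices.
"""
import re
from datetime import datetime, timedelta

# One "Files Created" line: created-time, a dot, modified-time, size or <DIR>,
# a 9-character attribute field, then the path. Find3M lines use a different
# layout and simply fail to match, which is what we want.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S{9})\s+(?P<path>.+?)\s*$"
)

# Only paths under these prefixes are drafted for removal; a burst under
# Program Files is far more often an installer than a dropper.
WATCH_DIRS = ("c:\\windows\\", "c:\\temp\\")

# Constructed sample: lines copied from the log posted above, plus benign
# entries (iPod, iDumpPro, AvgAsCln.sys) that the burst filter must leave alone.
SAMPLE_LOG = r"""
2008-01-14 08:32 . 2008-01-14 15:45 932 -----c--- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-13 21:38 . 2007-05-30 07:10 10,872 --a--c--- C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-11 16:49 . 2007-12-11 13:14 151,552 --a--c--- C:\WINDOWS\system32\rushlqll.exe
2008-01-11 16:49 . 2007-12-11 13:14 151,552 --a--c--- C:\WINDOWS\system32\bkmoopob.exe
2008-01-11 16:49 . 2008-01-11 16:49 54,033 --a--c--- C:\WINDOWS\system32\memouint.exe
2008-01-11 16:48 . 2008-01-11 16:48 86,016 --a--c--- C:\WINDOWS\system32\drivers\redbookk.sys
2008-01-11 16:47 . 2008-01-11 16:47 <DIR> d----c--- C:\WINDOWS\system32\vt8
2008-01-11 16:47 . 2008-01-11 16:47 692,149 --a--c--- C:\temp\liHco0109.exe
2008-01-11 16:46 . 2008-01-11 16:46 0 --a--c--- C:\WINDOWS\system32\ope58.tmp
2008-01-11 12:03 . 2008-01-11 12:03 <DIR> d----c--- C:\Program Files\iPod
2008-01-03 19:26 . 2008-01-03 19:26 <DIR> d----c--- C:\Program Files\iDumpPro
"""


def parse_entries(text):
    """Turn ComboFix file lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        is_dir = m["size"] == "<DIR>"
        entries.append({
            "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            "is_dir": is_dir,
            "size": 0 if is_dir else int(m["size"].replace(",", "")),
            "attrs": m["attrs"],
            "path": m["path"],
        })
    return entries


def find_bursts(entries, window=timedelta(minutes=5), min_count=4):
    """Group entries whose creation time is within `window` of the previous one.

    A dropper writes its payloads within minutes, so a dense run of new files is
    a stronger lead than any single odd name. Returns groups of at least
    `min_count` entries, oldest first.
    """
    bursts, current = [], []
    for e in sorted(entries, key=lambda e: e["created"]):
        if current and e["created"] - current[-1]["created"] > window:
            if len(current) >= min_count:
                bursts.append(current)
            current = []
        current.append(e)
    if len(current) >= min_count:
        bursts.append(current)
    return bursts


def draft_cfscript(burst):
    """Render one burst in the CFScript layout used in the post above.

    Driver:: lines carry the bare file name, mirroring the core.cache.dsk line in
    the helper's script (assumption: confirm against the R1/R2 service lines).
    The draft is for a human to review against a known-good baseline.
    """
    drivers, files, folders = [], [], []
    for e in burst:
        low = e["path"].lower()
        if not low.startswith(WATCH_DIRS):
            continue
        if e["is_dir"]:
            folders.append(e["path"])
        elif low.endswith(".sys") or "\\drivers\\" in low:
            drivers.append(e["path"].rsplit("\\", 1)[-1])
        else:
            files.append(e["path"])
    out = ["KillAll::", ""]
    for header, items in (("Driver::", drivers), ("File::", files), ("Folder::", folders)):
        if items:
            out += [header, *items, ""]
    return "\n".join(out).rstrip() + "\n"


if __name__ == "__main__":
    for burst in find_bursts(parse_entries(SAMPLE_LOG)):
        span = f"{burst[0]['created']:%Y-%m-%d %H:%M} .. {burst[-1]['created']:%H:%M}"
        print(f"burst of {len(burst)} new files, {span}")
        print(draft_cfscript(burst))
```

Run as a script it prints the single 16:46-16:49 burst and a draft with redbookk.sys under Driver::, vt8 under Folder:: and the five executables under File::, while the iPod, iDumpPro and AvgAsCln.sys entries stay out. Treat the draft as a lead, not a verdict: legitimate installers (iTunes and AVG in this very log) also drop files in bursts, and a file ComboFix reports as "failed to delete", like core.cache.dsk here, is typically held by a loaded driver and needs the Driver:: entry rather than another File:: line.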
 

Hey it's me

New Member
OK, here's the log as a result of your instructions. You should know that as soon as I opened Firefox to get to you, an IE window popped up. The problem is STILL alive. It's hard to believe it can survive such aggressive action. This is just so bad!

:(

ComboFix 08-01-14.4 - Eve 2008-01-14 15:40:16.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.838 [GMT -5:00]
Running from: C:\Documents and Settings\Eve\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Eve\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\temp\liHco0109.exe
C:\WINDOWS\ope55.tmp
C:\WINDOWS\system32\bkmoopob.exe
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\memouint.exe
C:\WINDOWS\system32\mobjchku.exe
C:\WINDOWS\system32\ope4F.exe
C:\WINDOWS\system32\ope4F.tmp
C:\WINDOWS\system32\ope58.exe
C:\WINDOWS\system32\ope58.tmp
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\rushlqll.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\WS2Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\liHco0109.exe
C:\temp\Ryuan1
C:\temp\Ryuan1\tepU.log
C:\temp\tn3
C:\WINDOWS\ope55.tmp
C:\WINDOWS\system32\bkmoopob.exe
C:\WINDOWS\system32\che9
C:\WINDOWS\system32\che9\farstadcom2.exe
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\edcA16
C:\WINDOWS\system32\edcA16\edcA162291.exe
C:\WINDOWS\system32\ez4
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\memouint.exe
C:\WINDOWS\system32\mobjchku.exe
C:\WINDOWS\system32\mp2
C:\WINDOWS\system32\nz0
C:\WINDOWS\system32\nz0\jetzcomz22.exe
C:\WINDOWS\system32\ob3
C:\WINDOWS\system32\ope4F.exe
C:\WINDOWS\system32\ope4F.tmp
C:\WINDOWS\system32\ope58.exe
C:\WINDOWS\system32\ope58.tmp
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\rushlqll.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\vt8
C:\WINDOWS\system32\WS2Fix.exe
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-14 to 2008-01-14 )))))))))))))))))))))))))))))))
.

2008-01-14 15:46 . 2008-01-14 15:46 <DIR> d----c--- C:\temp\tn3
2008-01-14 13:31 . 2000-08-31 08:00 51,200 --a--c--- C:\WINDOWS\NirCmd.exe
2008-01-14 12:19 . 2008-01-14 12:19 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-14 12:18 . 2008-01-14 15:13 <DIR> d----c--- C:\Program Files\SUPERAntiSpyware
2008-01-14 12:18 . 2008-01-14 12:18 <DIR> d----c--- C:\Documents and Settings\Eve\Application Data\SUPERAntiSpyware.com
2008-01-14 09:27 . 2008-01-14 09:27 <DIR> d----c--- C:\Program Files\Lavasoft
2008-01-14 09:27 . 2008-01-14 09:27 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-14 09:24 . 2008-01-14 12:16 <DIR> d----c--- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 08:32 . 2008-01-14 15:45 932 -----c--- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-13 22:05 . 2008-01-13 22:05 <DIR> d----c--- C:\Program Files\Trend Micro
2008-01-13 21:38 . 2008-01-13 21:38 <DIR> d----c--- C:\Documents and Settings\Eve\Application Data\Grisoft
2008-01-13 21:38 . 2008-01-13 21:38 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-13 21:38 . 2007-05-30 07:10 10,872 --a--c--- C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-11 17:36 . 2008-01-11 18:22 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-11 17:14 . 2008-01-11 17:14 <DIR> d----c--- C:\Program Files\Plato Video To PSP Converter
2008-01-11 16:48 . 2008-01-11 16:48 86,016 --a--c--- C:\WINDOWS\system32\drivers\redbookk.sys
2008-01-11 12:04 . 2008-01-11 15:52 54,156 --ah-c--- C:\WINDOWS\QTFont.qfn
2008-01-11 12:04 . 2008-01-11 12:04 1,409 --a--c--- C:\WINDOWS\QTFont.for
2008-01-11 12:03 . 2008-01-11 12:03 <DIR> d----c--- C:\Program Files\iPod
2008-01-11 10:11 . 2008-01-11 15:12 <DIR> d----c--- C:\Program Files\uTorrent
2008-01-11 10:10 . 2008-01-14 08:50 <DIR> d----c--- C:\Documents and Settings\Eve\Application Data\uTorrent
2008-01-10 12:40 . 2008-01-10 12:40 <DIR> d----c--- C:\Program Files\MAPILab Ltd
2008-01-10 12:40 . 2008-01-10 12:40 <DIR> d----c--- C:\Program Files\Common Files\MAPILab Ltd
2008-01-04 10:09 . 2008-01-04 10:09 <DIR> d----c--- C:\Program Files\Microsoft Silverlight
2008-01-03 19:34 . 2008-01-11 15:03 <DIR> d----c--- C:\iPodMusic
2008-01-03 19:26 . 2008-01-03 19:26 <DIR> d----c--- C:\Program Files\iDumpPro
2008-01-03 19:26 . 2008-01-03 19:26 1,521,113 --a--c--- C:\WINDOWS\iDumpPro Uninstaller.exe
2008-01-03 19:26 . 2008-01-03 19:26 3,120 --a--c--- C:\WINDOWS\system32\2bad2884-02a9-488c-9f8c-13fecc7c77f9.dll
2008-01-03 19:26 . 2008-01-03 19:26 3,120 --a--c--- C:\WINDOWS\db7a9e38-547e-4544-bf7c-a4beabe1c61a.ocx
2007-12-25 21:31 . 2007-12-25 21:31 <DIR> d----c--- C:\Documents and Settings\Eve\Application Data\EPSON
2007-12-23 14:35 . 2007-11-02 09:36 1,763,248 --a--c--- C:\WINDOWS\system32\Codejock.CommandBars.v11.2.1.ocx
2007-12-23 14:35 . 2007-11-02 09:37 518,064 --a--c--- C:\WINDOWS\system32\Codejock.SkinFramework.v11.2.1.ocx
2007-12-23 14:33 . 2007-10-02 05:47 849,920 --a--c--- C:\WINDOWS\system32\AdjMmsEng.dll
2007-12-23 14:33 . 2007-10-01 07:38 827,392 --a--c--- C:\WINDOWS\system32\asrecmms.ocx
2007-12-23 14:33 . 2007-10-01 05:43 425,984 --a--c--- C:\WINDOWS\system32\amp3dj.ocx
2007-12-20 09:16 . 2007-12-20 09:16 <DIR> d----c--- C:\Program Files\MailWasher Pro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 20:21 --------- dc----w C:\Documents and Settings\Eve\Application Data\MailWasherPro
2008-01-14 15:19 --------- dc----w C:\Documents and Settings\Eve\Application Data\Symantec
2008-01-11 18:03 --------- dc----w C:\Program Files\itunes
2008-01-11 17:01 --------- dc----w C:\Program Files\QuickTime
2008-01-11 16:35 --------- dc----w C:\Program Files\Microsoft Plus! Photo Story 2 LE
2008-01-11 16:34 --------- dc----w C:\Program Files\Jasc Software Inc
2008-01-11 16:00 --------- dc----w C:\Program Files\Dell
2008-01-11 15:35 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-01-11 15:35 --------- dc----w C:\Program Files\Common Files\Nikon
2008-01-11 15:30 --------- dc----w C:\Documents and Settings\Eve\Application Data\ArcSoft
2008-01-11 15:18 --------- dc----w C:\Program Files\Azureus
2008-01-11 15:18 --------- dc----w C:\Documents and Settings\Eve\Application Data\Azureus
2008-01-09 20:41 --------- dc----w C:\Program Files\Google
2007-12-07 17:30 --------- dc----w C:\Documents and Settings\All Users\Application Data\SiComponents
2007-12-07 17:05 --------- dc----w C:\Documents and Settings\Eve\Application Data\Jasc Software Inc
2007-12-06 19:37 --------- dc----w C:\Documents and Settings\Eve\Application Data\Final Draft
2007-12-06 14:28 --------- dc----w C:\Documents and Settings\All Users\Application Data\Final Draft
2007-12-04 19:00 --------- dc----w C:\Program Files\Eusing Free Registry Cleaner
2007-12-04 18:59 --------- dc----w C:\Program Files\Skype
2007-12-04 16:33 --------- dc----w C:\Documents and Settings\Eve\Application Data\Skype
2007-12-04 14:56 93,264 -c--a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:56 32 -c--a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-04 14:56 --------- dc----w C:\Program Files\Common Files\Skype
2007-12-04 14:56 --------- dc----w C:\Documents and Settings\Eve\Application Data\skypePM
2007-12-04 14:56 --------- dc----w C:\Documents and Settings\All Users\Application Data\Skype
2007-12-04 14:55 94,544 -c--a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 -c--a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 -c--a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 -c--a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 -c--a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 -c--a-w C:\WINDOWS\system32\AVASTSS.scr
2007-11-25 15:59 688 -c--a-w C:\WINDOWS\Fonts\CompleteinHim-TOU.txt
2007-11-20 23:47 --------- dc----w C:\Program Files\Soulseek
2007-11-07 09:26 721,920 -c--a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:35 1,287,680 -c--a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 227,328 -c--a-w C:\WINDOWS\system32\wmasf.dll
2007-10-17 11:24 2,526,800 -c--a-w C:\WINDOWS\Install_B4Playing.exe
2006-12-21 03:27 92,064 -c--a-w C:\Documents and Settings\Eve\mqdmmdm.sys
2006-12-21 03:27 9,232 -c--a-w C:\Documents and Settings\Eve\mqdmmdfl.sys
2006-12-21 03:27 79,328 -c--a-w C:\Documents and Settings\Eve\mqdmserd.sys
2006-12-21 03:27 66,656 -c--a-w C:\Documents and Settings\Eve\mqdmbus.sys
2006-12-21 03:27 6,208 -c--a-w C:\Documents and Settings\Eve\mqdmcmnt.sys
2006-12-21 03:27 5,936 -c--a-w C:\Documents and Settings\Eve\mqdmwhnt.sys
2006-12-21 03:27 4,048 -c--a-w C:\Documents and Settings\Eve\mqdmcr.sys
2006-12-21 03:27 25,600 -c--a-w C:\Documents and Settings\Eve\usbsermptxp.sys
2006-12-21 03:27 22,768 -c--a-w C:\Documents and Settings\Eve\usbsermpt.sys
2006-03-24 15:18 56 -csh--r C:\WINDOWS\system32\EBEAD39BB3.sys
2006-03-24 15:18 2,516 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe" [2007-12-04 08:00 79224]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-10 05:00 158208]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

C:\Documents and Settings\Eve\Start Menu\Programs\Startup\
MailWasherPro.lnk - C:\Program Files\MailWasher Pro\MailWasher.exe [2007-12-20 09:16:07]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
backup=C:\WINDOWS\pss\NkbMonitor.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SAC-Desktop-Alert.lnk]
backup=C:\WINDOWS\pss\SAC-Desktop-Alert.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Eve^Start Menu^Programs^Startup^Norton Disk Doctor.LNK]
backup=C:\WINDOWS\pss\Norton Disk Doctor.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a--c--- 2007-06-11 04:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a--c--- 2007-04-27 16:17 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\comup]
C:\WINDOWS\system32\mobjchku.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
--a--c--- 2004-07-30 11:04 245760 C:\Program Files\Creative\Shared Files\CAMTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2005-02-23 16:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a--c--- 2004-08-10 04:04 59392 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX8400 Series]
--a--c--- 2007-02-15 06:00 179200 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a--c--- 2005-07-19 23:06 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a--c--- 2005-07-19 23:10 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a--c--- 2005-07-19 23:09 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a--c--- 2003-09-03 20:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2004-07-27 16:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2004-07-27 16:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a--c--- 2007-01-19 11:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickCamPro.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2007-12-11 10:56 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a--c--- 2005-03-23 00:20 339968 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a--c--- 2007-08-31 16:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-09-25 00:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a--c--- 2007-07-18 20:04 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

R1 redbookk;redbookk;C:\WINDOWS\system32\drivers\redbookk.sys [2008-01-11 16:48]
R2 NMSAccessU;NMSAccessU;C:\Program Files\iDumpPro\NMSAccessU.exe [2007-10-12 04:34]
S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2004-07-29 20:55]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 20:46:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-14 15:46:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-14 15:50:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-14 20:50:00
ComboFix2.txt 2008-01-14 19:46:15
ComboFix3.txt 2008-01-14 19:06:14
.
2008-01-09 20:46:04 --- E O F ---
 

evilfantasy

New Member
That driver is proving to be hard to crack.

Download SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
  • Press any key and it will restart the PC.
  • When the PC restarts, the fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to the Clipboard).
  • Finally, add the contents of Report.txt to your next post.
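A defensive way to review the driver services that the ComboFix log above summarises as R1/R2/S3 lines (for example the redbookk.sys entry written on 2008-01-11), as an added PowerShell example that is not part of this thread and not code from SDFix or ComboFix: it lists every kernel or file-system driver service, resolves its ImagePath to a file, and reports whether the file exists, when it was last written and which attributes it carries, so a driver that is far newer than its neighbours or whose file is missing stands out. The 30-day window for "recent" and the elevated-prompt requirement are assumptions.

```powershell
# Added example, not from this thread or from ComboFix/SDFix: enumerate the
# kernel and file-system driver services that ComboFix summarises as R1/R2/S3
# lines, resolve each ImagePath to a file, and report whether the file exists,
# when it was last written and which attributes it carries. Run from an
# elevated PowerShell prompt; the 30-day window for "recent" is an assumption.

function Resolve-DriverImagePath {
    param([string]$ImagePath)
    # ImagePath values come in several forms: "\??\C:\x.sys", "\SystemRoot\system32\...",
    # "system32\DRIVERS\x.sys" (relative to the Windows directory) or a plain path.
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverServiceReport {
    param([int]$RecentDays = 30)
    $cutoff = (Get-Date).AddDays(-$RecentDays)
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        # Type 1 = kernel driver, 2 = file-system driver; user-mode services (Type 16/32) are skipped
        if ($svc.Type -ne 1 -and $svc.Type -ne 2) { return }
        if (-not $svc.ImagePath) { return }
        $path = Resolve-DriverImagePath $svc.ImagePath
        # -Force so hidden/system files (like the ..SHR entries SDFix lists) are still returned
        $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        $written = $null; $attrs = $null; $recent = $false
        if ($file) {
            $written = $file.LastWriteTime
            $attrs   = $file.Attributes
            $recent  = $written -gt $cutoff
        }
        New-Object PSObject -Property @{
            Service   = $_.PSChildName
            Start     = $svc.Start      # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
            ImagePath = $path
            Exists    = [bool]$file
            Written   = $written
            Attrs     = $attrs
            Recent    = $recent
        }
    }
}

# Most recently written driver images first: a driver written days ago while the
# rest are years old, or one whose file is missing, deserves a closer look.
Get-DriverServiceReport | Sort-Object Written -Descending |
    Format-Table Service, Start, Recent, Exists, Written, Attrs, ImagePath -AutoSize
```

The report is read-only: it changes nothing in the registry or on disk, so it can be run before and after a cleanup tool to compare which driver entries appeared or disappeared.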
 

Hey it's me

New Member
Ok Evil, I'm about to do that. In the meantime I ran Smitfraud again. This really IS a hard one to crack, huh? I know it's ALL CONSUMING! It's maddening! If there was a way to get the people that send these viruses out to the world, I swear, they deserve it bad!


SmitFraudFix v2.274

Scan done at 16:03:25.35, Mon 01/14/2008
Run from C:\Documents and Settings\Eve\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{92C041E2-1F38-4238-A3E1-E960C8134B5E}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{92C041E2-1F38-4238-A3E1-E960C8134B5E}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{92C041E2-1F38-4238-A3E1-E960C8134B5E}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



brb with the other results from the new instructions you've so kindly given!
 

Hey it's me

New Member
Hi Evil, sorry about the silliness before; here's the SDFix log. Also, again, you should know that as soon as I reopened FF, IE popped up. ARRRGHHH!!!
I refuse to lose hair over this! This is so heinous, I just don't understand how this can be. Once again, thank you thank you thank you for going into WAR with me.


SDFix: Version 1.126

Run by Eve on Mon 01/14/2008 at 04:30 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\Eve\Desktop\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Folder C:\Temp\tn3 - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-14 16:37:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{92C041E2-1F38-4238-A3E1-E960C8134B5E}]
"DhcpRetryStatus"=dword:00000002

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

Fri 24 Mar 2006 56 ..SHR --- "C:\WINDOWS\system32\EBEAD39BB3.sys"
Fri 24 Mar 2006 2,516 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sun 6 Nov 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 6 Nov 2005 4,348 A..H. --- "C:\Documents and Settings\Eve\My Documents\License Backup\drmv1key.bak"
Sat 28 Jan 2006 20 A..H. --- "C:\Documents and Settings\Eve\My Documents\License Backup\drmv1lic.bak"
Fri 27 Jan 2006 400 A.SH. --- "C:\Documents and Settings\Eve\My Documents\License Backup\drmv2key.bak"
Sun 16 Oct 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Sun 16 Oct 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Sun 16 Oct 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Tue 1 Nov 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"

Finished!
 

Hey it's me

New Member
Also, sadly, the core.cache.dsk file is STILL there, and strangely enough at some point today it went from 164 MB to 134 MB and now it's back up to 164 MB.

:(
 