miserymachine Posted September 20, 2008 ID:28502 Share Posted September 20, 2008 (edited) I have the exact same problem this other guy has." I ran the tests you guys recommended in the pre-hijackthis thread and now I am not finding any malware with malwarebytes or spybot. What I cant get rid of now is a fake windows security alert popup wanting me to click enable protection which takes you to hxxp://www.antispyware-review.biz/?wmid=46...fLn0pimL&a= Its an anitspyware program.Update spybot found a Smitfraud-C. located in C:\Documents and Setting\Bradbury\Local Settings\Temp\x.icoMalwarebytes still comes up clean. "I have a hijack this log. i'd appreciate it if anyone can help.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 11:25:53, on 9/20/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\igfxtray.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxsrvc.exeC:\WINDOWS\system32\igfxpers.exeC:\WINDOWS\RTHDCPL.EXEC:\WINDOWS\system32\eTCrtMng.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\PROGRA~1\AVG\AVG8\avgtray.exeC:\Program Files\Java\jre1.6.0_07\bin\jusched.exeC:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exeC:\WINDOWS\system32\qzuxgfgn.exeC:\Program Files\Jeppesen Marine\WorkboatNavigator\WNMonitor.exeC:\Program Files\Jeppesen Marine\WorkboatNavigator\WorkboatNavigator.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\WINDOWS\system32\cwClient.exeC:\Program Files\C-Map Professional SDK Runtime\System\cmapsvc.exeC:\WINDOWS\system32\eTSrv.exeC:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exeC:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\PROGRA~1\AVG\AVG8\avgrsx.exeC:\WINDOWS\system32\HPZipm12.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Codework\BrowseControl\BCServer\BCServer.exeC:\PROGRA~1\AVG\AVG8\avgemc.exeC:\Program Files\AVG\AVG8\avgui.exeC:\Program Files\Internet Explorer\iexplore.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gotoassist.com/sb/mtcO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXEO4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exeO4 - HKLM\..\Run: [eTCertManger] C:\WINDOWS\system32\eTCrtMng.exeO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [PASMonitor] "C:\Program Files\Common Files\PersonalAntiSpy\pbm.exe" dm=http://personalantispy.com;http://load.personalantispy.com ad=http://personalantispy.com;http://load.personalantispy.com sd=http://log.personalantispy.comO4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hiddenO4 - HKCU\..\Run: [shWin] C:\WINDOWS\system32\qzuxgfgn.exeO4 - HKLM\..\Policies\Explorer\Run: [pwE4FvNkMf] C:\Documents and Settings\All Users\Application Data\ivqbslsl\upwpmlaz.exeO4 - Startup: Workboat Navigator.lnk = C:\Program Files\Jeppesen Marine\WorkboatNavigator\WNMonitor.exeO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: wsck32.dllO10 - Unknown file in Winsock LSP: wsck32.dllO10 - Unknown file in Winsock LSP: wsck32.dllO10 - Unknown file in Winsock LSP: wsck32.dllO18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dllO20 - AppInit_DLLs: avgrsstx.dllO23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exeO23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exeO23 - Service: BrowseControl Client (BC-Agent) - Codework Limited - C:\WINDOWS\system32\cwClient.exeO23 - Service: BrowseControl Server (BCServer) - Codework Limited - C:\Program Files\Codework\BrowseControl\BCServer\BCServer.exeO23 - Service: C-Map Service - C-Map Russia - C:\Program Files\C-Map Professional SDK Runtime\System\cmapsvc.exeO23 - Service: eToken Notification Service (ETOKSRV) - Aladdin Knowledge Systems, Ltd. - C:\WINDOWS\system32\eTSrv.exeO23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exeO23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exeO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exeO23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe--End of file - 6382 bytes Edited September 20, 2008 by JeanInMontana break malicious link!!!! Link to post Share on other sites More sharing options...
JeanInMontana Posted September 20, 2008 ID:28519 Share Posted September 20, 2008 Hi miserymachine and welcome to Malwarbytes. Please follow the instructions here http://www.malwarebytes.org/forums/index.php?showtopic=2936 Link to post Share on other sites More sharing options...
nosirrah Posted September 21, 2008 ID:28551 Share Posted September 21, 2008 O4 - HKCU\..\Run: [shWin] C:\WINDOWS\system32\qzuxgfgn.exeThis is the problem here and i can tell just looking that this is a new version of this malware (5 letters for the run name is shorter than before) .Head hear :http://www.malwarebytes.org/forums/index.php?showforum=55Copy the file in question , zip it and attach it to a new thread . I will take a look at the file from there and get it into the next set of updates . Link to post Share on other sites More sharing options...
miserymachine Posted September 21, 2008 Author ID:28627 Share Posted September 21, 2008 Alright I zipped up the file you requested and posted it in the forum. Here is my mbab, panda, and hijackthis logs.Malwarebytes' Anti-Malware 1.28Database version: 1186Windows 5.1.2600 Service Pack 29/21/2008 11:53:54 AMmbam-log-2008-09-21 (11-53-54).txtScan type: Quick ScanObjects scanned: 43580Time elapsed: 1 minute(s), 44 second(s)Memory Processes Infected: 1Memory Modules Infected: 0Registry Keys Infected: 5Registry Values Infected: 5Registry Data Items Infected: 0Folders Infected: 16Files Infected: 47Memory Processes Infected:C:\WINDOWS\system32\qzuxgfgn.exe (Trojan.FakeAlert) -> Unloaded process successfully.Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PASMonitor (Rogue.PersonalAntiSpy) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2 (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\shwin (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.Registry Data Items Infected:(No malicious items detected)Folders Infected:C:\WINDOWS\system32\smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\SalesMon (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\SalesMon\Data (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\Jeppesen\Application Data\rhcjl6j0el5k (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\Jeppesen\Application Data\rhcjl6j0el5k\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\Jeppesen\Application Data\rhcjl6j0el5k\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\Jeppesen\Application Data\rhcjl6j0el5k\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\Jeppesen\Application Data\rhcjl6j0el5k\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\Jeppesen\Application Data\rhcjl6j0el5k\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\Jeppesen\Application Data\rhcjl6j0el5k\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\Jeppesen\Application Data\rhcjl6j0el5k\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\Jeppesen\Application Data\rhcjl6j0el5k\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\Jeppesen\Application Data\rhcjl6j0el5k\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\Jeppesen\Application Data\rhcjl6j0el5k\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\PersonalAntiSpy (Rogue.PersonalAntiSpy) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\PersonalAntiSpy\Data (Rogue.PersonalAntiSpy) -> Quarantined and deleted successfully.Files Infected:C:\WINDOWS\system32\smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\PersonalAntiSpy\Data\Abbr (Rogue.PersonalAntiSpy) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\PersonalAntiSpy\Data\ProductCode (Rogue.PersonalAntiSpy) -> Quarantined and deleted successfully.C:\WINDOWS\system32\akttzn.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\anticipator.dll (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\awtoolb.dll (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\bsva-egihsg52.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\dpcproxy.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\emesx.dll (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\hoproxy.dll (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\hxiwlgpm.dat (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\hxiwlgpm.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\medup012.dll (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\msgp.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\msnbho.dll (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\msvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\mtr2.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\mwin32.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\netode.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\newsd32.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\ps1.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\psof1.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\psoft1.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\regc64.dll (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\regm64.dll (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\Rundl1.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\sncntr.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\ssurf022.dll (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\ssvchost.com (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\ssvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\sysreq.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\taack.dat (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\taack.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\temp#01.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\thun.dll (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\thun32.dll (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\VBIEWER.OCX (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\vcatchpi.dll (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\winlogonpc.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\winsystem.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\WINWGPX.EXE (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\vbsys2.dll (Trojan.Clicker) -> Quarantined and deleted successfully.C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\system32\qzuxgfgn.exe (Trojan.FakeAlert) -> Delete on reboot.C:\END (Trojan.FakeAlert) -> Quarantined and deleted successfully.;***********************************************************************************************************************************************************************************ANALYSIS: 2008-09-21 12:36:55PROTECTIONS: 1MALWARE: 13SUSPECTS: 2;***********************************************************************************************************************************************************************************PROTECTIONSDescription Version Active Updated;===================================================================================================================================================================================AVG Anti-Virus Free 8.0 Yes Yes;===================================================================================================================================================================================MALWAREId Description Type Active Severity Disinfectable Disinfected Location;===================================================================================================================================================================================00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Jeppesen\Cookies\jeppesen@doubleclick[1].txt00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Jeppesen\Cookies\jeppesen@atdmt[2].txt00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{9D405FF2-EE8E-4C1C-A4D5-43712625BFB2}\RP3\A0000127.exe00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{9D405FF2-EE8E-4C1C-A4D5-43712625BFB2}\RP3\A0000100.exe00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{9D405FF2-EE8E-4C1C-A4D5-43712625BFB2}\RP3\A0000152.exe00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Jeppesen\My Documents\SmitfraudFix\SmitfraudFix\Process.exe00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{9D405FF2-EE8E-4C1C-A4D5-43712625BFB2}\RP3\A0000223.exe00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Jeppesen\My Documents\SmitfraudFix\Process.exe00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{9D405FF2-EE8E-4C1C-A4D5-43712625BFB2}\RP3\A0000068.exe00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Jeppesen\Cookies\jeppesen@mediaplex[2].txt00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Jeppesen\Cookies\jeppesen@com[1].txt00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Jeppesen\Cookies\jeppesen@ad.yieldmanager[2].txt00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Jeppesen\Cookies\jeppesen@apmebf[1].txt00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Jeppesen\Cookies\jeppesen@advertising[2].txt00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Jeppesen\Cookies\jeppesen@ads.pointroll[2].txt00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Jeppesen\Cookies\jeppesen@questionmarket[1].txt00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Jeppesen\Cookies\jeppesen@adultfriendfinder[2].txt00383955 Joke/Bluescreen Jokes No 0 Yes No C:\System Volume Information\_restore{9D405FF2-EE8E-4C1C-A4D5-43712625BFB2}\RP4\A0000287.scr03477235 Application/SmithFraudFix.A HackTools No 0 Yes No C:\System Volume Information\_restore{9D405FF2-EE8E-4C1C-A4D5-43712625BFB2}\RP3\A0000114.exe03477235 Application/SmithFraudFix.A HackTools No 0 Yes No C:\Documents and Settings\Jeppesen\My Documents\SmitfraudFix.exe;===================================================================================================================================================================================SUSPECTSSent Location ;===================================================================================================================================================================================No C:\Documents and Settings\Jeppesen\My Documents\SmitfraudFix\AntiXPVSTFix.exe No C:\Documents and Settings\Jeppesen\My Documents\SmitfraudFix\SmitfraudFix\AntiXPVSTFix.exe ;===================================================================================================================================================================================VULNERABILITIESId Severity Description ;=================================================================================================================================================================================== 182048 HIGH MS07-069 137571 HIGH MS06-070 126092 MEDIUM MS06-050 126082 HIGH MS06-041 126081 HIGH MS06-040 114666 HIGH MS06-015 93454 MEDIUM MS05-049 ;===================================================================================================================================================================================Logfile of Trend Micro HijackThis v2.0.2Scan saved at 12:39:34, on 9/21/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\igfxtray.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxsrvc.exeC:\WINDOWS\system32\igfxpers.exeC:\WINDOWS\RTHDCPL.EXEC:\WINDOWS\system32\eTCrtMng.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\PROGRA~1\AVG\AVG8\avgtray.exeC:\Program Files\Java\jre1.6.0_07\bin\jusched.exeC:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exeC:\Program Files\Jeppesen Marine\WorkboatNavigator\WNMonitor.exeC:\Program Files\Jeppesen Marine\WorkboatNavigator\WorkboatNavigator.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\WINDOWS\system32\cwClient.exeC:\Program Files\C-Map Professional SDK Runtime\System\cmapsvc.exeC:\WINDOWS\system32\eTSrv.exeC:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exeC:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\WINDOWS\system32\HPZipm12.exeC:\PROGRA~1\AVG\AVG8\avgrsx.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Codework\BrowseControl\BCServer\BCServer.exeC:\PROGRA~1\AVG\AVG8\avgemc.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gotoassist.com/sb/mtcO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXEO4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exeO4 - HKLM\..\Run: [eTCertManger] C:\WINDOWS\system32\eTCrtMng.exeO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hiddenO4 - HKLM\..\Policies\Explorer\Run: [pwE4FvNkMf] C:\Documents and Settings\All Users\Application Data\ivqbslsl\upwpmlaz.exeO4 - Startup: Workboat Navigator.lnk = C:\Program Files\Jeppesen Marine\WorkboatNavigator\WNMonitor.exeO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: wsck32.dllO10 - Unknown file in Winsock LSP: wsck32.dllO10 - Unknown file in Winsock LSP: wsck32.dllO10 - Unknown file in Winsock LSP: wsck32.dllO16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cabO18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dllO20 - AppInit_DLLs: avgrsstx.dllO23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exeO23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exeO23 - Service: BrowseControl Client (BC-Agent) - Codework Limited - C:\WINDOWS\system32\cwClient.exeO23 - Service: BrowseControl Server (BCServer) - Codework Limited - C:\Program Files\Codework\BrowseControl\BCServer\BCServer.exeO23 - Service: C-Map Service - C-Map Russia - C:\Program Files\C-Map Professional SDK Runtime\System\cmapsvc.exeO23 - Service: eToken Notification Service (ETOKSRV) - Aladdin Knowledge Systems, Ltd. - C:\WINDOWS\system32\eTSrv.exeO23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exeO23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exeO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exeO23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe--End of file - 6166 bytes Link to post Share on other sites More sharing options...
JeanInMontana Posted September 22, 2008 ID:28728 Share Posted September 22, 2008 Hi there, looking good. Delete the SmitFraud Fix from your desktop. Update MBAM run a quick scan and post that log with a new HJT log. Give me some feed back as to how your running. Link to post Share on other sites More sharing options...
miserymachine Posted September 22, 2008 Author ID:28744 Share Posted September 22, 2008 Yeah I haven't had any popups after i ran the MBAM program and the panda. My only concern is that after i ran MBAM the first time, i had to reboot for it to delete the file that i zipped up and uploaded. Well when i started back up i ran spybot and it found smitfraud and "fixed" it again, but this time it never came back up. Also at about the same my avg found a trojan in my system restore files. I haven't had any problems after that though, it's been over 24hours. And none of the spyware programs have picked anything up since i the trojan after i rebooted when i ran mbam the first time. Thanks for all the help.here's the logsMalwarebytes' Anti-Malware 1.28Database version: 1186Windows 5.1.2600 Service Pack 29/22/2008 6:06:11 PMmbam-log-2008-09-22 (18-06-11).txtScan type: Quick ScanObjects scanned: 43515Time elapsed: 1 minute(s), 42 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Logfile of Trend Micro HijackThis v2.0.2Scan saved at 18:08:16, on 9/22/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\igfxtray.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxsrvc.exeC:\WINDOWS\system32\igfxpers.exeC:\WINDOWS\RTHDCPL.EXEC:\WINDOWS\system32\eTCrtMng.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\PROGRA~1\AVG\AVG8\avgtray.exeC:\Program Files\Java\jre1.6.0_07\bin\jusched.exeC:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exeC:\Program Files\Jeppesen Marine\WorkboatNavigator\WNMonitor.exeC:\Program Files\Jeppesen Marine\WorkboatNavigator\WorkboatNavigator.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\WINDOWS\system32\cwClient.exeC:\Program Files\C-Map Professional SDK Runtime\System\cmapsvc.exeC:\WINDOWS\system32\eTSrv.exeC:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exeC:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\WINDOWS\system32\HPZipm12.exeC:\PROGRA~1\AVG\AVG8\avgrsx.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Codework\BrowseControl\BCServer\BCServer.exeC:\PROGRA~1\AVG\AVG8\avgemc.exeC:\Program Files\Internet Explorer\iexplore.exeC:\WINDOWS\system32\msiexec.exeC:\WINDOWS\system32\NOTEPAD.EXEC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gotoassist.com/sb/mtcO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXEO4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exeO4 - HKLM\..\Run: [eTCertManger] C:\WINDOWS\system32\eTCrtMng.exeO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hiddenO4 - HKLM\..\Policies\Explorer\Run: [pwE4FvNkMf] C:\Documents and Settings\All Users\Application Data\ivqbslsl\upwpmlaz.exeO4 - Startup: Workboat Navigator.lnk = C:\Program Files\Jeppesen Marine\WorkboatNavigator\WNMonitor.exeO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: wsck32.dllO10 - Unknown file in Winsock LSP: wsck32.dllO10 - Unknown file in Winsock LSP: wsck32.dllO10 - Unknown file in Winsock LSP: wsck32.dllO16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cabO18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dllO20 - AppInit_DLLs: avgrsstx.dllO23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exeO23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exeO23 - Service: BrowseControl Client (BC-Agent) - Codework Limited - C:\WINDOWS\system32\cwClient.exeO23 - Service: BrowseControl Server (BCServer) - Codework Limited - C:\Program Files\Codework\BrowseControl\BCServer\BCServer.exeO23 - Service: C-Map Service - C-Map Russia - C:\Program Files\C-Map Professional SDK Runtime\System\cmapsvc.exeO23 - Service: eToken Notification Service (ETOKSRV) - Aladdin Knowledge Systems, Ltd. - C:\WINDOWS\system32\eTSrv.exeO23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exeO23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exeO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exeO23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe--End of file - 6183 bytes Link to post Share on other sites More sharing options...
JeanInMontana Posted September 24, 2008 ID:28875 Share Posted September 24, 2008 The reboot to delete is common for lots of software. I don't know what SBS&D might have found, but I would appreciate you don't run scans unless requested. Cleaning System Restore is the last step in this process.Your log looks clean. We need to now reset a clean System Restore point. If you don't and you need to use System Restore you will reinfect yourself. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK. Now go to Start>Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on what ever will open the System Restore box. You will see two options, Choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it. Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep MBAM and Spybot Search & Destroy and always immunize SBS&D when you update. You will also need at least one other scanning program Asquared or SuperAntiSpyware are good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use.A firewall and antivirus are also essential. The Windows firewall in XP and Vista is not sufficient.Preform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.Keep other software known for vulnerabilities updated also. Use the Secunia Inspector free scan to identify risks in outdated versions.SpywareBlaster from Javacool SoftwareWinPatrol by BillPStudios SiteHound by FireTrustRogueRemoverhpHostsThe windows firewall is not sufficient to protect. It doesn't monitor outgoing traffic and this is a must. I use and recommend Online Armor Free Also the full protection of MBAM is offered at a very low price. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 1, 2008 Root Admin ID:29366 Share Posted October 1, 2008 Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting Pre- HJT Post InstructionsAlso don't forget that we offer FREE assistance with General PC questions and repair here PC Help If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org. Link to post Share on other sites More sharing options...
Recommended Posts