
need help removing smitfraud and others

Re: need help removing smitfraud and others

Post by Bio-Hazard » April 28th, 2008, 6:35 am

USE HOSTS EXPERT TO UPDATE MVPS HOSTS FILE


  • Run HostsXpert.
  • If the Hosts file is Read Only, click on Make Writeable; otherwise move on to the next stage.
  • Click the Download button.
  • Click MVPs Hosts.
  • Click Merge File.
  • Press OK to download the latest MVPs update and merge it with your Hosts file.
  • When finished, click File Handling.
  • Click Make Read Only to secure your Hosts file.
  • Exit HostsXpert.

Remove bad HijackThis entries



Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

IMPORTANT: combofix.exe MUST be on your Desktop for us to proceed.

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says: The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware. When the tool is finished, it will produce a report for you.


Next Reply

Please reply with:
  • ComboFix log (found at C:\Combofix.txt)
  • New HijackThis log
  • Did you manage to follow all the instructions on my last post?
  • How is your computer running now?
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: need help removing smitfraud and others

Post by jsmith052277 » April 29th, 2008, 10:22 pm

It's getting better!! Thanks for your help... I'm kinda slow at this, SRY!!!



ComboFix 08-04-27.3 - Compaq_Owner 2008-04-28 19:26:06.1 - NTFSx86
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\crosof~1
C:\Program Files\ystem~1
C:\Program Files\ystem~1\?ystem\
C:\WINDOWS\BM93a71598.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\crosof~1
C:\WINDOWS\IA
C:\WINDOWS\IA\KE.vbs
C:\WINDOWS\mcroso~1
C:\WINDOWS\pskt.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.

2008-04-22 07:40 . 2008-04-22 07:40 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-22 07:40 . 2008-04-22 07:40 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-22 07:40 . 2008-04-22 07:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-21 20:55 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-21 20:53 . 2008-04-21 20:53 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-21 19:44 . 2008-04-21 19:45 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\.SunDownloadManager
2008-04-20 23:06 . 2008-04-20 23:06 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-20 23:06 . 2008-04-20 23:06 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Malwarebytes
2008-04-20 23:06 . 2008-04-20 23:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-19 13:53 . 2008-04-19 13:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-31 19:30 . 2006-10-10 12:29 95,232 -ra------ C:\WINDOWS\system32\HPcam_03.dll
2008-03-31 19:30 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-31 19:30 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 00:55 --------- d-----w C:\Program Files\Java
2008-04-21 11:14 --------- d-----w C:\Program Files\Imikimi
2008-04-17 07:39 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-28 12:25 --------- d-----w C:\Program Files\Easy Internet signup
2008-03-27 21:59 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Symantec
2008-03-27 21:49 --------- d-----w C:\Program Files\iTunes
2008-03-27 03:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-27 03:33 --------- d-----w C:\Program Files\Napster
2008-03-27 03:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-03-19 23:48 --------- d-----w C:\Program Files\MySpace
2008-03-16 15:17 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-06 03:56 --------- d-----w C:\Program Files\Common Files\HP
2008-02-28 04:17 --------- d-----w C:\Program Files\The Weather Channel FW
2008-02-28 04:01 --------- d-----w C:\Program Files\Bonjour
2008-02-28 04:00 --------- d-----w C:\Program Files\QuickTime
2008-02-28 03:57 --------- d-----w C:\Program Files\Apple Software Update
2008-02-28 02:42 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Sonic
2008-02-28 02:42 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Leadertech
2007-05-27 05:27 388 ----a-w C:\Documents and Settings\Tracy\Application Data\wklnhst.dat
.
<pre>
----a-w            27,136 2007-12-23 04:41:27  C:\hp\bin\cloaker .exe
----a-w           622,080 2008-01-14 02:19:48  C:\hp\drivers\hplsbwatcher\lsburnwatcher .exe
----a-w           525,312 2008-02-23 22:02:36  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w            58,488 2008-01-14 02:19:38  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w            68,856 2007-12-29 05:09:05  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w           171,448 2008-01-05 02:06:14  C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier .exe
----a-w           245,760 2008-01-03 03:06:18  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp                .exe
----a-w           245,760 2008-01-05 02:05:34  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp               .exe
----a-w           590,848 2008-01-05 02:04:42  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp              .exe
----a-w           590,848 2008-01-01 18:49:01  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp             .exe
----a-w           590,848 2007-12-29 05:06:09  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp            .exe
----a-w           590,848 2007-12-28 06:40:06  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp           .exe
----a-w           590,848 2007-12-28 06:02:07  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp          .exe
----a-w           590,848 2007-12-28 05:16:39  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp         .exe
----a-w           590,848 2007-12-27 22:40:51  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp        .exe
----a-w           590,848 2007-12-27 07:51:02  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp       .exe
----a-w           590,848 2007-12-27 03:10:47  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp      .exe
----a-w           590,848 2007-12-26 13:26:39  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp     .exe
----a-w           590,848 2007-12-26 01:08:49  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp    .exe
----a-w           590,848 2007-12-25 21:12:47  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp   .exe
----a-w           590,848 2007-12-25 14:30:43  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp  .exe
----a-w           590,848 2007-12-25 05:30:35  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
----a-w            49,152 2008-01-05 02:05:52  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w         1,694,208 2008-02-11 15:43:33  C:\Program Files\Messenger\msmsgs .exe
----a-w           286,720 2007-12-27 22:41:40  C:\Program Files\QuickTime\QTTask      .exe
----a-w           657,920 2007-12-27 22:41:17  C:\Program Files\QuickTime\QTTask     .exe
----a-w           657,920 2007-12-27 07:51:26  C:\Program Files\QuickTime\QTTask    .exe
----a-w           657,920 2007-12-27 03:11:06  C:\Program Files\QuickTime\QTTask   .exe
----a-w           657,920 2007-12-26 13:26:46  C:\Program Files\QuickTime\QTTask  .exe
----a-w           286,720 2008-01-05 02:15:46  C:\Program Files\QuickTime\QTTask .exe
----a-w                 0 2008-04-17 01:45:50  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w           100,056 2008-01-05 02:05:53  C:\Program Files\SymNetDrv\SNDMon .exe
----a-w           267,216 2007-12-27 22:41:43  C:\Program Files\WildTangent\Apps\GameChannel .exe
----a-w         4,670,704 2008-01-05 02:06:37  C:\Program Files\Yahoo!\Messenger\YahooMessenger    .exe
----a-w         4,670,704 2008-02-23 22:02:50  C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w            72,704 2007-12-23 04:41:57  C:\RECYCLER\S-1-5-21-2182819218-1896733027-2530646533-1009\Dc1\iexplore .exe
</pre>



-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 19:24 1694208]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-04-12 12:31 49152 C:\WINDOWS\system32\SiSPower.dll]
"SSC_UserPrompt"="c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-03 02:59 218240]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-08-27 19:22 58488]
"IS CfgWiz"="c:\Program Files\Norton Internet Security\cfgwiz.exe" [2004-08-17 18:36 132248]
"URLLSTCK.exe"="c:\Program Files\Norton Internet Security\UrlLstCk.exe" [2004-08-30 22:29 33936]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 01:34 245760]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 16:54 253952]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-06-21 12:02 180269]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 05:44:06 29696]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2007-12-23 03:46:32 156784]
Compaq Connections.lnk - C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe [2005-06-21 12:16:24 45056]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 22:26:24 210520]
SpySubtract.lnk - C:\Program Files\InterMute\SpySubtract\sslaunch.exe [2005-06-21 12:14:29 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8375cf48-e4ef-11dc-ab65-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-23 23:08:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-27 04:33:00 C:\WINDOWS\Tasks\ParetoLogic Update.job"
- C:\Program Files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe
"2008-04-28 21:00:00 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-04-24 07:00:00 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2005-06-21 16:44:01 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 19:34:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-28 19:39:57
ComboFix-quarantined-files.txt 2008-04-28 23:39:53

Pre-Run: 30,244,675,584 bytes free
Post-Run: 30,886,043,648 bytes free

169 --- E O F --- 2008-04-10 07:05:00




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:21, on 2008-04-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin_0.5.1.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9160 bytes
jsmith052277
Regular Member
 
Posts: 21
Joined: April 19th, 2008, 1:57 pm

Re: need help removing smitfraud and others

Post by Bio-Hazard » April 30th, 2008, 2:02 pm

Run CFScript

Open Notepad and copy/paste the text in the box into the window:

Code:
Folder::
C:\Program Files\Imikimi
C:\Program Files\The Weather Channel FW


Save it to your desktop as CFScript.txt.

Referring to the picture above, drag CFScript.txt into ComboFix.exe. This will let ComboFix run again. Restart if you have to. Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Logs/Information to Post in Reply

Please post the following logs/information in your reply:

  • ComboFix log
  • A fresh HijackThis log (after all the above has been done)
  • How are things running now?
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: need help removing smitfraud and others

Post by jsmith052277 » April 30th, 2008, 7:06 pm

ComboFix 08-04-27.3 - Compaq_Owner 2008-04-30 18:33:12.3 - NTFSx86
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Imikimi
C:\Program Files\Imikimi\Imikimi Plugin 0.5.1\FreeImage.dll
C:\Program Files\Imikimi\Imikimi Plugin 0.5.1\imikimi_activex_plugin.ocx
C:\Program Files\Imikimi\Imikimi Plugin 0.5.1\imikimi_plugin_licence.txt
C:\Program Files\Imikimi\Imikimi Plugin 0.5.1\kimi_app.dll
C:\Program Files\Imikimi\Imikimi Plugin 0.5.1\npkimi.dll
C:\Program Files\Imikimi\Imikimi Plugin 0.5.1\npkimi_installer.exe
C:\Program Files\The Weather Channel FW
C:\Program Files\The Weather Channel FW\Desktop Weather\eula.html
C:\Program Files\The Weather Channel FW\Desktop Weather\INSTALL.LOG
C:\Program Files\The Weather Channel FW\Desktop Weather\TheWeatherChannelCustomUninstall.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\uninstall.bat
C:\Program Files\The Weather Channel FW\Desktop Weather\UNWISE.EXE
C:\Program Files\The Weather Channel FW\Desktop Weather\UNWISE.INI
C:\Program Files\The Weather Channel FW\Framework\INSTALL.LOG
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelSetup.exe
C:\Program Files\The Weather Channel FW\Framework\uninstall.bat
C:\Program Files\The Weather Channel FW\Framework\UNWISE.EXE
C:\Program Files\The Weather Channel FW\Framework\UNWISE.INI
C:\Program Files\The Weather Channel FW\Framework\wxfw.cpl
.
---- Previous Run -------
.
C:\Documents and Settings\abby and alex\Desktop\Live Safety Center.lnk
C:\Documents and Settings\abby and alex\err.log
C:\Documents and Settings\abby and alex\Favorites\Online Security Guide.lnk
C:\Documents and Settings\abby and alex\ResErrors.log
C:\Documents and Settings\Alex.MAMASBEAST\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\Alex\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Alex\err.log
C:\Documents and Settings\Alex\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Alex\ResErrors.log
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\Little Ray\err.log
C:\Documents and Settings\Little Ray\ResErrors.log
C:\Documents and Settings\Tracy\err.log
C:\Documents and Settings\Tracy\ResErrors.log

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-30 )))))))))))))))))))))))))))))))
.

2008-04-22 07:40 . 2008-04-22 07:40 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-22 07:40 . 2008-04-22 07:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-21 20:55 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-21 20:53 . 2008-04-21 20:53 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-21 19:44 . 2008-04-21 19:45 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\.SunDownloadManager
2008-04-20 23:06 . 2008-04-20 23:06 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-20 23:06 . 2008-04-20 23:06 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Malwarebytes
2008-04-20 23:06 . 2008-04-20 23:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-19 13:53 . 2008-04-19 13:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-31 19:30 . 2006-10-10 12:29 95,232 -ra------ C:\WINDOWS\system32\HPcam_03.dll
2008-03-31 19:30 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-31 19:30 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-26 23:33 . 2008-03-26 23:33 <DIR> d-------- C:\Program Files\Napster
2008-03-26 23:33 . 2008-03-26 23:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Napster
2008-03-16 11:17 . 2008-03-16 11:17 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-03-12 20:31 . 2008-03-12 20:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-12 20:31 . 2008-03-12 20:31 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-12 20:28 . 2008-03-27 17:49 <DIR> d-------- C:\Program Files\iTunes
2008-03-12 03:03 . 2008-03-12 03:03 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-11 15:46 . 2008-03-11 15:46 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\.jogl_ext
2008-03-05 23:54 . 2008-03-05 23:56 <DIR> d-------- C:\Program Files\Common Files\HP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 00:55 --------- d-----w C:\Program Files\Java
2008-04-17 07:39 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-28 12:25 --------- d-----w C:\Program Files\Easy Internet signup
2008-03-27 21:59 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Symantec
2008-03-27 03:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-19 23:48 --------- d-----w C:\Program Files\MySpace
2008-02-28 04:01 --------- d-----w C:\Program Files\Bonjour
2008-02-28 04:00 --------- d-----w C:\Program Files\QuickTime
2008-02-28 03:57 --------- d-----w C:\Program Files\Apple Software Update
2008-02-28 02:42 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Sonic
2008-02-28 02:42 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Leadertech
2007-05-27 05:27 388 ----a-w C:\Documents and Settings\Tracy\Application Data\wklnhst.dat
.
<pre>
----a-w            27,136 2007-12-23 04:41:27  C:\hp\bin\cloaker .exe
----a-w           622,080 2008-01-14 02:19:48  C:\hp\drivers\hplsbwatcher\lsburnwatcher .exe
----a-w           525,312 2008-02-23 22:02:36  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w            58,488 2008-01-14 02:19:38  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w            68,856 2007-12-29 05:09:05  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w           171,448 2008-01-05 02:06:14  C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier .exe
----a-w           245,760 2008-01-03 03:06:18  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp                .exe
----a-w           245,760 2008-01-05 02:05:34  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp               .exe
----a-w           590,848 2008-01-05 02:04:42  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp              .exe
----a-w           590,848 2008-01-01 18:49:01  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp             .exe
----a-w           590,848 2007-12-29 05:06:09  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp            .exe
----a-w           590,848 2007-12-28 06:40:06  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp           .exe
----a-w           590,848 2007-12-28 06:02:07  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp          .exe
----a-w           590,848 2007-12-28 05:16:39  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp         .exe
----a-w           590,848 2007-12-27 22:40:51  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp        .exe
----a-w           590,848 2007-12-27 07:51:02  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp       .exe
----a-w           590,848 2007-12-27 03:10:47  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp      .exe
----a-w           590,848 2007-12-26 13:26:39  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp     .exe
----a-w           590,848 2007-12-26 01:08:49  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp    .exe
----a-w           590,848 2007-12-25 21:12:47  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp   .exe
----a-w           590,848 2007-12-25 14:30:43  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp  .exe
----a-w           590,848 2007-12-25 05:30:35  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
----a-w            49,152 2008-01-05 02:05:52  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w         1,694,208 2008-02-11 15:43:33  C:\Program Files\Messenger\msmsgs .exe
----a-w           286,720 2007-12-27 22:41:40  C:\Program Files\QuickTime\QTTask      .exe
----a-w           657,920 2007-12-27 22:41:17  C:\Program Files\QuickTime\QTTask     .exe
----a-w           657,920 2007-12-27 07:51:26  C:\Program Files\QuickTime\QTTask    .exe
----a-w           657,920 2007-12-27 03:11:06  C:\Program Files\QuickTime\QTTask   .exe
----a-w           657,920 2007-12-26 13:26:46  C:\Program Files\QuickTime\QTTask  .exe
----a-w           286,720 2008-01-05 02:15:46  C:\Program Files\QuickTime\QTTask .exe
----a-w                 0 2008-04-17 01:45:50  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w           100,056 2008-01-05 02:05:53  C:\Program Files\SymNetDrv\SNDMon .exe
----a-w           267,216 2007-12-27 22:41:43  C:\Program Files\WildTangent\Apps\GameChannel .exe
----a-w         4,670,704 2008-01-05 02:06:37  C:\Program Files\Yahoo!\Messenger\YahooMessenger    .exe
----a-w         4,670,704 2008-02-23 22:02:50  C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
</pre>



-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 19:24 1694208]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-04-12 12:31 49152 C:\WINDOWS\system32\SiSPower.dll]
"SSC_UserPrompt"="c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-03 02:59 218240]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-08-27 19:22 58488]
"IS CfgWiz"="c:\Program Files\Norton Internet Security\cfgwiz.exe" [2004-08-17 18:36 132248]
"URLLSTCK.exe"="c:\Program Files\Norton Internet Security\UrlLstCk.exe" [2004-08-30 22:29 33936]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 01:34 245760]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 16:54 253952]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-06-21 12:02 180269]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 05:44:06 29696]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2007-12-23 03:46:32 156784]
Compaq Connections.lnk - C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe [2005-06-21 12:16:24 45056]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 22:26:24 210520]
SpySubtract.lnk - C:\Program Files\InterMute\SpySubtract\sslaunch.exe [2005-06-21 12:14:29 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-04-23 23:08:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-29 04:33:00 C:\WINDOWS\Tasks\ParetoLogic Update.job"
- C:\Program Files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe
"2008-04-30 02:09:31 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-04-24 07:00:00 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2005-06-21 16:44:01 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 18:38:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-30 18:43:37
ComboFix-quarantined-files.txt 2008-04-30 22:43:33
ComboFix2.txt 2008-04-28 23:39:58

Pre-Run: 31,083,794,432 bytes free
Post-Run: 31,071,399,936 bytes free

195



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:54 PM, on 4/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin_0.5.1.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9203 bytes




It is still a little slow, but it is doing much better!!
jsmith052277
Regular Member
 
Posts: 21
Joined: April 19th, 2008, 1:57 pm
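The O4 autostart lines in the HijackThis log above are the entries the helper works from when trimming startup items later in the thread; the following is an added example (not from the thread and not HijackThis' own code) that parses those lines into records, attributes each to the hive and account it runs under, and flags the ones a reviewer would verify first: bare image names resolved via PATH, images in user-writable directories, and per-user Run values that execute as SYSTEM. The last sample line is constructed to exercise the user-writable check; the other sample lines are copied from the log.

```python
"""Parse HijackThis "O4" autostart lines into records and flag the ones that
deserve a closer look. Added example for this thread; not HijackThis code."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Registry-backed entries: "O4 - HKUS\S-1-5-18\..\Run: [Name] command (User 'SYSTEM')"
_REG_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+(?:\\[^\\]+)?)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
# Startup-folder entries: "O4 - Global Startup: Name.lnk = C:\path\prog.exe"
_STARTUP_RE = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# Image a command line launches: the quoted token, else text up to the first
# executable-looking extension (copes with unquoted paths that contain spaces).
_IMAGE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.*?\.(?:exe|dll|com|scr|bat|cmd|pif))(?=[\s,]|$)',
                       re.IGNORECASE)
# Locations an ordinary XP user can write to; an autostart image there deserves a check.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\", "\\local settings\\", "\\temp\\")

@dataclass
class Autostart:
    scope: str                  # machine, user, system-account, default-user, startup-folder
    key: str
    name: str
    command: str
    image: Optional[str]
    user: Optional[str] = None
    flags: list = field(default_factory=list)

def _image_of(cmd: str) -> Optional[str]:
    m = _IMAGE_RE.match(cmd.strip())
    return (m.group("q") or m.group("u")) if m else None

def _scope(hive: str, user: Optional[str]) -> str:
    if user == "SYSTEM" or hive.startswith("HKUS\\S-1-5-18"):
        return "system-account"     # S-1-5-18 is the SYSTEM account's hive
    return {"HKLM": "machine", "HKCU": "user", "HKUS\\.DEFAULT": "default-user"}.get(hive, "other-user")

def _review_flags(rec: Autostart) -> list:
    flags = []
    if rec.image is None:
        flags.append("no-image")
    else:
        low = rec.image.lower()
        if "\\" not in low:
            flags.append("resolved-via-PATH")       # bare name: which file loads depends on PATH
        if any(d in low for d in USER_WRITABLE):
            flags.append("user-writable-location")
    if rec.scope == "system-account":
        flags.append("runs-as-SYSTEM")              # a per-user Run value that executes as SYSTEM
    return flags

def parse_o4(line: str) -> Optional[Autostart]:
    """Return an Autostart for an O4 line, or None for any other HijackThis line."""
    m = _REG_RE.match(line)
    if m:
        rec = Autostart(_scope(m["hive"], m["user"]), m["key"], m["name"],
                        m["cmd"], _image_of(m["cmd"]), m["user"])
    else:
        m = _STARTUP_RE.match(line)
        if not m:
            return None
        rec = Autostart("startup-folder", m["key"], m["name"], m["cmd"], _image_of(m["cmd"]))
    rec.flags = _review_flags(rec)
    return rec

def summarize(lines) -> dict:
    # Count autostarts per scope and collect the flagged ones for review.
    recs = [r for r in map(parse_o4, lines) if r is not None]
    by_scope: dict = {}
    for r in recs:
        by_scope[r.scope] = by_scope.get(r.scope, 0) + 1
    return {"total": len(recs), "by_scope": by_scope, "flagged": [r for r in recs if r.flags]}

# Lines copied from the HijackThis log in this thread, plus one constructed line
# (the last) that exercises the user-writable check; it is not from the log.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent",
    r'O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"',
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')",
    r"O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')",
    r"O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe",
    r"O4 - HKCU\..\Run: [example] C:\Documents and Settings\Tracy\Application Data\example.exe",  # constructed
]
```

Running `summarize(SAMPLE_LINES)` reports eight autostarts and flags three of them: the bare `Rundll32.exe`, the MySpaceIM value under the SYSTEM hive, and the constructed Application Data entry.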

Re: need help removing smitfraud and others

Unread postby Bio-Hazard » May 2nd, 2008, 1:47 pm

Hello!

What do you mean by slow:

  • Do you mean your internet connection is slow?
  • Do you mean your startup is slow?



Optional Fix

This is an optional fix, please read the information carefully. If you are happy to uninstall Wild Tangent, please follow the instructions below.
I see you are using Wild Tangent. It is not malware, but is sometimes thought to bring malware along. Wild Tangent is a video game software company specializing in online games. It has even made a partnership with AOL to include itself as part of the AOL Instant Messenger for their AIM games section. The WildTangent Web Driver is their technology that allows you to play 3D games over the Internet. Although it is not technically considered spyware, it does have built in components to update itself and gather information about the computer system including:
  • Operating System Version
  • CPU Type and Speed
  • Memory Amount
  • Video Card type and Driver Version
  • Sound Card type and Driver Version
  • DirectX Version
  • Location that the Web Driver was installed from
  • It is also a MAJOR resource hog.
For more information, see WildTangent Removal Instructions and Help and Inside Wild Tangent - Delivering High-End 3-D Content To A Web Site Near You.

Unless you are an extremely avid games player, I recommend you uninstall Wild Tangent:

To uninstall Wild Tangent:
  • Click Start, point to Settings, and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, highlight Wild Tangent, click Remove.
  • Close the Add or Remove Programs and the Control Panel windows.
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: need help removing smitfraud and others

Unread postby jsmith052277 » May 2nd, 2008, 9:02 pm

The start up is still a little slow. But once I uninstalled the Wild Tangent games it started a little faster. Do I need to uninstall anything else?

I am so appreciative of all your help.

Thank you, Thank you, Thank you!!!
jsmith052277
Regular Member
 
Posts: 21
Joined: April 19th, 2008, 1:57 pm

Re: need help removing smitfraud and others

Unread postby Bio-Hazard » May 3rd, 2008, 10:29 am

Removing these entries will help make your startup even faster.

Remove HijackThis entries

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


  • Close all open windows and browsers/email etc...
  • Click on the Fix Checked button
  • When completed close the application.




Your log now appears to be clean. Congratulations!

You can get rid of the tools we used:
  • ATF-Cleaner (you can just delete the exe file from your desktop) (I would recommend keeping this program)
  • HostsXpert (you can just delete the exe file)
  • OiUninstaller (you can just delete the exe file)
  • Malwarebytes' Anti-Malware (I would recommend keeping this program)

This is how you can uninstall it/them:

  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):

    Malwarebytes' Anti-Malware

NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.


Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints. You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.

    Delete ComboFix and Clean Up
    Click Start > Run > type combofix /u > OK (Note the space between combofix and /u)
    Please advise if this step is missed for any reason as it performs some important actions.

    Protection Programs
    Don't forget to re-enable any protection programs we disabled during your fix.

    General Security and Computer Health
    Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

    • Clear Infected System Restore Points
      • Turn System Restore off
      • On the Desktop, right click on the My Computer icon.
      • Click Properties.
      • Click the System Restore tab.
      • Check Turn off System Restore.
      • Click Apply, and then click OK.
        Restart your computer
      • Turn System Restore on
      • On the Desktop, right click on the My Computer icon.
      • Click Properties.
      • Click the System Restore tab.
      • Uncheck *Turn off System Restore*.
      • Click Apply, and then click OK.
      Note: only do this once, and not on a regular basis

    • Set correct settings for files
      • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
      • Under Hidden files and folders if necessary select Do not show hidden files and folders.
      • If unchecked please check Hide protected operating system files (Recommended)
      • If necessary check Display content of system folders
      • If necessary Uncheck Hide file extensions for known file types.
      • Click OK

    • Make sure that you keep your antivirus updated
      New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
      Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
    • Install and use a firewall with outbound protection
      The Windows firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet.
      Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
    • Security Updates for Windows, Internet Explorer & Microsoft Office
      Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
      Note: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.
    • Update Non-Microsoft Programs
      Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.
    • Make Internet Explorer More Secure
      You are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this SITE


    Recommended Programs

    I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

    • WinPatrol
      As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
    • SpywareBlaster
      SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE.
    • Hosts File
      For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.
    • Use an alternative Internet Browser
      Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
      Firefox
      Opera


Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!

Bio-Hazard
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: need help removing smitfraud and others

Unread postby Gary R » May 6th, 2008, 2:14 am

This topic is now closed.

If you are the originator of this topic, and you need it re-opened please send an email to 'admin at malwareremoval.com', including a link to this topic.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

Gary R
User avatar
Gary R
Administrator
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire