I deleted the entry in HijackThis but was unable to locate the folder. Could it have been deleted? Here's the new HijackThis log and the ComboFix log from yesterday. Oh, here's the location of the Smitfraud-C:
Smitfraud-C.: Program directory (Directory, fixed)
C:\WINDOWS\system32\drv32dta\
Smitfraud-C.Toolbar888: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan
I also have a question. I have the BlackICE firewall, but the last time I tried to install it my computer kept resetting itself when the scan started for the application control function. Should I try to reinstall my firewall now?
Logfile of HijackThis v1.99.1
Scan saved at 7:04:43 PM, on 1/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphia.net/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html ... TP&M=T3422
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.adelphia.net/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphia.net/index.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=21940
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB002" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [Cpue] "C:\DOCUME~1\Owner\MYDOCU~1\MCROSO~1.NET\taskmgr.exe" -vt yazr
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3364824181
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
Owner - 06-12-31 15:11:06.37 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Owner\Desktop"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\icon_mediamotor.exe
C:\Program Files\Common Files\{24A31403-0BFA-1033-0321-060505270001}
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\QooBox\Purity\Documents and Settings\Owner\Application Data\SSTEM~1
C:\QooBox\Purity\WINDOWS\system32\ICROSO~1.NET
C:\QooBox\Purity\WINDOWS\system32\ICROSO~1.NET\bak
((((((((((((((((((((((((((((((( Files Created from 2006-11-31 to 2006-12-31 ))))))))))))))))))))))))))))))))))
2006-12-31 14:54 <DIR> d-------- C:\WINDOWS\system32\drv32dta
2006-12-30 21:48 <DIR> d-------- C:\VundoFix Backups
2006-12-29 22:27 81,684 --a------ C:\WINDOWS\system32\mkusjdcn.dll
2006-12-29 22:24 28,160 --a------ C:\WINDOWS\dsrss.exe
2006-12-29 22:24 18,432 --a------ C:\WINDOWS\ieserver.exe
2006-12-29 22:23 81,684 --a------ C:\WINDOWS\system32\ecsdtyvt.dll
2006-12-29 21:48 <DIR> d-------- C:\Program Files\a-squared Free
2006-12-29 21:28 <DIR> d-------- C:\Program Files\SpywareBlaster
2006-12-29 21:04 <DIR> d-------- C:\HJT
2006-12-29 20:11 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2006-12-29 17:17 <DIR> d-------- C:\WINDOWS\Minidump
2006-12-29 17:15 36,644 --a------ C:\WINDOWS\system32\drivers\RapFile.sys
2006-12-29 17:15 24,344 --a------ C:\WINDOWS\system32\drivers\RapNet.sys
2006-12-29 17:15 10 --a------ C:\WINDOWS\system32\drivers\tmbi.sys
2006-12-28 14:13 81,684 --a------ C:\WINDOWS\system32\yjpqumka.dll
2006-12-27 19:19 <DIR> d-------- C:\Program Files\Symantec Technical Support
2006-12-27 17:10 44,060 --a------ C:\WINDOWS\system32\uegdaokn.dll
2006-12-20 18:39 81,684 --a------ C:\WINDOWS\system32\wcxxpdaw.dll
2006-12-19 17:02 81,684 --a------ C:\WINDOWS\system32\ffopmdhj.dll
2006-12-14 18:09 118,804 --a------ C:\WINDOWS\system32\qvfaocal.dll
2006-12-11 07:39 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2006-12-10 18:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GRETECH
2006-12-10 18:56 <DIR> d-------- C:\Program Files\GRETECH
2006-12-10 18:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\GRETECH
2006-12-10 13:45 <DIR> d-------- C:\Program Files\Webroot
2006-12-10 13:45 <DIR> d-------- C:\Program Files\Common Files\Webroot Shared
2006-12-10 13:45 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2006-12-10 13:44 57,344 --a------ C:\WINDOWS\Unwash6.exe
2006-12-10 13:44 486,400 --a------ C:\WINDOWS\system32\wwSecure.exe
2006-12-06 15:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\acccore
2006-12-06 15:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2006-12-06 15:24 <DIR> d-------- C:\Program Files\AIM6
2006-12-01 00:58 <DIR> d-------- C:\Program Files\XoftSpySE
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-12-31 15:11 -------- d-------- C:\Program Files\Common Files
2006-12-31 12:28 -------- d-------- C:\Program Files\Symantec AntiVirus
2006-12-31 00:56 -------- d-------- C:\Documents and Settings\Owner\Application Data\Azureus
2006-12-29 17:56 -------- d-------- C:\Program Files\InstallShield Installation Information
2006-12-24 17:23 -------- d-------- C:\Program Files\Winamp
2006-12-24 11:20 -------- d-------- C:\Program Files\DVDCoverPrint
2006-12-23 12:21 -------- d-------- C:\Documents and Settings\Owner\Application Data\Vso
2006-12-11 07:30 -------- d-------- C:\Program Files\Common Files\AOL
2006-12-10 14:03 -------- d-------- C:\Program Files\IrfanView
2006-12-05 20:02 -------- d-------- C:\Program Files\AIM
2006-12-05 20:02 -------- d-------- C:\Documents and Settings\Owner\Application Data\Aim
2006-11-25 12:19 69 --a-s---- C:\WINDOWS\test.bat
2006-11-19 22:38 -------- d-------- C:\Program Files\Symantec
2006-11-19 22:37 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-11-11 16:17 -------- d-------- C:\Program Files\EPSON Print CD
2006-11-09 16:37 -------- d-------- C:\Program Files\Common Files\SureThing Shared
2006-11-09 16:15 -------- d-------- C:\Program Files\Easy CD & DVD Cover Creator
2006-11-08 20:17 -------- d-------- C:\Program Files\PowerISO
2006-11-06 01:28 30988 --a------ C:\WINDOWS\system32\drivers\scdemu.sys
2006-09-09 12:36 34 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.log
2006-09-09 12:35 81920 --a------ C:\Documents and Settings\Owner\Application Data\ezpinst.exe
2006-09-09 12:35 7176 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.cat
2006-09-09 12:35 47360 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2006-09-09 12:35 1144 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.inf
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Cpue"="\"C:\\DOCUME~1\\Owner\\MYDOCU~1\\MCROSO~1.NET\\taskmgr.exe\" -vt yazr"
"Cnr"="C:\\WINDOWS\\system32\\ICROSO~1.NET\\MCONFI~1.EXE"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"CTSyncU.exe"="\"C:\\Program Files\\Creative\\Sync Manager Unicode\\CTSyncU.exe\""
"Aim6"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"
"Window Washer"="C:\\Program Files\\Webroot\\Washer\\wwDisp.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"Recguard"=hex(2):25,57,49,4e,44,49,52,25,5c,53,4d,49,4e,53,54,5c,52,45,43,47,\
55,41,52,44,2e,45,58,45,00
"jxqe53fc"="RUNDLL32.EXE w2e344fd.dll,n 001e53fb000000032e344fd"
"EPSON Stylus Photo R220 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAIA.EXE /P30 \"EPSON Stylus Photo R220 Series\" /O6 \"USB002\" /M \"Stylus Photo R220\""
"PWRISOVM.EXE"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"DllRunning"="rundll32.exe \"C:\\WINDOWS\\system32\\qvfaocal.dll\",setvm"
"WinSysModule"="dsrss.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,23,00,00,00,dc,00,00,00,d2,00,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"="NA"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Power2GoExpress"="NA"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\XoftSpySE.job
Completion time: 06-12-31 15:12:20.10
C:\ComboFix.txt ... 06-12-31 15:12