
I've cleaned my registry, scanned for and cleaned viruses, ran Ad-Aware SE, SmitFraudFix, HijackThis and ComboFix (I'll post the log files below).

 

I still have an unremovable Protection toolbar in IE and get hijacked to asecurityupdate.exe whenever I start the browser. I also get intermittent pop-ups trying to sell me a solution. Can you help? Also, would real-time spyware protection keep this from happening again? Thanks.

 

SmitFraudFix v2.178

 

Scan done at 14:36:57.18, 09-May-07

Run from C:\Documents and Settings\Lee\Desktop\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

 

127.0.0.1 localhost

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{84AB5484-D9B3-40A3-ACEB-F8A328D00579}: DhcpNameServer=192.168.0.1

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

Logfile of HijackThis v1.99.1

Scan saved at 14:29:47, on 09-May-07

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Video ActiveX Access\imsmain.exe

C:\WINDOWS\ATK0100\HControl.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Video ActiveX Access\imsmn.exe

C:\WINDOWS\ATK0100\ATKOSD.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\WINDOWS\system32\GS30s.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

c:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe

C:\Documents and Settings\Lee\Desktop\HijackThis_v1.99.1.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: (no name) - {7A8F5B7A-A74F-495E-8A33-DF6226D2BAD8} - C:\Program Files\Video ActiveX Access\iesplg.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Protection Bar - {31615D5C-5126-448A-818A-A7CDFEE85A9B} - C:\Program Files\Video ActiveX Access\iesbpl.dll

O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

O23 - Service: GS30s - Unknown owner - C:\WINDOWS\SYSTEM32\GS30s.exe

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - c:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

 

"lsellers" - 2007-05-09 16:26:28 Service Pack 2

ComboFix 07-05.08.3.V - Running from: "C:\Documents and Settings\Lee\Desktop\"

 

 

((((((((((((((((((((((((((((((( Files Created from 2007-04-09 to 2007-05-09 ))))))))))))))))))))))))))))))))))

 

 

2007-05-09 14:50 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

2007-05-09 14:50 <DIR> d-------- C:\WINDOWS\LastGood

2007-05-09 14:44 <DIR> d-------- C:\Program Files\Yahoo!

2007-05-09 14:44 <DIR> d-------- C:\Program Files\CCleaner

2007-05-09 14:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy

2007-05-09 13:56 <DIR> d-------- C:\Program Files\ACW

2007-05-09 13:38 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2

2007-05-09 09:08 1,902 --a------ C:\WINDOWS\system32\tmp.reg

2007-05-09 08:14 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP

2007-05-09 08:14 <DIR> d-------- C:\Program Files\Video ActiveX Access

2007-05-09 08:14 <DIR> d-------- C:\Program Files\SpyLocked 3.7

2007-04-21 12:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage

2007-04-18 15:07 86,296 --a------ C:\WINDOWS\UNQFL70.EXE

2007-04-18 15:07 146,976 --a------ C:\WINDOWS\system\mfcoleui.dll

2007-04-18 15:06 <DIR> d-------- C:\Program Files\Parsons Technology

2007-04-12 09:41 45,056 -ra------ C:\WINDOWS\system32\hppapts0.dll

2007-04-12 09:41 36,864 -ra------ C:\WINDOWS\system32\hppasnm0.dll

2007-04-12 09:41 36,864 -ra------ C:\WINDOWS\system32\hppapml0.dll

2007-04-12 09:41 36,864 -ra------ C:\WINDOWS\system32\hppadt40.dll

2007-04-12 09:41 32,768 -ra------ C:\WINDOWS\system32\hppamon0.dll

2007-04-12 09:41 311 -ra------ C:\WINDOWS\system32\HPB2550V.DAT

2007-04-12 09:41 192,512 -ra------ C:\WINDOWS\system32\HPB2550V.DLL

2007-04-12 09:41 <DIR> d-------- C:\Program Files\HP

2007-04-12 09:40 16,800 -ra------ C:\WINDOWS\system32\drivers\Hppaufd0.sys

2007-04-12 09:39 <DIR> d-------- C:\Program Files\Common Files\SWF Studio

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2007-05-09 22:11:25 -------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-05-09 06:12:24 -------- d-----w C:\DOCUME~1\Lee\APPLIC~1\Libronix DLS

2007-05-09 05:48:12 7,168 --s-a-w C:\WINDOWS\system32\kgkdbsk.dll

2007-04-01 05:16:59 -------- d-----w C:\Program Files\Crown Financial Ministries

2007-03-24 04:31:31 -------- d-----w C:\Program Files\Plagiarism-Finder 1.2.2 TRIAL

2007-03-24 04:25:52 157,821 ----a-w C:\WINDOWS\Plagiarism-Finder Uninstaller.exe

2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2007-03-15 03:14:57 -------- d-----w C:\Program Files\Hewlett Packard

2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll

2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll

2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll

2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys

2007-03-05 20:34:28 676,224 ----a-w C:\WINDOWS\system32\OGACheckControl.DLL

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

"{53707962-6F74-2D53-2644-206D7942484F}"="C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"

"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll"

"{7A8F5B7A-A74F-495E-8A33-DF6226D2BAD8}"="C:\Program Files\Video ActiveX Access\iesplg.dll"

"{AE7CD045-E861-484f-8273-0445EE161910}"="C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"HControl"="C:\\WINDOWS\\ATK0100\\HControl.exe"

"AGRSMMSG"="AGRSMMSG.exe"

"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"

"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"

"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

"PRISMSVR.EXE"="\"C:\\WINDOWS\\system32\\PRISMSVR.EXE\" /APPLY"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

 

 

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa

Authentication Packages msv1_0\

Security Packages kerberosmsv1_0schannelwdigest\

Notification Packages scecli\

 

 

 

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]

HTTPFilter HTTPFilter\

LocalService AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\

NetworkService DnsCache\

DcomLaunch DcomLaunchTermService\

rpcss RpcSs\

imgsvc StiSvc\

termsvcs TermService\

WudfServiceGroup WUDFSvc\

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost

 

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3483905f-0c5b-11db-b134-0012f05ff81d}]

Shell\AutoRun\command F:\GizmoSecure\Windows\GizmoSecure30.exe

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{73c94f0e-52f9-11db-b17a-0012f05ff81d}]

Shell\AutoRun\command setupSNK.exe

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f52a9647-8bac-11db-b1c3-0012f05ff81d}]

Shell\AutoRun\command E:\GizmoSecure\Windows\GizmoSecure30.exe

 

********************************************************************

 

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-05-09 16:28:15

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden services ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

********************************************************************

 

Completion time: 2007-05-09 16:28:18

C:\ComboFix-quarantined-files.txt ... 2007-05-09 16:28

 

Folder PATH listing
Volume serial number is 0C5D-20CF
C:\QOOBOX
\---Quarantine
\---Registry_backups
