  1. #1
    Member (Join Date: Nov 2007, Posts: 5, Points: 0)

    Ucleaner and trojan.w32.looksky

    Hi,

    Please help. I've run all the programs on the Get rid of spyware guide: Panda (purchased it), Housecall, Spybot, Ad-Aware SE, Combofix and SuperAntiSpyware. All find some sort of spyware. I delete and remove the infections, but it just keeps coming back.

    I had Norton Internet Security prior and during the whole attack and it has not found anything.

    Thank you in advance,

    Sabine


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:22:09 PM, on 11/28/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\DOCUME~1\KAYOUA~1\LOCALS~1\Temp\clclean.0001
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\PROGRA~1\COMCAS~1\rhaphlpr.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/?cookieattempt=1
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=2061014
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O2 - BHO: MSVPS System - {E75B284A-D5D0-4F5D-9BD3-59637A85F5D0} - C:\WINDOWS\werbetlsp.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O3 - Toolbar: The hdtip - {872F66C1-E394-4545-8843-EDE16648058A} - C:\WINDOWS\hdtip.dll
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: LaunchU3.exe.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/actives.../asproinst.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O21 - SSODL: gormet - {0971B194-EF9B-4E60-BA19-9B2BE4DF1531} - C:\WINDOWS\gormet.dll
    O21 - SSODL: pmkret - {C755DBF6-D67A-4F00-AB0C-7B016C3C8174} - C:\WINDOWS\pmkret.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
    O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    --
    End of file - 12277 bytes

  2. #2
    Member (Join Date: Nov 2007, Posts: 5, Points: 0)

    Worm.Win32.Netsky detected on your machine

    Hi,

    I wanted to clarify the symptoms.

    It started with a popup saying I'm infected with this "trojan.w32.looksky" virus. My desktop turned to a red background with a biohazard sign. Internet Explorer keeps getting directed to "ucleaner.com".

    The latest message box that opens states: Worm.Win32.Netsky detected on your machine... Click yes to remove from your machine.

    The spyware tools remove the pop ups and prevent the attempts to change the Internet Explorer home page, but a few hours later the pop ups start again.

    The latest thing is adding network setup icons to my network places folder.

    Thank you in advance,

    Sabine

  3. #3
    steamwiz, Member (Join Date: Sep 2003, Location: Yorkshire U.K., Posts: 14,022, Points: 2335)

    Hi

    Please post the Combofix and SuperAntiSpyware logs ...

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  4. #4
    Member (Join Date: Nov 2007, Posts: 5, Points: 0)

    Superantispyware log and Combofix log

    Hi,

    Here are the logs:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 11/29/2007 at 09:31 AM

    Application Version : 3.9.1008

    Core Rules Database Version : 3259
    Trace Rules Database Version: 1270

    Scan type : Complete Scan
    Total Scan Time : 01:21:55

    Memory items scanned : 783
    Memory threats detected : 0
    Registry items scanned : 6407
    Registry threats detected : 0
    File items scanned : 94859
    File threats detected : 1

    Adware.Tracking Cookie
    C:\Documents and Settings\Sabine\Cookies\sabine@klik.klikadvertising[1].txt

    ************************************

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 11/28/2007 at 11:02 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3259
    Trace Rules Database Version: 1270

    Scan type : Complete Scan
    Total Scan Time : 01:26:08

    Memory items scanned : 823
    Memory threats detected : 0
    Registry items scanned : 6407
    Registry threats detected : 0
    File items scanned : 97227
    File threats detected : 1

    Adware.Tracking Cookie
    C:\Documents and Settings\Sabine\Cookies\Sabine@doubleclick[2].txt

    **************************************************

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 11/28/2007 at 05:31 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3259
    Trace Rules Database Version: 1270

    Scan type : Complete Scan
    Total Scan Time : 02:39:25

    Memory items scanned : 817
    Memory threats detected : 0
    Registry items scanned : 6407
    Registry threats detected : 0
    File items scanned : 96895
    File threats detected : 15

    Adware.Tracking Cookie
    C:\Documents and Settings\Sabine\Cookies\Sabine@entrepreneur[1].txt
    C:\Documents and Settings\Sabine\Cookies\Sabine@atdmt[2].txt
    C:\Documents and Settings\Sabine\Cookies\Sabine@atlas.entrepreneur[1].txt
    C:\Documents and Settings\Sabine\Cookies\Sabine@burstnet[1].txt
    C:\Documents and Settings\Sabine\Cookies\Sabine@entrepreneur.122.2o7[1].txt
    C:\Documents and Settings\Sabine\Cookies\Sabine@media.adrevolver[1].txt
    C:\Documents and Settings\Sabine\Cookies\Sabine@mediaplex[2].txt

    Trace.Known Threat Sources
    C:\Documents and Settings\Sabine\Local Settings\Temporary Internet Files\Content.IE5\FUSF35O5\logo[2].jpg
    C:\Documents and Settings\Sabine\Local Settings\Temporary Internet Files\Content.IE5\KFH3EE7X\BT_download[1].gif
    C:\Documents and Settings\Sabine\Local Settings\Temporary Internet Files\Content.IE5\UHTA76TW\boxes[1].jpg
    C:\Documents and Settings\Sabine\Local Settings\Temporary Internet Files\Content.IE5\IJOLA5U7\girl[1].jpg
    C:\Documents and Settings\Sabine\Local Settings\Temporary Internet Files\Content.IE5\KFH3EE7X\bg[1].gif
    C:\Documents and Settings\Sabine\Local Settings\Temporary Internet Files\Content.IE5\DBF751CA\8[1].htm
    C:\Documents and Settings\Sabine\Local Settings\Temporary Internet Files\Content.IE5\ATUNA1IJ\gray[1].gif
    C:\Documents and Settings\Sabine\Local Settings\Temporary Internet Files\Content.IE5\UHTA76TW\pointer[1].gif

    ****************************************************


    ComboFix 07-11-19.4 - Sabine 2007-11-28 23:12:15.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1289 [GMT -5:00]
    Running from: C:\Documents and Settings\Sabine\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Sabine\Desktop\Error Cleaner.url
    C:\Documents and Settings\Sabine\Desktop\Privacy Protector.url
    C:\Documents and Settings\Sabine\Desktop\Spyware&Malware Protection.url
    C:\Documents and Settings\Sabine\Favorites\Error Cleaner.url
    C:\Documents and Settings\Sabine\Favorites\Privacy Protector.url
    C:\Documents and Settings\Sabine\Favorites\Spyware&Malware Protection.url
    C:\WINDOWS\dat.txt
    C:\WINDOWS\privacy_danger
    C:\WINDOWS\privacy_danger\images\capt.gif
    C:\WINDOWS\privacy_danger\images\danger.jpg
    C:\WINDOWS\privacy_danger\images\down.gif
    C:\WINDOWS\privacy_danger\images\spacer.gif
    C:\WINDOWS\privacy_danger\index.htm
    C:\WINDOWS\rs.txt
    C:\WINDOWS\search_res.txt

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
    .

    2007-11-28 14:14 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-11-28 05:38 d-------- C:\Program Files\Trend Micro
    2007-11-27 23:32 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-27 22:42 d-------- C:\Documents and Settings\Sabine\.housecall6.6
    2007-11-27 20:50 69,632 --a------ C:\WINDOWS\system32\asprouni.exe
    2007-11-27 20:49 d-------- C:\WINDOWS\system32\ASPRO
    2007-11-27 20:49 3,377 --a------ C:\WINDOWS\system32\.ico
    2007-11-27 11:12 d-------- C:\WINDOWS\system32\SuperAdBlocker.com
    2007-11-26 22:18 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-11-26 22:17 d-------- C:\Program Files\SUPERAntiSpyware
    2007-11-26 22:17 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-11-26 22:17 d-------- C:\Documents and Settings\Sabine\Application Data\SUPERAntiSpyware.com
    2007-11-26 21:20 87,528,516 --a------ C:\SYM_REGISTRY_BACKUP.reg
    2007-11-26 16:13 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
    2007-11-26 16:13 10,592 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.cat
    2007-11-26 16:13 705 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.inf
    2007-11-26 09:47 266,240 --a------ C:\WINDOWS\werbetlsp.dll
    2007-11-26 09:47 229,376 --a------ C:\WINDOWS\gormet.dll
    2007-11-26 09:47 204,800 --a------ C:\WINDOWS\pmkret.dll
    2007-11-26 09:47 192,512 --a------ C:\WINDOWS\hdtip.dll
    2007-11-26 09:47 81,920 --a------ C:\WINDOWS\monhop.exe
    2007-11-25 20:33 d-------- C:\Program Files\Norton Internet Security

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-29 04:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2007-11-29 01:52 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-11-29 00:46 --------- d-----w C:\Program Files\Comcast Rhapsody
    2007-11-28 19:14 --------- d-----w C:\Program Files\Lavasoft
    2007-11-28 05:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
    2007-11-28 03:41 --------- d-----w C:\Program Files\Google
    2007-11-28 03:41 --------- d-----w C:\Program Files\Digital Line Detect
    2007-11-28 03:41 --------- d-----w C:\Program Files\Dell Support
    2007-11-28 03:41 --------- d-----w C:\Program Files\BAE
    2007-11-26 20:01 --------- d-----w C:\Documents and Settings\Sabine\Application Data\Image Zone Express
    2007-11-26 05:03 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
    2007-11-26 05:03 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
    2007-11-26 05:03 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2007-11-26 05:03 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2007-11-26 05:03 --------- d-----w C:\Program Files\Symantec
    2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
    2007-10-24 23:18 --------- d-----w C:\Program Files\HP
    2007-10-19 14:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-10-19 14:21 --------- d-----w C:\Program Files\ArcSoft
    2007-10-04 00:23 --------- d-----w C:\Program Files\Picasa2
    2007-10-02 19:32 --------- d-----w C:\Documents and Settings\Sabine\Application Data\Mazaika
    2007-10-02 19:31 --------- d-----w C:\Program Files\Mazaika
    2007-10-02 19:29 --------- d-----w C:\Program Files\Photo Jumble
    2007-07-06 13:41 557,056 -c--a-w C:\Documents and Settings\Sabine\GoToAssist_phone__317_en.exe
    .

    ((((((((((((((((((((((((((((( snapshot_2007-11-27_21.37.42.96 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-11-28 19:15:02 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
    + 2007-11-28 19:15:02 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
    + 2007-11-28 19:15:02 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
    + 2007-11-28 19:15:02 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
    + 2007-07-11 18:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
    + 2007-08-07 17:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
    + 2007-08-07 17:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    + 2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E75B284A-D5D0-4F5D-9BD3-59637A85F5D0}]
    2007-11-26 06:22 266240 --a------ C:\WINDOWS\werbetlsp.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{872F66C1-E394-4545-8843-EDE16648058A}"= C:\WINDOWS\hdtip.dll [2007-11-26 06:22 192512]

    [HKEY_CLASSES_ROOT\clsid\{872f66c1-e394-4545-8843-ede16648058a}]
    [HKEY_CLASSES_ROOT\hdtip.ToolBar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{20675C1B-8407-4F3B-AFC2-D30C3EF0E5F4}]
    [HKEY_CLASSES_ROOT\hdtip.ToolBar]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 03:40 C:\WINDOWS\MIDIDEF.EXE]
    "DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-07-16 20:29]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 09:20 C:\WINDOWS\stsystra.exe]
    "IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 06:15]
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]
    "DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 02:12]
    "CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 09:51]
    "MBMon"="Rundll32 CTMBHA.DLL" []
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00]
    "VoiceCenter"="C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" [2006-02-16 08:20]
    "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 09:44]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 09:44]
    "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 04:20]
    "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-13 07:20]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 15:24]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-12 23:03]
    "Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 17:34]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59]
    "osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 02:11]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-10-13 23:36:39]
    Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-10-24 08:48:04]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 03:21:22]
    LaunchU3.exe.lnk - C:\WINDOWS\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2006-10-24 21:00:16]

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source= file:///C:\WINDOWS\privacy_danger\index.htm
    FriendlyName= Privacy Protection

    [hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [2006-08-17 14:57 86016]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "gormet"= {0971B194-EF9B-4E60-BA19-9B2BE4DF1531} - C:\WINDOWS\gormet.dll [2007-11-26 06:22 229376]
    "pmkret"= {C755DBF6-D67A-4F00-AB0C-7B016C3C8174} - C:\WINDOWS\pmkret.dll [2007-11-26 06:22 204800]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
    ckpNotify.dll 2005-06-19 12:01 24669 C:\WINDOWS\system32\ckpNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

    R1 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys
    R2 CP_OMDRV;Check Point Office Mode Module;C:\WINDOWS\system32\drivers\omdrv.sys
    R2 VNASC;Check Point Virtual Network Adapter - SecureClient;C:\WINDOWS\system32\DRIVERS\vnasc.sys
    R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys
    S3 C-Dilla;C-Dilla;\??\C:\WINDOWS\system32\drivers\CDANT.SYS
    S3 NAL;Nal Service ;\??\C:\WINDOWS\system32\Drivers\iqvw32.sys

    *Newly Created Service* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-27 01:48:40 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Sabine.job"
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-28 23:13:19
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-28 23:13:40
    C:\ComboFix2.txt ... 2007-11-27 21:38
    C:\ComboFix3.txt ... 2007-11-26 23:21
    .
    --- E O F ---

  5. #5
    steamwiz, Member (Join Date: Sep 2003, Location: Yorkshire U.K., Posts: 14,022, Points: 2335)

    Hi

    Please post the logs from your previous 2 runs of Combofix :-

    C:\ComboFix2.txt ... 2007-11-27 21:38
    C:\ComboFix3.txt ... 2007-11-26 23:21

    Then please do this :-

    Download: SmitfraudFix.zip from :-

    http://siri.urz.free.fr/Fix/SmitfraudFix.zip (the file contains both English and French versions)

    1. Download to your desktop
    2. Unzip the zip file to your desktop (the files will be extracted to a folder called SmitfraudFix)
    3. Double-click smitfraudfix.cmd
    4. Select 1 and hit Enter to create a report of the infected files
    5. Find the C:\rapport.txt file and post the contents in your next post here...

    steam

  6. #6
    Member (Join Date: Nov 2007, Posts: 5, Points: 0)

    Hi Steam,

    I don't have the log from 11/27, but here is the one from 11/26.

    Thanks,

    Sabine
    *****************************************************

    ComboFix 07-11-19.4 - Sabine 2007-11-26 23:19:15.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1456 [GMT -5:00]
    Running from: C:\Downloads\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Sabine\Favorites\Error Cleaner.url
    C:\Documents and Settings\Sabine\Favorites\Privacy Protector.url
    C:\Documents and Settings\Sabine\Favorites\Spyware&Malware Protection.url
    C:\WINDOWS\dat.txt
    C:\WINDOWS\privacy_danger
    C:\WINDOWS\privacy_danger\images\capt.gif
    C:\WINDOWS\privacy_danger\images\danger.jpg
    C:\WINDOWS\privacy_danger\images\down.gif
    C:\WINDOWS\privacy_danger\images\spacer.gif
    C:\WINDOWS\privacy_danger\index.htm
    C:\WINDOWS\rs.txt
    C:\WINDOWS\search_res.txt

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
    .

    2007-11-26 22:18 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-11-26 22:17 d-------- C:\Program Files\SUPERAntiSpyware
    2007-11-26 22:17 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-11-26 22:17 d-------- C:\Documents and Settings\Sabine\Application Data\SUPERAntiSpyware.com
    2007-11-26 16:13 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
    2007-11-26 16:13 10,592 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.cat
    2007-11-26 16:13 705 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.inf
    2007-11-26 09:46 d-------- C:\Program Files\RichVideoCodec
    2007-11-25 20:33 d-------- C:\Program Files\Norton Internet Security

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-27 04:15 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-11-27 04:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
    2007-11-27 04:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2007-11-27 02:20 87,528,516 ----a-w C:\SYM_REGISTRY_BACKUP.reg
    2007-11-26 20:01 --------- d-----w C:\Documents and Settings\Sabine\Application Data\Image Zone Express
    2007-11-26 11:22 81,920 ----a-w C:\WINDOWS\monhop.exe
    2007-11-26 11:22 266,240 ----a-w C:\WINDOWS\werbetlsp.dll
    2007-11-26 11:22 229,376 ----a-w C:\WINDOWS\gormet.dll
    2007-11-26 11:22 204,800 ----a-w C:\WINDOWS\pmkret.dll
    2007-11-26 11:22 192,512 ----a-w C:\WINDOWS\hdtip.dll
    2007-11-26 05:03 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
    2007-11-26 05:03 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
    2007-11-26 05:03 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2007-11-26 05:03 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2007-11-26 05:03 --------- d-----w C:\Program Files\Symantec
    2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
    2007-10-24 23:18 --------- d-----w C:\Program Files\HP
    2007-10-19 14:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-10-19 14:21 --------- d-----w C:\Program Files\ArcSoft
    2007-10-04 00:23 --------- d-----w C:\Program Files\Picasa2
    2007-10-02 19:32 --------- d-----w C:\Documents and Settings\Sabine\Application Data\Mazaika
    2007-10-02 19:31 --------- d-----w C:\Program Files\Mazaika
    2007-10-02 19:29 --------- d-----w C:\Program Files\Photo Jumble
    2007-07-06 13:41 557,056 -c--a-w C:\Documents and Settings\Sabine\GoToAssist_phone__317_en.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E75B284A-D5D0-4F5D-9BD3-59637A85F5D0}]
    2007-11-26 06:22 266240 --a------ C:\WINDOWS\werbetlsp.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{872F66C1-E394-4545-8843-EDE16648058A}"= C:\WINDOWS\hdtip.dll [2007-11-26 06:22 192512]

    [HKEY_CLASSES_ROOT\clsid\{872f66c1-e394-4545-8843-ede16648058a}]
    [HKEY_CLASSES_ROOT\hdtip.ToolBar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{20675C1B-8407-4F3B-AFC2-D30C3EF0E5F4}]
    [HKEY_CLASSES_ROOT\hdtip.ToolBar]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 03:40 C:\WINDOWS\MIDIDEF.EXE]
    "DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-07-16 20:29]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 09:20 C:\WINDOWS\stsystra.exe]
    "IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 06:15]
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]
    "DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 02:12]
    "CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 09:51]
    "MBMon"="Rundll32 CTMBHA.DLL" []
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00]
    "VoiceCenter"="C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" [2006-02-16 08:20]
    "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 09:44]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 09:44]
    "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 04:20]
    "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-13 07:20]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 15:24]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-12 23:03]
    "Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 17:34]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59]
    "osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 02:11]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-10-13 23:36:39]
    Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-10-24 08:48:04]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 03:21:22]
    LaunchU3.exe.lnk - C:\WINDOWS\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2006-10-24 21:00:16]

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source= file:///C:\WINDOWS\privacy_danger\index.htm
    FriendlyName= Privacy Protection

    [hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [2006-08-17 14:57 86016]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "gormet"= {0971B194-EF9B-4E60-BA19-9B2BE4DF1531} - C:\WINDOWS\gormet.dll [2007-11-26 06:22 229376]
    "pmkret"= {C755DBF6-D67A-4F00-AB0C-7B016C3C8174} - C:\WINDOWS\pmkret.dll [2007-11-26 06:22 204800]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
    ckpNotify.dll 2005-06-19 12:01 24669 C:\WINDOWS\system32\ckpNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

    R1 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys
    R2 CP_OMDRV;Check Point Office Mode Module;C:\WINDOWS\system32\drivers\omdrv.sys
    R2 VNASC;Check Point Virtual Network Adapter - SecureClient;C:\WINDOWS\system32\DRIVERS\vnasc.sys
    R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys
    S3 C-Dilla;C-Dilla;\??\C:\WINDOWS\system32\drivers\CDANT.SYS
    S3 NAL;Nal Service ;\??\C:\WINDOWS\system32\Drivers\iqvw32.sys

    *Newly Created Service* - CATCHME
    *Newly Created Service* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-27 01:48:40 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Sabine.job"
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-26 23:20:59
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-26 23:21:18
    .
    --- E O F ---

  7. #7
    Member (Join Date: Nov 2007, Posts: 5)

    smitfraudfix

    Hi,

    Here is the log from SmitFraudfix.

    Thanks again,

    Sabine

    ****************************************

    SmitFraudFix v2.256

    Scan done at 23:21:49.76, Fri 11/30/2007
    Run from C:\Documents and Settings\Sabine\Desktop\Help2Go Tools\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
    C:\DOCUME~1\Sabine~1\LOCALS~1\Temp\clclean.0001
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
    C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Comcast Rhapsody\rhaphlpr.exe
    C:\WINDOWS\system32\cmd.exe

    hosts


    C:\


    C:\WINDOWS

    C:\WINDOWS\monhop.exe FOUND !

    C:\WINDOWS\system


    C:\WINDOWS\Web


    C:\WINDOWS\system32


    C:\WINDOWS\system32\LogFiles


    C:\Documents and Settings\Sabine


    C:\Documents and Settings\Sabine\Application Data


    Start Menu


    C:\DOCUME~1\Sabine~1\FAVORI~1

    C:\DOCUME~1\SAbine~1\FAVORI~1\Error Cleaner.url FOUND !
    C:\DOCUME~1\Sabine~1\FAVORI~1\Privacy Protector.url FOUND !
    C:\DOCUME~1\Sabine~1\FAVORI~1\Spyware&Malware Protection.url FOUND !

    Desktop

    C:\DOCUME~1\Sabine~1\Desktop\Spyware&Malware Protection.url FOUND !

    C:\Program Files


    Corrupted keys


    Desktop Components



    Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL"


    Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    Rustock



    DNS

    Description: Intel(R) 82566DC Gigabit Network Connection - SecuRemote Miniport
    DNS Server Search Order: 68.87.68.162
    DNS Server Search Order: 68.87.74.162

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{878B5A00-0097-42AD-8A1D-F92A54D295DE}: DhcpNameServer=68.87.68.162 68.87.74.162
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{878B5A00-0097-42AD-8A1D-F92A54D295DE}: DhcpNameServer=68.87.68.162 68.87.74.162
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{878B5A00-0097-42AD-8A1D-F92A54D295DE}: DhcpNameServer=68.87.68.162 68.87.74.162
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162


    Scanning for wininet.dll infection


    End

  8. #8
    steamwiz, Member (Join Date: Sep 2003, Location: Yorkshire U.K., Posts: 14,022)

    Hi

    1. Reboot into >>>safe mode
    2. Double-click smitfraudfix.cmd
    3. Select 2 and hit Enter to delete infected files
    4. You will be prompted: "Do you want to clean the registry?" Answer Y (yes) and hit Enter in order to remove the Desktop background and clean the registry keys associated with the infection
    5. The tool will now check whether wininet.dll is infected. If it is, you will be prompted: "Replace infected file?" Answer Y (yes) and hit Enter to restore a clean file
    6. A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt ... Post the contents of the C:\rapport.txt file in your next post here...

    process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consultin...rocessutil.htm

    THEN ... once back in normal mode ...

    Open Notepad and copy/paste the text in the code box below into it:
    NOTE: make sure to highlight and copy only what is inside the code box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Code:
    File::
    C:\WINDOWS\werbetlsp.dll 
    C:\WINDOWS\gormet.dll 
    C:\WINDOWS\pmkret.dll 
    C:\WINDOWS\hdtip.dll 
    C:\WINDOWS\monhop.exe
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E75B284A-D5D0-4F5D-9BD3-59637A85F5D0}] 
     
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] 
    "{872F66C1-E394-4545-8843-EDE16648058A}"=-
    
    [-HKEY_CLASSES_ROOT\clsid\{872f66c1-e394-4545-8843-ede16648058a}] 
    [-HKEY_CLASSES_ROOT\hdtip.ToolBar.1] 
    [-HKEY_CLASSES_ROOT\TypeLib\{20675C1B-8407-4F3B-AFC2-D30C3EF0E5F4}] 
    [-HKEY_CLASSES_ROOT\hdtip.ToolBar] 
    
    [-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] 
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] 
    "gormet"=-
    "pmkret"=-
    Save this as "CFScript.txt"

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.


    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    steam
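
    The CFScript in reply #8 was built by hand from the "Reg Loading Points" section of the ComboFix log in reply #6: four DLLs written to C:\WINDOWS in the same minute and hooked in as a Browser Helper Object, an Internet Explorer toolbar and two ShellServiceObjectDelayLoad entries. The Python below is an added example, not ComboFix's own code and not from anyone in this thread; it automates that mapping. It parses an excerpt of the log (the sample lines are copied from reply #6), groups files by drop timestamp, flags entries that sit directly in the Windows directory and load through a silent extension point, and emits a File::/Registry:: block in the syntax steam used. The suspicion rule is an editorial heuristic fitted to this infection: it deliberately ignores the Run key (where the legitimate MIDIDef.exe also lives in C:\WINDOWS), and it does not cover monhop.exe, which steam took from the SmitfraudFix report rather than from a load point.

```python
"""Draft a ComboFix CFScript from the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread (not ComboFix's own code and not from the posters).
The sample excerpt below is copied from the ComboFix log in reply #6; the rule for
which entries are suspicious is an editorial heuristic tuned to this infection
(DLLs dropped straight into the Windows directory and hooked through silent
browser/shell extension points), not a general-purpose detector.
"""
import re
from collections import OrderedDict
from typing import Dict, List, NamedTuple, Optional

WINDIR = r"C:\WINDOWS"

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\Key]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=')                 # "ValueName"= ...
PATH_RE = re.compile(r'([A-Za-z]:\\[^\[\]"]*?\.(?:dll|exe))', re.IGNORECASE)
STAMP_RE = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2})")  # file timestamp ComboFix prints
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}$")           # key is a per-CLSID key

# Load points that run a DLL silently inside the browser or shell. Run/RunOnce are
# deliberately excluded: OEM tools legitimately live in C:\WINDOWS there.
EXTENSION_POINTS = (
    "browser helper objects",
    "internet explorer\\toolbar",
    "shellserviceobjectdelayload",
    "shellexecutehooks",
    "winlogon\\notify",
    "appinit_dlls",
)

# Constructed sample: lines copied from the ComboFix log posted in reply #6.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E75B284A-D5D0-4F5D-9BD3-59637A85F5D0}]
2007-11-26 06:22 266240 --a------ C:\WINDOWS\werbetlsp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{872F66C1-E394-4545-8843-EDE16648058A}"= C:\WINDOWS\hdtip.dll [2007-11-26 06:22 192512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 03:40 C:\WINDOWS\MIDIDEF.EXE]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"gormet"= {0971B194-EF9B-4E60-BA19-9B2BE4DF1531} - C:\WINDOWS\gormet.dll [2007-11-26 06:22 229376]
"pmkret"= {C755DBF6-D67A-4F00-AB0C-7B016C3C8174} - C:\WINDOWS\pmkret.dll [2007-11-26 06:22 204800]
"""


class Entry(NamedTuple):
    key: str
    name: Optional[str]   # value name, or None when ComboFix lists the file on its own line
    path: str
    stamp: Optional[str]


def parse_loading_points(log_text: str) -> List[Entry]:
    """Collect every file-backed load point under the registry key it was listed in."""
    entries, key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        pm = PATH_RE.search(line)
        if key is None or not pm:
            continue
        vm = VALUE_RE.match(line)
        sm = STAMP_RE.search(line)
        entries.append(Entry(key, vm.group(1) if vm else None, pm.group(1),
                             sm.group(1) if sm else None))
    return entries


def drop_clusters(entries: List[Entry]) -> Dict[str, List[str]]:
    """Timestamps shared by several loaded files: one minute, many files is a drop signature."""
    groups: Dict[str, List[str]] = OrderedDict()
    for e in entries:
        if e.stamp:
            groups.setdefault(e.stamp, []).append(e.path)
    return OrderedDict((s, p) for s, p in groups.items() if len(p) > 1)


def suspicious_entries(entries: List[Entry]) -> List[Entry]:
    """Heuristic: loaded via a silent extension point AND stored directly in the Windows dir."""
    def in_windows_root(path: str) -> bool:
        return path.rpartition("\\")[0].upper() == WINDIR.upper()
    return [e for e in entries
            if any(p in e.key.lower() for p in EXTENSION_POINTS) and in_windows_root(e.path)]


def build_cfscript(suspects: List[Entry]) -> str:
    """Emit ComboFix script text: File:: deletes files, [-key] drops a key, "name"=- drops a value."""
    files = list(OrderedDict.fromkeys(e.path for e in suspects))
    lines = ["File::"] + files + ["", "Registry::"]
    by_key: Dict[str, List[Optional[str]]] = OrderedDict()
    for e in suspects:
        by_key.setdefault(e.key, []).append(e.name)
    for key, names in by_key.items():
        if GUID_RE.search(key) or all(n is None for n in names):
            lines.append("[-%s]" % key)            # per-CLSID key: remove it whole
        else:
            lines.append("[%s]" % key)             # shared key: remove only our values
            lines.extend('"%s"=-' % n for n in names if n)
        lines.append("")
    return "\n".join(lines).rstrip("\n") + "\n"


if __name__ == "__main__":
    found = parse_loading_points(SAMPLE_LOG)
    for stamp, paths in drop_clusters(found).items():
        print("files sharing drop time %s: %s" % (stamp, ", ".join(paths)))
    print(build_cfscript(suspicious_entries(found)))
```

    Run it against the full "Reg Loading Points" section of a real log, then review the draft by hand before feeding it to ComboFix: the heuristic only says which entries look like this family, and anything it misses (here, monhop.exe) still has to be added from the other reports.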