Views: 1664 | Replies: 11 | Solved
Join Date: Oct 2007
Posts: 7
Rep Power: 0
Solved Threads: 0
I have recently acquired the Smitfraud virus. I seem to have cleaned it with the use of SmitfraudFix in Safe Mode and the use of several anti-virus programs. Even after cleaning it out, my background selection, Browse and Position are grayed out (Desktop tab, Display Properties), but I can still access Customize Desktop and Color.
When I start up my computer I get a message saying LoadLibrary("C:\Documents and Settings\All Users\Application Data\zcdyhmdc.dll") failed - The specified module could not be found.
I searched on Google for zcdyhmdc but found nothing. This only started appearing after I cleaned out the virus.
Last edited by Praz-el : Oct 27th, 2007 at 10:31 am. Reason: Update
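A LoadLibrary failure naming a file that is no longer on disk means some autostart entry still carries the DLL's path after the cleanup tools removed the file itself; the fix is to find and delete that entry, not the (already gone) file. The script below is an added example, not part of the original thread and not one of the tools the helper recommends: it parses a .reg export of autostart keys and reports every referenced module that does not exist. The export text, the file list and the value named zcdy are constructed for the example; the page does not show which key on the poster's machine held the stale reference.

```python
import re

# Constructed .reg export of two autostart keys, in the format regedit/reg.exe
# write. The value named "zcdy" is hypothetical: the thread does not show where
# the stale zcdyhmdc.dll reference actually lived on the poster's machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe\""
"zcdy"="rundll32.exe \"C:\\Documents and Settings\\All Users\\Application Data\\zcdyhmdc.dll\",Start"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
'''

# Files present on the constructed machine (lower-cased for comparison).
SAMPLE_FILES = {
    r"c:\program files\analog devices\soundmax\smax4pnp.exe",
    r"c:\windows\system32\rundll32.exe",
}

# "name"=data, where name may contain escaped characters.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# Drive-letter path ending in a loadable module; stops at a quote, comma or pipe.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|,]+?\.(?:dll|exe|sys|ocx)\b', re.IGNORECASE)


def _unescape(data):
    # .reg escapes a backslash as \\ and a double quote as \"; undo both in one pass
    return re.sub(r"\\(.)", r"\1", data)


def parse_reg_values(reg_text):
    """Yield (key, value_name, string_data) for every REG_SZ value in a .reg export."""
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"') and key is not None:
            m = VALUE_RE.match(line)
            if m is None:
                continue
            name, data = m.group(1), m.group(2)
            # Only quoted data is REG_SZ; dword:/hex: values carry no path strings
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                yield key, name, _unescape(data[1:-1])


def find_orphaned_references(reg_text, exists):
    """Return (key, value_name, path) for every referenced module that exists() rejects."""
    orphans = []
    for key, name, data in parse_reg_values(reg_text):
        for path in PATH_RE.findall(data):
            if not exists(path):
                orphans.append((key, name, path))
    return orphans


def demo():
    """Run the check against the constructed export and file list."""
    return find_orphaned_references(SAMPLE_REG, lambda p: p.lower() in SAMPLE_FILES)


if __name__ == "__main__":
    for key, name, path in demo():
        print(f"{key}\\{name} -> missing file {path}")
```

On the affected machine the same function would be fed a real export (reg export of the Run/RunOnce keys, the Winlogon key for Shell, UserInit and Notify, and the Windows key for AppInit_DLLs; reg.exe writes the file as UTF-16, so open it with encoding="utf-16") together with os.path.exists as the predicate. A hit identifies the value to delete; deleting the value rather than creating an empty DLL in its place is what stops the message.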
Join Date: Feb 2004
Location: Oztralya
Posts: 8,019
Rep Power: 23
Solved Threads: 456
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
Join Date: Oct 2007
Posts: 7
Rep Power: 0
Solved Threads: 0
SmitFraudFix v2.242
Scan done at 8:49:57.82, Sun 10/28/2007
Run from C:\Documents and Settings\Praz-el\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Internet Explorer\winload.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Praz-el
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Praz-el\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Praz-el\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller - Packet Scheduler Miniport
DNS Server Search Order: 68.87.77.130
DNS Server Search Order: 68.87.72.130
HKLM\SYSTEM\CCS\Services\Tcpip\..\{2419FEBF-DCE5-47A5-91C5-149501E3D88B}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2419FEBF-DCE5-47A5-91C5-149501E3D88B}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2419FEBF-DCE5-47A5-91C5-149501E3D88B}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Join Date: Feb 2004
Location: Oztralya
Posts: 8,019
Rep Power: 23
Solved Threads: 456
Please go to Jotti's or to VirusTotal and have this file scanned. Post the results back here.
C:\Program Files\Internet Explorer\winload.exe
==========
Download HijackThis from here. Download it to your desktop and NOT a temporary folder.
Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
Join Date: Oct 2007
Posts: 7
Rep Power: 0
Solved Threads: 0
Antivirus Version Last Update Result
AhnLab-V3 2007.10.27.0 2007.10.26 -
AntiVir 7.6.0.30 2007.10.26 TR/Delphi.Downloader.Gen
Authentium 4.93.8 2007.10.28 -
Avast 4.7.1074.0 2007.10.28 -
AVG 7.5.0.503 2007.10.28 -
BitDefender 7.2 2007.10.28 Trojan.Downloader.Delf.OBD
CAT-QuickHeal 9.00 2007.10.26 TrojanDownloader.Agent.elj
ClamAV 0.91.2 2007.10.28 -
DrWeb 4.44.0.09170 2007.10.28 -
eSafe 7.0.15.0 2007.10.28 -
eTrust-Vet 31.2.5244 2007.10.26 -
Ewido 4.0 2007.10.28 -
FileAdvisor 1 2007.10.28 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.3.2.48 2007.10.26 -
F-Secure 6.70.13030.0 2007.10.28 -
Ikarus T3.1.1.12 2007.10.28 Trojan-Downloader.Delf.OBD
Kaspersky 7.0.0.125 2007.10.28 Heur.Trojan.Generic
McAfee 5150 2007.10.26 -
Microsoft 1.2908 2007.10.28 -
NOD32v2 2621 2007.10.28 probably unknown NewHeur_PE virus
Norman 5.80.02 2007.10.26 -
Panda 9.0.0.4 2007.10.28 Suspicious file
Prevx1 V2 2007.10.28 TROJAN.DOWNLOADER.GEN
Rising 19.46.61.00 2007.10.28 -
Sophos 4.23.0 2007.10.28 -
Sunbelt 2.2.907.0 2007.10.27 -
Symantec 10 2007.10.28 -
TheHacker 6.2.9.110 2007.10.27 -
VBA32 3.12.2.4 2007.10.28 suspected of Win32.Trojan.Downloader (http://...)
VirusBuster 4.3.26:9 2007.10.28 -
Webwasher-Gateway 6.6.1 2007.10.28 Trojan.Delphi.Downloader.Gen
Additional information
File size: 94720 bytes
MD5: c5233a4187a9752152f1bb2360b2a37d
SHA1: 47ee3816e6c678132ca6374a516faf9dcc59dd9a
Scan taken on 28 Oct 2007 21:24:37 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Delphi.Downloader.Gen
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Downloader.Delf.OBD
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found Win32.Trojan.Downloader (http://...) (probable variant)
I have now deleted it
Last edited by Praz-el : Oct 28th, 2007 at 6:33 pm. Reason: Adding
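Reading a multi-engine result is less about the raw count than about what the verdicts say and how fresh each engine's signatures were when it said it. The parser below is an added example, not code from the thread or from VirusTotal: it reads the table posted above, counts detections, separates heuristic or generic verdicts from named signatures, counts how many verdicts agree on "downloader", and lists the engines whose signature date lags the newest one in the table, whose "-" is therefore weaker evidence of a clean file. The set of words treated as heuristic markers is an assumption of the example.

```python
import re

# The VirusTotal table posted above: engine, engine version, signature date, result.
VT_TABLE = """\
AhnLab-V3 2007.10.27.0 2007.10.26 -
AntiVir 7.6.0.30 2007.10.26 TR/Delphi.Downloader.Gen
Authentium 4.93.8 2007.10.28 -
Avast 4.7.1074.0 2007.10.28 -
AVG 7.5.0.503 2007.10.28 -
BitDefender 7.2 2007.10.28 Trojan.Downloader.Delf.OBD
CAT-QuickHeal 9.00 2007.10.26 TrojanDownloader.Agent.elj
ClamAV 0.91.2 2007.10.28 -
DrWeb 4.44.0.09170 2007.10.28 -
eSafe 7.0.15.0 2007.10.28 -
eTrust-Vet 31.2.5244 2007.10.26 -
Ewido 4.0 2007.10.28 -
FileAdvisor 1 2007.10.28 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.3.2.48 2007.10.26 -
F-Secure 6.70.13030.0 2007.10.28 -
Ikarus T3.1.1.12 2007.10.28 Trojan-Downloader.Delf.OBD
Kaspersky 7.0.0.125 2007.10.28 Heur.Trojan.Generic
McAfee 5150 2007.10.26 -
Microsoft 1.2908 2007.10.28 -
NOD32v2 2621 2007.10.28 probably unknown NewHeur_PE virus
Norman 5.80.02 2007.10.26 -
Panda 9.0.0.4 2007.10.28 Suspicious file
Prevx1 V2 2007.10.28 TROJAN.DOWNLOADER.GEN
Rising 19.46.61.00 2007.10.28 -
Sophos 4.23.0 2007.10.28 -
Sunbelt 2.2.907.0 2007.10.27 -
Symantec 10 2007.10.28 -
TheHacker 6.2.9.110 2007.10.27 -
VBA32 3.12.2.4 2007.10.28 suspected of Win32.Trojan.Downloader (http://...)
VirusBuster 4.3.26:9 2007.10.28 -
Webwasher-Gateway 6.6.1 2007.10.28 Trojan.Delphi.Downloader.Gen
"""

# Words that mark a heuristic or generic verdict rather than a named sample
# (assumption of this example).
HEURISTIC_TOKENS = {"heur", "generic", "gen", "suspicious", "suspected", "probably", "unknown"}


def parse_vt_table(text):
    """Rows of (engine, version, signature_date, result); result is None for '-'."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)          # the result column may contain spaces
        if len(parts) != 4:
            continue
        engine, version, date, result = parts
        rows.append((engine, version, date, None if result.strip() == "-" else result.strip()))
    return rows


def verdict_tokens(verdict):
    return {t for t in re.split(r"[^a-z0-9]+", verdict.lower()) if t}


def summarize(rows):
    newest = max(date for _, _, date, _ in rows)   # yyyy.mm.dd compares correctly as text
    hits = [(engine, result) for engine, _, _, result in rows if result]
    generic = [e for e, r in hits if verdict_tokens(r) & HEURISTIC_TOKENS]
    return {
        "engines": len(rows),
        "detections": len(hits),
        "downloader_votes": sum(1 for _, r in hits if "download" in r.lower()),
        "heuristic_or_generic": generic,
        "named_signature": [e for e, r in hits if e not in generic],
        # engines whose signatures predate the newest set in the table
        "stale_signatures": [e for e, _, d, _ in rows if d < newest],
    }


def report():
    return summarize(parse_vt_table(VT_TABLE))


if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k}: {v}")
```

For this table the summary is 10 detections out of 32 engines, 7 of them agreeing on a downloader, with only 3 named signatures; a third of the engines that reported nothing were running signatures older than the newest set. That pattern, a minority of engines flagging a generic downloader while the rest are silent, is what a freshly packed dropper usually looks like on the day it appears, so it supports the helper's advice to treat the file as hostile and remove it.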
Join Date: Feb 2004
Location: Oztralya
Posts: 8,019
Rep Power: 23
Solved Threads: 456
Download HijackThis from here. Download it to your desktop and NOT a temporary folder.
Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.
And this??
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
Join Date: Oct 2007
Posts: 7
Rep Power: 0
Solved Threads: 0
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:19:33 PM, on 10/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Praz-el\Desktop\Highjack\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
F2 - REG:system.ini: Shell=Explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Flash Module - {C8A3B994-E27A-42f5-A053-C63799E621FB} - simcard1.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SysSFGE.exe] C:\WINDOWS\system32\SysSFGE.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [System32] C:\WINDOWS\system32\frmwrk.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - S-1-5-18 Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...50/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 4849 bytes
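The posted log contains the entries an experienced HijackThis reader would pick out first: UserInit carries a second executable (ntos.exe) after userinit.exe, which winlogon will run at every logon; the BHO "Flash Module" is registered but its DLL is gone; and two Run entries start unnamed executables straight from system32 (one of them, frmwrk.exe, matches the frmwrk.sys driver SDFix later deletes). The triage script below is an added example, not HijackThis itself and not code from the thread; it encodes those checks and runs them over an excerpt of the log posted above, with benign lines (Shell, SoundMAX, NvCpl, Steam, the SUPERAntiSpyware Winlogon Notify entry) kept as controls. The short allowlist of programs considered normal in the Windows directory is an assumption of the example.

```python
import ntpath
import re

# Excerpt of the HijackThis log posted above.
SAMPLE_LOG = r"""F2 - REG:system.ini: Shell=Explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Flash Module - {C8A3B994-E27A-42f5-A053-C63799E621FB} - simcard1.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SysSFGE.exe] C:\WINDOWS\system32\SysSFGE.exe
O4 - HKLM\..\Run: [System32] C:\WINDOWS\system32\frmwrk.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# Programs that legitimately start straight from the Windows directory. This
# allowlist is an assumption of the example, not a HijackThis rule.
KNOWN_WINDOWS_EXES = {"rundll32.exe", "ctfmon.exe", "userinit.exe", "explorer.exe"}
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}

O4_RE = re.compile(r"O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)")


def exe_from_command(command):
    """Executable path from a Run command: the quoted path, or else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def in_windows_dir(path):
    return ntpath.dirname(path).lower() in WINDOWS_DIRS


def triage_hjt(log_text):
    """Return (section, reason, line) for each entry the checks consider suspicious."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("F2 - REG:system.ini: UserInit="):
            # winlogon runs every comma-separated program listed here; only userinit.exe belongs
            programs = [p.strip() for p in line.split("=", 1)[1].split(",") if p.strip()]
            extra = [p for p in programs if ntpath.basename(p).lower() != "userinit.exe"]
            if extra:
                findings.append(("F2", "extra program appended to UserInit: " + ", ".join(extra), line))
        elif line.startswith("F2 - REG:system.ini: Shell="):
            if line.split("=", 1)[1].strip().lower() != "explorer.exe":
                findings.append(("F2", "Shell is not Explorer.exe", line))
        elif line.startswith("O2 - BHO:") and line.endswith("(file missing)"):
            # a BHO whose DLL is gone is either leftover from a cleanup or hidden from the scanner
            findings.append(("O2", "BHO registered but its DLL is missing", line))
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            if m is None:
                continue
            exe = exe_from_command(m.group(3))
            if in_windows_dir(exe) and ntpath.basename(exe).lower() not in KNOWN_WINDOWS_EXES:
                findings.append(("O4", "unfamiliar program run from the Windows directory: " + exe, line))
        elif line.startswith("O20 - Winlogon Notify:"):
            dll = line.rsplit(" - ", 1)[-1]
            if in_windows_dir(dll):   # loads into winlogon.exe; review if not a known Microsoft DLL
                findings.append(("O20", "Winlogon Notify DLL in the Windows directory: " + dll, line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage_hjt(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

The UserInit check is the one worth remembering: because the value is a comma-separated list, an attacker can append a program without disturbing userinit.exe, and the entry survives most "startup" cleaners that only look at Run keys. The script does not decide what to fix; as the helper says, the log is posted and read before anything is removed.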
Join Date: Feb 2004
Location: Oztralya
Posts: 8,019
Rep Power: 23
Solved Threads: 456
Thank you.
Download SDFix and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, a menu with options should appear;
- Select the first option, to run Windows in Safe Mode, then press "Enter".
- Choose your usual account.
- In Safe Mode, right click the SDFix.zip folder and choose Extract All,
- Open the extracted folder and double click RunThis.bat to start the script.
- Type Y to begin the script.
- It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- Your system will take longer than normal to restart as the fixtool will be running and removing files.
- When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
- Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
Join Date: Oct 2007
Posts: 7
Rep Power: 0
Solved Threads: 0
SDFix: Version 1.113
Run by Praz-el on Thu 11/01/2007 at 02:16 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Praz-el\Desktop\SDFix
Safe Mode:
Checking Services:
Name:
Driver
ImagePath:
\??\C:\WINDOWS\system32\frmwrk.sys
Driver - Deleted
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\11.TMP - Deleted
C:\12.TMP - Deleted
C:\14.TMP - Deleted
C:\16.TMP - Deleted
C:\E.TMP - Deleted
C:\F.TMP - Deleted
C:\WINDOWS\SYSTEM32\CENTER.EXE - Deleted
C:\WINDOWS\dat.txt - Deleted
C:\WINDOWS\rs.txt - Deleted
C:\WINDOWS\system32\0_exception.nls - Deleted
C:\WINDOWS\system32\alert_icon.gif - Deleted
C:\WINDOWS\system32\b.gif - Deleted
C:\WINDOWS\system32\backtomsn.gif - Deleted
C:\WINDOWS\system32\backtomsn.jpg - Deleted
C:\WINDOWS\system32\classifields.gif - Deleted
C:\WINDOWS\system32\close_icon.gif - Deleted
C:\WINDOWS\system32\cmds.txt - Deleted
C:\WINDOWS\system32\conf.dat - Deleted
C:\WINDOWS\system32\cookie1.dat - Deleted
C:\WINDOWS\system32\down_arrow.gif - Deleted
C:\WINDOWS\system32\frmwrk.sys - Deleted
C:\WINDOWS\system32\google.htm - Deleted
C:\WINDOWS\system32\header_bg.gif - Deleted
C:\WINDOWS\system32\hf_en-US.js - Deleted
C:\WINDOWS\system32\home.htm - Deleted
C:\WINDOWS\system32\icon_warning.gif - Deleted
C:\WINDOWS\system32\images.gif - Deleted
C:\WINDOWS\system32\info.txt - Deleted
C:\WINDOWS\system32\jewel.png - Deleted
C:\WINDOWS\system32\l_sb.css - Deleted
C:\WINDOWS\system32\l_sb_c.js - Deleted
C:\WINDOWS\system32\ma_search_1.gif - Deleted
C:\WINDOWS\system32\maps.gif - Deleted
C:\WINDOWS\system32\more.gif - Deleted
C:\WINDOWS\system32\msn.htm - Deleted
C:\WINDOWS\system32\news.gif - Deleted
C:\WINDOWS\system32\passport.gif - Deleted
C:\WINDOWS\system32\ps1.dat - Deleted
C:\WINDOWS\system32\rc.dat - Deleted
C:\WINDOWS\system32\remove_spyware_button.gif - Deleted
C:\WINDOWS\system32\search.css - Deleted
C:\WINDOWS\system32\sec.htm - Deleted
C:\WINDOWS\system32\secuity_center_logo.gif - Deleted
C:\WINDOWS\system32\simcard1.dll - Deleted
C:\WINDOWS\system32\SrchBtn.gif - Deleted
C:\WINDOWS\system32\toolbar_bg.gif - Deleted
C:\WINDOWS\system32\toolbar_corner_left.gif - Deleted
C:\WINDOWS\system32\toolbar_corner_right.gif - Deleted
C:\WINDOWS\system32\warn.htm - Deleted
C:\WINDOWS\system32\web.gif - Deleted
C:\WINDOWS\system32\yahoo.htm - Deleted
C:\WINDOWS\system32\ysch_srp_gsp2_20070621.js - Deleted
C:\WINDOWS\system32\yschx_20070405.css - Deleted
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
catchme 0.3.1253 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-01 14:23:05
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\CAPCOM\\LOST_PLANET_TRIAL_DX9\\LostPlanetDX9.exe"="C:\\Program Files\\CAPCOM\\LOST_PLANET_TRIAL_DX9\\LostPlanetDX9.exe
:Disabled:LostPlanetDX9"
"C:\\Program Files\\Codemasters\\Overlord\\Overlord.exe"="C:\\Program Files\\Codemasters\\Overlord\\Overlord.exe
:Enabled:Overlord"
"C:\\Documents and Settings\\Praz-el\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\Praz-el\\Desktop\\utorrent.exe
:Enabled:µTorrent"
"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe
:Enabled:Steam Client"
"C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\source sdk base\\hl2.exe"="C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\source sdk base\\hl2.exe
:Enabled:hl2"
"C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\half-life 2 deathmatch\\hl2.exe"="C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\half-life 2 deathmatch\\hl2.exe
:Enabled:hl2"
"C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\half-life 2\\hl2.exe"="C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\half-life 2\\hl2.exe
:Enabled:hl2"
"C:\\Program Files\\Fury\\Binaries\\DiamondWare\\dwTVC.exe"="C:\\Program Files\\Fury\\Binaries\\DiamondWare\\dwTVC.exe
:Enabled:dwTVC"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe
:Enabled:LimeWire"
"D:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="D:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe
:Enabled:Blizzard Downloader"
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe
:Enabled:World in Conflict"
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe
:Enabled:World in Conflict - Online Only"
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe
:Enabled:World in Conflict - Dedicated Server"
"C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\garrysmod\\hl2.exe"="C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\garrysmod\\hl2.exe
:Enabled:hl2"
"C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\team fortress 2\\hl2.exe"="C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\team fortress 2\\hl2.exe
:Enabled:hl2"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe
:Enabled
xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\48393902ld.exe"="C:\\WINDOWS\\system32\\48393902ld.exe
:Enabled:Enabled"
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe"="C:\\Program Files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe
:Enabled:Crysis_32_sp_demo"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe
:enabled
xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe
:Enabled
xpsp2res.dll,-22019"
Remaining Files:
---------------
File Backups: - C:\DOCUME~1\Praz-el\Desktop\SDFix\backups\backups.zip
Files with Hidden Attributes:
Thu 25 Oct 2007 16,954 ...HR --- "C:\WINDOWS\system32\win_4s.exe"
Sun 28 Oct 2007 4,579 ...HR --- "C:\Documents and Settings\Praz-el\Application Data\SecuROM\UserData\securom_v7_01.bak"
Finished!