944,128 Members | Top Members by Rank

Hardware and Software > Microsoft Windows > Viruses, Spyware and other Nasties > Smitfraud background
Ad:
You are currently viewing page 1 of this multi-page discussion thread
Permalink
Oct 27th, 2007
0

Smitfraud background

Expand Post »
I have recently acquired the smitfraud virus I seem to have cleaned it with the use of smitfraudfix in safe mode and the use of several anti virus programs. Even after cleaning it out my background selection browse and position are grayed out (desktop[Display Prop]) but i can still access customize desktop and color.

when i start up my computer I get a message saying Loadlibary("C:\Documents and Settings\All Users\Application Data\zcdyhmdc.dll") failed - The Specified module could not be found.

I searched on Google for zcdyhmdc but found nothing this only started appearing after I cleaned out the virus
Last edited by Praz-el; Oct 27th, 2007 at 10:31 am. Reason: Update
Similar Threads
Reputation Points: 10
Solved Threads: 0
Newbie Poster
Praz-el is offline Offline
7 posts
since Oct 2007
Permalink
Oct 27th, 2007
0

Re: Smitfraud background

btw when I go to Desktop -Customize desktop then to the web tab I have nothing in web pages
Reputation Points: 10
Solved Threads: 0
Newbie Poster
Praz-el is offline Offline
7 posts
since Oct 2007
Permalink
Oct 27th, 2007
0

Re: Smitfraud background

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
Moderator
Featured Poster
Reputation Points: 1142
Solved Threads: 982
Most Valuable Poster
crunchie is online now Online
12,165 posts
since Feb 2004
Permalink
Oct 28th, 2007
0

Re: Smitfraud background

SmitFraudFix v2.242

Scan done at 8:49:57.82, Sun 10/28/2007
Run from C:\Documents and Settings\Praz-el\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Internet Explorer\winload.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Praz-el


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Praz-el\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Praz-el\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller - Packet Scheduler Miniport
DNS Server Search Order: 68.87.77.130
DNS Server Search Order: 68.87.72.130

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2419FEBF-DCE5-47A5-91C5-149501E3D88B}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2419FEBF-DCE5-47A5-91C5-149501E3D88B}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2419FEBF-DCE5-47A5-91C5-149501E3D88B}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
Reputation Points: 10
Solved Threads: 0
Newbie Poster
Praz-el is offline Offline
7 posts
since Oct 2007
Permalink
Oct 28th, 2007
0

Re: Smitfraud background

Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

C:\Program Files\Internet Explorer\winload.exe

==========

Download HijackThis from here. Download it to your desktop and NOT a temporary folder.
Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.
Moderator
Featured Poster
Reputation Points: 1142
Solved Threads: 982
Most Valuable Poster
crunchie is online now Online
12,165 posts
since Feb 2004
Permalink
Oct 28th, 2007
0

Re: Smitfraud background

Antivirus Version Last Update Result
AhnLab-V3 2007.10.27.0 2007.10.26 -
AntiVir 7.6.0.30 2007.10.26 TR/Delphi.Downloader.Gen
Authentium 4.93.8 2007.10.28 -
Avast 4.7.1074.0 2007.10.28 -
AVG 7.5.0.503 2007.10.28 -
BitDefender 7.2 2007.10.28 Trojan.Downloader.Delf.OBD
CAT-QuickHeal 9.00 2007.10.26 TrojanDownloader.Agent.elj
ClamAV 0.91.2 2007.10.28 -
DrWeb 4.44.0.09170 2007.10.28 -
eSafe 7.0.15.0 2007.10.28 -
eTrust-Vet 31.2.5244 2007.10.26 -
Ewido 4.0 2007.10.28 -
FileAdvisor 1 2007.10.28 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.3.2.48 2007.10.26 -
F-Secure 6.70.13030.0 2007.10.28 -
Ikarus T3.1.1.12 2007.10.28 Trojan-Downloader.Delf.OBD
Kaspersky 7.0.0.125 2007.10.28 Heur.Trojan.Generic
McAfee 5150 2007.10.26 -
Microsoft 1.2908 2007.10.28 -
NOD32v2 2621 2007.10.28 probably unknown NewHeur_PE virus
Norman 5.80.02 2007.10.26 -
Panda 9.0.0.4 2007.10.28 Suspicious file
Prevx1 V2 2007.10.28 TROJAN.DOWNLOADER.GEN
Rising 19.46.61.00 2007.10.28 -
Sophos 4.23.0 2007.10.28 -
Sunbelt 2.2.907.0 2007.10.27 -
Symantec 10 2007.10.28 -
TheHacker 6.2.9.110 2007.10.27 -
VBA32 3.12.2.4 2007.10.28 suspected of Win32.Trojan.Downloader (http://...)
VirusBuster 4.3.26:9 2007.10.28 -
Webwasher-Gateway 6.6.1 2007.10.28 Trojan.Delphi.Downloader.Gen
Additional information
File size: 94720 bytes
MD5: c5233a4187a9752152f1bb2360b2a37d
SHA1: 47ee3816e6c678132ca6374a516faf9dcc59dd9a

Scan taken on 28 Oct 2007 21:24:37 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Delphi.Downloader.Gen
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Downloader.Delf.OBD
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found Win32.Trojan.Downloader (http://...) (probable variant)

I have now deleted it
Last edited by Praz-el; Oct 28th, 2007 at 6:33 pm. Reason: Adding
Reputation Points: 10
Solved Threads: 0
Newbie Poster
Praz-el is offline Offline
7 posts
since Oct 2007
Permalink
Oct 29th, 2007
0

Re: Smitfraud background

Click to Expand / Collapse  Quote originally posted by crunchie ...
Download HijackThis from here. Download it to your desktop and NOT a temporary folder.
Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.
And this??
Moderator
Featured Poster
Reputation Points: 1142
Solved Threads: 982
Most Valuable Poster
crunchie is online now Online
12,165 posts
since Feb 2004
Permalink
Oct 31st, 2007
0

Re: Smitfraud background

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:19:33 PM, on 10/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Praz-el\Desktop\Highjack\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
F2 - REG:system.ini: Shell=Explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Flash Module - {C8A3B994-E27A-42f5-A053-C63799E621FB} - simcard1.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SysSFGE.exe] C:\WINDOWS\system32\SysSFGE.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [System32] C:\WINDOWS\system32\frmwrk.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - S-1-5-18 Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...50/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 4849 bytes
Reputation Points: 10
Solved Threads: 0
Newbie Poster
Praz-el is offline Offline
7 posts
since Oct 2007
Permalink
Oct 31st, 2007
0

Re: Smitfraud background

Thank you .

Download
SDFix
and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the
following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the
    Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract
    All    ,
  • Open the extracted folder and double click RunThis.bat to
    start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the
    registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer that normal to restart as the fixtool
    will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and
    display Finished, then press any key to end the script and load
    your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the
    contents of the results file Report.txt back onto the forum with
    a new HijackThis log
Moderator
Featured Poster
Reputation Points: 1142
Solved Threads: 982
Most Valuable Poster
crunchie is online now Online
12,165 posts
since Feb 2004
Permalink
Nov 1st, 2007
0

Re: Smitfraud background

SDFix: Version 1.113

Run by Praz-el on Thu 11/01/2007 at 02:16 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\Praz-el\Desktop\SDFix

Safe Mode:
Checking Services:

Name:
Driver

ImagePath:
\??\C:\WINDOWS\system32\frmwrk.sys

Driver - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\11.TMP - Deleted
C:\12.TMP - Deleted
C:\14.TMP - Deleted
C:\16.TMP - Deleted
C:\E.TMP - Deleted
C:\F.TMP - Deleted
C:\WINDOWS\SYSTEM32\CENTER.EXE - Deleted
C:\WINDOWS\dat.txt - Deleted
C:\WINDOWS\rs.txt - Deleted
C:\WINDOWS\system32\0_exception.nls - Deleted
C:\WINDOWS\system32\alert_icon.gif - Deleted
C:\WINDOWS\system32\b.gif - Deleted
C:\WINDOWS\system32\backtomsn.gif - Deleted
C:\WINDOWS\system32\backtomsn.jpg - Deleted
C:\WINDOWS\system32\classifields.gif - Deleted
C:\WINDOWS\system32\close_icon.gif - Deleted
C:\WINDOWS\system32\cmds.txt - Deleted
C:\WINDOWS\system32\conf.dat - Deleted
C:\WINDOWS\system32\cookie1.dat - Deleted
C:\WINDOWS\system32\down_arrow.gif - Deleted
C:\WINDOWS\system32\frmwrk.sys - Deleted
C:\WINDOWS\system32\google.htm - Deleted
C:\WINDOWS\system32\header_bg.gif - Deleted
C:\WINDOWS\system32\hf_en-US.js - Deleted
C:\WINDOWS\system32\home.htm - Deleted
C:\WINDOWS\system32\icon_warning.gif - Deleted
C:\WINDOWS\system32\images.gif - Deleted
C:\WINDOWS\system32\info.txt - Deleted
C:\WINDOWS\system32\jewel.png - Deleted
C:\WINDOWS\system32\l_sb.css - Deleted
C:\WINDOWS\system32\l_sb_c.js - Deleted
C:\WINDOWS\system32\ma_search_1.gif - Deleted
C:\WINDOWS\system32\maps.gif - Deleted
C:\WINDOWS\system32\more.gif - Deleted
C:\WINDOWS\system32\msn.htm - Deleted
C:\WINDOWS\system32\news.gif - Deleted
C:\WINDOWS\system32\passport.gif - Deleted
C:\WINDOWS\system32\ps1.dat - Deleted
C:\WINDOWS\system32\rc.dat - Deleted
C:\WINDOWS\system32\remove_spyware_button.gif - Deleted
C:\WINDOWS\system32\search.css - Deleted
C:\WINDOWS\system32\sec.htm - Deleted
C:\WINDOWS\system32\secuity_center_logo.gif - Deleted
C:\WINDOWS\system32\simcard1.dll - Deleted
C:\WINDOWS\system32\SrchBtn.gif - Deleted
C:\WINDOWS\system32\toolbar_bg.gif - Deleted
C:\WINDOWS\system32\toolbar_corner_left.gif - Deleted
C:\WINDOWS\system32\toolbar_corner_right.gif - Deleted
C:\WINDOWS\system32\warn.htm - Deleted
C:\WINDOWS\system32\web.gif - Deleted
C:\WINDOWS\system32\yahoo.htm - Deleted
C:\WINDOWS\system32\ysch_srp_gsp2_20070621.js - Deleted
C:\WINDOWS\system32\yschx_20070405.css - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1253 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-01 14:23:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\CAPCOM\\LOST_PLANET_TRIAL_DX9\\LostPlanetDX9.exe"="C:\\Program Files\\CAPCOM\\LOST_PLANET_TRIAL_DX9\\LostPlanetDX9.exeisabled:LostPlanetDX9"
"C:\\Program Files\\Codemasters\\Overlord\\Overlord.exe"="C:\\Program Files\\Codemasters\\Overlord\\Overlord.exe:Enabled:Overlord"
"C:\\Documents and Settings\\Praz-el\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\Praz-el\\Desktop\\utorrent.exe:Enabled:æTorrent"
"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:Enabledteam Client"
"C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\source sdk base\\hl2.exe"="C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\source sdk base\\hl2.exe:Enabled:hl2"
"C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\half-life 2 deathmatch\\hl2.exe"="C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\half-life 2 deathmatch\\hl2.exe:Enabled:hl2"
"C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\half-life 2\\hl2.exe"="C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\half-life 2\\hl2.exe:Enabled:hl2"
"C:\\Program Files\\Fury\\Binaries\\DiamondWare\\dwTVC.exe"="C:\\Program Files\\Fury\\Binaries\\DiamondWare\\dwTVC.exe:Enabled:dwTVC"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:Enabled:LimeWire"
"D:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="D:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:Enabled:Blizzard Downloader"
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe:Enabled:World in Conflict"
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe:Enabled:World in Conflict - Online Only"
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe:Enabled:World in Conflict - Dedicated Server"
"C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\garrysmod\\hl2.exe"="C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\garrysmod\\hl2.exe:Enabled:hl2"
"C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\team fortress 2\\hl2.exe"="C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\team fortress 2\\hl2.exe:Enabled:hl2"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:Enabledxpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\48393902ld.exe"="C:\\WINDOWS\\system32\\48393902ld.exe:Enabled:Enabled"
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe"="C:\\Program Files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe:Enabled:Crysis_32_sp_demo"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:enabledxpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:Enabledxpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\DOCUME~1\Praz-el\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes:

Thu 25 Oct 2007 16,954 ...HR --- "C:\WINDOWS\system32\win_4s.exe"
Sun 28 Oct 2007 4,579 ...HR --- "C:\Documents and Settings\Praz-el\Application Data\SecuROM\UserData\securom_v7_01.bak"

Finished!
Reputation Points: 10
Solved Threads: 0
Newbie Poster
Praz-el is offline Offline
7 posts
since Oct 2007

This thread is solved

Either the thread starter or a moderator has marked this thread as solved. You can most likely trust the responses and answers given. There is most likely no reason for any further responses to be posted here. If you have a related question, please start a new thread in this forum instead.

This thread is more than three months old

No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.
Message:
Previous Thread in Viruses, Spyware and other Nasties Forum Timeline: Pls help me smithfraud plss.....!!!
Next Thread in Viruses, Spyware and other Nasties Forum Timeline: IE7 Forbidden 403 Errors + More!





About Us | Contact Us | Advertise | Acceptable Use Policy
Forum Index | Build Custom RSS Feed


Follow us on Twitter


© 2011 DaniWeb® LLC