Smitfraud-c.msvps

**guccijana** · #11 29th Jan 2008, 10:45

it found three more things..
A0008815.reg- path-system volume information-restore...
A0024567.reg- path-system volulme intormation-restore...
A0024586.exe- path-system volume information-restore..

**evilfantasy** · #12 29th Jan 2008, 10:46

System Restore Points.

We will flush those soon.

**guccijana** · #13 29th Jan 2008, 10:52

thats strange I didnt set any restore point--and last time remember we had the same problem they were always coming back when avast was scanning it..

found two more things-

GTDownDE_87.ocx (c/windows/system32
process.exe- (c/windows/system32

**evilfantasy** · #14 29th Jan 2008, 11:02

It should be about done now.

We will run another scan to be thorough.

**guccijana** · #15 29th Jan 2008, 11:05

it asked me "no operation performed with some objects on the list. exit program? yes? no?

**evilfantasy** · #16 29th Jan 2008, 11:11

Yes, then restart and post the log.

**guccijana** · #17 29th Jan 2008, 11:19

here is the log

cfd.exe;c:\program files\broadjump\client foundation;Adware.Cfd;Incurable.Deleted.;
RegUBP2b-Tatjana Blazevic.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
A0008815.reg;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP38;Trojan.StartPage.1505;Deleted.;
A0024567.reg;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP85;Trojan.StartPage.1505;Deleted.;
A0024586.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP85;Adware.Cfd;;
GTDownDE_87.ocx;C:\WINDOWS\SYSTEM32;Adware.Gdown;;
Process.exe;C:\WINDOWS\SYSTEM32;Tool.Prockill;;

**evilfantasy** · #18 29th Jan 2008, 11:23

Please download Combofix by sUBs from one of the below links.
(Try all three if necessary)

Important! Combofix.exe MUST be saved to and ran from the Desktop.

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
- Click this link to see a list of security programs that should be disabled and how to disable them.
- If yours is not listed and you don't know how to disable it, please ask.
Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
Double click combofix.exe & follow the prompts.
- From the keyboard select 1 and press Enter
When finished, it will produce a log for you.
Post that log in your next reply.

Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall

If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.

----------

**guccijana** · #19 29th Jan 2008, 11:45

here it the comodo

ComboFix 08-01-29.3 - Tatjana Blazevic 2008-01-29 13:38:48.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.620 [GMT -5:00]
Running from: C:\Documents and Settings\Tatjana Blazevic\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.

2008-01-29 11:38 . 2008-01-29 11:38 <DIR> d-------- C:\Documents and Settings\Tatjana Blazevic\DoctorWeb
2008-01-29 01:39 . 2008-01-29 13:14 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-12-31 00:04 . 2008-01-29 13:24 <DIR> d-------- C:\Documents and Settings\Tatjana Blazevic\Application Data\SiteAdvisor
2007-12-31 00:04 . 2007-12-31 00:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-30 23:45 . 2007-12-30 23:45 <DIR> d-------- C:\Documents and Settings\Tatjana Blazevic\Application Data\Talkback

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-01-29 05:20 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-01-19 17:31 --------- d-----w C:\Documents and Settings\Tatjana Blazevic\Application Data\Intuit
2008-01-19 17:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-19 17:26 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-01-19 17:10 --------- d-----w C:\Program Files\TurboTax
2008-01-07 05:29 --------- d-----w C:\Program Files\iTunes
2008-01-07 05:28 --------- d-----w C:\Program Files\iPod
2008-01-07 05:27 --------- d-----w C:\Program Files\QuickTime
2007-12-24 21:14 --------- d-----w C:\Documents and Settings\Tatjana Blazevic\Application Data\Canon
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\SYSTEM32\AvastSS.scr
2007-11-30 00:31 --------- d-----w C:\Program Files\Linksys EasyLink Advisor
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\lsasrv.dll
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2007-09-28 20:43 300 ----a-w C:\Documents and Settings\Tatjana Blazevic\SetPaths.bat
2007-09-28 20:43 3,560 ----a-w C:\Documents and Settings\Tatjana Blazevic\GetPaths.vbs
2007-06-12 00:01 25,600 ----a-w C:\Documents and Settings\Tatjana Blazevic\usbsermptxp.sys
2007-06-12 00:01 22,768 ----a-w C:\Documents and Settings\Tatjana Blazevic\usbsermpt.sys
2006-07-26 00:27 2,942,976 ----a-w C:\Program Files\WacomTablet_496-7a.exe
2006-07-07 02:22 228,928 ------w C:\Program Files\k9-webprotection.exe
2006-07-06 04:49 7,048 ----a-w C:\Documents and Settings\All Users\Application Data\ypinfo.bin
2006-07-06 04:24 1,879,115 ------w C:\Program Files\webfilter.exe
2006-06-20 07:53 5,588,680 ------w C:\Program Files\FirefoxGoogleToolbarSetup.exe
2006-06-02 14:11 2,464,760 ------w C:\Program Files\Install_step1.rm
2006-05-27 17:49 8,771,968 ------w C:\Program Files\WebRooth-sspsetup1_1869552083.exe
2006-05-26 17:58 8,771,968 ------w C:\Program Files\SpySweeper-sspsetup1_34286.exe
2006-02-04 01:03 3,992,565 ------w C:\Program Files\Matroska.exe
2006-02-04 01:00 3,992,565 ------w C:\Program Files\Matroska_Pack_Full_v1.1.2.exe
2005-09-14 01:47 304,728 ------w C:\Program Files\netscape2.exe
2005-09-02 22:21 643,424 ------w C:\Program Files\Malicousdetectersoftware.exe
2005-09-02 20:03 431,168 ------w C:\Program Files\ysftcntr_current.exe
2005-07-27 15:10 1,163,643 ------w C:\Program Files\wrar342.exe
2005-07-18 03:20 3,384,315 ------w C:\Program Files\ffdshow-20050312[www.free-codecs.com].zip
2005-07-13 05:46 565,428 ----a-w C:\Program Files\CounterSpy 1.0.29.exe
2005-06-16 15:18 7,770,432 ------w C:\Program Files\DivXPlay.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" [2005-08-15 15:24 3092480]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 13:06 1318912]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 18:16 454784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 12:16 135168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 12:52 339968]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12 221184]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43 57344]
"P17Helper"="P17.dll" [2004-06-10 11:51 60928 C:\WINDOWS\SYSTEM32\P17.dll]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 20:15 290816]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 18:19 57344]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01 110592]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 01:05 122939]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.ex e" [2003-12-09 14:02 57344]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdl r.exe" [2003-08-08 17:02 122880]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 00:18 57344]
"ClubBox"="" []
"EPSON Stylus Photo R340 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\ 3\E_FATIAJA.exe" [2005-04-26 03:00 98304]
"avast!"="C:\PROGRA~1\AVAST4~1\Avast4\ashDisp. exe" [2007-12-04 08:00 79224]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2004-10-28 19:43:18 209016]
TabUserW.exe.lnk - C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe [2007-09-04 22:10:02 114688]

[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 04:47]
R2 CIFPLogAggregator;CIFPLogAggregator;C:\Program Files\CIFPFiltering\CIFPLogAggregator.exe [2006-06-22 08:35]
R2 CyclopeInternetFilter;CyclopeInternetFilter;C:\Pro gram Files\CIFPFiltering\FilterService.exe [2006-05-31 07:56]
R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2005-07-17 13:07]
S3 cvspydr2;ColorVision Spyder 2;C:\WINDOWS\system32\DRIVERS\cvspydr2.sys [2002-04-02 15:30]
S3 NOWMEMDF;NOWMEMDF;C:\WINDOWS\system32\NOWMEMDF.sys [2005-11-01 21:23]
S3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilte r.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{534b146a-a3bb-11d9-828e-00038a000015}]
\Shell\AutoRun\command - L:\JDSecure\Windows\JDSecure31.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-24 04:20:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-26 08:00:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DCW9RX51-Tatjana Blazevic).job"
- c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
"2008-01-29 18:41:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DCW9RX51-Tatjana Blazevic).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.ex
- C:\PROGRA~1\mcafee.com\agent
.
************************************************** ************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 13:41:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
Completion time: 2008-01-29 13:41:37
.
2008-01-23 04:03:16 --- E O F ---

**evilfantasy** · #20 29th Jan 2008, 11:57

I edited the log to show inline.

See the WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

We need to fix that.We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Choose Windows XP SP2 (SP2)

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Thanks to Bleeping Computer for the guide.

Next post add the
CF_RC.txt <<Just copy and paste it.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Smitfraud-C He does not want to die!!!	PlatSpin	Virus, Spyware & Security	13	19th Aug 2008 10:24
Smitfraud Virus	PK28	Virus, Spyware & Security	12	5th Feb 2008 16:17
Smitfraudfix.exe - Smitfraud-C.Toolbar888	Hybr!d	Virus, Spyware & Security	1	29th Oct 2007 11:02
Zlob, smitfraud, pop ups, red wallpaper changes	guccijana	Virus, Spyware & Security	20	30th Sep 2007 20:26