08-14-2008, 11:54 PM   #6
-Shirt
Registered User
Join Date: Aug 2008
Posts: 6
OS: Win XP


Re: Blue Desktop with spyware detected - appears to be Smitfraud?

Hi Ried,

Zapped the relevant folders; main.txt is below and extra.txt is attached (in case it's useful).

Thanks



Deckard's System Scanner v20071014.68
Run by Tom on 2008-08-15 06:48:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
9: 2008-08-15 05:48:22 UTC - RP1375 - Deckard's System Scanner Restore Point
8: 2008-08-14 05:33:23 UTC - RP1374 - System Checkpoint
7: 2008-08-12 22:10:29 UTC - RP1373 - Restore Operation
6: 2008-08-12 22:04:58 UTC - RP1372 - Restore Operation
5: 2008-08-12 21:05:17 UTC - RP1371 - After removal of worm/smitfraud/XPantivirus08/etc!


-- First Restore Point --
1: 2008-08-07 19:35:58 UTC - RP1367 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 86% (more than 75%).
System Drive H: has 3.6 GiB (less than 15%) free.


-- HijackThis (run as Tom.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:50:28, on 15/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Network Associates\Common Framework\FrameworkService.exe
H:\Program Files\Network Associates\VirusScan\Mcshield.exe
H:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
H:\WINDOWS\System32\nvsvc32.exe
H:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\MSI\Live Update 3\LMonitor.exe
H:\Program Files\D-Tools\daemon.exe
H:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
H:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
H:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\WINDOWS\system32\Rundll32.exe
H:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
H:\WINDOWS\system32\RUNDLL32.EXE
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\Program Files\MSI\3D!Turbo Experience\3D!Turbo.exe
H:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
H:\Documents and Settings\Tom\Desktop\dss.exe
H:\PROGRA~1\TRENDM~1\HIJACK~1\Tom.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vqtujiodkrrcwb.net/TfLrbs...g8k_ckKi8.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {C5FA80B2-6916-C4C1-1F63-760991C73CA3} - H:\DOCUME~1\Tom\APPLIC~1\FASTSE~1\First Htm.exe (file missing)
O4 - HKLM\..\Run: [NVCLOCK] Rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [LiveMonitor] H:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "H:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Each Less Mode Mp3] H:\Documents and Settings\All Users\Application Data\CashAtomEachLess\Jugstwo.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "H:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "H:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Bonemetaviewplan] H:\Documents and Settings\All Users\Application Data\GridPartBoneMeta\ForkWarn.exe
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "H:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus D78 Series] H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGE.EXE /FU "H:\WINDOWS\TEMP\E_S8B.tmp" /EF "HKLM"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mags up] H:\DOCUME~1\Tom\APPLIC~1\BINPUR~1\plan cool.exe
O4 - Global Startup: 3D!Turbo Experience.lnk = H:\Program Files\MSI\3D!Turbo Experience\3D!Turbo.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = H:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Copy to Semagic - H:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Semagic - H:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: h:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - H:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - H:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - H:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - H:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - H:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - H:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7512 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - H:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe,2
.js - JSFile - shell\open\command - "H:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1"
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 d346bus - h:\windows\system32\drivers\d346bus.sys
R0 d346prt - h:\windows\system32\drivers\d346prt.sys
R1 NaiAvTdi1 - h:\windows\system32\drivers\mvstdi5x.sys <Not Verified; Network Associates, Inc.; VirusScan (Enterprise, ASaP & Retail.)>
R3 EntDrv51 - h:\windows\system32\drivers\entdrv51.sys <Not Verified; Network Associates, Inc; Virus Scan Enterprise, Entercept>
R3 NaiAvFilter1 - h:\windows\system32\drivers\naiavf5x.sys <Not Verified; Network Associates, Inc.; VirusScan (Enterprise, ASaP & Retail.)>

S1 InCDPass - h:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - h:\windows\system32\drivers\incdrm.sys (file missing)
S3 CoachUsb (Dual Mode Digital Camera on USB) - h:\windows\system32\drivers\coachusb.sys <Not Verified; Accapella Ltd.; USB Driver for Digital Camera>
S3 Dual Mode (Dual Mode Video Capture) - h:\windows\system32\drivers\coachvc.sys <Not Verified; Accapella Ltd.; Video Capture Minidriver for Digital Camera>
S3 ENTECH - h:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 GMSIPCI - g:\install\gmsipci.sys (file missing)
S3 w800mdfl (Sony Ericsson W800 USB WMC Modem Filter) - h:\windows\system32\drivers\w800mdfl.sys <Not Verified; MCCI; Sony Ericsson W800 USB WMC Modem Filter Driver>
S3 w800mdm (Sony Ericsson W800 USB WMC Modem Drivers) - h:\windows\system32\drivers\w800mdm.sys <Not Verified; MCCI; Sony Ericsson W800 USB WMC Modem>
S3 w800mgmt (Sony Ericsson W800 USB WMC Device Management Drivers) - h:\windows\system32\drivers\w800mgmt.sys <Not Verified; MCCI; Sony Ericsson W800 USB WMC Device Management>
S3 w800obex (Sony Ericsson W800 USB WMC OBEX Interface Drivers) - h:\windows\system32\drivers\w800obex.sys <Not Verified; MCCI; Sony Ericsson W800 USB WMC OBEX Interface>
S4 InCDFs (InCD File System) - h:\windows\system32\drivers\incdfs.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 McAfeeFramework (McAfee Framework Service) - h:\program files\network associates\common framework\frameworkservice.exe /servicestart <Not Verified; Network Associates, Inc.; McAfee Common Framework>
R2 McTaskManager (Network Associates Task Manager) - "h:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {71A27CDD-812A-11D0-BEC7-08002BE2092F}
Description: Generic volume
Device ID: STORAGE\REMOVABLEMEDIA\7&23533C57&0&RM
Manufacturer: Microsoft
Name: Generic volume
PNP Device ID: STORAGE\REMOVABLEMEDIA\7&23533C57&0&RM
Service:

Class GUID: {71A27CDD-812A-11D0-BEC7-08002BE2092F}
Description: Generic volume
Device ID: STORAGE\REMOVABLEMEDIA\7&4628B9&0&RM
Manufacturer: Microsoft
Name: Generic volume
PNP Device ID: STORAGE\REMOVABLEMEDIA\7&4628B9&0&RM
Service:

Class GUID: {71A27CDD-812A-11D0-BEC7-08002BE2092F}
Description: Generic volume
Device ID: STORAGE\REMOVABLEMEDIA\7&22C50E9A&0&RM
Manufacturer: Microsoft
Name: Generic volume
PNP Device ID: STORAGE\REMOVABLEMEDIA\7&22C50E9A&0&RM
Service:

Class GUID: {71A27CDD-812A-11D0-BEC7-08002BE2092F}
Description: Generic volume
Device ID: STORAGE\REMOVABLEMEDIA\7&E1800B&0&RM
Manufacturer: Microsoft
Name: Generic volume
PNP Device ID: STORAGE\REMOVABLEMEDIA\7&E1800B&0&RM
Service:


-- Files created between 2008-07-15 and 2008-08-15 -----------------------------

2008-08-13 18:54:34 0 d-------- H:\Documents and Settings\Tom\.housecall6.6
2008-08-12 22:05:12 11534336 --a------ H:\Documents and Settings\Tom\ntuser.dat
2008-08-12 22:05:11 233472 --a------ H:\Documents and Settings\LocalService\ntuser.dat
2008-08-12 22:01:08 0 d-------- H:\Incoming
2008-08-12 17:09:29 0 d-------- H:\Documents and Settings\Tom\Application Data\Malwarebytes
2008-08-12 17:09:22 0 d-------- H:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-12 17:09:21 0 d-------- H:\Program Files\Malwarebytes' Anti-Malware
2008-08-11 06:28:35 0 d-------- H:\Program Files\Trend Micro
2008-08-10 21:39:07 0 d-------- H:\Program Files\Panda Security
2008-08-08 17:28:02 0 d-------- H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-08 17:26:24 0 d-------- H:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-08 1720 0 --a------ H:\WINDOWS\system32\drivers\Lor02.sys


-- Find3M Report ---------------------------------------------------------------

2008-08-08 17:26:26 0 d-------- H:\Program Files\Lavasoft
2008-08-08 17:25:41 0 d-------- H:\Program Files\Common Files
2008-07-11 20:13:16 0 d-------- H:\Program Files\Java
2008-07-05 00:01:22 0 d-------- H:\Documents and Settings\Tom\Application Data\Skype
2008-05-17 15:21:40 133120 --a------ H:\WINDOWS\system32\zip32.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5FA80B2-6916-C4C1-1F63-760991C73CA3}]
H:\DOCUME~1\Tom\APPLIC~1\FASTSE~1\First Htm.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVCLOCK"="nvclock.dll" [14/04/2003 02:59 H:\WINDOWS\system32\nvclock.dll]
"LiveMonitor"="H:\Program Files\MSI\Live Update 3\LMonitor.exe" [27/10/2003 15:16]
"DAEMON Tools-1033"="H:\Program Files\D-Tools\daemon.exe" [12/03/2004 22:43]
"Each Less Mode Mp3"="H:\Documents and Settings\All Users\Application Data\CashAtomEachLess\Jugstwo.exe" []
"McAfeeUpdaterUI"="H:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [18/09/2003 02:01]
"ShStatEXE"="H:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [18/08/2004 08:00]
"NvCplDaemon"="H:\WINDOWS\System32\NvCpl.dll" [24/09/2003 12:32]
"nwiz"="nwiz.exe" [24/09/2003 12:32 H:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="H:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27]
"Bonemetaviewplan"="H:\Documents and Settings\All Users\Application Data\GridPartBoneMeta\ForkWarn.exe" []
"iTunesHelper"="H:\Program Files\iTunes\iTunesHelper.exe" [23/02/2006 16:45]
"P17Helper"="P17.dll" [03/05/2005 20:38 H:\WINDOWS\system32\P17.dll]
"WMC_AutoUpdate"="" []
"NeroFilterCheck"="H:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 10:50]
"Adobe Photo Downloader"="H:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [07/06/2005 00:46]
"EPSON Stylus D78 Series"="H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGE.exe" [23/02/2006 05:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="H:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" []
"ctfmon.exe"="H:\WINDOWS\system32\ctfmon.exe" [04/08/2004 01:56]
"mags up"="H:\DOCUME~1\Tom\APPLIC~1\BINPUR~1\plan cool.exe" []

H:\Documents and Settings\All Users\Start Menu\Programs\Startup\
3D!Turbo Experience.lnk - H:\Program Files\MSI\3D!Turbo Experience\3D!Turbo.exe [26/07/2004 13:07:35]
Adobe Gamma Loader.lnk - H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [03/08/2004 17:45:56]
Adobe Reader Speed Launch.lnk - H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 22:05:26]
InterVideo WinCinema Manager.lnk - H:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [27/07/2004 13:33:35]
Microsoft Office.lnk - H:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 01:01:04]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - VGAUTI



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8972 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-15 06:52:56 ------------
Attached Files: extra.txt (22.2 KB)