#1
Registered User
Join Date: Apr 2007
Posts: 54
OS: xp
Smitfraud-C
Hello, my problem here is I double-clicked on this keygen.exe and some kind of malware or spyware infected my computer. My computer keeps popping up ads, is very slow, and freezes at times. I have followed the 5 step method but am unable to complete step 3 as it keeps giving me error messages. So far Ad-Aware and SpyBot got rid of all they could find and I was able to get rid of a file called rpcc.dll. Then I thought I had got rid of it but a new smitfraud-c popped into SpyBot. In this stage I decided to go with HijackThis but I need help reading the logs.
Many thanks in advance, Chewy

Here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 10:17:10 PM, on 4/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by119w.bay119.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/.../GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1138764468335
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../Installer.exe
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames...l.cab42858.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10...y.cab41227.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/def...ploader_v6.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/a...pv2.0.0.9.cab?
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - (no CLSID) - (no file)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

thanx again chewy
#2
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,345
OS: xp
Re: Smitfraud-C
Hi chewy
Download Deckard's System Scanner (DSS) to your Desktop.
Note: You must be logged onto an account with administrator privileges.
#3
Registered User
Join Date: Apr 2007
Posts: 54
OS: xp
Re: Smitfraud-C
I downloaded and ran DSS and this is what I got after about 4% completion:

AutoIt Error
Line 0 (File "C:\Documents and setting\owner\desktop\dss.exe"):
Local $res = $objSR.CreateRestorePoint($ProgName & "Restore Point", 12 , 100)
Local $res = $objSR.CreateRestorePoint($ProgName & "Restore Point", 12 , 100)^error
Error: The requested action with this object failed

This is what I meant about not being able to complete the 5 step method; for some reason I cannot run the DSS scan. thanx
#4
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,345
OS: xp
Re: Smitfraud-C
Do a file search for framedyn.dll and tell me where it is located; there should be more than one present.

Please run Deckard's System Scanner again, this time using these instructions:
Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK:
"%userprofile%\desktop\dss.exe" /config
Check all the boxes except [ ] system restore and [ ] hosts file.
Click Scan!
When finished, it shall produce a log for you. Post that log in your next reply and attach extra.txt.
#5
Registered User
Join Date: Apr 2007
Posts: 54
OS: xp
Re: Smitfraud-C
I looked up the file and there was only 1 located in the following, c:\windows\system32\wbem.
Also when i ran dss i also recieved the following error message: An unexpected error has occurred at procedure: modMain_CheckOther1Item() Error #75 - Path/File access error Please email me at merijn@spywareinfo.com, reporting the following: * What you were trying to fix when the error occurred, if applicable * How you can reproduce the error * A complete HijackThis scan log, if possible Windows version: Windows NT 5.01.2600 MSIE version: 7.0.5730.11 HijackThis version: 1.99.1 This message has been copied to your clipboard. Click OK to continue the rest of the scan. Here is the result of my dss scan Deckard's System Scanner v20070411.38 Run by Owner on 2007-04-23 at 00:02:02 Computer is in Normal Mode. -------------------------------------------------------------------------------- Performed disk cleanup. -- HijackThis (run as Owner.exe) ----------------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 12:03:10 AM, on 4/23/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16414) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\Documents and Settings\Owner\desktop\dss.exe C:\DOCUME~1\Owner\Desktop\Owner.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet 
Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\rystqwnv.dll O2 - BHO: (no name) - {1D531771-1AD5-4F27-87A2-6980501F9703} - C:\WINDOWS\system32\wvuvusp.dll O2 - BHO: (no name) - {6152ADF1-1DB6-450B-B22E-6576EAA61E1F} - C:\WINDOWS\system32\sstts.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file) O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll O9 - 
Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by119w.bay119.mail.live.com/m...s/MsnPUpld.cab O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/.../GAME_UNO1.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1138764468335 O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../Installer.exe O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames...l.cab42858.cab O16 - DPF: 
{DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10...y.cab41227.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/def...ploader_v6.cab O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/a...pv2.0.0.9.cab? O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Filter: text/html - (no CLSID) - (no file) O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: sstts - C:\WINDOWS\system32\sstts.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O20 - Winlogon Notify: wvuvusp - C:\WINDOWS\SYSTEM32\wvuvusp.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: lxbt_device - Lexmark International, Inc. 
- C:\WINDOWS\system32\lxbtcoms.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- File Associations ----------------------------------------------------------- All associations okay. -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- All drivers whitelisted. -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- All services whitelisted. 
-- Scheduled Tasks ------------------------------------------------------------- 2007-04-20 22:40:50 530 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job<NORTON~1.JOB> -- Files created between 2007-03-23 and 2007-04-23 ----------------------------- 2007-04-22 15:41:52 123972 --a------ C:\WINDOWS\system32\mychnvtw.dll 2007-04-22 13:26:10 123972 --a------ C:\WINDOWS\system32\rvdmuoiw.dll 2007-04-22 10:12:57 123972 --a------ C:\WINDOWS\system32\impohexx.dll 2007-04-22 10:12:43 857333 ---hs---- C:\WINDOWS\system32\sttss.bak2<STTSS~2.BAK> 2007-04-22 07:29:36 123972 --a------ C:\WINDOWS\system32\gttmftat.dll 2007-04-21 21:45:58 854916 ---hs---- C:\WINDOWS\system32\sttss.bak1<STTSS~1.BAK> 2007-04-21 21:45:58 123972 --a------ C:\WINDOWS\system32\mtevfram.dll 2007-04-21 21:42:45 281172 ---hs---- C:\WINDOWS\system32\sstts.dll 2007-04-21 02:31:02 123972 --a------ C:\WINDOWS\system32\multeuji.dll 2007-04-21 02:27:51 123972 --a------ C:\WINDOWS\system32\ussyqarp.dll 2007-04-20 22:47:49 123972 --a------ C:\WINDOWS\system32\qminatth.dll 2007-04-20 16:14:50 123972 --a------ C:\WINDOWS\system32\lefeiock.dll 2007-04-19 16:11:46 123972 --a------ C:\WINDOWS\system32\vobymhuw.dll 2007-04-18 16:08:46 123972 --a------ C:\WINDOWS\system32\msfxejbc.dll 2007-04-18 16:08:42 49204 --a------ C:\WINDOWS\system32\rystqwnv.dll 2007-04-17 16:05:39 123972 --a------ C:\WINDOWS\system32\iurejtnh.dll 2007-04-17 01:05:17 76412 --a------ C:\WINDOWS\system32\bunornmj.dll 2007-04-17 01:04:38 123972 --a------ C:\WINDOWS\system32\aspdqkpr.dll 2007-04-16 23:22:25 76412 --a------ C:\WINDOWS\system32\fqllllrg.dll 2007-04-16 22:46:09 123972 --a------ C:\WINDOWS\system32\mhypubwb.dll 2007-04-16 22:04:56 0 d-------- C:\_backupD 2007-04-16 21:59:25 16384 --a------ C:\WINDOWS\system32\restart.exe 2007-04-16 21:59:25 0 d-------- C:\WINDOWS\system32\regdacl 2007-04-16 21:59:25 90112 --a------ C:\WINDOWS\system32\regdacl.exe 2007-04-16 21:59:25 4096 --a------ 
C:\WINDOWS\system32\reboot.exe 2007-04-16 21:55:26 79360 --a------ C:\WINDOWS\system32\swxcacls.exe 2007-04-16 21:55:26 40960 --a------ C:\WINDOWS\system32\swsc.exe 2007-04-16 21:55:26 42496 --a------ C:\WINDOWS\system32\swreg.exe 2007-04-16 21:55:26 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe 2007-04-16 21:55:26 53248 --a------ C:\WINDOWS\system32\Process.exe 2007-04-16 21:55:26 51200 --a------ C:\WINDOWS\system32\dumphive.exe 2007-04-16 21:48:37 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-04-15 16:14:38 31232 --a------ C:\WINDOWS\system32\14373282ld.exe<143732~1.EXE> 2007-04-15 15:54:33 31232 --a------ C:\WINDOWS\system32\54325462ld.exe<543254~1.EXE> 2007-04-15 15:34:29 31232 --a------ C:\WINDOWS\system32\3428312ld.exe<342831~1.EXE> 2007-04-15 15:14:24 31232 --a------ C:\WINDOWS\system32\14236872ld.exe<142368~1.EXE> 2007-04-15 14:54:20 31232 --a------ C:\WINDOWS\system32\54192812ld.exe<541928~1.EXE> 2007-04-15 14:34:15 31232 --a------ C:\WINDOWS\system32\34148282ld.exe<341482~1.EXE> 2007-04-15 14:14:11 31232 --a------ C:\WINDOWS\system32\14105622ld.exe<141056~1.EXE> 2007-04-15 13:54:07 31232 --a------ C:\WINDOWS\system32\5463592ld.exe<546359~1.EXE> 2007-04-15 13:34:02 31232 --a------ C:\WINDOWS\system32\342932ld.exe 2007-04-15 13:13:58 31232 --a------ C:\WINDOWS\system32\13578592ld.exe<135785~1.EXE> 2007-04-15 12:53:54 31232 --a------ C:\WINDOWS\system32\53538432ld.exe<535384~1.EXE> 2007-04-15 12:33:50 31232 --a------ C:\WINDOWS\system32\33468432ld.exe<334684~1.EXE> 2007-04-15 12:13:40 31232 --a------ C:\WINDOWS\system32\13399062ld.exe<133990~1.EXE> 2007-04-15 11:53:36 31232 --a------ C:\WINDOWS\system32\53357032ld.exe<533570~1.EXE> 2007-04-15 11:33:32 31232 --a------ C:\WINDOWS\system32\33314062ld.exe<333140~1.EXE> 2007-04-15 11:13:28 31232 --a------ C:\WINDOWS\system32\13274062ld.exe<132740~1.EXE> 2007-04-15 10:53:24 31232 --a------ C:\WINDOWS\system32\53232182ld.exe<532321~1.EXE> 2007-04-15 10:33:19 31232 --a------ 
C:\WINDOWS\system32\33188282ld.exe<331882~1.EXE> 2007-04-15 10:13:15 31232 --a------ C:\WINDOWS\system32\13147962ld.exe<131479~1.EXE> 2007-04-15 09:53:11 31232 --a------ C:\WINDOWS\system32\53107812ld.exe<531078~1.EXE> 2007-04-15 09:33:07 31232 --a------ C:\WINDOWS\system32\3369062ld.exe<336906~1.EXE> 2007-04-15 09:13:03 31232 --a------ C:\WINDOWS\system32\1328902ld.exe<132890~1.EXE> 2007-04-15 08:52:59 31232 --a------ C:\WINDOWS\system32\52587652ld.exe<525876~1.EXE> 2007-04-15 08:32:55 31232 --a------ C:\WINDOWS\system32\32548592ld.exe<325485~1.EXE> 2007-04-15 08:12:51 31232 --a------ C:\WINDOWS\system32\12505462ld.exe<125054~1.EXE> 2007-04-15 00:56:36 0 d-------- C:\Program Files\Lavasoft 2007-04-15 00:55:30 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1> 2007-04-14 23:11:17 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys 2007-04-14 23:07:46 0 d-------- C:\Documents and Settings\Owner\.housecall6.6<HOUSEC~1.6> 2007-04-14 09:29:38 0 d-------- C:\Program Files\Spyware Doctor<SPYWAR~1> 2007-04-14 09:29:28 626688 --a------ C:\WINDOWS\system32\msvcr80.dll 2007-04-13 19:47:01 0 d-------- C:\DVDFabDecrypter_Temp<DVDFAB~1> 2007-04-13 10:09:51 123972 --a------ C:\WINDOWS\system32\vmxorjgl.dll 2007-04-12 10:09:46 123972 --a------ C:\WINDOWS\system32\tsekyyge.dll 2007-04-12 10:04:17 26694 --a------ C:\WINDOWS\system32\wvuvusp.dll 2007-04-12 09:54:19 76288 --a------ C:\WINDOWS\system32\uniime.dll 2007-04-12 09:54:12 811064 --a------ C:\WINDOWS\system32\imjp81k.dll 2007-04-12 09:54:09 8192 --a------ C:\WINDOWS\system32\kbdkor.dll 2007-04-12 09:54:09 8704 --a------ C:\WINDOWS\system32\kbdjpn.dll 2007-04-12 09:54:09 6144 --a------ C:\WINDOWS\system32\kbd106.dll 2007-04-12 09:54:09 5632 --a------ C:\WINDOWS\system32\kbd103.dll 2007-04-12 09:54:08 6144 --a------ C:\WINDOWS\system32\kbd101c.dll 2007-04-12 09:54:05 6144 --a------ C:\WINDOWS\system32\kbd101b.dll 2007-04-12 03:00:59 0 d-------- C:\Program Files\MSXML 4.0<MSXML4~1.0> 2007-04-11 
00:03:53 0 d-------- C:\Program Files\Nero 2007-04-11 00:03:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero -- Find3M Report --------------------------------------------------------------- 2007-04-22 22:19:49 0 d-------- C:\Program Files\eMule 2007-04-22 21:26:29 0 d-------- C:\Program Files\Lx_cats 2007-04-21 03:05:17 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe 2007-04-21 03:04:35 0 d-------- C:\Program Files\Common Files\Adobe 2007-04-16 23:03:04 0 d-------- C:\Program Files\WinAce 2007-04-15 00:57:11 0 d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft 2007-04-14 10:02:25 0 d-------- C:\Program Files\Symantec 2007-04-13 19:47:48 0 d-------- C:\Program Files\DVDFab Decrypter 3<DVDFAB~2> 2007-04-13 19:40:50 0 d-------- C:\Documents and Settings\Owner\Application Data\Vso 2007-04-12 10:42:03 0 d-------- C:\Program Files\Winamp 2007-04-11 11:58:10 0 d-------- C:\Documents and Settings\Owner\Application Data\Ahead 2007-04-11 00 27 0 d-------- C:\Program Files\Common Files\Ahead2007-04-10 23:35:38 34 --a----c- C:\Documents and Settings\Owner\Application Data\pcouffin.log 2007-04-10 23:35:32 47360 --a----c- C:\Documents and Settings\Owner\Application Data\pcouffin.sys 2007-04-10 23:35:32 1144 --a----c- C:\Documents and Settings\Owner\Application Data\pcouffin.inf 2007-04-10 23:35:32 1074 --a----c- C:\Documents and Settings\Owner\Application Data\pcouffin.cat 2007-04-10 23:35:32 87608 --a----c- C:\Documents and Settings\Owner\Application Data\ezpinst.exe 2007-04-10 23:35:28 0 d-------- C:\Program Files\vso 2007-04-10 14:31:38 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1> 2007-03-17 08:43:01 292864 --a------ C:\WINDOWS\system32\winsrv.dll 2007-03-14 19:27:58 972336 --a------ C:\WINDOWS\UNRecode.exe 2007-03-14 19:19:56 95864 --a------ C:\WINDOWS\system32\NeroCo.dll 2007-03-14 19:19:26 972336 --a------ C:\WINDOWS\UNNeroBackItUp.exe<UNNERO~2.EXE> 2007-03-12 13:51:08 972336 --a------ 
C:\WINDOWS\UNNeroMediaHome.exe<UNNERO~4.EXE> 2007-03-08 10:36:28 577536 --a------ C:\WINDOWS\system32\user32.dll 2007-03-08 10:36:28 40960 --a------ C:\WINDOWS\system32\mf3216.dll 2007-03-08 10:36:28 281600 --a------ C:\WINDOWS\system32\gdi32.dll 2007-03-08 08:47:48 1843584 --a------ C:\WINDOWS\system32\win32k.sys 2007-03-01 12:15:52 0 d-------- C:\Program Files\AC3Filter<AC3FIL~1> 2007-02-28 20:53:50 972336 --a------ C:\WINDOWS\UNNeroVision.exe<UNNERO~1.EXE> 2007-02-28 15:41:02 972336 --a------ C:\WINDOWS\UNNeroShowTime.exe<UNNERO~3.EXE> 2007-02-17 01:16:43 9 --a----c- C:\WINDOWS\winxfigt.sys 2007-02-05 15:17:02 185344 --a------ C:\WINDOWS\system32\upnphost.dll -- Registry Dump --------------------------------------------------------------- [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" "msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\not active] "MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\mnyexpr.exe\"" "SweetIM"="C:\\Program Files\\Macrogaming\\SweetIM\\SweetIM.exe" "Ashampoo PopUpBlocker"="C:\\PROGRA~1\\Ashampoo\\ASHAMP~1\\PopUpKiller.exe" "Ashampoo WinOptimizer Platinum 3 TaskPlaner"="\"C:\\PROGRA~1\\Ashampoo\\ASHAMP~1\\TASKPL~1.EXE\" -TRAY" "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" "msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized" "LXBTCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXBTtime.dll,_RunDLLEntry@16" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\not active] "IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe" "HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe" "Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE" "Windows Defender"="\"C:\\Program Files\\Windows 
Defender\\MSASCui.exe\" -hide" "Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\"" "REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN" "Lexmark 5200 series"="\"C:\\Program Files\\Lexmark 5200 series\\lxbtbmgr.exe\"" "snpstd"="C:\\WINDOWS\\vsnpstd.exe" "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe" "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\"" "New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s" "NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe" "NWEReboot"="" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe" "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized" "KernelFaultCheck"="%systemroot%\\system32\\dumprep 0 -k" "LXBTCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXBTtime.dll,_RunDLLEntry@16" "PrintDrive"="rundll32.exe \"C:\\WINDOWS\\system32\\wuelxtjj.dll\",setvm" "tcpipmon"="tcpipmon.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{1D531771-1AD5-4F27-87A2-6980501F9703}"="" "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload] "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] 
"DisableRegistryTools"=dword:00000000 HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstts HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuvusp [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 p2psvc REG_MULTI_SZ p2psvc\0p2pimsvc\0p2pgasvc\0PNRPSvc\0\0 WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0 [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D] Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480 [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b4aaf261-33ca-11d9-acb9-806d6172696f}] Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480 -- End of Deckard's System Scanner: finished at 2007-04-23 at 00:05:30 --------- |
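What the analysts in this thread read by eye in the DSS output above (and in the HijackThis log in post #1) is a handful of patterns: "(no name)" BHOs and Winlogon Notify entries pointing at DLLs that appeared in system32 days ago, hidden+system files in system32, and runs of same-size files with random names created at regular intervals. The script below is an added example, not a tool from this forum or from the DSS/HijackThis authors, that applies those checks mechanically to log lines of the same shape. The sample is a constructed excerpt of lines copied from the post; the KNOWN_NOTIFY allowlist is an assumption (Windows XP's own notify packages plus the two vendor entries seen here) and should be rebuilt from a known-clean machine rather than from the machine being examined.

```python
import re
from collections import defaultdict

# Constructed sample: log lines copied from the DSS/HijackThis output posted in
# this thread (O2 BHOs, O20 Winlogon Notify, and "Files created" entries).
# It is a hand-picked excerpt, not the full log.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\rystqwnv.dll
O2 - BHO: (no name) - {1D531771-1AD5-4F27-87A2-6980501F9703} - C:\WINDOWS\system32\wvuvusp.dll
O2 - BHO: (no name) - {6152ADF1-1DB6-450B-B22E-6576EAA61E1F} - C:\WINDOWS\system32\sstts.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: sstts - C:\WINDOWS\system32\sstts.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvuvusp - C:\WINDOWS\SYSTEM32\wvuvusp.dll
2007-04-22 15:41:52 123972 --a------ C:\WINDOWS\system32\mychnvtw.dll
2007-04-22 13:26:10 123972 --a------ C:\WINDOWS\system32\rvdmuoiw.dll
2007-04-22 10:12:57 123972 --a------ C:\WINDOWS\system32\impohexx.dll
2007-04-21 21:42:45 281172 ---hs---- C:\WINDOWS\system32\sstts.dll
2007-04-15 16:14:38 31232 --a------ C:\WINDOWS\system32\14373282ld.exe<143732~1.EXE>
2007-04-15 15:54:33 31232 --a------ C:\WINDOWS\system32\54325462ld.exe<543254~1.EXE>
2007-04-15 15:34:29 31232 --a------ C:\WINDOWS\system32\3428312ld.exe<342831~1.EXE>
2007-04-15 00:56:36 0 d-------- C:\Program Files\Lavasoft
"""

# Winlogon Notify packages that ship with Windows XP, plus the two vendor ones
# seen in this log. Assumed starting allowlist: rebuild it from a known-clean
# machine, never from the machine under investigation.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule", "sclgntfy",
    "SensLogn", "termsrv", "wlballoon", "igfxcui", "WgaLogon",
}

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
# DSS "Files created" line: timestamp, size, attribute string, path, optional <8.3 name>
FILE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<attrs>\S+) (?P<path>.+?)(?:<[^>]*>)?$"
)
# 7-8 lowercase letters with no vendor prefix: the naming style of the dropped DLLs
RANDOM_STEM = re.compile(r"^[a-z]{7,8}$")


def in_system32(path):
    return "\\system32\\" in path.lower()


def file_stem(path):
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def file_ext(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage(log_text, min_cluster=3):
    """Return a dict of findings from DSS/HijackThis-style log lines."""
    findings = {
        "orphan_bho": [],       # BHO CLSIDs whose DLL is gone ("(no file)")
        "unnamed_bho": [],      # "(no name)" BHOs loading from system32
        "unknown_notify": [],   # Winlogon Notify keys not on the allowlist
        "hidden_system32": [],  # hidden+system files sitting in system32
        "random_names": [],     # system32 files with random-looking stems
        "size_clusters": {},    # (size, ext) -> files: the dropper pattern
    }
    by_size = defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            if m["path"] == "(no file)":
                findings["orphan_bho"].append(m["clsid"])
            elif m["name"] == "(no name)" and in_system32(m["path"]):
                findings["unnamed_bho"].append(m["path"])
            continue
        m = NOTIFY_RE.match(line)
        if m:
            if m["key"] not in KNOWN_NOTIFY:
                findings["unknown_notify"].append((m["key"], m["path"]))
            continue
        m = FILE_RE.match(line)
        # Skip directories and anything outside system32
        if not m or m["attrs"].startswith("d") or not in_system32(m["path"]):
            continue
        path, attrs = m["path"], m["attrs"]
        if "h" in attrs and "s" in attrs:
            findings["hidden_system32"].append(path)
        if RANDOM_STEM.match(file_stem(path)):
            findings["random_names"].append(path)
        by_size[(int(m["size"]), file_ext(path))].add(path)
    # Several distinct files of identical size and type in system32 is the
    # signature of one dropper writing the same payload under new names.
    for key, paths in by_size.items():
        if len(paths) >= min_cluster:
            findings["size_clusters"][key] = sorted(paths)
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"== {category} ==")
        for entry in (items.items() if isinstance(items, dict) else items):
            print("  ", entry)
```

The output is a triage list for an analyst, not a fix list: every hit here is a candidate for the "please post the log, do NOT fix anything yet" review that the moderator asks for, and the allowlist and size threshold are the two knobs that decide how noisy it is on a given machine.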
#6
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,345
OS: xp
Re: Smitfraud-C
Thanks
Post a ComboFix log
1. Download this file - combofix.exe
http://www.techsupportforum.com/sect...s/ComboFix.exe
alternate link
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If the log is large you might need to post half in one reply, half in another.
==============
Post a HijackThis 1.99.1 log
First make a new folder, example C:\AntiSpyWare, and download/save HijackThis to that new folder. This is necessary to ensure you have backups should anything go wrong.
http://www.merijn.org/files/HijackThis.exe
Double click HijackThis.exe, hit "None of the above, just start the program".
Hit Scan.
When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log somewhere, and please show us its contents.
Most of what it lists will be harmless or even required, so do NOT fix anything yet.
#7
Registered User
Join Date: Apr 2007
Posts: 54
OS: xp
Re: Smitfraud-C
Here is the combo fix log

"Owner" - 07-04-23 16:49:26 Service Pack 2
ComboFix 07-04-22.6V - Running from: "C:\Documents and Settings\Owner\Desktop\"

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\aspdqkpr.dll
C:\WINDOWS\system32\gttmftat.dll
C:\WINDOWS\system32\hhqlwset.dll
C:\WINDOWS\system32\impohexx.dll
C:\WINDOWS\system32\iurejtnh.dll
C:\WINDOWS\system32\lefeiock.dll
C:\WINDOWS\system32\mhypubwb.dll
C:\WINDOWS\system32\msfxejbc.dll
C:\WINDOWS\system32\mtevfram.dll
C:\WINDOWS\system32\multeuji.dll
C:\WINDOWS\system32\mychnvtw.dll
C:\WINDOWS\system32\qminatth.dll
C:\WINDOWS\system32\rvdmuoiw.dll
C:\WINDOWS\system32\tsekyyge.dll
C:\WINDOWS\system32\ussyqarp.dll
C:\WINDOWS\system32\vmxorjgl.dll
C:\WINDOWS\system32\vobymhuw.dll
C:\WINDOWS\system32\ypqespsg.dll
C:\WINDOWS\system32\bunornmj.dll
C:\WINDOWS\system32\fqllllrg.dll
C:\WINDOWS\system32\rystqwnv.dll
C:\WINDOWS\system32\sttss.bak1
C:\WINDOWS\system32\sttss.bak2
C:\WINDOWS\system32\sttss.ini
C:\WINDOWS\system32\sttss.ini2
C:\WINDOWS\system32\sttss.tmp
C:\WINDOWS\system32\sstts.dll
C:\WINDOWS\system32\wvuvusp.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\NDNuninstall7_48.exe
C:\DOCUME~1\Owner\Desktop\internet.lnk

((((((((((((((((((((((((((((((( Files Created from 2007-03-23 to 2007-04-23 ))))))))))))))))))))))))))))))))))

2007-04-17 21:16 <DIR> d-------- C:\Deckard
2007-04-16 22:04 <DIR> d-------- C:\_backupD
2007-04-16 21:59 90,112 --a------ C:\WINDOWS\system32\regdacl.exe
2007-04-16 21:59 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2007-04-16 21:59 16,384 --a------ C:\WINDOWS\system32\restart.exe
2007-04-16 21:59 <DIR> d-------- C:\WINDOWS\system32\regdacl
2007-04-16 21:55 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-04-16 21:55 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-04-16 21:55 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-04-16 21:48 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-15 16:14 31,232 --a------ C:\WINDOWS\system32\14373282ld.exe
2007-04-15 15:54 31,232 --a------ C:\WINDOWS\system32\54325462ld.exe
2007-04-15 15:34 31,232 --a------ C:\WINDOWS\system32\3428312ld.exe
2007-04-15 15:14 31,232 --a------ C:\WINDOWS\system32\14236872ld.exe
2007-04-15 14:54 31,232 --a------ C:\WINDOWS\system32\54192812ld.exe
2007-04-15 14:34 31,232 --a------ C:\WINDOWS\system32\34148282ld.exe
2007-04-15 14:14 31,232 --a------ C:\WINDOWS\system32\14105622ld.exe
2007-04-15 13:54 31,232 --a------ C:\WINDOWS\system32\5463592ld.exe
2007-04-15 13:34 31,232 --a------ C:\WINDOWS\system32\342932ld.exe
2007-04-15 13:13 31,232 --a------ C:\WINDOWS\system32\13578592ld.exe
2007-04-15 12:53 31,232 --a------ C:\WINDOWS\system32\53538432ld.exe
2007-04-15 12:33 31,232 --a------ C:\WINDOWS\system32\33468432ld.exe
2007-04-15 12:13 31,232 --a------ C:\WINDOWS\system32\13399062ld.exe
2007-04-15 11:53 31,232 --a------ C:\WINDOWS\system32\53357032ld.exe
2007-04-15 11:33 31,232 --a------ C:\WINDOWS\system32\33314062ld.exe
2007-04-15 11:13 31,232 --a------ C:\WINDOWS\system32\13274062ld.exe
2007-04-15 10:53 31,232 --a------ C:\WINDOWS\system32\53232182ld.exe
2007-04-15 10:33 31,232 --a------ C:\WINDOWS\system32\33188282ld.exe
2007-04-15 10:13 31,232 --a------ C:\WINDOWS\system32\13147962ld.exe
2007-04-15 09:53 31,232 --a------ C:\WINDOWS\system32\53107812ld.exe
2007-04-15 09:33 31,232 --a------ C:\WINDOWS\system32\3369062ld.exe
2007-04-15 09:13 31,232 --a------ C:\WINDOWS\system32\1328902ld.exe
2007-04-15 08:52 31,232 --a------ C:\WINDOWS\system32\52587652ld.exe
2007-04-15 08:32 31,232 --a------ C:\WINDOWS\system32\32548592ld.exe
2007-04-15 08:12 31,232 --a------ C:\WINDOWS\system32\12505462ld.exe
2007-04-15 00:56 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-15 00:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-14 23:11 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-04-14 23:07 <DIR> d-------- C:\DOCUME~1\Owner\.housecall6.6
2007-04-14 09:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-04-14 09:29 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-04-13 19:47 <DIR> d-------- C:\DVDFabDecrypter_Temp
2007-04-12 09:54 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll
2007-04-12 09:54 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2007-04-12 09:54 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2007-04-12 09:54 76,288 --a------ C:\WINDOWS\system32\uniime.dll
2007-04-12 09:54 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2007-04-12 09:54 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2007-04-12 09:54 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2007-04-12 09:54 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2007-04-12 03:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-04-11 00:03 <DIR> d-------- C:\Program Files\Nero
2007-04-11 00:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-23 16:48 -------- d-------- C:\Program Files\lx_cats
2007-04-22 22:19 -------- d-------- C:\Program Files\emule
2007-04-16 23:03 -------- d-------- C:\Program Files\winace
2007-04-14 10:02 -------- d-------- C:\Program Files\symantec
2007-04-13 19:47 -------- d-------- C:\Program Files\dvdfab decrypter 3
2007-04-13 19:40 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\vso
2007-04-12 10:42 -------- d-------- C:\Program Files\winamp
2007-04-10 23:35 87608 --a--c--- C:\DOCUME~1\Owner\APPLIC~1\ezpinst.exe
2007-04-10 23:35 47360 --a--c--- C:\DOCUME~1\Owner\APPLIC~1\pcouffin.sys
2007-04-10 23:35 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-04-10 23:35 34 --a--c--- C:\DOCUME~1\Owner\APPLIC~1\pcouffin.log
2007-04-10 23:35 1144 --a--c--- C:\DOCUME~1\Owner\APPLIC~1\pcouffin.inf
2007-04-10 23:35 1074 --a--c--- C:\DOCUME~1\Owner\APPLIC~1\pcouffin.cat
2007-04-10 23:35 -------- d-------- C:\Program Files\vso
2007-03-17 08:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-14 19:27 972336 --a------ C:\WINDOWS\unrecode.exe
2007-03-14 19:20 133168 --a------ C:\WINDOWS\system32\drivers\imagesrv.sys
2007-03-14 19:20 11568 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys
2007-03-14 19:19 972336 --a------ C:\WINDOWS\unnerobackitup.exe
2007-03-14 19:19 95864 --a------ C:\WINDOWS\system32\neroco.dll
2007-03-12 13:51 972336 --a------ C:\WINDOWS\unneromediahome.exe
2007-03-08 10:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 10:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 10:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 08:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-28 20:53 972336 --a------ C:\WINDOWS\unnerovision.exe
2007-02-28 15:41 972336 --a------ C:\WINDOWS\unneroshowtime.exe
2007-02-17 01:16 9 --a--c--- C:\WINDOWS\winxfigt.sys
2007-02-05 15:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{1557B435-8242-4686-9AA3-9265BF7525A4} C:\WINDOWS\system32\rystqwnv.dll [x]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
{A8F38D8D-E480-4D52-B7A2-731BB6995FDD} C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"LXBTCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXBTtime.dll,_RunDLLEntry@16"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"Lexmark 5200 series"="\"C:\\Program Files\\Lexmark 5200 series\\lxbtbmgr.exe\""
"snpstd"="C:\\WINDOWS\\vsnpstd.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"NWEReboot"=""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"KernelFaultCheck"="%systemroot%\\system32\\dumprep 0 -k"
"LXBTCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXBTtime.dll,_RunDLLEntry@16"
"PrintDrive"="rundll32.exe \"C:\\WINDOWS\\system32\\wuelxtjj.dll\",setvm"
"tcpipmon"="tcpipmon.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\not active]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\mnyexpr.exe\""
"SweetIM"="C:\\Program Files\\Macrogaming\\SweetIM\\SweetIM.exe"
"Ashampoo PopUpBlocker"="C:\\PROGRA~1\\Ashampoo\\ASHAMP~1\\PopUpKiller.exe"
"Ashampoo WinOptimizer Platinum 3 TaskPlaner"="\"C:\\PROGRA~1\\Ashampoo\\ASHAMP~1\\TASKPL~1.EXE\" -TRAY"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
p2psvc REG_MULTI_SZ p2psvc\0p2pimsvc\0p2pgasvc\0PNRPSvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b4aaf261-33ca-11d9-acb9-806d6172696f}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Owner.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-23 17:00:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-23 17:00:41 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-23 17:00
#8
Registered User
Join Date: Apr 2007
Posts: 54
OS: xp
Re: Smitfraud-C
Here is the hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 5:10:50 PM, on 4/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\Desktop\Hijack this antyspyware\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\rystqwnv.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by119w.bay119.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/.../GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1138764468335
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../Installer.exe
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames...l.cab42858.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10...y.cab41227.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/def...ploader_v6.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/a...pv2.0.0.9.cab?
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

thanx
#9
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,345
OS: xp
Re: Smitfraud-C
Start Hijackthis and place a check next to these items, if there.

O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\rystqwnv.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)

====================================

Hit fix checked and close Hijackthis.

Scan this file here
C:\WINDOWS\winxfigt.sys
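As an added example (not part of this thread and not code from the HijackThis or ComboFix authors), the Python below applies the same triage rule the analyst uses above to the O2 lines of a HijackThis log: parse each BHO entry and flag the ones whose DLL is reported missing, plus DLL names that follow the eight-lowercase-letter pattern of the files ComboFix deleted from system32 earlier in the thread. The sample input is constructed by copying the O2 lines from the log in post #8; the random-name rule is a heuristic, not a verdict.

```python
"""Triage HijackThis O2 (Browser Helper Object) lines.

Added example, not part of the forum thread. It picks out the same three
entries the analyst told the user to fix: BHO CLSIDs that still load
from the registry although their DLL is gone, plus DLLs whose eight-letter
random-looking names match the droppings ComboFix removed.
"""
import re
from typing import Optional

# Constructed sample: O2 lines copied from the HijackThis log in post #8.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\\WINDOWS\\system32\\rystqwnv.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.5.0_07\\bin\\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
"""

# Shape of an O2 line: "O2 - BHO: <name> - {<CLSID>} - <dll path | (no file)>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$"
)
# Exactly eight lowercase letters plus .dll: the naming pattern of the DLLs
# listed under "V Log" in the ComboFix output. Heuristic only.
RANDOM_DLL_RE = re.compile(r"(?:^|\\)[a-z]{8}\.dll$")


def parse_o2(line: str) -> Optional[dict]:
    """Split one O2 line into name, CLSID, DLL path and a missing-file flag.

    Returns None for any line that is not an O2 entry.
    """
    m = O2_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target").strip()
    missing = target == "(no file)" or target.endswith("(file missing)")
    path = "" if target == "(no file)" else target.replace("(file missing)", "").strip()
    return {"name": m.group("name"), "clsid": m.group("clsid").upper(),
            "path": path, "missing": missing}


def triage(log_text: str) -> list:
    """Return the O2 entries worth a second look, each with its reasons."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o2(line)
        if entry is None:
            continue
        reasons = []
        if entry["missing"]:
            # The CLSID is still registered but the DLL is gone: an orphan
            # left behind after the file was deleted, safe to fix in HJT.
            reasons.append("orphaned")
        if entry["path"] and RANDOM_DLL_RE.search(entry["path"]):
            reasons.append("random_name")
        if entry["name"] == "(no name)":
            reasons.append("unnamed")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["clsid"], f["path"] or "(no file)", ",".join(f["reasons"]))
```

On the sample above the script reports exactly the three CLSIDs the analyst listed, and nothing for the Adobe, Java or Norton helpers.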