Help with smitfraudfix log please...
Jurgennop
Member
7. October 2006 @ 03:59
This is the log, what can I do?
SmitFraudFix v2.105
Scan done at 13:55:32,29, za 07/10/2006
Run from D:\Jurgensmusic\Tools\SmitfraudFix
OS: Microsoft Windows XP [versie 5.1.2600] - Windows_NT
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\J.NOPPE
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\J.NOPPE\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\J10A0~1.NOP\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Mijn huidige introductiepagina"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="interceptor.dll "
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32
pe386 detected, use a Rootkit scanner
lzx32 detected, use a Rootkit scanner
msguard detected, use a Rootkit scanner
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Jurgennop
Member
7. October 2006 @ 04:03
This is the HjT log, someone please help me out if something is wrong... sorry, forgot to post that log, will post when home.
This message has been edited since posting. Last time this message was edited on 7. October 2006 @ 07:33
Jurgennop
Member
7. October 2006 @ 07:21
The strange thing is, I ran Smitfraud 1.95 and it didn't find anything; then immediately afterwards I downloaded and ran Smitfraud 2.105 or something, anyway the latest version, and my ZoneAlarm firewall came up 3 times saying that it wanted to install a new driver or services, those 3 mentioned in the log, but I denied all 3 of them so they wouldn't install... Can anyone please find out if I'm clean? My HjT log is clean, so... PLEASE....
This message has been edited since posting. Last time this message was edited on 7. October 2006 @ 07:27
Senior Member
7. October 2006 @ 13:06
Where's the HjT log? :)
Run Option 1 with SmitfraudFix again and this time allow the services to be used.
Post a HijackThis log with the new rapport.
Jurgennop
Member
7. October 2006 @ 23:25
Here's the log, sorry.
Logfile of HijackThis v1.99.1
Scan saved at 19:50:14 , on 7/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hln.be/hlns/cache/homehome.html?10
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
And I deleted everything from SmitfraudFix straight away. I know that's the program that wanted to delete this spyware, so I'm not allowing it.
Senior Member
8. October 2006 @ 18:22
Edit: misread it.
Go here and run Kaspersky Online Scanner.
Accept the terms.
After downloading, click "My Computer".
After scanning, click "Save report as".
Save as a text file and post it here.
This message has been edited since posting. Last time this message was edited on 8. October 2006 @ 19:26
aabbccdd
Suspended permanently
8. October 2006 @ 23:30
Is 2.72 the latest version of SmitfraudFix??
Senior Member
8. October 2006 @ 23:45
Don't think it's made it that far yet. 2.106 is latest on S!Ri's site.
aabbccdd
Suspended permanently
9. October 2006 @ 00:10
Mine says it's v2.72.
Senior Member
9. October 2006 @ 00:15
Where'd you get it?
Edit: found this... http://siri.geekstogo.com/ChangeLog.php
Version 2.75 (July 24, 2006)
Version 2.106 (October 09, 2006)
This message has been edited since posting. Last time this message was edited on 9. October 2006 @ 00:19
Jurgennop
Member
9. October 2006 @ 02:25
I ran a scan with my Kaspersky escan and that came out clean as well, so... false??
Senior Member
9. October 2006 @ 10:39
Jurgennop
Member
9. October 2006 @ 21:36
OK, here it is.
Logfile of HijackThis v1.99.1
Scan saved at 7:35:08 , on 10/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hln.be/hlns/cache/homehome.html?10
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Senior Member
9. October 2006 @ 21:49
I'm confused, but you're clean nonetheless. Any problems?
Jurgennop
Member
9. October 2006 @ 23:57
Why are you confused?
No problems, no, but suddenly after installing and playing ParaWorld,
I had BraveSentry fakealert on my PC, and atomiclog, and I have no idea where it came from, and then Smitfraud wanted to install msguard, crap program...
Senior Member
10. October 2006 @ 13:16
I'm confused because you didn't allow SmitfraudFix to install what it needed.
Originally posted by Jurgennop: i downloaded and ran smitfraud 2.105 or sth,anyway,the latest version and my ZoneAlarm firewall came up 3 times saying that it wanted to install a new driver or services,those 3 mentioned in the log,but I denied all 3 of them so they wouldn't install
Originally posted by Niobis: Run Option 1 with SmitfraudFix again and this time allow the services to be used.
Originally posted by Jurgennop: i know that's the program that wanted to delete this spyware,so i'm not allowing it.
Why not allow it?
About the things found.
Run a full system scan with SpySweeper.
Run Option 1 with SmitfraudFix in normal mode and allow it to be used.
Post the contents of rapport.txt.
Jurgennop
Member
10. October 2006 @ 21:09
I'm not allowing Smitfraud, because that's what wanted to install msguard...
And Spy Sweeper came up clean...
Senior Member
10. October 2006 @ 22:18
OMG! I've been looking over the problem all this time! I apologize. Did you notice it?
In your first SmitfraudFix log:
pe386 detected, use a Rootkit scanner
lzx32 detected, use a Rootkit scanner
msguard detected, use a Rootkit scanner
Download AVG Antirootkit Beta from here
Download ADS Spy from here.
Download F-Secure's BlackLight from here.
Note: Print or copy these instructions to Notepad.
Disconnect from the internet.
* Install AVG Antirootkit Beta.
* Restart before running AVG Antirootkit Beta.
* Open AVG Anti-Rootkit Beta and click "Perform in-depth search." Allow AVG to complete the scan. The AVG scanner will give the "Rootkit path"
* Select the Rootkit Driver by placing a checkmark against it and click "Remove selected items." Next, agree to the terms and conditions that are displayed by AVG and click "OK" to reboot the PC.
* AVG Anti-Rootkit Beta renames the Mailbot.AZ Rootkit Driver so that the driver will not be loaded at the next reboot. But, it doesn't remove the actual Rootkit ADS and its Registry Entries. These can be removed by using ADS Spy.
* Extract ADS Spy to its own folder.
* Open ADS Spy and select "Full Scan (all NTFS drives)".
* Click "Scan the system for Alternate Data Streams." Once the scan is complete, select the rootkit driver and click "Remove selected streams".
* Close ADS Spy and ALL open Windows.
* Open Notepad (not Wordpad).
* Copy and paste the text inside the box below into Notepad, including the blank line at the end.
-----------------------------------------------------------------------
REGEDIT4
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pe386]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msguard]
-----------------------------------------------------------------------
Save name as fix.reg and type as "all files" to your desktop.
Close Notepad.
Double click fix.reg and click Yes at prompt.
Open BlackLight.
* Click the Scan button.
* Leave the PC idle while it is scanning.
* When it has completed, click the Close button.
* A text file, fsbl-date/time, will be saved in the Blacklight folder.
Open SmitfraudFix and run Option 1.
Post back with the BlackLight log and the SmitfraudFix log.
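The point the helper only caught late in this thread is that the HijackThis log looked clean while the SmitFraudFix rapport.txt had been saying "use a Rootkit scanner" all along. The script below is an added example, not code from the thread, from SmitFraudFix or from HijackThis: it parses constructed excerpts modelled on the two logs posted above, surfaces the rootkit-scanner hints and AppInit_DLLs entries so they cannot be missed, cross-checks the AppInit_DLLs value against the HijackThis O20 section, and renders a REGEDIT4 file in the same shape as the fix.reg in the instructions for whatever service names the analyst decides to remove. Function names and the log excerpts are my own; the parser flags entries for review rather than labelling any DLL malicious.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the SmitFraudFix rapport.txt posted in this thread.
SMITFRAUDFIX_LOG = r"""SmitFraudFix v2.105
Scan done at 13:55:32,29, za 07/10/2006
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="interceptor.dll "
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32
pe386 detected, use a Rootkit scanner
lzx32 detected, use a Rootkit scanner
msguard detected, use a Rootkit scanner
»»»»»»»»»»»»»»»»»»»»»»»» End
"""

# Constructed excerpt modelled on the HijackThis log posted in this thread.
HIJACKTHIS_LOG = r"""O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# "<name> detected, use a Rootkit scanner" is the line the thread's helper overlooked at first.
ROOTKIT_RE = re.compile(r"^(\S+) detected, use a Rootkit scanner\s*$")
# The exported registry value under the AppInit_DLLs heading (note the trailing space in the log).
APPINIT_RE = re.compile(r'^"AppInit_DLLs"="(.*)"\s*$')
# HijackThis entries start with a section code such as O4, O20, O23 or R0.
HJT_RE = re.compile(r"^([ORFN]\d+) - (.*)$")


def parse_smitfraudfix(text: str) -> Dict[str, List[str]]:
    """Collect rootkit-scanner hints and AppInit_DLLs values from a SmitFraudFix report."""
    findings: Dict[str, List[str]] = {"rootkit_hints": [], "appinit_dlls": []}
    for line in text.splitlines():
        m = ROOTKIT_RE.match(line)
        if m:
            findings["rootkit_hints"].append(m.group(1))
            continue
        m = APPINIT_RE.match(line)
        if m:
            # The value may list several DLLs separated by spaces or commas.
            findings["appinit_dlls"].extend(d for d in re.split(r"[ ,]+", m.group(1).strip()) if d)
    return findings


def parse_hijackthis(text: str) -> Dict[str, List[str]]:
    """Group HijackThis entries by their section code (O4, O20, O23, ...)."""
    sections: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = HJT_RE.match(line)
        if m:
            sections.setdefault(m.group(1), []).append(m.group(2))
    return sections


def triage(smit: Dict[str, List[str]], hjt: Dict[str, List[str]]) -> List[str]:
    """Turn the two parsed logs into review notes; a clean HJT log never cancels a rootkit hint."""
    notes: List[str] = []
    if smit["rootkit_hints"]:
        notes.append("rootkit scanner needed for: " + ", ".join(smit["rootkit_hints"]))
    hjt_appinit = [e.split(":", 1)[1].strip() for e in hjt.get("O20", []) if e.startswith("AppInit_DLLs")]
    for dll in smit["appinit_dlls"]:
        seen = "also in HijackThis O20" if dll in hjt_appinit else "not in HijackThis O20"
        notes.append(f"AppInit_DLLs loads {dll} ({seen}); verify the file's publisher before acting")
    if not notes:
        notes.append("no rootkit hints or AppInit_DLLs entries found")
    return notes


def render_fix_reg(service_names: List[str]) -> str:
    """Build a REGEDIT4 file deleting the given service keys, in the shape the thread's fix.reg uses."""
    lines = ["REGEDIT4", ""]  # REGEDIT4 format expects a blank line after the header
    for name in service_names:
        lines.append("[-HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\" + name + "]")
    lines.append("")  # keep the trailing blank line the instructions insist on
    return "\r\n".join(lines)


if __name__ == "__main__":
    smit = parse_smitfraudfix(SMITFRAUDFIX_LOG)
    hjt = parse_hijackthis(HIJACKTHIS_LOG)
    for note in triage(smit, hjt):
        print(note)
    print(render_fix_reg(["pe386", "msguard"]))
```

Run it as-is to see the notes for the constructed logs; to use it on a real rapport.txt and hijackthis.log, read the two files into the two string constants. The service names passed to `render_fix_reg` are deliberately an explicit argument rather than taken from the rootkit hints, because the log's hint names (for instance lzx32) are not all service keys and the decision belongs to the analyst following the AVG Antirootkit and ADS Spy steps above.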
aabbccdd
Suspended permanently
10. October 2006 @ 23:27
Running Spysweeper should get rid of a rootkit problem, right Niobis?
BTW the new Trend Micro 2007 protects you against rootkits.
Jurgennop
Member
11. October 2006 @ 00:03
I haven't tried this yet, but
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pe386]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msguard]
this isn't anywhere in my registry when I use regedit, so I don't even think it's on my PC, right?
Senior Member
11. October 2006 @ 08:42
@aabbccdd, no.
@Jurgennop, it's there. Follow the instructions for AVG Antirootkit; if nothing shows up, tell me. If it does show, finish all instructions.
This message has been edited since posting. Last time this message was edited on 11. October 2006 @ 08:45
Jurgennop
Member
11. October 2006 @ 09:04
This message has been edited since posting. Last time this message was edited on 11. October 2006 @ 09:06
Senior Member
11. October 2006 @ 09:18
Run AVG Antirootkit, it won't hurt to scan and be sure.
Jurgennop
Member
11. October 2006 @ 09:51
Will do when I get home, thanks.
Jurgennop
Member
11. October 2006 @ 12:15
So, I just ran the AVG antirootkit and it didn't find anything, thank god!! Good thing I didn't allow Smitfraud to install msguard... So I suppose now it's sure that I'm clean, right?