
Smitfraud-C.CoreService infection

Discussion in 'Malware and Virus Removal Archive' started by Bmoore1129, 2007/07/09.

  1. 2007/07/09
    Bmoore1129 Geek Member Thread Starter
    Spybot S&D gives me this and cannot fix it.

    I have downloaded and extracted SmitfraudFix to my desktop, but double-clicking SmitfraudFix.cmd does not open the blue background with the options. It only opens a command prompt.

    My problem is I keep getting these popups in IE even though I am using Firefox. They open a new window with Internet Explorer in the title bar.

    Here is my HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:55:33 PM, on 7/9/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {351E4ADE-F44F-FEEB-121A-8B8DB855D7EE} - C:\WINDOWS\System32\dibdlcd.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {EA00B5A9-E939-4A0B-AF91-5F8193D4AD27} - C:\WINDOWS\System32\pmkjh.dll (file missing)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe /z
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1183827767375
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1183827756343
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

    --
    End of file - 5038 bytes
     
  2. 2007/07/09
    Geri Inactive Alumni
    Hi Bmoore1129

    Run this first.

    Please download VundoFix.exe to your desktop
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


    Make sure you have the latest SmitfraudFix and try to run it.

    Please download SmitfraudFix (by S!Ri) to your Desktop.

    Double-click SmitfraudFix.exe
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    **If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm

    Also, Please use this HJT. Trend is still in Beta and we don't like using it yet.

    Click here to download "HJTsetup.exe".

    1. Save HJTsetup.exe to your desktop.
    2. Double-click on the HJTsetup.exe icon on your desktop.
      (By default it will install to C:\Program Files\Hijackthis)
    3. Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    4. Put a check by Create a desktop icon and then click Next again.
    5. Continue to follow the rest of the prompts from there.
    6. At the final dialogue box click Finish and it will launch HijackThis.
    7. Click on the Do a system scan and save a log file button.
      (It will scan and the log should open in Notepad.)
    8. Click on "Edit" > "Select All" to highlight the entire Notepad contents.
    9. Then click on "Edit" > "Copy".
    10. Come back here to this thread and Paste the log in your next reply.
      (Right-click in the message body field and select "Paste".)
    CAUTION: DO NOT have HijackThis "fix" anything without carefully following expert guidance. Otherwise, you might render your computer unstable or even unbootable. Most of what HijackThis finds will be harmless or even required.


    Please post all the logs.

    Geri
     

  4. 2007/07/10
    Bmoore1129 Geek Member Thread Starter
    I ran Vundo before and this time it found no files.

    Here is my SmitfraudFix file:

    SmitFraudFix v2.202

    Scan done at 9:11:31.43, Tue 07/10/2007
    Run from C:\Documents and Settings\Bob bowers\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Bob bowers


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Bob bowers\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\BOBBOW~1\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
    DNS Server Search Order: 208.67.222.222
    DNS Server Search Order: 208.67.220.220

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{003BC234-C79C-4334-AFD8-43F291F761D0}: DhcpNameServer=208.67.222.222 208.67.220.220
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{003BC234-C79C-4334-AFD8-43F291F761D0}: DhcpNameServer=208.67.222.222 208.67.220.220
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{003BC234-C79C-4334-AFD8-43F291F761D0}: DhcpNameServer=208.67.222.222 208.67.220.220
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=208.67.222.222 208.67.220.220
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=208.67.222.222 208.67.220.220
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=208.67.222.222 208.67.220.220


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

    Here is my HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:41:52 AM, on 7/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\a?sembly\??rvices.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {351E4ADE-F44F-FEEB-121A-8B8DB855D7EE} - C:\WINDOWS\System32\dibdlcd.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {EA00B5A9-E939-4A0B-AF91-5F8193D4AD27} - C:\WINDOWS\System32\pmkjh.dll (file missing)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe /z
    O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\system32\oline.dll
    O15 - Trusted Zone: http://www.windowsbbs.com
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1183827767375
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1183827756343
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
     
  5. 2007/07/10
    Geri Inactive Alumni
    Hi Bill
    I don't see anything in the SmitfraudFix log, but this showed up:
    C:\Program Files\a?sembly\??rvices.exe

    Please download and run ComboFix.

    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Please post the ComboFix log.
    Geri
     
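    Geri's call rests on that single process line. A question mark is not a legal character in a Windows path, so when HijackThis prints `a?sembly\??rvices.exe` it means the real directory and file names contain characters the console could not render: a lookalike of `assembly\services.exe` rather than the genuine system binary. The script below is an added example, not part of this thread and not code from HijackThis, SmitfraudFix or ComboFix. It applies that reading, plus two other checks the thread illustrates (an unnamed BHO whose file is missing, and a Run entry launching a fake `chkdsk.exe` from the user profile), to a constructed log in HijackThis format. The allowlist of known "(no name)" BHO modules and the severity labels are assumptions for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample in HijackThis log format, modelled on entries quoted in
# this thread: the oddly named process Geri points out, a normal BHO, two
# "(no name)" BHOs (one of them Spybot's legitimate SDHelper.dll), an orphaned
# "(file missing)" BHO, and a Run entry launching from the user profile.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\Program Files\a?sembly\??rvices.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {351E4ADE-F44F-FEEB-121A-8B8DB855D7EE} - C:\WINDOWS\System32\dibdlcd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {EA00B5A9-E939-4A0B-AF91-5F8193D4AD27} - C:\WINDOWS\System32\pmkjh.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Sutu] "C:\DOCUME~1\BOBBOW~1\MYDOCU~1\FNTS~1\chkdsk.exe" -vt yazb
""".strip()

# Core Windows binaries that only belong under the Windows directory tree.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "explorer.exe"}
# Assumed allowlist of known-good "(no name)" BHO modules; SDHelper.dll is
# Spybot S&D's, as this thread shows. Extend it from your own baseline.
KNOWN_NONAME_BHO = {"sdhelper.dll"}

Finding = Tuple[str, str, str]  # (severity, rule, offending log line)


def in_windows_dir(path: str) -> bool:
    """True if the path sits under the Windows directory tree."""
    return path.lower().startswith(("c:\\windows\\", "%systemroot%"))


def check_process(path: str) -> List[Finding]:
    """Flag process paths that cannot be genuine system binaries."""
    findings: List[Finding] = []
    # '?' is illegal in a Windows path; HijackThis prints it when a character
    # in the real name cannot be rendered in the console code page, i.e. the
    # on-disk name uses non-ASCII lookalikes ("a?sembly\??rvices.exe").
    if "?" in path or re.search(r"[^\x20-\x7e]", path):
        findings.append(("high", "unrenderable character in process path", path))
    name = path.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_BINARIES and not in_windows_dir(path):
        findings.append(("high", "system binary name outside Windows dir", path))
    return findings


def check_bho(line: str) -> List[Finding]:
    """Flag orphaned BHO CLSIDs and unnamed BHOs not on the allowlist."""
    findings: List[Finding] = []
    if "(file missing)" in line:
        findings.append(("medium", "orphaned BHO CLSID (file missing)", line))
    m = re.match(r"O2 - BHO: \(no name\) - \{[0-9A-Fa-f-]+\} - (.+?)(?: \(file missing\))?$", line)
    if m:
        dll = m.group(1).rsplit("\\", 1)[-1].lower()
        if dll not in KNOWN_NONAME_BHO:
            findings.append(("review", "unnamed BHO not in allowlist", line))
    return findings


def check_run(line: str) -> List[Finding]:
    """Flag O4 Run targets living under a user profile (the fake chkdsk.exe)."""
    m = re.match(r'O4 - .*?: \[[^\]]*\] "?([^"]+?\.exe)"?', line, re.IGNORECASE)
    if m and re.search(r"\\(DOCUME~1|Documents and Settings|Users)\\", m.group(1), re.IGNORECASE):
        return [("review", "Run entry launches from a user profile", line)]
    return []


def triage(log: str) -> List[Finding]:
    """Walk a HijackThis log and return the entries worth a second look."""
    findings: List[Finding] = []
    in_processes = False
    for line in log.splitlines():
        line = line.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            findings.extend(check_process(line))
        elif line.startswith("O2 - BHO:"):
            findings.extend(check_bho(line))
        elif line.startswith("O4 - "):
            findings.extend(check_run(line))
    return findings


if __name__ == "__main__":
    for severity, rule, entry in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {rule}: {entry}")
```

    Note that "(no name)" on its own proves nothing: Spybot's SDHelper.dll shows up that way in every log in this thread and is left alone, while the same marker on an unknown DLL in System32 is what earns a second look. The script only reports; as Geri's caution says, nothing gets "fixed" from a log without someone reading the entries.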
  6. 2007/07/11
    Bmoore1129 Geek Member Thread Starter
    Geri, the ComboFix looks like it fixed it. It also fixed the Scandisk problem I was having; Scandisk worked for the first time.

    Combo Fix Log:

    "Bob bowers" - 2007-07-11 8:52:17 - ComboFix 07-07-10.1 - Service Pack 2


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1.\salesmonitor
    C:\DOCUME~1\BOBBOW~1\MYDOCU~1.\fnts~1
    C:\DOCUME~1\BOBBOW~1\MYDOCU~1.\fnts~1\chkdsk.exe
    C:\Documents and Settings\BOBBOW~1.\err.log
    C:\Program Files\asembl~1
    C:\Program Files\asembl~1\??rvices.exe
    C:\Program Files\Common Files\winantispyware 2007
    C:\Program Files\Common Files\winantispyware 2007\err.log
    C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe
    C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
    C:\temp\tn3
    C:\WINDOWS\b136.exe
    C:\WINDOWS\system32\dibdlcd.dll
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\drivers\core.sys
    C:\WINDOWS\system32\drivers\fopn.sys
    C:\WINDOWS\system32\o09PrEz
    C:\WINDOWS\system32\wapiicomsv32.exe
    C:\WINDOWS\wr.txt


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_CORE
    -------\LEGACY_DOMAINSERVICE
    -------\core
    -------\DomainService


    ((((((((((((((((((((((((( Files Created from 2007-06-11 to 2007-07-11 )))))))))))))))))))))))))))))))


    2007-07-11 08:50 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-07-10 10:52 <DIR> d-------- C:\DOCUME~1\BOBBOW~1\APPLIC~1\Comodo
    2007-07-10 10:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Comodo
    2007-07-10 10:50 <DIR> d-------- C:\Program Files\Comodo
    2007-07-10 09:24 <DIR> d--h----- C:\WINDOWS\PIF
    2007-07-10 09:08 1,834 --a------ C:\WINDOWS\system32\tmp.reg
    2007-07-09 12:43 <DIR> d-------- C:\VundoFix Backups
    2007-07-09 12:34 <DIR> d-------- C:\DOCUME~1\BOBBOW~1\APPLIC~1\SiteAdvisor
    2007-07-09 12:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\SiteAdvisor
    2007-07-09 12:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\McAfee
    2007-07-09 11:00 66,068 --a------ C:\WINDOWS\system32\tjaudmdx.exe
    2007-07-08 14:30 1,156 --a------ C:\WINDOWS\mozver.dat
    2007-07-08 14:28 0 --a------ C:\WINDOWS\nsreg.dat
    2007-07-08 14:11 <DIR> d-------- C:\WINDOWS\system32\appmgmt
    2007-07-08 14:05 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
    2007-07-08 14:02 61,440 --a------ C:\WINDOWS\system32\iAlmCoIn_v4363.dll
    2007-07-08 14:02 524,288 --a------ C:\WINDOWS\system32\igldev32.dll
    2007-07-08 14:02 40,960 --a------ C:\WINDOWS\system32\ialmuTRK.dll
    2007-07-08 14:02 40,960 --a------ C:\WINDOWS\system32\ialmuTHA.dll
    2007-07-08 14:02 40,960 --a------ C:\WINDOWS\system32\ialmuSVE.dll
    2007-07-08 14:02 40,960 --a------ C:\WINDOWS\system32\ialmuRUS.dll
    2007-07-08 14:02 40,960 --a------ C:\WINDOWS\system32\ialmuPTG.dll
    2007-07-08 14:02 40,960 --a------ C:\WINDOWS\system32\ialmuPTB.dll
    2007-07-08 14:02 40,960 --a------ C:\WINDOWS\system32\ialmuPLK.dll
    2007-07-08 14:02 40,960 --a------ C:\WINDOWS\system32\ialmuNOR.dll
    2007-07-08 14:02 40,960 --a------ C:\WINDOWS\system32\ialmuNLD.dll
    2007-07-08 14:02 40,960 --a------ C:\WINDOWS\system32\ialmuKOR.dll
    2007-07-08 14:02 40,960 --a------ C:\WINDOWS\system32\ialmuJPN.dll
    2007-07-08 14:02 40,960 --a------ C:\WINDOWS\system32\ialmuITA.dll
    2007-07-08 14:02 40,960 --a------ C:\WINDOWS\system32\ialmuHUN.dll
    2007-07-08 14:02 40,960 --a------ C:\WINDOWS\system32\ialmuHEB.dll
    2007-07-08 14:02 40,960 --a------ C:\WINDOWS\system32\ialmuFRC.dll
    2007-07-08 14:02 40,960 --a------ C:\WINDOWS\system32\ialmuFRA.dll
    2007-07-08 14:02 40,960 --a------ C:\WINDOWS\system32\ialmuFIN.dll
    2007-07-08 14:02 40,960 --a------ C:\WINDOWS\system32\ialmuESP.dll
    2007-07-08 14:02 40,960 --a------ C:\WINDOWS\system32\ialmuENG.dll
    2007-07-08 14:02 40,960 --a------ C:\WINDOWS\system32\ialmuELL.dll
    2007-07-08 14:02 40,960 --a------ C:\WINDOWS\system32\ialmuDEU.dll
    2007-07-08 14:02 40,960 --a------ C:\WINDOWS\system32\ialmuDAN.dll
    2007-07-08 14:02 40,960 --a------ C:\WINDOWS\system32\ialmuCSY.dll
    2007-07-08 14:02 40,960 --a------ C:\WINDOWS\system32\ialmuCHT.dll
    2007-07-08 14:02 40,960 --a------ C:\WINDOWS\system32\ialmuCHS.dll
    2007-07-08 14:02 40,960 --a------ C:\WINDOWS\system32\ialmuARB.dll
    2007-07-08 14:02 40,960 --a------ C:\WINDOWS\system32\ialmuARA.dll
    2007-07-08 14:02 2,310,144 --a------ C:\WINDOWS\system32\iglicd32.dll
    2007-07-08 14:02 159,744 --a------ C:\WINDOWS\system32\igfxsrvc.exe
    2007-07-08 14:02 114,688 --a------ C:\WINDOWS\system32\igfxpers.exe
    2007-07-08 14:02 114,688 --a------ C:\WINDOWS\system32\ialmudlg.exe
    2007-07-08 14:02 <DIR> d-------- C:\dell
    2007-07-08 13:36 <DIR> d-------- C:\DOCUME~1\BOBBOW~1\APPLIC~1\Google
    2007-07-08 13:31 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
    2007-07-08 13:29 <DIR> d-------- C:\Program Files\Google
    2007-07-08 13:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Google
    2007-07-08 13:18 6,018 --a------ C:\WINDOWS\system32\cleartmp.cmd
    2007-07-08 13:15 <DIR> d-------- C:\Program Files\RFA Platinum
    2007-07-08 13:12 658 --a------ C:\WINDOWS\unins000.dat
    2007-07-08 11:15 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
    2007-07-08 11:14 <DIR> d-------- C:\Program Files\GiPo@Utilities
    2007-07-08 09:30 <DIR> d-------- C:\Program Files\Aida32
    2007-07-07 16:32 <DIR> d-------- C:\WINDOWS\Prefetch
    2007-07-07 16:10 95,424 --------- C:\WINDOWS\system32\drivers\slnthal.sys
    2007-07-07 16:10 9,728 --------- C:\WINDOWS\system32\comsdupd.exe
    2007-07-07 16:10 88,064 --------- C:\WINDOWS\system32\p2pnetsh.dll
    2007-07-07 16:10 870,784 --------- C:\WINDOWS\system32\ati3d1ag.dll
    2007-07-07 16:10 86,016 --------- C:\WINDOWS\system32\p2pgasvc.dll
    2007-07-07 16:10 81,920 --------- C:\WINDOWS\system32\ieencode.dll
    2007-07-07 16:10 81,408 --------- C:\WINDOWS\system32\wscsvc.dll
    2007-07-07 16:10 8,192 --------- C:\WINDOWS\system32\smbinst.exe
    2007-07-07 16:10 78,464 --------- C:\WINDOWS\system32\drivers\usbvideo.sys
    2007-07-07 16:10 755,200 --------- C:\WINDOWS\system32\ir50_32.dll
    2007-07-07 16:10 75,776 --------- C:\WINDOWS\system32\strmfilt.dll
    2007-07-07 16:10 73,832 --------- C:\WINDOWS\system32\slcoinst.dll
    2007-07-07 16:10 73,796 --------- C:\WINDOWS\system32\slserv.exe
    2007-07-07 16:10 73,216 --------- C:\WINDOWS\system32\drivers\atintuxx.sys
    2007-07-07 16:10 71,680 --------- C:\WINDOWS\system32\blastcln.exe
    2007-07-07 16:10 701,440 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys
    2007-07-07 16:10 7,680 --------- C:\WINDOWS\system32\kbdsmsno.dll
    2007-07-07 16:10 7,680 --------- C:\WINDOWS\system32\kbdsmsfi.dll
    2007-07-07 16:10 7,168 --------- C:\WINDOWS\system32\kbdukx.dll
    2007-07-07 16:10 7,168 --------- C:\WINDOWS\system32\kbdno1.dll
    2007-07-07 16:10 7,168 --------- C:\WINDOWS\system32\kbdfi1.dll
    2007-07-07 16:10 685,056 --------- C:\WINDOWS\system32\drivers\hsfcxts2.sys
    2007-07-07 16:10 67,584 --------- C:\WINDOWS\system32\drivers\sdbus.sys
    2007-07-07 16:10 63,663 --------- C:\WINDOWS\system32\drivers\ati1rvxx.sys
    2007-07-07 16:10 63,488 --------- C:\WINDOWS\system32\drivers\atinxsxx.sys
    2007-07-07 16:10 60,416 --------- C:\WINDOWS\system32\fwcfg.dll
    2007-07-07 16:10 6,656 --------- C:\WINDOWS\system32\kbdinmal.dll
    2007-07-07 16:10 6,656 --------- C:\WINDOWS\system32\kbdinben.dll
    2007-07-07 16:10 6,144 --------- C:\WINDOWS\system32\kbdmlt48.dll
    2007-07-07 16:10 6,144 --------- C:\WINDOWS\system32\kbdmlt47.dll
    2007-07-07 16:10 6,144 --------- C:\WINDOWS\system32\kbdinbe1.dll
    2007-07-07 16:10 6,016 --------- C:\WINDOWS\system32\drivers\smbali.sys
    2007-07-07 16:10 59,648 --------- C:\WINDOWS\system32\drivers\rfcomm.sys
    2007-07-07 16:10 57,856 --------- C:\WINDOWS\system32\drivers\atinbtxx.sys
    2007-07-07 16:10 56,623 --------- C:\WINDOWS\system32\drivers\ati1btxx.sys
    2007-07-07 16:10 526,848 --------- C:\WINDOWS\system32\p2psvc.dll
    2007-07-07 16:10 52,224 --------- C:\WINDOWS\system32\drivers\atinraxx.sys
    2007-07-07 16:10 516,768 --------- C:\WINDOWS\system32\ativvaxx.dll
    2007-07-07 16:10 50,688 --------- C:\WINDOWS\system32\btpanui.dll
    2007-07-07 16:10 50,176 --------- C:\WINDOWS\system32\xmlprovi.dll


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-10 19:22:33 -------- d-----w C:\Program Files\Messenger
    2007-07-08 19:10:38 -------- d-----w C:\Program Files\Ahead
    2007-07-08 18:12:51 72,748 ----a-w C:\WINDOWS\unins000.exe
    2007-07-07 21:08:38 -------- d-----w C:\Program Files\Movie Maker
    2007-07-07 21:08:29 -------- d-----w C:\Program Files\Windows NT
    2007-07-07 17:57:31 -------- d-----w C:\Program Files\Lavasoft
    2007-06-04 20:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-06-04 20:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-06-04 20:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 03:43:44 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 03:43:40 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
    2007-04-13 20:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    2004-09-29 12:02 292947 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2003-11-03 15:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    2007-07-08 13:36 2403392 -ra------ c:\program files\google\googletoolbar2.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA00B5A9-E939-4A0B-AF91-5F8193D4AD27}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42]
    "Dell AIO Printer A940"="C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 18:00]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-07 12:37]
    "COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-07-10 11:10]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "mount.exe"="C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe" [2003-05-24 02:09]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoLowDiskSpaceChecks"=1 (0x1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Bob bowers^Start Menu^Programs^Startup^maxmem.lnk]
    path=C:\Documents and Settings\Bob bowers\Start Menu\Programs\Accessories\System Tools\AnalogX\MaxMem\MaxMem.lnk
    backup=C:\WINDOWS\pss\maxmem.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sutu]
    "C:\DOCUME~1\BOBBOW~1\MYDOCU~1\FNTS~1\chkdsk.exe" -vt yazb


    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-11 09:27:41
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-11 9:29:53 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-07-11 09:29

    --- E O F ---

    Here is the HJT Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:36:32 AM, on 7/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {EA00B5A9-E939-4A0B-AF91-5F8193D4AD27} - (no file)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe /z
    O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\system32\oline.dll
    O15 - Trusted Zone: http://www.windowsbbs.com
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1183827767375
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1183827756343
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
     
  7. 2007/07/11
    Bmoore1129

    Bmoore1129 Geek Member Thread Starter

    Joined:
    2002/06/11
    Messages:
    1,675
    Likes Received:
    3
    Geri,

    I ran a Spybot S&D and there is no more smithfraud. I'm clean as a whistle, I think.

    Thank you very much for your help.

    I consider this one closed :D
     
  8. 2007/07/11
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Bill

    Glad that seemed to work.

    There are a couple of things, though.

    I can find no info on this.
    C:\WINDOWS\system32\tjaudmdx.exe

    If you don't know what it is, we need to scan it. Then there is an item to remove with HJT.

    Let's scan that file first.

    • Jotti File Submission:
      • Please go to Jotti's malware scan
      • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:

        • C:\WINDOWS\system32\tjaudmdx.exe

      • Click on the submit button
      • Please post the results in your next reply.

    Thanks
    Geri
     
  9. 2007/07/12
    Bmoore1129

    Bmoore1129 Geek Member Thread Starter

    Joined:
    2002/06/11
    Messages:
    1,675
    Likes Received:
    3
    Well I don't find the tjaudmdx.exe on my computer anywhere this morning.

    Here is my latest HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:23:43 AM, on 7/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
    C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {EA00B5A9-E939-4A0B-AF91-5F8193D4AD27} - (no file)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\system32\oline.dll
    O15 - Trusted Zone: http://www.windowsbbs.com
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1183827767375
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1183827756343
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
     
  10. 2007/07/12
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Bill
    Did you try to run it through Jotti's?

    Did you "Show hidden files/Folders" when you looked?

    It was in your Combofix log.
    2007-07-09 11:00 66,068 --a------ C:\WINDOWS\system32\tjaudmdx.exe

    I'd like to make sure it's nothing bad that's lurking.

    Here is the HJT fix.

    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    O2 - BHO: (no name) - {EA00B5A9-E939-4A0B-AF91-5F8193D4AD27} - (no file)

    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.

    Reboot, scan again with HJT and make sure it's gone. No need to post another HJT log if that entry is gone.

    Let me know what you want to do about that file.

    Geri
     
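As an added example (not from this thread, and not part of HijackThis or ComboFix), here is a small Python triage script for the HJT log format Geri is reading: it flags O2 BHO entries whose DLL is "(no file)", the case fixed in the post above, and O4 autostarts that run from outside Program Files or Windows or that reuse a Windows system binary name, which is what the ComboFix "startupreg\Sutu" chkdsk.exe entry earlier in the thread looks like. The trusted-folder prefixes and the system-binary name list are assumptions; the Sutu O4 line in the sample is constructed from that ComboFix entry.

```python
import re

# HijackThis log lines this script understands (layout taken from the logs above):
#   O2 - BHO: <name> - {CLSID} - <dll path or "(no file)">
#   O4 - HKLM\..\Run: [<value name>] <command line>
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Assumption: on this XP box, legitimate autostarts live under these folders.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")
# Assumption: Windows system binary names; one of these run from a user folder is a masquerade sign.
SYSTEM_BINARY_NAMES = {"chkdsk.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "services.exe"}

def review_hjt(lines):
    """Return [(log line, [reasons])] for entries a responder should look at."""
    findings = []
    for raw in lines:
        line, reasons = raw.strip(), []
        m = O2_RE.match(line)
        if m and m.group("path") == "(no file)":
            reasons.append("orphaned BHO: CLSID still registered but its DLL is gone")
        m = O4_RE.match(line)
        if m:
            # First token ending in .exe, with or without surrounding quotes
            exe = re.match(r'"?(?P<exe>[^"]*?\.exe)', m.group("cmd"), re.I)
            if exe:
                path = exe.group("exe").lower()
                name = path.rsplit("\\", 1)[-1]
                if not path.startswith(TRUSTED_PREFIXES):
                    reasons.append("autostart runs from outside Program Files / Windows")
                if name in SYSTEM_BINARY_NAMES and not path.startswith("c:\\windows\\"):
                    reasons.append(f"{name} is a system binary name in a non-system folder")
        if reasons:
            findings.append((line, reasons))
    return findings

# Constructed sample: real lines from the HJT log posted above, plus one O4 line
# written in HJT form from the ComboFix "startupreg\Sutu" entry earlier in the thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {EA00B5A9-E939-4A0B-AF91-5F8193D4AD27} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [Sutu] "C:\DOCUME~1\BOBBOW~1\MYDOCU~1\FNTS~1\chkdsk.exe" -vt yazb
""".strip().splitlines()

if __name__ == "__main__":
    for line, reasons in review_hjt(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```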
  11. 2007/07/13
    Bmoore1129

    Bmoore1129 Geek Member Thread Starter

    Joined:
    2002/06/11
    Messages:
    1,675
    Likes Received:
    3
    Hi Geri

    The file was gone after I deleted the system restore files that were left over after I turned off system restore. I don't use SR because I keep an up-to-date Acronis image of the C: drive instead. Anyway, when I tried to run the Jotti's, the file was no longer there to scan. Hidden files are unhidden.

    I got rid of the BHO you mentioned with HJT and everything is hunky dory now.

    I believe this episode is ended thanks to you. Thank you so much for volunteering your time to help all of us.
     
  12. 2007/07/13
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Bill

    OK, that's good.

    Glad to help out.

    Geri
     
