Tiny.W32.abk - S&D detects but is unable to remove
Good day all,
A friend of mine has managed to catch on his laptop a virus which whenever he is connected to his wireless network sends out masses of mailings (not through Outlook but directly down a port, 25 I think). These are detected by Norton as outgoing mail, but not stopped. When he turns his wireless network off, Norton responds (eventually) with a message to say that the mail (of any obscene variety) has not been sent. The recipients are not know to my friend and are not in his address book.
The virus seems to be hooked into his network as I can connect his laptop to my wireless network which has a different default gateway ip address, without problems.
A full scan of Norton in safe mode shows nothing.
Ad-aware blues screens.
Spybot identifies the trojan as win32.tiny.ak and says it has removed it, but on reboot, it returns.
Combofix did not kill it and there is nothing of note in the HJT log.
It appears that this virus began in January when S&D issued a kill for it, but it has mutated and the current version is not killed.
I have searched all over the net for a fix and there are a lot of people with this problem, but I cannot fidn a fix other than to reinstall windows!
Any and all help gratefully received
Marc
ComboFix 08-03-03.16 - Tim 2008-03-03 22:08:18.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.466 [GMT 0:00]
Running from: C:\Documents and Settings\Tim\Desktop\Copy of ComboFix.exe
((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
2008-03-03 22:03 . 2008-03-03 22:07 <DIR> d-------- C:\ComboFix
2008-03-03 21:58 . 2004-08-04 05:00 388,608 --a------ C:\CF21830.exe
2008-03-02 14:28 . 2008-03-02 14:28 2 --a------ C:\WINDOWS\msoffice.ini
2008-03-01 08:37 . 2008-03-01 09:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-01 00:23 . 2008-03-01 00:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-01 00:23 . 2008-03-01 08:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-27 11:56 . 2008-02-27 11:56 <DIR> d-------- C:\sregmrg
2008-02-09 15:39 . 2008-02-09 15:37 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-09 15:37 . 2008-02-09 15:47 <DIR> d-------- C:\Documents and Settings\Tim\.housecall6.6
2008-02-08 21:14 . 2007-01-05 16:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-02-08 21:14 . 2007-01-05 16:36 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-02-08 21:14 . 2007-01-05 16:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ATI
2008-02-08 21:14 . 2007-12-31 16:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-02-08 21:14 . 2008-03-02 14:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-02-05 10:49 . 2008-02-05 10:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2008-02-05 10:48 . 2008-02-05 10:48 434,252 --a------ C:\WINDOWS\system32\MSVCRTD.DLL
2008-02-05 10:48 . 2008-02-05 10:48 216,576 --a------ C:\WINDOWS\system32\monln.dll
2008-02-05 10:45 . 2008-02-05 10:49 <DIR> d-------- C:\Program Files\Comodo
2008-02-05 10:45 . 2007-11-26 10:38 238,848 --a------ C:\WINDOWS\UNBOC.EXE
2008-02-05 10:45 . 2007-05-08 17:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2008-02-05 10:45 . 2004-08-04 05:00 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2008-03-02 21:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-02 18:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-02 14:28 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-02 14:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-02 14:25 --------- d-----w C:\Documents and Settings\Traf user\Application Data\AOL
2008-03-02 14:25 --------- d-----w C:\Documents and Settings\Caroline\Application Data\AOL
2008-03-02 14:25 --------- d-----w C:\Documents and Settings\Boys\Application Data\AOL
2008-03-02 14:23 --------- d-----w C:\Program Files\Sophos
2008-02-06 20:45 --------- d-----w C:\Program Files\Google
2008-02-05 15:44 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-02-05 10:48 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-02-05 10:48 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-02-05 10:48 1,060,864 ----a-w C:\WINDOWS\system32\MFC71.dll
2008-02-01 11:23 --------- d-----w C:\Documents and Settings\Traf user\Application Data\Symantec
2008-01-21 20:52 54,764 ----a-w C:\WINDOWS\system32\drivers\astq.tga
2008-01-21 20:07 --------- d-----w C:\Program Files\Cucusoft
2008-01-21 20:07 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-01-16 19:51 --------- d-----w C:\Documents and Settings\Caroline\Application Data\Apple Computer
2008-01-15 19:54 --------- d-----w C:\Documents and Settings\Caroline\Application Data\Symantec
2008-01-15 19:18 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-15 19:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-15 09:54 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-01-15 05:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-13 18:58 --------- d-----w C:\Documents and Settings\Boys\Application Data\Apple Computer
2008-01-12 18:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-01-12 12:18 --------- d-----w C:\Documents and Settings\Boys\Application Data\Symantec
2008-01-12 12:14 --------- d-----w C:\Program Files\Norton Internet Security
2008-01-11 21:56 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-01-11 21:56 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-01-11 21:56 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-11 21:56 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-01-11 21:56 --------- d-----w C:\Program Files\Symantec
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-01-10 22:06 --------- d-----w C:\Documents and Settings\Tim\Application Data\Symantec
2008-01-10 22:03 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-07 20:48 --------- d-----w C:\Documents and Settings\Boys\Application Data\CyberLink
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-08 05:21 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 11:01 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-06 11:00 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-12-06 11:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-06 04:59 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-10-25 09:09 168 --sh--r C:\WINDOWS\system32\44D8FB902D.sys
2007-10-25 09:10 5,486 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-25 03:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-02-06 21:54 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-25 03:51 316784]
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [ ]
"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-09-11 18:43 95536]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"SigmatelSysTrayApp"="stsystra.exe" [2006-09-22 11:06 282624 C:\WINDOWS\stsystra.exe]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12 90112]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-22 11:47 761947]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-08-23 16:14 1032192]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-01 04:48 1392640]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 20:29 49152]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-01-05 16:29 26112]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 19:05 1117184]
"WireLessMouse"="C:\Program Files\12018SC Multimedia Mouse Driver\StartAutorun.exe" [2005-11-30 12:48 94208]
"Lexmark X5100 Series"="C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe" [2003-03-04 12:49 86100]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 13:15 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 04:53 714608]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-01-05 16:22:44 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\WINDOWS\\system32\\ftp.exe"=
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-10 00:27]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-01-12 18:32]
S3 Symantec RemoteAssist;Symantec RemoteAssist;"C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe" [2008-01-29 16:09]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-10 00:27]
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-01-21 20:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Tim.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 22:09:59
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2008-03-03 22:10:28
2008-03-02 20:57:11 --- E O F ---
NOTE:We do NOT ask Users to run fixes before helpers have analyzed HJT/KAV scans
