Old 2008-03-19, 11:07   #1
Barbhk2007
Junior Member
 
Join Date: Mar 2008
Posts: 26
Help with virtumonde and smitfraud please

Hi there...

I ran S&D and it said I would need to get help here to manually remove Virtumonde Trojan and Smitfraud - C. Core Serv. Trojan. My symptoms are constant popups. I read "read this first" and I believe I have done as asked. Please let me know if I have not done anything correctly. I very much appreciate any help you can give me. Thank you. Barb

Enclosed I have copy and pasted Kaspersky Log and HJT Log:

KASPERSKY ONLINE SCANNER REPORT
Tuesday, March 18, 2008 10:19:57 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/03/2008
Kaspersky Anti-Virus database records: 636758


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 37446
Number of viruses found 3
Number of infected objects 16
Number of suspicious objects 0
Duration of the scan process 01:06:12

Infected Object Name Virus Name Last Action
C:\WINNT\system32\config\software.LOG Object is locked skipped

C:\WINNT\system32\config\default.LOG Object is locked skipped

C:\WINNT\system32\config\SECURITY Object is locked skipped

C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped

C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped

C:\WINNT\system32\config\SAM Object is locked skipped

C:\WINNT\system32\config\SAM.LOG Object is locked skipped

C:\WINNT\system32\config\SYSTEM Object is locked skipped

C:\WINNT\system32\config\SOFTWARE Object is locked skipped

C:\WINNT\system32\config\DEFAULT Object is locked skipped

C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped

C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped

C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped

C:\WINNT\system32\drivers\rdbsss.sys Object is locked skipped

C:\WINNT\system32\drivers\core.cache.dsk Object is locked skipped

C:\WINNT\Debug\PASSWD.LOG Object is locked skipped

C:\WINNT\Debug\oakley.log Object is locked skipped

C:\WINNT\Debug\ipsecpa.log Object is locked skipped

C:\WINNT\WindowsUpdate.log Object is locked skipped

C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINNT\SoftwareDistribution\EventCache\{B68D7614-028F-4A09-B30F-5BCD3CBB789B}.bin Object is locked skipped

C:\WINNT\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped

C:\WINNT\SchedLgU.Txt Object is locked skipped

C:\WINNT\CSC\00000001 Object is locked skipped

C:\WINNT\Sti_Trace.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Comodo\Personal Firewall\Logs\cpf.lock Object is locked skipped

C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temp\WebInstaller\Setup\SST\Data\VNC\MotVNC.exe/WISE0008.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped

C:\Documents and Settings\Administrator\Local Settings\Temp\WebInstaller\Setup\SST\Data\VNC\MotVNC.exe/WISE0009.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped

C:\Documents and Settings\Administrator\Local Settings\Temp\WebInstaller\Setup\SST\Data\VNC\MotVNC.exe WiseSFX: infected - 2 skipped

C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache2055.tmp/Baaaaa.class Infected: Trojan.Java.ClassLoader.ap skipped

C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache2055.tmp/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ap skipped

C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache2055.tmp/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ap skipped

C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache2055.tmp ZIP: infected - 3 skipped

C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache35733.tmp/Baaaaa.class Infected: Trojan.Java.ClassLoader.ap skipped

C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache35733.tmp/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ap skipped

C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache35733.tmp/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ap skipped

C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache35733.tmp ZIP: infected - 3 skipped

C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache6581.tmp/Baaaaa.class Infected: Trojan.Java.ClassLoader.ap skipped

C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache6581.tmp/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ap skipped

C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache6581.tmp/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ap skipped

C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache6581.tmp ZIP: infected - 3 skipped

C:\Documents and Settings\Administrator\Local Settings\Temp\~DFBD2E.tmp Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temp\~DFCE47.tmp Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-3-18-2008( 0-36-40 ).LOG Object is locked skipped

C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped

Scan process completed.
-------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:29:02 AM, on 3/19/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C097A09-2712-42F2-B3A1-BCBCD8270556} - C:\WINNT\system32\opnml.dll (file missing)
O2 - BHO: (no name) - {342DB5CD-0054-486D-B956-D5DAFC3B8150} - C:\Program Files\Accessories\nivydC:\WINNT\system32\z6\kiffs83122.exe.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7028AF58-72A8-4BB8-8319-7269CF134230} - C:\WINNT\system32\nnnoo.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [AntiSpyware] C:\Program Files\AntiSpyware\AntiSpyware.exe -boot
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: *.drivecleaner.com
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...lscbase370.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1202406028803
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/iw...amesplayer.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://gameadvisor.futuremark.com/global/msc311.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/game...utLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/game...nematycoon.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: khfddbb - khfddbb.dll (file missing)
O20 - Winlogon Notify: nnnoo - C:\WINNT\system32\nnnoo.dll (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\SBCSEL~1\SMARTB~1\SBHookSvc.exe

--
End of file - 8189 bytes
Old 2008-03-20, 11:50   #2
Shaba
Security Expert
 
 
Join Date: Oct 2006
Location: Finland
Posts: 28,470

Hi Barbhk2007

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report
__________________
Microsoft MVP Consumer Security 2008 2009

Member of ASAP and UNITE since 2006

Please don't use PMs for requesting help. The Forums are there for a reason.
Old 2008-03-20, 17:05   #3
Barbhk2007
Junior Member
 
Join Date: Mar 2008
Posts: 26
Combo fix Log

Thank you Shaba for replying. I have run Combo Fix and include the log below. After running the program it returned to my desktop to make the log, and when the log window was up I noticed my icons disappeared on the desktop but not my background pic. The log report came up, which I copied, and waited for the next step, but nothing happened, so I did the ctrl alt delete/task mgr/ and looked for the listed processes, which were not there. Not knowing what to do next I did ctrl/alt/delete and restarted the computer. This time everything came back up properly, including the below listed report. Oh, and after combo fix ran, there was a note that came up that said my registry size was too small and to adjust it to the maximum for Windows to run properly. I didn't know what that meant, so of course I didn't do anything. I'll wait for your next message. Thank you. Barb

ComboFix 08-03-18.1 - Administrator 03/20/2008 9:36:28.2 - FAT32x86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINNT\system32\drivers\core.cache.dsk . . . . failed to delete
C:\WINNT\system32\drivers\rdbsss.sys . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RDBSSS
-------\Service_rdbsss


((((((((((((((((((((((((( Files Created from 2008-02-20 to 2008-03-20 )))))))))))))))))))))))))))))))
.

2008-03-19 03:28 . 08-03-19 03:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-18 02:57 . 08-03-18 02:57 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2008-03-18 02:57 . 08-03-18 02:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2008-03-17 22:33 . 08-03-17 22:33 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-02-28 06:59 . 07-09-24 23:31 69,632 --a------ C:\WINNT\system32\javacpl.cpl
2008-02-28 06:57 . 08-02-28 06:57 <DIR> d-------- C:\Program Files\Java
2008-02-28 06:56 . 08-02-28 06:56 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-27 17:23 . 08-02-27 17:23 <DIR> d-------- C:\Program Files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-18 08:35 167,545 ------w C:\WINNT\system32\drivers\core.cache.dsk
2008-03-01 04:23 40,088 ----a-w C:\Program Files\larger2.jpg
2008-03-01 04:22 40,088 ----a-w C:\Program Files\New Audreylarger2.jpg
2008-02-12 22:45 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Comodo
2008-02-12 22:44 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2008-02-12 22:39 --------- d-----w C:\Program Files\Comodo
2008-02-12 22:04 6,193,264 ----a-w C:\Program Files\fwinstall.exe
2008-02-12 00:56 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2008-02-11 16:18 437,392 ----a-w C:\Program Files\msgr8us.exe
2008-02-11 15:21 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-11 14:09 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-02-11 14:09 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-11 14:09 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2008-02-11 14:06 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-09 09:36 --------- d-----w C:\Program Files\Enigma Software Group
2008-02-07 19:27 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AntiSpyware
2008-02-05 16:09 86,016 ------w C:\WINNT\system32\drivers\rdbsss.sys
2006-07-08 10:09 6,224,944 ----a-w C:\Program Files\pkreader.exe
2006-07-08 06:15 361,544,078 ----a-w C:\Program Files\GTA2INSTALLER.ZIP
2006-07-01 20:27 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-06-27 18:47 16,706,160 ----a-w C:\Program Files\AdbeRdr60_enu_full.exe
2006-06-15 07:50 762,512 ----a-w C:\Program Files\ytb612_efgsip.exe
2005-12-29 01:39 271 ---h--w C:\Program Files\desktop.ini
2005-12-29 01:39 21,952 ---h--w C:\Program Files\folder.htt
1999-12-07 20:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C097A09-2712-42F2-B3A1-BCBCD8270556}]
C:\WINNT\system32\opnml.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{342DB5CD-0054-486D-B956-D5DAFC3B8150}]
C:\Program Files\Accessories\nivydC:\WINNT\system32\z6\kiffs83122.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7028AF58-72A8-4BB8-8319-7269CF134230}]
C:\WINNT\system32\nnnoo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AntiSpyware"="C:\Program Files\AntiSpyware\AntiSpyware.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [08-03-04 15:33 1481968]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [07-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\system32\mobsync.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06-01-25 21:50 180269]
"YBrowser"="C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe" [06-07-21 16:19 129536]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-10-23 01:59 286720]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [08-02-12 14:39 1115728]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [07-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 07-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfddbb]
khfddbb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnoo]
C:\WINNT\system32\nnnoo.dll

R1 rdbsss;rdbsss;C:\WINNT\system32\drivers\rdbsss.sys [08-02-05 08:09 ]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [99-10-23 12:22 ]

*Newly Created Service* - RDBSSS
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-20 09:43:02
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
.
**************************************************************************
.
Completion time: 2008-03-20 9:48:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-20 17:48:24
ComboFix2.txt 2008-03-20 17:18:44
.
2008-03-12 08:39:12 --- E O F ---
Old 2008-03-20, 19:07   #4
Shaba
Security Expert
 
 
Join Date: Oct 2006
Location: Finland
Posts: 28,470

Hi

Please post also a fresh HijackThis log
Old 2008-03-21, 00:08   #5
Barbhk2007
Junior Member
 
Join Date: Mar 2008
Posts: 26

Shaba, as you requested:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:02:54 PM, on 3/20/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C097A09-2712-42F2-B3A1-BCBCD8270556} - C:\WINNT\system32\opnml.dll (file missing)
O2 - BHO: (no name) - {342DB5CD-0054-486D-B956-D5DAFC3B8150} - C:\Program Files\Accessories\nivydC:\WINNT\system32\z6\kiffs83122.exe.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7028AF58-72A8-4BB8-8319-7269CF134230} - C:\WINNT\system32\nnnoo.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [AntiSpyware] C:\Program Files\AntiSpyware\AntiSpyware.exe -boot
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: *.drivecleaner.com
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...lscbase370.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1202406028803
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/iw...amesplayer.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://gameadvisor.futuremark.com/global/msc311.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/game...utLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/game...nematycoon.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: khfddbb - khfddbb.dll (file missing)
O20 - Winlogon Notify: nnnoo - C:\WINNT\system32\nnnoo.dll (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\SBCSEL~1\SMARTB~1\SBHookSvc.exe

--
End of file - 8335 bytes
Old 2008-03-21, 14:50   #6
Shaba
Security Expert
 
 
Join Date: Oct 2006
Location: Finland
Posts: 28,470

Hi

We'll try again:

Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\WINNT\system32\drivers\core.cache.dsk
C:\WINNT\system32\drivers\rdbsss.sys

Driver::
rdbsss

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C097A09-2712-42F2-B3A1-BCBCD8270556}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{342DB5CD-0054-486D-B956-D5DAFC3B8150}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7028AF58-72A8-4BB8-8319-7269CF134230}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfddbb]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnoo]
Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happens we want to know, and also which process you had to end.
__________________
Microsoft MVP Consumer Security 2008 2009

Member of ASAP and UNITE since 2006

Please don't use PMs for requesting help. The Forums are there for a reason.
Old 2008-03-21, 17:59   #7
Barbhk2007
Junior Member
Join Date: Mar 2008
Posts: 26

Shaba, enclosed are both logs you requested. Is my firewall supposed to be off while running these programs? At the end of ComboFix my firewall says Combo is trying to alter some service thing; is it ok? I have to click yes before the report comes up. Is that ok? Also, after running Combo this time I have gone to sign on IE and it says can't find server, but Yahoo Messenger (which I don't use) comes up and I have to click allow a few times. I'm not sure if I'm connecting that way or if this all has anything to do with "anything." From the scans, it appears those infected files are not being deleted by Combo... is that the problem we're at right now? Sorry I'm not real knowledgeable about all this. Barb...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:01 AM, on 3/21/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [AntiSpyware] C:\Program Files\AntiSpyware\AntiSpyware.exe -boot
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: *.drivecleaner.com
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...lscbase370.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1202406028803
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/iw...amesplayer.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://gameadvisor.futuremark.com/global/msc311.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/game...utLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/game...nematycoon.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\SBCSEL~1\SMARTB~1\SBHookSvc.exe

--
End of file - 7931 bytes
---------------------------------------------------------

ComboFix 08-03-18.1 - Administrator 2008-03-21 10:21:13.4 - FAT32x86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINNT\system32\drivers\core.cache.dsk
C:\WINNT\system32\drivers\rdbsss.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINNT\system32\drivers\core.cache.dsk . . . . failed to delete
C:\WINNT\system32\drivers\rdbsss.sys . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RDBSSS
-------\Service_rdbsss


((((((((((((((((((((((((( Files Created from 2008-02-21 to 2008-03-21 )))))))))))))))))))))))))))))))
.

2008-03-19 03:28 . 08-03-19 03:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-18 02:57 . 08-03-18 02:57 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2008-03-18 02:57 . 08-03-18 02:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2008-03-17 22:33 . 08-03-17 22:33 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-02-28 06:59 . 07-09-24 23:31 69,632 --a------ C:\WINNT\system32\javacpl.cpl
2008-02-28 06:57 . 08-02-28 06:57 <DIR> d-------- C:\Program Files\Java
2008-02-28 06:56 . 08-02-28 06:56 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-27 17:23 . 08-02-27 17:23 <DIR> d-------- C:\Program Files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-18 08:35 167,545 ------w C:\WINNT\system32\drivers\core.cache.dsk
2008-03-01 04:23 40,088 ----a-w C:\Program Files\larger2.jpg
2008-03-01 04:22 40,088 ----a-w C:\Program Files\New Audreylarger2.jpg
2008-02-12 22:45 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Comodo
2008-02-12 22:44 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2008-02-12 22:39 --------- d-----w C:\Program Files\Comodo
2008-02-12 22:04 6,193,264 ----a-w C:\Program Files\fwinstall.exe
2008-02-12 00:56 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2008-02-11 16:18 437,392 ----a-w C:\Program Files\msgr8us.exe
2008-02-11 15:21 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-11 14:09 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-02-11 14:09 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-11 14:09 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2008-02-11 14:06 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-09 09:36 --------- d-----w C:\Program Files\Enigma Software Group
2008-02-07 19:27 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AntiSpyware
2008-02-05 16:09 86,016 ------w C:\WINNT\system32\drivers\rdbsss.sys
2006-07-08 10:09 6,224,944 ----a-w C:\Program Files\pkreader.exe
2006-07-08 06:15 361,544,078 ----a-w C:\Program Files\GTA2INSTALLER.ZIP
2006-07-01 20:27 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-06-27 18:47 16,706,160 ----a-w C:\Program Files\AdbeRdr60_enu_full.exe
2006-06-15 07:50 762,512 ----a-w C:\Program Files\ytb612_efgsip.exe
2005-12-29 01:39 271 ---h--w C:\Program Files\desktop.ini
2005-12-29 01:39 21,952 ---h--w C:\Program Files\folder.htt
1999-12-07 20:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AntiSpyware"="C:\Program Files\AntiSpyware\AntiSpyware.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [08-03-04 15:33 1481968]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [07-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\system32\mobsync.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06-01-25 21:50 180269]
"YBrowser"="C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe" [06-07-21 16:19 129536]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-10-23 01:59 286720]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [08-02-12 14:39 1115728]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [07-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 07-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R1 rdbsss;rdbsss;C:\WINNT\system32\drivers\rdbsss.sys [08-02-05 08:09 ]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [99-10-23 12:22 ]

*Newly Created Service* - RDBSSS
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-21 10:26:54
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
.
**************************************************************************
.
Completion time: 2008-03-21 10:29:21 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-03-21 18:29:14
ComboFix4.txt 2008-03-20 17:18:44
ComboFix3.txt 2008-03-20 17:48:36
ComboFix2.txt 2008-03-21 17:57:46
.
2008-03-12 08:39:12 --- E O F ---
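The ComboFix log above shows the real obstacle: both files in the `File::` list came back "failed to delete", and although the Drivers/Services section records the rdbsss service being removed, the loading-points section still lists `R1 rdbsss` pointing at the same file and marks it as a newly created service. The Python script below is an added example, not ComboFix's own code: it parses those three sections, works out which failed deletions are the image of a driver that is still loaded (a mapped driver image cannot be unlinked until the driver is unloaded or the machine reboots), and lists services that are running again after ComboFix removed them. The sample is a constructed excerpt of the log posted above; reading ComboFix's `R1`/`R3` prefixes as running/stopped plus start type is my interpretation of the log format, and `Plan`, `parse_combofix`, `explain_failures` and `recreated_services` are my names.

```python
"""Explain failed deletions in a ComboFix log by correlating them with still-loaded drivers.

Added example; not ComboFix code. SAMPLE_LOG is a constructed excerpt (three sections,
verbatim) of the ComboFix log posted in this thread.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINNT\system32\drivers\core.cache.dsk . . . . failed to delete
C:\WINNT\system32\drivers\rdbsss.sys . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RDBSSS
-------\Service_rdbsss

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
R1 rdbsss;rdbsss;C:\WINNT\system32\drivers\rdbsss.sys [08-02-05 08:09 ]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [99-10-23 12:22 ]

*Newly Created Service* - RDBSSS
"""

SECTION_RE = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$")
FAILED_RE = re.compile(r"^(?P<path>.+?) \. \. \. \. failed to delete$")
# "R1 name;display;image [date]" -- assumption: R/S = running/stopped, the digit = service start type
DRIVER_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<svc>[^;]+);(?P<display>[^;]*);(?P<image>.+?) \[")
REMOVED_RE = re.compile(r"^-------\\(?:Legacy_|Service_)(?P<svc>\S+)$")
NEW_SVC_RE = re.compile(r"^\*Newly Created Service\* - (?P<svc>\S+)$")


@dataclass
class Plan:
    deleted: list = field(default_factory=list)
    failed: list = field(default_factory=list)
    drivers: dict = field(default_factory=dict)   # image path (lower-cased) -> (svc, state, start)
    removed_services: set = field(default_factory=set)
    new_services: set = field(default_factory=set)


def parse_combofix(text: str) -> Plan:
    plan, section = Plan(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue  # ComboFix pads sections with lone "." lines
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section == "Other Deletions":
            m = FAILED_RE.match(line)
            if m:
                plan.failed.append(m.group("path"))
            else:
                plan.deleted.append(line)
        elif section == "Drivers/Services":
            m = REMOVED_RE.match(line)
            if m:
                plan.removed_services.add(m.group("svc").lower())
        elif section == "Reg Loading Points":
            m = DRIVER_RE.match(line)
            if m:
                plan.drivers[m.group("image").lower()] = (m.group("svc"), m.group("state"), int(m.group("start")))
                continue
            m = NEW_SVC_RE.match(line)
            if m:
                plan.new_services.add(m.group("svc").lower())
    return plan


def explain_failures(plan: Plan) -> dict:
    """Map each 'failed to delete' path to the reason and the action that follows from it."""
    reasons = {}
    for path in plan.failed:
        drv = plan.drivers.get(path.lower())
        if drv and drv[1] == "R":
            svc, _, start = drv
            reasons[path] = (f"image of loaded kernel driver '{svc}' (start type {start}); a mapped driver "
                             "image cannot be deleted, so remove the service and delete the file at boot")
        else:
            reasons[path] = "not a registered driver image; assumed held open by something else, delete at boot"
    return reasons


def recreated_services(plan: Plan) -> list:
    """Services ComboFix removed that are nevertheless running again and flagged as newly created."""
    running = {svc.lower() for svc, state, _ in plan.drivers.values() if state == "R"}
    return sorted(plan.removed_services & running & plan.new_services)


if __name__ == "__main__":
    plan = parse_combofix(SAMPLE_LOG)
    for path, why in explain_failures(plan).items():
        print(f"{path}\n    {why}")
    print("re-created after removal:", recreated_services(plan))
```

On this log the script reports rdbsss.sys as the image of a loaded, system-start driver and rdbsss as a service that was removed yet is running again, which is the case for the boot-time deletion Shaba moves to in the next post rather than another ComboFix run.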
Old 2008-03-23, 12:35   #8
Shaba
Security Expert
Join Date: Oct 2006
Location: Finland
Posts: 28,470

Hi, and sorry for the delay.

"Is my firewall suppose to be off while running these programs?"

No.

"Also after running combo this time I have gone to sign on IE and it says can't find server but Yahoo messenger (which I don't use) comes up and I have to click allow a few times. I'm not sure if I'm connecting that way or if this all has anything to do with "anything.""

Try to reboot before that.

" From the scans, it appears those infected files are not being deleted by Combo...is that the problem we're at right now?"

Yes.

Download Avenger by Swandog and unzip it to your Desktop.

Note: This programme must be run from an account with Administrator privileges.
  • Open the Avenger folder and double click Avenger.exe to launch the programme.
  • Copy the text in the code box below and Paste it into the Input script here: box.
Code:
Files to delete:
C:\WINNT\system32\drivers\core.cache.dsk
C:\WINNT\system32\drivers\rdbsss.sys

Drivers to delete:
rdbsss
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  • Ensure the following:
    • Scan for Rootkits is checked.
    • Automatically disable any rootkits found is Unchecked.
  • Press the Execute key.
  • Avenger will now process the script you've pasted (this may involve more than one reboot); when finished, it will produce a log file.
  • Post the log back here please along with a fresh HijackThis log. (it can also be found at C:\avenger.txt)

Last edited by Shaba; 2008-03-23 at 14:57.
Old 2008-03-23, 14:55   #9
Barbhk2007
Junior Member
Join Date: Mar 2008
Posts: 26

hi Shaba....

When I press the Execute button on Avenger it gives me an error note saying "Invalid script. A valid script begins with a command directive. Aborting execution." I even repasted the code to make sure I did it right and it gave the same message. Thanks for your help, I'll wait for your reply.

Barb...
Old 2008-03-23, 14:58   #10
Shaba
Security Expert
Join Date: Oct 2006
Location: Finland
Posts: 28,470

Hi

My bad, I edited it.

Copy the entire contents of the code box and it should go fine.
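Posts #6 and #8 aim at the same two files and the same driver with two different removal-script formats: ComboFix's CFScript (`File::`, `Driver::` and `Registry::` headers, with regedit-style `[-key]` meaning delete the key) and Avenger's (`Files to delete:`, `Drivers to delete:`). The message quoted in post #9, "Invalid script. A valid script begins with a command directive.", is what Avenger gives when the first non-blank line of the pasted text is not one of its headers; the script shown in post #8 is the version Shaba edited afterwards. The Python script below is an added example, not ComboFix's or Avenger's own code: it parses both formats into one action list so the two scripts can be compared, and reproduces the opening-directive check. The two sample scripts are the ones posted above; the CFScript headers and the two Avenger headers are the ones on this page, while the three further Avenger headers (`Folders to delete:`, `Registry keys to delete:`, `Registry values to delete:`) are from my recollection of Avenger's documentation and are an assumption. `parse_cfscript`, `parse_avenger`, `avenger_script_error` and `targets` are my names; ComboFix's `~` abbreviation inside registry paths is kept verbatim, not expanded.

```python
"""Parse CFScript (ComboFix) and Avenger removal scripts into one action list.

Added example; not ComboFix or Avenger code. The two sample scripts are the ones
posted in this thread.
"""
import re

CFSCRIPT = r"""File::
C:\WINNT\system32\drivers\core.cache.dsk
C:\WINNT\system32\drivers\rdbsss.sys

Driver::
rdbsss

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C097A09-2712-42F2-B3A1-BCBCD8270556}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfddbb]
"""

AVENGER_SCRIPT = r"""Files to delete:
C:\WINNT\system32\drivers\core.cache.dsk
C:\WINNT\system32\drivers\rdbsss.sys

Drivers to delete:
rdbsss
"""

CF_HEADERS = {"File::": "delete_file", "Driver::": "delete_driver", "Registry::": "registry"}
AVENGER_HEADERS = {
    "Files to delete:": "delete_file",
    "Drivers to delete:": "delete_driver",
    # The three below do not appear on this page; assumption from Avenger's documentation.
    "Folders to delete:": "delete_folder",
    "Registry keys to delete:": "delete_regkey",
    "Registry values to delete:": "delete_regvalue",
}
REG_DELETE_KEY = re.compile(r"^\[-(?P<key>.+)\]$")   # regedit syntax: [-key] deletes the key


def _lines(text):
    """Non-blank, stripped lines in order."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield line


def parse_cfscript(text: str) -> list:
    """Return (action, target) tuples. Registry:: content is regedit-style; only [-key] is interpreted."""
    actions, mode = [], None
    for line in _lines(text):
        if line in CF_HEADERS:
            mode = CF_HEADERS[line]
            continue
        if mode is None:
            raise ValueError(f"CFScript line before any header: {line}")
        if mode == "registry":
            m = REG_DELETE_KEY.match(line)
            # ComboFix's ~ abbreviation inside the key path is kept verbatim.
            actions.append(("delete_regkey", m.group("key")) if m else ("registry_raw", line))
        else:
            actions.append((mode, line))
    return actions


def parse_avenger(text: str) -> list:
    """Return (action, target) tuples; refuse a script that does not open with a header."""
    actions, mode = [], None
    for line in _lines(text):
        if line in AVENGER_HEADERS:
            mode = AVENGER_HEADERS[line]
            continue
        if mode is None:
            # The condition behind the message quoted in post #9.
            raise ValueError("Invalid script. A valid script begins with a command directive.")
        actions.append((mode, line))
    return actions


def avenger_script_error(text: str):
    """None if the script parses, otherwise the error message Avenger would show."""
    try:
        parse_avenger(text)
    except ValueError as exc:
        return str(exc)
    return None


def targets(actions: list, action: str) -> set:
    """Case-insensitive set of targets for one action type, for comparing the two scripts."""
    return {t.lower() for a, t in actions if a == action}


if __name__ == "__main__":
    cf, av = parse_cfscript(CFSCRIPT), parse_avenger(AVENGER_SCRIPT)
    for name, acts in (("CFScript", cf), ("Avenger", av)):
        print(name)
        for a, t in acts:
            print(f"  {a:15} {t}")
    print("same files:", targets(cf, "delete_file") == targets(av, "delete_file"))
    print(avenger_script_error("C:\\WINNT\\system32\\drivers\\rdbsss.sys\nDrivers to delete:\nrdbsss"))
```

The comparison confirms the Avenger script carries over exactly the file and driver targets of the CFScript, minus the registry keys (ComboFix had already handled those, as the later HijackThis log with no orphaned O20 entries shows). Feeding `avenger_script_error` a paste that starts at a file path instead of a header yields the same message the user saw.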
Copyright © 2000-2009 Safer Networking Limited. All rights reserved.