Virtumonde/Smitfraud Returns (99?)



lobot
2008-08-28, 05:29
Spybot S&D and Windows Live OneCare discovered some files associated with Virtumonde/Smitfraud. I thought they had cleaned the mess sufficiently, but now every few hours OneCare quarantines another trojan. I ran the Kaspersky Online Scanner tonight and it found "C:\WINDOWS\system32\USER32.dll Infected: Trojan.Win32.Patched.bb". As I am uncertain how to handle this result, I figure I'd better ask the experts. Here is my HJT log... Please post any help at your earliest convenience.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:19 PM, on 8/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20861)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: awtrqjka - awtrQjKA.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--

pskelley
2008-08-28, 17:18
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.

I can see leftovers from both infections you mention and your feedback indicates hidden malware is likely there. If there is a downloader it can and will download more junk when you are online, so follow those instructions. We need to search first.

http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

Post only the C:\rapport.txt

Thanks

lobot
2008-08-28, 18:30
SmitFraudFix v2.341

Scan done at 11:23:32.03, Thu 08/28/2008
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wpabaln.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\me


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\me\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\me\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix
!!!Attention, following keys are not inevitably infected!!!

AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{C5AF49A2-94F3-42BD-F434-2604812C897D}"="jhsf8d984jief8dsfus98jkefn"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom NetXtreme Gigabit Ethernet for hp
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F0985E1A-5056-4AE7-9712-BA0F7C8936D4}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F0985E1A-5056-4AE7-9712-BA0F7C8936D4}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F0985E1A-5056-4AE7-9712-BA0F7C8936D4}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

pskelley
2008-08-28, 18:37
Thanks for returning your information. Smitfraudfix found the infection, and it also found this:
»»»»»»»»»»»»»»»»»»»»»»»» hosts
hosts file corrupted !
After we clean, in the next C:\rapport.txt, there may be a very large hosts file (items starting with 127.0.0.1) and I do not need to see it. Edit (remove) it from the C:\rapport.txt before you post it.

Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click SmitfraudFix.exe
Select 2 and hit Enter to delete infected files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Post the C:\rapport.txt and a new HJT log.

Describe how the computer is running now.

Thanks

lobot
2008-08-28, 19:18
SmitFraudFix v2.341

Scan done at 11:57:01.96, Thu 08/28/2008
Run from C:\Documents and Settings\me\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{C5AF49A2-94F3-42BD-F434-2604812C897D}"="jhsf8d984jief8dsfus98jkefn"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts
*Edited

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix

AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F0985E1A-5056-4AE7-9712-BA0F7C8936D4}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F0985E1A-5056-4AE7-9712-BA0F7C8936D4}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F0985E1A-5056-4AE7-9712-BA0F7C8936D4}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{C5AF49A2-94F3-42BD-F434-2604812C897D}"="jhsf8d984jief8dsfus98jkefn"



»»»»»»»»»»»»»»»»»»»»»»»» End

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:06:31, on 8/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20861)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wpabaln.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: awtrqjka - awtrQjKA.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
Shutdown was a little slower than normal and Firefox and the associated svchost seems to be using more cpu/ram than normal but other than that, the computer is acting fine.

pskelley
2008-08-28, 19:28
Thanks for returning your information and the feedback. You may delete Smitfraudfix from your computer; we are finished with that tool.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(you may leave this first item if you set it that way)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O20 - Winlogon Notify: awtrqjka - awtrQjKA.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

3) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

4) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Please add any comments you think will help.

Thanks

What version of Firefox are you running?
http://www.mozilla.com/en-US/firefox/
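
The two lines pskelley picks out in step 2 share one property: HijackThis marks the registered file as "(file missing)" or "(no file)", so the registry load point outlives the DLL that a scanner already removed. The script below is an added example, not code from this thread and not part of Trend Micro's HijackThis; it parses a subset of the HJT lines posted above (embedded here as constructed sample input) into structured entries and returns exactly those orphaned load points. The entry names, the `ORPHAN_MARKERS` strings and the `LOAD_POINTS` labels are my own choices for illustration.

```python
"""Triage HijackThis 2.0 log lines: report load points (Winlogon Notify,
SharedTaskScheduler, Run keys, ...) whose backing file is no longer on disk.
Added example for this thread; not a HijackThis component."""
import re

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: awtrqjka - awtrQjKA.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
"""

# Every HJT finding starts with a section code such as R0, O2, O20, O23.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# HijackThis appends these markers when the registered file is absent on disk.
ORPHAN_MARKERS = ("(file missing)", "(no file)")
# Human-readable names (my labels) for the load points this thread deals with.
LOAD_POINTS = {
    "O4": "autostart Run key",
    "O20": "Winlogon Notify DLL",
    "O22": "SharedTaskScheduler component",
}


def parse_hjt(text):
    """Return one dict per finding: section code, body, CLSID if any, orphan flag.
    Header lines, the running-process list and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append({
            "code": m.group("code"),
            "body": body,
            "clsid": clsid.group(0).upper() if clsid else None,
            "orphan": any(marker in body for marker in ORPHAN_MARKERS),
            "raw": raw.strip(),
        })
    return entries


def triage(text):
    """Return (raw_line, reason) for every load point whose file is gone.
    An orphaned load point does nothing by itself, but it is what a
    half-removed infection leaves behind and it belongs in the clean-up."""
    findings = []
    for e in parse_hjt(text):
        if e["orphan"]:
            where = LOAD_POINTS.get(e["code"], "load point " + e["code"])
            findings.append((e["raw"], f"orphaned {where}: registered file is missing"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run against the sample, `triage` returns the O20 and O22 lines and nothing else, which is the same selection the post above makes for "Fix Checked". The check is deliberately narrow: it keys on what HijackThis itself verified (file absent), not on how random an entry's name looks, so legitimate entries such as the Spybot BHO or the OneCare Run key are never flagged.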

lobot
2008-08-28, 21:34
Malwarebytes' Anti-Malware 1.25
Database version: 1092
Windows 5.1.2600 Service Pack 3

2:24:02 PM 8/28/2008
mbam-log-08-28-2008 (14-24-02).txt

Scan type: Full Scan (C:\|)
Objects scanned: 117403
Time elapsed: 1 hour(s), 35 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\56994b4f.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\BM6f6e1988.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
--

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:31:51, on 8/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20861)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
Firefox/3.0.1

pskelley
2008-08-28, 21:57
Thanks for returning your information and everything looks good from my end. What version of Spybot S&D are you running and are you keeping it fully immunized?
Spybot-S&D 1.6 has arrived! 8. July 2008
http://www.safer-networking.org/en/
http://www.safer-networking.org/en/news/2008-07-08.html

Let me see the results of a Kaspersky Online Scan (KOS)

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

lobot
2008-08-29, 03:45
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, August 28, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, August 28, 2008 21:44:06
Records in database: 1158226
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 82548
Threat name: 4
Infected objects: 33
Suspicious objects: 0
Duration of the scan: 01:19:48


File name / Threat name / Threats count
C:\WINDOWS\system32\USER32.dll/C:\WINDOWS\system32\USER32.dll Infected: Trojan.Win32.Patched.bb 28
C:\mIRC62\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 1
C:\Program Files\Compaq\mIRC62\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 1
C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Program Files\RaidenFTPD\raidenftpdsvcinstaller.exe Infected: not-a-virus:Server-FTP.Win32.Raiden 1
C:\Program Files\RaidenFTPD\rftpdservice.exe Infected: not-a-virus:Server-FTP.Win32.Raiden 1

The selected area was scanned.
--
I know you instructed me to change 'extended' to 'standard' database, but I didn't see an option for this.

pskelley
2008-08-29, 14:12
Kaspersky Online Scan (KOS)
Threat name: 4
Infected objects: 33 <<< I don't know what these are? I have no idea why the log is now showing those, it always does?

C:\Program Files\Mozilla Firefox\SmitfraudFix\ <<< delete that folder and contents.

Make sure you can view all files and folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Use one or more of these free online scanners to scan the files in red. Delete them if they are bad.

http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

C:\WINDOWS\system32\USER32.dll
C:\mIRC62\mirc.exe
C:\Program Files\Compaq\mIRC62\mirc.exe
C:\Program Files\RaidenFTPD\raidenftpdsvcinstaller.exe
C:\Program Files\RaidenFTPD\rftpdservice.exe

Run KOS again to see if you can show me the 33 "infected items" I have no idea what they are.

Thanks

lobot
2008-08-29, 22:25
Jotti's malware scan
F-Secure Anti-Virus Found Trojan.Win32.Patched.bb
Kaspersky Anti-Virus Found Trojan.Win32.Patched.bb
Panda Antivirus Found W32/Patched.D
Sophos Antivirus Found Troj/User32Hk-A

I'm unable to manually delete C:\WINDOWS\system32\USER32.dll (which accounts for 28 of the 33 infections). Is this a needed system file, or should I try again in safe mode perhaps?

As for the mIRC client and the FTP server, some scanners consider these 'riskware'. I don't think they are actually infected (not-a-virus?), but I will remove them and reinstall.

Spybot S&D is v1.6.0.31 updated 8/27 and immunization is armed.

On a side note, I've noticed that the clock in the taskbar has switched to 24-hour mode. Not a big deal, but maybe a result of the hijack?

Thanks so much for your patience.

pskelley
2008-08-29, 23:07
Thanks for the feedback, that file is no doubt infected, I want to collect some information before we proceed. Be very careful in the areas you are going to, just look, do not delete anything.

1) Do you have a Windows XP Operating System CD?

2) Click MyComputer > click Local Disk (C: ) > look for this folder > C:\I386 Open that folder and scroll to this file > USER32.DLL
Hold your mouse over it and it should say Windows XP USER API Client DLL (that is a spare file if we need it, we do not want to remove it from there but if need be we can make a copy of it).
Close that folder, I took you there so you will know where that file is, let me know that you located it.

3) Click MyComputer > click Local Disk (C: ) > click WINDOWS FOLDER > click SYSTEM32 folder Find the user32.dll file, if you mouse over it, the valid folder should have the same description as the one in the C:\I386. What I am looking for is another folder that would be beside or very near the valid one.
It may look like this:
C:\WINDOWS\system32\USER32.dllC:\WINDOWS\system32\USER32.dll
You can right click and click Properties and investigate.

Let me know what you find; do not rush and be very careful. All I can think is the hackers put another file there or they infected the valid file. The file size for the valid one should be 564 KB.

Thanks

http://www.ehow.com/how_4483170_time-regular-time-windows-xp.html
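
The comparison pskelley asks for in steps 2 and 3 (mouse over both copies, compare the description and the size) can be made exact: hash the live file and the spare copy and compare the digests. A file that has been patched in place keeps its size and its version description, so size alone cannot tell the two cases apart. The script below is an added example, not something from this thread or from Kaspersky; the two default paths are the ones the thread discusses (system32 and the ServicePackFiles\i386 spare), and the SHA-256 comparison is my method, not the helper's.

```python
"""Compare the live copy of a system DLL with the spare copy Windows keeps,
by size and SHA-256, instead of eyeballing the Properties dialog.
Added example for this thread; the default paths are the ones discussed
in it and are assumptions on any other machine."""
import hashlib
from pathlib import Path

LIVE_DLL = Path(r"C:\WINDOWS\system32\user32.dll")
SPARE_DLL = Path(r"C:\WINDOWS\ServicePackFiles\i386\user32.dll")


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so a large binary need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def describe_file(path):
    """Size and digest of one file on disk, or None if it is not there."""
    p = Path(path)
    if not p.is_file():
        return None
    return {"path": str(p), "size": p.stat().st_size, "sha256": sha256_file(p)}


def describe_bytes(data, label="<memory>"):
    """Same description for an in-memory blob (used for testing offline)."""
    return {"path": label, "size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def verdict(live, spare):
    """Classify two descriptions (either may be None for a missing file).
    'identical' is True only when both exist and the digests agree.
    Equal size with different digests is what an in-place patch looks like,
    which is why the size shown in Properties is not enough on its own."""
    result = {"live": live, "spare": spare, "identical": False, "note": ""}
    if live is None or spare is None:
        result["note"] = "one or both files are missing; nothing to compare"
    elif live["sha256"] == spare["sha256"]:
        result["identical"] = True
        result["note"] = "live copy matches the spare byte for byte"
    elif live["size"] == spare["size"]:
        result["note"] = "same size but different contents: consistent with an in-place patch"
    else:
        result["note"] = "different size and contents: replaced, or a different build"
    return result


def compare_copies(live_path, spare_path):
    """Read both files from disk and return the verdict dict."""
    return verdict(describe_file(live_path), describe_file(spare_path))


if __name__ == "__main__":
    v = compare_copies(LIVE_DLL, SPARE_DLL)
    for side in ("live", "spare"):
        info = v[side]
        print(side, "missing" if info is None else f"{info['size']} bytes  {info['sha256']}")
    print("identical:", v["identical"], "-", v["note"])
```

Two caveats when reading the result. A digest mismatch is evidence, not proof, of tampering: a later hotfix can legitimately update the live user32.dll while the ServicePackFiles copy stays at the service-pack build, so a mismatch should be followed up by checking the file's version resource and digital signature against a known-good source. And a match only says the two copies are the same; if the spare itself were tampered with, both would agree, which is why the thread also submits the spare copy to an independent scanner.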

lobot
2008-08-30, 03:45
1) I don't have an XP disc here but I'm sure I could borrow one if we need it.

2) I've located the file and inspected the file
C:\WINDOWS\ServicePackFiles\i386\user32.dll

3) I've located and inspected the file
C:\WINDOWS\system32\user32.DLL

Properties are the same on both 565 KB / Windows XP USER API Client DLL
Looked around and ran a search on C:\; I don't find anything else.
I've taken the liberty of running the i386\user32.dll through Kaspersky and it came up clean.

pskelley
2008-08-30, 14:11
Thanks for investigating for me, this is a bit of a puzzle. Besides the fact KOS is flagging that file:

File name / Threat name / Threats count
C:\WINDOWS\system32\USER32.dll/C:\WINDOWS\system32\USER32.dll
Infected: Trojan.Win32.Patched.bb 28

and the way you posted it confuses me also; was that copied directly from the KOS log? That is why I had you look for a file with that pathway. Besides the fact this item is being flagged, do you have any other issues with the computer?

Let's have combofix take a look, please follow these directions carefully.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log. Post also any information I requested above.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks...Phil

lobot
2008-08-30, 21:20
...and the way you posted it confuses me
Yes that was copied from the KOS log.


Besides the fact this item is being flagged, do you have any other issues with the computer.
Honestly, no the computer feels fine. Again thanks for your patience, this is a head scratcher. Here are the logs you requested.

ComboFix 08-08-29.02 - me 2008-08-30 13:22:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.556 [GMT -4:00]
Running from: C:\[LOBOT]\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\GhRAcfii.ini
C:\WINDOWS\system32\GhRAcfii.ini2
C:\WINDOWS\system32\mVFfefii.ini
C:\WINDOWS\system32\mVFfefii.ini2
C:\WINDOWS\system32\rcxbrtrw.ini
C:\WINDOWS\system32\vghcghny.ini
C:\WINDOWS\system32\vGNUCfhk.ini
C:\WINDOWS\system32\vGNUCfhk.ini2

.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-30 )))))))))))))))))))))))))))))))
.

2008-08-29 20:03 . 2008-08-29 20:03 4,608 --ahs---- C:\Thumbs.db
2008-08-28 12:39 . 2008-08-28 12:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-28 12:39 . 2008-08-28 12:39 <DIR> d-------- C:\Documents and Settings\me\Application Data\Malwarebytes
2008-08-28 12:39 . 2008-08-28 12:39 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-08-28 12:39 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-28 12:39 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-28 11:55 . 2008-08-28 11:55 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-28 11:23 . 2008-08-28 11:57 386 --a------ C:\WINDOWS\system32\tmp.reg
2008-08-27 21:47 . 2008-08-27 21:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-25 21:54 . 2007-11-27 22:56 91,328 --a------ C:\WINDOWS\system32\drivers\msfwdrv.sys
2008-08-25 21:53 . 2007-11-27 22:56 116,416 --a------ C:\WINDOWS\system32\drivers\msfwhlpr.sys
2008-08-25 21:50 . 2008-08-25 21:54 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-08-25 21:50 . 2008-05-15 16:15 53,168 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
2008-08-25 21:47 . 2008-08-30 04:03 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-08-25 18:47 . 2008-08-25 21:47 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-08-25 15:13 . 2008-08-25 15:13 578,560 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-08-25 15:13 . 2008-08-25 15:13 63,488 --a------ C:\WINDOWS\system32\gx.ak
2008-08-25 15:13 . 2008-08-25 15:13 32,768 --a------ C:\WINDOWS\system32\pol.art
2008-08-25 15:13 . 2008-08-25 15:13 28,672 --a------ C:\WINDOWS\system32\mn.hlpf
2008-08-25 15:13 . 2008-08-25 15:13 28,672 --a------ C:\WINDOWS\system32\cty.sp
2008-08-25 15:13 . 2008-08-25 15:13 28,672 --a------ C:\WINDOWS\system32\cnkl.sr
2008-08-25 15:13 . 2008-08-25 15:13 2 --a------ C:\1818045115
2008-08-14 13:34 . 2005-04-12 19:09 159,744 --a------ C:\WINDOWS\system32\WmJoyFrc.dll
2008-08-14 13:34 . 2005-04-12 19:21 45,504 --a------ C:\WINDOWS\system32\drivers\WmXlCore.sys
2008-08-14 13:34 . 2005-04-12 19:21 22,240 --a------ C:\WINDOWS\system32\drivers\WmFilter.sys
2008-08-14 13:34 . 2005-04-12 19:21 10,144 --a------ C:\WINDOWS\system32\drivers\WmBEnum.sys
2008-08-14 13:34 . 2005-04-12 19:21 5,600 --a------ C:\WINDOWS\system32\drivers\WmVirHid.sys
2008-08-14 13:33 . 2008-06-24 12:43 74,240 -----c--- C:\WINDOWS\system32\dllcache\mscms.dll
2008-08-14 13:32 . 2008-07-07 16:26 253,952 -----c--- C:\WINDOWS\system32\dllcache\es.dll
2008-08-14 13:31 . 2008-05-01 10:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 13:30 . 2008-04-11 15:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-05 18:59 . 2008-05-09 06:53 512,000 -----c--- C:\WINDOWS\system32\dllcache\jscript.dll
2008-08-05 18:59 . 2008-05-09 06:53 430,080 -----c--- C:\WINDOWS\system32\dllcache\vbscript.dll
2008-08-05 18:59 . 2008-05-09 06:53 180,224 -----c--- C:\WINDOWS\system32\dllcache\scrobj.dll
2008-08-05 18:59 . 2008-05-09 06:53 172,032 -----c--- C:\WINDOWS\system32\dllcache\scrrun.dll
2008-08-05 18:59 . 2008-05-08 07:24 155,648 -----c--- C:\WINDOWS\system32\dllcache\wscript.exe
2008-08-05 18:59 . 2008-05-09 04:45 135,168 -----c--- C:\WINDOWS\system32\dllcache\cscript.exe
2008-08-05 18:59 . 2008-05-09 06:53 90,112 -----c--- C:\WINDOWS\system32\dllcache\wshext.dll
2008-08-05 08:29 . 2008-05-07 01:12 1,288,192 -----c--- C:\WINDOWS\system32\dllcache\quartz.dll
2008-08-05 08:29 . 2008-06-20 07:51 361,600 -----c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2008-08-05 08:29 . 2008-06-13 07:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-05 08:29 . 2008-06-20 13:46 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-08-05 08:29 . 2008-06-20 07:08 225,856 -----c--- C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-08-05 08:29 . 2008-06-20 13:46 147,968 -----c--- C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-08-05 08:29 . 2008-06-20 07:40 138,496 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-08-05 04:30 . 2004-08-04 08:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-08-05 04:01 . 2008-08-05 04:01 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-05 03:54 . 2007-08-10 20:46 26,488 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-08-04 20:57 . 2008-04-13 20:11 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-07-21 16:14 . 2008-07-21 16:14 12,748 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-07-18 15:02 . 2008-07-18 15:02 230,664 --a------ C:\WINDOWS\system32\PDBoot.exe
2008-07-13 14:57 . 2008-07-13 14:57 <DIR> d-------- C:\Program Files\AC3Filter
2008-07-01 01:11 . 2007-09-26 16:51 1,069,206 --a------ C:\catseye2.jpg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-29 19:28 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-08-29 06:02 --------- d-----w C:\Program Files\Trillian
2008-08-28 20:37 --------- d-----w C:\Documents and Settings\me\Application Data\Canon
2008-08-25 19:07 --------- d-----w C:\Program Files\Winamp
2008-08-22 17:51 --------- d-----w C:\Program Files\Spybot
2008-08-15 06:39 --------- d-----w C:\Program Files\RaidenFTPD
2008-08-14 17:34 --------- d-----w C:\Program Files\Common Files\Logitech
2008-08-14 17:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-14 17:33 --------- d-----w C:\Program Files\Logitech
2008-07-19 06:02 --------- d-----w C:\Program Files\Xvid
2008-07-12 07:16 --------- d-----w C:\Program Files\BitTornado
.
Infected C:\WINDOWS\system32\user32.dll hex repaired


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2008-06-25 06:48 67112]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\onecaremp]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"NMIndexingService"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\FlashFXP\\flashfxp.exe"= C:\\Program Files\\FlashFXP\\FlashFXP.exe
--

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:12:52, on 8/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20861)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--

lobot
2008-08-30, 21:26
Damn, just realized that Combofix was run from a sub folder of my desktop!
I'm sure it's frustrating when people ask for your help and then don't follow directions, should I go ahead and run it again from the desktop?

pskelley
2008-08-30, 22:48
I'm sure it's frustrating when people ask for your help and then don't follow directions,
The frustrating thing is realizing it only takes one mistake and the computer can be rendered worthless. I am glad we ran combofix because it did find some Vundo leftovers in Other Deletions
but the most important thing is it repaired the file we were having trouble with:
Infected C:\WINDOWS\system32\user32.dll hex repaired

What I would like you to do is run combofix again where it is and post that log.

Thanks

lobot
2008-08-30, 23:18
ComboFix 08-08-29.02 - me 2008-08-30 16:05:04.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.605 [GMT -4:00]
Running from: C:\[LOBOT]\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-30 )))))))))))))))))))))))))))))))
.

2008-08-29 20:03 . 2008-08-29 20:03 4,608 --ahs---- C:\Thumbs.db
2008-08-28 12:39 . 2008-08-28 12:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-28 12:39 . 2008-08-28 12:39 <DIR> d-------- C:\Documents and Settings\me\Application Data\Malwarebytes
2008-08-28 12:39 . 2008-08-28 12:39 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-08-28 12:39 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-28 12:39 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-28 11:55 . 2008-08-28 11:55 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-28 11:23 . 2008-08-28 11:57 386 --a------ C:\WINDOWS\system32\tmp.reg
2008-08-27 21:47 . 2008-08-27 21:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-25 21:54 . 2007-11-27 22:56 91,328 --a------ C:\WINDOWS\system32\drivers\msfwdrv.sys
2008-08-25 21:53 . 2007-11-27 22:56 116,416 --a------ C:\WINDOWS\system32\drivers\msfwhlpr.sys
2008-08-25 21:50 . 2008-08-25 21:54 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-08-25 21:50 . 2008-05-15 16:15 53,168 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
2008-08-25 21:47 . 2008-08-30 04:03 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-08-25 18:47 . 2008-08-25 21:47 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-08-25 15:13 . 2008-08-25 15:13 578,560 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-08-25 15:13 . 2008-08-25 15:13 63,488 --a------ C:\WINDOWS\system32\gx.ak
2008-08-25 15:13 . 2008-08-25 15:13 32,768 --a------ C:\WINDOWS\system32\pol.art
2008-08-25 15:13 . 2008-08-25 15:13 28,672 --a------ C:\WINDOWS\system32\mn.hlpf
2008-08-25 15:13 . 2008-08-25 15:13 28,672 --a------ C:\WINDOWS\system32\cty.sp
2008-08-25 15:13 . 2008-08-25 15:13 28,672 --a------ C:\WINDOWS\system32\cnkl.sr
2008-08-25 15:13 . 2008-08-25 15:13 2 --a------ C:\1818045115
2008-08-14 13:34 . 2005-04-12 19:09 159,744 --a------ C:\WINDOWS\system32\WmJoyFrc.dll
2008-08-14 13:34 . 2005-04-12 19:21 45,504 --a------ C:\WINDOWS\system32\drivers\WmXlCore.sys
2008-08-14 13:34 . 2005-04-12 19:21 22,240 --a------ C:\WINDOWS\system32\drivers\WmFilter.sys
2008-08-14 13:34 . 2005-04-12 19:21 10,144 --a------ C:\WINDOWS\system32\drivers\WmBEnum.sys
2008-08-14 13:34 . 2005-04-12 19:21 5,600 --a------ C:\WINDOWS\system32\drivers\WmVirHid.sys
2008-08-14 13:33 . 2008-06-24 12:43 74,240 -----c--- C:\WINDOWS\system32\dllcache\mscms.dll
2008-08-14 13:32 . 2008-07-07 16:26 253,952 -----c--- C:\WINDOWS\system32\dllcache\es.dll
2008-08-14 13:31 . 2008-05-01 10:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 13:30 . 2008-04-11 15:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-05 18:59 . 2008-05-09 06:53 512,000 -----c--- C:\WINDOWS\system32\dllcache\jscript.dll
2008-08-05 18:59 . 2008-05-09 06:53 430,080 -----c--- C:\WINDOWS\system32\dllcache\vbscript.dll
2008-08-05 18:59 . 2008-05-09 06:53 180,224 -----c--- C:\WINDOWS\system32\dllcache\scrobj.dll
2008-08-05 18:59 . 2008-05-09 06:53 172,032 -----c--- C:\WINDOWS\system32\dllcache\scrrun.dll
2008-08-05 18:59 . 2008-05-08 07:24 155,648 -----c--- C:\WINDOWS\system32\dllcache\wscript.exe
2008-08-05 18:59 . 2008-05-09 04:45 135,168 -----c--- C:\WINDOWS\system32\dllcache\cscript.exe
2008-08-05 18:59 . 2008-05-09 06:53 90,112 -----c--- C:\WINDOWS\system32\dllcache\wshext.dll
2008-08-05 08:29 . 2008-05-07 01:12 1,288,192 -----c--- C:\WINDOWS\system32\dllcache\quartz.dll
2008-08-05 08:29 . 2008-06-20 07:51 361,600 -----c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2008-08-05 08:29 . 2008-06-13 07:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-05 08:29 . 2008-06-20 13:46 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-08-05 08:29 . 2008-06-20 07:08 225,856 -----c--- C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-08-05 08:29 . 2008-06-20 13:46 147,968 -----c--- C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-08-05 08:29 . 2008-06-20 07:40 138,496 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-08-05 04:30 . 2004-08-04 08:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-08-05 04:01 . 2008-08-05 04:01 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-05 03:54 . 2007-08-10 20:46 26,488 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-08-04 20:57 . 2008-04-13 20:11 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-07-21 16:14 . 2008-07-21 16:14 12,748 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-07-18 15:02 . 2008-07-18 15:02 230,664 --a------ C:\WINDOWS\system32\PDBoot.exe
2008-07-13 14:57 . 2008-07-13 14:57 <DIR> d-------- C:\Program Files\AC3Filter
2008-07-01 01:11 . 2007-09-26 16:51 1,069,206 --a------ C:\catseye2.jpg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-29 19:28 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-08-29 06:02 --------- d-----w C:\Program Files\Trillian
2008-08-28 20:37 --------- d-----w C:\Documents and Settings\me\Application Data\Canon
2008-08-25 19:13 578,560 ----a-w C:\WINDOWS\system32\user32.DLL
2008-08-25 19:07 --------- d-----w C:\Program Files\Winamp
2008-08-22 17:51 --------- d-----w C:\Program Files\Spybot
2008-08-15 06:39 --------- d-----w C:\Program Files\RaidenFTPD
2008-08-14 17:34 --------- d-----w C:\Program Files\Common Files\Logitech
2008-08-14 17:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-14 17:33 --------- d-----w C:\Program Files\Logitech
2008-07-19 06:02 --------- d-----w C:\Program Files\Xvid
2008-07-12 07:16 --------- d-----w C:\Program Files\BitTornado
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:01 827,904 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-09 08:45 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2008-06-25 06:48 67112]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\onecaremp]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"NMIndexingService"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\FlashFXP\\flashfxp.exe"= C:\\Program Files\\FlashFXP\\FlashFXP.exe
"C:\\Program Files\\RaidenFTPD\\raidenftpd.exe"=

R2 DUMeterSvc;DU Meter Service;C:\Program Files\DU Meter\DUMeterSvc.exe [2008-06-10 17:16]
R2 ochealthmon;Windows Live OneCare Health Monitor;C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe [2008-06-25 06:47]
R2 PD91Agent;PD91Agent;C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe [2008-07-18 15:02]
S1 56994b4f;56994b4f;C:\WINDOWS\system32\drivers\56994b4f.sys []
S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\ngrpci.sys [2001-08-17 03:42]
S3 PD91Engine;PD91Engine;C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe [2008-07-18 15:02]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\1z1jv5ck.default\
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-30 16:08:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\DUMeterSvc]
"ImagePath"="C:\Program Files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
.
Completion time: 2008-08-30 16:10:39
ComboFix-quarantined-files.txt 2008-08-30 20:10:26
ComboFix2.txt 2008-08-30 17:35:04

Pre-Run: 47,105,851,392 bytes free
Post-Run: 47,095,226,368 bytes free

154 --- E O F --- 2008-08-14 17:37:27

pskelley
2008-08-30, 23:30
That looks good. Before we remove combofix, would you check to make sure KOS is no longer flagging that item?

Thanks

lobot
2008-08-31, 00:10
KOS says it's clean. Any further steps I should take?

pskelley
2008-08-31, 00:24
Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

To be sure, let's clean System Restore files:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Safe surfing

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html

lobot
2008-08-31, 01:22
Thanks so much for all your help; your time is very much appreciated.
I will be making a donation.