View Full Version : Both Virtumonde and Smitfraud
Hello,
My computer seems to be infected with Virtumonde and Smitfraud (and could be few others as well). I checked on the forum and saw other procedures for removing them, but i didn't want to start with the combofix without asking in the forum first. I did install the AVG freeware and also have capttued the HijackThis log. I am including it in the post. In another post, I noticed that a log for the Uninstall Manger from the HijackThis was also requested, so I am adding it here as well. Your help is greatly appreicated.
**************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:51 PM, on 11/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
F:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
F:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - F:\Program Files\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {41838D59-9092-4E97-92A3-CBB11EC7A9A0} - (no file)
O2 - BHO: {8371a256-a05a-abca-fbb4-533906b17d3c} - {c3d71b60-9335-4bbf-acba-a50a652a1738} - C:\WINDOWS\system32\ujkumr.dll (file missing)
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SuperAdBlocker] F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTSInstallers/MetaStream3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: ujkumr.dll,avgrsstx.dll
O20 - Winlogon Notify: !SABWinLogon - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
--
End of file - 6570 bytes
******************************************************
******************************************************
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Advanced Sound Recorder v6.0
Age of Empires III
AGEIA PhysX v7.07.09
Alibre Design
Alibre Design Help
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI HydraVision
ATI Parental Control & Encoder
ATT-AACE
AVG Free 8.0
AVIVO Codecs
Black Thorn
Call of Duty(R) 2
CAMtastic 2000 Designers Edition
Commandos 3 - Destination Berlin
Cool Edit 2000
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
EasyRecorder 5.5
eDrawings 2007
Enhancement Browser Tools Agadoo
FLV Player 2.0, build 23
FLV to AVI MPEG WMV 3GP MP4 iPod Converter 3.2.0607
GIMP 2.4.6
Google SketchUp 6
Google SketchUp 6
Groove
Hamachi 1.0.2.1
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Medal of Honor Airborne Demo
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft MSDN 2005 Express Edition - ENU
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C# 2005 Express Edition - ENU
Microsoft Visual C# 2005 Express Edition - ENU
Microsoft Visual C# 2005 Express Edition - ENU Service Pack 1 (KB926749)
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.3)
Mozilla Thunderbird (2.0.0.9)
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
P-CAD 2001
PDFCreator
PDFCreator Toolbar
Pro/ENGINEER Release Wildfire Datecode 2002280
PTC Conference Server Release Wildfire Datecode 2002280
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Registry Mechanic 6.0
Security Task Manager 1.7f
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
SimCity 4 Deluxe
SolidWorks 2003
Spybot - Search & Destroy
Spyware Doctor 6.0
Super Ad Blocker
T-Utility Fan Control
T-Utility Hardware Monitor
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
VCW VicMan's Photo Editor 8.1
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Web Photo Album 0.9 Beta
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Xvid 1.1.3 final uninstall
Yahoo! Internet Mail
Yahoo! Messenger
******************************************************
pskelley
2008-11-24, 23:21
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested: https://psi.secunia.com/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.
Adobe Reader 8.1.2 <<< out of date and being exploited, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows
http://www.foxitsoftware.com/pdf/rd_intro.php
Viewpoint Manager (Remove Only)
Viewpoint Media Player
For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546
Codec <<< I see you are downloaded these and many infections especially Smitfraud can occur, see this information:
http://forums.spybot.info/showthread.php?t=7344
We need to collect some information first:
http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.
Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm
Post only the C:\rapport.txt
Thanks
Thank you for looking into it. I had downloaded the AVG and since then it seems like the smitfraud may have been removed (spybot no longer shows it). But, I ran the smitfraudfix as you asked for, and here's the rapport.txt file content. I think I still have the Virtumonde because spybot still shows it.
****************************************************
SmitFraudFix v2.378
Scan done at 18:12:57.59, Tue 11/25/2008
Run from C:\Documents and Settings\Admin\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\notepad.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Admin
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Admin\LOCALS~1\Temp
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Admin\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Admin\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!
o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!
404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="ujkumr.dll,avgrsstx.dll"
"LoadAppInit_DLLs"=dword:00000001
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» RK
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{7636219B-D60D-4FA7-B8CC-308DB6E33444}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7636219B-D60D-4FA7-B8CC-308DB6E33444}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7636219B-D60D-4FA7-B8CC-308DB6E33444}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
pskelley
2008-11-26, 00:30
Thanks for returning your information and right your are. Smitfraudfix is showing nothing. You may remove (delete) it from your computer.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Thanks
I think AVG removed it after I did a scan. After a I a reboot after finishing the scan in AVG, I noticed I was no longer getting IE popped open automatically.
Here is the result from the ComboFix:
-----------------------------------
ComboFix 08-11-26.01 - Admin 2008-11-25 19:28:01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1580 [GMT -5:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\temp\tn3
c:\windows\system32\fnqhzo.dll
c:\windows\system32\GgjjPqss.ini
c:\windows\system32\GgjjPqss.ini2
c:\windows\system32\jorbtmuo.dll
c:\windows\system32\rjveshut.dll
c:\windows\system32\x4
.
((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.
2008-11-25 18:11 . 2008-11-25 18:12 1,340 --a------ c:\windows\system32\tmp.reg
2008-11-25 18:10 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-25 18:10 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-25 18:10 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-11-25 18:10 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-11-25 18:10 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-25 18:10 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-11-25 18:10 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-11-25 18:10 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-25 18:10 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-11-25 18:10 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-11-23 09:20 . 2008-11-23 09:30 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-23 09:07 . 2008-11-25 17:45 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-23 09:07 . 2008-11-23 09:07 <DIR> d-------- c:\program files\AVG
2008-11-23 09:07 . 2008-11-23 09:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-23 09:07 . 2008-11-23 09:07 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-23 09:07 . 2008-11-23 09:07 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-23 09:07 . 2008-11-23 09:07 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-22 12:19 . 2008-11-22 12:19 <DIR> d-------- c:\windows\system32\URTTemp
2008-11-22 12:19 . 2008-11-22 12:19 <DIR> d-------- c:\documents and settings\Admin\Application Data\SuperAdBlocker.com
2008-11-22 11:35 . 2008-11-22 11:35 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-11-22 11:33 . 2008-11-22 11:33 <DIR> d-------- c:\windows\ERUNT
2008-11-22 11:33 . 2008-11-22 11:33 <DIR> d-------- C:\SDFix
2008-11-22 11:29 . 2008-11-23 09:07 <DIR> d-------- c:\documents and settings\Administrator
2008-11-22 11:15 . 2008-11-22 14:36 <DIR> d-------- c:\program files\Spyware Doctor
2008-11-22 11:15 . 2008-11-22 11:15 <DIR> d-------- c:\documents and settings\Admin\Application Data\PC Tools
2008-11-22 11:15 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-11-22 11:15 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-11-22 11:15 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-11-22 11:15 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-11-22 10:17 . 2008-11-22 12:18 503 --a------ c:\windows\wininit.ini
2008-11-22 09:36 . 2008-11-22 11:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-22 09:22 . 2008-11-22 09:22 <DIR> d-------- c:\windows\system32\mp
2008-11-22 09:22 . 2008-11-22 14:07 <DIR> d-------- c:\windows\system32\ID2
2008-11-22 09:22 . 2008-11-22 14:07 <DIR> d-------- c:\windows\system32\gp2
2008-11-22 09:22 . 2008-11-22 14:07 <DIR> d-------- c:\windows\system32\dim
2008-11-22 09:22 . 2008-11-22 09:22 <DIR> d-------- c:\temp\FT62
2008-11-22 09:22 . 2008-11-25 19:28 <DIR> d-------- C:\Temp
2008-11-22 09:22 . 2008-11-22 09:22 29,184 --a------ c:\windows\system32\MSINET.oca
2008-11-22 09:22 . 2008-11-22 09:22 2,407 --a------ c:\windows\system32\MSINET.DEP
2008-11-12 22:34 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 22:34 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-25 23:12 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-23 13:26 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-22 17:18 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-13 03:51 18,320 ----a-w c:\documents and settings\Admin\Application Data\GDIPFONTCACHEV1.DAT
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 00:17 --------- d-----w c:\documents and settings\Admin\Application Data\gtk-2.0
2008-10-19 02:30 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2008-10-16 12:03 --------- d-----w c:\program files\Common Files\Motive
2008-10-16 12:03 --------- d-----w c:\program files\ATT
2008-10-16 12:03 --------- d-----w c:\documents and settings\All Users\Application Data\Motive
2008-03-16 18:04 2 --shatr c:\windows\winstart.bat
2008-08-02 12:10 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080220080803\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-23 1234712]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-14 c:\windows\RTHDCPL.exe]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}"= "f:\program files\SuperAdBlocker.com\Super Ad Blocker\SABSEHB.DLL" [2006-11-07 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
2007-08-01 09:28 176128 f:\program files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ujkumr.dll,avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"f:\\Program Files\\Eidos\\Pyro Studios\\Commandos 3 - Destination Berlin\\commandos3.exe"=
"f:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"f:\\Program Files\\Groove Networks\\Groove\\Bin\\Groove.exe"=
"f:\\Program Files\\proeWildfire\\i486_nt\\nms\\nmsd.exe"=
"f:\\Program Files\\proeWildfire\\i486_nt\\obj\\proevconf.exe"=
"f:\\Program Files\\Games\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-23 97928]
R1 BIOS;BIOS;\??\c:\windows\system32\drivers\BIOS.sys [2007-02-24 13696]
R1 BS_I2cIo;BS_I2cIo;\??\c:\windows\system32\drivers\BS_I2cIo.sys [2007-02-24 8192]
R1 SABDIFSV;SABDIFSV;\??\f:\program files\SuperAdBlocker.com\Super Ad Blocker\SABDIFSV.SYS [2005-09-21 5632]
R1 SABKUTIL;SABKUTIL;\??\f:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [2007-02-20 32256]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-23 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-23 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-23 76040]
S1 atinmdxxx;atinmdxxx;c:\windows\system32\drivers\atinmdxxx.sys []
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys []
S4 GrooveInstallerService;Groove Installer Service;f:\program files\Groove Networks\Groove\Bin\GrooveInstallerService.exe [2007-04-28 75328]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - d:\setup\rsrc\autorun.exe
\Shell\dinstall\command - d:\directx\dxsetup.exe
.
Contents of the 'Scheduled Tasks' folder
2008-11-02 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- f:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
2007-11-28 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- f:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
.
- - - - ORPHANS REMOVED - - - -
BHO-{41838D59-9092-4E97-92A3-CBB11EC7A9A0} - (no file)
BHO-{c3d71b60-9335-4bbf-acba-a50a652a1738} - c:\windows\system32\ujkumr.dll
ShellExecuteHooks-{F552DDE6-2090-4bf4-B924-6141E87789A5} - (no file)
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\snarwbm4.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
FF -: plugin - f:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF -: plugin - f:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - f:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
FF -: plugin - f:\program files\DivX\DivX Web Player\npdivx32.dll
FF -: plugin - f:\program files\Mozilla Firefox\plugins\npnul32.dll
FF -: plugin - f:\program files\Mozilla Firefox\plugins\nppl3260.dll
FF -: plugin - f:\program files\Mozilla Firefox\plugins\nprjplug.dll
FF -: plugin - f:\program files\Mozilla Firefox\plugins\nprpjplug.dll
FF -: plugin - f:\program files\QuickTime\Plugins\npqtplugin.dll
FF -: plugin - f:\program files\QuickTime\Plugins\npqtplugin2.dll
FF -: plugin - f:\program files\QuickTime\Plugins\npqtplugin3.dll
FF -: plugin - f:\program files\QuickTime\Plugins\npqtplugin4.dll
FF -: plugin - f:\program files\QuickTime\Plugins\npqtplugin5.dll
FF -: plugin - f:\program files\QuickTime\Plugins\npqtplugin6.dll
FF -: plugin - f:\program files\QuickTime\Plugins\npqtplugin7.dll
FF -: plugin - f:\program files\RealPlayer\Netscape6\nppl3260.dll
FF -: plugin - f:\program files\RealPlayer\Netscape6\nprjplug.dll
FF -: plugin - f:\program files\RealPlayer\Netscape6\nprpjplug.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-25 19:30:55
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(712)
f:\program files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(768)
c:\windows\system32\nvappfilter.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
f:\program files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-25 19:34:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-26 00:33:56
Pre-Run: 30,182,756,352 bytes free
Post-Run: 30,797,615,104 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
202 --- E O F --- 2008-11-13 04:18:51
pskelley
2008-11-26, 01:57
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
Post the requested Hijackthis log before I can continue.
:santa:
Sorry, I didn't notice it in your post. Here it is:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:28:21, on 11/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - F:\Program Files\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: ujkumr.dll,avgrsstx.dll
O20 - Winlogon Notify: !SABWinLogon - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
--
End of file - 5770 bytes
pskelley
2008-11-26, 12:26
Thanks for posting the HJT log, read and follow alll directions carefully and in the numbered order.
1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
2) Open notepad and copy/paste the text in the codebox below into it:
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
"AppInit_DLLs"="avgrsstx.dll"
Folder::
C:\SDFix
c:\documents and settings\All Users\Application Data\Viewpoint
c:\documents and settings\All Users\Application Data\Trymedia
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)
3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O20 - AppInit_DLLs: ujkumr.dll,avgrsstx.dll <<< may be gone
Close all programs but HJT and all browser windows, then click on "Fix Checked"
4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
5) DownloadMalwarebytes' Anti-Malwareto yourDesktop
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html
How is the computer running now?
Thanks
Hello PSKelly,
Here's the log from the ComboFix with the CFScript and the HJT after that. In my next post, I will put the log fromt he MBAM and HJT. One thing I should mention is that first time when I ran the Combofix with the CFScript, I realized that I didn't disable the AVG Resident shield. So, I let ComboFix finish, then disabled the AVG and ran steps again. The log here is from running ComboFix with the AVG running. I also copied the log from running the Combofix the second time. I can post that if you need it.
------------------------------------------
------------------ ComboFix ---------------------------------
ComboFix 08-11-26.01 - Admin 2008-11-27 8:42:32.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1587 [GMT -5:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Trymedia
c:\documents and settings\All Users\Application Data\Trymedia\data\{00745072-B373-E166-3C31-5A47D2D88193}
c:\documents and settings\All Users\Application Data\Trymedia\data\{2DA1A51F-C9FF-6FDE-93FC-55A8D033F011}
c:\documents and settings\All Users\Application Data\Trymedia\data\{33920AC5-578E-727D-1A02-FDB862EB735E}
c:\documents and settings\All Users\Application Data\Trymedia\data\{5D32AFE0-F011-2C9D-A0AB-189A86585FB9}
c:\documents and settings\All Users\Application Data\Trymedia\data\{855FFF31-577D-DD08-DAFD-76B63F606B41}
c:\documents and settings\All Users\Application Data\Trymedia\data\{95F4DE04-AAB1-2F7E-F78D-951B04CA15F6}
c:\documents and settings\All Users\Application Data\Trymedia\data\{B8120112-55FE-5939-C536-E09097A61828}
c:\documents and settings\All Users\Application Data\Trymedia\data\{DAC41050-1A03-6A0C-B118-2078EAA0F017}
c:\documents and settings\All Users\Application Data\Viewpoint
C:\SDFix
c:\sdfix\SDFix\Add_DBFix_RunOnce_key.inf
c:\sdfix\SDFix\apps\assosfix.reg
c:\sdfix\SDFix\apps\Cghtme.exe
c:\sdfix\SDFix\apps\cliptext.exe
c:\sdfix\SDFix\apps\DBFix.inf
c:\sdfix\SDFix\apps\download.exe
c:\sdfix\SDFix\apps\dummy.sys
c:\sdfix\SDFix\apps\Enable_Command_Prompt.inf
c:\sdfix\SDFix\apps\Enable_Command_Prompt.reg
c:\sdfix\SDFix\apps\ERDNT.E_E
c:\sdfix\SDFix\apps\ERDNTDOS.LOC
c:\sdfix\SDFix\apps\ERDNTWIN.LOC
c:\sdfix\SDFix\apps\ERUNT.EXE
c:\sdfix\SDFix\apps\ERUNT.LOC
c:\sdfix\SDFix\apps\fix.reg
c:\sdfix\SDFix\apps\FixBeep.reg
c:\sdfix\SDFix\apps\FixBH.reg
c:\sdfix\SDFix\apps\FixComponents.reg
c:\sdfix\SDFix\apps\FIXCU.reg
c:\sdfix\SDFix\apps\FIXLM.reg
c:\sdfix\SDFix\apps\FixPath.exe
c:\sdfix\SDFix\apps\FixRedir.reg
c:\sdfix\SDFix\apps\FixSchedule.reg
c:\sdfix\SDFix\apps\FixWebCheck.reg
c:\sdfix\SDFix\apps\fixXP.reg
c:\sdfix\SDFix\apps\FixXPsp2.reg
c:\sdfix\SDFix\apps\grep.exe
c:\sdfix\SDFix\apps\HaxdFix.reg
c:\sdfix\SDFix\apps\HPFix.reg
c:\sdfix\SDFix\apps\HPFix2.reg
c:\sdfix\SDFix\apps\HPFix3.reg
c:\sdfix\SDFix\apps\HPFix4.reg
c:\sdfix\SDFix\apps\HPFix5.reg
c:\sdfix\SDFix\apps\HPFix6.reg
c:\sdfix\SDFix\apps\HPFix7.reg
c:\sdfix\SDFix\apps\HPFix8.reg
c:\sdfix\SDFix\apps\HPFix9.reg
c:\sdfix\SDFix\apps\Installed.txt
c:\sdfix\SDFix\apps\isadmin.exe
c:\sdfix\SDFix\apps\leg2.txt
c:\sdfix\SDFix\apps\legacy.txt
c:\sdfix\SDFix\apps\legacybk.txt
c:\sdfix\SDFix\apps\locate.com
c:\sdfix\SDFix\apps\LS.exe
c:\sdfix\SDFix\apps\MD5File.exe
c:\sdfix\SDFix\apps\moveex.exe
c:\sdfix\SDFix\apps\MyGcpvFix.reg
c:\sdfix\SDFix\apps\MyGkFix2.reg
c:\sdfix\SDFix\apps\Process.exe
c:\sdfix\SDFix\apps\procs.exe
c:\sdfix\SDFix\apps\psservice.exe
c:\sdfix\SDFix\apps\Rem.txt
c:\sdfix\SDFix\apps\Rem2.txt
c:\sdfix\SDFix\apps\Replace\regedit.exe
c:\sdfix\SDFix\apps\Replace\w2k\AUTOEXEC.NT
c:\sdfix\SDFix\apps\Replace\w2k\beep.sys
c:\sdfix\SDFix\apps\Replace\w2k\command.com
c:\sdfix\SDFix\apps\Replace\w2k\command.PIF
c:\sdfix\SDFix\apps\Replace\w2k\CONFIG.NT
c:\sdfix\SDFix\apps\Replace\w2k\null.sys
c:\sdfix\SDFix\apps\Replace\xp\AUTOEXEC.NT
c:\sdfix\SDFix\apps\Replace\xp\beep.sys
c:\sdfix\SDFix\apps\Replace\xp\command.com
c:\sdfix\SDFix\apps\Replace\xp\command.PIF
c:\sdfix\SDFix\apps\Replace\xp\CONFIG.NT
c:\sdfix\SDFix\apps\Replace\xp\null.sys
c:\sdfix\SDFix\apps\Reset_AppInit_DLLs.reg
c:\sdfix\SDFix\apps\RestartIt!.exe
c:\sdfix\SDFix\apps\Restore_SafeBoot_Windows2000.reg
c:\sdfix\SDFix\apps\Restore_SafeBoot_WindowsXP.reg
c:\sdfix\SDFix\apps\Restore_SafeBoot_WindowsXP_SP2.reg
c:\sdfix\SDFix\apps\Restore_SafeBoot_WindowsXP_SP3.reg
c:\sdfix\SDFix\apps\Restore_SecurityCenter.reg
c:\sdfix\SDFix\apps\Restore_SharedAccess.reg
c:\sdfix\SDFix\apps\sc.exe
c:\sdfix\SDFix\apps\sed.exe
c:\sdfix\SDFix\apps\SF.exe
c:\sdfix\SDFix\apps\shutdown.exe
c:\sdfix\SDFix\apps\srv2.txt
c:\sdfix\SDFix\apps\srv2bk.txt
c:\sdfix\SDFix\apps\svc.txt
c:\sdfix\SDFix\apps\svcbk.txt
c:\sdfix\SDFix\apps\Swreg.exe
c:\sdfix\SDFix\apps\swsc.exe
c:\sdfix\SDFix\apps\UnRAR.exe
c:\sdfix\SDFix\apps\unzip.exe
c:\sdfix\SDFix\apps\vfind.exe
c:\sdfix\SDFix\apps\WINMSG.EXE
c:\sdfix\SDFix\apps\winsec.reg
c:\sdfix\SDFix\apps\zip.exe
c:\sdfix\SDFix\backups\backupreg.zip
c:\sdfix\SDFix\backups\catchme.log
c:\sdfix\SDFix\backups\catchme.zip
c:\sdfix\SDFix\backups\HOSTS
c:\sdfix\SDFix\catchme.exe
c:\sdfix\SDFix\DBFix.bat
c:\sdfix\SDFix\dummy.sys
c:\sdfix\SDFix\Report.txt
c:\sdfix\SDFix\RunThis.bat
c:\sdfix\SDFix\SDFIX_ReadMe_Online.url
c:\sdfix\SDFix\W2K_VirusAlert_Repair.inf
c:\sdfix\SDFix\XP_VirusAlert_Repair.inf
.
((((((((((((((((((((((((( Files Created from 2008-10-27 to 2008-11-27 )))))))))))))))))))))))))))))))
.
2008-11-25 18:11 . 2008-11-25 18:12 1,340 --a------ c:\windows\system32\tmp.reg
2008-11-25 18:10 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-25 18:10 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-25 18:10 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-11-25 18:10 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-11-25 18:10 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-25 18:10 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-11-25 18:10 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-11-25 18:10 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-25 18:10 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-11-25 18:10 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-11-23 09:20 . 2008-11-23 09:30 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-23 09:07 . 2008-11-26 22:38 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-23 09:07 . 2008-11-23 09:07 <DIR> d-------- c:\program files\AVG
2008-11-23 09:07 . 2008-11-23 09:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-23 09:07 . 2008-11-23 09:07 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-23 09:07 . 2008-11-23 09:07 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-23 09:07 . 2008-11-23 09:07 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-22 12:19 . 2008-11-22 12:19 <DIR> d-------- c:\windows\system32\URTTemp
2008-11-22 12:19 . 2008-11-22 12:19 <DIR> d-------- c:\documents and settings\Admin\Application Data\SuperAdBlocker.com
2008-11-22 11:35 . 2008-11-22 11:35 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-11-22 11:33 . 2008-11-22 11:33 <DIR> d-------- c:\windows\ERUNT
2008-11-22 11:29 . 2008-11-23 09:07 <DIR> d-------- c:\documents and settings\Administrator
2008-11-22 11:15 . 2008-11-22 14:36 <DIR> d-------- c:\program files\Spyware Doctor
2008-11-22 11:15 . 2008-11-22 11:15 <DIR> d-------- c:\documents and settings\Admin\Application Data\PC Tools
2008-11-22 11:15 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-11-22 11:15 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-11-22 11:15 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-11-22 11:15 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-11-22 10:17 . 2008-11-22 12:18 503 --a------ c:\windows\wininit.ini
2008-11-22 09:36 . 2008-11-22 11:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-22 09:22 . 2008-11-22 09:22 <DIR> d-------- c:\windows\system32\mp
2008-11-22 09:22 . 2008-11-22 14:07 <DIR> d-------- c:\windows\system32\ID2
2008-11-22 09:22 . 2008-11-22 14:07 <DIR> d-------- c:\windows\system32\gp2
2008-11-22 09:22 . 2008-11-22 14:07 <DIR> d-------- c:\windows\system32\dim
2008-11-22 09:22 . 2008-11-22 09:22 <DIR> d-------- c:\temp\FT62
2008-11-22 09:22 . 2008-11-25 19:28 <DIR> d-------- C:\Temp
2008-11-22 09:22 . 2008-11-22 09:22 29,184 --a------ c:\windows\system32\MSINET.oca
2008-11-22 09:22 . 2008-11-22 09:22 2,407 --a------ c:\windows\system32\MSINET.DEP
2008-11-12 22:34 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 22:34 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-23 13:26 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-22 17:18 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-13 03:51 18,320 ----a-w c:\documents and settings\Admin\Application Data\GDIPFONTCACHEV1.DAT
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 00:17 --------- d-----w c:\documents and settings\Admin\Application Data\gtk-2.0
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 12:03 --------- d-----w c:\program files\Common Files\Motive
2008-10-16 12:03 --------- d-----w c:\program files\ATT
2008-10-16 12:03 --------- d-----w c:\documents and settings\All Users\Application Data\Motive
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-03-16 18:04 2 --shatr c:\windows\winstart.bat
2008-08-02 12:10 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080220080803\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-23 1234712]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-14 c:\windows\RTHDCPL.exe]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}"= "f:\program files\SuperAdBlocker.com\Super Ad Blocker\SABSEHB.DLL" [2006-11-07 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
2007-08-01 09:28 176128 f:\program files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"f:\\Program Files\\Eidos\\Pyro Studios\\Commandos 3 - Destination Berlin\\commandos3.exe"=
"f:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"f:\\Program Files\\Groove Networks\\Groove\\Bin\\Groove.exe"=
"f:\\Program Files\\proeWildfire\\i486_nt\\nms\\nmsd.exe"=
"f:\\Program Files\\proeWildfire\\i486_nt\\obj\\proevconf.exe"=
"f:\\Program Files\\Games\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-23 97928]
R1 BIOS;BIOS;\??\c:\windows\system32\drivers\BIOS.sys [2007-02-24 13696]
R1 BS_I2cIo;BS_I2cIo;\??\c:\windows\system32\drivers\BS_I2cIo.sys [2007-02-24 8192]
R1 SABDIFSV;SABDIFSV;\??\f:\program files\SuperAdBlocker.com\Super Ad Blocker\SABDIFSV.SYS [2005-09-21 5632]
R1 SABKUTIL;SABKUTIL;\??\f:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [2007-02-20 32256]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-23 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-23 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-23 76040]
S1 atinmdxxx;atinmdxxx;c:\windows\system32\drivers\atinmdxxx.sys []
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys []
S4 GrooveInstallerService;Groove Installer Service;f:\program files\Groove Networks\Groove\Bin\GrooveInstallerService.exe [2007-04-28 75328]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - d:\setup\rsrc\autorun.exe
\Shell\dinstall\command - d:\directx\dxsetup.exe
.
Contents of the 'Scheduled Tasks' folder
2008-11-02 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- f:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
2007-11-28 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- f:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-27 08:44:21
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\avgrsstx.dll
f:\program files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(796)
c:\windows\system32\avgrsstx.dll
c:\windows\system32\nvappfilter.dll
.
Completion time: 2008-11-27 8:45:08
ComboFix-quarantined-files.txt 2008-11-27 13:44:59
ComboFix2.txt 2008-11-26 00:34:18
Pre-Run: 30,782,152,704 bytes free
Post-Run: 30,781,292,544 bytes free
271 --- E O F --- 2008-11-13 04:18:51
--------------------- HJT --------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:55:29, on 11/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - F:\Program Files\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SABWinLogon - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
--
End of file - 5784 bytes
Here's the log from MBAM and HJT.... looks like MBAM found the virtumonde and a Rootkit.
---------------------------------
Malwarebytes' Anti-Malware 1.30
Database version: 1428
Windows 5.1.2600 Service Pack 3
11/27/2008 9:41:26 AM
mbam-log-2008-11-27 (09-41-26).txt
Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 176627
Time elapsed: 35 minute(s), 17 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 21
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e596df5f-4239-4d40-8367-ebadf0165917} (Rogue.Installer) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\WINDOWS\system32\mp (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\fnqhzo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jorbtmuo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rjveshut.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP391\A0031370.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP391\A0031373.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP391\A0031375.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP391\A0031395.dll (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP391\A0031396.dll (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP391\A0031413.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP391\A0031416.dll (Adware.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP391\A0031417.exe (Adware.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP391\A0031428.dll (Adware.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP391\A0031430.exe (Adware.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP391\A0031432.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP392\A0031564.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP392\A0031569.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP394\A0031676.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP397\A0031954.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP397\A0031956.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP397\A0031957.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mp\kstamv3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
----------------- HJT ---------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:51:42, on 11/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\avgtray.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - F:\Program Files\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SABWinLogon - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
--
End of file - 5603 bytes
pskelley
2008-11-27, 16:01
How is the computer running now?
The reason why I bold that information is to make sure I get it:santa:
I see no problems from here and most of what MBAM located is either quarantined in combofix or infected System Restore files. Before I move to target those areas and wrap up, I would appreciate some feedback from you about performance, any malware issues?
Thanks
Computer seems to be running fine, no sign of any malware. Although boot up time seems be little longer after logging in windows. probabl because of the Ati virus and ad blocker software installed. Which leads me to another question I had: What set of anti-virus and anti-malware software do you recommend? I already have spybot, I installed AVG earlier and now i have MABM. Are these three sufficient? I also have Super Ad Blocker but I am not sure how good/effective it is.
Thanks for your help.
pskelley
2008-11-27, 22:55
Thanks for the feedback, do you see this in the instructions?
*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
Here is some information that might help the computer also.
http://www.netsquirrel.com/msconfig/msconfig_xp.html
http://www.malwareremoval.com/tutorials/runningslowly.php
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
I'll post information from experts, after you read it if you still have questions, post them and I will do my best to give you answers.
Remove combofix from the computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Clean the System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
Update AVG 8 and scan the system, to be sure it is running right and scanning clean.
Here is some helpful information: FAQ: http://www.avg.com/faq
AVG Free Forum: http://freeforum.avg.com/
If all is well at this point, let me know and I will close the topic.
Some good information for you:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...Phil:santa:
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
I ran the MBAM and AVG and it looks like there's few more trojans left. I am attaching the log from MBAM and HJT. The dlls of interest are neyuvena.dll, tiyunike.dll and hivunote.dll. At least, these are the ones I can recognize as trouble makers. Yeterday, MBAM removed the niyuvena.dll. The log for MBAM is from today, when i ran it again.
I uninstalled the ComboFix per your instructions.
-------------------------------------
Malwarebytes' Anti-Malware 1.30
Database version: 1428
Windows 5.1.2600 Service Pack 3
11/29/2008 12:22:40 PM
mbam-log-2008-11-29 (12-22-40).txt
Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 171789
Time elapsed: 37 minute(s), 26 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{04b3ae9e-8b31-4c64-9c6b-0d46d283a777} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{04b3ae9e-8b31-4c64-9c6b-0d46d283a777} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lifipuzisu (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\hivunote.dll (Trojan.BHO.H) -> Delete on reboot.
-----------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:55:17, on 11/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
F:\Program Files\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: (no name) - {04b3ae9e-8b31-4c64-9c6b-0d46d283a777} - C:\WINDOWS\system32\hivunote.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - F:\Program Files\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [lifipuzisu] Rundll32.exe "C:\WINDOWS\system32\neyuvena.dll",s
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "F:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [lifipuzisu] Rundll32.exe "C:\WINDOWS\system32\neyuvena.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [lifipuzisu] Rundll32.exe "C:\WINDOWS\system32\neyuvena.dll",s (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\kewevuro.dll c:\windows\system32\zagubura.dll c:\windows\system32\tiyunike.dll
O20 - Winlogon Notify: !SABWinLogon - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
--
End of file - 6358 bytes
pskelley
2008-11-29, 19:31
Appears we did not get it all the first time, the junk has the ability then to morph and recreate itself, let's try again.
We want the newest version of combofix. Remove any old copies of combofix before you proceed.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
Read and follow these directions
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Thanks to sUBs and anyone else who helped with this fix.
It is important that it is saved directly to your Desktop.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the combofix log and a new HJT log.
Thanks
MBAM and HJT Log:
--------------------------------
ComboFix 08-11-29.01 - Admin 2008-11-29 14:10:30.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1444 [GMT -5:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\hivunote.dll
c:\windows\system32\kewevuro.dll
c:\windows\system32\odezanul.ini
c:\windows\system32\wejiwulo.dll
.
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-29 )))))))))))))))))))))))))))))))
.
2008-11-28 19:37 . 2008-11-28 19:37 <DIR> d-------- c:\windows\F8BA8B13856D4DFBA28F7EC868142453.TMP
2008-11-27 09:03 . 2008-11-27 09:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-27 09:03 . 2008-11-27 09:03 <DIR> d-------- c:\documents and settings\Admin\Application Data\Malwarebytes
2008-11-27 09:03 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-27 09:03 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-25 18:11 . 2008-11-25 18:12 1,340 --a------ c:\windows\system32\tmp.reg
2008-11-25 18:10 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-25 18:10 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-25 18:10 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-11-25 18:10 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-11-25 18:10 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-25 18:10 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-11-25 18:10 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-11-25 18:10 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-25 18:10 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-11-25 18:10 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-11-23 09:20 . 2008-11-29 12:22 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-23 09:07 . 2008-11-29 08:37 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-23 09:07 . 2008-11-23 09:07 <DIR> d-------- c:\program files\AVG
2008-11-23 09:07 . 2008-11-23 09:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-23 09:07 . 2008-11-23 09:07 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-23 09:07 . 2008-11-23 09:07 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-23 09:07 . 2008-11-23 09:07 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-22 12:19 . 2008-11-22 12:19 <DIR> d-------- c:\windows\system32\URTTemp
2008-11-22 12:19 . 2008-11-22 12:19 <DIR> d-------- c:\documents and settings\Admin\Application Data\SuperAdBlocker.com
2008-11-22 11:35 . 2008-11-22 11:35 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-11-22 11:33 . 2008-11-22 11:33 <DIR> d-------- c:\windows\ERUNT
2008-11-22 11:29 . 2008-11-23 09:07 <DIR> d-------- c:\documents and settings\Administrator
2008-11-22 11:15 . 2008-11-22 14:36 <DIR> d-------- c:\program files\Spyware Doctor
2008-11-22 11:15 . 2008-11-22 11:15 <DIR> d-------- c:\documents and settings\Admin\Application Data\PC Tools
2008-11-22 11:15 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-11-22 11:15 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-11-22 11:15 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-11-22 11:15 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-11-22 10:17 . 2008-11-22 12:18 503 --a------ c:\windows\wininit.ini
2008-11-22 09:36 . 2008-11-22 11:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-22 09:22 . 2008-11-22 14:07 <DIR> d-------- c:\windows\system32\ID2
2008-11-22 09:22 . 2008-11-22 14:07 <DIR> d-------- c:\windows\system32\gp2
2008-11-22 09:22 . 2008-11-22 14:07 <DIR> d-------- c:\windows\system32\dim
2008-11-22 09:22 . 2008-11-22 09:22 <DIR> d-------- c:\temp\FT62
2008-11-22 09:22 . 2008-11-25 19:28 <DIR> d-------- C:\Temp
2008-11-22 09:22 . 2008-11-22 09:22 29,184 --a------ c:\windows\system32\MSINET.oca
2008-11-22 09:22 . 2008-11-22 09:22 2,407 --a------ c:\windows\system32\MSINET.DEP
2008-11-12 22:34 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 22:34 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-29 13:45 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-29 01:33 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-22 17:18 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-13 03:51 18,320 ----a-w c:\documents and settings\Admin\Application Data\GDIPFONTCACHEV1.DAT
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 00:17 --------- d-----w c:\documents and settings\Admin\Application Data\gtk-2.0
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 12:03 --------- d-----w c:\program files\Common Files\Motive
2008-10-16 12:03 --------- d-----w c:\program files\ATT
2008-10-16 12:03 --------- d-----w c:\documents and settings\All Users\Application Data\Motive
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-03-16 18:04 2 --shatr c:\windows\winstart.bat
2008-08-02 12:10 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080220080803\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-14 c:\windows\RTHDCPL.exe]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}"= "f:\program files\SuperAdBlocker.com\Super Ad Blocker\SABSEHB.DLL" [2006-11-07 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
2007-08-01 09:28 176128 f:\program files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"f:\\Program Files\\Eidos\\Pyro Studios\\Commandos 3 - Destination Berlin\\commandos3.exe"=
"f:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"f:\\Program Files\\Groove Networks\\Groove\\Bin\\Groove.exe"=
"f:\\Program Files\\proeWildfire\\i486_nt\\nms\\nmsd.exe"=
"f:\\Program Files\\proeWildfire\\i486_nt\\obj\\proevconf.exe"=
"f:\\Program Files\\Games\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-23 97928]
R1 BIOS;BIOS;\??\c:\windows\system32\drivers\BIOS.sys [2007-02-24 13696]
R1 BS_I2cIo;BS_I2cIo;\??\c:\windows\system32\drivers\BS_I2cIo.sys [2007-02-24 8192]
R1 SABDIFSV;SABDIFSV;\??\f:\program files\SuperAdBlocker.com\Super Ad Blocker\SABDIFSV.SYS [2005-09-21 5632]
R1 SABKUTIL;SABKUTIL;\??\f:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [2007-02-20 32256]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-23 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-23 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-23 76040]
S1 atinmdxxx;atinmdxxx;c:\windows\system32\drivers\atinmdxxx.sys []
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys []
S4 GrooveInstallerService;Groove Installer Service;f:\program files\Groove Networks\Groove\Bin\GrooveInstallerService.exe [2007-04-28 75328]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - d:\setup\rsrc\autorun.exe
\Shell\dinstall\command - d:\directx\dxsetup.exe
.
Contents of the 'Scheduled Tasks' folder
2008-11-02 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- f:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
2007-11-28 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- f:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\snarwbm4.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
FF -: plugin - f:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF -: plugin - f:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - f:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
FF -: plugin - f:\program files\DivX\DivX Web Player\npdivx32.dll
FF -: plugin - f:\program files\Mozilla Firefox\plugins\npnul32.dll
FF -: plugin - f:\program files\Mozilla Firefox\plugins\nppl3260.dll
FF -: plugin - f:\program files\Mozilla Firefox\plugins\nprjplug.dll
FF -: plugin - f:\program files\Mozilla Firefox\plugins\nprpjplug.dll
FF -: plugin - f:\program files\QuickTime\Plugins\npqtplugin.dll
FF -: plugin - f:\program files\QuickTime\Plugins\npqtplugin2.dll
FF -: plugin - f:\program files\QuickTime\Plugins\npqtplugin3.dll
FF -: plugin - f:\program files\QuickTime\Plugins\npqtplugin4.dll
FF -: plugin - f:\program files\QuickTime\Plugins\npqtplugin5.dll
FF -: plugin - f:\program files\QuickTime\Plugins\npqtplugin6.dll
FF -: plugin - f:\program files\QuickTime\Plugins\npqtplugin7.dll
FF -: plugin - f:\program files\RealPlayer\Netscape6\nppl3260.dll
FF -: plugin - f:\program files\RealPlayer\Netscape6\nprjplug.dll
FF -: plugin - f:\program files\RealPlayer\Netscape6\nprpjplug.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-29 14:14:25
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(716)
f:\program files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(772)
c:\windows\system32\nvappfilter.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
f:\program files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
.
**************************************************************************
.
Completion time: 2008-11-29 14:19:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-29 19:19:18
ComboFix2.txt 2008-11-27 13:52:29
Pre-Run: 30,937,972,736 bytes free
Post-Run: 30,937,686,016 bytes free
204 --- E O F --- 2008-11-13 04:18:51
-----------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:22:24, on 11/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - F:\Program Files\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SABWinLogon - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
--
End of file - 5549 bytes
pskelley
2008-11-29, 20:48
You are using a USB drive, it may well be infected. Follow these directions to reformat it:
http://www.scribd.com/doc/231100/Reformatting-a-USB-Drive
Let's remove that mountpoint in case it is infected:
Open notepad and copy/paste the text in the codebox below into it:
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
combofix may start again, I do not need to see the combofix log at this time.
Follow these instructions:
*Right click the icon for AVG in System Tray and choose Open AVG User Interface.
*Click on Update now, allow AVG to download and install any new updates.
* Click on Computer Scanner then choose "Scan whole computer", this takes a round one hour on the computer I am using now.
* Near the bottom above the words "The scan is complete" choose "Export overview to file"
* Choose Desktop and give it a name you will recognize like AVG Scan Results, then choose SAVE.
* Close results and close the Interface.
* Copy and paste the contents of that file unless it is clean.
Thanks
Followed the steps and it looks good so far. Computer is running fine, no trace of any more malware. Once again, thank you very much for all your help, I would not have been able to clean it up by myself. I am glad I found out about the forum.
pskelley
2008-12-02, 10:10
Thanks for taking the time to provide feedback. combofix does not update so remove it again from the computer and safe surfing:santa: