Smitfraud-c.gp comes back after reboot [Archive]

View Full Version : Smitfraud-c.gp comes back after reboot

capt1mc

2008-12-16, 01:17

I have had Smitfraud-c.gp on my computer for some time and have tried numerous ways to get rid of it on my own and it just comes back after restart. If I block it with Avast it must be still running because the computer starts to lag and gets slower with time. Then it seems better, but slows again.

Here's what happened: I downloaded Acronis True Image from a web site and Smitfraud-c.gp, Zlob and a couple other viruses came with it. I managed to clean the rest off except Smitfraud-c.gp.

I have a file named windows\system\explorer.exe which is obviously a fake explorer. I used "find" in registry for windows\system\explorer.exe and deleted the registry items it found and once again tried to delete the file itself, did not work. I booted the computer and tried to delete it with "del c:\windows\system\explorer.exe" and this did not work either. I have searched the web for hours trying to find some resolution to this and nothing seems to work. Reading through different posts trying to fix this by myself I read about Smitrem and dl'd that and ran it, but it did not fix the prob.

Here's where I'm at: Today I ran some programs I usually use to clean up harddrives. Here's the results of the scans and a HJT log:

--------------- Avast:

File name: C:\WINDOWS\SVCHOST.EXE
Malware Name: Wi????????????????e
Malware Type: Rootkit:hidden process
VPS version: 081210-0, 12/10/2008

File name: C:\WINDOWS\svchost.exe
Malware Name: Win32:Rootkit-gen [Rtk]
Malware Type: Rootkit
VPS version: 081210-0, 12/10/2008

--------------- Panda Active Scan:

ANALYSIS: 2008-12-15 11:22:41
PROTECTIONS: 2
MALWARE: 9
SUSPECTS: 2
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
avast! antivirus 4.8.1296 [VPS 081215-0] 4.8.1296 Yes Yes
iolo AntiVirus 1.5 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00122168 Application/Restart HackTools No 0 Yes No C:\WINDOWS\system32\Tools\Restart.exe
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\chris\Cookies\chris@server.iad.liveperson[2].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@target[1].txt
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\chris\Cookies\chris@did-it[1].txt
00366244 Application/NirCmd.A HackTools No 0 Yes No C:\fixwareout\FindT\nircmd.exe
00520936 Application/ViewPoint HackTools No 0 Yes No C:\Program Files\Trend Micro\HijackThis\backups\backup-20080926-130701-650.dll
02916589 Application/PassRock HackTools No 0 Yes No C:\System Volume Information\_restore{4AA1BD37-FFAB-4770-A4A3-2C6BF615AE71}\RP79\A0017739.exe
03738686 Generic Malware Virus/Trojan No 0 Yes No C:\SDFix\catchme.exe
03738686 Generic Malware Virus/Trojan No 0 No No C:\System Volume Information\_restore{4AA1BD37-FFAB-4770-A4A3-2C6BF615AE71}\RP83\A0025852.exe[C:\System Volume Information\_restore{4AA1BD37-FFAB-4770-A4A3-2C6BF615AE71}\RP83\A0025852.exe][SDFix\apps\Cghtme.exe]
03738686 Generic Malware Virus/Trojan No 0 Yes No C:\SDFix\apps\Cghtme.exe
03738686 Generic Malware Virus/Trojan No 0 No No C:\System Volume Information\_restore{4AA1BD37-FFAB-4770-A4A3-2C6BF615AE71}\RP83\A0025852.exe[C:\System Volume Information\_restore{4AA1BD37-FFAB-4770-A4A3-2C6BF615AE71}\RP83\A0025852.exe][SDFix\catchme.exe]
04282197 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{4AA1BD37-FFAB-4770-A4A3-2C6BF615AE71}\RP83\A0025608.exe
04282197 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{4AA1BD37-FFAB-4770-A4A3-2C6BF615AE71}\RP83\A0025646.exe
04282197 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{4AA1BD37-FFAB-4770-A4A3-2C6BF615AE71}\RP83\A0025596.exe
04282197 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{4AA1BD37-FFAB-4770-A4A3-2C6BF615AE71}\RP81\A0023427.exe
04282197 Generic Malware Virus/Trojan No 0 Yes No C:\SDFix\backups\backups.zip[backups/svchost.exe]
04282197 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{4AA1BD37-FFAB-4770-A4A3-2C6BF615AE71}\RP90\A0026430.exe
04282197 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{4AA1BD37-FFAB-4770-A4A3-2C6BF615AE71}\RP90\A0027468.exe
04282197 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{4AA1BD37-FFAB-4770-A4A3-2C6BF615AE71}\RP90\A0027472.exe
04282197 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{4AA1BD37-FFAB-4770-A4A3-2C6BF615AE71}\RP81\A0023440.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location )5
;===================================================================================================================================================================================
No C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\ViewBar.dll )5
No C:\Program Files\Warcraft III\cdkey.exe )5
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description

--------------- Housecall:

Found nothing

---------------MBAM:

Malwarebytes' Anti-Malware 1.31
Database version: 1467
Windows 5.1.2600 Service Pack 3

12/15/2008 1:55:03 PM
mbam-log-2008-12-15 (13-55-03).txt

Scan type: Quick Scan
Objects scanned: 75564
Time elapsed: 8 minute(s), 58 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\WINDOWS\svchost.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system\explorer.exe (Heuristics.Reserved.Word.Exploit) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system\explorer.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

--------------- Spybot:

Smitfraud-C.gp: [SBI $8E7F06B8] Executable (File, fixed)
C:\WINDOWS\svchost.exe

(That is all it found, I can post the whole log if you want.)

--------------- HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:39:14 PM, on 12/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system\explorer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://Www.Wintergreensys.com
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} -
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} -
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} -
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} -
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6610 bytes

katana

2008-12-21, 14:22

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly http://www.countingcows.de/laechel.gif

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe

----------------------------------------------------------------------------------------

I apologize for the delay in responding, but as you can probably see the forums are quite busy.
Unfortunately there are far more people needing help than there are helpers.

==============================WARNING==============================
There is some evidence of what may be a very nasty infection.
If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
Back up all important data on the machine.
If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
Take any other steps you think appropriate for an attempted identity theft.
==============================WARNING==============================

If you still require help please do the following

Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply
Re-enable all the programs that were disabled during the running of ComboFix..

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

capt1mc

2008-12-22, 02:45

ComboFix 08-12-21.03 - chris 2008-12-21 18:39:51.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.849 [GMT -6:00]
Running from: c:\documents and settings\chris\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\svchost.exe
c:\windows\system\explorer.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-22 to 2008-12-22 )))))))))))))))))))))))))))))))
.

2008-12-21 17:57 . 2008-12-21 17:57 <DIR> d-------- c:\program files\TypeFaster
2008-12-21 15:10 . 2008-12-21 15:28 <DIR> d-------- C:\SDFix
2008-12-19 03:09 . 2008-12-19 03:09 250 --a------ c:\windows\gmer.ini
2008-12-17 22:24 . 2008-12-17 22:24 <DIR> d-------- c:\program files\Unlocker
2008-12-17 18:06 . 2008-12-17 18:06 <DIR> d-------- C:\fsaua.data
2008-12-15 20:10 . 2008-12-15 22:54 <DIR> d-------- c:\documents and settings\chris\DoctorWeb
2008-12-15 19:27 . 2008-12-15 19:28 <DIR> d-------- C:\rsit
2008-12-12 23:08 . 2008-12-12 23:08 <DIR> d-------- c:\program files\PragmaDigm
2008-12-12 19:47 . 2008-12-12 19:47 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-12-12 19:45 . 2008-12-12 19:46 <DIR> d-------- c:\windows\ERUNT
2008-12-11 10:07 . 2008-12-11 10:07 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-10 14:52 . 2008-12-10 14:52 <DIR> d-------- c:\program files\IObit
2008-12-09 00:07 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-12-08 14:08 . 2008-12-08 14:08 <DIR> d-------- c:\program files\Belarc
2008-12-08 14:08 . 2008-02-27 12:49 3,840 --a------ c:\windows\system32\drivers\BANTExt.sys
2008-12-08 12:05 . 2001-08-18 06:00 111,104 --a------ c:\windows\system32\fxscfgwz.dll
2008-12-08 12:05 . 2001-08-18 06:00 111,104 --a--c--- c:\windows\system32\dllcache\fxscfgwz.dll
2008-12-06 22:22 . 2008-12-06 22:22 <DIR> d-------- c:\documents and settings\chris\Application Data\s_5849_MjV8fHx8MjV8fHwxMjQxMjUzNTA1fA_
2008-12-03 10:16 . 2008-12-03 10:20 <DIR> d-------- c:\program files\Free PDF to Word Converter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-18 03:29 --------- d-----w c:\program files\Warcraft III
2008-12-17 03:24 7,862 ----a-w c:\documents and settings\chris\Application Data\wklnhst.dat
2008-12-16 02:02 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-16 01:54 --------- d-----w c:\program files\Java
2008-12-09 20:45 --------- d-----w c:\documents and settings\chris\Application Data\U3
2008-12-09 06:07 --------- d-----w c:\program files\Panda Security
2008-12-06 22:50 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-06 06:30 --------- d-----w c:\program files\SUPERAntiSpyware
2008-12-06 06:20 --------- d-----w c:\documents and settings\chris\Application Data\IObit
2008-12-06 06:15 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-06 04:17 --------- d-----w c:\program files\HyCam2
2008-12-06 04:16 --------- d-----w c:\program files\NCH Swift Sound
2008-12-06 03:50 31,504 -c--a-w c:\windows\system32\drivers\cmdhlp.sys
2008-12-06 03:50 147,192 ----a-w c:\windows\system32\guard32.dll
2008-12-06 03:50 101,776 -c--a-w c:\windows\system32\drivers\cmdguard.sys
2008-12-04 01:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 01:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-03 16:46 54,696 ----a-w c:\documents and settings\chris\Application Data\GDIPFONTCACHEV1.DAT
2008-12-03 03:31 --------- d-----w c:\documents and settings\chris\Application Data\Skype
2008-11-22 00:35 --------- d-----w c:\program files\iTunes
2008-11-22 00:35 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-22 00:34 --------- d-----w c:\program files\iPod
2008-11-22 00:34 --------- d-----w c:\program files\Common Files\Apple
2008-11-22 00:32 --------- d-----w c:\program files\QuickTime
2008-11-11 13:52 --------- d-----w c:\program files\Interbank FX Trader 4
2008-10-31 05:55 --------- d-----w c:\program files\AutoClick
2008-10-24 23:27 --------- d-----w c:\program files\Bonjour
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 16:50 --------- d-----w c:\program files\Quick StartUp
2008-10-23 16:31 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2008-10-23 16:30 --------- d-----w c:\program files\NOS
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-22 23:21 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-10-22 23:21 --------- d-----w c:\program files\Common Files\Adobe
2008-10-22 23:15 --------- d-----w c:\documents and settings\chris\Application Data\AdobeUM
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 -c--a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 -c--a-w c:\windows\system32\wups.dll
2008-10-03 10:02 247,326 ------w c:\windows\system32\strmdll.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-05-02 02:14 92,064 ----a-w c:\documents and settings\chris\mqdmmdm.sys
2008-05-02 02:14 9,232 ----a-w c:\documents and settings\chris\mqdmmdfl.sys
2008-05-02 02:14 79,328 ----a-w c:\documents and settings\chris\mqdmserd.sys
2008-05-02 02:14 66,656 ----a-w c:\documents and settings\chris\mqdmbus.sys
2008-05-02 02:14 6,208 ----a-w c:\documents and settings\chris\mqdmcmnt.sys
2008-05-02 02:14 5,936 ----a-w c:\documents and settings\chris\mqdmwhnt.sys
2008-05-02 02:14 4,048 ----a-w c:\documents and settings\chris\mqdmcr.sys
2008-05-02 02:14 25,600 ----a-w c:\documents and settings\chris\usbsermptxp.sys
2008-05-02 02:14 22,768 ----a-w c:\documents and settings\chris\usbsermpt.sys
2008-04-18 01:13 56,912 ----a-w c:\documents and settings\chris\g2mdlhlpx.exe
2007-12-10 18:18 60,968 ----a-w c:\documents and settings\chris\GoToAssistDownloadHelper.exe
2005-12-30 02:57 774,144 -c--a-w c:\program files\RngInterstitial.dll
2004-12-21 23:00 3,008,656 -c--a-w c:\program files\image zone.EXE
2004-11-30 22:43 1,418,296 -c--a-w c:\program files\java.exe
2008-04-22 04:20 23 -csha-w c:\windows\system32\ffdadacd2_g.dll
2008-05-07 05:40 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008050720080508\index.dat
.

------- Sigcheck -------

2008-07-31 12:25 956373 82a3c2176e5d58099d8f416f66470739 c:\windows\explorer.exe
2007-06-13 05:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 04:23 1033216 97bd6515465659ff8f3b7be375b2ea87 c:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-03 23:56 1032192 a0732187050030ae399b241436565e64 c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-13 18:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2008-11-26 2235920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-26 8523776]
"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2008-12-05 1797880]
"COMODO Internet Security"="c:\program files\COMODO\Firewall\cfp.exe" [2008-12-05 1797880]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-11 136600]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-01 15872]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= c:\windows\system32\guard32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^chris^Start Menu^Programs^Startup^AutoClick.lnk]
path=c:\documents and settings\chris\Start Menu\Programs\Startup\AutoClick.lnk
backup=c:\windows\pss\AutoClick.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-10-01 11:57 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"nwiz"=nwiz.exe /install
"Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"LogonStudio"="c:\program files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
"SoundMan"=SOUNDMAN.EXE
"NeroCheck"=c:\windows\system32\\NeroCheck.exe
"PCTVOICE"=pctspk.exe
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"{13656764-f13f-844b-d785-0b9f57889f3e}"=c:\windows\System32\Rundll32.exe "c:\windows\system32\mxppmsgtbaffr.dll" DllStart
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"SiS Tray"=c:\windows\system32\sistray.EXE
"SiS Windows KeyHook"=c:\windows\system32\keyhook.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\ForexCharts\\winros.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Firefly Studios\\Stronghold Crusader\\Stronghold Crusader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"58597:TCP"= 58597:TCP:*:Disabled:SolidNetworkManager
"58597:UDP"= 58597:UDP:*:Disabled:SolidNetworkManager
"6112:TCP"= 6112:TCP:warcraft3
"6112:UDP"= 6112:UDP:warcraft3
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"47624:TCP"= 47624:TCP:Stronghold crusader
"47624:UDP"= 47624:UDP:stronghold crusader

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-09 28544]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-05-03 111184]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2008-09-25 101776]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2008-09-25 31504]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-09-03 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-09-03 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-05-03 20560]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2004-11-03 267136]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]
S3 usbaucmd;usbaucmd;c:\windows\system32\drivers\usbaucmd.sys [2008-10-18 13744]
S3 usbaufl;usbaufl;c:\windows\system32\drivers\usbaufl.sys [2008-10-18 18939]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa1670e4-6672-11dd-8032-00115b5a342e}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-18 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2008-04-13 18:12]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
FF - ProfilePath - c:\documents and settings\chris\Application Data\Mozilla\Firefox\Profiles\aycn6u7t.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 18:41:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\windows\system32\guard32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(676)
c:\windows\system32\guard32.dll
.
Completion time: 2008-12-21 18:43:09
ComboFix-quarantined-files.txt 2008-12-22 00:43:03

Pre-Run: 17,303,248,896 bytes free
Post-Run: 17,282,478,080 bytes free

261 --- E O F --- 2008-12-18 04:16:24

katana

2008-12-22, 10:21

Step 1

Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Virus Total

Please visit Virustotal (http://www.virustotal.com/en/indexf.html)
Copy/paste the the following file path into the window
c:\windows\explorer.exe
Click Submit/Send File
Please post back, to let me know the results.

If Virustotal is too busy please try Jotti (http://virusscan.jotti.org/)

----------------------------------------------------------- -----------------------------------------------------------
Step 2

Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

FCopy::
c:\windows\ServicePackFiles\i386\explorer.exe|c:\windows\explorer.exe
File::
c:\windows\system32\ffdadacd2_g.dll
c:\windows\system32\mxppmsgtbaffr.dll
Folder::
C:\fixwareout
C:\Program Files\Trend Micro\HijackThis\backups
C:\SDFix
Driver::
Viewpoint Manager Service
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"{13656764-f13f-844b-d785-0b9f57889f3e}"=-

ADS::
Save this as CFScript.txt and place it on your desktop.

http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

----------------------------------------------------------- -----------------------------------------------------------
Step 3

Installed Programs

Please could you give me a list of the programs that are installed.
Start HijackThis
Click on the Misc Tools button
Click on the Open Uninstall Manager button.

You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.

----------------------------------------------------------- -----------------------------------------------------------
Step 4

Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

**Note**

To optimize scanning time and produce a more sensible report for review: Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

----------------------------------------------------------- -----------------------------------------------------------
Step 5

Logs/Information to Post in Reply
Please post the following logs/Information in your reply

Virus Total Results
Combofix Log
Installed Programs List
kaspersky Log
How are things running now ?