Infection keeps re-installing on every start up.

jrf1984
2006-10-15, 14:47
Recently I managed to accidentally download a fake video player program from the internet. I knew as soon as I clicked on the install button it was a bad move!

It was 13.0kb in size. It then began installing the 'nasties' while I couldn't do a thing.

AVG virus checker reported that I was now infected with:
Trojan-Horse Downloader.Harnig.AM loadadv559.exe
Trojan-Horse Downloader.Generic2.SZF drsmartload815a.exe

I sent the files to the virus vault.

Soon after I started getting waves of pop ups and a BHO Toolbar 888 was installed on my browser.

Spybot claimed that I had two versions of the smitfraud trojan on the computer. Smitfraud-c and smitfraudtoolbar 888 and zlobdownloader.
On the first day I could remove all the spyware and trojans and work normally. They then all came back when the computer was next started up.

It became apparent that there were copies of the trojans in the temp folder and the internet temp folder. In my program files directory there was a folder known as Inetget 2. All of the traces of the infection were cleared. But they still came back, even getting into the windows directory. I updated all my definitions in spybot and even immunised my system, but still it came back.


Currently HijackThis states that my system contains:

Logfile of HijackThis v1.99.1
Scan saved at 12:57:22, on 15/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\{6C50A0F7-0C80-1033-0321-06120905002c}\Update.exe
C:\WINDOWS\system32\crunner\cproc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\WinAce\WinAce.exe
C:\Documents and Settings\Jonathan\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=leed-cache-4.server.ntli.net:8080
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\svchost.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ZILLAbar BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\ZB2.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: STOPzilla securitybar - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\ZB2.dll
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [storprop] C:\WINDOWS\system32\storprop.exe
O4 - HKCU\..\Run: [usrlbva] C:\WINDOWS\system32\usrlbva.exe
O4 - HKCU\..\Run: [cic] C:\WINDOWS\system32\cic.exe
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [hdaprop] C:\WINDOWS\system32\hdaprop.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VTAgentReboot.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160743385406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160743781375
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: dxclib303562752.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: comrepl.exe - Unknown owner - C:\WINDOWS\system32\comrepl.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: mlang.exe - Unknown owner - C:\WINDOWS\system32\mlang.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

This includes normally hidden system files.

Can anyone tell me what I need to delete?

TIA

Shaba
2006-10-16, 17:17
Hi jrf1984

Use this (http://downloads.malwareremoval.com/hijackthis_sfx.exe) link to get HijackThis.
Save it to your desktop and then double-click to run it.
It will install the program in c:\program files\HijackThis.

Use this HijackThis from now on.

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Send:

- a fresh HijackThis log
- combofix report

jrf1984
2006-10-16, 20:24
Currently HijackThis states my computer has the following:

Logfile of HijackThis v1.99.1
Scan saved at 19:19:06, on 16/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\WINDOWS\system32\wshext.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinAce\WinAce.exe
C:\Documents and Settings\Jonathan\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=leed-cache-4.server.ntli.net:8080
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\svchost.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [storprop] C:\WINDOWS\system32\storprop.exe
O4 - HKCU\..\Run: [usrlbva] C:\WINDOWS\system32\usrlbva.exe
O4 - HKCU\..\Run: [cic] C:\WINDOWS\system32\cic.exe
O4 - HKCU\..\Run: [wshext] C:\WINDOWS\system32\wshext.exe
O4 - HKCU\..\Run: [sdhcinst] C:\WINDOWS\system32\sdhcinst.exe
O4 - HKCU\..\Run: [ddraw] C:\WINDOWS\system32\ddraw.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VTAgentReboot.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160743385406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160743781375
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: comrepl.exe - Unknown owner - C:\WINDOWS\system32\comrepl.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: mlang.exe - Unknown owner - C:\WINDOWS\system32\mlang.exe
O23 - Service: msxml3r.exe - Unknown owner - C:\WINDOWS\system32\msxml3r.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

The combofix report looks promising, I think it's managed to delete the Deluxe Communications dlls as well as the toolbar 888 files which were regenerating inside the common files folder.


These were:

C:\Program Files\Common Files\{3C50A0F7-0C80-1033-0321-06120905002c}
C:\Program Files\Common Files\{6C50A0F7-0C80-1033-0321-06120905002c}
C:\Program Files\Common Files\{6C50A0F7-0C80-1033-0321-06120905002c}

Jonathan - 06-10-16 19:03:14.43 Service Pack 2
ComboFix 06.10.16 - Running from: "C:\Documents and Settings\Jonathan\Desktop"

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Jonathan\Application Data\Dxcdmns.dll
C:\Documents and Settings\Jonathan\Application Data\Dxcknwrd.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{3C50A0F7-0C80-1033-0321-06120905002c}
C:\Program Files\Common Files\{6C50A0F7-0C80-1033-0321-06120905002c}
C:\Program Files\Common Files\{6C50A0F7-0C80-1033-0321-06120905002c}


((((((((((((((((((((((((((((((( Files Created from 2006-09-16 to 2006-10-16 ))))))))))))))))))))))))))))))))))


2006-10-16 19:02 45,056 --a------ C:\Documents and Settings\Jonathan\BFEP.exe
2006-10-16 16:29 45,056 --a------ C:\WINDOWS\system32\CGUM.exe
2006-10-16 16:29 45,056 --a------ C:\Documents and Settings\Jonathan\SRJD.exe
2006-10-15 23:13 45,056 --a------ C:\Documents and Settings\Jonathan\RKBC.exe
2006-10-15 23:10 45,056 --a------ C:\Documents and Settings\Jonathan\QJDP.exe
2006-10-15 23:02 45,056 --a------ C:\WINDOWS\system32\BJMO.exe
2006-10-15 23:02 45,056 --a------ C:\Documents and Settings\Jonathan\MSCI.exe
2006-10-15 12:54 45,056 --a------ C:\Documents and Settings\Jonathan\IRKJ.exe
2006-10-15 12:15 45,056 --a------ C:\WINDOWS\system32\HTAO.exe
2006-10-15 12:14 48,640 --a------ C:\Documents and Settings\Jonathan\7.exe
2006-10-15 12:14 45,056 --a------ C:\Documents and Settings\Jonathan\RAIP.exe
2006-10-14 12:17 45,056 --a------ C:\WINDOWS\system32\PNQT.exe
2006-10-14 12:17 45,056 --a------ C:\Documents and Settings\Jonathan\UHHI.exe
2006-10-14 12:17 35,594 --a------ C:\WINDOWS\system32\cic.exe
2006-10-14 12:17 35,082 --a------ C:\WINDOWS\system32\mlang.exe
2006-10-13 14:30 45,056 --a------ C:\Documents and Settings\Jonathan\OADG.exe
2006-10-13 14:13 45,056 --a------ C:\Documents and Settings\Jonathan\IRND.exe
2006-10-13 13:59 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-10-13 13:43 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2006-10-13 11:40 45,056 --a------ C:\Documents and Settings\Jonathan\CLOQ.exe
2006-10-13 11:27 45,056 --a------ C:\Documents and Settings\Jonathan\MARR.exe
2006-10-13 11:27 45,056 --a------ C:\Documents and Settings\Jonathan\INUF.exe
2006-10-13 10:33 45,056 --a------ C:\WINDOWS\system32\UFSB.exe
2006-10-13 10:33 35,594 --a------ C:\WINDOWS\system32\wiavideo.exe
2006-10-13 10:33 35,082 --a------ C:\WINDOWS\system32\storage.exe
2006-10-13 10:32 45,056 --a------ C:\Documents and Settings\Jonathan\THCA.exe
2006-10-12 10:33 35,594 --a------ C:\WINDOWS\system32\usrlbva.exe
2006-10-12 10:33 24,576 --a------ C:\Documents and Settings\Jonathan\FLOD.exe
2006-10-11 18:34 24,576 --a------ C:\Documents and Settings\Jonathan\OPRL.exe
2006-10-11 16:19 24,576 --a------ C:\WINDOWS\system32\IFAFI.exe
2006-10-11 16:18 24,576 --a------ C:\WINDOWS\system32\IAIF.exe
2006-10-11 16:18 24,576 --a------ C:\WINDOWS\system32\FMAJD.exe
2006-10-11 16:18 115,947 --a------ C:\WINDOWS\system32\5.exe
2006-09-18 17:08 28,672 --a------ C:\WINDOWS\system32\f3PSSavr.scr


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-16 19:04 -------- d-------- C:\Program Files\Common Files
2006-10-16 19:02 -------- d-------- C:\Program Files\Internet Explorer
2006-10-16 18:52 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-16 18:50 -------- d-------- C:\Program Files\HijackThis
2006-10-16 17:43 -------- d-------- C:\Program Files\eMule
2006-10-15 23:32 -------- d-------- C:\Program Files\SysShield Tools
2006-10-15 23:00 -------- d-------- C:\Program Files\Soulseek
2006-10-15 22:46 -------- d-------- C:\Program Files\Common Files\Scanner
2006-10-15 22:46 -------- d-------- C:\Program Files\CA
2006-10-15 22:05 -------- d-------- C:\Program Files\InterMute
2006-10-15 15:19 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-15 15:19 -------- d-------- C:\Program Files\STOPzilla!
2006-10-15 12:52 -------- d-------- C:\Program Files\Windows Defender
2006-10-15 12:52 -------- d-------- C:\Program Files\Winamp
2006-10-15 12:52 -------- d-------- C:\Program Files\WinAce
2006-10-15 12:52 -------- d-------- C:\Program Files\QuickTime
2006-10-15 12:52 -------- d-------- C:\Program Files\Google
2006-10-15 12:52 -------- d-------- C:\Program Files\DeliPlayer2
2006-10-14 20:43 -------- d---s---- C:\Documents and Settings\Jonathan\Application Data\Microsoft
2006-10-13 14:27 -------- d-------- C:\Program Files\Outlook Express
2006-10-13 14:27 -------- d-------- C:\Program Files\Lavasoft
2006-10-13 14:27 -------- d-------- C:\Program Files\FLVPlayer
2006-10-13 14:27 -------- d-------- C:\Program Files\FlashGet
2006-10-13 14:27 -------- d-------- C:\Program Files\Common Files\System
2006-10-13 14:27 -------- d-------- C:\Documents and Settings\Jonathan\Application Data\Registry Booster
2006-10-13 14:27 -------- d-------- C:\Documents and Settings\Jonathan\Application Data\Lavasoft
2006-10-13 11:47 -------- d-------- C:\Program Files\Uniblue
2006-10-11 16:48 -------- d-------- C:\Documents and Settings\Jonathan\Application Data\Google
2006-09-30 16:46 -------- d-------- C:\Program Files\Just Trains
2006-09-27 10:44 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-22 17:53 -------- d-------- C:\Program Files\Java
2006-09-22 17:53 -------- d-------- C:\Documents and Settings\Jonathan\Application Data\Sun
2006-09-22 17:52 -------- d-------- C:\Program Files\Common Files\Java
2006-09-19 19:41 -------- d-------- C:\Program Files\Windows Media Player
2006-09-18 17:08 -------- d-------- C:\Documents and Settings\Jonathan\Application Data\FunWebProducts
2006-09-16 16:51 -------- d-------- C:\Program Files\UP
2006-09-14 14:44 -------- d-------- C:\Documents and Settings\Jonathan\Application Data\Real
2006-09-14 14:39 -------- d-------- C:\Program Files\Real
2006-09-14 14:39 -------- d-------- C:\Program Files\Common Files\xing shared
2006-09-14 14:39 -------- d-------- C:\Program Files\Common Files\Real
2006-09-13 21:16 -------- d-------- C:\Program Files\TrainzObjectz
2006-09-13 06:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-01 15:53 -------- d-------- C:\Program Files\KB Piano 2
2006-08-28 12:06 -------- d-------- C:\Program Files\EPSON
2006-08-25 16:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-23 10:51 -------- d-------- C:\Documents and Settings\Jonathan\Application Data\STOPzilla!
2006-08-21 13:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 10:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 10:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-16 12:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-08-16 10:37 225664 --a------ C:\WINDOWS\system32\drivers\tcpip6.sys
2006-08-07 14:13 560 --a------ C:\Program Files\Global.sw
2006-07-27 14:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-25 16:11 1587200 --a------ C:\VirtualPiano.exe
2006-07-21 09:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"
"storprop"="C:\\WINDOWS\\system32\\storprop.exe"
"usrlbva"="C:\\WINDOWS\\system32\\usrlbva.exe"
"cic"="C:\\WINDOWS\\system32\\cic.exe"
"wshext"="C:\\WINDOWS\\system32\\wshext.exe"
"sdhcinst"="C:\\WINDOWS\\system32\\sdhcinst.exe"
"ddraw"="C:\\WINDOWS\\system32\\ddraw.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"RTHDCPL"="RTHDCPL.EXE"
"Alcmtr"="ALCMTR.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"Ulead AutoDetector v2"="C:\\Program Files\\Common Files\\Ulead Systems\\AutoDetector\\monitor.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"CaISSDT"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\caissdt.exe\""
"eTrustPPAP"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust PestPatrol Anti-Spyware\\PPActiveDetection.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 06-10-16 19:09:08.59
C:\ComboFix.txt ... 06-10-16 19:09
C:\ComboFix2.txt ... 06-10-16 18:55

Shaba
2006-10-17, 16:12
Hi

Yes, DeluxeCommunications seems to be gone :)

Open HijackThis, click do a system scan only and checkmark these:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [storprop] C:\WINDOWS\system32\storprop.exe
O4 - HKCU\..\Run: [usrlbva] C:\WINDOWS\system32\usrlbva.exe
O4 - HKCU\..\Run: [cic] C:\WINDOWS\system32\cic.exe
O4 - HKCU\..\Run: [wshext] C:\WINDOWS\system32\wshext.exe
O4 - HKCU\..\Run: [sdhcinst] C:\WINDOWS\system32\sdhcinst.exe
O4 - HKCU\..\Run: [ddraw] C:\WINDOWS\system32\ddraw.exe
O23 - Service: comrepl.exe - Unknown owner - C:\WINDOWS\system32\comrepl.exe (file missing)
O23 - Service: mlang.exe - Unknown owner - C:\WINDOWS\system32\mlang.exe
O23 - Service: msxml3r.exe - Unknown owner - C:\WINDOWS\system32\msxml3r.exe (file missing)

Close all windows including browser and press fix checked.


Please click Start > Run and type in: services.msc
Click OK
In the Services window find: comrepl.exe
Select/highlight and right click the entry, and choose: Properties
On the General tab, under Service Status click the Stop button
Beside: Startup Type, in the drop menu, select: Disabled
Click Apply, then OK

Now, go to Start > Run, and copy/paste the following into the Open box:
sc delete comrepl.exe
Click: OK

Repeat step above for these:

mlang.exe
msxml3r.exe

Please download the Killbox (http://download.bleepingcomputer.com/spyware/KillBox.zip).
Unzip it to the desktop.

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\storprop.exe
C:\WINDOWS\system32\usrlbva.exe
C:\WINDOWS\system32\cic.exe
C:\WINDOWS\system32\wshext.exe
C:\WINDOWS\system32\sdhcinst.exe
C:\WINDOWS\system32\ddraw.exe
C:\WINDOWS\system32\comrepl.exe
C:\WINDOWS\system32\mlang.exe
C:\WINDOWS\system32\msxml3r.exe
C:\Documents and Settings\Jonathan\BFEP.exe
C:\WINDOWS\system32\CGUM.exe
C:\Documents and Settings\Jonathan\SRJD.exe
C:\Documents and Settings\Jonathan\RKBC.exe
C:\Documents and Settings\Jonathan\QJDP.exe
C:\WINDOWS\system32\BJMO.exe
C:\Documents and Settings\Jonathan\MSCI.exe
C:\Documents and Settings\Jonathan\IRKJ.exe
C:\WINDOWS\system32\HTAO.exe
C:\Documents and Settings\Jonathan\7.exe
C:\Documents and Settings\Jonathan\RAIP.exe
C:\WINDOWS\system32\PNQT.exe
C:\Documents and Settings\Jonathan\UHHI.exe
C:\Documents and Settings\Jonathan\OADG.exe
C:\Documents and Settings\Jonathan\IRND.exe
C:\Documents and Settings\Jonathan\CLOQ.exe
C:\Documents and Settings\Jonathan\MARR.exe
C:\Documents and Settings\Jonathan\INUF.exe
C:\WINDOWS\system32\UFSB.exe
C:\WINDOWS\system32\wiavideo.exe
C:\WINDOWS\system32\storage.exe
C:\Documents and Settings\Jonathan\THCA.exe
C:\WINDOWS\system32\usrlbva.exe
C:\Documents and Settings\Jonathan\FLOD.exe
C:\Documents and Settings\Jonathan\OPRL.exe
C:\WINDOWS\system32\IFAFI.exe
C:\WINDOWS\system32\IAIF.exe
C:\WINDOWS\system32\FMAJD.exe
C:\WINDOWS\system32\5.exe

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Re-run combofix

Send:

- a fresh HijackThis log
- combofix report
- kaspersky report

You may need several replies; that's ok.
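A triage script for the two logs posted in this thread, added here as an example and not a tool from the thread or from the HijackThis/ComboFix authors. Its heuristics are my assumptions, tuned so that they flag the UserInit entry, the self-named HKCU Run values in system32 and the vendorless system32 services listed for removal above, and so that they group the random-named, identical-size executables from the ComboFix 'Files Created' section that kept reappearing.

```python
"""Triage helpers for the two logs posted in this thread: a HijackThis v1.99
log and the 'Files Created' section of a ComboFix report.  Added example, not a
tool from the thread or from the HijackThis/ComboFix authors; every heuristic
here is an assumption tuned to the entries the helper asked to be removed."""
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis lines quoted in the thread.
SAMPLE_HJT = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [storprop] C:\WINDOWS\system32\storprop.exe
O4 - HKCU\..\Run: [cic] C:\WINDOWS\system32\cic.exe
O4 - HKCU\..\Run: [ddraw] C:\WINDOWS\system32\ddraw.exe
O23 - Service: comrepl.exe - Unknown owner - C:\WINDOWS\system32\comrepl.exe (file missing)
O23 - Service: mlang.exe - Unknown owner - C:\WINDOWS\system32\mlang.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Constructed sample: a subset of the ComboFix 'Files Created' lines from the thread.
SAMPLE_COMBOFIX = r"""
2006-10-16 19:02 45,056 --a------ C:\Documents and Settings\Jonathan\BFEP.exe
2006-10-16 16:29 45,056 --a------ C:\WINDOWS\system32\CGUM.exe
2006-10-15 12:14 48,640 --a------ C:\Documents and Settings\Jonathan\7.exe
2006-10-14 12:17 35,594 --a------ C:\WINDOWS\system32\cic.exe
2006-10-13 13:59 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-10-12 10:33 24,576 --a------ C:\Documents and Settings\Jonathan\FLOD.exe
2006-10-11 16:19 24,576 --a------ C:\WINDOWS\system32\IFAFI.exe
"""

SYSTEM32 = re.compile(r"^C:\\WINDOWS\\system32\\", re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def triage_hijackthis(log: str) -> list[str]:
    """Return the HijackThis lines that match three persistence heuristics."""
    flagged = []
    for line in log.splitlines():
        line = line.strip()
        # 1. Winlogon UserInit should list userinit.exe alone; anything after the
        #    comma is launched at every logon, before the shell appears.
        if line.startswith("F2 - REG:system.ini: UserInit="):
            targets = [t for t in line.split("=", 1)[1].split(",") if t]
            if len(targets) > 1:
                flagged.append(line)
            continue
        # 2. Run value whose name is just the target's own file stem and whose
        #    target is an unquoted executable sitting directly in system32.
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd")
            stem = re.sub(r"\.exe$", "", cmd.rsplit("\\", 1)[-1], flags=re.I)
            if SYSTEM32.match(cmd) and m.group("name").lower() == stem.lower():
                flagged.append(line)
            continue
        # 3. Service with no recorded vendor whose binary is (or was) in system32.
        m = O23_RE.match(line)
        if m and m.group("owner") == "Unknown owner" and SYSTEM32.match(m.group("path")):
            flagged.append(line)
    return flagged


CF_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?P<size>[\d,]+)\s+\S+\s+(?P<path>.+)$")
RANDOM_EXE = re.compile(r"^(?:[A-Z]{4,5}|\d{1,2})\.exe$")  # e.g. BFEP.exe, IFAFI.exe, 7.exe


def dropper_clusters(report: str, min_files: int = 2) -> dict[int, list[str]]:
    """Group newly created executables with random-looking names by byte size.

    Several identical-size .exe files under meaningless names, created over a few
    days, is consistent with a downloader re-dropping the same payload under fresh
    names, which matches the poster's report that the infection kept returning."""
    by_size: dict[int, list[str]] = defaultdict(list)
    for line in report.splitlines():
        m = CF_RE.match(line.strip())
        if m and RANDOM_EXE.match(m.group("path").rsplit("\\", 1)[-1]):
            by_size[int(m.group("size").replace(",", ""))].append(m.group("path"))
    return {size: paths for size, paths in by_size.items() if len(paths) >= min_files}


if __name__ == "__main__":
    for entry in triage_hijackthis(SAMPLE_HJT):
        print("FIX:", entry)
    for size, paths in sorted(dropper_clusters(SAMPLE_COMBOFIX).items()):
        print(f"{len(paths)} random-named executables of {size} bytes:", *paths, sep="\n  ")
```

Entries the heuristics do not reach (the Alcmtr Run value in the helper's list, for instance) still need the manual review the helper performed; the script narrows the log, it does not replace that judgement.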

tashi
2006-10-23, 05:09
jrf1984 how is it going?

tashi
2006-10-29, 06:14
This topic is closed due to lack of a response.

If you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original topic starter, thank you Shaba