Thread: Smitfraud-C and Murlo.ff recurring problem.

  1. #1
    Junior Member, Join Date: Nov 2007, Posts: 4

    Smitfraud-C and Murlo.ff recurring problem.

    Hi

    Have run avast and Spybot S&D scans over and over and over during the past two weeks and Smitfraud-C just keeps coming back.

    A window also keeps popping up saying "Warning! Potential Spyware Operation! Your computer is making unauthorized copies of your system and Internet files. Run full scan now to prevent any unauthorised access to your files! Click YES to download spyware remover...."

    Needless to say, I haven't clicked Yes, but my kids may have.

    Also, today have Murlo.ff which Spybot can't seem to remove.

    Other symptoms, task manager and control panel disabled even for administrator.

    Here's my HJT and Kaspersky report.

    Regards
    Peter

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:18:22 p.m., on 10/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOW2\System32\smss.exe
    C:\WINDOW2\system32\winlogon.exe
    C:\WINDOW2\system32\services.exe
    C:\WINDOW2\system32\lsass.exe
    C:\WINDOW2\system32\svchost.exe
    C:\WINDOW2\System32\svchost.exe
    d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    d:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOW2\system32\spoolsv.exe
    C:\WINDOW2\Explorer.exe
    d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    d:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOW2\system32\wscntfy.exe
    C:\WINDOW2\system32\proper.exe
    C:\WINDOW2\system32\sistray.EXE
    C:\WINDOW2\system32\keyhook.exe
    C:\WINDOW2\AGRSMMSG.exe
    C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
    D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOW2\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Documents and Settings\All Users.WINDOW2\Start Menu\Programs\Startup\_install.exe
    D:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    D:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Documents and Settings\Peter\Start Menu\Programs\Startup\_install.exe
    d:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.234.1.1:80
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOW2\system32\proper.exe
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOW2\system32\bronto.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOW2\system32\sistray.EXE
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOW2\system32\keyhook.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOW2\SiSUSBrg.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
    O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [SpywareBot] d:\Program Files\SpywareBot\SpywareBot.exe -boot
    O4 - HKLM\..\Run: [avast!] d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Undefined] C:\WINDOW2\system32\winter.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOW2\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Undefined] C:\WINDOW2\system32\winter.exe
    O4 - HKCU\..\Run: [noskrnl] C:\WINDOW2\noskrnl.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOW2\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOW2\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOW2\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOW2\system32\CTFMON.EXE (User 'Default user')
    O4 - S-1-5-18 Startup: infos.exe (User 'SYSTEM')
    O4 - S-1-5-18 Startup: Microsoft Find Fast.lnk = D:\Program Files\Microsoft Office\Office\FINDFAST.EXE (User 'SYSTEM')
    O4 - S-1-5-18 Startup: Office Startup.lnk = D:\Program Files\Microsoft Office\Office\OSA.EXE (User 'SYSTEM')
    O4 - S-1-5-18 Startup: _install.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: infos.exe (User 'Default user')
    O4 - .DEFAULT Startup: Microsoft Find Fast.lnk = D:\Program Files\Microsoft Office\Office\FINDFAST.EXE (User 'Default user')
    O4 - .DEFAULT Startup: Office Startup.lnk = D:\Program Files\Microsoft Office\Office\OSA.EXE (User 'Default user')
    O4 - .DEFAULT Startup: _install.exe (User 'Default user')
    O4 - Startup: infos.exe
    O4 - Startup: Microsoft Find Fast.lnk = D:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = D:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: _install.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: autos.exe
    O4 - Global Startup: _install.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
    O20 - AppInit_DLLs: C:\WINDOW2\system32\sulimo.dat
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    --
    End of file - 6608 bytes
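    As an added triage example (not code from the thread or from HijackThis itself), the following Python script reads a handful of entries excerpted from the log above and flags the entry classes that point at the compromise: the Winlogon Shell= hijack (F2), the forced proxy (R1), the nameless BHO in system32 (O2), the Registry Editor policy lock-out (O7), the AppInit_DLLs injection (O20), and O4 entries that are either unnamed Run values or bare executables in a Startup folder. The rules are heuristics chosen for this log, not HijackThis's own classification; the benign avast! and Adobe Reader entries are included as controls.

```python
"""Triage of HijackThis (HJT) v2 log entries.

Added example for this thread, not code from the poster or from HijackThis.
The rules below are heuristics chosen to match what the posted log shows;
they are not HijackThis's own classification.
"""
import re
from typing import List, Optional, Tuple

# Entries excerpted from the HJT log posted above, plus two benign ones
# (the avast! Run value and the Adobe Reader shortcut) as controls.
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.234.1.1:80
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOW2\system32\proper.exe
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOW2\system32\bronto.dll
O4 - HKLM\..\Run: [avast!] d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Undefined] C:\WINDOW2\system32\winter.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: autos.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOW2\system32\sulimo.dat
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# "HKLM\..\Run: [name] command" and "HKUS\S-1-5-18\..\Run: [name] command (User '...')"
RUN_RE = re.compile(r"^HK[A-Z]+(?:\\[^\\]+)?\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "Startup: item", "Global Startup: item", "S-1-5-18 Startup: item (User 'SYSTEM')"
STARTUP_RE = re.compile(r"^(?P<scope>.*?Startup): (?P<item>.*)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")

Finding = Tuple[str, str]  # (log line, reason it was flagged)


def classify(sec: str, body: str) -> Optional[str]:
    """Return a reason string if this HJT entry is suspicious, else None."""
    if sec == "F2" and "Shell=" in body:
        # The Winlogon shell should be exactly Explorer.exe; anything chained
        # after it (here proper.exe) is launched at every logon.
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return "Winlogon shell hijack, extra program chained to Explorer.exe: " + shell
    elif sec == "R1" and "ProxyServer" in body:
        return "forced HTTP proxy, all IE traffic routed via " + body.split("=")[-1].strip()
    elif sec == "O2" and "(no name)" in body and "\\system32\\" in body.lower():
        return "nameless Browser Helper Object loaded from system32"
    elif sec == "O7" and body.rstrip().endswith("=1"):
        return "system policy lock-out: " + body.split(",")[-1].strip()
    elif sec == "O20" and body.startswith("AppInit_DLLs:"):
        target = body.split(":", 1)[1].strip()
        if target:
            return "AppInit_DLLs injection into every user-mode process: " + target
    elif sec == "O4":
        rm = RUN_RE.match(body)
        sm = STARTUP_RE.match(body)
        if rm:
            if rm.group("name").strip().lower() in ("", "undefined", "(no name)"):
                return "Run value without a meaningful name: " + rm.group("cmd")
        elif sm:
            # Startup folders normally hold .lnk shortcuts ("name.lnk = target");
            # a bare executable dropped there is how infos.exe/autos.exe persist.
            item = USER_SUFFIX_RE.sub("", sm.group("item")).split(" = ")[0].strip()
            if item.lower().endswith(".exe"):
                return "bare executable in a Startup folder: " + item
    return None


def triage(log_text: str) -> List[Finding]:
    """Scan every HJT entry line in log_text and collect the flagged ones."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        reason = classify(m.group("sec"), m.group("body"))
        if reason:
            findings.append((line, reason))
    return findings


def flagged_sections(log_text: str) -> List[str]:
    """HJT section codes (R1, F2, O4, ...) of the flagged entries, in log order."""
    return [line.split(" - ", 1)[0] for line, _ in triage(log_text)]


if __name__ == "__main__":
    for line, reason in triage(HJT_SAMPLE):
        print(line)
        print("    -> " + reason)
```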

  2. #2
    Junior Member, Join Date: Nov 2007, Posts: 4

    and here is the KASPERSKY report

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Saturday, November 10, 2007 2:22:06 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 10/11/2007
    Kaspersky Anti-Virus database records: 455680
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 110966
    Number of viruses found: 13
    Number of infected objects: 21
    Number of suspicious objects: 4
    Duration of the scan process: 01:21:05

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\Administrator.CAPTAIN-KIRK\Start Menu\Programs\Startup\infos.exe Infected: Trojan.Win32.Qhost.ue skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
    C:\Documents and Settings\All Users.WINDOW2\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users.WINDOW2\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users.WINDOW2\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk.zip/startdrv.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users.WINDOW2\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\All Users.WINDOW2\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk2.zip/startdrv.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users.WINDOW2\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk2.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\All Users.WINDOW2\Start Menu\Programs\Startup\autos.exe Infected: Trojan.Win32.Qhost.ue skipped
    C:\Documents and Settings\Jade.CAPTAIN-KIRK\Start Menu\Programs\Startup\infos.exe Infected: Trojan.Win32.Qhost.ue skipped
    C:\Documents and Settings\Lhara\Start Menu\Programs\Startup\infos.exe Infected: Trojan.Win32.Qhost.ue skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\away[1].exe Infected: Email-Worm.Win32.Zhelatin.ml skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Peter\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Peter\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Peter\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Peter\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Peter\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Peter\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Peter\Start Menu\Programs\Startup\infos.exe Infected: Trojan.Win32.Qhost.ue skipped
    C:\Program Files\simaquarium\setup_incredifind_simaquarium_with_track.exe/data0002 Infected: Trojan-Downloader.Win32.Keenval.k skipped
    C:\Program Files\simaquarium\setup_incredifind_simaquarium_with_track.exe/data0003 Infected: Trojan-Downloader.Win32.Keenval.c skipped
    C:\Program Files\simaquarium\setup_incredifind_simaquarium_with_track.exe NSIS: infected - 2 skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\WINDOW2\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOW2\draste.exe Infected: Email-Worm.Win32.Zhelatin.ml skipped
    C:\WINDOW2\SchedLgU.Txt Object is locked skipped
    C:\WINDOW2\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOW2\system32\bronto.dll Infected: Backdoor.Win32.Small.cls skipped
    C:\WINDOW2\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOW2\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOW2\system32\config\Antivirus.Evt Object is locked skipped
    C:\WINDOW2\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOW2\system32\config\default Object is locked skipped
    C:\WINDOW2\system32\config\default.LOG Object is locked skipped
    C:\WINDOW2\system32\config\Internet.evt Object is locked skipped
    C:\WINDOW2\system32\config\SAM Object is locked skipped
    C:\WINDOW2\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOW2\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOW2\system32\config\SECURITY Object is locked skipped
    C:\WINDOW2\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOW2\system32\config\software Object is locked skipped
    C:\WINDOW2\system32\config\software.LOG Object is locked skipped
    C:\WINDOW2\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOW2\system32\config\system Object is locked skipped
    C:\WINDOW2\system32\config\system.LOG Object is locked skipped
    C:\WINDOW2\system32\drivers\etc\hosts.20071104-143508.backup Infected: Trojan.Win32.Qhost.mg skipped
    C:\WINDOW2\system32\drivers\ip6fw.sys Infected: Trojan-Downloader.Win32.Agent.acl skipped
    C:\WINDOW2\system32\h323log.txt Object is locked skipped
    C:\WINDOW2\system32\proper.exe Infected: Trojan.Win32.Qhost.ue skipped
    C:\WINDOW2\system32\skuns.dat Infected: Backdoor.Win32.Small.cbo skipped
    C:\WINDOW2\system32\sulimo.dat Infected: not-virus:Hoax.Win32.Renos.lq skipped
    C:\WINDOW2\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOW2\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOW2\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOW2\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOW2\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOW2\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOW2\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOW2\system32\winter.exe Infected: Trojan.Win32.Qhost.ue skipped
    C:\WINDOW2\Temp\Perflib_Perfdata_4ac.dat Object is locked skipped
    C:\WINDOW2\WindowsUpdate.log Object is locked skipped
    C:\WINDOW2\xlavba3.exe Infected: Trojan-Downloader.Win32.Wixud.g skipped
    C:\WINDOW2\xlavba6.exe Infected: Trojan-Downloader.Win32.Wixud.g skipped
    C:\WINDOW2\xlavba8.exe Infected: Trojan-Downloader.Win32.Wixud.i skipped
    C:\WINDOW2\xlavra3.exe Infected: Trojan-Downloader.Win32.Wixud.b skipped
    C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\msconv97.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\osk.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\sysmain.sdb Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\user32.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\win32k.sys Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\zipfldr.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\expsrv.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msexch40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msjetol1.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msjint40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msjter40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msltus40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB839645$\fldrclnr.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB839645$\shell32.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB839645$\sxs.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
    C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped
    D:\13404fae2726c10dc3fe8000\download\ole32.dll._p Object is locked skipped
    D:\13404fae2726c10dc3fe8000\update\eula.txt Object is locked skipped
    D:\13404fae2726c10dc3fe8000\update\KB828741.cat Object is locked skipped
    D:\13404fae2726c10dc3fe8000\update\spcustom.dll Object is locked skipped
    D:\13404fae2726c10dc3fe8000\update\update.exe Object is locked skipped
    D:\13404fae2726c10dc3fe8000\update\update.inf Object is locked skipped
    D:\13404fae2726c10dc3fe8000\update\update.url Object is locked skipped
    D:\13404fae2726c10dc3fe8000\update\update.ver Object is locked skipped
    D:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
    D:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
    D:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    D:\tmp\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    D:\tmp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    Scan process completed.

  3. #3
    Security Expert: Emeritus, Join Date: Oct 2006, Location: Finland, Posts: 29,374

    Hi pcorrect

    We first need to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:

    1. Run Spybot-S&D in Advanced Mode.
    2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
    3. On the left hand side, click on Tools.
    4. Then click on the Resident icon in the list.
    5. Uncheck "Resident TeaTimer" and OK any prompts.
    6. Restart your computer.

    1. Download combofix from one of these links and save it to Desktop:
    Link1
    Link2
    2. Double click combofix.exe and follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

    Post:

    - a fresh HijackThis log
    - combofix report
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  4. #4
    Junior Member, Join Date: Nov 2007, Posts: 4

    Fresh reports - now mail attack!

    Hi, thanks Shaba

    Now Avast is reporting hundreds of spam mails the system is trying to send. I can hardly type this message because of the number of avast warnings that are popping up!

    Here are the fresh reports.

    Peter

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:22:59 a.m., on 11/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOW2\System32\smss.exe
    C:\WINDOW2\system32\winlogon.exe
    C:\WINDOW2\system32\services.exe
    C:\WINDOW2\system32\lsass.exe
    C:\WINDOW2\system32\svchost.exe
    C:\WINDOW2\System32\svchost.exe
    d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    d:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOW2\system32\spoolsv.exe
    d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    d:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOW2\system32\wscntfy.exe
    C:\WINDOW2\Explorer.exe
    C:\WINDOW2\system32\sistray.EXE
    C:\WINDOW2\system32\keyhook.exe
    C:\WINDOW2\AGRSMMSG.exe
    C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
    D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOW2\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOW2\System32\svchost.exe
    C:\Documents and Settings\All Users.WINDOW2\Start Menu\Programs\Startup\_install.exe
    D:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    D:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Documents and Settings\Peter\Start Menu\Programs\Startup\_install.exe
    C:\WINDOW2\system32\notepad.exe
    D:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.234.1.1:80
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOW2\system32\sistray.EXE
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOW2\system32\keyhook.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOW2\SiSUSBrg.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
    O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [SpywareBot] d:\Program Files\SpywareBot\SpywareBot.exe -boot
    O4 - HKLM\..\Run: [avast!] d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOW2\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOW2\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOW2\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOW2\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOW2\system32\CTFMON.EXE (User 'Default user')
    O4 - S-1-5-18 Startup: Microsoft Find Fast.lnk = D:\Program Files\Microsoft Office\Office\FINDFAST.EXE (User 'SYSTEM')
    O4 - S-1-5-18 Startup: Office Startup.lnk = D:\Program Files\Microsoft Office\Office\OSA.EXE (User 'SYSTEM')
    O4 - S-1-5-18 Startup: _install.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Microsoft Find Fast.lnk = D:\Program Files\Microsoft Office\Office\FINDFAST.EXE (User 'Default user')
    O4 - .DEFAULT Startup: Office Startup.lnk = D:\Program Files\Microsoft Office\Office\OSA.EXE (User 'Default user')
    O4 - .DEFAULT Startup: _install.exe (User 'Default user')
    O4 - Startup: Microsoft Find Fast.lnk = D:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = D:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: _install.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: _install.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    --
    End of file - 5752 bytes

  5. #5
    Junior Member, Join Date: Nov 2007, Posts: 4

    ComboFix report.

    I killed the _install.exe process and the spam generator seems to have stopped. Whew!

    I may have made a mistake here - I accidentally closed the first Combofix report while clearing the hundreds of pop-ups from avast. So I ran it again as I didn't know where it had put the log file. I'm posting both now.

    ComboFix 07-11-08.1 - Peter 2007-11-11 8:03:35.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.53 [GMT 13:00]
    Running from: C:\Documents and Settings\Peter\Desktop\ComboFix.exe
    * Created a new restore point
    .

    Unable to gain System Privileges

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Administrator.CAPTAIN-KIRK\Start Menu\Programs\Startup\infos.exe
    C:\Documents and Settings\All Users.WINDOW2\Start Menu\Programs\Startup\autos.exe
    C:\Documents and Settings\Games\Start Menu\Programs\Startup\infos.exe
    C:\Documents and Settings\Jade.CAPTAIN-KIRK\Start Menu\Programs\Startup\infos.exe
    C:\Documents and Settings\Lhara\Start Menu\Programs\Startup\infos.exe
    C:\Documents and Settings\Peter\g2mdlhlpx.exe
    C:\Documents and Settings\Peter\Start Menu\Programs\Startup\infos.exe
    C:\WINDOW2\system32\7_exception.nls
    C:\WINDOW2\system32\bronto.dll
    C:\WINDOW2\system32\drivers\ip6fw.sys
    C:\WINDOW2\system32\drivers\runtime2.sys
    C:\WINDOW2\system32\proper.exe
    C:\WINDOW2\system32\skuns.dat
    C:\WINDOW2\system32\sulimo.dat
    C:\WINDOW2\system32\winter.exe
    C:\WINDOW2\xlavba3.exe
    C:\WINDOW2\xlavba6.exe
    C:\WINDOW2\xlavba8.exe
    C:\WINDOW2\xlavra3.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_NTIO256
    -------\LEGACY_RUNTIME
    -------\LEGACY_RUNTIME2
    -------\LEGACY_XLAVBA8
    -------\ntio256
    -------\runtime
    -------\xlavba8


    ((((((((((((((((((((((((( Files Created from 2007-10-10 to 2007-11-10 )))))))))))))))))))))))))))))))
    .

    2007-11-11 08:01 51,200 --a------ C:\WINDOW2\NirCmd.exe
    2007-11-10 12:38 <DIR> d-------- C:\WINDOW2\system32\Kaspersky Lab
    2007-11-10 12:38 <DIR> d-------- C:\Documents and Settings\All Users.WINDOW2\Application Data\Kaspersky Lab
    2007-11-10 08:45 7,530 --a------ C:\WINDOW2\draste.exe
    2007-11-08 22:32 124,770 --a--c--- C:\WINDOW2\system32\dllcache\_install.exe
    2007-11-08 22:32 124,770 --a------ C:\WINDOW2\system32\_install.exe
    2007-11-08 22:32 124,770 --a------ C:\WINDOW2\system\_install.exe
    2007-11-08 22:30 124,770 --a------ C:\WINDOW2\_install.exe
    2007-11-08 22:27 124,770 --a------ C:\Program Files\_install.exe
    2007-11-08 22:22 124,770 --a------ C:\Documents and Settings\Peter\_install.exe
    2007-11-08 22:13 124,770 --a------ C:\_install.exe
    2007-11-08 22:10 124,770 --a------ C:\WINDOW2\noskrnl.exe
    2007-11-08 22:10 12,960 --a------ C:\WINDOW2\system32\noskrnl.sys
    2007-11-07 00:08 41,472 --a------ C:\WINDOW2\system32\levro.exe
    2007-11-05 19:48 42,912 --a------ C:\WINDOW2\system32\drivers\aswTdi.sys
    2007-11-05 19:48 26,624 --a------ C:\WINDOW2\system32\drivers\aavmker4.sys
    2007-11-05 19:48 23,152 --a------ C:\WINDOW2\system32\drivers\aswRdr.sys
    2007-11-05 19:47 801,144 --a------ C:\WINDOW2\system32\aswBoot.exe
    2007-11-05 19:47 95,608 --a------ C:\WINDOW2\system32\AvastSS.scr
    2007-11-05 19:47 94,416 --a------ C:\WINDOW2\system32\drivers\aswmon2.sys
    2007-11-05 19:47 92,848 --a------ C:\WINDOW2\system32\drivers\aswmon.sys
    2007-11-01 21:48 <DIR> d-------- C:\Documents and Settings\All Users.WINDOW2\Application Data\Spybot - Search & Destroy
    2007-10-30 16:40 <DIR> d-------- C:\Documents and Settings\Games\Application Data\SecondLife
    2007-10-30 16:40 114,688 --a------ C:\WINDOW2\rearede.exe
    2007-10-17 20:53 <DIR> d-------- C:\Documents and Settings\Peter\Application Data\SUPERAntiSpyware.com
    2007-10-15 21:28 <DIR> d-------- C:\Documents and Settings\All Users.WINDOW2\Application Data\SUPERAntiSpyware.com
    2007-10-15 21:28 <DIR> d-------- C:\Documents and Settings\Administrator.CAPTAIN-KIRK\Application Data\SUPERAntiSpyware.com
    2007-10-15 20:27 <DIR> d-------- C:\Program Files\Citrix
    2007-10-13 15:43 <DIR> d-------- C:\Documents and Settings\Peter\.housecall6.6
    2007-10-13 15:43 102,664 --a------ C:\WINDOW2\system32\drivers\tmcomm.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-08 09:28 --------- d-----w C:\Program Files\Winamp
    2007-11-08 09:28 --------- d-----w C:\Program Files\visionGS PE
    2007-11-08 09:28 --------- d-----w C:\Program Files\TwinMOS Mobile Disk2.94
    2007-11-08 09:28 --------- d-----w C:\Program Files\Soulseek
    2007-11-08 09:28 --------- d-----w C:\Program Files\SimAQUARIUM2
    2007-11-08 09:28 --------- d-----w C:\Program Files\simaquarium
    2007-11-08 09:28 --------- d-----w C:\Program Files\QuickTime
    2007-11-08 09:27 --------- d-----w C:\Program Files\NoAdware
    2007-11-08 09:27 --------- d-----w C:\Program Files\MonkeyRally Demo
    2007-11-08 09:27 --------- d-----w C:\Program Files\GameSpy Arcade
    2007-11-08 09:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-11-01 07:01 --------- d-----w C:\Program Files\Object Desktop
    2007-11-01 06:57 --------- d-----w C:\Program Files\filesubmit
    2007-09-24 20:04 --------- d-----w C:\Program Files\Common Files\Java
    2007-09-14 07:54 --------- d-----w C:\Documents and Settings\Peter\Application Data\LegalSounds
    2004-07-05 01:14 18,697,580 ----a-w C:\Program Files\Jazler2227.exe
    2004-06-11 00:24 8,076,976 ----a-w C:\Program Files\winamp503_ambulance.exe
    1998-11-03 06:43 29,184 ----a-w C:\Documents and Settings\Peter\SETUP.EXE
    1998-09-30 02:38 47,104 ----a-w C:\Documents and Settings\Peter\MSCUISTF.DLL
    1996-02-21 14:00 87,552 ----a-w C:\Documents and Settings\Peter\MSCOMSTF.DLL
    1996-02-21 14:00 68,608 ----a-w C:\Documents and Settings\Peter\MSINSSTF.DLL
    1996-02-21 14:00 48,640 ----a-w C:\Documents and Settings\Peter\MSUILSTF.DLL
    1996-02-21 14:00 23,552 ----a-w C:\Documents and Settings\Peter\MSSHLSTF.DLL
    1996-02-21 14:00 19,968 ----a-w C:\Documents and Settings\Peter\MSDETSTF.DLL
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Cmaudio"="cmicnfg.cpl" []
    "SiS Tray"="C:\WINDOW2\system32\sistray.EXE" [2003-10-30 14:10]
    "SiS Windows KeyHook"="C:\WINDOW2\system32\keyhook.exe" [2003-10-30 14:09]
    "SiSUSBRG"="C:\WINDOW2\SiSUSBrg.exe" [2002-07-12 18:15]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 10:06 C:\WINDOW2\AGRSMMSG.exe]
    "NPS Event Checker"="C:\PROGRA~1\Navnt\npscheck.exe" []
    "OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-01-30 22:00]
    "SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00]
    "SpywareBot"="d:\Program Files\SpywareBot\SpywareBot.exe" []
    "avast!"="d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 22:06]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOW2\system32\ctfmon.exe" [2004-08-04 01:56]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 05:24]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 05:24]

    C:\Documents and Settings\Administrator.CAPTAIN-KIRK\Start Menu\Programs\Startup\
    Microsoft Find Fast.lnk - D:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-11-21]
    Office Startup.lnk - D:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-21]
    _install.exe [2007-11-08 22:10:11]

    C:\Documents and Settings\Jade.CAPTAIN-KIRK\Start Menu\Programs\Startup\
    _install.exe [2007-11-08 22:10:11]

    C:\Documents and Settings\Lhara\Start Menu\Programs\Startup\
    _install.exe [2007-11-08 22:10:11]

    C:\Documents and Settings\Peter\Start Menu\Programs\Startup\
    Microsoft Find Fast.lnk - D:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-11-21]
    Office Startup.lnk - D:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-21]
    _install.exe [2007-11-08 22:10:11]

    C:\Documents and Settings\All Users.WINDOW2\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
    _install.exe [2007-11-08 22:10:11]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [2005-11-14 16:15 86016]

    R2 AntexWAV;Antex Digital Audio Driver;C:\WINDOW2\system32\DRIVERS\AntexWAV.SYS
    R3 noskrnl.sys;noskrnl.sys;\??\C:\WINDOW2\system32\noskrnl.sys
    S3 USTOR;TwinMOS Mobile Disk;C:\WINDOW2\system32\DRIVERS\UStork.sys
    S4 NAV Auto-Protect;NAV Auto-Protect;C:\PROGRA~1\Navnt\navapsvc.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-09 22:21:03 C:\WINDOW2\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
    - D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-11 08:14:37
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    C:\WINDOW2\noskrnl.exe [2476] 0xFF714020

    scanning hidden autostart entries ...

    scanning hidden files ...

    C:\WINDOW2\system32\noskrnl.sys 12960 bytes executable

    scan completed successfully
    hidden files: 1

    **************************************************************************

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "noskrnl"="C:\\WINDOW2\\noskrnl.exe"
    .
    Completion time: 2007-11-11 8:16:45 - machine was rebooted
    .
    --- E O F ---


    ComboFix 07-11-08.1 - Peter 2007-11-11 8:32:26.2 - NTFSx86
    Running from: C:\Documents and Settings\Peter\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2007-10-10 to 2007-11-10 )))))))))))))))))))))))))))))))
    .

    2007-11-11 08:01 51,200 --a------ C:\WINDOW2\NirCmd.exe
    2007-11-10 12:38 <DIR> d-------- C:\WINDOW2\system32\Kaspersky Lab
    2007-11-10 12:38 <DIR> d-------- C:\Documents and Settings\All Users.WINDOW2\Application Data\Kaspersky Lab
    2007-11-10 08:45 7,530 --a------ C:\WINDOW2\draste.exe
    2007-11-08 22:32 124,770 --a--c--- C:\WINDOW2\system32\dllcache\_install.exe
    2007-11-08 22:32 124,770 --a------ C:\WINDOW2\system32\_install.exe
    2007-11-08 22:32 124,770 --a------ C:\WINDOW2\system\_install.exe
    2007-11-08 22:30 124,770 --a------ C:\WINDOW2\_install.exe
    2007-11-08 22:27 124,770 --a------ C:\Program Files\_install.exe
    2007-11-08 22:22 124,770 --a------ C:\Documents and Settings\Peter\_install.exe
    2007-11-08 22:13 124,770 --a------ C:\_install.exe
    2007-11-07 00:08 41,472 --a------ C:\WINDOW2\system32\levro.exe
    2007-11-05 19:48 42,912 --a------ C:\WINDOW2\system32\drivers\aswTdi.sys
    2007-11-05 19:48 26,624 --a------ C:\WINDOW2\system32\drivers\aavmker4.sys
    2007-11-05 19:48 23,152 --a------ C:\WINDOW2\system32\drivers\aswRdr.sys
    2007-11-05 19:47 801,144 --a------ C:\WINDOW2\system32\aswBoot.exe
    2007-11-05 19:47 95,608 --a------ C:\WINDOW2\system32\AvastSS.scr
    2007-11-05 19:47 94,416 --a------ C:\WINDOW2\system32\drivers\aswmon2.sys
    2007-11-05 19:47 92,848 --a------ C:\WINDOW2\system32\drivers\aswmon.sys
    2007-11-01 21:48 <DIR> d-------- C:\Documents and Settings\All Users.WINDOW2\Application Data\Spybot - Search & Destroy
    2007-10-30 16:40 <DIR> d-------- C:\Documents and Settings\Games\Application Data\SecondLife
    2007-10-30 16:40 114,688 --a------ C:\WINDOW2\rearede.exe
    2007-10-17 20:53 <DIR> d-------- C:\Documents and Settings\Peter\Application Data\SUPERAntiSpyware.com
    2007-10-15 21:28 <DIR> d-------- C:\Documents and Settings\All Users.WINDOW2\Application Data\SUPERAntiSpyware.com
    2007-10-15 21:28 <DIR> d-------- C:\Documents and Settings\Administrator.CAPTAIN-KIRK\Application Data\SUPERAntiSpyware.com
    2007-10-15 20:27 <DIR> d-------- C:\Program Files\Citrix
    2007-10-13 15:43 <DIR> d-------- C:\Documents and Settings\Peter\.housecall6.6
    2007-10-13 15:43 102,664 --a------ C:\WINDOW2\system32\drivers\tmcomm.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-08 09:28 --------- d-----w C:\Program Files\Winamp
    2007-11-08 09:28 --------- d-----w C:\Program Files\visionGS PE
    2007-11-08 09:28 --------- d-----w C:\Program Files\TwinMOS Mobile Disk2.94
    2007-11-08 09:28 --------- d-----w C:\Program Files\Soulseek
    2007-11-08 09:28 --------- d-----w C:\Program Files\SimAQUARIUM2
    2007-11-08 09:28 --------- d-----w C:\Program Files\simaquarium
    2007-11-08 09:28 --------- d-----w C:\Program Files\QuickTime
    2007-11-08 09:27 --------- d-----w C:\Program Files\NoAdware
    2007-11-08 09:27 --------- d-----w C:\Program Files\MonkeyRally Demo
    2007-11-08 09:27 --------- d-----w C:\Program Files\GameSpy Arcade
    2007-11-08 09:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-11-08 09:10 124,770 ----a-w C:\WINDOW2\pchealth\UploadLB\Binaries\_install.exe
    2007-11-08 09:10 124,770 ----a-w C:\WINDOW2\pchealth\helpctr\binaries\_install.exe
    2007-11-08 09:10 124,770 ----a-w C:\WINDOW2\inf\_install.exe
    2007-11-08 09:10 124,770 ----a-w C:\WINDOW2\Help\Tours\mmTour\_install.exe
    2007-11-01 07:01 --------- d-----w C:\Program Files\Object Desktop
    2007-11-01 06:57 --------- d-----w C:\Program Files\filesubmit
    2007-09-24 20:04 --------- d-----w C:\Program Files\Common Files\Java
    2007-09-14 07:54 --------- d-----w C:\Documents and Settings\Peter\Application Data\LegalSounds
    2007-08-21 06:15 683,520 ----a-w C:\WINDOW2\system32\inetcomm.dll
    2004-07-05 01:14 18,697,580 ----a-w C:\Program Files\Jazler2227.exe
    2004-06-11 00:24 8,076,976 ----a-w C:\Program Files\winamp503_ambulance.exe
    1998-11-03 06:43 29,184 ----a-w C:\Documents and Settings\Peter\SETUP.EXE
    1998-09-30 02:38 47,104 ----a-w C:\Documents and Settings\Peter\MSCUISTF.DLL
    1996-02-21 14:00 87,552 ----a-w C:\Documents and Settings\Peter\MSCOMSTF.DLL
    1996-02-21 14:00 68,608 ----a-w C:\Documents and Settings\Peter\MSINSSTF.DLL
    1996-02-21 14:00 48,640 ----a-w C:\Documents and Settings\Peter\MSUILSTF.DLL
    1996-02-21 14:00 23,552 ----a-w C:\Documents and Settings\Peter\MSSHLSTF.DLL
    1996-02-21 14:00 19,968 ----a-w C:\Documents and Settings\Peter\MSDETSTF.DLL
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Cmaudio"="cmicnfg.cpl" []
    "SiS Tray"="C:\WINDOW2\system32\sistray.EXE" [2003-10-30 14:10]
    "SiS Windows KeyHook"="C:\WINDOW2\system32\keyhook.exe" [2003-10-30 14:09]
    "SiSUSBRG"="C:\WINDOW2\SiSUSBrg.exe" [2002-07-12 18:15]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 10:06 C:\WINDOW2\AGRSMMSG.exe]
    "NPS Event Checker"="C:\PROGRA~1\Navnt\npscheck.exe" []
    "OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-01-30 22:00]
    "SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00]
    "SpywareBot"="d:\Program Files\SpywareBot\SpywareBot.exe" []
    "avast!"="d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 22:06]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOW2\system32\ctfmon.exe" [2004-08-04 01:56]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 05:24]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 05:24]

    C:\Documents and Settings\Administrator.CAPTAIN-KIRK\Start Menu\Programs\Startup\
    Microsoft Find Fast.lnk - D:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-11-21]
    Office Startup.lnk - D:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-21]
    _install.exe [2007-11-08 22:10:11]

    C:\Documents and Settings\Jade.CAPTAIN-KIRK\Start Menu\Programs\Startup\
    _install.exe [2007-11-08 22:10:11]

    C:\Documents and Settings\Lhara\Start Menu\Programs\Startup\
    _install.exe [2007-11-08 22:10:11]

    C:\Documents and Settings\Peter\Start Menu\Programs\Startup\
    Microsoft Find Fast.lnk - D:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-11-21]
    Office Startup.lnk - D:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-21]
    _install.exe [2007-11-08 22:10:11]

    C:\Documents and Settings\All Users.WINDOW2\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
    _install.exe [2007-11-08 22:10:11]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [2005-11-14 16:15 86016]

    R2 AntexWAV;Antex Digital Audio Driver;C:\WINDOW2\system32\DRIVERS\AntexWAV.SYS
    R3 noskrnl.sys;noskrnl.sys;\??\C:\WINDOW2\system32\noskrnl.sys
    S3 USTOR;TwinMOS Mobile Disk;C:\WINDOW2\system32\DRIVERS\UStork.sys
    S4 NAV Auto-Protect;NAV Auto-Protect;C:\PROGRA~1\Navnt\navapsvc.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-09 22:21:03 C:\WINDOW2\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
    - D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-11 08:33:58
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    C:\WINDOW2\noskrnl.config 20194 bytes
    C:\WINDOW2\noskrnl.exe 124770 bytes executable
    IPC error: 2 The system cannot find the file specified.
    C:\WINDOW2\system32\noskrnl.sys 12960 bytes executable

    scan completed successfully
    hidden files: 3

    **************************************************************************

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "noskrnl"="C:\\WINDOW2\\noskrnl.exe"
    .
    Completion time: 2007-11-11 8:34:54
    C:\ComboFix2.txt ... 2007-11-11 08:16
    .
    --- E O F ---

  6. #6
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Some rootkits there.

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    Driver::
    noskrnl.sys
    
    Rootkit::
    C:\WINDOW2\noskrnl.config
    C:\WINDOW2\noskrnl.exe
    C:\WINDOW2\system32\noskrnl.sys
    
    File::
    C:\WINDOW2\draste.exe
    C:\WINDOW2\system32\dllcache\_install.exe
    C:\WINDOW2\system32\_install.exe
    C:\WINDOW2\system\_install.exe
    C:\WINDOW2\_install.exe
    C:\Program Files\_install.exe
    C:\Documents and Settings\Peter\_install.exe
    C:\_install.exe
    C:\WINDOW2\system32\levro.exe
    C:\WINDOW2\rearede.exe
    C:\Documents and Settings\Administrator.CAPTAIN-KIRK\Start Menu\Programs\Startup\_install.exe
    C:\Documents and Settings\Jade.CAPTAIN-KIRK\Start Menu\Programs\Startup\_install.exe
    C:\Documents and Settings\Lhara\Start Menu\Programs\Startup\_install.exe
    C:\Documents and Settings\Peter\Start Menu\Programs\Startup\_install.exe
    C:\Documents and Settings\All Users.WINDOW2\Start Menu\Programs\Startup\_install.exe
    C:\WINDOW2\pchealth\UploadLB\Binaries\_install.exe
    C:\WINDOW2\pchealth\helpctr\binaries\_install.exe
    C:\WINDOW2\inf\_install.exe
    C:\WINDOW2\Help\Tours\mmTour\_install.exe
    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



    This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

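    The expert built the File:: and Rootkit:: lists above by hand from the two ComboFix logs: the same 124,770-byte _install.exe dropped into every profile's Startup folder and several system directories, plus the three noskrnl.* items catchme reported as hidden. The following is an added example (not code from ComboFix, HijackThis or the expert's post) that automates that triage: it parses the 'Files Created' and catchme lines, flags a name/size pair replicated across many directories and any other file of exactly that size, and renders the two CFScript sections in the layout the post uses. The min_copies threshold and the sample log excerpt are constructed assumptions.

```python
"""Triage a ComboFix log for replicated and hidden files (added example; not
code from ComboFix or from the expert's post). It reads 'Files Created' and
catchme 'hidden files' lines, flags one name/size pair dropped into many
directories and any other file of exactly that size, then renders the
Rootkit:: and File:: sections in the CFScript layout the post uses."""
import re
from collections import defaultdict

# 'Files Created' line: date time, size or <DIR>, attribute flags, path.
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+(<DIR>|[\d,]+)\s+\S+\s+(.+?)\s*$")
# catchme line: path, size, 'bytes', optional 'executable'.
HIDDEN_RE = re.compile(r"^([A-Za-z]:\\\S.*?)\s+(\d+)\s+bytes(?:\s+executable)?$")

# Constructed sample: a few lines copied from the thread's second ComboFix log.
SAMPLE_LOG = r"""
2007-11-10 08:45 7,530 --a------ C:\WINDOW2\draste.exe
2007-11-08 22:32 124,770 --a--c--- C:\WINDOW2\system32\dllcache\_install.exe
2007-11-08 22:32 124,770 --a------ C:\WINDOW2\system32\_install.exe
2007-11-08 22:30 124,770 --a------ C:\WINDOW2\_install.exe
2007-11-08 22:22 124,770 --a------ C:\Documents and Settings\Peter\_install.exe
2007-11-08 22:10 124,770 --a------ C:\WINDOW2\noskrnl.exe
2007-11-08 22:10 12,960 --a------ C:\WINDOW2\system32\noskrnl.sys
2007-10-15 20:27 <DIR> d-------- C:\Program Files\Citrix
C:\WINDOW2\noskrnl.config 20194 bytes
C:\WINDOW2\noskrnl.exe 124770 bytes executable
C:\WINDOW2\system32\noskrnl.sys 12960 bytes executable
"""

def parse_log(text):
    """Return (created, hidden): created holds (size, path) for regular files
    from 'Files Created'; hidden holds paths catchme reported as hidden."""
    created, hidden = [], []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            if m.group(1) != "<DIR>":
                created.append((int(m.group(1).replace(",", "")), m.group(2)))
            continue
        m = HIDDEN_RE.match(line.strip())
        if m:
            hidden.append(m.group(1))
    return created, hidden

def find_replicated(created, min_copies=3):
    """Group by (basename, size); keep groups seen in >= min_copies locations."""
    groups = defaultdict(list)
    for size, path in created:
        groups[(path.rsplit("\\", 1)[-1].lower(), size)].append(path)
    return {k: v for k, v in groups.items() if len(v) >= min_copies}

def find_size_twins(created, replicated):
    """Files outside a replicated group whose size matches one exactly: a
    renamed copy of the same dropper (noskrnl.exe, 124,770 bytes, here)."""
    sizes = {size for _, size in replicated}
    known = {p for paths in replicated.values() for p in paths}
    return sorted(p for size, p in created if size in sizes and p not in known)

def build_cfscript(file_paths, rootkit_paths):
    """Render Rootkit:: and File:: sections, one path per line."""
    out = []
    if rootkit_paths:
        out += ["Rootkit::"] + sorted(rootkit_paths) + [""]
    if file_paths:
        out += ["File::"] + sorted(file_paths)
    return "\n".join(out) + "\n"

def triage(text, min_copies=3):
    """Full pass: returns the findings plus the rendered CFScript sections."""
    created, hidden = parse_log(text)
    replicated = find_replicated(created, min_copies)
    twins = find_size_twins(created, replicated)
    files = {p for paths in replicated.values() for p in paths} | set(twins)
    files -= set(hidden)  # hidden items belong under Rootkit::, not File::
    return {"replicated": replicated, "twins": twins, "hidden": hidden,
            "cfscript": build_cfscript(files, hidden)}
```

    The size heuristic only catches the replicated dropper and its renamed twin; entries such as draste.exe, levro.exe and rearede.exe in the expert's list came from analyst judgement about the file names and timestamps, not from this rule.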
  7. #7
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Due to the lack of feedback this Topic is closed.

    If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

    Everyone else please begin a New Topic.
