I got attacked by the SHeur2 trojan today out of the blue, and need some help getting rid of it. From other sites, including a previous thread on this website, I've seen that the consensus is to run ComboFix, which I installed and ran (see the log below).
I was told by the directions to post the log and see if anyone can see files that I must manually delete. I ran Ad-Aware and AVG 7.5 with no real avail, then went straight to ComboFix, which seems to have at least gotten things to run smoother, though my desktop image is now gone.
I have Windows XP 32-bit version, and I'll be happy to supply any more information you might need.
Here's the log from ComboFix (my primary hard drive is designated "G" and my secondary hard drive is labelled "C"; all Windows system files are obviously on G):
ComboFix 09-04-04.01 - Petrie 2009-04-06 18:45:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1474 [GMT -5:00]
Running from: g:\documents and settings\Petrie\Desktop\ComboFix.exe
AV: AVG 7.5.557 *On-access scanning disabled* (Updated)
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
g:\docume~1\Petrie\LOCALS~1\Temp\mousehook.dll
g:\docume~1\Petrie\LOCALS~1\Temp\ntdll64.dll
g:\windows\system32\ahtn.htm
g:\windows\system32\amiwezik.ini
g:\windows\system32\drivers\senekabiqqyexm.sys
g:\windows\system32\frmwrk32.exe
g:\windows\system32\kizewima.dll
g:\windows\system32\ntdll64.exe
g:\windows\system32\uniq.tll
g:\windows\system32\warning.gif
g:\windows\system32\win32hlp.cnf
Infected copy of g:\windows\system32\userinit.exe was found and disinfected
Restored copy from - g:\windows\$NtServicePackUninstall$\userinit.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_seneka
((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))
.
2009-04-06 18:33 . 2009-04-06 18:33 27,648 --a------ g:\windows\system32\winsetupsm.exe
2009-04-06 18:18 . 2009-04-06 18:18 27,648 --a------ g:\windows\system32\winsetupsn.exe
2009-03-29 22:43 . 2009-03-29 23:15 <DIR> d-------- g:\documents and settings\Petrie\Application Data\Media Player Classic
2009-03-29 22:38 . 2009-03-29 22:38 <DIR> d-------- g:\program files\Essentials Codec Pack
2009-03-27 14:24 . 2008-04-13 13:45 15,104 --a------ g:\windows\system32\drivers\usbscan.sys
2009-03-27 14:24 . 2008-04-13 13:45 15,104 --a--c--- g:\windows\system32\dllcache\usbscan.sys
2009-03-22 23:23 . 2009-03-22 23:23 <DIR> d-------- g:\windows\system32\IOSUBSYS
2009-03-22 23:22 . 2009-03-22 23:23 <DIR> d-------- g:\program files\Google
2009-03-12 23:27 . 2009-03-12 23:27 <DIR> d-------- g:\program files\Garmin
2009-03-12 23:13 . 2009-03-12 23:19 <DIR> d-------- G:\GARMIN
2009-03-12 23:02 . 2009-03-13 00:33 <DIR> d-------- g:\program files\Palm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-06 23:33 --------- d-----w g:\documents and settings\All Users\Application Data\avg7
2009-04-05 02:06 --------- d-----w g:\documents and settings\Petrie\Application Data\U3
2009-03-26 20:09 --------- d-----w g:\documents and settings\Petrie\Application Data\LimeWire
2009-03-26 05:29 --------- d-----w g:\documents and settings\Petrie\Application Data\AVG7
2009-03-13 04:24 --------- d--h--w g:\program files\InstallShield Installation Information
2009-03-11 08:01 --------- d-----w g:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-05 04:16 64,160 ----a-w g:\windows\system32\drivers\Lbd.sys
2009-03-05 04:16 --------- d-----w g:\documents and settings\All Users\Application Data\Lavasoft
2009-03-05 04:12 --------- dc-h--w g:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-05 04:12 --------- d-----w g:\program files\Lavasoft
2009-02-06 19:34 --------- d-----w g:\program files\FAATP2008
2009-02-03 16:30 137 ---ha-w g:\documents and settings\Petrie\Application Data\lakerda1967.sys
2009-02-03 16:29 360,580 ----a-w g:\windows\eSellerateEngine.dll
2008-06-12 18:55 724,984 ----a-w g:\documents and settings\Petrie\gotomypc_437.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{33ffaaa3-bc9c-400e-93b9-3abcccf4f1e3}]
2009-01-06 18:03 47616 --ahs---- g:\windows\system32\powabino.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="g:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="g:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Skype"="g:\program files\Skype\Phone\Skype.exe" [2008-08-11 21741864]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsusStartupHelp"="g:\program files\ASUS\AASP\1.00.16\AsRunHelp.exe" [2006-11-14 363008]
"Launch Ai Booster"="g:\program files\ASUS\AI Booster\OverClk.exe" [2006-11-28 3714048]
"NvCplDaemon"="g:\windows\system32\NvCpl.dll" [2005-04-22 5898240]
"NvMediaCenter"="g:\windows\system32\NvMcTray.dll" [2005-04-22 86016]
"AVG7_CC"="g:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-24 590848]
"GrooveMonitor"="g:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="g:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"SoundMAXPnP"="g:\program files\Analog Devices\Core\smax4pnp.exe" [2006-10-05 868352]
"WinampAgent"="g:\program files\Winamp\winampa.exe" [2007-12-20 37376]
"QuickTime Task"="g:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"iTunesHelper"="g:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"EPSON Stylus CX4800 Series"="g:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-02 98304]
"Monitor"="g:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"Ad-Watch"="g:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-04 515416]
"CPM73b98422"="g:\windows\system32\yazabozo.dll" [2009-04-06 87552]
"Mpivicidu"="g:\windows\owireqij.dll" [2008-04-13 156672]
"nwiz"="nwiz.exe" [2005-04-22 g:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="g:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-24 219136]
g:\documents and settings\Petrie\Start Menu\Programs\Startup\
HotSync Manager.lnk - g:\program files\Palm\HOTSYNC.EXE [2002-08-09 299008]
g:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - g:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "g:\windows\system32\yazabozo.dll" [2009-04-06 87552]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - g:\windows\system32\yazabozo.dll [2009-04-06 87552]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3IV2"= 3ivxVfWCodec.dll
"vidc.SEDG"= SamsungVfWCodec.dll
"vidc.DX50"= DivXVfWCodec.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli uapvmso.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW20]
-ra------ 2005-06-30 14:03 200704 g:\windows\system32\sw20.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW24]
-ra------ 2005-07-04 13:29 69632 g:\windows\system32\sw24.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"g:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"g:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"g:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"g:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"g:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"g:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"g:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"g:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"g:\\Program Files\\Trillian\\trillian.exe"=
"g:\\Program Files\\iTunes\\iTunes.exe"=
"g:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"g:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"g:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"g:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Music\\LimeWire\\LimeWire.exe"=
"g:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"g:\\Program Files\\Skype\\Phone\\Skype.exe"=
"g:\\Program Files\\Winamp\\winampa.exe"=
R0 Lbd;Lbd;g:\windows\system32\drivers\Lbd.sys [2009-03-04 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;g:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
R2 Viewpoint Manager Service;Viewpoint Manager Service;g:\program files\Viewpoint\Common\ViewpointService.exe [2008-09-02 24652]
R3 PAC207;Basic Webcam;g:\windows\system32\drivers\PFC027.SYS [2006-11-20 506112]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-04-02 g:\windows\Tasks\Ad-Aware Update (Weekly).job
- g:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-04 23:15]
2009-04-02 g:\windows\Tasks\AppleSoftwareUpdate.job
- g:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2009-04-06 g:\windows\Tasks\WECPUpdate.job
- g:\program files\Essentials Codec Pack\WECPUpdate.exe [2009-02-25 09:28]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Aim6 - (no file)
HKLM-Run-fuzofehiho - g:\windows\system32\migobemu.dll
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to Google Photos Screensa&ver - g:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - g:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: {8B9692D7-5A38-460A-8975-4C6EBC579B87} - hxxp://training.aerosim.com/cab/LicenseUpdate/LicenseUpdate.cab
FF - ProfilePath - g:\documents and settings\Petrie\Application Data\Mozilla\Firefox\Profiles\3ikw2f4r.default\
FF - component: g:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: g:\documents and settings\Petrie\Application Data\Mozilla\Firefox\Profiles\3ikw2f4r.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: g:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: g:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: g:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: g:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-06 18:47:52
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthhskcmjdaruuvhlyjiyotkjtqoifittcc]
"imagepath"="\systemroot\system32\drivers\ovfsthfemapmhnwrdrswjmkaklptfjuitjtlpp.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(756)
g:\windows\uapvmso.dll
g:\windows\system32\nvappfilter.dll
.
------------------------ Other Running Processes ------------------------
.
g:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
g:\progra~1\Grisoft\AVG7\avgamsvr.exe
g:\progra~1\Grisoft\AVG7\avgupsvc.exe
g:\progra~1\Grisoft\AVG7\avgemc.exe
g:\windows\system32\nvsvc32.exe
g:\windows\system32\wdfmgr.exe
g:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
g:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
g:\windows\system32\wbem\unsecapp.exe
g:\windows\system32\wscntfy.exe
g:\windows\system32\rundll32.exe
g:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-06 18:51:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-06 23:50:59
Pre-Run: 120,259,862,528 bytes free
Post-Run: 120,611,692,544 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
g:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
209 --- E O F --- 2009-03-23 08:01:12
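As an added example (this is not code from the original post, and not part of ComboFix or catchme), here is a small Python triage script that reads ComboFix log text and pulls out the entries a helper would look at first in a log like the one above: anything beyond the default `scecli` in the LSA "Notification Packages" value (those DLLs are loaded into lsass.exe and are handed every password change in cleartext), service keys that catchme reports as hidden, modules loaded into lsass.exe from outside system32, autostart targets written on the day of the scan, DLL autostarts sitting directly in %windir%, BHO DLLs carrying hidden+system attributes, and removable-drive autorun commands. The rules are the editor's heuristics, not ComboFix's; `SAMPLE_LOG` is a subset of the lines from the log posted above.

```python
"""Triage a ComboFix log for high-signal persistence indicators (added example).

The parsing targets the line formats visible in the posted log; the severity
rules are assumptions of this example, not ComboFix's own classification.
"""
import ntpath
import re

SCAN_DATE_RE = re.compile(r"^ComboFix \S+ - .* (\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}")
# Run / SharedTaskScheduler values:  "name"="target" [YYYY-MM-DD size]
RUN_RE = re.compile(r'^"[^"]+"=\s*"([^"]+)"\s*\[(\d{4}-\d{2}-\d{2}) \d+\]')
# ShellServiceObjectDelayLoad:  "SSODL"= {GUID} - target [YYYY-MM-DD size]
SSODL_RE = re.compile(r'^"SSODL"=\s*\{[^}]+\}\s*-\s*(.+?)\s*\[(\d{4}-\d{2}-\d{2}) \d+\]')
# BHO detail line:  YYYY-MM-DD HH:MM size attrs target.dll
BHO_RE = re.compile(r'^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} \d+ (\S+) (.+\.dll)$', re.I)
LSA_RE = re.compile(r'^Notification Packages\s+REG_MULTI_SZ\s+(.+)$')
SERVICE_KEY_RE = re.compile(r'^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]', re.I)
IMAGEPATH_RE = re.compile(r'^"imagepath"="([^"]+)"', re.I)
PROCESS_RE = re.compile(r"^- - - - - - - > '([^']+)'\(\d+\)")
AUTORUN_RE = re.compile(r'^\\Shell\\AutoRun\\command - (.+)$')
WINDIR_DLL_RE = re.compile(r'^[a-z]:\\windows\\[^\\]+\.dll$', re.I)

DEFAULT_LSA_PACKAGES = {"scecli"}   # the only notification package XP installs by default
RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def check_autostart(add, scan_date, target, date):
    """Heuristics (assumptions): dropped on scan day, or a DLL sitting directly in %windir%."""
    if scan_date and date == scan_date:
        add("MEDIUM", "autostart target written on the day of the scan", target)
    if WINDIR_DLL_RE.match(target):
        add("MEDIUM", "autostart DLL placed directly under %windir%", target)


def triage(log_text):
    """Return de-duplicated (severity, reason, target) tuples, highest severity first."""
    findings, scan_date, section, process, service, in_bho = [], None, None, None, None, False

    def add(sev, reason, target):
        if (sev, reason, target) not in findings:
            findings.append((sev, reason, target))

    for raw in log_text.splitlines():
        line = raw.strip()
        m = SCAN_DATE_RE.match(line)
        if m:
            scan_date = m.group(1)
        elif line == "hidden files:":                      # catchme section of the log
            section = "hidden"
        elif "DLLs Loaded Under Running Processes" in line:
            section = "modules"
        elif "Other Running Processes" in line:
            section = None
        elif line.startswith("Infected copy of"):
            add("HIGH", "ComboFix replaced an infected system binary", line.split()[3])
        elif (m := LSA_RE.match(line)):
            # Every package listed here runs inside lsass.exe and sees cleartext password changes.
            for pkg in m.group(1).split():
                if pkg.lower() not in DEFAULT_LSA_PACKAGES:
                    add("HIGH", "non-default LSA notification package", pkg)
        elif section == "hidden":
            if (m := SERVICE_KEY_RE.match(line)):
                service = m.group(1)
            elif (m := IMAGEPATH_RE.match(line)):
                add("HIGH", f"service '{service}' reported hidden by catchme", m.group(1))
        elif section == "modules":
            if (m := PROCESS_RE.match(line)):
                process = m.group(1).lower()
            elif process == "lsass.exe" and "\\" in line \
                    and not ntpath.dirname(line).lower().endswith("\\system32"):
                add("HIGH", "module in lsass.exe loaded from outside system32", line)
        elif "Browser Helper Objects" in line:
            in_bho = True                                   # detail line follows the key
        elif in_bho and (m := BHO_RE.match(line)):
            in_bho = False
            date, attrs, target = m.groups()
            if "h" in attrs and "s" in attrs:               # heuristic: hidden+system BHO DLL
                add("MEDIUM", "BHO DLL carries hidden+system attributes", target)
            check_autostart(add, scan_date, target, date)
        elif (m := RUN_RE.match(line) or SSODL_RE.match(line)):
            check_autostart(add, scan_date, *m.groups())
        elif (m := AUTORUN_RE.match(line)):
            add("LOW", "autorun command registered for a removable drive", m.group(1))
    return sorted(findings, key=lambda f: RANK[f[0]])


# Subset of the lines from the log posted in this thread.
SAMPLE_LOG = r"""
ComboFix 09-04-04.01 - Petrie 2009-04-06 18:45:27.1 - NTFSx86
Infected copy of g:\windows\system32\userinit.exe was found and disinfected
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{33ffaaa3-bc9c-400e-93b9-3abcccf4f1e3}]
2009-01-06 18:03 47616 --ahs---- g:\windows\system32\powabino.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="g:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPM73b98422"="g:\windows\system32\yazabozo.dll" [2009-04-06 87552]
"Mpivicidu"="g:\windows\owireqij.dll" [2008-04-13 156672]
"nwiz"="nwiz.exe" [2005-04-22 g:\windows\system32\nwiz.exe]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "g:\windows\system32\yazabozo.dll" [2009-04-06 87552]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - g:\windows\system32\yazabozo.dll [2009-04-06 87552]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli uapvmso.dll
\Shell\AutoRun\command - L:\LaunchU3.exe -a
hidden files:
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthhskcmjdaruuvhlyjiyotkjtqoifittcc]
"imagepath"="\systemroot\system32\drivers\ovfsthfemapmhnwrdrswjmkaklptfjuitjtlpp.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(756)
g:\windows\uapvmso.dll
g:\windows\system32\nvappfilter.dll
------------------------ Other Running Processes ------------------------
"""

if __name__ == "__main__":
    for sev, reason, target in triage(SAMPLE_LOG):
        print(f"{sev:6} {reason}: {target}")
```

Run it against a full ComboFix log saved to a file (`triage(open(path).read())`) to get the same ordering; on the posted log it surfaces the `uapvmso.dll` LSA package, the hidden `ovfsth...` driver service, the `yazabozo.dll` SSODL/SharedTaskScheduler entries and the `owireqij.dll` Run entry before anything else, which is exactly the set a helper would ask about first. Legitimate entries such as `ctfmon.exe` and `nvappfilter.dll` are not flagged.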