
Thread: netuza32.exe trojan horse

  1. #11
    Junior Member
    Join Date
    Feb 2010
    Posts
    15


    Here is the ComboFix log.
    (Sorry for the delay with my reply.)


    ComboFix 10-02-26.01 - Owner 02/26/2010 20:16:36.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1255.972.1037.18.1012.281 [GMT 2:00]
    Running from: c:\documents and settings\Owner\שולחן העבודה\צחי\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Owner\תפריט התחלה\תוכניות\הפעלה\Logitech . Product Registration.lnk
    c:\documents and settings\Owner\Favorites\.url
    c:\recycler\S-1-5-21-746137067-1979792683-839522115-1003

    .
    ((((((((((((((((((((((((( Files Created from 2010-01-26 to 2010-02-26 )))))))))))))))))))))))))))))))
    .

    2010-02-17 20:52 . 2010-02-17 20:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-02-17 20:52 . 2010-01-07 14:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-02-17 20:52 . 2010-02-17 20:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-02-17 20:52 . 2010-02-17 20:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-17 20:52 . 2010-01-07 14:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-09 17:40 . 2010-02-09 17:40 -------- d-----w- c:\program files\ERUNT
    2010-02-09 17:29 . 2010-02-09 17:29 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-02-09 17:29 . 2010-02-09 17:29 -------- d-----w- c:\program files\HJT
    2010-02-07 15:06 . 2008-04-14 01:57 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
    2010-02-07 15:06 . 2008-04-14 01:57 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
    2010-02-06 11:52 . 2010-02-06 11:52 148 ----a-w- c:\windows\system32\fjhdyfhsn.bat
    2010-02-06 06:21 . 2010-02-25 05:48 -------- d-----w- c:\documents and settings\Owner\Tracing
    2010-02-05 22:15 . 2010-02-05 22:15 -------- d-----w- c:\program files\Microsoft
    2010-02-05 22:13 . 2010-02-05 22:13 -------- d-----w- c:\program files\Common Files\Windows Live

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-25 05:52 . 2006-03-02 12:00 40112 ----a-w- c:\windows\system32\perfc00d.dat
    2010-02-25 05:52 . 2006-03-02 12:00 247950 ----a-w- c:\windows\system32\perfh00d.dat
    2010-02-10 20:50 . 2007-11-30 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-02-05 22:14 . 2008-05-30 20:32 -------- d-----w- c:\program files\Windows Live
    2010-01-05 09:56 . 2006-03-02 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-01-05 09:56 . 2006-03-02 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-01-05 09:56 . 2006-03-02 12:00 17408 ------w- c:\windows\system32\corpol.dll
    2009-12-31 16:50 . 2006-03-02 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-17 07:41 . 2007-11-11 15:27 340992 ----a-w- c:\windows\system32\mspaint.exe
    2009-12-14 07:09 . 2006-03-02 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2009-12-09 10:08 . 2006-03-02 12:00 2146816 ----a-w- c:\windows\system32\ntoskrnl.exe
    2009-12-09 10:08 . 2004-08-26 17:50 2025472 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2009-12-04 18:22 . 2006-03-02 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
    "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 1249280]
    "PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-06-18 1122816]
    "Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-14 133104]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-12 142104]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-12 162584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-12 138008]
    "RTHDCPL"="RTHDCPL.EXE" [2007-06-13 16377344]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
    "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-21 520024]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\ \\\
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-9-25 813584]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-08-18 03:26 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2009-07-20 09:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\eMule\\emule.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "36340:TCP"= 36340:TCP:eMule-TCP
    "21213:UDP"= 21213:UDP:eMule UDP

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/02/2009 21:14 64160]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/07/2008 19:08 335240]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/07/2008 19:08 108552]
    R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [13/07/2008 08:00 908056]
    R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [13/07/2008 08:00 297752]
    R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [25/09/2009 20:51 10384]
    S0 ouutie;ouutie; [x]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [18/01/2009 23:34 1028432]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 18:14]

    2010-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789544874-273641727-4004151601-1003Core.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-14 18:34]

    2010-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789544874-273641727-4004151601-1003UA.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-14 18:34]

    2010-02-26 c:\windows\Tasks\HPpromotions journeysoftware.job
    - c:\program files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe [2005-04-22 15:36]

    2010-02-25 c:\windows\Tasks\User_Feed_Synchronization-{6F2A337C-1259-4DC9-9AEA-A83363B340CB}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 16:36]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.walla.co.il/
    uInternet Connection Wizard,ShellNext = iexplore
    IE: &ייצוא אל Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: {D90A0CFF-7B0F-4B67-B405-A20F424D8CD5} = 80.179.52.100 80.179.55.100
    DPF: {F6A553B1-4B5F-4974-866F-98C1D1EBD3DE} - hxxps://tlvportal2.amdocs.com/prx/000/http/proxyv/tc/CPubAppsTCS.cab
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ezaj90tj.default\
    FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1k96igf4806cy&ltmpl=default&ltmplcache=2
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
    AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9c.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-02-26 20:22
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-789544874-273641727-4004151601-1003\RemoteAccess\Profile\״||ש־w*]
    "EnableAutodisconnect"=dword:00000001
    "EnableExitDisconnect"=dword:00000001
    "DisconnectIdleTime"=dword:00000014

    [HKEY_USERS\S-1-5-21-789544874-273641727-4004151601-1003\Software\Microsoft\  M*i*c*r*o*s*o*f*t* *M*a*n*a*g*e*m*e*n*t* *C*o*n*s*o*l*e*\Recent File List]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "File1"="c:\\WINDOWS\\system32\\compmgmt.msc"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(688)
    c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    c:\program files\common files\logishrd\bluetooth\LBTServ.dll
    .
    Completion time: 2010-02-26 20:24:02
    ComboFix-quarantined-files.txt 2010-02-26 18:23

    Pre-Run: 20,911,796,224 bytes free
    Post-Run: 22,137,315,328 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - DE68BA6DE53B78FECF7A0299F5199F97

  2. #12
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    Hi,

    Thanks for the info. Not much in the ComboFix log. You can use this tool to remove ComboFix:

    Please download OTCleanIt and save it to desktop.

    http://oldtimer.geekstogo.com/OTC.exe

    Double-click OTC.exe.
    Click the CleanUp! button.
    Select Yes when the "Begin cleanup Process?" prompt appears.
    If you are prompted to Reboot during the cleanup, select Yes.
    The tool will delete itself once it finishes; if not, delete it yourself.


    Keep Malwarebytes and note that the free edition must be updated manually and a scan started manually. In other words, if YOU don't update it, it will soon be worthless, and you must manually start the scanner.
    The paid version offers auto updating and a real time protection feature.

    You can make a new restore point: the how and the why:

    One of the features of Windows XP, Vista and Windows 7 is the System Restore option; however, if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning OK.

    To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

    (winXP)

    1. Turn off System Restore. (deletes old possibly infected restore point)
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    2. Reboot.

    3. Turn ON System Restore. (creates a new restore point on a clean system)
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK, then reboot.

    Last: if all is good on your end, some tips for you:

    10 Tips that should help *Reduce and Prevent* your risk To Malware:


    1) It is essential to keep your OS (Windows), browser (IE, Firefox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the auto-update feature. Staying updated is also necessary for web based applications like Java, Adobe Flash/Reader, QuickTime etc. Check their version status here.

    2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer where you're then prompted to install software to remedy this. Use the Alt+F4 key to close your browser. See also the signs that you may have malware on your computer.

    3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If these are constantly finding malware on your computer then it's time to review your computer habits.

    4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. Do you trust the source?

    5) Don't click on ads/pop ups or any offer from websites requesting that you need to install software to your computer--*for any reason.* Use the Alt+F4 key to close your browser.

    6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

    7) Set up and use limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.*

    8) Install and understand the *limitations* of a software firewall.

    9) A tool for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0; read the FAQs.

    10) Warez, cracks, etc. are very popular for carrying all kinds of malware payloads. Using them will cause you all kinds of problems. If you download/install files via p2p networks then you are also much more likely to encounter malicious code. Do you really trust the source of the file? Do you really need another malware source?

    A longer version in link below.

    Happy Safe Surfing.
    How Can I Reduce My Risk?
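
The "turn System Restore off, then back on" reset described in the reply above, as an added example (not part of the original post) done from PowerShell on Vista/Windows 7 and later, where the System Restore cmdlets exist. It assumes the system drive is C: and that the session is elevated; the drive letter, the checkpoint description and the admin check are the example's own choices.

```powershell
# Added example, not from the original thread: scripted version of steps 1 and 3
# of the reply's System Restore reset. Assumptions: system drive is C:, run from
# an elevated PowerShell session on Vista/Windows 7 or later.
# Disabling protection on a drive discards that drive's existing restore points,
# which is the same effect the GUI "Turn off System Restore" step relies on.

$drive = "C:\"   # assumed system drive

# The reply notes you need an administrator account; fail early if not elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated (administrator) PowerShell session."
}

# Record what exists before the reset so the result can be compared.
$before = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
Write-Host ("Restore points before reset: {0}" -f $before.Count)

# Step 1: turn System Restore off for the drive (old, possibly infected points are removed).
Disable-ComputerRestore -Drive $drive

# Step 3: turn it back on and create a fresh baseline on the now-clean system.
# Note: Windows 8 and later skip creation if a point was already made in the last 24 hours.
Enable-ComputerRestore -Drive $drive
Checkpoint-Computer -Description "Clean baseline after malware removal" `
                    -RestorePointType "MODIFY_SETTINGS"

# Verify: only the new baseline should remain.
$after = @(Get-ComputerRestorePoint)
Write-Host ("Restore points after reset: {0}" -f $after.Count)
$after | Select-Object SequenceNumber, CreationTime, Description | Format-Table -AutoSize
```

The reboot the reply places between steps 1 and 3 is not required for the cmdlets, but rebooting afterwards as the reply suggests does no harm.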
