Another Virtumonde case. Please Help!!

[intelmic]

Hey there!
I'm usally very good at spyware removal but this Virtumonde is killing me! I just can't get rid of it.

I've tried Symantec's FixVundo. Also VundoFix.exe. Both didn't find anything.

VundoBeGone.exe found part of it but didn't delete it all.

Please help!! I'll post my hijack log. Btw, I renamed it to intelmic.exe

Thanks!

 

[intelmic]

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, December 14, 2007 10:42:22 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/12/2007
Kaspersky Anti-Virus database records: 482936
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 55330
Number of viruses found: 5
Number of infected objects: 18
Number of suspicious objects: 0
Duration of the scan process: 01:13:06

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\intelmic\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\intelmic\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\intelmic\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\intelmic\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\intelmic\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\intelmic\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\intelmic\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{7EE673E0-190D-4889-A116-67A24A62B076}\RP168\A0021747.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\System Volume Information\_restore{7EE673E0-190D-4889-A116-67A24A62B076}\RP168\A0021748.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\System Volume Information\_restore{7EE673E0-190D-4889-A116-67A24A62B076}\RP168\A0021749.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{7EE673E0-190D-4889-A116-67A24A62B076}\RP168\A0021750.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bmd skipped
C:\System Volume Information\_restore{7EE673E0-190D-4889-A116-67A24A62B076}\RP168\A0021751.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bmd skipped
C:\System Volume Information\_restore{7EE673E0-190D-4889-A116-67A24A62B076}\RP168\A0021752.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bmd skipped
C:\System Volume Information\_restore{7EE673E0-190D-4889-A116-67A24A62B076}\RP168\A0021753.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bmd skipped
C:\System Volume Information\_restore{7EE673E0-190D-4889-A116-67A24A62B076}\RP168\A0021754.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bmd skipped
C:\System Volume Information\_restore{7EE673E0-190D-4889-A116-67A24A62B076}\RP168\A0021755.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bmd skipped
C:\System Volume Information\_restore{7EE673E0-190D-4889-A116-67A24A62B076}\RP168\A0021756.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bmd skipped
C:\System Volume Information\_restore{7EE673E0-190D-4889-A116-67A24A62B076}\RP168\A0021758.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{7EE673E0-190D-4889-A116-67A24A62B076}\RP168\A0021758.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{7EE673E0-190D-4889-A116-67A24A62B076}\RP170\change.log Object is locked skipped
C:\System Volume Information\_restore{7EE673E0-190D-4889-A116-67A24A62B076}\RP91\A0007860.exe/stream/data0001/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
C:\System Volume Information\_restore{7EE673E0-190D-4889-A116-67A24A62B076}\RP91\A0007860.exe/stream/data0001/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
C:\System Volume Information\_restore{7EE673E0-190D-4889-A116-67A24A62B076}\RP91\A0007860.exe/stream/data0001 Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
C:\System Volume Information\_restore{7EE673E0-190D-4889-A116-67A24A62B076}\RP91\A0007860.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
C:\System Volume Information\_restore{7EE673E0-190D-4889-A116-67A24A62B076}\RP91\A0007860.exe NSIS: infected - 4 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_624.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

 

[intelmic]

It's those 2 BHOs:

O2 - BHO: (no name) - {B92D084A-6547-4C96-BDE8-1032DFB30DC5} - C:\WINDOWS\system32\awtsr.dll
O2 - BHO: (no name) - {DD1B8E4D-903A-402D-81C7-67A910182565} - (no file)

That awtsr.dll..... I just can't make it disappear.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:35, on 2007-12-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmntray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Druide\Antidote\Antidote\Gestionnaire Antidote.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\intelmic.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {B92D084A-6547-4C96-BDE8-1032DFB30DC5} - C:\WINDOWS\system32\awtsr.dll
O2 - BHO: (no name) - {DD1B8E4D-903A-402D-81C7-67A910182565} - (no file)
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\bcmntray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Gestionnaire Antidote.exe] C:\PROGRA~1\Druide\Antidote\Antidote\Gestionnaire Antidote.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by141fd.bay141.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1194819825875
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1194819814500
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6164 bytes

 

[intelmic]

And I post here the VirtumondoBeGone log. The first part found it and deleted some part of the problem of it such as the WinLogon notify...

Oh and btw, when I run FileMonitor, I see that explorer writes and flush every second on the "C:\WINDOWS\system32\rstwa.ini"

and that lsass.exe access every second that "C:\WINDOWS\system32\awtsr.dll"




[12/14/2007, 14:41:05] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\intelmic\Desktop\VirtumundoBeGone.exe" )
[12/14/2007, 14:41:12] - Detected System Information:
[12/14/2007, 14:41:12] - Windows Version: 5.1.2600, Service Pack 2
[12/14/2007, 14:41:12] - Current Username: intelmic (Admin)
[12/14/2007, 14:41:12] - Windows is in NORMAL mode.
[12/14/2007, 14:41:12] - Searching for Browser Helper Objects:
[12/14/2007, 14:41:13] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[12/14/2007, 14:41:13] - BHO 2: {330DB8EF-60ED-4ECC-9AE4-5FFD3770A1B7} ()
[12/14/2007, 14:41:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/14/2007, 14:41:13] - Checking for HKLM\...\Winlogon\Notify\awtsr
[12/14/2007, 14:41:13] - Key not found: HKLM\...\Winlogon\Notify\awtsr, continuing.
[12/14/2007, 14:41:13] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[12/14/2007, 14:41:13] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[12/14/2007, 14:41:13] - BHO 5: {AEBF6926-DBA6-4100-A838-1CED0169AB78} ()
[12/14/2007, 14:41:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/14/2007, 14:41:13] - Checking for HKLM\...\Winlogon\Notify\awtrpmn
[12/14/2007, 14:41:13] - Found: HKLM\...\Winlogon\Notify\awtrpmn - This is probably Virtumundo.
[12/14/2007, 14:41:13] - Assigning {AEBF6926-DBA6-4100-A838-1CED0169AB78} MSEvents Object
[12/14/2007, 14:41:13] - BHO list has been changed! Starting over...
[12/14/2007, 14:41:13] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[12/14/2007, 14:41:13] - BHO 2: {330DB8EF-60ED-4ECC-9AE4-5FFD3770A1B7} ()
[12/14/2007, 14:41:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/14/2007, 14:41:13] - Checking for HKLM\...\Winlogon\Notify\awtsr
[12/14/2007, 14:41:13] - Key not found: HKLM\...\Winlogon\Notify\awtsr, continuing.
[12/14/2007, 14:41:13] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[12/14/2007, 14:41:13] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[12/14/2007, 14:41:13] - BHO 5: {AEBF6926-DBA6-4100-A838-1CED0169AB78} (MSEvents Object)
[12/14/2007, 14:41:13] - ALERT: Found MSEvents Object!
[12/14/2007, 14:41:13] - Finished Searching Browser Helper Objects
[12/14/2007, 14:41:13] - *** Detected MSEvents Object
[12/14/2007, 14:41:13] - Trying to remove MSEvents Object...
[12/14/2007, 14:41:14] - Terminating Process: IEXPLORE.EXE
[12/14/2007, 14:41:14] - Terminating Process: RUNDLL32.EXE
[12/14/2007, 14:41:14] - Disabling Automatic Shell Restart
[12/14/2007, 14:41:15] - Terminating Process: EXPLORER.EXE
[12/14/2007, 14:41:15] - Suspending the NT Session Manager System Service
[12/14/2007, 14:41:16] - Terminating Windows NT Logon/Logoff Manager
[12/14/2007, 14:41:16] - Re-enabling Automatic Shell Restart
[12/14/2007, 14:41:16] - File to disable: C:\WINDOWS\system32\awtrpmn.dll
[12/14/2007, 14:41:16] - Renaming C:\WINDOWS\system32\awtrpmn.dll -> C:\WINDOWS\system32\awtrpmn.dll.vir
[12/14/2007, 14:41:16] - File successfully renamed!
[12/14/2007, 14:41:16] - Removing HKLM\...\Browser Helper Objects\{AEBF6926-DBA6-4100-A838-1CED0169AB78}
[12/14/2007, 14:41:17] - Removing HKCR\CLSID\{AEBF6926-DBA6-4100-A838-1CED0169AB78}
[12/14/2007, 14:41:17] - Adding Kill Bit for ActiveX for GUID: {AEBF6926-DBA6-4100-A838-1CED0169AB78}
[12/14/2007, 14:41:17] - Deleting ATLEvents/MSEvents Registry entries
[12/14/2007, 14:41:17] - Removing HKLM\...\Winlogon\Notify\awtrpmn
[12/14/2007, 14:41:17] - Searching for Browser Helper Objects:
[12/14/2007, 14:41:17] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[12/14/2007, 14:41:17] - BHO 2: {330DB8EF-60ED-4ECC-9AE4-5FFD3770A1B7} ()
[12/14/2007, 14:41:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/14/2007, 14:41:17] - Checking for HKLM\...\Winlogon\Notify\awtsr
[12/14/2007, 14:41:17] - Key not found: HKLM\...\Winlogon\Notify\awtsr, continuing.
[12/14/2007, 14:41:17] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[12/14/2007, 14:41:17] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[12/14/2007, 14:41:17] - Finished Searching Browser Helper Objects
[12/14/2007, 14:41:17] - Finishing up...
[12/14/2007, 14:41:17] - A restart is needed.
[12/14/2007, 14:41:51] - Attempting to Restart via STOP error (Blue Screen!)

[12/14/2007, 14:45:33] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\intelmic\Desktop\VirtumundoBeGone.exe" )
[12/14/2007, 14:45:36] - Detected System Information:
[12/14/2007, 14:45:36] - Windows Version: 5.1.2600, Service Pack 2
[12/14/2007, 14:45:36] - Current Username: intelmic (Admin)
[12/14/2007, 14:45:36] - Windows is in NORMAL mode.
[12/14/2007, 14:45:36] - Searching for Browser Helper Objects:
[12/14/2007, 14:45:36] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[12/14/2007, 14:45:36] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[12/14/2007, 14:45:36] - BHO 3: {5AA93876-2348-4FC4-9FE9-CAA9307866E7} ()
[12/14/2007, 14:45:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/14/2007, 14:45:36] - Checking for HKLM\...\Winlogon\Notify\awtsr
[12/14/2007, 14:45:36] - Key not found: HKLM\...\Winlogon\Notify\awtsr, continuing.
[12/14/2007, 14:45:36] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[12/14/2007, 14:45:36] - Finished Searching Browser Helper Objects
[12/14/2007, 14:45:36] - Finishing up...
[12/14/2007, 14:45:36] - Nothing found! Exiting...

 

[pskelley]

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Please read the directions including this one:
http://forums.spybot.info/showthread.php?t=16806

You have a Vundo infection which can be hard to remove. This will take some time and unless you are patient, understand how to follow directions and are comfortable working on your computer, you may want to seek local professional help. If you wish to proceed, read and follow the directions carefully.

Please do not run and post the required Kaspersky online scan until I request it.

Since most of Vundo is hidden and I have no idea what you have removed, we will start at the beginning, please delete all tools you have downloaded and follow these directions.

1) You are running two antivirus programs at the same time and this is not a good thing. They conflict with each other and you will be less safe than if you ran one good program and maintained it properly. Uninstall one, update the one you keep and run a complete system scan, post for me any item that can't be removed, the complete name and pathway.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
http://www.smartcomputing.com/editorial/article.asp?article=articles/2003/s1407/38s07/38s07.asp

Kaspersky Anti-Virus 7.0
Avast4\
Please uninstall one of those

2) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.

3) Thanks to Atribune and any others who helped with this fix.

http://vundofix.atribune.org/ <<< tutorial

"Download VundoFix" to your Desktop

http://www.atribune.org/ccount/click.php?id=4

Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will attempt run on reboot, simply follow the above instructions starting from "Click
the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\

(wait until you finish to post reports and logs)

4) Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here or Here to your Desktop

• Double click combofix.exe and follow the prompts.
• When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the Vundofix.txt, combofix log and a new HJT log.

Thanks

 

[intelmic]

Ok, I uninstalled Kaspersky, I disabled TeaTimer.

I ran Vundo Fix but didn't find anything:

--------------------------------------------
VundoFix V6.7.3

Checking Java version...

Scan started at 11:05:26 2007-12-15

Listing files found while scanning....

No infected files were found.
--------------------------------------------




I ran Combofix, but can't find the log (?) besides
C:\ComboFix\ComboFix.txt

--------------------------------------------
ComboFix 07-12-15.5 - intelmic 2007-12-15 11:31:32.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503 [GMT -5:00]
Running from: C:\Documents and Settings\intelmic\Desktop\ComboFix.exe
* Created a new restore point
.
--------------------------------------------




And here's the HJT log:

--------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40, on 2007-12-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmntray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Druide\Antidote\Antidote\Gestionnaire Antidote.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\intelmic.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {9628AAEC-C932-4A5C-8BFC-FB423AB5D26F} - C:\WINDOWS\system32\awtsr.dll (file missing)
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\bcmntray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Gestionnaire Antidote.exe] C:\PROGRA~1\Druide\Antidote\Antidote\Gestionnaire Antidote.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by141fd.bay141.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1194819825875
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1194819814500
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 5642 bytes
-------------------------------------------

 

[pskelley]

I need to see that combofix log, this should be it: ComboFix.txt
Open it with notepad and copy/paste the information to this topic.

Make sure you are following the direction, it must run from the Desktop!


Look here: http://forums.spybot.info/showthread.php?t=21252&page=2
Post #15 so you can see about what the log will look like.

Thanks

 

[intelmic]

Hi,

My ComboFix log which is located at (C:\ComboFix\ComboFix.txt) has the same header just as the normal ones but it only have this in it:





ComboFix 07-12-15.5 - intelmic 2007-12-15 14:17:30.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.483 [GMT -5:00]
Running from: C:\Documents and Settings\intelmic\Desktop\ComboFix.exe
.








I do run it from the desktop. At some point in the scan, after the part where is says "deleting files/folders" and I see it deletes some stuff, then my cpu reboots and when I startup again, I just see a rapid flash from the combofix windows and then nothing else.

 

[pskelley]

OK, I want you to take a careful look at this persons topic, as they also had issues with the combofix. I would like you to remove combofix from your computer and download it again. It is possible one of the websides has a bad download as happened in this case, then use the other download. If you follow the directions, you too will get a combofix log to post for me like they did. If someone is available with more computer knowledge, ask them to help. This tool is run countless times daily with results.

Thank you.

http://forums.spybot.info/showthread.php?t=21138

 

[intelmic]

Thanks.

I removed the combofix and the C:\combofix folder and started fresh with a new dled version.

here's the report:




ComboFix 07-12-15.5 - intelmic 2007-12-15 16:58:39.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.493 [GMT -5:00]
Running from: C:\Documents and Settings\intelmic\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\intelmic\Application Data\macromedia\Flash Player\#SharedObjects\4XH8DWPG\iforex.com
C:\Documents and Settings\intelmic\Application Data\macromedia\Flash Player\#SharedObjects\4XH8DWPG\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\intelmic\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\intelmic\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\matrix.dat
C:\Program Files\WinBudget\bin\matrix.dll
C:\Program Files\WinBudget\bin\matrix.dll.1192461388.old
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\bkR11
C:\Temp\bkR11\ftCa.log
C:\WINDOWS\msettings.ini
C:\WINDOWS\system32\awtsr.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rstwa.ini
C:\WINDOWS\system32\rstwa.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE






((((((((((((((((((((((((( Files Created from 2007-11-15 to 2007-12-15 )))))))))))))))))))))))))))))))
.

2007-12-14 21:24 . 2007-12-14 21:24 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-14 18:25 . 2007-12-14 18:25 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-14 18:23 . 2007-12-14 18:23 <DIR> d-------- C:\KAV
2007-12-14 15:27 . 2007-12-14 15:27 250 --a------ C:\WINDOWS\gmer.ini
2007-12-14 15:03 . 2007-12-14 15:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-14 15:03 . 2007-12-15 10:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-14 13:14 . 2007-12-14 13:14 <DIR> d-------- C:\VundoFix Backups
2007-12-14 11:56 . 2007-12-14 12:03 952,263 --ahs---- C:\WINDOWS\system32\orkcvkje.ini
2007-12-12 11:46 . 2007-12-12 11:46 <DIR> d-------- C:\WINDOWS\system32\su2
2007-12-12 11:46 . 2007-12-14 20:36 <DIR> d-------- C:\WINDOWS\system32\pi3
2007-12-12 11:45 . 2007-12-12 11:46 <DIR> d-------- C:\WINDOWS\system32\eu1
2007-12-12 11:45 . 2007-12-12 11:45 <DIR> d-------- C:\WINDOWS\system32\daSgo01
2007-12-12 11:45 . 2007-12-15 11:34 <DIR> d-------- C:\Temp
2007-12-06 21:07 . 2007-12-09 22:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-06 21:07 . 2007-12-06 21:07 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-14 18:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-14 09:36 --------- d-----w C:\Documents and Settings\intelmic\Application Data\uTorrent
2007-12-12 18:10 --------- d-----w C:\Program Files\Avast4
2007-12-12 17:13 --------- d-----w C:\Program Files\Winamp
2007-12-10 03:59 --------- d-----w C:\Documents and Settings\intelmic\Application Data\LimeWire
2007-12-07 17:44 --------- d-----w C:\Documents and Settings\intelmic\Application Data\mIRC
2007-12-07 17:42 --------- d-----w C:\Program Files\mIRC
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-12 00:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-12 00:06 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-11-11 23:49 --------- d-----w C:\Program Files\MSN Messenger
2007-11-06 12:49 --------- d-----w C:\Program Files\XoftSpySE
2007-10-25 23:15 --------- d-----w C:\Program Files\Jasc Software Inc
2007-10-20 16:49 --------- d-----w C:\Program Files\PDF Merger
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 1,388,544 2004-06-30 17:33:04 C:\Program Files\Analog Devices\SoundMAX\bak\SMax4PNP.exe
----a-w 1,388,544 2004-06-30 17:33:04 C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

----a-w 847,872 2004-07-07 18:56:34 C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe

----a-w 847,872 2004-07-07 18:56:34 C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe

----a-w 335,872 2004-05-16 01:00:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-w 79,224 2007-09-06 10:06:09 C:\Program Files\Avast4\bak\ashDisp.exe
----a-w 79,224 2007-12-04 13:00:23 C:\Program Files\Avast4\ashDisp.exe

----a-w 290,816 2004-12-03 17:24:20 C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe
----a-w 290,816 2004-12-03 17:24:20 C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

----a-w 132,496 2007-07-12 08:00:36 C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe
----a-w 132,496 2007-07-12 08:00:36 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

----a-w 35,328 2007-05-14 22:22:22 C:\Program Files\Winamp\bak\winampa.exe
----a-w 35,328 2007-05-14 22:22:22 C:\Program Files\Winamp\winampa.exe

----a-w 13,312 2003-03-31 19:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 05:56:50 C:\WINDOWS\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-08-26 15:59]
"Gestionnaire Antidote.exe"="C:\PROGRA~1\Druide\Antidote\Antidote\Gestionnaire Antidote.exe" [2005-06-22 16:12]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="C:\WINDOWS\System32\bcmntray" []
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-19 09:05 C:\WINDOWS\AGRSMMSG.exe]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 12:24]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 17:22]
"avast!"="C:\PROGRA~1\Avast4\ashDisp.exe" [2007-12-04 08:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\585e0725]
rundll32.exe C:\WINDOWS\system32\ejkvckro.dll,b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-06-30 12:33 1388544 --a------ C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 03:00 132496 --a------ C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-13 01:49:44 C:\WINDOWS\Tasks\Critical Battery Alarm Program.job"
- C:\Documents and Settings\intelmic\Desktop\alarme.exe
"2007-12-13 01:49:43 C:\WINDOWS\Tasks\Low Battery Alarm Program.job"
- C:\Documents and Settings\intelmic\Desktop\alarme.exe
"2007-11-06 12:49:20 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 17:00:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-15 17:01:17

 

[intelmic]

And here's a new HJT log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:04:37 PM, on 15/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\bcmntray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Druide\Antidote\Antidote\Gestionnaire Antidote.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\intelmic.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\bcmntray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Gestionnaire Antidote.exe] C:\PROGRA~1\Druide\Antidote\Antidote\Gestionnaire Antidote.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by141fd.bay141.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1194819825875
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1194819814500
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 5578 bytes

 

[pskelley]

Thanks, I knew you could do it and the HJT log is clean. I was about to send you on your way before I say this:
((((((((((((((((((((((((((((((((((((((((((((( AWF )))))))))))))))))))))))))))))))))))))))))

combofix locates the trojan, it does not clean it, expect this to be some work, and continue to stay offline except when troubleshooting.

You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups then restore them.
1. Please download FindAWF and save it to your Desktop

• * Double-click FindAWF.exe to start the tool.
  * Select option #1 - Scan for bak folders by typing 1 and press 'Enter'
  * When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt here.

**Do not run any other option unless directed to do so.**

Thanks

 

[intelmic]

Thanks!

Here's the awf.txt report:






Find AWF report by noahdfear ©2006
Version 1.40

The current date is: 15/12/2007
The current time is: 17:44:08.31


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\AVAST4\BAK

06/09/2007 05:06 AM 79,224 ashDisp.exe
1 File(s) 79,224 bytes

Directory of C:\PROGRA~1\EASYME~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\WINAMP\BAK

14/05/2007 05:22 PM 35,328 winampa.exe
1 File(s) 35,328 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

31/03/2003 02:00 PM 13,312 ctfmon.exe
1 File(s) 13,312 bytes

Directory of C:\PROGRA~1\ANALOG~1\SOUNDMAX\BAK

30/06/2004 12:33 PM 1,388,544 SMax4PNP.exe
1 File(s) 1,388,544 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

15/05/2004 08:00 PM 335,872 atiptaxx.exe
1 File(s) 335,872 bytes

Directory of C:\PROGRA~1\HPQ\QUICKL~1\BAK

03/12/2004 12:24 PM 290,816 EabServr.exe
1 File(s) 290,816 bytes

Directory of C:\PROGRA~1\ANALOG~1\SOUNDMAX\BAK\BAK

07/07/2004 01:56 PM 847,872 Smax4.exe
1 File(s) 847,872 bytes

Directory of C:\PROGRA~1\DRUIDE\ANTIDOTE\ANTIDOTE\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

12/07/2007 03:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

79224 Dec 4 2007 "C:\Program Files\Avast4\ashDisp.exe"
79224 Sep 6 2007 "C:\Program Files\Avast4\bak\ashDisp.exe"
35328 May 14 2007 "C:\Program Files\Winamp\winampa.exe"
35328 May 14 2007 "C:\Program Files\Winamp\bak\winampa.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
13312 Mar 31 2003 "C:\WINDOWS\system32\bak\ctfmon.exe"
1388544 Jun 30 2004 "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
1388544 Jun 30 2004 "C:\Program Files\Analog Devices\SoundMAX\bak\SMax4PNP.exe"
847872 Jul 7 2004 "C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe"
335872 May 15 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
290816 Dec 3 2004 "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe"
290816 Dec 3 2004 "C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe"
847872 Jul 7 2004 "C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"


end of report

 

[pskelley]

Double-click FindAWF.exe to start the tool.

* Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'
* A text file will open up. Please copy/paste the following bolded text into the text file:


C:\Program Files\Avast4\bak\ashDisp.exe
C:\Program Files\Winamp\bak\winampa.exe
C:\WINDOWS\system32\bak\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\bak\SMax4PNP.exe
C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe
C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe
C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe


* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt here.

Thanks

 

[intelmic]

Thanks,

here's the awf option 2 report:




Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: 2007-12-15
The current time is: 18:57:38.90


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\AVAST4\BAK

2007-09-06 05:06 79,224 ashDisp.exe
1 File(s) 79,224 bytes

Directory of C:\PROGRA~1\EASYME~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\WINAMP\BAK

2007-05-14 17:22 35,328 winampa.exe
1 File(s) 35,328 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

2003-03-31 14:00 13,312 ctfmon.exe
1 File(s) 13,312 bytes

Directory of C:\PROGRA~1\ANALOG~1\SOUNDMAX\BAK

2004-06-30 12:33 1,388,544 SMax4PNP.exe
1 File(s) 1,388,544 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

2004-05-15 20:00 335,872 atiptaxx.exe
1 File(s) 335,872 bytes

Directory of C:\PROGRA~1\HPQ\QUICKL~1\BAK

2004-12-03 12:24 290,816 EabServr.exe
1 File(s) 290,816 bytes

Directory of C:\PROGRA~1\ANALOG~1\SOUNDMAX\BAK\BAK

2004-07-07 13:56 847,872 Smax4.exe
1 File(s) 847,872 bytes

Directory of C:\PROGRA~1\DRUIDE\ANTIDOTE\ANTIDOTE\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

2007-07-12 03:00 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

79224 Dec 4 2007 "C:\Program Files\Avast4\ashDisp.exe"
79224 Sep 6 2007 "C:\Program Files\Avast4\bak\ashDisp.exe"
35328 May 14 2007 "C:\Program Files\Winamp\winampa.exe"
35328 May 14 2007 "C:\Program Files\Winamp\bak\winampa.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
13312 Mar 31 2003 "C:\WINDOWS\LastGood\system32\ctfmon.exe"
13312 Mar 31 2003 "C:\WINDOWS\system32\bak\ctfmon.exe"
1388544 Jun 30 2004 "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
1388544 Jun 30 2004 "C:\Program Files\Analog Devices\SoundMAX\bak\SMax4PNP.exe"
847872 Jul 7 2004 "C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe"
335872 May 15 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
290816 Dec 3 2004 "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe"
290816 Dec 3 2004 "C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe"
847872 Jul 7 2004 "C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"


end of report

 

[pskelley]

Double-click FindAWF.exe to start the tool.

* Select option #3 - Remove bak folders by typing 3 and press 'Enter'
* A text file will open up. Please copy/paste the following bolded text into the text file:

C:\Program Files\Avast4\bak\
C:\Program Files\Winamp\bak\
C:\WINDOWS\system32\bak\
C:\Program Files\Analog Devices\SoundMAX\bak\
C:\Program Files\ATI Technologies\ATI Control Panel\bak\
C:\Program Files\HPQ\Quick Launch Buttons\bak\
C:\Program Files\Analog Devices\SoundMAX\bak\bak\
C:\Program Files\Java\jre1.6.0_02\bin\bak\

* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt in your next reply

Thanks

 

[intelmic]

Thanks

report:



Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: 15/12/2007
The current time is: 19:26:44.59


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\AVAST4\BAK

06/09/2007 05:06 AM 79,224 ashDisp.exe
1 File(s) 79,224 bytes

Directory of C:\PROGRA~1\EASYME~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\WINAMP\BAK

14/05/2007 05:22 PM 35,328 winampa.exe
1 File(s) 35,328 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

31/03/2003 02:00 PM 13,312 ctfmon.exe
1 File(s) 13,312 bytes

Directory of C:\PROGRA~1\ANALOG~1\SOUNDMAX\BAK

30/06/2004 12:33 PM 1,388,544 SMax4PNP.exe
1 File(s) 1,388,544 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

15/05/2004 08:00 PM 335,872 atiptaxx.exe
1 File(s) 335,872 bytes

Directory of C:\PROGRA~1\HPQ\QUICKL~1\BAK

03/12/2004 12:24 PM 290,816 EabServr.exe
1 File(s) 290,816 bytes

Directory of C:\PROGRA~1\ANALOG~1\SOUNDMAX\BAK\BAK

07/07/2004 01:56 PM 847,872 Smax4.exe
1 File(s) 847,872 bytes

Directory of C:\PROGRA~1\DRUIDE\ANTIDOTE\ANTIDOTE\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

12/07/2007 03:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

79224 Dec 4 2007 "C:\Program Files\Avast4\ashDisp.exe"
79224 Sep 6 2007 "C:\Program Files\Avast4\bak\ashDisp.exe"
35328 May 14 2007 "C:\Program Files\Winamp\winampa.exe"
35328 May 14 2007 "C:\Program Files\Winamp\bak\winampa.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
13312 Mar 31 2003 "C:\WINDOWS\LastGood\system32\ctfmon.exe"
13312 Mar 31 2003 "C:\WINDOWS\system32\bak\ctfmon.exe"
1388544 Jun 30 2004 "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
1388544 Jun 30 2004 "C:\Program Files\Analog Devices\SoundMAX\bak\SMax4PNP.exe"
847872 Jul 7 2004 "C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe"
335872 May 15 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
290816 Dec 3 2004 "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe"
290816 Dec 3 2004 "C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe"
847872 Jul 7 2004 "C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"


end of report

 

[pskelley]

Let's move to Option 4 now:

Double-click FindAWF.exe to start the tool.

Select option #4 - Reset domain zones by typing 4 and press 'Enter'
You will receive a warning to reset domain zones
Press 1 then press Enter.
If you have manually included sites in the trusted zones, these will need to be re-inserted.

Tell me how the computer is running.

 

[intelmic]

thanks!

The computer is running smoothly. No more annoying popups and no more suspicious hard-drive & processes activity.

As far as the AWF removal... I don't think it worked as all the bak folders are still there.



New combofix log:


ComboFix 07-12-15.5 - intelmic 2007-12-15 21:14:44.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.442 [GMT -5:00]
Running from: C:\Documents and Settings\intelmic\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-16 to 2007-12-16 )))))))))))))))))))))))))))))))
.

2007-12-15 18:57 . 2007-12-15 18:57 <DIR> d-------- C:\WINDOWS\LastGood
2007-12-15 18:57 . 2003-03-31 14:00 13,312 --a------ C:\WINDOWS\system32\OLDD.tmp
2007-12-14 21:24 . 2007-12-14 21:24 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-14 18:25 . 2007-12-14 18:25 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-14 18:23 . 2007-12-14 18:23 <DIR> d-------- C:\KAV
2007-12-14 15:27 . 2007-12-14 15:27 250 --a------ C:\WINDOWS\gmer.ini
2007-12-14 15:03 . 2007-12-14 15:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-14 15:03 . 2007-12-15 10:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-14 13:14 . 2007-12-14 13:14 <DIR> d-------- C:\VundoFix Backups
2007-12-14 11:56 . 2007-12-14 12:03 952,263 --ahs---- C:\WINDOWS\system32\orkcvkje.ini
2007-12-12 11:46 . 2007-12-12 11:46 <DIR> d-------- C:\WINDOWS\system32\su2
2007-12-12 11:46 . 2007-12-14 20:36 <DIR> d-------- C:\WINDOWS\system32\pi3
2007-12-12 11:45 . 2007-12-12 11:46 <DIR> d-------- C:\WINDOWS\system32\eu1
2007-12-12 11:45 . 2007-12-12 11:45 <DIR> d-------- C:\WINDOWS\system32\daSgo01
2007-12-12 11:45 . 2007-12-15 11:34 <DIR> d-------- C:\Temp
2007-12-06 21:07 . 2007-12-09 22:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-06 21:07 . 2007-12-06 21:07 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-14 18:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-14 09:36 --------- d-----w C:\Documents and Settings\intelmic\Application Data\uTorrent
2007-12-12 18:10 --------- d-----w C:\Program Files\Avast4
2007-12-12 17:13 --------- d-----w C:\Program Files\Winamp
2007-12-10 03:59 --------- d-----w C:\Documents and Settings\intelmic\Application Data\LimeWire
2007-12-07 17:44 --------- d-----w C:\Documents and Settings\intelmic\Application Data\mIRC
2007-12-07 17:42 --------- d-----w C:\Program Files\mIRC
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-12 00:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-12 00:06 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-11-11 23:49 --------- d-----w C:\Program Files\MSN Messenger
2007-11-06 12:49 --------- d-----w C:\Program Files\XoftSpySE
2007-10-25 23:15 --------- d-----w C:\Program Files\Jasc Software Inc
2007-10-20 16:49 --------- d-----w C:\Program Files\PDF Merger
.

((((((((((((((((((((((((((((( snapshot@2007-12-15_17.00.28.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2003-03-31 19:00:00 13,312 ----a-w C:\WINDOWS\LastGood\system32\ctfmon.exe
+ 2004-08-04 05:56:50 15,360 -c--a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 1,388,544 2004-06-30 17:33:04 C:\Program Files\Analog Devices\SoundMAX\bak\SMax4PNP.exe
----a-w 1,388,544 2004-06-30 17:33:04 C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

----a-w 847,872 2004-07-07 18:56:34 C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe

----a-w 847,872 2004-07-07 18:56:34 C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe

----a-w 335,872 2004-05-16 01:00:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-w 79,224 2007-09-06 10:06:09 C:\Program Files\Avast4\bak\ashDisp.exe
----a-w 79,224 2007-12-04 13:00:23 C:\Program Files\Avast4\ashDisp.exe

----a-w 290,816 2004-12-03 17:24:20 C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe
----a-w 290,816 2004-12-03 17:24:20 C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

----a-w 132,496 2007-07-12 08:00:36 C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe
----a-w 132,496 2007-07-12 08:00:36 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

----a-w 35,328 2007-05-14 22:22:22 C:\Program Files\Winamp\bak\winampa.exe
----a-w 35,328 2007-05-14 22:22:22 C:\Program Files\Winamp\winampa.exe

----a-w 13,312 2003-03-31 19:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 05:56:50 C:\WINDOWS\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-08-26 15:59]
"Gestionnaire Antidote.exe"="C:\PROGRA~1\Druide\Antidote\Antidote\Gestionnaire Antidote.exe" [2005-06-22 16:12]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="C:\WINDOWS\System32\bcmntray" []
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-19 09:05 C:\WINDOWS\AGRSMMSG.exe]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 12:24]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 17:22]
"avast!"="C:\PROGRA~1\Avast4\ashDisp.exe" [2007-12-04 08:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\585e0725]
rundll32.exe C:\WINDOWS\system32\ejkvckro.dll,b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-06-30 12:33 1388544 --a------ C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 03:00 132496 --a------ C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-13 01:49:44 C:\WINDOWS\Tasks\Critical Battery Alarm Program.job"
- C:\Documents and Settings\intelmic\Desktop\alarme.exe
"2007-12-13 01:49:43 C:\WINDOWS\Tasks\Low Battery Alarm Program.job"
- C:\Documents and Settings\intelmic\Desktop\alarme.exe
"2007-11-06 12:49:20 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 21:15:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-15 21:16:20
C:\ComboFix2.txt ... 2007-12-15 19:00
C:\ComboFix3.txt ... 2007-12-15 17:01

 

[intelmic]

I think I found what went wrong. On option 3, to remove bak folders, you gave me path with a "trailing slash"... There must be no trailing slash in the folders path.