Smitfraud.C.CoreService

Hi

Well that isn't a good thing.

Try this first in order to restore drag and drop:

Download this and save it to desktop.
Doubleclick enabledragndrop.reg, click yes and ok.

Reboot.

Check whether drag and drop works now.

If it doesn't, follow instructions below.

Instead of copy/paste, type these:

Download OTMoveIt by OldTimer to your Desktop.
  • Double click OTMoveIt.exe to launch it.
  • Copy/Paste the contents of the box below into the left hand pane of OTMoveIt.
C:\WINDOWS\system32\drivers\usbcamd22.sys
C:\WINDOWS\system32\rushmaxk.exe
C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk
  • Click the Move It button.
  • The list will be processed and the results will appear in the right hand pane.
  • If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
  • When finished click Exit to exit the programme.
  • A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).

After that, re-run ComboFix.

Post:

- a fresh HijackThis log
- OTMoveIt report
- combofix report
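For readers who want to see what a move-to-quarantine step like the OTMoveIt run above actually does, here is an added example (my own code, not OTMoveIt's and not posted by anyone in the thread). It moves each listed path under a quarantine root that mirrors the original layout, reports a missing path as not found and an unmovable path as failed, and writes a log named mmddyyyy_hhmmss.log next to the moved files, matching the report wording quoted later in the thread. The quarantine root and the sample files built in demo() are constructed for this example.

```python
"""Move a list of files/folders into a quarantine folder and write a dated report.

Added example for this thread, not OTMoveIt's code. It reproduces the behaviour
the instructions above describe in a small, portable form. The quarantine root
and the sample files in demo() are constructed for this example.
"""
from __future__ import annotations

import shutil
import tempfile
import time
from pathlib import Path


def quarantine(paths: list[str], root: Path) -> tuple[list[str], Path]:
    """Move each path under root/MovedFiles and return (report lines, log path)."""
    moved_dir = root / "MovedFiles"
    moved_dir.mkdir(parents=True, exist_ok=True)
    lines: list[str] = []
    for p in (Path(s) for s in paths):
        if not p.exists():
            lines.append(f"File/Folder {p} not found.")
            continue
        # Mirror the original path (minus drive/root) so the item can be restored
        # to exactly where it came from if it turns out to be legitimate.
        rel = Path(*p.parts[1:]) if p.is_absolute() else p
        dest = moved_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        try:
            shutil.move(str(p), str(dest))
            lines.append(f"{p} moved successfully.")
        except OSError as exc:
            # A locked file lands here. OTMoveIt handles this case by scheduling
            # the move for the next reboot; that needs the Windows-only
            # MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) call and is left out here.
            lines.append(f"File move failed. {p} could not be moved ({exc}).")
    log = moved_dir / (time.strftime("%m%d%Y_%H%M%S") + ".log")
    log.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return lines, log


def demo() -> dict:
    """Build a throwaway tree (one file, one folder, one missing path), quarantine it."""
    base = Path(tempfile.mkdtemp(prefix="quarantine-demo-"))
    victim = base / "system32" / "drivers" / "EXAMPLE.sys"  # constructed, not a real driver
    victim.parent.mkdir(parents=True)
    victim.write_bytes(b"\x00" * 16)
    folder = base / "temp" / "tn3"
    folder.mkdir(parents=True)
    (folder / "junk.txt").write_text("x")
    missing = base / "system32" / "does-not-exist.exe"
    qroot = base / "_Quarantine"
    lines, log = quarantine([str(victim), str(folder), str(missing)], qroot)
    moved = qroot / "MovedFiles"
    result = {
        "report": lines,
        "log_exists": log.is_file(),
        "victim_gone": not victim.exists(),
        "victim_in_quarantine": (moved / Path(*victim.parts[1:])).is_file(),
        "folder_in_quarantine": (moved / Path(*folder.parts[1:]) / "junk.txt").is_file(),
    }
    shutil.rmtree(base, ignore_errors=True)  # clean up the throwaway tree
    return result


if __name__ == "__main__":
    for line in demo()["report"]:
        print(line)
```

The report lines are deliberately shaped like the OTMoveIt output so that a helper reading them can apply the same eye: "not found" means the path was already gone (or mistyped), "moved successfully" means it is now out of the way but recoverable, and "move failed" is the case that needs a reboot-time move on a real Windows box.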
 
"nor copy and paste" LOL, lucky the program OTMoveIt allows the even older-fashioned method of typing.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:33:38 PM, on 1/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\notepad.exe
D:\Mozilla\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.new.rr.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\MARK\Application Data\Mozilla\Profiles\default\trlwcpsv.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\MARK\Application Data\Mozilla\Profiles\default\trlwcpsv.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O8 - Extra context menu item: Append to existing PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O15 - Trusted Zone: http://safety.live.com
O15 - Trusted Zone: http://www.new.rr.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = new.rr.com
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4278 bytes

File move failed. C:\Windows\system32\drivers\usbcamd22.sys scheduled to be moved on reboot.
C:\WIndows\System32\rushmaxk.exe moved successfully.
File/Folder C:\temp\tn3 not found.
File move failed. C:\Windows\System32\drivers\core.cache.dsk scheduled to be moved on reboot.

Created on 01/20/2008 15:55:31

ComboFix 08-01-18.4 - Mark 2008-01-20 16:02:29.5 - NTFSx86
Running from: C:\Documents and Settings\Mark\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
.

2008-01-20 16:07 . 2008-01-20 16:07 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-19 14:50 . 2008-01-19 14:52 0 --a------ C:\WINDOWS\Path.idx
2008-01-19 14:45 . 2008-01-19 14:45 <DIR> d-------- C:\WINDOWS\SiS
2008-01-19 14:44 . 2001-12-06 20:11 3,583 -ra------ C:\WINDOWS\SiSport.sys
2008-01-19 14:42 . 2008-01-19 14:42 <DIR> d-------- C:\Asus
2008-01-19 13:31 . 2008-01-19 13:33 250 --a------ C:\WINDOWS\gmer.ini
2008-01-18 14:26 . 2008-01-18 14:26 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-18 11:15 . 2008-01-18 11:15 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-18 08:23 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-17 06:45 . 2008-01-18 11:23 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-01-16 15:10 . 2001-08-18 06:00 438,774 --a------ C:\txtsetup.sif
2008-01-16 15:10 . 2004-08-03 23:00 260,272 --a------ C:\$LDR$
2008-01-16 15:10 . 2008-01-15 23:26 194 --ahs---- C:\BOOT.BAK
2008-01-16 13:30 . 2004-08-04 01:56 502,272 --a------ C:\WINDOWS\system32\winlogon.exe
2008-01-16 13:03 . 2004-08-04 00:56 1,032,192 --a------ C:\WINDOWS\system32\explorer.ex_
2008-01-15 20:55 . 2008-01-17 13:56 <DIR> d-------- C:\Program Files\Avira
2008-01-15 20:55 . 2008-01-15 20:55 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira
2008-01-15 09:54 . 2008-01-15 09:54 <DIR> d-------- C:\Program Files\CCleaner
2008-01-15 09:16 . 2008-01-15 09:55 <DIR> d-------- C:\VundoFix Backups
2008-01-14 17:01 . 2008-01-18 08:29 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-14 15:33 . 2007-03-14 22:19 196,608 --a------ C:\WINDOWS\system32\EasySoap.dll
2008-01-14 15:33 . 2007-03-14 22:07 147,456 --a------ C:\WINDOWS\system32\libexpat.dll
2008-01-14 15:33 . 2007-03-14 22:18 73,728 --a------ C:\WINDOWS\system32\zlib1.dll
2008-01-12 23:09 . 2008-01-12 23:09 86,016 --a------ C:\WINDOWS\system32\drivers\usbcamd22.sys
2008-01-01 15:58 . 2008-01-01 15:58 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-01-01 15:57 . 2008-01-20 15:29 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-20 22:09 --------- d-----w C:\Documents and Settings\Mark\Application Data\nView_Wallpaper
2008-01-19 18:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-16 18:15 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy1.4
2008-01-15 05:52 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-01-13 06:53 --------- d-----w C:\Program Files\QuickTime
2008-01-13 06:52 --------- d-----w C:\Program Files\hp deskjet 990c series
2008-01-13 05:31 --------- d-----w C:\Program Files\Mouse
2007-12-20 12:11 --------- d-----w C:\Program Files\Google
2007-12-05 03:38 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\InterVideo
2007-12-01 06:01 45,040 ----a-w C:\Documents and Settings\Mark\Application Data\GDIPFONTCACHEV1.DAT
2007-04-24 05:03 144 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((( snapshot@2008-01-18_ 9.22.32.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-17 13:17:32 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-01-18 20:26:59 7,618,560 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-01-18 20:26:59 90,112 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-01-17 13:17:32 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-01-18 20:26:44 7,618,560 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-01-18 20:26:44 90,112 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-01-19 19:31:49 585,791 ----a-w C:\WINDOWS\gmer.dll
+ 2007-06-29 15:38:18 581,632 ----a-r C:\WINDOWS\gmer.exe
- 1998-10-29 21:45:06 306,688 ----a-w C:\WINDOWS\IsUninst.exe
+ 2002-04-25 13:42:30 316,416 ----a-w C:\WINDOWS\IsUninst.exe
- 2008-01-18 13:50:42 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-20 18:14:01 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-18 13:50:42 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-20 18:14:01 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-09-07 18:05:19 62,016 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
+ 2008-01-20 18:15:20 61,632 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
+ 2008-01-19 19:31:49 70,001 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
- 2004-08-04 06:07:42 41,088 ----a-w C:\WINDOWS\system32\drivers\sisagp.sys
+ 2002-07-17 04:25:18 28,160 ----a-r C:\WINDOWS\system32\drivers\SISAGP.SYS
+ 2004-08-04 06:07:42 41,088 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\i386\SISAGP.SYS
- 2008-01-18 15:18:14 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_594.dat
+ 2008-01-20 21:57:27 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_594.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-06-28 23:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2007-06-28 23:43 81920 C:\WINDOWS\system32\nvmctray.dll]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 23:43 8466432]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"CTHelper"="CTHELPER.EXE" [2003-10-06 13:57 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"WheelMouse"="Amoumain.exe" []
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe" [ ]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 04:15 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\jkklj.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Adobe Acrobat Synchronizer"=D:\Adobe\CS2\Acrobat 8\Acrobat\AdobeCollabSync.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65871d50-b8b4-11dc-99ea-00e018a54938}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abda4dba-776c-11dc-99b2-806d6172696f}]
\Shell\AutoRun\command - G:\Setup.exe
\Shell\setup\command - G:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-01 10:00:05 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 16:09:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-20 16:12:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-20 22:12:26
ComboFix2.txt 2008-01-19 14:57:11
ComboFix3.txt 2008-01-18 15:22:56
.
2008-01-09 09:07:55 --- E O F ---
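The helper keeps asking for "a fresh HijackThis log" and then compares it by eye with the previous one. The following is an added example (my own code, not HijackThis's and not posted in the thread) that does that comparison mechanically: it parses the "Running processes:" block and the typed "<code> - <detail>" entries (R0, N3, O2, O4, O23 and so on) from two logs and reports what appeared or disappeared. The two sample logs are constructed for the example and "EXAMPLE-suspect.exe" is a placeholder name, not a real file.

```python
"""Parse HijackThis v2.0.x logs into typed entries and diff two scans.

Added example for this thread, not code from HijackThis or from anyone in the
thread. It assumes only the layout visible in the logs above. The sample logs
are constructed; EXAMPLE-suspect.exe is a placeholder, not a real file.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# "O4 - HKLM\..\Run: [nwiz] nwiz.exe /install" -> code "O4", detail "HKLM\..\Run: ..."
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2})\s+-\s+(.*)$")


@dataclass(frozen=True)
class Entry:
    code: str    # HijackThis section code, e.g. O4 (Run keys) or O23 (services)
    detail: str  # rest of the line, kept verbatim so comparison is exact


def parse_hjt_log(text: str) -> tuple[list[str], list[Entry]]:
    """Return (running processes, typed entries) found in one log."""
    processes: list[str] = []
    entries: list[Entry] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line closes the process block
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return processes, entries


def _key(e: Entry) -> tuple[str, str]:
    return (e.code, e.detail)


def diff_logs(old: str, new: str) -> dict[str, list]:
    """What appeared or disappeared between an older and a fresher scan."""
    old_procs, old_entries = parse_hjt_log(old)
    new_procs, new_entries = parse_hjt_log(new)
    return {
        "added_entries": sorted(set(new_entries) - set(old_entries), key=_key),
        "removed_entries": sorted(set(old_entries) - set(new_entries), key=_key),
        "added_processes": sorted(set(new_procs) - set(old_procs)),
        "removed_processes": sorted(set(old_procs) - set(new_procs)),
    }


def report(diff: dict[str, list]) -> list[str]:
    """Render the diff as +/- lines, the way a helper would read it."""
    out = [f"- {e.code} - {e.detail}" for e in diff["removed_entries"]]
    out += [f"+ {e.code} - {e.detail}" for e in diff["added_entries"]]
    out += [f"- process {p}" for p in diff["removed_processes"]]
    out += [f"+ process {p}" for p in diff["added_processes"]]
    return out


# Constructed sample: an "older" scan with a placeholder autostart and its process...
OLD_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:00 AM, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\EXAMPLE-suspect.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.new.rr.com/
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EXAMPLE-suspect] C:\WINDOWS\system32\EXAMPLE-suspect.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# ...and a "fresh" scan where that autostart is gone and a trusted-zone entry appeared.
NEW_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:00 AM, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.new.rr.com/
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O15 - Trusted Zone: http://safety.live.com
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for line in report(diff_logs(OLD_LOG, NEW_LOG)):
        print(line)
```

Running it on the two samples prints one removed O4 entry, one added O15 entry and one process that is no longer running; run it on two real logs pasted into files and the unchanged bulk (the Adobe O8 entries, the Avira services) drops out of view, which is exactly what the helper is doing by hand in this thread.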
 
Hi

So using that .reg file didn't help for drag & drop?

If not, we can maybe circumvent that CFScript thing one way.
 
Hi,

No, the drag and drop.reg did not fix drag and drop.

And with regard to copy and paste: the copy command is available but the paste command is not (it's grayed out).

Circumventing the CFScript thing would be helpful.
 
Hi

First, create a CFScript file on the desktop with the following text (and make sure that the file name is CFScript.txt):

Code:
File::
C:\WINDOWS\system32\drivers\usbcamd22.sys

Go to start -> run

Type this in that box and click ok:

"%Userprofile%\Desktop\Combofix.exe" "%Userprofile%\Desktop\CFScript.txt"

Combofix should start now

Post back:

- a fresh HijackThis log
- combofix report
 
Cool run command. Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:03:26 AM, on 1/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.new.rr.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\MARK\Application Data\Mozilla\Profiles\default\trlwcpsv.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\MARK\Application Data\Mozilla\Profiles\default\trlwcpsv.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O8 - Extra context menu item: Append to existing PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O15 - Trusted Zone: http://safety.live.com
O15 - Trusted Zone: http://www.new.rr.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = new.rr.com
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4205 bytes


ComboFix 08-01-18.4 - Mark 2008-01-21 7:52:10.6 - NTFSx86
Running from: C:\Documents and Settings\Mark\Desktop\combofix.exe
Command switches used :: C:\Documents and Settings\Mark\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
.

2008-01-21 07:57 . 2008-01-21 07:57 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-19 14:50 . 2008-01-19 14:52 0 --a------ C:\WINDOWS\Path.idx
2008-01-19 14:45 . 2008-01-19 14:45 <DIR> d-------- C:\WINDOWS\SiS
2008-01-19 14:44 . 2001-12-06 20:11 3,583 -ra------ C:\WINDOWS\SiSport.sys
2008-01-19 13:31 . 2008-01-19 13:33 250 --a------ C:\WINDOWS\gmer.ini
2008-01-18 14:26 . 2008-01-18 14:26 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-18 11:15 . 2008-01-18 11:15 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-18 08:23 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-17 06:45 . 2008-01-18 11:23 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-01-16 15:10 . 2001-08-18 06:00 438,774 --a------ C:\txtsetup.sif
2008-01-16 15:10 . 2004-08-03 23:00 260,272 --a------ C:\$LDR$
2008-01-16 15:10 . 2008-01-15 23:26 194 --ahs---- C:\BOOT.BAK
2008-01-16 13:30 . 2004-08-04 01:56 502,272 --a------ C:\WINDOWS\system32\winlogon.exe
2008-01-16 13:03 . 2004-08-04 00:56 1,032,192 --a------ C:\WINDOWS\system32\explorer.ex_
2008-01-15 20:55 . 2008-01-17 13:56 <DIR> d-------- C:\Program Files\Avira
2008-01-15 20:55 . 2008-01-15 20:55 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira
2008-01-15 09:54 . 2008-01-15 09:54 <DIR> d-------- C:\Program Files\CCleaner
2008-01-15 09:16 . 2008-01-15 09:55 <DIR> d-------- C:\VundoFix Backups
2008-01-14 17:01 . 2008-01-18 08:29 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-14 15:33 . 2007-03-14 22:19 196,608 --a------ C:\WINDOWS\system32\EasySoap.dll
2008-01-14 15:33 . 2007-03-14 22:07 147,456 --a------ C:\WINDOWS\system32\libexpat.dll
2008-01-14 15:33 . 2007-03-14 22:18 73,728 --a------ C:\WINDOWS\system32\zlib1.dll
2008-01-12 23:09 . 2008-01-12 23:09 86,016 --a------ C:\WINDOWS\system32\drivers\usbcamd22.sys
2008-01-01 15:58 . 2008-01-01 15:58 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-01-01 15:57 . 2008-01-20 17:07 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-21 13:59 --------- d-----w C:\Documents and Settings\Mark\Application Data\nView_Wallpaper
2008-01-20 23:19 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-01-19 18:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-16 18:15 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy1.4
2008-01-13 06:53 --------- d-----w C:\Program Files\QuickTime
2008-01-13 06:52 --------- d-----w C:\Program Files\hp deskjet 990c series
2008-01-13 05:31 --------- d-----w C:\Program Files\Mouse
2007-12-20 12:11 --------- d-----w C:\Program Files\Google
2007-12-05 03:38 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\InterVideo
2007-12-01 06:01 45,040 ----a-w C:\Documents and Settings\Mark\Application Data\GDIPFONTCACHEV1.DAT
2007-04-24 05:03 144 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((( snapshot@2008-01-18_ 9.22.32.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-18 14:23:54 7,606,272 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\ntuser.dat
+ 2008-01-21 13:51:43 7,692,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\ntuser.dat
- 2008-01-18 14:23:54 90,112 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-21 13:51:43 90,112 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-17 13:17:32 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-01-18 20:26:59 7,618,560 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-01-18 20:26:59 90,112 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-01-17 13:17:32 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-01-18 20:26:44 7,618,560 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-01-18 20:26:44 90,112 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-01-19 19:31:49 585,791 ----a-w C:\WINDOWS\gmer.dll
+ 2007-06-29 15:38:18 581,632 ----a-r C:\WINDOWS\gmer.exe
- 1998-10-29 21:45:06 306,688 ----a-w C:\WINDOWS\IsUninst.exe
+ 2002-04-25 13:42:30 316,416 ----a-w C:\WINDOWS\IsUninst.exe
- 2008-01-18 13:50:42 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-20 18:14:01 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-18 13:50:42 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-20 18:14:01 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-09-07 18:05:19 62,016 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
+ 2008-01-20 18:15:20 61,632 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
+ 2008-01-19 19:31:49 70,001 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
- 2004-08-04 06:07:42 41,088 ----a-w C:\WINDOWS\system32\drivers\sisagp.sys
+ 2002-07-17 04:25:18 28,160 ----a-r C:\WINDOWS\system32\drivers\SISAGP.SYS
- 2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
+ 2005-03-21 20:00:20 2,890,240 ----a-w C:\WINDOWS\system32\msi.dll
+ 2004-08-04 06:07:42 41,088 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\i386\SISAGP.SYS
+ 2008-01-21 13:57:37 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_598.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-06-28 23:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2007-06-28 23:43 81920 C:\WINDOWS\system32\nvmctray.dll]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 23:43 8466432]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"CTHelper"="CTHELPER.EXE" [2003-10-06 13:57 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"WheelMouse"="Amoumain.exe" []
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe" [ ]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 04:15 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\jkklj.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Adobe Acrobat Synchronizer"=D:\Adobe\CS2\Acrobat 8\Acrobat\AdobeCollabSync.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65871d50-b8b4-11dc-99ea-00e018a54938}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abda4dba-776c-11dc-99b2-806d6172696f}]
\Shell\AutoRun\command - G:\Setup.exe
\Shell\setup\command - G:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-01 10:00:05 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 07:58:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-21 8:02:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-21 14:02:01
ComboFix2.txt 2008-01-20 22:12:30
ComboFix3.txt 2008-01-19 14:57:11
ComboFix4.txt 2008-01-18 15:22:56
.
2008-01-09 09:07:55 --- E O F ---
 
Hi

Did you add both these lines to CFScript (it doesn't work without File::)?

File::
C:\WINDOWS\system32\drivers\usbcamd22.sys
 
Hi,

Yes, I typed the line "Files::", then hit the enter key to create a new line and entered the second line of text.

The file CFScript.txt is still on my desktop. When opened, it reads:

Files::
C:\windows\system32\drivers\bsbcamd22.sys
 
Hi

The problem is that it needs to be File:: and not Files::.

Please check if it reads File:: in CFScript.txt :)
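The failure mode in this exchange (a header typed as "Files::" instead of "File::", which ComboFix then simply does nothing with) is easy to catch before the script is run. The following is an added example, my own code rather than ComboFix's or anything posted in the thread: a small checker that accepts a directive header only if it is one it knows, suggests the nearest real one otherwise, and checks that every line under File:: or Folder:: is an absolute Windows path. Only File:: appears on this page; Folder:: and Registry:: are directive names I know from CFScript usage and are an assumption here. The sample scripts are constructed.

```python
"""Sanity-check a hand-typed CFScript.txt before handing it to ComboFix.

Added example for this thread, not ComboFix's code. It encodes the rule stated
above (the header must be File::, not Files::) and checks that lines under a
File:: or Folder:: header are absolute Windows paths. Folder:: and Registry::
are an assumption from my own CFScript usage; only File:: appears on this page.
"""
from __future__ import annotations

import difflib
import re

# Compared case-insensitively: the thread shows both "File::" and "file::" in use.
KNOWN_DIRECTIVES = ("File::", "Folder::", "Registry::")
PATH_DIRECTIVES = ("File::", "Folder::")
# Drive letter, colon, backslash, then anything that is legal in a Windows path.
WIN_PATH_RE = re.compile(r'^[A-Za-z]:\\[^<>"|?*\x00-\x1f]+$')


def validate_cfscript(text: str) -> list[str]:
    """Return the problems found; an empty list means the script looks usable."""
    problems: list[str] = []
    current = None        # canonical directive the following lines belong to
    saw_directive = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            matches = [d for d in KNOWN_DIRECTIVES if d.lower() == line.lower()]
            if matches:
                current = matches[0]
                saw_directive = True
                continue
            # The thread's failure mode: an unknown header is silently ignored by
            # ComboFix, so flag it and point at the closest real directive.
            near = difflib.get_close_matches(line, KNOWN_DIRECTIVES, n=1, cutoff=0.6)
            hint = f" (did you mean {near[0]}?)" if near else ""
            problems.append(f"line {lineno}: unknown directive {line!r}{hint}")
            current = None
            continue
        if current is None:
            problems.append(f"line {lineno}: {line!r} is not under a valid directive header")
        elif current in PATH_DIRECTIVES and not WIN_PATH_RE.match(line):
            problems.append(f"line {lineno}: {line!r} is not an absolute Windows path")
    if not saw_directive and not problems:
        problems.append("script contains no directive header")
    return problems


# Constructed samples: the script the helper asked for, the one the user typed,
# and one with a relative path that ComboFix could not resolve.
GOOD_SCRIPT = "File::\nC:\\WINDOWS\\system32\\drivers\\usbcamd22.sys\n"
BAD_SCRIPT = "Files::\nC:\\WINDOWS\\system32\\drivers\\usbcamd22.sys\n"
RELATIVE_SCRIPT = "File::\ndrivers\\usbcamd22.sys\n"

if __name__ == "__main__":
    for name, script in (("good", GOOD_SCRIPT), ("bad", BAD_SCRIPT), ("relative", RELATIVE_SCRIPT)):
        print(name, validate_cfscript(script) or "ok")
```

A checker like this cannot tell whether the path itself was mistyped (that still needs the file listing from the ComboFix or HijackThis log), but it does catch the two mistakes that make a typed script do nothing at all: a header ComboFix does not recognise, and a path it cannot resolve.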
 
Yes it does read "file::" in CFScript.txt

File::
C:\Windows\System32\drivers\usbcamd22.sys

The run command is still in the run line; it reads:
"%Userprofile%\Desktop\combofix.exe" "%Userprofile%\Desktop\CFScript.txt"
 
Hi

OK, then we'll try this.

Boot in safe mode.

Delete this file:

C:\Windows\System32\drivers\usbcamd22.sys

Empty Recycle Bin.

Re-run ComboFix in safe mode (the normal way, no CFScript).

Reboot back to normal mode if ComboFix doesn't do it.

Post:

- a fresh HijackThis log
- combofix report
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:28 AM, on 1/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.new.rr.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\MARK\Application Data\Mozilla\Profiles\default\trlwcpsv.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\MARK\Application Data\Mozilla\Profiles\default\trlwcpsv.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O8 - Extra context menu item: Append to existing PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O15 - Trusted Zone: http://safety.live.com
O15 - Trusted Zone: http://www.new.rr.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = new.rr.com
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4206 bytes

ComboFix 08-01-15.4 - Mark 2008-01-22 10:51:40.7 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\Mark\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk

.
((((((((((((((((((((((((( Files Created from 2007-12-22 to 2008-01-22 )))))))))))))))))))))))))))))))
.

2008-01-22 10:51 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-22 10:47 . 2008-01-15 11:28 1,551,537 --a------ C:\Documents and Settings\Mark\ComboFix.exe
2008-01-19 14:50 . 2008-01-19 14:52 0 --a------ C:\WINDOWS\Path.idx
2008-01-19 14:45 . 2008-01-19 14:45 <DIR> d-------- C:\WINDOWS\SiS
2008-01-19 14:44 . 2001-12-06 20:11 3,583 -ra------ C:\WINDOWS\SiSport.sys
2008-01-19 13:31 . 2008-01-19 13:33 250 --a------ C:\WINDOWS\gmer.ini
2008-01-18 14:26 . 2008-01-18 14:26 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-18 11:15 . 2008-01-18 11:15 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-17 06:45 . 2008-01-18 11:23 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-01-16 15:10 . 2001-08-18 06:00 438,774 --a------ C:\txtsetup.sif
2008-01-16 15:10 . 2004-08-03 23:00 260,272 --a------ C:\$LDR$
2008-01-16 15:10 . 2008-01-15 23:26 194 --ahs---- C:\BOOT.BAK
2008-01-16 13:30 . 2004-08-04 01:56 502,272 --a------ C:\WINDOWS\system32\winlogon.exe
2008-01-16 13:03 . 2004-08-04 00:56 1,032,192 --a------ C:\WINDOWS\system32\explorer.ex_
2008-01-15 20:55 . 2008-01-17 13:56 <DIR> d-------- C:\Program Files\Avira
2008-01-15 20:55 . 2008-01-15 20:55 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira
2008-01-15 09:54 . 2008-01-15 09:54 <DIR> d-------- C:\Program Files\CCleaner
2008-01-15 09:16 . 2008-01-15 09:55 <DIR> d-------- C:\VundoFix Backups
2008-01-14 17:01 . 2008-01-18 08:29 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-14 15:33 . 2007-03-14 22:19 196,608 --a------ C:\WINDOWS\system32\EasySoap.dll
2008-01-14 15:33 . 2007-03-14 22:07 147,456 --a------ C:\WINDOWS\system32\libexpat.dll
2008-01-14 15:33 . 2007-03-14 22:18 73,728 --a------ C:\WINDOWS\system32\zlib1.dll
2008-01-01 15:58 . 2008-01-01 15:58 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-01-01 15:57 . 2008-01-20 17:07 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-22 12:29 --------- d-----w C:\Documents and Settings\Mark\Application Data\nView_Wallpaper
2008-01-20 23:19 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-01-19 18:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-16 18:15 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy1.4
2008-01-13 06:53 --------- d-----w C:\Program Files\QuickTime
2008-01-13 06:52 --------- d-----w C:\Program Files\hp deskjet 990c series
2008-01-13 05:31 --------- d-----w C:\Program Files\Mouse
2007-12-20 12:11 --------- d-----w C:\Program Files\Google
2007-12-05 03:38 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\InterVideo
2007-12-01 06:01 45,040 ----a-w C:\Documents and Settings\Mark\Application Data\GDIPFONTCACHEV1.DAT
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-24 16:19 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-04-24 05:03 144 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((( snapshot@2008-01-18_ 9.22.32.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-18 14:23:54 7,606,272 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\ntuser.dat
+ 2008-01-21 13:51:43 7,692,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\ntuser.dat
- 2008-01-18 14:23:54 90,112 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-21 13:51:43 90,112 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-17 13:17:32 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-01-18 20:26:59 7,618,560 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-01-18 20:26:59 90,112 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-01-17 13:17:32 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-01-18 20:26:44 7,618,560 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-01-18 20:26:44 90,112 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-01-19 19:31:49 585,791 ----a-w C:\WINDOWS\gmer.dll
+ 2007-06-29 15:38:18 581,632 ----a-r C:\WINDOWS\gmer.exe
- 1998-10-29 21:45:06 306,688 ----a-w C:\WINDOWS\IsUninst.exe
+ 2002-04-25 13:42:30 316,416 ----a-w C:\WINDOWS\IsUninst.exe
- 2008-01-18 13:50:42 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-22 01:19:44 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-18 13:50:42 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-22 01:19:44 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-22 01:19:50 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-09-07 18:05:19 62,016 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
+ 2008-01-20 18:15:20 61,632 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
+ 2008-01-19 19:31:49 70,001 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
- 2004-08-04 06:07:42 41,088 ----a-w C:\WINDOWS\system32\drivers\sisagp.sys
+ 2002-07-17 04:25:18 28,160 ----a-r C:\WINDOWS\system32\drivers\SISAGP.SYS
- 2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
+ 2005-03-21 20:00:20 2,890,240 ----a-w C:\WINDOWS\system32\msi.dll
+ 2004-08-04 06:07:42 41,088 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\i386\SISAGP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-06-28 23:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2007-06-28 23:43 81920 C:\WINDOWS\system32\nvmctray.dll]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 23:43 8466432]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"CTHelper"="CTHELPER.EXE" [2003-10-06 13:57 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"WheelMouse"="Amoumain.exe" []
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe" [ ]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 04:15 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\jkklj.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Adobe Acrobat Synchronizer"=D:\Adobe\CS2\Acrobat 8\Acrobat\AdobeCollabSync.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65871d50-b8b4-11dc-99ea-00e018a54938}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abda4dba-776c-11dc-99b2-806d6172696f}]
\Shell\AutoRun\command - G:\Setup.exe
\Shell\setup\command - G:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-01 10:00:05 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-22 10:56:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-22 10:57:28
ComboFix-quarantined-files.txt 2008-01-22 16:57:01
ComboFix2.txt 2008-01-21 14:02:05
ComboFix3.txt 2008-01-20 22:12:30
ComboFix4.txt 2008-01-19 14:57:11
ComboFix5.txt 2008-01-18 15:22:56
.
2008-01-09 09:07:55 --- E O F ---
 
Hi

Now it was successful :)

Next, please upload these two files to Jotti and post back the results:

C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\explorer.ex_
 
Hi

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    + Extended (if available, otherwise Standard)
    o Scan Options:
    + Scan Archives
    + Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan" select My Computer.
  • The scan will take a while, so be patient and let it run. Once the scan is complete it will display whether your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer only!

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.

Post:

- a fresh HijackThis log
- Kaspersky report
 
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.
 