Smitfraud, Virtumonde, CoolWWWSearch, AntiSpywareMaster, and more...

R

rgATL

New member
Hi,

I have a computer that was hit hard by some malware. Spybot continually finds the following items; it says it fixes them, but on repeat scan, it finds them again. The infected computer is NOT connected to the internet (and has not been since I installed/updated Spybot):

ClientMan
CommandService
CoolWWWSearch
CoolWWWSearch.008k
CoolWWWSearch.Aff.ledll
CoolWWWSearch.Aff.Winshow
CoolWWWSearch.Blowsearch
CoolWWWSearch.Bootconf
CoolWWWSearch.Dreplace
CoolWWWSearch.Gonnasearch
CoolWWWSearch.Leftovers
CoolWWWSearch.SmartSearch
CoolWWWSearch.Svcinit
CoolWWWSearch.WCADW
CoolWWWSearch.WinRes
CoolWWWSearch.Yexe
Mincrosoft.WindowsSecurityCenter.TaskManager
Smitfraud-C.
Smitfraud-C.CoreService
Smitfraud-C.generic
Smitfraud-C.gp
ToolbarCC
Virtumonde.dll

In addition, some fake anti-spyware software named "AntiSpywareMaster" has installed itself; as well as "Windows Security Center" (not sure if that's real or not) keeps popping up with a warning about "TrojanDownloader.XS."

The infected computer is rarely used and is not used for any "bad" sites. Could this stuff have traveled through my home network to another computer?

The HJT log is below. I have Symantec Antivirus 10; should I install and run that as well?

Thank you so much for your help,
rg.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23:07 PM, on 6/10/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\444.470
C:\mysql\bin\mysqld-nt.exe
C:\WINNT\portsv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\iftuyszv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RunDll32.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\winnt\system32\rwwnw64d.exe
C:\Program Files\AntiSpywareMaster\asm.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\ocntrkdm.exe
C:\WINNT\System32\Rundll32.exe
C:\DOCUME~1\ADMINI~1\MYDOCU~1\FNTS~1\chkdsk.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINNT\system32\ocntrkdm.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\system32\iftuyszv.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {5BBCB33C-13E2-4FC2-8099-8D7104F58F19} - C:\WINNT\system32\nnnnOeEw.dll (file missing)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: gooochi browser optimizer - {c2755c80-2be9-9b1f-799b-8c6f31a86ded} - C:\WINNT\system32\{701111f4-4a61-18f9-1974-f0d3753967b1}.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {DD31E54D-2DAE-2A5D-FF38-7EA297EE19B6} - C:\WINNT\system32\dvz.dll
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {F83EF2AD-F5FD-4564-8C23-27FC429ECBE5} - C:\Program Files\folder.htt\hyjiloty66225.dll (file missing)
O2 - BHO: (no name) - {F9DF827A-8FA7-48A3-B268-CA4DB563EA40} - C:\WINNT\system32\ddcYpqrP.dll
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [{E5-58-85-51-DW}] C:\winnt\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [AntiSpywareMaster] C:\Program Files\AntiSpywareMaster\asm.exe
O4 - HKLM\..\Run: [782e58fe] rundll32.exe "C:\WINNT\system32\oidtwoug.dll",b
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINNT\system32\ocntrkdm.exe DWram
O4 - HKLM\..\Run: [{2b4f366b-8ad9-efb7-9c4f-82b09731b7f9}] C:\WINNT\System32\Rundll32.exe "C:\WINNT\system32\{701111f4-4a61-18f9-1974-f0d3753967b1}.dll" DllStart
O4 - HKCU\..\Run: [Edaa] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\FNTS~1\chkdsk.exe" -vt yazb
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINNT\system32\ocntrkdm.exe
O4 - Startup: DW_Start.lnk = C:\WINNT\system32\rwwnw64d.exe
O4 - Startup: UltraVNC Server.lnk = C:\Program Files\UltraVNC\winvnc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O20 - Winlogon Notify: ddcYpqrP - C:\WINNT\SYSTEM32\ddcYpqrP.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINNT\444.470.exe (file missing)
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINNT\portsv.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 6071 bytes
 
Hi

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here
 
Hi,

Thank you SO much for your reply. The ComboFix and new HJT logs are below:

---ComboFix Log---
ComboFix 08-06-12.2 - Administrator 06/14/2008 16:40:02.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.92 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\My Documents\FNTS~1
C:\Documents and Settings\Administrator\My Documents\FNTS~1\chkdsk.exe
C:\Documents and Settings\Administrator\My Documents\FNTS~1\F?nts\
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\DW_Start.lnk
C:\Program Files\AntiSpywareMaster
C:\Program Files\AntiSpywareMaster\asm.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\Temp\vtmp2
C:\Temp\vtmp2\ktnv33.log
C:\WINNT\17PHolmes1000106.exe
C:\WINNT\17PHolmes572.exe
C:\WINNT\444.470
C:\WINNT\accesss.exe
C:\WINNT\astctl32.ocx
C:\WINNT\avpcc.dll
C:\WINNT\clrssn.exe
C:\WINNT\cpan.dll
C:\WINNT\ctfmon32.exe
C:\WINNT\ctrlpan.dll
C:\WINNT\default.htm
C:\WINNT\directx32.exe
C:\WINNT\dnsrelay.dll
C:\WINNT\editpad.exe
C:\WINNT\explore.exe
C:\WINNT\explorer32.exe
C:\WINNT\funniest.exe
C:\WINNT\funny.exe
C:\WINNT\gfmnaaa.dll
C:\WINNT\helpcvs.exe
C:\WINNT\iedll.exe
C:\WINNT\iexplorer.exe
C:\WINNT\inetinf.exe
C:\WINNT\internet.exe
C:\WINNT\lfn.exe
C:\WINNT\loader.exe
C:\WINNT\mainms.vpi
C:\WINNT\megavid.cdt
C:\WINNT\msconfd.dll
C:\WINNT\msspi.dll
C:\WINNT\mssys.exe
C:\WINNT\msupdate.exe
C:\WINNT\mswsc10.dll
C:\WINNT\mswsc20.dll
C:\WINNT\mtwirl32.dll
C:\WINNT\muotr.so
C:\WINNT\notepad32.exe
C:\WINNT\olehelp.exe
C:\WINNT\portsv.exe
C:\WINNT\qttasks.exe
C:\WINNT\quicken.exe
C:\WINNT\rundll16.exe
C:\WINNT\rundll32.vbe
C:\WINNT\searchword.dll
C:\WINNT\sistem.exe
C:\WINNT\svchost32.exe
C:\WINNT\svcinit.exe
C:\WINNT\systeem.exe
C:\WINNT\system32\_{701111f4-4a61-18f9-1974-f0d3753967b1}.dll
C:\WINNT\system32\{701111f4-4a61-18f9-1974-f0d3753967b1}.dll
C:\WINNT\system32\3092\31433.dll
C:\WINNT\system32\byXQKdAR.dll
C:\WINNT\system32\cbXOEtQJ.dll
C:\WINNT\system32\ddcDtUNg.dll
C:\WINNT\system32\ddcYpqrP.dll
C:\WINNT\system32\drivers\core.cache.dsk
C:\WINNT\system32\drivers\msgpcc.sys
C:\WINNT\system32\dvz.dll
C:\WINNT\system32\efcYSjhI.dll
C:\WINNT\system32\g70.exe
C:\WINNT\system32\geBrqpmn.dll
C:\WINNT\system32\geBrsTlj.dll
C:\WINNT\system32\guowtdio.ini
C:\WINNT\system32\hljwugsf.bin
C:\WINNT\system32\jkkIARlm.dll
C:\WINNT\system32\jkkJcYPH.dll
C:\WINNT\system32\ljJAQGww.dll
C:\WINNT\system32\mcrh.tmp
C:\WINNT\system32\mlJYomLC.dll
C:\WINNT\system32\MSINET.oca
C:\WINNT\system32\msnav32.ax
C:\WINNT\system32\ocntrkdm.exe
C:\WINNT\system32\oidtwoug.dll
C:\WINNT\system32\opnnmMFU.dll
C:\WINNT\system32\pac.txt
C:\WINNT\system32\qoMgeFYR.dll
C:\WINNT\system32\rwwnw64d.exe
C:\WINNT\system32\ssqPigEV.dll
C:\WINNT\system32\ssqRIXoP.dll
C:\WINNT\system32\urqPiHww.dll
C:\WINNT\system32\vtUkkjhi.dll
C:\WINNT\system32\wEeOnnnn.ini
C:\WINNT\system32\wEeOnnnn.ini2
C:\WINNT\system32\winpfz33.sys
C:\WINNT\system32\wvUmjHWN.dll
C:\WINNT\system32\xxyaxUnn.dll
C:\WINNT\system32\xxyayXpN.dll
C:\WINNT\system32\xxywXPJA.dll
C:\WINNT\system32\xxywXPJY.dll
C:\WINNT\system32\yayvVMCs.dll
C:\WINNT\system32\yayxyyyy.dll
C:\WINNT\system32\zxdnt3d.cfg
C:\WINNT\systemcritical.exe
C:\WINNT\time.exe
C:\WINNT\users32.exe
C:\WINNT\waol.exe
C:\WINNT\Web\default.htt
C:\WINNT\win32e.exe
C:\WINNT\win64.exe
C:\WINNT\winajbm.dll
C:\WINNT\window.exe
C:\WINNT\winmgnt.exe
C:\WINNT\x.exe
C:\WINNT\xplugin.dll
C:\WINNT\xxxvideo.hta
C:\WINNT\y.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_MSGPCC
-------\Legacy_MSSECURITY1.209.4
-------\Legacy_NETWORK_MONITOR
-------\Legacy_TNIDRIVER
-------\Service_msgpcc
-------\Service_MsSecurity1.209.4
-------\Legacy_PlugPlayRPC
-------\Service_PlugPlayRPC


((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 )))))))))))))))))))))))))))))))
.

2008-06-10 22:25 . 08-06-10 22:25 376,830 ---h----- C:\WINNT\ShellIconCache
2008-06-10 19:06 . 08-06-10 19:06 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-10 19:06 . 08-06-10 19:07 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-10 17:52 . 08-06-10 17:53 63,918 --a------ C:\WINNT\system32\{701111f4-4a61-18f9-1974-f0d3753967b1}.dll-uninst.exe
2008-06-09 00:04 . 08-06-14 16:41 <DIR> d-a------ C:\WINNT\system32\3092
2008-06-08 23:03 . 08-06-08 23:03 <DIR> d--hs---- C:\WINNT\Lg
2008-06-08 23:02 . 08-06-08 23:02 87,513 --a------ C:\WINNT\system32\iftuyszv.exe
2008-06-08 23:01 . 08-06-08 23:01 <DIR> d-a------ C:\WINNT\system32\xrem
2008-06-08 23:01 . 08-06-08 23:01 <DIR> d-a------ C:\WINNT\system32\vntiho01
2008-06-08 23:01 . 08-06-08 23:01 <DIR> d-a------ C:\WINNT\system32\inet2
2008-06-08 23:01 . 08-06-08 23:01 <DIR> d-a------ C:\WINNT\system32\expo
2008-06-08 23:01 . 08-06-08 23:01 <DIR> d-a------ C:\WINNT\system32\btz
2008-06-08 23:01 . 08-06-08 23:01 <DIR> d-a------ C:\WINNT\system32\105772
2008-06-08 23:01 . 08-06-14 16:40 <DIR> d-------- C:\Temp
2008-05-27 01:32 . 08-05-27 01:32 28,672 --a------ C:\b37oz3.exe
2008-05-20 17:02 . 08-05-20 17:02 32,768 --a------ C:\WINNT\system32\vntiho01\vntiho011065.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 20:42 28,928 ----a-w C:\WINNT\xplugin.dll
2008-06-14 20:42 28,160 ----a-w C:\WINNT\x.exe
2008-06-14 20:42 23,296 ----a-w C:\WINNT\y.exe
2008-02-28 01:54 217,088 ----a-w C:\Program Files\TTC.dll
2006-06-22 23:15 35,899,962 ----a-w C:\Program Files\Program Files.rar
2003-11-05 23:12 271 ---h--w C:\Program Files\desktop.ini
2003-11-05 23:12 21,952 ---h--w C:\Program Files\folder.htt
2001-11-23 04:08 712,704 ----a-w C:\WINNT\inf\OTHER\AUDIO3D.DLL
1999-12-07 13:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2005-08-02 20:46 187,904 --sha-r C:\WINNT\Lg\asappsrv.dll
2005-08-02 20:58 293,888 --sha-r C:\WINNT\Lg\command.exe
2005-07-29 20:24 472 --sha-r C:\WINNT\Lg\M0.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BBCB33C-13E2-4FC2-8099-8D7104F58F19}]
C:\WINNT\system32\nnnnOeEw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F83EF2AD-F5FD-4564-8C23-27FC429ECBE5}]
C:\Program Files\folder.htt\hyjiloty66225.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Edaa"="C:\DOCUME~1\ADMINI~1\MYDOCU~1\FNTS~1\chkdsk.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 06:05 111376 C:\WINNT\system32\mobsync.exe]
"SiS Tray"="" []
"SiS KHooker"="C:\WINNT\system32\khooker.exe" [ ]
"Cmaudio"="cmicnfg.cpl" []
"NetLimiter"="C:\Program Files\NetLimiter\NetLimiter.exe" [03-11-23 22:24 761856]
"WinVNC"="C:\Program Files\UltraVNC\WinVNC.exe" [05-08-06 19:45 974848]
"{E5-58-85-51-DW}"="C:\winnt\system32\rwwnw64d.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 06:05 186640]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
UltraVNC Server.lnk - C:\Program Files\UltraVNC\winvnc.exe [2006-10-27 11:17:46 974848]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"ntdll.dll"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys [03-06-19 06:05 ]
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 08:05 ]

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 16:44:57
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\lsass.exe
-> C:\Program Files\NetLimiter\nl_lsp.dll
-> C:\WINNT\system32\nl_msgc.dll
.
Completion time: 2008-06-14 16:46:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-14 20:46:41

Pre-Run: 5,377,003,520 bytes free
Post-Run: 5,488,738,304 bytes free

226


---2nd HJT Log---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:49:22 PM, on 6/14/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5BBCB33C-13E2-4FC2-8099-8D7104F58F19} - C:\WINNT\system32\nnnnOeEw.dll (file missing)
O2 - BHO: (no name) - {F83EF2AD-F5FD-4564-8C23-27FC429ECBE5} - C:\Program Files\folder.htt\hyjiloty66225.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [{E5-58-85-51-DW}] C:\winnt\system32\rwwnw64d.exe DWram
O4 - HKCU\..\Run: [Edaa] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\FNTS~1\chkdsk.exe" -vt yazb
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: UltraVNC Server.lnk = C:\Program Files\UltraVNC\winvnc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 2989 bytes
 
Hi

Start hjt, do a system scan, check:
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

Close browsers and other windows. Click fix checked.

Open notepad and copy/paste the text in the quotebox below into it:

Code: 
File::
C:\WINNT\system32\{701111f4-4a61-18f9-1974-f0d3753967b1}.dll-uninst.exe
C:\WINNT\system32\iftuyszv.exe
C:\b37oz3.exe
C:\WINNT\xplugin.dll
C:\WINNT\x.exe
C:\WINNT\y.exe

Folder::
C:\WINNT\system32\3092
C:\WINNT\Lg
C:\WINNT\system32\xrem
C:\WINNT\system32\vntiho01
C:\WINNT\system32\inet2
C:\WINNT\system32\expo
C:\WINNT\system32\btz
C:\WINNT\system32\105772
C:\Temp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BBCB33C-13E2-4FC2-8099-8D7104F58F19}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F83EF2AD-F5FD-4564-8C23-27FC429ECBE5}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Edaa"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{E5-58-85-51-DW}"=-


Save this as
CFScript


CFScript.gif


Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Please post contents of that file & a fresh hjt log (without forgetting above meantioned ComboFix resultant log) in your next reply.
 
Hi, thanks so much.

I did as you directed, and the logs are below. A couple of points though:

* In Atribune Temp File Cleaner, "Prefetch" was disabled (ie, greyed out) in the main tab, as was the option for Firefox (though, Firefox is installed on the infected machine).
* I couldn't get Malwarebytes' Anti-Malware to update using any of the mirror sites. I connected the in infected computer to the internet and tested to make sure I could get to a website in Firefox, but MBAB would not connect to any server (it would just stay on the screen that said "Looking for MalwareSupport.com"). Nonetheless, I cleaned with the version I downloaded:
  • Version 6/10/2008
  • Database version 846
  • Fingerprints 35955
Thanks so much,
rg.

---ComboFix Log---
ComboFix 08-06-12.2 - Administrator 06/15/2008 17:16:41.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.114 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\b37oz3.exe
C:\WINNT\system32\{701111f4-4a61-18f9-1974-f0d3753967b1}.dll-uninst.exe
C:\WINNT\system32\iftuyszv.exe
C:\WINNT\x.exe
C:\WINNT\xplugin.dll
C:\WINNT\y.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\b37oz3.exe
C:\Temp
C:\WINNT\Lg
C:\WINNT\Lg\asappsrv.dll
C:\WINNT\Lg\command.exe
C:\WINNT\Lg\M0.vbs
C:\WINNT\system32\{701111f4-4a61-18f9-1974-f0d3753967b1}.dll-uninst.exe
C:\WINNT\system32\105772
C:\WINNT\system32\105772\dllsockt.exe
C:\WINNT\system32\3092
C:\WINNT\system32\3092\~!1368p.spt
C:\WINNT\system32\btz
C:\WINNT\system32\btz\L3pars2.exe
C:\WINNT\system32\expo
C:\WINNT\system32\expo\mtcon66225.exe
C:\WINNT\system32\iftuyszv.exe
C:\WINNT\system32\inet2
C:\WINNT\system32\inet2\xVXdll.exe
C:\WINNT\system32\vntiho01
C:\WINNT\system32\vntiho01\vntiho011065.exe
C:\WINNT\system32\xrem
C:\WINNT\system32\xrem\imapIP95.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
.

2008-06-15 17:16 . 06/15/08 05:16p 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_268.dat
2008-06-10 22:25 . 06/14/08 05:30p 376,984 ---h----- C:\WINNT\ShellIconCache
2008-06-10 19:06 . 06/10/08 07:06p <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-10 19:06 . 06/10/08 07:07p <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-28 01:54 217,088 ----a-w C:\Program Files\TTC.dll
2006-06-22 23:15 35,899,962 ----a-w C:\Program Files\Program Files.rar
2003-11-05 23:12 271 ---h--w C:\Program Files\desktop.ini
2003-11-05 23:12 21,952 ---h--w C:\Program Files\folder.htt
2001-11-23 04:08 712,704 ----a-w C:\WINNT\inf\OTHER\AUDIO3D.DLL
1999-12-07 13:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 06:05a 111376 C:\WINNT\system32\mobsync.exe]
"SiS Tray"="" []
"SiS KHooker"="C:\WINNT\system32\khooker.exe" [ ]
"Cmaudio"="cmicnfg.cpl" []
"NetLimiter"="C:\Program Files\NetLimiter\NetLimiter.exe" [11/23/03 10:24p 761856]
"WinVNC"="C:\Program Files\UltraVNC\WinVNC.exe" [08/06/05 07:45p 974848]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [06/19/03 06:05a 186640]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
UltraVNC Server.lnk - C:\Program Files\UltraVNC\winvnc.exe [2006-10-27 11:17:46 974848]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"ntdll.dll"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys [06/19/03 06:05a]
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [06/19/03 08:05a]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 17:17:48
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\lsass.exe
-> C:\Program Files\NetLimiter\nl_lsp.dll
-> C:\WINNT\system32\nl_msgc.dll
.
Completion time: 06/15/2008 17:19:39
ComboFix-quarantined-files.txt 2008-06-15 21:19:37
ComboFix2.txt 2008-06-14 20:46:46

Pre-Run: 5,567,901,696 bytes free
Post-Run: 5,562,142,720 bytes free

100


---MBAM Log---
Malwarebytes' Anti-Malware 1.17
Database version: 846

7:05:10 PM 6/15/2008
mbam-log-6-15-2008 (19-05-10).txt

Scan type: Full Scan (C:\|)
Objects scanned: 60861
Time elapsed: 45 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 48

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\AntiSpywareMaster (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\TTC.dll (Adware.TTC) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Administrator\My Documents\FNTS~1\chkdsk.exe.vir (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\AntiSpywareMaster\asm.exe.vir (Rogue.AntiSpyMaster) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\17PHolmes1000106.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\17PHolmes572.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\444.470.vir (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\lfn.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\portsv.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\Lg\asappsrv.dll.vir (AdWare.CommAd) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\Lg\command.exe.vir (AdWare.CommAd) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\byXQKdAR.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\cbXOEtQJ.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\ddcDtUNg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\ddcYpqrP.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\dvz.dll.vir (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\efcYSjhI.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\geBrqpmn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\geBrsTlj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\iftuyszv.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\jkkIARlm.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\jkkJcYPH.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\ljJAQGww.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\mlJYomLC.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\opnnmMFU.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\qoMgeFYR.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\rwwnw64d.exe.vir (Adware.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\ssqPigEV.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\ssqRIXoP.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\urqPiHww.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\vtUkkjhi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\wvUmjHWN.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\xxyaxUnn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\xxyayXpN.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\xxywXPJA.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\xxywXPJY.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\yayvVMCs.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\yayxyyyy.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\_{701111f4-4a61-18f9-1974-f0d3753967b1}.dll.vir (Adware.Vapsup) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\105772\dllsockt.exe.vir (Adware.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\btz\L3pars2.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\expo\mtcon66225.exe.vir (Adware.TTC) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\inet2\xVXdll.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\xrem\imapIP95.exe.vir (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster\AntiSpywareMaster.lnk (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster\Uninstall AntiSpywareMaster.lnk (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktop\AntiSpywareMaster.lnk (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiSpywareMaster.lnk (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
C:\WINNT\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.


---3rd HJT Log---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:08:50 PM, on 6/15/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: UltraVNC Server.lnk = C:\Program Files\UltraVNC\winvnc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 2291 bytes
 
Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


Now lets uninstall ComboFix:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • Download SpywareBlaster
    Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes
    kill bits
    in the registry, so that certain activex controls can't install.
    If you don't know what activex controls are, see here
    You can download SpywareBlaster here here
    SpywareBlaster tutorial
  • hosts file:
    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. [*]Click the start button (at the lower left hand corner of your screen) [*]Click run [*]In the dialog box, type services.msc [*]hit enter, then locate dns client [*]Highlight it, then double-click it. [*]On the dropdown box, change the setting from automatic to manual. [*]Click ok


  • Get Anti Virus Software and keep it updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out. See here to choose one
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
    See here to choose one


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run the spybot and adaware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
 
Hi,

Thanks so much! The computer seems to be working okay, but I won't really have a chance to use it much (ie, test it thoroughly) until next week.

Also, I have a laptop with similar problems. Shall I conduct these steps on that computer as well, or should I start over with a new thread and a HJT log?

Thanks again!
rg.
 
You're welcome :) I'll be waiting for your input with this one.

Also, I have a laptop with similar problems. Shall I conduct these steps on that computer as well, or should I start over with a new thread and a HJT log?
Click to expand...
Start over with a new thread.
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
 
You must log in or register to reply here.
Back
Top