Infected With Vundo


  • This topic is locked
72 replies to this topic

#1 BaderThanBad
  • Members
  • 52 posts

Posted 22 December 2007 - 03:53 PM

My computer has recently been infected with Vundo. My SUPERAntiSpyware keeps showing it up in the same location, and every time it deletes it, it comes up again after the reboot, and I am frustrated. I think I have the same problem as http://www.bleepingcomputer.com/forums/t/121985/infected-with-vundo/ but I'm not really sure.

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:52:00 PM, on 12/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\sttray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MSN Messenger\msnmsgr .exe
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\GetRight\GETRIGHT.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtqq.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4BFD075D-C36E-4F28-BB0A-5D472795197A} (PowerLoader Class) - http://www.powerchallenge.com/applet/PowerLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

--
End of file - 6697 bytes

#2 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 25 December 2007 - 06:05 PM

Hello BaderThanBad,


Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 BaderThanBad
  • Topic Starter
  • Members
  • 52 posts

Posted 26 December 2007 - 09:58 AM

Thanks for responding, man. I know it's the holiday season and all, but thanks.
I have already downloaded VundoFix before and tried it, and it couldn't erase one of the infections, and it kept spreading after that to the other locations.

This is my C:\Vundofix.txt:


VundoFix V6.7.7

Checking Java version...

Scan started at 9:25:11 PM 12/22/2007

Listing files found while scanning....

C:\WINDOWS\system32\awtqq.dll
C:\WINDOWS\system32\awtqq.exe
C:\WINDOWS\system32\cbxyxuu.dll
C:\WINDOWS\system32\efcywtr.dll
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\qqtwa.ini
C:\WINDOWS\system32\qqtwa.ini2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtqq.dll
C:\WINDOWS\system32\awtqq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\awtqq.exe
C:\WINDOWS\system32\awtqq.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbxyxuu.dll
C:\WINDOWS\system32\cbxyxuu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\efcywtr.dll
C:\WINDOWS\system32\efcywtr.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hkcmd.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxpers.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxtray.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\qqtwa.ini
C:\WINDOWS\system32\qqtwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\qqtwa.ini2
C:\WINDOWS\system32\qqtwa.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\efcywtr.dll
C:\WINDOWS\system32\efcywtr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Scan started at 9:44:03 PM 12/22/2007

Listing files found while scanning....

C:\WINDOWS\system32\awtqq.dll
C:\WINDOWS\system32\awtqq.exe
C:\WINDOWS\system32\efcywtr.dll
C:\WINDOWS\system32\qqtwa.ini
C:\WINDOWS\system32\qqtwa.ini2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtqq.dll
C:\WINDOWS\system32\awtqq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\awtqq.exe
C:\WINDOWS\system32\awtqq.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\efcywtr.dll
C:\WINDOWS\system32\efcywtr.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\qqtwa.ini
C:\WINDOWS\system32\qqtwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\qqtwa.ini2
C:\WINDOWS\system32\qqtwa.ini2 Has been deleted!

Performing Repairs to the registry.
Done!




By the way, I don't know if this is a side effect of the virus or not, but Java applets in my Internet Explorer only, not Firefox, started to not load or work.
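The HijackThis log in post #1 and the VundoFix file list above share two patterns worth pulling out mechanically: running processes whose file name carries a space before the extension (realsched .exe, PDVDServ .exe, qttask .exe) while the matching O4 Run entry points at the name without the space, and a system32 DLL/EXE whose five-letter stem is the reverse of a companion .ini (awtqq and qqtwa), with the .exe also registered through the win.ini load= line (the HijackThis F3 entry). What follows is an added example, not code from the thread or from any tool mentioned in it: a small Python script that extracts paths from log text of this kind and reports those indicators. The function names, the regex and the embedded sample (a constructed subset of lines copied from the logs posted above) are this example's own; the rules encode what these particular logs show, not a full description of the malware.

```python
"""Flag the Vundo-style indicators visible in the HijackThis and VundoFix
logs above.  Added example, not code from the thread; the sample lines are
copied from the posted logs, everything else (function names, the regex,
the rules) is this example's own construction."""
import re

# Constructed sample: a subset of lines copied from the logs posted in this
# thread (running processes, O4 Run entries, the F3 win.ini line, and the
# VundoFix file list).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtqq.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
C:\WINDOWS\system32\awtqq.dll
C:\WINDOWS\system32\efcywtr.dll
C:\WINDOWS\system32\qqtwa.ini
C:\WINDOWS\system32\qqtwa.ini2
"""

# A Windows path ending in a 1-4 character extension, terminated by a quote,
# whitespace, a comma or end of line, so trailing arguments such as
# "-osboot" or ",NvStartup" are not swallowed into the path.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.[A-Za-z0-9]{1,4}(?=["\s,]|$)', re.MULTILINE)
SYSTEM32 = "c:\\windows\\system32\\"


def extract_paths(text):
    """Every file path mentioned anywhere in the log text, in order."""
    return PATH_RE.findall(text)


def split_name(path):
    """(directory, stem, ext) for a Windows path; ext is '' when absent."""
    directory, _, name = path.rpartition("\\")
    stem, _, ext = name.rpartition(".")
    if not stem:                      # no dot in the file name at all
        stem, ext = name, ""
    return directory, stem, ext


def has_space_before_extension(path):
    """'realsched .exe': the stem ends in a space, as in the posted logs."""
    _, stem, ext = split_name(path)
    return bool(ext) and stem.endswith(" ")


def shadowed_pairs(paths):
    """A 'name .exe' whose twin 'name.exe' also appears in the same directory
    somewhere in the log (e.g. the running process versus the Run entry)."""
    present = {p.lower() for p in paths}
    pairs = set()
    for p in paths:
        if has_space_before_extension(p):
            directory, stem, ext = split_name(p)
            twin = f"{directory}\\{stem.rstrip()}.{ext}"
            if twin.lower() in present:
                pairs.add((p, twin))
    return sorted(pairs)


def reversed_name_pairs(paths):
    """system32 files whose stems are each other's reverse (awtqq <-> qqtwa).
    Returns [(files with stem, files with reversed stem), ...]."""
    by_stem = {}
    for p in paths:
        if p.lower().startswith(SYSTEM32):
            _, stem, ext = split_name(p)
            by_stem.setdefault(stem.lower(), set()).add(f"{stem}.{ext}" if ext else stem)
    pairs = []
    for stem in sorted(by_stem):
        rev = stem[::-1]
        if rev in by_stem and stem < rev:   # stem < rev: report each pair once
            pairs.append((sorted(by_stem[stem]), sorted(by_stem[rev])))
    return pairs


def winini_load_entries(text):
    """Targets of the win.ini 'load=' autostart (HijackThis F3 line)."""
    return re.findall(r"^F3 - REG:win\.ini: load=(.+?)\s*$", text, re.MULTILINE)


def analyse(text):
    """All indicators for one log, keyed by indicator name."""
    paths = extract_paths(text)
    return {
        "space_before_ext": sorted({p for p in paths if has_space_before_extension(p)}),
        "shadowed_pairs": shadowed_pairs(paths),
        "reversed_pairs": reversed_name_pairs(paths),
        "winini_load": winini_load_entries(text),
    }


if __name__ == "__main__":
    for key, hits in analyse(SAMPLE_LOG).items():
        print(f"{key}:")
        for hit in hits:
            print(f"  {hit}")
```

Run it directly to see the report for the embedded sample; `analyse(open("hijackthis.log").read())` does the same for a saved log. The ComboFix listing later in the thread is why the with-space/without-space pair is worth reporting: it shows ctfmon.exe at 354,816 bytes beside a 15,360-byte ctfmon .exe, and nwiz.exe at 2,086,912 bytes beside a 1,622,016-byte nwiz .exe, which is consistent with the original binary having been renamed and a larger file placed under its name.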

#4 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 26 December 2007 - 11:40 AM

Hi baderthanbad,

You need to realize that you are missing one important program on that computer: An antivirus.

This is somewhat suicidal in today's digital world. :thumbsup:

You need to install an antivirus program as soon as you can and run a complete scan of the computer.

I recommend you download the free

Avast or
AntiVir or
AVG antivirus

Products from all three vendors received the Virus Bulletin's VB100% award and certification for virus detection from ICSA Labs.

Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and seriously decrease its reliability!


Post the antivirus log and a fresh Hijackthis log.

Edited by SifuMike, 26 December 2007 - 11:44 AM.

#5 BaderThanBad
  • Topic Starter
  • Members
  • 52 posts

Posted 26 December 2007 - 03:51 PM

Thanks for pointing it out. I downloaded Avast and ran a full system scan. No viruses appeared in the scan, but I do not know how to post an Avast log. Here is my new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:15 PM, on 12/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\sttray.exe
C:\WINDOWS\system32\STacSV.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\Program Files\Java\jre6\bin\jusched .exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\Program Files\MSN Messenger\msnmsgr .exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\GetRight\GETRIGHT.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtqq.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4BFD075D-C36E-4F28-BB0A-5D472795197A} (PowerLoader Class) - http://www.powerchallenge.com/applet/PowerLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

--
End of file - 7539 bytes

#6 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 26 December 2007 - 07:31 PM

Hi BaderThanBad,

but i do not know how to post an avast log.


I would really like to see the log, even if it did not find anything.
Av_avast logs all information to the av_avast.log file, so do a search on av_avast.log and you should be able to find it. You should be able to copy and paste it. If it is too long to post, then attach it. Thanks.

Edited by SifuMike, 26 December 2007 - 07:52 PM.

#7 BaderThanBad
  • Topic Starter
  • Members
  • 52 posts

Posted 27 December 2007 - 06:41 AM

I found another problem with my computer: the search is not working. When I press the search button in my start menu, a page pops up, but there are no search fields to write in or anything, though the place where I'm supposed to write is blue. I can see the bar and also the "Search Companion", but I cannot see the search fields or anything. I think it may be due to the thing that infected me, but I'm not sure. Other weird things that happen to my computer are that the desktop and the entire bottom bar disappear for a few seconds (maybe Explorer is restarting or something), and ever since I downloaded Avast, every time I turn on my computer it asks me to restart it.

#8 BaderThanBad
  • Topic Starter
  • Members
  • 52 posts

Posted 27 December 2007 - 08:44 AM

Can't find the Avast log with search, and I tried looking for it but I couldn't find it :thumbsup: Maybe you could tell me a location that Avast generally uses for storing its logs.

#9 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 27 December 2007 - 01:37 PM

Hi,

We will continue and come back to the Avast log later.

Let's run ComboFix.


Disable your Avast antivirus before running ComboFix, as it will stop ComboFix from working.
Right click on the avast! icon in system tray and choose (Stop On-Access Protection).

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


If you have used ComboFix before, please delete the version you have and redownload it, because ComboFix is being updated every day.

Disconnect from the Internet while running ComboFix.

Temporarily disable any anti-virus and anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
Do NOT run ComboFix more than once.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Do not run Combofix more than once.
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

#10 BaderThanBad
  • Topic Starter
  • Members
  • 52 posts

Posted 27 December 2007 - 02:22 PM

This is my ComboFix log:

ComboFix 07-12-21.4 - BTB 2007-12-27 22:07:33.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1576 [GMT 3:00]
Running from: C:\Documents and Settings\BTB\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\awtqq.dll
C:\WINDOWS\system32\efcywtr.dll
C:\WINDOWS\system32\qqtwa.ini
C:\WINDOWS\system32\qqtwa.ini2

.
((((((((((((((((((((((((( Files Created from 2007-11-27 to 2007-12-27 )))))))))))))))))))))))))))))))
.

2007-12-27 20:13 . 2007-12-27 20:13 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-12-27 20:13 . 2007-12-27 20:13 <DIR> d-------- C:\Program Files\Fizzy
2007-12-27 20:13 . 2007-12-27 20:13 <DIR> d-------- C:\Documents and Settings\BTB\Application Data\fizzy
2007-12-27 14:28 . 2007-12-27 14:28 337,920 --a------ C:\WINDOWS\system32\RCX33.tmp
2007-12-27 14:10 . 2007-12-27 14:10 337,920 --a------ C:\WINDOWS\system32\RCX31.tmp
2007-12-26 22:13 . 2007-12-26 22:13 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-26 22:13 . 2007-12-04 16:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-12-26 22:13 . 2004-01-09 12:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-12-26 22:13 . 2007-12-04 15:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-12-26 22:13 . 2007-12-04 17:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-26 22:13 . 2007-12-04 17:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-26 22:13 . 2007-12-04 17:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-26 22:13 . 2007-12-04 17:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-26 22:13 . 2007-12-04 17:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-26 21:48 . 2007-12-26 21:48 337,920 --a------ C:\WINDOWS\system32\RCX30.tmp
2007-12-25 16:52 . 2007-12-25 16:52 337,920 --a------ C:\WINDOWS\system32\RCX2F.tmp
2007-12-24 22:58 . 2007-12-24 22:58 337,920 --a------ C:\WINDOWS\system32\RCX2E.tmp
2007-12-24 01:27 . 2007-12-24 01:29 <DIR> d-------- C:\Program Files\jvd
2007-12-24 00:53 . 2007-12-24 01:02 402,784 --a------ C:\WINDOWS\system32\deploytk.dll
2007-12-22 22:31 . 2007-12-27 22:14 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-22 22:31 . 2007-12-22 22:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-22 22:31 . 2007-12-22 22:31 <DIR> d-------- C:\Documents and Settings\BTB\Application Data\SUPERAntiSpyware.com
2007-12-22 22:31 . 2007-12-22 22:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-22 22:17 . 2007-12-22 22:17 125 --a------ C:\ioSpecial.ini
2007-12-22 22:07 . 2007-12-22 22:07 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-22 21:57 . 2007-12-27 22:15 337,920 --a------ C:\WINDOWS\system32\awtqq.exe
2007-12-22 21:56 . 2007-12-22 21:56 76 --a------ C:\WINDOWS\system32\ikhcore.cfg
2007-12-22 21:25 . 2007-12-22 21:54 <DIR> d-------- C:\VundoFix Backups
2007-12-22 21:12 . 2007-12-27 22:01 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-22 21:11 . 2007-12-22 21:11 337,920 --a------ C:\WINDOWS\system32\RCX32.tmp
2007-12-22 17:01 . 2007-12-27 22:14 1,622,016 --a------ C:\WINDOWS\system32\nwiz .exe
2007-12-22 16:58 . 2007-12-24 01:02 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-22 16:45 . 2007-12-22 21:11 98,304 --a------ C:\WINDOWS\system32\igfxtray .exe
2007-12-22 16:45 . 2007-12-22 21:11 86,016 --a------ C:\WINDOWS\system32\hkcmd .exe
2007-12-22 16:45 . 2007-12-22 21:11 81,920 --a------ C:\WINDOWS\system32\igfxpers .exe
2007-12-22 13:39 . 2007-12-22 13:39 <DIR> d-------- C:\Documents and Settings\BTB\Application Data\Ahead
2007-12-06 17:19 . 2007-12-06 17:19 <DIR> d-------- C:\Documents and Settings\BTB\Application Data\Apple Computer
2007-12-06 17:15 . 2007-12-06 17:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-06 17:15 . 2007-12-06 17:15 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-27 19:15 --------- d-----w C:\Program Files\QuickTime
2007-12-27 19:14 354,816 ----a-w C:\WINDOWS\system32\ctfmon.exe
2007-12-27 19:14 --------- d-----w C:\Program Files\MSN Messenger
2007-12-27 19:13 334,336 ----a-w C:\WINDOWS\system32\awtqq.dll
2007-12-27 19:05 --------- d-----w C:\Program Files\GetRight
2007-12-27 18:15 --------- d-----w C:\Documents and Settings\BTB\Application Data\uTorrent
2007-12-23 22:02 --------- d-----w C:\Program Files\Java
2007-12-23 21:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-22 19:23 --------- d-----w C:\Program Files\Spyware Doctor
2007-12-22 19:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-22 19:18 --------- d-----w C:\Program Files\thriXXX
2007-12-22 13:58 2,086,912 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-12-16 22:08 --------- d-----w C:\Documents and Settings\BTB\Application Data\PowerChallenge
2007-12-16 12:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-08 16:47 --------- d-----w C:\Documents and Settings\BTB\Application Data\Hamachi
2007-11-23 10:12 --------- d-----w C:\Documents and Settings\BTB\Application Data\InstallShield
2007-11-23 09:38 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-11-23 09:38 --------- d--h--r C:\Documents and Settings\BTB\Application Data\SecuROM
2007-11-18 15:39 --------- d-----w C:\Documents and Settings\BTB\Application Data\Image Zone Express
2007-11-16 20:40 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-13 17:30 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-10 18:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2007-11-10 18:45 --------- d-----w C:\Program Files\Kaspersky
2007-11-10 18:36 --------- d-----w C:\Documents and Settings\BTB\Application Data\Skype
2007-11-05 15:18 --------- d-----w C:\Documents and Settings\BTB\Application Data\CyberLink
2007-11-03 18:15 --------- d-----w C:\Program Files\Apple Software Update
2007-11-03 18:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-03 18:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-11-03 16:37 --------- d-----w C:\Program Files\Autodesk
2007-11-03 16:36 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2007-11-03 16:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 14:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-14 11:49 720,896 ----a-w C:\WINDOWS\iun6002.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{23C29635-56F3-4F1B-AF62-91019859A941}]
2007-12-27 22:13 334336 --a------ C:\WINDOWS\system32\awtqq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
2007-12-24 01:02 31744 --a------ C:\Program Files\Java\jre6\bin\jp2ssv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-27 22:13]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-12-27 22:07]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:26]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-12-27 22:14]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-12-27 22:14]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="sttray.exe" [2006-05-26 17:58 C:\WINDOWS\sttray.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" []
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" []
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-12-27 22:14]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-12-27 22:14]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-12-27 22:14]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-27 22:14]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 22:26 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-12-22 16:58 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-03 22:26 C:\WINDOWS\system32\rundll32.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-12-27 22:15]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-27 22:15]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2007-12-27 22:15]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-27 22:15]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\awtqq.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\awtqq

R0 IFP700;iriver Internet Audio Player IFP-700;C:\WINDOWS\system32\drivers\ifp700.sys [2004-03-29 17:28]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio.sys [2006-09-26 23:21]

.
Contents of the 'Scheduled Tasks' folder
"2007-11-03 18:15:20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-27 13:54:00 C:\WINDOWS\Tasks\WebReg psc 1400 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-27 22:13:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\awtqq.dll
-> C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll
.
Completion time: 2007-12-27 22:17:02 - machine was rebooted
.
2007-12-22 09:24:51 --- E O F ---

And my Hijackthis Log :-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:20 PM, on 12/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\sttray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched .exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\MSN Messenger\msnmsgr .exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\GetRight\GETRIGHT.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtqq.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4BFD075D-C36E-4F28-BB0A-5D472795197A} (PowerLoader Class) - http://www.powerchallenge.com/applet/PowerLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

--
End of file - 7433 bytes


As I see it, it looks like ComboFix found the same programs VundoFix did and was successful at deleting them, maybe? You are the expert, so may you please look at this and help me :thumbsup: BTW, I appreciate what you are doing.

#11 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:52 PM

Posted 27 December 2007 - 03:01 PM

Hi BaderThanBad,

You have a suspicious file we need to check.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.


Go to the next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'.
Click the browse button and browse to the next file:

C:\WINDOWS\system32\deploytk.dll

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.
Once scanned, copy and paste the results also in your next reply.


**************************


Click Start, then Run and type Notepad and click OK.
Open Notepad; don't use any text editor other than Notepad, or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\system32\awtqq.dll

Folder:: 
C:\VundoFix Backups

Registry:: 
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{23C29635-56F3-4F1B-AF62-91019859A941}]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=- 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] 
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


[Screenshot: dragging CFScript.txt onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log.

Edited by SifuMike, 27 December 2007 - 03:02 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
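An added example, not part of the thread and not ComboFix's own code: a small Python parser for the CFScript format used in the post above (File::/Folder::/Registry:: sections, with the Registry:: block in REGEDIT4 syntax) that decodes the hex(7) payload to show it resets the LSA "Authentication Packages" list to just msv1_0, dropping the awtqq entry that the ComboFix log reported. The script text and the log line are copied from the posts in this thread; the function names and the action labels are my own.

```python
"""Parse the CFScript posted above and decode its REGEDIT4 registry edits.

Added example, not ComboFix's own code. Treats the script purely as text:
'Name::' headers open sections; in the Registry:: section, "[-KEY]" deletes
a key, '"name"=-' deletes a value, and hex(7) is a REG_MULTI_SZ encoded as
comma-separated ANSI bytes with each string NUL-terminated and one extra NUL.
"""
import re

# The script exactly as posted in the thread (copied, not constructed).
CFSCRIPT = r"""File::
C:\WINDOWS\system32\awtqq.dll

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{23C29635-56F3-4F1B-AF62-91019859A941}]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"""

# The LSA line from the ComboFix log posted in this thread (copied, not constructed).
LOG_LINE = r"Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\awtqq"

SECTION_RE = re.compile(r"^(\w+)::\s*$")


def split_sections(script: str) -> dict:
    """Group the non-blank lines of a CFScript under their 'Name::' headers."""
    sections, current = {}, None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def decode_multi_sz(hex_payload: str) -> list:
    """Decode a REGEDIT4 hex(7) payload into the list of strings it encodes."""
    data = bytes(int(b, 16) for b in hex_payload.split(",") if b)
    # Each string is NUL-terminated and the list ends with an extra NUL,
    # so empty pieces after splitting are terminators, not entries.
    return [s.decode("latin-1") for s in data.split(b"\x00") if s]


def parse_registry(lines: list) -> list:
    """Turn the Registry:: block into (key, action, name, value) tuples."""
    ops, key = [], None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):          # "[-KEY]" deletes the whole key
                ops.append((key[1:], "delete_key", None, None))
                key = None
        elif line.startswith('"') and key:
            name, _, value = line[1:].partition('"=')
            if value == "-":                  # '"name"=-' deletes the value
                ops.append((key, "delete_value", name, None))
            elif value.startswith("hex(7):"):
                ops.append((key, "set_multi_sz", name, decode_multi_sz(value[7:])))
            else:
                ops.append((key, "set", name, value.strip('"')))
    return ops


def lsa_packages_from_log(log_line: str) -> list:
    """Package list from ComboFix's 'Authentication Packages REG_MULTI_SZ ...' line.

    Splits on whitespace, which is fine for the entries seen in this thread
    (paths under system32 without spaces).
    """
    _, _, rest = log_line.partition("REG_MULTI_SZ")
    return rest.split()


def packages_removed(log_line: str, script: str) -> list:
    """Entries the script's hex(7) value drops from the logged package list."""
    before = lsa_packages_from_log(log_line)
    for key, action, name, value in parse_registry(split_sections(script)["Registry"]):
        if action == "set_multi_sz" and name == "Authentication Packages":
            return [p for p in before if p not in value]
    return []


if __name__ == "__main__":
    for op in parse_registry(split_sections(CFSCRIPT)["Registry"]):
        print(op)
    print("dropped from Authentication Packages:", packages_removed(LOG_LINE, CFSCRIPT))
```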

#12 BaderThanBad

BaderThanBad
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:12:52 AM

Posted 27 December 2007 - 03:44 PM

Here are the results from the site you asked for:


File deploytk.dll received on 12.27.2007 21:16:39 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.12.28.10 2007.12.27 -
AntiVir 7.6.0.46 2007.12.27 -
Authentium 4.93.8 2007.12.27 -
Avast 4.7.1098.0 2007.12.27 -
AVG 7.5.0.516 2007.12.27 -
BitDefender 7.2 2007.12.27 -
CAT-QuickHeal 9.00 2007.12.27 -
ClamAV 0.91.2 2007.12.27 -
DrWeb 4.44.0.09170 2007.12.27 -
eSafe 7.0.15.0 2007.12.27 -
eTrust-Vet 31.3.5406 2007.12.27 -
Ewido 4.0 2007.12.27 -
FileAdvisor 1 2007.12.27 -
Fortinet 3.14.0.0 2007.12.27 -
F-Prot 4.4.2.54 2007.12.26 -
F-Secure 6.70.13030.0 2007.12.27 -
Ikarus T3.1.1.15 2007.12.27 -
Kaspersky 7.0.0.125 2007.12.27 -
McAfee 5194 2007.12.27 -
Microsoft 1.3109 2007.12.27 -
NOD32v2 2751 2007.12.27 -
Norman 5.80.02 2007.12.27 -
Panda 9.0.0.4 2007.12.27 -
Prevx1 V2 2007.12.27 -
Rising 20.24.32.00 2007.12.27 -
Sophos 4.24.0 2007.12.27 -
Sunbelt 2.2.907.0 2007.12.27 -
Symantec 10 2007.12.27 -
TheHacker 6.2.9.172 2007.12.27 -
VBA32 3.12.2.5 2007.12.26 -
VirusBuster 4.3.26:9 2007.12.27 -
Webwasher-Gateway 6.6.2 2007.12.27 -
Additional information
File size: 402784 bytes
MD5: 0cda8165c61ad6ebe4e31e379c1dd940
SHA1: 54d851d2a58c321d9effaa0537e8fe5d1637d595
PEiD: -

And the ComboFix log (I don't know if it worked correctly or not):

ComboFix 07-12-21.4 - BTB 2007-12-27 23:33:10.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1575 [GMT 3:00]
Running from: C:\Documents and Settings\BTB\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\BTB\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\awtqq.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\awtqq.dll
C:\WINDOWS\system32\qqtwa.ini
C:\WINDOWS\system32\qqtwa.ini2

.
((((((((((((((((((((((((( Files Created from 2007-11-27 to 2007-12-27 )))))))))))))))))))))))))))))))
.

2007-12-27 20:13 . 2007-12-27 20:13 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-12-27 20:13 . 2007-12-27 20:13 <DIR> d-------- C:\Program Files\Fizzy
2007-12-27 20:13 . 2007-12-27 20:13 <DIR> d-------- C:\Documents and Settings\BTB\Application Data\fizzy
2007-12-27 14:28 . 2007-12-27 14:28 337,920 --a------ C:\WINDOWS\system32\RCX33.tmp
2007-12-27 14:10 . 2007-12-27 14:10 337,920 --a------ C:\WINDOWS\system32\RCX31.tmp
2007-12-26 22:13 . 2007-12-26 22:13 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-26 22:13 . 2007-12-04 16:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-12-26 22:13 . 2004-01-09 12:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-12-26 22:13 . 2007-12-04 15:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-12-26 22:13 . 2007-12-04 17:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-26 22:13 . 2007-12-04 17:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-26 22:13 . 2007-12-04 17:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-26 22:13 . 2007-12-04 17:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-26 22:13 . 2007-12-04 17:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-26 21:48 . 2007-12-26 21:48 337,920 --a------ C:\WINDOWS\system32\RCX30.tmp
2007-12-25 16:52 . 2007-12-25 16:52 337,920 --a------ C:\WINDOWS\system32\RCX2F.tmp
2007-12-24 22:58 . 2007-12-24 22:58 337,920 --a------ C:\WINDOWS\system32\RCX2E.tmp
2007-12-24 01:27 . 2007-12-24 01:29 <DIR> d-------- C:\Program Files\jvd
2007-12-24 00:53 . 2007-12-24 01:02 402,784 --a------ C:\WINDOWS\system32\deploytk.dll
2007-12-22 22:31 . 2007-12-27 23:33 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-22 22:31 . 2007-12-22 22:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-22 22:31 . 2007-12-22 22:31 <DIR> d-------- C:\Documents and Settings\BTB\Application Data\SUPERAntiSpyware.com
2007-12-22 22:31 . 2007-12-22 22:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-22 22:17 . 2007-12-22 22:17 125 --a------ C:\ioSpecial.ini
2007-12-22 22:07 . 2007-12-22 22:07 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-22 21:57 . 2007-12-27 23:33 337,920 --a------ C:\WINDOWS\system32\awtqq.exe
2007-12-22 21:56 . 2007-12-22 21:56 76 --a------ C:\WINDOWS\system32\ikhcore.cfg
2007-12-22 21:12 . 2007-12-27 22:01 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-22 21:11 . 2007-12-22 21:11 337,920 --a------ C:\WINDOWS\system32\RCX32.tmp
2007-12-22 17:01 . 2007-12-27 22:14 1,622,016 --a------ C:\WINDOWS\system32\nwiz .exe
2007-12-22 16:58 . 2007-12-24 01:02 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-22 16:45 . 2007-12-22 21:11 98,304 --a------ C:\WINDOWS\system32\igfxtray .exe
2007-12-22 16:45 . 2007-12-22 21:11 86,016 --a------ C:\WINDOWS\system32\hkcmd .exe
2007-12-22 16:45 . 2007-12-22 21:11 81,920 --a------ C:\WINDOWS\system32\igfxpers .exe
2007-12-22 13:39 . 2007-12-22 13:39 <DIR> d-------- C:\Documents and Settings\BTB\Application Data\Ahead
2007-12-06 17:19 . 2007-12-06 17:19 <DIR> d-------- C:\Documents and Settings\BTB\Application Data\Apple Computer
2007-12-06 17:15 . 2007-12-06 17:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-06 17:15 . 2007-12-06 17:15 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-27 20:33 --------- d-----w C:\Program Files\QuickTime
2007-12-27 20:33 --------- d-----w C:\Program Files\MSN Messenger
2007-12-27 20:32 --------- d-----w C:\Program Files\GetRight
2007-12-27 18:15 --------- d-----w C:\Documents and Settings\BTB\Application Data\uTorrent
2007-12-23 22:02 --------- d-----w C:\Program Files\Java
2007-12-23 21:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-22 19:23 --------- d-----w C:\Program Files\Spyware Doctor
2007-12-22 19:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-22 19:18 --------- d-----w C:\Program Files\thriXXX
2007-12-16 22:08 --------- d-----w C:\Documents and Settings\BTB\Application Data\PowerChallenge
2007-12-16 12:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-08 16:47 --------- d-----w C:\Documents and Settings\BTB\Application Data\Hamachi
2007-11-23 10:12 --------- d-----w C:\Documents and Settings\BTB\Application Data\InstallShield
2007-11-23 09:38 --------- d--h--r C:\Documents and Settings\BTB\Application Data\SecuROM
2007-11-18 15:39 --------- d-----w C:\Documents and Settings\BTB\Application Data\Image Zone Express
2007-11-16 20:40 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-13 17:30 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-10 18:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2007-11-10 18:45 --------- d-----w C:\Program Files\Kaspersky
2007-11-10 18:36 --------- d-----w C:\Documents and Settings\BTB\Application Data\Skype
2007-11-05 15:18 --------- d-----w C:\Documents and Settings\BTB\Application Data\CyberLink
2007-11-03 18:15 --------- d-----w C:\Program Files\Apple Software Update
2007-11-03 18:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-03 18:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-11-03 16:37 --------- d-----w C:\Program Files\Autodesk
2007-11-03 16:36 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2007-11-03 16:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2007-10-14 11:49 720,896 ----a-w C:\WINDOWS\iun6002.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
2007-12-24 01:02 31744 --a------ C:\Program Files\Java\jre6\bin\jp2ssv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-12-27 23:33]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:26]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-12-27 23:33]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-12-27 23:33]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="sttray.exe" [2006-05-26 17:58 C:\WINDOWS\sttray.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" []
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" []
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-12-27 23:33]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-12-27 23:33]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-12-27 23:33]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-27 23:33]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 22:26 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-12-22 16:58 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-03 22:26 C:\WINDOWS\system32\rundll32.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-12-27 23:33]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-27 23:33]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2007-12-27 23:33]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-27 23:33]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\awtqq.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\awtqq


.
Contents of the 'Scheduled Tasks' folder
"2007-11-03 18:15:20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-27 13:54:00 C:\WINDOWS\Tasks\WebReg psc 1400 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-27 23:37:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\qqtwa.ini 319 bytes
C:\WINDOWS\system32\qqtwa.ini2 319 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\awtqq.dll
-> C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll
.
Completion time: 2007-12-27 23:41:19 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-27 22:17
.
2007-12-22 09:24:51 --- E O F ---

And a new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:17 PM, on 12/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\sttray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jusched .exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\MSN Messenger\msnmsgr .exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\GetRight\GETRIGHT.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtqq.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4BFD075D-C36E-4F28-BB0A-5D472795197A} (PowerLoader Class) - http://www.powerchallenge.com/applet/PowerLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

--
End of file - 7493 bytes

#13 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:52 PM

Posted 27 December 2007 - 08:52 PM

Open NOTEPAD.exe and copy/paste the text in the code box below into it:

@echo off
rem List every file under the system drive whose name has a space right before
rem ".exe" (for example "qttask .exe" instead of "qttask.exe") and save the list.
Vfind.exe -ltf "%systemdrive%\* .exe" > Log.txt
start notepad Log.txt


Save this as check.bat, choosing "Save as type: All Files".
It should look like this: (screenshot)
Double click on check.bat & allow it to run.

It shall produce a log which you must attach (do not post the log) in your next reply.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
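As an added example (not part of SifuMike's post and not the check.bat above), the same space-before-extension check written in Python: it flags HijackThis O4 lines whose command points at a name like "qttask .exe", and walks a directory tree for such files. The sample log lines and the temporary directory are constructed for the demonstration.

```python
import os
import re
import tempfile

# A name with a space right before the extension ("qttask .exe" rather than
# "qttask.exe"): the spoof that check.bat's "* .exe" pattern hunts for.
SPACED_EXT_RE = re.compile(r'\S \.(exe|dll)\b', re.IGNORECASE)

def has_spaced_extension(text: str) -> bool:
    """True if text contains a path or name ending in ' .exe' or ' .dll'."""
    return SPACED_EXT_RE.search(text) is not None

def find_spaced_executables(root: str) -> list:
    """Walk root and return files whose name has a space before the extension,
    the filesystem side of what Vfind.exe does in check.bat."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if has_spaced_extension(f))
    return sorted(hits)

def suspicious_o4_entries(log_text: str) -> list:
    """Return the [Name] of each HijackThis O4 (Run key) line whose command
    points at a spaced-extension executable."""
    names = []
    for line in log_text.splitlines():
        m = re.match(r'^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$', line.strip())
        if m and has_spaced_extension(m.group('cmd')):
            names.append(m.group('name'))
    return names

# Constructed sample in HijackThis format, modelled on the log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched .exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"""

def demo_tree() -> str:
    """Constructed temp tree: one spoofed name, one genuine, one unrelated file."""
    root = tempfile.mkdtemp(prefix='vundo_demo_')
    sub = os.path.join(root, 'QuickTime')
    os.makedirs(sub)
    for name in ('qttask.exe', 'qttask .exe', 'readme.txt'):
        open(os.path.join(sub, name), 'w').close()
    return root

if __name__ == '__main__':
    print(suspicious_o4_entries(SAMPLE_LOG))   # ['QuickTime Task', 'TkBellExe']
    print(find_spaced_executables(demo_tree()))
```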

#14 BaderThanBad

BaderThanBad
  • Topic Starter

  • Members
  • 52 posts
  • Local time:12:52 AM

Posted 28 December 2007 - 05:35 PM

I attached the check.bat created log.

Attached Files

  • Attached File  Log.txt   4.56KB   40 downloads


#15 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:52 PM

Posted 28 December 2007 - 07:11 PM

Hi BaderThanBad,

Looks like you have a new Vundo variant file, quite hard to kill :thumbsup:


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\system32\RCX33.tmp
C:\WINDOWS\system32\RCX31.tmp
C:\WINDOWS\system32\RCX30.tmp
C:\WINDOWS\system32\RCX2F.tmp
C:\WINDOWS\system32\RCX2E.tmp
C:\WINDOWS\system32\RCX32.tmp
C:\WINDOWS\system32\awtqq.exe
C:\WINDOWS\system32\qqtwa.ini 
C:\WINDOWS\system32\qqtwa.ini2 

Registry:: 
[-HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] 
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


(screenshot: dragging CFScript.txt onto ComboFix.exe)

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
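Added example, not from SifuMike's post and not part of ComboFix: a decoder for the hex(7) REG_MULTI_SZ value in the Registry:: section above, used to check whether the LSA "Authentication Packages" list holds anything besides msv1_0 (a DLL listed there is loaded by lsass.exe at boot). The clean value is the one from the script; the infected variant is a constructed sample.

```python
import re

def decode_hex7(value: str) -> list:
    """Decode a registry-script 'hex(7):aa,bb,...' REG_MULTI_SZ value into its
    strings. Handles single-byte text as in the CFScript above
    (6d,73,76,31,5f,30,00,00 -> "msv1_0") and UTF-16LE as regedit exports it."""
    m = re.match(r'^hex\(7\):(.*)$', value.strip(), re.IGNORECASE | re.DOTALL)
    if not m:
        raise ValueError('not a hex(7) value')
    # Split on commas, whitespace and the backslash line continuations of .reg files.
    raw = bytes(int(b, 16) for b in re.split(r'[,\s\\]+', m.group(1)) if b)
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        text = raw.decode('utf-16-le')   # every high byte is zero: UTF-16LE
    else:
        text = raw.decode('latin-1')     # single-byte form used by the script
    # REG_MULTI_SZ is NUL-separated and ends with a double NUL.
    return [s for s in text.split('\x00') if s]

EXPECTED_LSA_PACKAGES = {'msv1_0'}   # the only package a clean XP install lists

def unexpected_lsa_packages(value: str) -> list:
    """Return every Authentication Packages entry other than msv1_0."""
    return [p for p in decode_hex7(value) if p.lower() not in EXPECTED_LSA_PACKAGES]

# Value from the CFScript in this thread (clean), and a constructed infected
# variant with an extra package appended after msv1_0.
CLEAN = 'hex(7):6d,73,76,31,5f,30,00,00'
INFECTED = 'hex(7):6d,73,76,31,5f,30,00,61,77,74,71,71,00,00'

if __name__ == '__main__':
    print(decode_hex7(CLEAN))                 # ['msv1_0']
    print(unexpected_lsa_packages(INFECTED))  # ['awtqq']
```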



