Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan Files Detected, Virtumonde And Drive Cleaner 2006


  • Please log in to reply
20 replies to this topic

#1 barbtrd

barbtrd

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:01:33 AM

Posted 06 January 2008 - 11:52 AM

Using all of the steps outlined in your malware topic, I have discovered Virtumonde and Drive Cleaner 2006 over the past two days. Using AdAware and Spybot, I delete them but they came back. The Bitdefender site identified several Trojan.dropper, Trojan.Vundo (both DVC and DVD and DUP) and Trojan.clicker files as well as a Backdoor.Hackarmy.E file. It's been better since then but I suspect there is still a problem.

At this point I am getting two notices upon startup: One is cannot find ddabx.exe and another is a rundll erro: system32\vfsblvrw.dll

I just installed the Sygate personal firewall but I'm clueless about whether or not I am allowing the correct sites entry if they don't have a name I recognize like Avast

Can you please look at my log and let me know what, if anything, I still need to do? Thanks.

My Hijack this log:


11:35 AM 1/6/2008Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35:48 AM, on 1/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BELKIN USB Wireless Monitor\WLService.exe
C:\Program Files\BELKIN USB Wireless Monitor\WLanCfgG.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD .exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Barbara\My Documents\Downloads\HiJackThis_v2.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddabx.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {39b1eb3f-1a9e-7fbb-c054-1ea5cacb4be8} - {8eb4bcac-5ae1-450c-bbf7-e9a1f3be1b93} - C:\WINDOWS\system32\upbgljgl.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\xxywxvw.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Getca] C:\Program Files\BELKIN USB Wireless Monitor\InfoMyCa.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [e87ec776] rundll32.exe "C:\WINDOWS\system32\vfsblvrw.dll",b
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: xxywxvw - xxywxvw.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Belkin 54Mbps Wireless USB Network Service (Belkin 54Mbps Wireless USB) - Unknown owner - C:\Program Files\BELKIN USB Wireless Monitor\WLService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 5581 bytes

BC AdBot (Login to Remove)

 


#2 DASOS

DASOS

    Malware hunter


  • Security Colleague
  • 1,662 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal
  • Local time:07:33 AM

Posted 06 January 2008 - 02:57 PM

Hello barbtrd

Welcome to Bleeping Computer!

My name is Stelios and I will be dealing with your log.
Please give me some time to look it over and I will get back to you as soon as possible.


Stelios

#3 DASOS

DASOS

    Malware hunter


  • Security Colleague
  • 1,662 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal
  • Local time:07:33 AM

Posted 06 January 2008 - 03:28 PM

Hi barbtrd

Please download Combofix to your desktop.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Doubleclick combo.exe to launch the application.
  • Follow the prompts that will be displayed on the screen.
  • Don't click on the window while the fix is running, because that will cause your system to hang.
  • When finished, it should produce a log, combofix.txt.
  • Post this log in your next reply together with a new hijackthis log.
Note:
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


Stelios

#4 barbtrd

barbtrd
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:01:33 AM

Posted 06 January 2008 - 04:18 PM

Thank you for your help!

Here's the combofix log:

ComboFix 08-01-04.1 - Barbara 2008-01-06 16:09:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.278 [GMT -5:00]
Running from: C:\Documents and Settings\Barbara\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Alwil Software\Avast4\ashDisp .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\ddabx.dll
C:\WINDOWS\system32\upbgljgl.dll
C:\WINDOWS\system32\xbadd.ini
C:\WINDOWS\system32\xbadd.ini2

<pre>
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe" replaces infected copy of "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"C:\Program Files\Alwil Software\Avast4\ashDisp .exe" moved to QooBox
"C:\Program Files\iTunes\iTunesHelper .exe" replaces infected copy of "C:\Program Files\iTunes\iTunesHelper.exe"
"C:\Program Files\QuickTime\qttask						   .exe" replaces infected copy of "C:\Program Files\QuickTime\qttask.exe"
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD .exe" replaces infected copy of "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
"C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe" moved to QooBox
</pre>
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.

2008-01-06 16:04 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-06 11:32 . 2008-01-06 11:35 <DIR> d-------- C:\Program Files\Hijack This
2008-01-06 11:08 . 2008-01-06 11:08 <DIR> d-------- C:\Program Files\Sygate
2008-01-06 11:08 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-01-06 11:08 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-01-06 11:08 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-01-06 11:08 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-01-06 11:08 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-01-06 11:08 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-01-06 11:08 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-01-04 06:50 . 2008-01-05 13:39 1,044,100 --ahs---- C:\WINDOWS\system32\wrvlbsfv.ini
2008-01-04 06:39 . 2008-01-04 06:39 1,038,585 --ahs---- C:\WINDOWS\system32\bhufvldj.ini
2008-01-02 18:14 . 2008-01-05 18:49 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-02 06:45 . 2008-01-02 06:45 1,031,458 --ahs---- C:\WINDOWS\system32\vnxckjgg.ini
2008-01-02 06:45 . 2008-01-02 06:45 1,031,398 --ahs---- C:\WINDOWS\system32\eltvelta.ini
2007-12-31 08:54 . 2008-01-04 06:37 1,031,854 --ahs---- C:\WINDOWS\system32\irybdbxf.ini
2007-12-31 07:54 . 2007-12-31 07:55 1,031,139 --ahs---- C:\WINDOWS\system32\eofhvwpf.ini
2007-12-29 18:19 . 2007-12-29 18:19 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-29 18:19 . 2007-12-29 18:19 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-29 18:19 . 2007-12-29 18:19 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-29 18:19 . 2007-12-29 18:19 1,406 --a------ C:\WINDOWS\system32\Help.ico

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 21:12 --------- d-----w C:\Program Files\QuickTime
2008-01-06 21:12 --------- d-----w C:\Program Files\iTunes
2008-01-04 23:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-02 23:30 --------- d-----w C:\Program Files\BELKIN USB Wireless Monitor
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-01 13:20 --------- d-----w C:\Program Files\Sonic
2007-12-01 13:20 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-25 15:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
.
<pre>
----a-w		 1,694,208 2008-01-02 20:04:46  C:\Program Files\Messenger\msmsgs .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-10-06 13:16 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2008-01-06 11:09 679936]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 13:16 5058560]
"nwiz"="nwiz.exe" [2003-10-06 13:16 741376 C:\WINDOWS\system32\nwiz.exe]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"Getca"="C:\Program Files\BELKIN USB Wireless Monitor\InfoMyCa.exe" [ ]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2008-01-06 11:09 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-06 11:09 256576]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"e87ec776"="C:\WINDOWS\system32\vfsblvrw.dll" [ ]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06]
Sonic CinePlayer Quick Launch.lnk - C:\Program Files\Common Files\Sonic Shared\CineTray.exe [2006-07-25 02:01:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywxvw]
xxywxvw.dll

R0 ppa;Iomega Parallel Port Filter Driver;C:\WINDOWS\system32\DRIVERS\ppa.sys [2001-08-17 12:53]
R2 Belkin 54Mbps Wireless USB;Belkin 54Mbps Wireless USB Network Service;C:\Program Files\BELKIN USB Wireless Monitor\WLService.exe [2003-06-09 10:24]
S3 Belkin Belkin 11Mbps Wireless USB Network Adapter®;Belkin Belkin 11Mbps Wireless USB Network Adapter® Service for Belkin 11Mbps Wireless USB Network Adapter;C:\WINDOWS\system32\DRIVERS\bkusbxp.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 16:12:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-06 16:15:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-06 21:15:06
.
2008-01-02 12:12:26 --- E O F ---


and here's a new Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:23 PM, on 1/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\BELKIN USB Wireless Monitor\WLService.exe
C:\Program Files\BELKIN USB Wireless Monitor\WLanCfgG.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Getca] C:\Program Files\BELKIN USB Wireless Monitor\InfoMyCa.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [e87ec776] rundll32.exe "C:\WINDOWS\system32\vfsblvrw.dll",b
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: xxywxvw - xxywxvw.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Belkin 54Mbps Wireless USB Network Service (Belkin 54Mbps Wireless USB) - Unknown owner - C:\Program Files\BELKIN USB Wireless Monitor\WLService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 4883 bytes

#5 DASOS

DASOS

    Malware hunter


  • Security Colleague
  • 1,662 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal
  • Local time:07:33 AM

Posted 07 January 2008 - 02:48 AM

Hi barbtrd

You've got a new infection that basically infects the programs that run on startup. In your case, Avast4 and Spybot - Search & Destroy are infected. You will likely have to reinstall them at some point.
=====

Please print out or copy this page to Notepad. This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is NOT available. A print out of the instructions would be a good reference to make sure you don't get lost. You may also like to save these instructions in Word/Notepad to the Desktop where they can be easily found for the same reasons as above.
Also make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.

=====

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\wrvlbsfv.ini
C:\WINDOWS\system32\bhufvldj.ini
C:\WINDOWS\system32\vnxckjgg.ini
C:\WINDOWS\system32\eltvelta.ini
C:\WINDOWS\system32\irybdbxf.ini
C:\WINDOWS\system32\eofhvwpf.ini

RENV::
----a-w 1,694,208 2008-01-02 20:04:46 C:\Program Files\Messenger\msmsgs .exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywxvw]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"e87ec776"=-


Save this as "CFScript"
Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause [i]"unpredictable results"

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
=====

Please do an online scan with Kaspersky WebScanner

Click on Posted Image

You will be promted to install an ActiveX component from Kaspersky, Click Posted Image
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on Posted Image
  • Now click on Posted Image
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click Posted Image
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



Stelios

#6 barbtrd

barbtrd
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:01:33 AM

Posted 07 January 2008 - 07:47 AM

Thank you. I lost cable connection during the night and just got back online. I'll do the fixes when I return from work. I apologize for the delay in getting this done.
Barb

#7 DASOS

DASOS

    Malware hunter


  • Security Colleague
  • 1,662 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal
  • Local time:07:33 AM

Posted 07 January 2008 - 09:27 AM

No problem Barbara!!

Take your time but do it right



Stelios :thumbsup:

#8 barbtrd

barbtrd
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:01:33 AM

Posted 07 January 2008 - 06:09 PM

Here are the results of the combo fix and hijack this logs. I'm going to start the Kaspersky WebScanner next.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:07:10 PM, on 1/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BELKIN USB Wireless Monitor\WLService.exe
C:\Program Files\BELKIN USB Wireless Monitor\WLanCfgG.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Getca] C:\Program Files\BELKIN USB Wireless Monitor\InfoMyCa.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Belkin 54Mbps Wireless USB Network Service (Belkin 54Mbps Wireless USB) - Unknown owner - C:\Program Files\BELKIN USB Wireless Monitor\WLService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 4735 bytes

#9 barbtrd

barbtrd
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:01:33 AM

Posted 07 January 2008 - 06:11 PM

I'm sorry, I only posted Hijack This previously. Here are the results of the combo fix and hijack this logs. Thanks for your patience.


ComboFix 08-01-04.1 - Barbara 2008-01-07 18:03:30.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.267 [GMT -5:00]
Running from: C:\Documents and Settings\Barbara\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Barbara\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\bhufvldj.ini
C:\WINDOWS\system32\eltvelta.ini
C:\WINDOWS\system32\eofhvwpf.ini
C:\WINDOWS\system32\irybdbxf.ini
C:\WINDOWS\system32\vnxckjgg.ini
C:\WINDOWS\system32\wrvlbsfv.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\bhufvldj.ini
C:\WINDOWS\system32\eltvelta.ini
C:\WINDOWS\system32\eofhvwpf.ini
C:\WINDOWS\system32\irybdbxf.ini
C:\WINDOWS\system32\vnxckjgg.ini
C:\WINDOWS\system32\wrvlbsfv.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 )))))))))))))))))))))))))))))))
.

2008-01-06 16:04 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-06 11:32 . 2008-01-06 16:18 <DIR> d-------- C:\Program Files\Hijack This
2008-01-06 11:08 . 2008-01-06 11:08 <DIR> d-------- C:\Program Files\Sygate
2008-01-06 11:08 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-01-06 11:08 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-01-06 11:08 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-01-06 11:08 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-01-06 11:08 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-01-06 11:08 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-01-06 11:08 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-01-02 18:14 . 2008-01-05 18:49 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-12-29 18:19 . 2007-12-29 18:19 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-29 18:19 . 2007-12-29 18:19 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-29 18:19 . 2007-12-29 18:19 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-29 18:19 . 2007-12-29 18:19 1,406 --a------ C:\WINDOWS\system32\Help.ico

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 21:12 --------- d-----w C:\Program Files\QuickTime
2008-01-06 21:12 --------- d-----w C:\Program Files\iTunes
2008-01-04 23:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-02 23:30 --------- d-----w C:\Program Files\BELKIN USB Wireless Monitor
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-12-01 13:20 --------- d-----w C:\Program Files\Sonic
2007-12-01 13:20 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-25 15:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-06_16.14.52.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-06 16:13:47 41,040 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-07 17:40:46 41,040 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-06 16:13:47 314,838 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-07 17:40:46 314,838 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-07 17:36:48 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-02 15:04 1694208]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-10-06 13:16 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2008-01-06 11:09 679936]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 13:16 5058560]
"nwiz"="nwiz.exe" [2003-10-06 13:16 741376 C:\WINDOWS\system32\nwiz.exe]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"Getca"="C:\Program Files\BELKIN USB Wireless Monitor\InfoMyCa.exe" [ ]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2008-01-06 11:09 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-06 11:09 256576]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06]
Sonic CinePlayer Quick Launch.lnk - C:\Program Files\Common Files\Sonic Shared\CineTray.exe [2006-07-25 02:01:00]

R0 ppa;Iomega Parallel Port Filter Driver;C:\WINDOWS\system32\DRIVERS\ppa.sys [2001-08-17 12:53]
R2 Belkin 54Mbps Wireless USB;Belkin 54Mbps Wireless USB Network Service;C:\Program Files\BELKIN USB Wireless Monitor\WLService.exe [2003-06-09 10:24]
S3 Belkin Belkin 11Mbps Wireless USB Network Adapter®;Belkin Belkin 11Mbps Wireless USB Network Adapter® Service for Belkin 11Mbps Wireless USB Network Adapter;C:\WINDOWS\system32\DRIVERS\bkusbxp.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 18:05:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-07 18:05:35
ComboFix-quarantined-files.txt 2008-01-07 23:05:27
ComboFix2.txt 2008-01-06 21:15:09
.
2008-01-02 12:12:26 --- E O F ---


New Hijack This Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:07:10 PM, on 1/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BELKIN USB Wireless Monitor\WLService.exe
C:\Program Files\BELKIN USB Wireless Monitor\WLanCfgG.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Getca] C:\Program Files\BELKIN USB Wireless Monitor\InfoMyCa.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Belkin 54Mbps Wireless USB Network Service (Belkin 54Mbps Wireless USB) - Unknown owner - C:\Program Files\BELKIN USB Wireless Monitor\WLService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 4735 bytes

#10 barbtrd

barbtrd
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:01:33 AM

Posted 07 January 2008 - 06:20 PM

The link to the Kaspersky site doesn't take me to the symbol you describe. I can't see what it is I'm supposed to click on at their website. Can you doublecheck and let me know? Maybe they've changed their homepage and the symbol you showed above has been removed. Thanks.

Barb

#11 DASOS

DASOS

    Malware hunter


  • Security Colleague
  • 1,662 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal
  • Local time:07:33 AM

Posted 08 January 2008 - 05:50 AM

If you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Note: This Scanner is for Internet Explorer Only!



Stelios

#12 barbtrd

barbtrd
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:01:33 AM

Posted 08 January 2008 - 06:28 AM

I guess I wasn't real clear on my last post. I'm not as far as the accept button. When I link to the Kaspersky site I can't find any link to the online scan that you are talking about. There's no magnifying glass symbol. I can see a link at the very top of the page which says virus scan and when I click on that it brings me back to the homepage. It appears that there is nothing on their page except opportunities to buy software, or take a free trial of Internet Sectuity 7.0 or AntiVirus 7.0, and that's where I'm confused. Since the symbol with the magnifying glass is not there, if there's a phrase or other link I can click on to get started, please let me know. Thanks,
Barb

#13 DASOS

DASOS

    Malware hunter


  • Security Colleague
  • 1,662 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal
  • Local time:07:33 AM

Posted 08 January 2008 - 06:43 AM

This is what I see:

[attachment=3309:7.png]

But you can try this:

Please go HERE to run Panda's Posted Image ActiveScan
  • Note: This Scanner is for Internet Explorer Only!
  • Once you are on the Panda site click the Posted Image button
  • A new window will open.
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Posted Image
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Posted Image to start the scan
  • When the scan completes, if anything malicious is detected, click the Posted Image button, then click the Posted Image button and save it to a convenient location. Post the contents of the ActiveScan report

:thumbsup:

#14 barbtrd

barbtrd
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:01:33 AM

Posted 08 January 2008 - 10:13 AM

Thanks. Here's the report from Panda:


Incident Status Location

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Barbara\Cookies\barbara@247realmedia[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Barbara\Cookies\barbara@ad.yieldmanager[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Barbara\Cookies\barbara@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Barbara\Cookies\barbara@adrevolver[3].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Barbara\Cookies\barbara@ads.pointroll[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Barbara\Cookies\barbara@adultfriendfinder[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Barbara\Cookies\barbara@advertising[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Barbara\Cookies\barbara@apmebf[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Barbara\Cookies\barbara@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Barbara\Cookies\barbara@atwola[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Barbara\Cookies\barbara@bluestreak[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Barbara\Cookies\barbara@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Barbara\Cookies\barbara@ehg-dig.hitbox[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Barbara\Cookies\barbara@fastclick[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Barbara\Cookies\barbara@go[2].txt
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\Barbara\Cookies\barbara@linksynergy[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Barbara\Cookies\barbara@mediaplex[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Barbara\Cookies\barbara@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Barbara\Cookies\barbara@realmedia[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Barbara\Cookies\barbara@statcounter[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Barbara\Cookies\barbara@statse.webtrendslive[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Barbara\Cookies\barbara@toplist[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Barbara\Cookies\barbara@tribalfusion[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Barbara\Cookies\barbara@www.burstbeacon[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Barbara\Cookies\barbara@zedo[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Barbara\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Barbara\Desktop\ComboFix.exe[nircmd.cfexe]
Possible Virus. Not disinfected C:\Documents and Settings\Barbara\My Documents\Documents and Settings\Default User\Local Settings\Temp\AolCoach.cab[.\Data\Player\AolNySEV.exe]
Possible Virus. Not disinfected C:\Documents and Settings\Barbara\My Documents\Documents and Settings\Owner\Local Settings\Temp\AolCoach.cab[.\Data\Player\AolNySEV.exe]
Spyware:Spyware/Vundo Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\ddabx.dll.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Spyware:Cookie/Mediaplex Not disinfected F:\Documents and Settings\Barbara Toth\Application Data\Mozilla\Profiles\default\5inqq33j.slt\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Advertising Not disinfected F:\Documents and Settings\Barbara Toth\Application Data\Mozilla\Profiles\default\5inqq33j.slt\cookies.txt[.advertising.com/]
Spyware:Cookie/Doubleclick Not disinfected F:\Documents and Settings\Barbara Toth\Application Data\Mozilla\Profiles\default\5inqq33j.slt\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atwola Not disinfected F:\Documents and Settings\Barbara Toth\Application Data\Mozilla\Profiles\default\5inqq33j.slt\cookies.txt[.atwola.com/]
Spyware:Cookie/Bfast Not disinfected F:\Documents and Settings\Barbara Toth\Application Data\Mozilla\Profiles\default\5inqq33j.slt\cookies.txt[.bfast.com/]
Virus:W32/Sober.V.worm!CME-456 Disinfected Personal Folders\Deleted Items\Your Password\account_info.zip[Winzipped-Text_Data.txt .pif]
Possible Virus. Not disinfected F:\Documents and Settings\Default User\Local Settings\Temp\AolCoach.cab[.\Data\Player\AolNySEV.exe]
Possible Virus. Not disinfected F:\Documents and Settings\Owner\Local Settings\Temp\AolCoach.cab[.\Data\Player\AolNySEV.exe]
Possible Virus. Not disinfected F:\I386\AolCoach.cab[.\Data\Player\AolNySEV.exe]
Virus:Bck/MIRCBased.BI Disinfected F:\Program Files\mIRC\mirc.exe
Adware:Adware/SaveNow Not disinfected F:\WINDOWS\Alzgtubvyp.hpw\whenu.exe[VVSN_BKSP9419Inst.exe]
Virus:Trj/Clicker.FC Disinfected F:\WINDOWS\bkdsp.exe
Virus:Generic Malware Disinfected F:\WINDOWS\bsx32\CASH2.bsx
Virus:Generic Malware Disinfected F:\WINDOWS\bsx32\MORT5.bsx
Adware:Adware/SAHAgent Not disinfected F:\WINDOWS\INF\bi1.inf
Spyware:Spyware/BetterInet Not disinfected F:\WINDOWS\INF\biini.inf
Adware:Adware/SAHAgent Not disinfected F:\WINDOWS\INF\biK.inf
Virus:Trj/Keyhost.A Disinfected F:\WINDOWS\INF\host.inf
Possible Virus. Not disinfected F:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temp\AolCoach.cab[.\Data\Player\AolNySEV.exe]

#15 DASOS

DASOS

    Malware hunter


  • Security Colleague
  • 1,662 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal
  • Local time:07:33 AM

Posted 08 January 2008 - 04:22 PM

Hi Barbara

Please print out or copy this instructions/tutorial to Notepad as the internet will not be available to you at certain points of the removal process (while in Safe Mode). Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
=====

Please download ATF Cleaner. by Atribune. Don’t run it yet.
=====

Download Avg anti-spyware from HERE and save that file to your desktop.
  • Once you have downloaded Avg anti-spyware, locate the icon Posted Image on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run Avg and update the definition files.
  • On the main screen select the "Update" icon then click "Start Update". The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
    Don’t run it yet Close Avg anti-spyware .
    =====

    Please reboot your computer in SafeMode by doing the following:
    • Restart your computer.
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear.
    • Select the first option, to run Windows in Safe Mode.
    • If you have trouble getting into Safe mode go here <--link to tutorial
    =====
    • Still in safe mode run: ATF
    Double-click Posted Image to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
    If you use Firefox browserClick Firefox at
    the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please
    click No at the prompt.
    If you use Opera browserClick Opera at the
    top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please
    click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located
    at the bottom of each menu.]
    =====
  • Lauch Avg-anti-spyware by double-clicking the icon Posted Image on your desktop.IMPORTANT: Do not open any other windows or programs while Avg is scanning, it may interfere with the scanning proccess.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan"
  • Avg will now begin the scanning process, be patient this may take a little time.
  • Avg will list any infections found on the left hand side. When the scan has finished, it should automatically set the recommended action to Quarantine--if not click on Recommended Action and set it there. Click the Apply all actions button. Avg will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close Avg.
IMPORTANT: Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button
=====

Reboot back to normal mode.
Please post back:

1) The Avg report
2) New HijackThis log


Please reinstall Avast4 and make a full system scan, and Spybot - Search & Destroy.

Let us know how is your computer working now?

Stelios




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users