
Please Help With Viruses Trojan.zlob.dnschanger And Tr/hijacker.gen


32 replies to this topic

#1 pete harbour

pete harbour

  • Members
  • 18 posts
  • OFFLINE
  • Local time:10:04 PM

Posted 22 January 2008 - 09:20 PM

Hi,

I have several viruses on my PC. The observable problems I am having are

1. My webpages are commonly getting hijacked and redirected to
www.trafficexplorer.com
www.zedo.com
and several other pages

2. When I try to send an email I have seen both

Outlook connecting to a POP3 personal account
Yahoo mail

fail to send the email. Once I hit the send button they just get stuck and never send the email.




I have run the following programs to try and remove them. Please see below.

1. I have been running Avira AntiVir PE for about 1 year. It has found some problems that it cannot get rid of. See the recent log for viruses it has found and tried to delete

1/14/2008,23:27:13 [WARNING] Is the Trojan horse TR/Hijacker.Gen!
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OLABST6N\file2[1].exe
[ERROR] Unable to delete the file:
0x00000020 - The process cannot access the file because it is being used by another process.
1/14/2008,23:32:46 [WARNING] Is the Trojan horse TR/Hijacker.Gen!
C:\Documents and Settings\Administrator\Local Settings\Temp\1667336889.exe
[INFO] The file will be deleted.
1/14/2008,23:31:54 [WARNING] Is the Trojan horse TR/Hijacker.Gen!
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1667336889.exe
[ERROR] Unable to delete the file:
0x00000002 - The system cannot find the file specified.
1/14/2008,23:44:43 [WARNING] Is the Trojan horse TR/Hijacker.Gen!
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JB95PHHM\file2[1].exe
[ERROR] Unable to delete the file:
0x00000020 - The process cannot access the file because it is being used by another process.
1/14/2008,23:44:51 [WARNING] Is the Trojan horse TR/Hijacker.Gen!
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4487051817.exe
[INFO] The file will be deleted.
1/14/2008,23:45:32 [WARNING] Is the Trojan horse TR/Crypt.XPACK.Gen!
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\L4WBP145\files[1].exe
[ERROR] Unable to delete the file:
0x00000020 - The process cannot access the file because it is being used by another process.
1/14/2008,23:45:46 [WARNING] Is the Trojan horse TR/Crypt.XPACK.Gen!
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\879138558.exe
[INFO] The file will be deleted.
1/14/2008,23:46:04 [WARNING] Is the Trojan horse TR/Crypt.XPACK.Gen!
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4LQFGHA3\files[1].exe
[ERROR] Unable to delete the file:
0x00000020 - The process cannot access the file because it is being used by another process.
1/14/2008,23:46:09 [WARNING] Is the Trojan horse TR/Crypt.XPACK.Gen!
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2303027723.exe
[INFO] The file will be deleted.




2. I loaded and ran Spybot Search and Destroy 1.5. I ran it 3 times and there is one Trojan it cannot get rid of

Zlob.DNSChanger: [SBI $041D1396] TCP/IP Settings #1 (Undefined) (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C745FCC3-BC8D-497E-B8B5-8E411BC2537C}\NameServer=208.67.220.220,208.67.222.222

Zlob.DNSChanger.Rtk: [SBI $FE3023DF] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System=...KDRVW.EXE...




3. I loaded and ran Bit Defender. It ran and found

Scanned File
Status

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MD1MFMDS\daf1009[1].exe
Infected with: Trojan.DNSChanger.BX

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MD1MFMDS\daf1009[1].exe
Disinfection failed

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MD1MFMDS\daf1009[1].exe
Delete failed

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZNP3R18W\daf1009[1].exe
Infected with: Trojan.DNSChanger.BX

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZNP3R18W\daf1009[1].exe
Disinfection failed

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZNP3R18W\daf1009[1].exe
Deleted


C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP189\A0017562.exe
Infected with: Dropped:Rootkit.Buso.A

C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP189\A0017562.exe
Disinfection failed

C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP189\A0017562.exe
Deleted
(two places)


C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP195\A0017683.dll
Infected with: Trojan.Agent.AGKS

C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP195\A0017683.dll
Disinfection failed

C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP195\A0017683.dll
Deleted
(three places)


C:\WINDOWS\SYSTEM32\DRIVERS\ohcuusb.sys
Infected with: Rootkit.Buso.A

C:\WINDOWS\SYSTEM32\DRIVERS\ohcuusb.sys
Disinfection failed

C:\WINDOWS\SYSTEM32\DRIVERS\ohcuusb.sys
Deleted




4. After running these 3 programs I have now run HijackThis. Its log follows

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:21:46 PM, on 1/19/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\System32\vmnat.exe
C:\WINDOWS\System32\vmnetdhcp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\..\{06BC9007-D1AA-4B16-A34E-B62D08567C52}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{3099576A-4200-49CD-B430-FD33A2DECF1D}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{42090B5F-DD37-41F8-B1C0-AE25E5175CE1}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{45A563EB-0A3D-45CD-A3DF-378AFD4BC4C4}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A007A57-0AEB-45BD-AB12-D87ED406F209}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6ACD3BD-964B-4C80-96DF-67A3C7C65770}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{06BC9007-D1AA-4B16-A34E-B62D08567C52}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{06BC9007-D1AA-4B16-A34E-B62D08567C52}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\System32\vmnat.exe

--
End of file - 7021 bytes





The Trojan Zlob.DNSChanger concerned me the most. There were several *.exe files (noted above) in a "Temporary Internet Files" directory that could not be found/accessed/deleted. I tried using CLEANMGR to remove the temporary internet files. After rebooting twice it still left many files in this directory under the path "Documents and Settings". Spybot and Bit Defender continued to find this thing. So I chose a coarse action to delete ALL files in
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\...

After this Spybot still reports the Registry key associated with Zlob.DNSChanger after two runs and restarts.


Could someone please review this information and then suggest what to do. I have all logs available. I did not list them all in this initial email to keep the email size reasonable.

Thanks,

Pete


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:04 PM

Posted 22 January 2008 - 09:37 PM

Hello Pete,

Welcome to Bleeping Computer :thumbsup:

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 pete harbour

pete harbour
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:10:04 PM

Posted 24 January 2008 - 10:39 AM

Tea,

Okay, here are the results of the SmitfraudFix run...


SmitFraudFix v2.274

Scan done at 6:50:34.23, Thu 01/24/2008
Run from C:\Program Files\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\System32\vmnat.exe
C:\WINDOWS\System32\vmnetdhcp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\CSCRIPT.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\Administrator


C:\Documents and Settings\Administrator\Application Data


Start Menu


C:\DOCUME~1\ADMINI~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="kdrvw.exe"

kdrvw.exe detected !


Rustock



DNS

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 85.255.116.130
DNS Server Search Order: 85.255.112.107

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 208.67.220.220
DNS Server Search Order: 208.67.222.222

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 208.67.220.220
DNS Server Search Order: 208.67.222.222

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 208.67.220.220
DNS Server Search Order: 208.67.222.222

HKLM\SYSTEM\CCS\Services\Tcpip\..\{06BC9007-D1AA-4B16-A34E-B62D08567C52}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{06BC9007-D1AA-4B16-A34E-B62D08567C52}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3099576A-4200-49CD-B430-FD33A2DECF1D}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3099576A-4200-49CD-B430-FD33A2DECF1D}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{42090B5F-DD37-41F8-B1C0-AE25E5175CE1}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{42090B5F-DD37-41F8-B1C0-AE25E5175CE1}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{45A563EB-0A3D-45CD-A3DF-378AFD4BC4C4}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{45A563EB-0A3D-45CD-A3DF-378AFD4BC4C4}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{5A007A57-0AEB-45BD-AB12-D87ED406F209}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{5A007A57-0AEB-45BD-AB12-D87ED406F209}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{C745FCC3-BC8D-497E-B8B5-8E411BC2537C}: NameServer=85.255.116.130 85.255.112.107
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F6ACD3BD-964B-4C80-96DF-67A3C7C65770}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F6ACD3BD-964B-4C80-96DF-67A3C7C65770}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{06BC9007-D1AA-4B16-A34E-B62D08567C52}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{06BC9007-D1AA-4B16-A34E-B62D08567C52}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3099576A-4200-49CD-B430-FD33A2DECF1D}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3099576A-4200-49CD-B430-FD33A2DECF1D}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{42090B5F-DD37-41F8-B1C0-AE25E5175CE1}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{42090B5F-DD37-41F8-B1C0-AE25E5175CE1}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{45A563EB-0A3D-45CD-A3DF-378AFD4BC4C4}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{45A563EB-0A3D-45CD-A3DF-378AFD4BC4C4}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5A007A57-0AEB-45BD-AB12-D87ED406F209}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5A007A57-0AEB-45BD-AB12-D87ED406F209}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C745FCC3-BC8D-497E-B8B5-8E411BC2537C}: NameServer=85.255.116.130 85.255.112.107
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F6ACD3BD-964B-4C80-96DF-67A3C7C65770}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F6ACD3BD-964B-4C80-96DF-67A3C7C65770}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AC40C15F-0F9B-411A-B055-16019CEAACF4}: DhcpNameServer=143.166.95.37 143.166.6.24
HKLM\SYSTEM\CS3\Services\Tcpip\..\{06BC9007-D1AA-4B16-A34E-B62D08567C52}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{06BC9007-D1AA-4B16-A34E-B62D08567C52}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3099576A-4200-49CD-B430-FD33A2DECF1D}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3099576A-4200-49CD-B430-FD33A2DECF1D}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{42090B5F-DD37-41F8-B1C0-AE25E5175CE1}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{42090B5F-DD37-41F8-B1C0-AE25E5175CE1}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{45A563EB-0A3D-45CD-A3DF-378AFD4BC4C4}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{45A563EB-0A3D-45CD-A3DF-378AFD4BC4C4}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{5A007A57-0AEB-45BD-AB12-D87ED406F209}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{5A007A57-0AEB-45BD-AB12-D87ED406F209}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F6ACD3BD-964B-4C80-96DF-67A3C7C65770}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F6ACD3BD-964B-4C80-96DF-67A3C7C65770}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222


Scanning for wininet.dll infection


End
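The O17 entries in Pete's HijackThis log and the DNS section of the SmitfraudFix report above carry the same indicator: one interface has a static NameServer value pointing at 85.255.x.x while the others use the 208.67.x.x pair, and the Winlogon "System" value names kdrvw.exe. The script below is an added example, not part of this thread and not code from HijackThis or SmitfraudFix; it parses lines in those two report formats and flags them from the defender's side. The sample lines are copied from the reports above; the expected-resolver set and the 85.255.0.0/16 "rogue" range are assumptions made for the demonstration.

```python
"""Flag DNS-hijack indicators in HijackThis O17 lines and SmitfraudFix DNS/Winlogon output."""
import ipaddress
import re

# Constructed sample: a handful of lines in the shape of the HijackThis O17 entries and
# the SmitfraudFix "DNS" and "Winlogon.System" sections posted in this thread.
SAMPLE_REPORT = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{06BC9007-D1AA-4B16-A34E-B62D08567C52}: NameServer = 208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{C745FCC3-BC8D-497E-B8B5-8E411BC2537C}: NameServer=85.255.116.130 85.255.112.107
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AC40C15F-0F9B-411A-B055-16019CEAACF4}: DhcpNameServer=143.166.95.37 143.166.6.24
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="kdrvw.exe"
"""

# Assumption: the resolvers this machine is supposed to use (the pair configured on the
# machine's other interfaces in the thread). Replace with your own.
EXPECTED_RESOLVERS = {"208.67.220.220", "208.67.222.222"}

# Assumption: address space treated as hostile outright, derived from SmitfraudFix's
# "85.255.x.x detected" message. A real deployment would use a maintained list.
ROGUE_RANGES = [ipaddress.ip_network("85.255.0.0/16")]

_NS_RE = re.compile(
    r"^(?:O17 - )?(?P<key>HKLM\\[^:\s]+):\s*"
    r"(?P<name>DhcpNameServer|NameServer)\s*=\s*(?P<ips>[\d.,\s]+)$"
)
_WINLOGON_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]"
_SYSTEM_RE = re.compile(r'^"System"="(?P<val>[^"]*)"$')


def parse_nameservers(text):
    """Return (registry_key, value_name, [ip, ...]) for each NameServer-style line."""
    entries = []
    for line in text.splitlines():
        m = _NS_RE.match(line.strip())
        if m:
            ips = [ip for ip in re.split(r"[,\s]+", m.group("ips").strip()) if ip]
            entries.append((m.group("key"), m.group("name"), ips))
    return entries


def classify_resolver(ip, expected=EXPECTED_RESOLVERS, rogue_ranges=ROGUE_RANGES):
    """'rogue' if inside a known-bad range, 'ok' if expected, else 'unexpected'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in rogue_ranges):
        return "rogue"
    return "ok" if ip in expected else "unexpected"


def find_dns_hijack(text, expected=EXPECTED_RESOLVERS, rogue_ranges=ROGUE_RANGES):
    """One finding per registry value whose resolvers are not all expected.

    A static NameServer value overrides what DHCP handed out, which is how the DNS
    changer in this thread redirects lookups, so it is reported separately from an
    unexpected DhcpNameServer (which may simply be the ISP's resolver).
    """
    findings = []
    for key, name, ips in parse_nameservers(text):
        verdicts = [classify_resolver(ip, expected, rogue_ranges) for ip in ips]
        if "rogue" in verdicts:
            verdict = "rogue"
        elif "unexpected" in verdicts:
            verdict = "unexpected-static" if name == "NameServer" else "unexpected-dhcp"
        else:
            continue
        findings.append({"key": key, "value": name, "ips": ips, "verdict": verdict})
    return findings


def winlogon_system_value(text):
    """Return the "System" value listed under the Winlogon key, or None if absent.

    The post-clean report in this thread shows the value as ""; a non-empty value
    (here kdrvw.exe) names an executable started at logon and should be investigated.
    """
    in_key = False
    for line in text.splitlines():
        line = line.strip()
        if line == _WINLOGON_KEY:
            in_key = True
            continue
        if in_key:
            m = _SYSTEM_RE.match(line)
            if m:
                return m.group("val")
            if line.startswith("["):  # next registry key header: stop looking
                in_key = False
    return None


def summarize(text):
    """Human-readable finding lines for a report; an empty list means nothing suspicious."""
    lines = [f"{f['verdict']:>17}  {f['value']}={' '.join(f['ips'])}  @ {f['key']}"
             for f in find_dns_hijack(text)]
    system = winlogon_system_value(text)
    if system:
        lines.append(f"  winlogon-system  Winlogon\\System={system!r} (expected empty)")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_REPORT)) or "no DNS-hijack indicators found")
```

Run as-is it reports the 85.255.x.x interface as rogue, the CS2 DHCP-assigned pair as unexpected, and the non-empty Winlogon "System" value; the two 208.67.x.x entries are silent because they match the allowlist. Paste a whole HijackThis or SmitfraudFix report into `summarize()` to check every interface and ControlSet at once.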

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:04 PM

Posted 24 January 2008 - 12:14 PM

Hello,

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background. So only run it once!

Thanks,
tea

#5 pete harbour

pete harbour
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:10:04 PM

Posted 26 January 2008 - 07:58 PM

Tea,

Hi. I ran option 2 of SmitfraudFix. I then ran HijackThis again. Copies of their logs are below.

However, after doing these 2 initial steps I attempted to run Internet Explorer. It starts up and uses about 80%+ of system resources even if it is not doing anything (i.e. even if the network connection is disconnected). After starting Internet Explorer the entire Windows platform is completely destabilized; applications just crash unexpectedly or cannot be opened (multiple critical errors like the main app code "*.exe cannot be located", etc). Also I only ran SmitfraudFix option 2 once and the Windows desktop was removed (now it is a solid blue background).
Whatever option 2 of SmitfraudFix did (1 run only), Windows appears to now be completely destabilized once Internet Explorer is launched. Prior to launching IE Windows appears to run fine; I do not notice any strange processes in the TASKMANAGER. Once IE is launched I cannot launch the TASKMANAGER or any other programs; they all crash!
This system instability with IE running was observed about 3 or 4 times. I copied the two text files from the scan runs (SmitfraudFix and HijackThis) to another computer to send to you. Please note that these two steps were done without IE running in the background, as requested in your instructions. And all the problems that I see happen after IE is running. I don't know if you will need any additional information?
PLEASE HELP ME. The system now is essentially in a completely dysfunctional state!







SmitfraudFix option 2 run results:






SmitFraudFix v2.274

Scan done at 10:48:34.14, Sat 01/26/2008
Run from C:\Program Files\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost

Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix.exe by S!Ri


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{06BC9007-D1AA-4B16-A34E-B62D08567C52}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{06BC9007-D1AA-4B16-A34E-B62D08567C52}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3099576A-4200-49CD-B430-FD33A2DECF1D}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3099576A-4200-49CD-B430-FD33A2DECF1D}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{42090B5F-DD37-41F8-B1C0-AE25E5175CE1}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{42090B5F-DD37-41F8-B1C0-AE25E5175CE1}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{45A563EB-0A3D-45CD-A3DF-378AFD4BC4C4}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{45A563EB-0A3D-45CD-A3DF-378AFD4BC4C4}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{5A007A57-0AEB-45BD-AB12-D87ED406F209}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{5A007A57-0AEB-45BD-AB12-D87ED406F209}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F6ACD3BD-964B-4C80-96DF-67A3C7C65770}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F6ACD3BD-964B-4C80-96DF-67A3C7C65770}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{06BC9007-D1AA-4B16-A34E-B62D08567C52}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{06BC9007-D1AA-4B16-A34E-B62D08567C52}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3099576A-4200-49CD-B430-FD33A2DECF1D}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3099576A-4200-49CD-B430-FD33A2DECF1D}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{42090B5F-DD37-41F8-B1C0-AE25E5175CE1}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{42090B5F-DD37-41F8-B1C0-AE25E5175CE1}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{45A563EB-0A3D-45CD-A3DF-378AFD4BC4C4}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{45A563EB-0A3D-45CD-A3DF-378AFD4BC4C4}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5A007A57-0AEB-45BD-AB12-D87ED406F209}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5A007A57-0AEB-45BD-AB12-D87ED406F209}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F6ACD3BD-964B-4C80-96DF-67A3C7C65770}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F6ACD3BD-964B-4C80-96DF-67A3C7C65770}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AC40C15F-0F9B-411A-B055-16019CEAACF4}: DhcpNameServer=143.166.95.37 143.166.6.24
HKLM\SYSTEM\CS3\Services\Tcpip\..\{06BC9007-D1AA-4B16-A34E-B62D08567C52}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{06BC9007-D1AA-4B16-A34E-B62D08567C52}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3099576A-4200-49CD-B430-FD33A2DECF1D}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3099576A-4200-49CD-B430-FD33A2DECF1D}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{42090B5F-DD37-41F8-B1C0-AE25E5175CE1}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{42090B5F-DD37-41F8-B1C0-AE25E5175CE1}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{45A563EB-0A3D-45CD-A3DF-378AFD4BC4C4}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{45A563EB-0A3D-45CD-A3DF-378AFD4BC4C4}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{5A007A57-0AEB-45BD-AB12-D87ED406F209}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{5A007A57-0AEB-45BD-AB12-D87ED406F209}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F6ACD3BD-964B-4C80-96DF-67A3C7C65770}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F6ACD3BD-964B-4C80-96DF-67A3C7C65770}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="kdrvw.exe"

Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


Reboot

C:\WINDOWS\system32\kdrvw.exe Deleted

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


End

HijackThis log (run right after reboot from SmitfraudFix option 2)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:26:41 PM, on 1/26/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\System32\vmnat.exe
C:\WINDOWS\System32\vmnetdhcp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\..\{06BC9007-D1AA-4B16-A34E-B62D08567C52}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{3099576A-4200-49CD-B430-FD33A2DECF1D}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{42090B5F-DD37-41F8-B1C0-AE25E5175CE1}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{45A563EB-0A3D-45CD-A3DF-378AFD4BC4C4}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A007A57-0AEB-45BD-AB12-D87ED406F209}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6ACD3BD-964B-4C80-96DF-67A3C7C65770}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{06BC9007-D1AA-4B16-A34E-B62D08567C52}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{06BC9007-D1AA-4B16-A34E-B62D08567C52}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\System32\vmnat.exe

--
End of file - 6687 bytes
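
The O17 lines in the HijackThis log above and the SmitfraudFix DNS section earlier in the thread are the registry footprint a DNS changer leaves: a static NameServer written to each interface GUID and to the global Parameters key in every control set (CCS, CS1, CS3), which overrides whatever DHCP handed out. As an added example that is not part of the thread or of any tool named in it, this Python parses both line formats, flags static NameServer values that fall outside a trusted resolver set, and pulls out the Winlogon "System" value SmitfraudFix reported; the sample lines are constructed from the thread, and treating the DHCP-assigned servers as the trusted baseline is an assumption of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample input: lines in the two formats seen in this thread
# (SmitfraudFix's DNS section and HijackThis O17 lines), the Winlogon
# "System" value SmitfraudFix reported, and one unrelated O4 line that the
# parser must ignore.
SAMPLE_LOG = r"""
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AC40C15F-0F9B-411A-B055-16019CEAACF4}: DhcpNameServer=143.166.95.37 143.166.6.24
HKLM\SYSTEM\CS3\Services\Tcpip\..\{06BC9007-D1AA-4B16-A34E-B62D08567C52}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{06BC9007-D1AA-4B16-A34E-B62D08567C52}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6ACD3BD-964B-4C80-96DF-67A3C7C65770}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="kdrvw.exe"
"""

# Assumption for this example: the resolvers the network hands out via DHCP
# (the CS2 DhcpNameServer line above) are the trusted baseline.
TRUSTED_RESOLVERS: Set[str] = {"143.166.95.37", "143.166.6.24"}

# One regex covers both formats: an optional "O17 - " prefix, the control set
# (CCS, CS1, CS2, ...), either a per-interface GUID or the global Parameters
# key, the value name, and the server list.
DNS_LINE_RE = re.compile(
    r"^(?:O17 - )?HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\\{(?P<guid>[0-9A-Fa-f-]+)\}|Parameters):\s*"
    r"(?P<kind>DhcpNameServer|NameServer)\s*=\s*(?P<servers>.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

WINLOGON_SYSTEM_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\]\s*"
    r'"System"="(?P<value>[^"]*)"',
    re.IGNORECASE | re.MULTILINE,
)


@dataclass(frozen=True)
class DnsEntry:
    control_set: str   # CCS, CS1, CS2, ...
    interface: str     # adapter GUID, or "Parameters" for the global key
    kind: str          # "NameServer" (static) or "DhcpNameServer" (DHCP-assigned)
    servers: tuple     # resolver addresses in the order they were written


def parse_dns_entries(text: str) -> List[DnsEntry]:
    """Extract every Tcpip NameServer / DhcpNameServer line from a log."""
    entries = []
    for m in DNS_LINE_RE.finditer(text):
        # Values are comma- or space-separated depending on the tool.
        servers = tuple(s for s in re.split(r"[,\s]+", m.group("servers")) if s)
        guid = m.group("guid")
        entries.append(DnsEntry(
            control_set=m.group("cs").upper(),
            interface=guid.upper() if guid else "Parameters",
            kind="DhcpNameServer" if m.group("kind").lower() == "dhcpnameserver" else "NameServer",
            servers=servers,
        ))
    return entries


def unexpected_static_resolvers(entries: List[DnsEntry], trusted: Set[str]) -> List[DnsEntry]:
    """Static NameServer values that point at resolvers outside the trusted set.

    A static NameServer overrides what DHCP supplied, so it is the value a DNS
    changer writes; each hit is kept with its control set and interface so the
    analyst can see how widely the change was applied."""
    return [e for e in entries
            if e.kind == "NameServer" and any(s not in trusted for s in e.servers)]


def winlogon_system_value(text: str) -> Optional[str]:
    """Return the Winlogon "System" value if the log lists it, else None.

    The value is normally empty; an executable name there is a persistence
    point, which is why SmitfraudFix reports it and, in this thread, cleared it."""
    m = WINLOGON_SYSTEM_RE.search(text)
    return m.group("value") if m else None


if __name__ == "__main__":
    found = parse_dns_entries(SAMPLE_LOG)
    for e in unexpected_static_resolvers(found, TRUSTED_RESOLVERS):
        print(f"{e.control_set:<4} {e.interface:<38} {e.kind}: {', '.join(e.servers)}")
    print("Winlogon System:", winlogon_system_value(SAMPLE_LOG))
```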

#6 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 26 January 2008 - 10:55 PM

Hello,

That got rid of the Wareout/DNS changer, but let's see what else might be hiding and giving you such a hard time:

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#7 pete harbour
  • Topic Starter

  • Members
  • 18 posts

Posted 28 January 2008 - 04:34 AM

tea,

I copied ComboFix.exe from another computer on to my infected computer via a memory stick (IE won't run on the infected computer). I installed the Windows Recovery Console before I ran it. I disabled my AntiVirus program (Avira AntiVir).

I launched ComboFix.exe and it started to run Okay. It created a System Restore point and backed up the Windows Registry. It then prompted the message "Scanning for infected files . . .". In the beginning it seemed like it was doing something; there was access to the hard disk for about the 1st minute. After that it never did anything else; it ran for 2+ hours. None of the 41 stages ever completed in the console screen, the clock mode was never altered. I assumed something was wrong. I did not click in its running window or interfere with it; it had the full resource of the PC. So, I shut it down and rebooted.

I tried running it again and it never tried to create a System Restore point or back up the Windows Registry. It just sat at "ComboFix is preparing to run". That's gone on for ~45 minutes; no hard drive access.

What should I do?

I tried to make it clear in the last email that after running SmitfraudFix option 2 as you requested, the stability of Windows XP is basically ruined after starting Internet Explorer. Once IE is started, it crashes, Windows Explorer crashes, TASKMANAGER can't be started at all, and all other programs crash too (Word, Excel, Adobe, etc.). In fact, in many cases they don't even get that far; the kernel can't find them at all. The logs I created for you while running SmitfraudFix did not have IE running in the background (which I think you wanted). Do you think you have enough information from the previous logs to understand what might be wrong? Before I ran SmitfraudFix option 2 my Windows platform ran Okay (meaning at the application level). Yes, I had illegal DNS redirects (which SmitfraudFix said it fixed), but the applications ran in a stable manner. Now nothing can run; they just all crash if I start IE. If I don't start IE everything runs smoothly.

I hope this is a clue for you. What other information can I get you? Should I try and run one of these analysis programs with IE running (I don't think I even can anyway now...) to give more information about the post SmitfraudFix option 2 characteristics?

My computer is still running with the 2nd run of ComboFix. I don't want to destabilize it any further. How should I get out of that?

Please recheck the previous logs just to make sure something significant isn't in them. I'd run HijackThis, but ComboFix appears to have hijacked my computer.

Am I missing something?

Thanks,

Pete

#8 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 28 January 2008 - 02:48 PM

Hi Pete,

No, you're not missing anything.....I'm thinking you have a particularly nasty nasty that targets ComboFix. I know it's frustrating, but please sit tight while I confirm this with the creator of the tool that will get rid of it. :thumbsup: I'll get back to you as soon as I can and we'll get started. :blink: You're doing fine....this garbage is just really nasty. :wacko:

tea

#9 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 28 January 2008 - 05:28 PM

Hello,

Okay...here we go.....Please delete everything to do with the ComboFix you have now. Empty your Recycle Bin and reboot your computer. Then download this special copy of ComboFix from here:

http://download.bleepingcomputer.com/sUBs/Combo-Fix.exe

Double click combofix.exe & follow the prompts.
When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

#10 pete harbour
  • Topic Starter

  • Members
  • 18 posts

Posted 29 January 2008 - 02:18 AM

tea,

Thanks for making a special build to accommodate me. And if it's not obvious yet I'm not so good without a spell checker. :thumbsup:


Okay, Combo-Fix ran successfully. During its run it rebooted the PC and then finished after the restart. The log does describe some changes. It is listed below plus a HijackThis log. Please let me know what the next step is.

Thanks,
Pete

Combo-Fix run log
ComboFix 08-01-29.2 - Administrator 2008-01-29 1:35:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.701 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\drivers\npf.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NPF
-------\LEGACY_OHCIUSB
-------\LEGACY_RPCS
-------\NPF
-------\ohciusb


((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.

2008-01-28 03:31 . 2003-07-16 11:38 245,920 -r-hs---- C:\cmldr
2008-01-28 03:31 . 2004-09-13 09:01 194 --ahs---- C:\BOOT.BAK
2008-01-28 02:36 . 2008-01-28 04:55 <DIR> d-------- C:\ComboFix
2008-01-26 10:47 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-01-26 10:47 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-01-26 10:47 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-01-26 10:47 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-01-26 10:47 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-01-26 10:47 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-01-24 06:50 . 2008-01-26 10:49 1,604 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-01-24 06:46 . 2008-01-24 06:46 <DIR> d-------- C:\Program Files\SmitfraudFix
2008-01-24 06:42 . 2008-01-24 06:42 1,062,501 --a------ C:\Program Files\SmitfraudFix.zip
2008-01-19 10:23 . 2008-01-19 12:53 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-13 12:35 . 2008-01-13 15:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-13 10:10 . 2008-01-12 17:27 7,467,056 --a------ C:\Program Files\spybotsd15.exe
2008-01-12 12:37 . 2008-01-12 13:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-01-07 01:47 . 2008-01-07 01:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-05 15:49 . 2008-01-05 15:49 812,344 --a------ C:\Program Files\HJTInstall.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 06:41 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-01-29 06:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-01-20 08:10 --------- d-----w C:\Program Files\WinTV
2008-01-03 04:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2007-12-27 16:31 --------- d-----w C:\Program Files\Hauppauge WinTV drivers 3.4b
2007-12-23 00:54 --------- d-----w C:\Program Files\Atlas4
2007-09-14 05:08 10,010,137 ----a-w C:\Program Files\ExpressPCBSetup.exe
2007-08-17 11:53 11,572,208 ----a-w C:\Program Files\QuickTimeFullInstaller.exe
2007-08-05 20:25 3,723,454 ----a-w C:\Program Files\IZArc_Setup.exe
2007-07-29 14:42 3,443,356 ----a-w C:\Program Files\IZArc2Go_Setup.exe
2007-06-17 22:55 17,180,760 ----a-w C:\Program Files\antivir_workstation_win7u_en_h.exe
2007-04-01 21:47 5,037,072 ----a-w C:\Program Files\spybotsd14.exe
2007-04-01 18:47 2,855,080 ----a-w C:\Program Files\aawsepersonal.exe
2007-03-05 04:14 4,842,060 ----a-w C:\Program Files\SBPCI_WebDrvsV5_12_01.exe
2007-03-04 21:01 3,563,171 ----a-w C:\Program Files\CreativeDemoPlayer_Install.exe
2007-02-04 16:00 268,137 ----a-w C:\Program Files\DSFMgr.zip
2007-02-04 01:26 440,868 ----a-w C:\Program Files\graphedit011008.zip
2007-01-31 07:54 2,218,696 ----a-w C:\Program Files\RivaTuner20FR-[Guru3D.com].exe
2007-01-29 10:31 1,722,638 ----a-w C:\Program Files\HSFp_Win98SE.zip
2007-01-25 08:13 1,572,922 ----a-w C:\Program Files\wintvhd_21_20114.exe
2007-01-14 18:05 5,865,254 ----a-w C:\Program Files\FusionHDTVDemo2.60.exe
2007-01-14 17:52 166,144 ----a-w C:\Program Files\DECCHECKSetup.EXE
2006-04-28 08:07 1,297,951 ----a-w C:\Program Files\ati-util-jan-2004.exe
2006-02-09 04:16 12,754,672 ----a-w C:\Program Files\MP10Setup.exe
2006-01-22 21:08 8,062,197 ----a-w C:\Program Files\840-enu-xp.exe
2005-09-16 08:13 638,111 ----a-w C:\Program Files\lftp13.zip
2005-09-04 16:14 48,907,862 ----a-w C:\Program Files\q3ad.exe
2005-01-14 14:58 13,736,688 ----a-w C:\Program Files\AcroReader51_ENU_full.exe
2004-12-20 20:57 4,089,493 ----a-w C:\Program Files\WinCvs13b17-2.zip
2004-12-08 16:35 2,360,972 ----a-w C:\Program Files\Commentary1.55.zip
2004-10-29 16:16 2,421,920 ----a-w C:\Program Files\winzip90.exe
2004-10-22 14:21 456,808 ----a-w C:\Program Files\GoogleDesktopSearchSetup.exe
2004-09-27 19:07 144,438,141 ----a-w C:\Program Files\Setup2004_07_Final.exe
2004-09-22 20:10 67,083,870 ----a-w C:\Program Files\2065r_v603_full_setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2004-03-19 17:34 13312]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1511453]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-15 12:00 196608]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-11-11 02:08 249896]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-14 21:05 344064]

C:\Documents and Settings\pharbour\Start Menu\Programs\Startup\
Pandion.lnk - C:\Program Files\Pandion\Pandion.exe [2004-08-03 05:53:28 583168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"=C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
"wosa"=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\woso.exe

R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys [2007-09-26 05:06]
R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys [2007-09-26 05:06]
R3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);C:\WINDOWS\System32\drivers\ES1370MP.sys [2001-08-17 12:19]
R3 hcw18bda;Hauppauge WinTV 418 Driver;C:\WINDOWS\System32\drivers\hcw18bda.sys [2006-11-22 23:16]
R3 SaiH0109;SaiH0109;C:\WINDOWS\System32\DRIVERS\SaiH0109.sys [2004-01-30 08:19]
R3 SaiU0109;SaiU0109;C:\WINDOWS\System32\DRIVERS\SaiU0109.sys [2004-01-30 08:19]
S2 ohdusb;Open Host Controller Miniport USB Driver (rev.d);C:\WINDOWS\System32\drivers\ohdusb.sys []
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [2003-07-24 11:10]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 01:43:10
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\System32\vmnat.exe
C:\WINDOWS\System32\vmnetdhcp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
.
**************************************************************************
.
Completion time: 2008-01-29 1:46:21 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-01-29 06:46:19

HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:04:12 AM, on 1/29/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\System32\vmnat.exe
C:\WINDOWS\System32\vmnetdhcp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\..\{06BC9007-D1AA-4B16-A34E-B62D08567C52}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{3099576A-4200-49CD-B430-FD33A2DECF1D}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{42090B5F-DD37-41F8-B1C0-AE25E5175CE1}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{45A563EB-0A3D-45CD-A3DF-378AFD4BC4C4}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A007A57-0AEB-45BD-AB12-D87ED406F209}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6ACD3BD-964B-4C80-96DF-67A3C7C65770}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{06BC9007-D1AA-4B16-A34E-B62D08567C52}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{06BC9007-D1AA-4B16-A34E-B62D08567C52}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\System32\vmnat.exe

--
End of file - 6751 bytes

#11 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 31 January 2008 - 12:17 AM

Hello Pete,

How is it running now please?

Your Java is way out of date, which leaves your computer vulnerable.

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6u4.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Please download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use Firefox browser: click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser: click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
  • For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please download AVG Anti-Spyware Free Edition and save that file to your desktop.

This is a 30-day trial of the program -- This means that after 30 days the "background guard" protection will be de-activated. However, this version can continue to be manually updated and used as an on-demand scanner forever.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the top of the main screen select the "Update" icon, then under the "Manual update" section click the "Start update" button.
  • The update will start and a progress bar will show the updates being installed.
  • Once the update has completed (the progress bar will display "Update successful!") select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the "Settings" screen:
    • Click on "Recommended actions" -> select "Quarantine".
    • Under "Reports:" -> select "Do not automatically generate reports".
  • Close AVG Anti-Spyware. Please do NOT run a scan yet!
Next, please reboot your computer into Safe Mode by doing the following:
  • Reboot your computer.
  • After hearing your computer beep once during startup, but just before the Windows icon appears, begin tapping the F8 key on your keyboard. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, reboot the computer and try again.
  • Instead of Windows loading as normal, a menu should appear.
  • Using the arrow keys on the keyboard, scroll to and select the "Safe Mode" menu item, and then press "Enter".
Then please run a scan with AVG Anti-Spyware:

IMPORTANT: Do NOT open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process.
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab. Click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
  • Once the scan is complete do the following:
    • If you have any infections you will be prompted, then select the "Apply all actions" button, AVG Anti-Spyware will then display "All actions have been applied" on the right hand side.
    • Next select the "Save Report" button at the bottom.
    • Then select the "Save report as" button in the lower left hand corner of the screen and save it as a text file on your system (make sure to remember where you saved that file, this is important!).
  • Close AVG Anti-Spyware and reboot your system normally into Windows. Please post the contents of the AVG Anti-Spyware report in your next reply, along with a new HijackThis log.
Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#12 pete harbour
  • Topic Starter
  • Members
  • 18 posts

Posted 03 February 2008 - 07:54 PM

tea,

All of the efforts you have described after running SmitfraudFix option 2 have not appeared to do anything (even though Combo-Fix did delete two drivers in \windows\system32\drivers\...). I am still having the same problem after running SmitfraudFix option 2: my PC is highly destabilized once I launch Internet Explorer, and it appears to run fine before IE is launched (this includes situations where programs other than IE download information over a network connection [like updates for virus scanning applications]).
This time I updated the Java runtime environment to 6u4, ran ATF Cleaner, ran Avira anti-virus, ran AVG anti-spyware, and HijackThis; and none of them showed anything except Avira anti-virus. The logs for each are shown below in the order described in the last sentence.
I would ask that you please look at the log for Avira anti-virus. It shows two Trojan horses that are hidden in the system restore point files. I have seen Avira anti-virus show viruses like these after each run, and during each run I delete those virus files in the system restore point files (even though similarly infected files were deleted in the previous runs).
So, what does this mean?
What is depositing these viruses in the system restore point file systems?
Why can't we see these viruses within some other file on the hard drive?
They must be within another file in order for them to get placed within the system restore point file systems.
Can you please comment on the viruses listed below (they are quoted from the Avira anti-virus log listed below)?
This must be related to the Windows instability problems when IE is running. Again, no programs can run safely while IE is running; they all seem to either fail loading the application or just crash within about one minute of starting them.

C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP199\A0018896.sys
[DETECTION] Is the Trojan horse TR/Small.RI.1
[INFO] The file was deleted!
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP200\A0018970.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was deleted!

Also Avira anti-virus comments on each run that these two files are locked and cannot be opened. Can anyone on your team check to see if they are supposed to be locked?

C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!

Also please note that Avira anti-virus reacts to things in both SmitfraudFix and Combo-Fix; those entries should be obvious. Please ask me if it is unclear.

I recall accessing Asian websites to search for a specific electronic component that is not available here in the US. I recall having a virus detected while searching Asian electronic parts suppliers. I wonder if that could be the source of these things?

Next time let's consider the two Trojan horses listed above first. The tools you have suggested so far have not appeared to react to these things. Thanks!

Pete

Avira anti-virus log

AntiVir PersonalEdition Classic
Report file date: Saturday, February 02, 2008 20:49

Scanning for 1089289 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 1) [5.1.2600]
Username: SYSTEM
Computer name: PHARBOUR

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 9/26/2007 10:06:39
AVSCAN.DLL : 7.0.6.0 49192 Bytes 9/26/2007 10:06:39
LUKE.DLL : 7.0.5.3 147496 Bytes 9/26/2007 10:06:40
LUKERES.DLL : 7.0.6.1 10280 Bytes 9/26/2007 10:06:41
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 10:06:46
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 12/14/2007 04:06:44
ANTIVIR2.VDF : 7.0.2.49 1339904 Bytes 1/25/2008 01:08:28
ANTIVIR3.VDF : 7.0.2.81 258560 Bytes 2/1/2008 01:08:28
AVEWIN32.DLL : 7.6.0.62 3240448 Bytes 2/3/2008 01:08:28
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 16:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 9/26/2007 10:06:39
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 19:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 2/3/2008 01:08:28
AVREG.DLL : 7.0.1.6 30760 Bytes 9/26/2007 10:06:39
AVARKT.DLL : 1.0.0.20 278568 Bytes 9/26/2007 10:06:38
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 9/26/2007 10:06:38
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 17:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 9/26/2007 10:06:25
RCTEXT.DLL : 7.0.62.0 86056 Bytes 9/26/2007 10:06:25
SQLITE3.DLL : 3.3.17.1 339968 Bytes 9/26/2007 10:06:41

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: on
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: low
Deviating risk categories........: +APPL,+SPR,

Start of the scan: Saturday, February 02, 2008 20:49

Starting search for hidden objects.
'35078' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'utility.exe' - '1' Module(s) have been scanned
Scan process 'Ir.exe' - '1' Module(s) have been scanned
Scan process 'acrotray.exe' - '1' Module(s) have been scanned
Scan process 'MSMSGS.EXE' - '1' Module(s) have been scanned
Scan process 'CTFMON.EXE' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'hpztsb04.exe' - '1' Module(s) have been scanned
Scan process 'EXPLORER.EXE' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'vmnetdhcp.exe' - '1' Module(s) have been scanned
Scan process 'vmnat.exe' - '1' Module(s) have been scanned
Scan process 'vmware-authd.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'sqlservr.exe' - '1' Module(s) have been scanned
Scan process 'mdm.exe' - '1' Module(s) have been scanned
Scan process 'BAsfIpM.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'ALG.EXE' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'SPOOLSV.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'LSASS.EXE' - '1' Module(s) have been scanned
Scan process 'SERVICES.EXE' - '1' Module(s) have been scanned
Scan process 'WINLOGON.EXE' - '1' Module(s) have been scanned
Scan process 'CSRSS.EXE' - '1' Module(s) have been scanned
Scan process 'SMSS.EXE' - '1' Module(s) have been scanned
34 processes with 34 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[NOTE] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '32' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\ComboFix\nircmd.cfexe
[DETECTION] Contains detection pattern of the application APPL/NirCmd.3
[WARNING] The file was ignored!
C:\ComboFix\nircmd.com
[DETECTION] Contains detection pattern of the application APPL/NirCmd.3
[WARNING] The file was ignored!
C:\Documents and Settings\Administrator\Desktop\Combo-Fix.exe
[0] Archive type: RAR SFX (self extracting)
--> Combo-Fix\nircmd.com
[DETECTION] Contains detection pattern of the application APPL/NirCmd.3
--> Combo-Fix\nircmd.cfexe
[DETECTION] Contains detection pattern of the application APPL/NirCmd.3
--> Combo-Fix\psexec.cfexe
[DETECTION] Contains detection pattern of the application APPL/Rmadmin.131072
[WARNING] The file was ignored!
C:\Program Files\SmitfraudFix.zip
[0] Archive type: ZIP
--> SmitfraudFix/Reboot.exe
[DETECTION] Contains detection pattern of the SPR/Tool.Reboot.C program
--> SmitfraudFix/restart.exe
[DETECTION] Contains detection pattern of the SPR/Tool.Hardoff.A program
[WARNING] The file was ignored!
C:\Program Files\SmitfraudFix\SmitfraudFix\Reboot.exe
[DETECTION] Contains detection pattern of the SPR/Tool.Reboot.C program
[WARNING] The file was ignored!
C:\Program Files\SmitfraudFix\SmitfraudFix\restart.exe
[DETECTION] Contains detection pattern of the SPR/Tool.Hardoff.A program
[WARNING] The file was ignored!
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP199\A0018896.sys
[DETECTION] Is the Trojan horse TR/Small.RI.1
[INFO] The file was deleted!
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP200\A0018970.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP201\A0020048.com
[DETECTION] Contains detection pattern of the application APPL/NirCmd.3
[INFO] The file was deleted!
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP201\A0020088.com
[DETECTION] Contains detection pattern of the application APPL/NirCmd.3
[INFO] The file was deleted!
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP201\A0020108.exe
[0] Archive type: RAR SFX (self extracting)
--> nircmd.com
[DETECTION] Contains detection pattern of the application APPL/NirCmd.3
--> nircmd.cfexe
[DETECTION] Contains detection pattern of the application APPL/NirCmd.3
[INFO] The file was deleted!
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP201\A0020118.exe
[DETECTION] Contains detection pattern of the application APPL/NirCmd.3
[INFO] The file was deleted!
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP202\A0020159.com
[DETECTION] Contains detection pattern of the application APPL/NirCmd.3
[INFO] The file was deleted!
C:\WINDOWS\Nircmd.exe
[DETECTION] Contains detection pattern of the application APPL/NirCmd.3
[INFO] The file was moved to '481810a2.qua'!


End of the scan: Sunday, February 03, 2008 14:10
Used time: 17:20:59 min

The scan has been done completely.

9691 Scanning directories
440206 Files were scanned
18 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
7 files were deleted
0 files were repaired
1 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
440188 Files not concerned
4409 Archives were scanned
8 Warnings
45 Notes
35078 Objects were scanned with rootkit scan
0 Hidden objects were found

AVG anti-spyware log

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:02:16 PM 2/3/2008

+ Scan result:



Nothing found.



::Report end

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:34:25 PM, on 2/3/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\System32\vmnat.exe
C:\WINDOWS\System32\vmnetdhcp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\..\{06BC9007-D1AA-4B16-A34E-B62D08567C52}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{3099576A-4200-49CD-B430-FD33A2DECF1D}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{42090B5F-DD37-41F8-B1C0-AE25E5175CE1}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{45A563EB-0A3D-45CD-A3DF-378AFD4BC4C4}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A007A57-0AEB-45BD-AB12-D87ED406F209}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6ACD3BD-964B-4C80-96DF-67A3C7C65770}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{06BC9007-D1AA-4B16-A34E-B62D08567C52}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{06BC9007-D1AA-4B16-A34E-B62D08567C52}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\System32\vmnat.exe

--
End of file - 7295 bytes

#13 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 04 February 2008 - 12:51 PM

Hello,

(this includes situations where programs other than IE download information over a network connection [like updates for Virus scanning applications]).

Please note that you are running SP1, and that IE needs to be updated to 7 as well.

I have seen Avira anti-virus show viruses like these after each run and during each run I delete those virus files in the system restore point files (even though similarly infected files were deleted in the previous runs).
So, what does this mean?
What is depositing these viruses in the system restore point file systems?
Why can't we see these viruses within some other file on the hard drive?

You also have several other protection programs that could have infections in their quarantine folders, and those will get set in System Restore also. You can empty those and see how System Restore looks after a reset. Qoobox, part of ComboFix, also contains these things. We will delete that folder later.

C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!

Protected files cannot usually be opened.

Also please note that Avira anti-virus reacts to things in both SmitfraudFix and Combo-Fix;

It should... most antivirus programs flag nircmd.exe, restart.exe, process.exe, etc., which those tools use in their cleaning process. :blink:

I recall accessing Asian websites to search for a specific electronic component that is not available here in the US. I recall having a virus detected while searching Asian electronic parts suppliers. I wonder if that could be the source of these things?

This is quite probable.

Any other questions? :thumbsup:

Regards,
tea
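To put tea's point about restore points and quarantine folders to work on reports like the one Pete posted, here is an added example (not from the thread, and not Avira's or any tool's own code) that parses AntiVir report lines in the format quoted above and labels each detection by where it sits: a System Restore point, a cleaning tool's own folder or quarantine, or the live file system. The excerpt is constructed in that format, and the folder keywords used for classification are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt in the shape of the AntiVir PersonalEdition report quoted in the thread.
SAMPLE_REPORT = r"""
Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\ComboFix\nircmd.com
[DETECTION] Contains detection pattern of the application APPL/NirCmd.3
[WARNING] The file was ignored!
C:\Documents and Settings\Administrator\Desktop\Combo-Fix.exe
[0] Archive type: RAR SFX (self extracting)
--> Combo-Fix\nircmd.com
[DETECTION] Contains detection pattern of the application APPL/NirCmd.3
--> Combo-Fix\psexec.cfexe
[DETECTION] Contains detection pattern of the application APPL/Rmadmin.131072
[WARNING] The file was ignored!
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP199\A0018896.sys
[DETECTION] Is the Trojan horse TR/Small.RI.1
[INFO] The file was deleted!
C:\WINDOWS\Nircmd.exe
[DETECTION] Contains detection pattern of the application APPL/NirCmd.3
[INFO] The file was moved to '481810a2.qua'!
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")           # a line naming a file on disk
SIG_RE = re.compile(r"\b([A-Z]{2,5}/[\w.\-]+)")  # e.g. TR/Small.RI.1, APPL/NirCmd.3


@dataclass
class Detection:
    path: str                    # file on disk (the container when the hit is inside an archive)
    member: Optional[str]        # archive member, when the hit is inside an archive
    signature: str
    location: str
    action: str = "none"         # last [INFO]/[WARNING] line reported for the container file


def classify_location(path: str) -> str:
    """Assumed folder keywords: restore points and tool/quarantine folders hold inactive copies."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "system restore point"
    if "\\qoobox\\" in p or "\\combofix\\" in p or "combo-fix.exe" in p or "smitfraudfix" in p:
        return "cleaning tool or quarantine"
    return "live file system"


def parse_avira_report(text: str) -> List[Detection]:
    hits: List[Detection] = []
    current_path: Optional[str] = None
    member: Optional[str] = None
    pending: List[Detection] = []   # hits for the current container awaiting its action line
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current_path, member, pending = line, None, []
        elif line.startswith("--> "):
            member = line[4:]
        elif line.startswith("[DETECTION]") and current_path:
            m = SIG_RE.search(line)
            d = Detection(current_path, member, m.group(1) if m else line,
                          classify_location(current_path))
            hits.append(d)
            pending.append(d)
        elif line.startswith(("[INFO]", "[WARNING]")) and pending:
            # the action line applies to the whole container, so to every hit inside it
            for d in pending:
                d.action = line.split("]", 1)[1].strip()
            pending = []
    return hits


def summarize(hits: List[Detection]) -> dict:
    """Count detections per location; only 'live file system' hits point at an active infection."""
    counts: dict = {}
    for d in hits:
        counts[d.location] = counts.get(d.location, 0) + 1
    return counts


if __name__ == "__main__":
    for d in parse_avira_report(SAMPLE_REPORT):
        print(f"{d.location:28} {d.signature:22} {d.action}")
    print(summarize(parse_avira_report(SAMPLE_REPORT)))
```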

#14 pete harbour
  • Topic Starter
  • Members
  • 18 posts

Posted 04 February 2008 - 09:00 PM

tea,

Yes. I'm sorry if it appears like I am complaining, but my PC is now basically dysfunctional when I try to run Internet Explorer. I want to know what to do to correct that. That was the point of describing the two Trojan horses in the last post.

Are you surprised that AVG anti-spyware did not find anything while IE is unable to run stably on my PC?

Are you suggesting that I uninstall IE version 6 and load IE version 7? I don't think I can. I cannot connect to Microsoft to get it through the internet now on the target PC; IE crashes after the 2nd or 3rd webpage link typically.

What concerns me is that Internet Explorer version 6 ran for me before I ran SmitfraudFix option 2. There were unwanted DNS redirects that caused me problems, but the application itself ran in a stable manner before doing all this. Now IE basically crashes when I run it and all other applications crash too. Is this expected after running SmitfraudFix option 2?

What do I do? Windows applications should never self-crash or be unable to load because the kernel cannot locate the executable on the hard disk. I can't use my computer to get on the internet in its present state. Does this sound correct to you?

Will updating to IE version 7 correct this?

If I am missing something please let me know.

Thanks,

Pete

#15 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 08 February 2008 - 09:13 PM

Hello Pete,

I apologize for my delayed reply. :blink:

If you're still having the problem with IE, then I'd like for you to download Firefox and see if it runs better. We'll use that to finish this up. I use it exclusively, so you may want to keep it after we're done. :thumbsup: http://www.mozilla.org/products/firefox/

Regards,
tea
