
Smitfraud-c Infection


8 replies to this topic

#1 Nihiladrem

Nihiladrem

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:27 AM

Posted 23 January 2008 - 01:21 AM

Symptom:

System Tray alert messages and pop-ups when opening Internet Explorer.



Actions taken so far:

Spybot cleaning both in Normal and Safe Mode. Spybot detected Smitfraud-C, claimed to have successfully removed it, and no longer detects it on future scans, but the symptoms remain.

Adaware Scan (Found nothing)

SmitfraudFix (run in Safe Mode) runs and cleans but is unable to remove the infected temporary file:
C:\Documents and Settings\todd\Local Settings\Temp\jrwaihur.dat
All attempts to manually delete the file result in Access Denied messages. I have tried deleting/renaming it using Killbox and HijackThis, including the options to delete on reboot (from the same mode). No attempts so far have been able to remove the file.
SmitfraudFix report below.

Identified several other possible culprits using Norton Security Scan.
It identified possible trojan infections in the following location:

Files:
c:\windows\system32\avifil32k.dll

Registry:
HKEY_CLASSES_ROOT\CLSID\{4B7FE1FE-F3A8-4251-A910-4468E9640A9F}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B7FE1FE-F3A8-4251-A910-4468E9640A9F}

"c:\windows\system32\avifil32k.dll" has the same deletion problems as jrwaihur.dat; neither Killbox nor HijackThis can delete it, including attempts to delete on reboot from Safe Mode.
Attempts to manually delete these registry keys (I made a registry backup in case) result in Access Denied messages or 'Failed to Delete' errors. Attempts to manually change the keys' values have also failed.


Here are the logs from SmitfraudFix and HijackThis, run in that order, in Safe Mode.


Logs:

SmitFraudFix v2.274

Scan done at 22:14:03.98, Tue 01/22/2008
Run from C:\Documents and Settings\todd\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost

Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix.exe by S!Ri


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{5D0CAD7E-5718-4B23-B341-D47EB183B4EE}: DhcpNameServer=172.21.1.100 172.21.245.100
HKLM\SYSTEM\CCS\Services\Tcpip\..\{8845B343-D865-47C8-9841-1D3D38AE72B2}: DhcpNameServer=172.21.1.100 172.21.245.100
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B883623F-AA82-43CD-A221-A909C2E7BE82}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5D0CAD7E-5718-4B23-B341-D47EB183B4EE}: DhcpNameServer=172.21.1.100 172.21.245.100
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8845B343-D865-47C8-9841-1D3D38AE72B2}: DhcpNameServer=172.21.1.100 172.21.245.100
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B883623F-AA82-43CD-A221-A909C2E7BE82}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{5D0CAD7E-5718-4B23-B341-D47EB183B4EE}: DhcpNameServer=172.21.1.100 172.21.245.100
HKLM\SYSTEM\CS3\Services\Tcpip\..\{8845B343-D865-47C8-9841-1D3D38AE72B2}: DhcpNameServer=172.21.1.100 172.21.245.100
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B883623F-AA82-43CD-A221-A909C2E7BE82}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:09 PM, on 1/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {4B7FE1FE-F3A8-4251-A910-4468E9640A9F} - C:\WINDOWS\system32\avifil32k.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://owa.hra.co.santa-cruz.ca.us
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188394165452
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3248 bytes




Any assistance you could render in removing this virus would be appreciated.

Nihiladrem



#2 Nihiladrem

Nihiladrem
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:27 AM

Posted 25 January 2008 - 07:37 PM

*bump*

#3 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:01:27 PM

Posted 31 January 2008 - 02:41 PM

Nihiladrem

Sorry for the delay.

Please download ComboFix and save it to your desktop. Note: It is important that it is saved directly to your desktop.
Close any open browsers.
Double-click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of C:\ComboFix.txt into your next reply.
Note: Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Microsoft MVP - Windows Security

#4 Nihiladrem

Nihiladrem
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:27 AM

Posted 01 February 2008 - 09:18 PM

Thanks for the response:


ComboFix 08-02.01.6 - todd 2008-02-01 18:04:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1533 [GMT -8:00]
Running from: C:\Documents and Settings\todd\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\avifil32k.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\avifil32k.dll
C:\WINDOWS\system32\drivers\uzmesghx.dat

----- BITS: Possible infected sites -----

hxxp://www.download.windowsupdate.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_ZWNRIKJW
-------\zwnrikjw


((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-01-25 17:04 . 2007-07-09 05:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-24 17:49 . 2008-01-24 20:53 <DIR> d-------- C:\Documents and Settings\todd\Application Data\AVG7
2008-01-24 17:49 . 2008-01-24 17:49 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-24 17:49 . 2008-01-24 17:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-24 17:49 . 2008-01-24 17:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-22 21:56 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-01-22 19:35 . 2007-10-10 15:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-12 17:54 . 2008-01-12 17:56 <DIR> d-------- C:\Program Files\Advent Rising
2008-01-12 16:31 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-01-12 16:31 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-12 16:31 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-01-12 16:31 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-12 16:31 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-12 16:31 . 2008-01-22 22:14 1,804 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-12 16:14 . 2008-01-12 16:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-04 17:18 . 2008-01-04 17:18 87 --a------ C:\WINDOWS\wininit.ini
2008-01-04 17:03 . 2008-01-04 17:03 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-04 17:03 . 2008-01-04 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-04 17:00 . 2008-01-04 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-03 20:39 . 2008-01-09 17:24 <DIR> d-------- C:\WINDOWS\system32\AppCert

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 02:04 --------- d-----w C:\Program Files\Trillian
2008-01-30 01:22 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-28 02:20 --------- d-----w C:\Program Files\Norton Security Scan
2008-01-26 22:30 --------- d-----w C:\Program Files\World of Warcraft
2008-01-23 01:51 --------- d-----w C:\Program Files\NCH Swift Sound
2008-01-21 19:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-01-05 01:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-01 21:11 --------- d-----w C:\Documents and Settings\todd\Application Data\MSN6
2008-01-01 21:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
2007-12-20 18:01 60,623,724 ----a-w C:\winregbackup.reg
2007-12-12 01:55 --------- d-----w C:\Program Files\NCH Software
2007-12-08 21:36 --------- d-----w C:\Program Files\Ventrilo
2007-12-08 21:30 --------- d-----w C:\Documents and Settings\todd\Application Data\Ventrilo
2007-12-08 02:25 --------- d-----w C:\Documents and Settings\todd\Application Data\uTorrent
2007-12-06 05:39 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-12-02 21:04 --------- d-----w C:\Program Files\Prey
2007-12-02 20:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-08-17 15:23 8478720]
"nwiz"="nwiz.exe" [2007-08-17 15:23 1626112 C:\WINDOWS\system32\nwiz.exe]
"Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 13:08 57344 C:\WINDOWS\system32\ico.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 06:49 16126464 C:\WINDOWS\RTHDCPL.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-08-17 15:23 81920]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-05 17:03 267064]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-24 17:49 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-24 17:49 219136]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
appsecdll REG_EXPAND_SZ C:\WINDOWS\system32\AppCert\wsil32.dll

R2 gearsec;gearsec;C:\WINDOWS\system32\gearsec.exe [2003-12-01 14:27]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2007-01-24 07:39]
S3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys [2003-01-10 12:55]
S3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys [2003-02-11 12:25]
S3 pnicml;pnicml;C:\DOCUME~1\todd\LOCALS~1\Temp\pnicml.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 18:11:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\AppCert\hb13a.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-01 18:12:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-02 02:12:56

#5 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:01:27 PM

Posted 04 February 2008 - 10:51 AM

Nihiladrem

Sorry for the delay. I have been under the weather.

1. Open Notepad (not WordPad). Copy and paste the following into Notepad (not the word "code"):
File::
C:\WINDOWS\system32\AppCert\wsil32.dll

Folder::
C:\WINDOWS\system32\AppCert

Registry::
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
Save the file as CFScript (exactly as shown, no spaces) and save it to your Desktop.

Using the image as a reference, drag CFScript into ComboFix.exe.

You will be prompted to run ComboFix again; do so, following the same rules as indicated in my first post.
Then post the contents of the C:\ComboFix.txt log in your reply.
2. Rerun HijackThis and post a fresh HijackThis log as well.
Microsoft MVP - Windows Security
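The ComboFix log in post #4 surfaced two persistence points that the HijackThis log alone did not show: an AppCertDlls entry loading C:\WINDOWS\system32\AppCert\wsil32.dll into every process created on the box, and hb13a.dll from the same folder loaded inside Explorer, alongside the unnamed BHO (avifil32k.dll) HijackThis did list. The CFScript above removes them. The PowerShell below is an added example, not code from this thread, from ComboFix or from HijackThis: it enumerates those same locations (AppCertDlls, the HKLM/HKCU Run keys and the Browser Helper Objects list), resolves each entry to the file it actually loads, and flags files that are missing, unsigned, or living in a temp folder. It is read-only and changes nothing. The function names (Get-ResolvedPath, Test-SuspiciousTarget, Get-PersistenceAudit) are my own.

```powershell
# Added example (not code from this thread, ComboFix or HijackThis): a read-only
# audit of the persistence points the ComboFix log surfaced. Run from an
# elevated PowerShell; it changes nothing. Function names are my own.

function Get-ResolvedPath {
    # Turn a Run/AppCertDlls value into the file it actually loads.
    param([string]$Raw)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $v = [Environment]::ExpandEnvironmentVariables($Raw.Trim())
    if ($v -match '^"?rundll32(\.exe)?"?\s+"?([^",]+)') {
        $v = $Matches[2]                      # rundll32 loads its first argument
    } elseif ($v -match '^"([^"]+)"') {
        $v = $Matches[1]                      # quoted path, arguments follow
    } else {
        $v = ($v -split '\s+')[0]             # unquoted path, arguments follow
    }
    if (-not [IO.Path]::IsPathRooted($v)) {
        # bare names such as ICO.EXE are found through the Windows directories
        foreach ($dir in @("$env:SystemRoot\system32", $env:SystemRoot)) {
            $cand = Join-Path $dir $v
            if (Test-Path -LiteralPath $cand) { return $cand }
        }
    }
    return $v
}

function Test-SuspiciousTarget {
    # Return the reasons a loaded file deserves a second look (empty = none).
    param([string]$Path)
    if (-not $Path) { return @('empty target') }
    if (-not (Test-Path -LiteralPath $Path)) { return @('file missing') }
    $flags = @()
    if ($Path -match '\\Temp\\|\\LOCALS~1\\') { $flags += 'lives in a temp folder' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
    return $flags
}

function Get-PersistenceAudit {
    $valueKeys = @(
        @{ Source = 'AppCertDlls'; Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls' },
        @{ Source = 'HKLM Run';    Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' },
        @{ Source = 'HKCU Run';    Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' }
    )
    foreach ($k in $valueKeys) {
        # AppCertDlls does not exist on a clean install; its mere presence is a finding.
        if (-not (Test-Path $k.Key)) { continue }
        $props = (Get-ItemProperty -Path $k.Key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' }   # drop PSPath/PSParentPath metadata
        foreach ($p in $props) {
            $target = Get-ResolvedPath $p.Value
            [PSCustomObject]@{
                Source = $k.Source; Entry = $p.Name; Target = $target
                Flags  = (Test-SuspiciousTarget $target) -join '; '
            }
        }
    }
    # Browser Helper Objects: each CLSID resolves to a DLL via its InprocServer32 key.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bhoKey) {
        foreach ($bho in Get-ChildItem -Path $bhoKey) {
            $clsid  = $bho.PSChildName
            $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = $null
            if (Test-Path $inproc) {
                $dll = Get-ResolvedPath (Get-ItemProperty -Path $inproc).'(default)'
            }
            [PSCustomObject]@{
                Source = 'BHO'; Entry = $clsid; Target = $dll
                Flags  = (Test-SuspiciousTarget $dll) -join '; '
            }
        }
    }
}

Get-PersistenceAudit | Format-Table -AutoSize -Wrap
```

Read the Flags column as a triage prompt, not a verdict: on older systems many legitimate Windows binaries are catalog-signed rather than carrying an embedded signature and will show "signature: NotSigned", so an unsigned entry is a reason to look the file up, not proof of infection. The same Test-SuspiciousTarget check applies to service and driver ImagePath values; the ComboFix log's `S3 pnicml` driver loading from `C:\DOCUME~1\todd\LOCALS~1\Temp` is exactly the "lives in a temp folder" case.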

#6 Nihiladrem

Nihiladrem
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:27 AM

Posted 05 February 2008 - 09:01 PM

ComboFix 08-02.01.6 - todd 2008-02-05 17:54:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1603 [GMT -8:00]
Running from: C:\Documents and Settings\todd\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\todd\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\AppCert\wsil32.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\AppCert
C:\WINDOWS\system32\AppCert\filter.drv
C:\WINDOWS\system32\AppCert\hb13a.dll
C:\WINDOWS\system32\AppCert\options.dat
C:\WINDOWS\system32\AppCert\prx97w.dll
C:\WINDOWS\system32\AppCert\wnl32.dll
C:\WINDOWS\system32\AppCert\wsil32.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.

2008-01-25 17:04 . 2007-07-09 05:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-24 17:49 . 2008-01-24 20:53 <DIR> d-------- C:\Documents and Settings\todd\Application Data\AVG7
2008-01-24 17:49 . 2008-01-24 17:49 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-24 17:49 . 2008-01-24 17:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-24 17:49 . 2008-01-24 17:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-22 21:56 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-01-22 19:35 . 2007-10-10 15:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-12 17:54 . 2008-01-12 17:56 <DIR> d-------- C:\Program Files\Advent Rising
2008-01-12 16:31 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-01-12 16:31 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-12 16:31 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-01-12 16:31 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-12 16:31 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-12 16:31 . 2008-01-22 22:14 1,804 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-12 16:14 . 2008-01-12 16:14 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 01:53 --------- d-----w C:\Program Files\Trillian
2008-01-30 01:22 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-28 02:20 --------- d-----w C:\Program Files\Norton Security Scan
2008-01-26 22:30 --------- d-----w C:\Program Files\World of Warcraft
2008-01-23 01:51 --------- d-----w C:\Program Files\NCH Swift Sound
2008-01-21 19:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-01-05 01:03 --------- d-----w C:\Program Files\Lavasoft
2008-01-05 01:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-05 01:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-05 01:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-01 21:11 --------- d-----w C:\Documents and Settings\todd\Application Data\MSN6
2008-01-01 21:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
2007-12-20 18:01 60,623,724 ----a-w C:\winregbackup.reg
2007-12-12 01:55 --------- d-----w C:\Program Files\NCH Software
2007-12-08 21:36 --------- d-----w C:\Program Files\Ventrilo
2007-12-08 21:30 --------- d-----w C:\Documents and Settings\todd\Application Data\Ventrilo
2007-12-08 02:25 --------- d-----w C:\Documents and Settings\todd\Application Data\uTorrent
2007-12-06 05:39 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-08-17 15:23 8478720]
"nwiz"="nwiz.exe" [2007-08-17 15:23 1626112 C:\WINDOWS\system32\nwiz.exe]
"Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 13:08 57344 C:\WINDOWS\system32\ico.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 06:49 16126464 C:\WINDOWS\RTHDCPL.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-08-17 15:23 81920]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-05 17:03 267064]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-24 17:49 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-24 17:49 219136]

R2 gearsec;gearsec;C:\WINDOWS\system32\gearsec.exe [2003-12-01 14:27]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2007-01-24 07:39]
S3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys [2003-01-10 12:55]
S3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys [2003-02-11 12:25]
S3 pnicml;pnicml;C:\DOCUME~1\todd\LOCALS~1\Temp\pnicml.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 17:57:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-05 17:58:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-06 01:58:43
ComboFix2.txt 2008-02-02 02:12:58



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:00:28 PM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scmasquerade.com/forums/index.php
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://owa.hra.co.santa-cruz.ca.us
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188394165452
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4741 bytes

#7 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:01:27 PM

Posted 08 February 2008 - 11:48 AM

Nihiladrem

How's your PC running now?
Microsoft MVP - Windows Security

#8 Nihiladrem

Nihiladrem
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:27 AM

Posted 11 February 2008 - 10:28 PM

Pretty good! Haven't seen any pop-ups in a while. I think we may have gotten it!

Thanks for your help!

#9 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:01:27 PM

Posted 12 February 2008 - 10:05 AM

Nihiladrem

Glad to hear it.

You may now remove/delete/uninstall the tools we used to clean your PC.

Now that your log is clean, there are some final notes:

Disable and Enable System Restore: let's create a clean System Restore point; the instructions are here.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older Java components and update.

Updating Java: Download the latest version of Java Runtime Environment (JRE) 6u4.
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save it to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u4-windowsi586-p.exe to install the newest version.

Update your Anti-Virus Software.

Use and maintain a Firewall. There is a list HERE, all of which are free.

Download and install SiteHound by Firetrust for protection against malicious websites.
Pick the version that matches your browser.

Visit Microsoft's Windows Update Site frequently for critical updates.

Backup your important documents and files on a regular basis to a disc or a USB key, not your hard drive.

You may want to read this article: "So how did I get infected in the first place?" by Tony Klein.

Surf safe
Microsoft MVP - Windows Security



