
Smitfraud, Virtumonde, et al.


This topic is locked.
9 replies to this topic

#1 hfilby2
  • Members
  • 5 posts

Posted 17 May 2007 - 03:02 PM

I should have known better, but I downloaded a file from a rather sketchy site, and although I scanned the file with Lavasoft's AdAware and Trend Micro's HouseCall, when I clicked on it, it disappeared (of course) and infected my computer with myriad trojans (including Smitfraud-C Toolbar, Downloader.Generic, Alphabet.Downloader, smanager7, and all their friends). Serves me right for being so stupid, I suppose.

Anyway, I think AVG anti-virus and anti-spyware cleaned up most of the mess, but I suspect there might still be malware lurking on my computer. I have also run SpyBot - Search and Destroy, McAfee Stinger, AVG anti-rootkit, and disabled/enabled System Restore. I also tried to use Knoppix to delete some stubborn files, but my system is NTFS.

Any help would be much appreciated!

HijackThis Log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis.exe

O2 - BHO: Alcohol Toolbar Helper - {52D06F97-5511-43FA-8FDA-C481864FD26E} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Alcohol Toolbar - {4C4E7CDB-5BFC-4D74-83E2-8AE659B7EDA2} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O3 - Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O15 - Trusted Zone: http://housecall65.trendmicro.com
O15 - Trusted Zone: www.trendmicro.com
O15 - Trusted Zone: http://www.trendmicro.com
O15 - Trusted Zone: www.housecall65.trendmicro.com
O15 - Trusted Zone: http://www.trendsecure.com
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{736DDD73-78A4-46A3-A2F5-7C81C6D8296E}: NameServer = 10.0.0.3,208.67.220.220
O20 - Winlogon Notify: gebyawv - gebyawv.dll (file missing)
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: vtsqn - C:\WINDOWS\system32\vtsqn.dll (file missing)
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: winbfi32 - winbfi32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PQGUGEZVF - Sysinternals - www.sysinternals.com - C:\DOCUME~1\hfilby\LOCALS~1\Temp\PQGUGEZVF.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe (file missing)
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Unknown owner - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe (file missing)
O23 - Service: UPS - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe (file missing)
O23 - Service: VMware DHCP Service (VMnetDHCP) - Unknown owner - C:\WINDOWS\system32\vmnetdhcp.exe (file missing)
O23 - Service: VMware NAT Service - Unknown owner - C:\WINDOWS\system32\vmnat.exe (file missing)

RootkitRevealer Log:

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed - Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg - Access is denied



>>>>> Previous Infections (now cleaned I hope!) <<<<<<<

AVG Anti-Virus Scan Results (gif):


AVG Anti-Spyware Scan Results:

Adaware.Virtumonde
Adaware.PurityScan
Trojan.Small
Downloader.Alphabet

Edited by hfilby2, 17 May 2007 - 04:31 PM.
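The HijackThis log above is triaged by eye in this thread. As an added example (not HijackThis code and not from any post here), the script below does the same first pass mechanically over the O2/O3/O20/O23 sections: it flags load points whose file is gone, Winlogon Notify DLLs given by bare name, and anything registered to run from a user's Temp directory. The sample input is constructed from lines copied out of the first log; the severity tiers, the `TEMP_RE` pattern and the reason strings are this example's own assumptions.

```python
"""Triage a HijackThis log for persistence entries worth a second look.

Added example for this thread, not part of HijackThis or of any post in it.
SAMPLE holds lines copied from the first HijackThis log in the thread.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity code name target reason")

# HijackThis writes 'Oxx - Kind: name - [guid or owner -] target';
# the target (DLL or executable) is always the last ' - ' separated field.
ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(?P<body>.*)$")
# A user's Temp directory (8.3 or long form); assumption: no legitimate
# service or Winlogon DLL lives there.
TEMP_RE = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
# Only the sections that register code for another process to load.
LOAD_POINTS = {"O2", "O3", "O20", "O23"}


def split_entry(line):
    """Return (code, name, target) for an O2/O3/O20/O23 line, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m or m.group(1) not in LOAD_POINTS:
        return None
    _kind, _sep, rest = m.group("body").partition(": ")
    fields = [f.strip() for f in rest.split(" - ")]
    return m.group(1), fields[0], fields[-1]


def triage(lines):
    """Return a Finding for every log line that deserves attention."""
    findings = []
    for line in lines:
        parsed = split_entry(line)
        if parsed is None:
            continue
        code, name, target = parsed
        orphan = target.endswith("(file missing)") or target == "(no file)"
        path = target.replace("(file missing)", "").strip()
        if TEMP_RE.search(path):
            sev, why = "HIGH", "registered to run from a user Temp directory"
        elif code == "O20" and orphan:
            # winlogon.exe loads Notify DLLs as SYSTEM at every logon; a key
            # whose DLL was deleted is re-armed by any file dropped under that name.
            sev, why = "HIGH", "Winlogon Notify key whose DLL is gone; fix the entry"
        elif code == "O20" and "\\" not in path:
            sev, why = "MEDIUM", "Winlogon Notify DLL given by bare name; inspect the file"
        elif code in ("O2", "O3") and orphan:
            sev, why = "HIGH", "dead BHO/toolbar registration left behind; fix the entry"
        elif code == "O23" and orphan:
            sev, why = "LOW", "service binary missing; usually an uninstall leftover"
        else:
            continue
        findings.append(Finding(sev, code, name, target, why))
    return findings


# Constructed sample: lines copied from the first HijackThis log in this thread.
SAMPLE = r"""
O2 - BHO: Alcohol Toolbar Helper - {52D06F97-5511-43FA-8FDA-C481864FD26E} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O3 - Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: gebyawv - gebyawv.dll (file missing)
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: vtsqn - C:\WINDOWS\system32\vtsqn.dll (file missing)
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: winbfi32 - winbfi32.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: PQGUGEZVF - Sysinternals - www.sysinternals.com - C:\DOCUME~1\hfilby\LOCALS~1\Temp\PQGUGEZVF.exe
O23 - Service: VMware NAT Service - Unknown owner - C:\WINDOWS\system32\vmnat.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE.splitlines()):
        print(f"{f.severity:6} {f.code:4} {f.name}: {f.reason}")
```

On the sample, the HIGH tier comes out as the orphaned toolbar, the three Winlogon Notify entries and the Temp-resident PQGUGEZVF service, while the missing iPod and VMware service binaries are only LOW: "(file missing)" on a service in a vendor directory is normally an uninstall leftover, whereas a Winlogon Notify key that outlives its DLL is a loading point waiting to be refilled. One caveat on PQGUGEZVF: the "Sysinternals" owner string in the first log is consistent with RootkitRevealer, which the poster had run and which scans from a randomly named copy of itself registered as a service; the stale registration is still worth removing once the file is gone, but it need not mean the infection is active.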



#2 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 19 May 2007 - 05:44 PM

Hello hfilby2,


Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of the SmitfraudFix report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

************************


1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you.
Post the SmitfraudFix report, the ComboFix log and a fresh HijackThis log in your next reply.

Note:
Do not mouse-click ComboFix's window while it's running; that may cause it to stall.
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix.

To disable Norton AntiVirus Script Blocking
Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
Click Options. If you see a menu, click Norton AntiVirus.
In the left pane, click Script Blocking.
In the right pane, uncheck Enable Script Blocking (recommended).
Click OK

Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Edited by SifuMike, 19 May 2007 - 05:46 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 hfilby2
  • Topic Starter
  • Members
  • 5 posts

Posted 22 May 2007 - 09:54 AM

Hello and thank you for your reply,

I ran Combofix, Vundofix, and Smitfraudfix. I will post the logs below.
Note: I downloaded and ran Combofix and Vundofix before I received your message, so the logs are a little dated, and some of the scans were done in SafeMode.

AVG Virus Scanner picked up 5 more trojans on 18/05/2007, after several clean scans, and AVG Anti-Spam picked up another 5 (different) Trojans on 17/05/2007. Today both scans were clean - but, as I mentioned, the scan will be clean one minute, and detect a virus the next. All programs (AVG, Comodo Firewall, Adaware, Spybot etc.) have been updated.

Thanks again - I really appreciate you taking the time to take a look at this mess!


Vundofix Log:

VundoFix V6.3.23
Checking Java version...
Java version is 1.5.0.10
Scan started at 7:16:34 PM 17/05/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...

HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:34:37 PM, on 22/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: 3RVX.lnk = C:\Program Files\3RVX\3RVX.exe
O4 - Startup: AutoHotkey.lnk = C:\Program Files\AutoHotKey\AutoHotkey.exe
O4 - Startup: gnotify.lnk = C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Startup: ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar2\Rainlendar2.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O15 - Trusted Zone: http://housecall65.trendmicro.com
O15 - Trusted Zone: www.trendmicro.com
O15 - Trusted Zone: http://www.trendmicro.com
O15 - Trusted Zone: www.housecall65.trendmicro.com
O15 - Trusted Zone: http://www.trendsecure.com
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{736DDD73-78A4-46A3-A2F5-7C81C6D8296E}: NameServer = 10.0.0.3,208.67.220.220
O20 - Winlogon Notify: gebyawv - gebyawv.dll (file missing)
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: vtsqn - C:\WINDOWS\system32\vtsqn.dll (file missing)
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: winbfi32 - winbfi32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PQGUGEZVF - Unknown owner - C:\DOCUME~1\hfilby\LOCALS~1\Temp\PQGUGEZVF.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe (file missing)
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Unknown owner - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe (file missing)
O23 - Service: VMware DHCP Service (VMnetDHCP) - Unknown owner - C:\WINDOWS\system32\vmnetdhcp.exe (file missing)
O23 - Service: VMware NAT Service - Unknown owner - C:\WINDOWS\system32\vmnat.exe (file missing)

Combofix Log (3 of 3)
Note: the first two scans are attached as text files.

"hfilby" - 2007-05-18 18:30:01 Service Pack 2
ComboFix 07-05.17.6.V - Running from: "C:\Program Files\ComboFix\"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\hfilby
C:\qoobox\purity\C\DOCUME~1\hfilby\APPLIC~1
C:\qoobox\purity\C\DOCUME~1\hfilby\APPLIC~1\FNTS~1
C:\qoobox\purity\C\DOCUME~1\hfilby\APPLIC~1\SCURIT~1
C:\qoobox\purity\C\DOCUME~1\hfilby\APPLIC~1\SCURIT~1\s?curity
C:\qoobox\purity\C\WINDOWS\ASKS~1


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-18 ))))))))))))))))))))))))))))))))))


2007-05-17 23:41 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-17 20:19 <DIR> d-------- C:\Program Files\OXXOGames
2007-05-17 20:08 <DIR> d-------- C:\Program Files\QuickPar
2007-05-17 20:04 <DIR> d-------- C:\DOCUME~1\hfilby\APPLIC~1\GrabIt
2007-05-17 20:03 <DIR> d-------- C:\Program Files\GrabIt
2007-05-17 19:01 <DIR> d-------- C:\Program Files\VundoFix
2007-05-17 18:59 <DIR> d-------- C:\VundoFix Backups
2007-05-17 16:47 <DIR> d-------- C:\Program Files\CPUZ
2007-05-17 16:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
2007-05-17 16:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\NVIDIA
2007-05-17 13:36 <DIR> d-------- C:\Program Files\McAfee
2007-05-17 13:14 <DIR> d-------- C:\DOCUME~1\hfilby\APPLIC~1\Comodo
2007-05-17 13:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-05-17 13:09 <DIR> d-------- C:\Program Files\Comodo
2007-05-16 11:12 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-05-16 10:04 983,864 ---hs---- C:\WINDOWS\system32\nqstv.bak1
2007-05-15 21:55 1,040,384 --a------ C:\WINDOWS\system32\libeay32.dll
2007-05-15 21:54 196,608 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-05-11 12:33 <DIR> d-------- C:\DOCUME~1\hfilby\APPLIC~1\Uniblue
2007-05-11 11:48 <DIR> d-------- C:\DOCUME~1\hfilby\APPLIC~1\Opera
2007-05-09 15:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-09 09:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-05-05 14:26 <DIR> d--h----- C:\WINDOWS\PIF
2007-05-05 13:24 <DIR> d-------- C:\Program Files\Games
2007-05-05 12:48 <DIR> d-------- C:\Program Files\QuickTime
2007-05-03 22:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-05-03 13:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-05-03 11:07 <DIR> d-------- C:\Documents
2007-04-20 01:51 <DIR> d-------- C:\Program Files\Picasa2


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-18 17:18:13 -------- d-----w C:\Program Files\Trend Micro
2007-05-18 17:12:00 -------- d-----w C:\DOCUME~1\hfilby\APPLIC~1\Registry Booster
2007-05-14 22:32:16 -------- d-----w C:\Program Files\Trillian
2007-05-11 16:33:25 -------- d-----w C:\Program Files\Uniblue
2007-05-11 16:20:30 -------- d-----w C:\DOCUME~1\hfilby\APPLIC~1\Launchy
2007-05-08 14:09:08 -------- d-----w C:\DOCUME~1\hfilby\APPLIC~1\OpenOffice.org2
2007-05-07 16:36:30 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-05-03 15:20:13 -------- d-----w C:\DOCUME~1\hfilby\APPLIC~1\VMware
2007-05-03 15:17:21 -------- d-----w C:\DOCUME~1\hfilby\APPLIC~1\Apple Computer
2007-05-03 15:17:09 -------- d-----w C:\DOCUME~1\hfilby\APPLIC~1\Ahead
2007-05-01 19:56:03 -------- d-----w C:\DOCUME~1\hfilby\APPLIC~1\SecTaskMan
2007-04-29 19:28:51 -------- d-----w C:\Program Files\Foxit Software
2007-04-29 13:47:40 -------- d-----w C:\Program Files\Crimson Editor
2007-04-21 15:14:28 4,585,472 ----a-w C:\WINDOWS\system32\logonuiX.exe
2007-04-21 15:06:44 163,712 ----a-w C:\WINDOWS\system32\drivers\vidstub.sys
2007-04-15 16:04:13 -------- d-----w C:\Program Files\Google
2007-04-15 07:04:01 -------- d-----w C:\Program Files\PowerDefragmenter
2007-04-15 07:00:24 -------- d-----w C:\Program Files\Contig
2007-04-15 02:40:39 -------- d-----w C:\Program Files\AutoHotKey
2007-04-15 01:38:12 -------- d-----w C:\Program Files\Opera
2007-04-09 09:57:32 -------- d-----w C:\DOCUME~1\hfilby\APPLIC~1\Flickr
2007-03-25 13:05:00 -------- d-----w C:\Program Files\MediaCoder
2007-03-25 10:42:37 54,192 ----a-w C:\DOCUME~1\hfilby\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-03-25 01:03:59 54,192 ----a-w C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2007-03-17 13:45:03 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-14 13:41:56 44,288 ----a-w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-03-13 21:03:59 4,092 -c--a-w C:\WINDOWS\mozver.dat
2007-03-13 18:55:49 -------- d-----w C:\Program Files\Google Video Uploader
2007-03-13 18:08:51 -------- d-----w C:\Program Files\msn gaming zone
2007-03-13 14:57:20 -------- d-----w C:\DOCUME~1\hfilby\APPLIC~1\SSH
2007-03-08 15:48:36 578,048 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:48:36 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:48:36 282,112 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:49:49 1,843,968 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 07:22]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SetDefaultMIDI"="MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'"
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00
"nltide_3"=hex(2):72,75,6e,64,6c,6c,33,32,20,61,64,76,70,61,63,6b,2e,64,6c,6c,\
2c,4c,61,75,6e,63,68,49,4e,46,53,65,63,74,69,6f,6e,45,78,20,6e,4c,69,74,65,\
2e,69,6e,66,2c,43,2c,2c,34,2c,4e,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=dword:00000001
"ClearRecentDocsOnExit"=dword:00000001
"NoRecentDocsMenu"=dword:00000001
"NoRecentDocsHistory"=dword:00000001
"NoStartBanner"=dword:00000001
"NoSMMyPictures"=dword:00000001
"NoSMHelp"=dword:00000001
"StartMenuLogoff"=dword:00000001
"ForceStartMenuLogoff"=dword:00000000
"NoUserNameInStartMenu"=dword:00000001
"NoLogoff"=hex:01,00,00,00
"NoSharedDocuments"=hex:01,00,00,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=dword:00000001
"ClearRecentDocsOnExit"=dword:00000001
"NoRecentDocsMenu"=dword:00000001
"NoRecentDocsHistory"=dword:00000001
"NoStartBanner"=dword:00000001
"NoSMMyPictures"=dword:00000001
"NoSMHelp"=dword:00000001
"StartMenuLogoff"=dword:00000001
"ForceStartMenuLogoff"=dword:00000000
"NoUserNameInStartMenu"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyawv]
gebyawv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqn]
C:\WINDOWS\system32\vtsqn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\WINDOW~1\wbsrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbfi32]
winbfi32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0
Security Packages kerberos msv1_0 schannel wdigest
Notification Packages scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HTTPFilter HTTPFilter
LocalService Alerter WebClient LmHosts upnphost SSDPSRV
NetworkService DnsCache
DcomLaunch DcomLaunch TermService
rpcss RpcSs
imgsvc StiSvc
termsvcs TermService

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91a036f0-b532-11db-b80c-005056c00008}]
Shell\AutoRun\command K:\LaunchU3.exe -a

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-18 18:31:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

********************************************************************

Completion time: 2007-05-18 18:31:54
C:\ComboFix-quarantined-files.txt ... 2007-05-18 18:31
C:\ComboFix2.txt ... 2007-05-18 13:01
C:\ComboFix3.txt ... 2007-05-17 23:41

--- E O F ---


Smitfraudfix Log:

SmitFraudFix v2.186

Scan done at 22:31:20.18, 22/05/2007
Run from C:\Documents and Settings\hfilby\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\cpf.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\hfilby

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\hfilby\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\hfilby\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
"Startup"="MCPSystemStartup"

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: 3Com Gigabit LOM (3C940) - Packet Scheduler Miniport
DNS Server Search Order: 10.0.0.3
DNS Server Search Order: 208.67.220.220

HKLM\SYSTEM\CCS\Services\Tcpip\..\{736DDD73-78A4-46A3-A2F5-7C81C6D8296E}: NameServer=10.0.0.3,208.67.220.220
HKLM\SYSTEM\CS1\Services\Tcpip\..\{736DDD73-78A4-46A3-A2F5-7C81C6D8296E}: NameServer=10.0.0.3,208.67.220.220
HKLM\SYSTEM\CS2\Services\Tcpip\..\{736DDD73-78A4-46A3-A2F5-7C81C6D8296E}: NameServer=10.0.0.3,208.67.220.220

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End


#4 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 22 May 2007 - 12:11 PM

Hi hfilby2,

You have a suspicious file we need to check.

You will need to configure Windows to show Hidden files.

Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\Program Files\3RVX\3RVX.exe


Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Once scanned, copy and paste the results also in your next reply.

I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes or if busy, a couple of hours to reply.
You can copy/paste the results of scan results here.

#5 hfilby2
  • Topic Starter
  • Members
  • 5 posts

Posted 22 May 2007 - 12:43 PM

Hello SifuMike,

Thanks for your quick reply!

The "suspicious file" 3RVX is a program to control the system volume from the keyboard. I could, of course, use AutoHotKey for the same purpose, but 3RVX comes with a lovely mac-like skin! Check it out here: http://matt.malensek.net/software

I have had this program on my computer for a long time (six months or more), so I don't think it is suspicious. If, after all my rambling, you still think I should scan it at virustotal.com, please let me know and I will do so.

Cheers,

hfilby2

#6 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 22 May 2007 - 02:53 PM

Hello hfilby2,

Since you know 3RVX is safe we will bypass that part.

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial


*******************************************

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key. If that does not work, go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/



Please boot into Safe Mode and select the following entries with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "Fix checked."

O3 - Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)
O20 - Winlogon Notify: gebyawv - gebyawv.dll (file missing)
O20 - Winlogon Notify: vtsqn - C:\WINDOWS\system32\vtsqn.dll (file missing)
O20 - Winlogon Notify: winbfi32 - winbfi32.dll (file missing)
O23 - Service: PQGUGEZVF - Unknown owner - C:\DOCUME~1\hfilby\LOCALS~1\Temp\PQGUGEZVF.exe (file missing)



*******************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C:.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'Show hidden files and folders',
deselect (uncheck) 'Hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.

Don't use the Windows Start\Search feature.
Using Windows Explorer, find and delete each of the following. If you can't delete an item, right-click it and click Properties. Make sure 'Read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Using Windows Explorer, delete the following files/folders (do not be concerned if they do not exist):

C:\WINDOWS\system32\nqstv.bak1 <==file

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot to the Normal Mode.


Since ComboFix is updated frequently, delete the ComboFix version you have on your computer and then:
1. Download this file - combofix.exe
2. Double-click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix.

To disable Norton AntiVirus Script Blocking:
Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
Click Options. If you see a menu, click Norton AntiVirus.
In the left pane, click Script Blocking.
In the right pane, uncheck Enable Script Blocking (recommended).
Click OK.

Trojan Hunter has been reported to detect ComboFix as Worm.Qiv.100.


Please do not put your logs in attachments, as they are harder to read that way.

Post a new Hijackthis log, the ComboFix log and tell me how your computer is running.

Edited by SifuMike, 22 May 2007 - 02:54 PM.


#7 hfilby2

hfilby2
  • Topic Starter

  • Members
  • 5 posts
  • Local time:10:39 PM

Posted 22 May 2007 - 04:18 PM

Hi SifuMike,

I love CCleaner! It's one of my must-have programs.

I did the following:

1. Fixed the files you indicated using HijackThis (in Safe Mode)
2. Deleted the file nqstv.bak1 and also the file nqstv.ini - just in case (in Safe Mode)
3. Ran CCleaner (in Safe Mode)
4. Installed new version of ComboFix and ran it in Normal Mode

Here are the results:

HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 5:15:55 AM, on 23/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O15 - Trusted Zone: http://housecall65.trendmicro.com
O15 - Trusted Zone: www.trendmicro.com
O15 - Trusted Zone: http://www.trendmicro.com
O15 - Trusted Zone: www.housecall65.trendmicro.com
O15 - Trusted Zone: http://www.trendsecure.com
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{736DDD73-78A4-46A3-A2F5-7C81C6D8296E}: NameServer = 10.0.0.3,208.67.220.220
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\WINDOW~1\wbsrv.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe (file missing)
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Unknown owner - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe (file missing)
O23 - Service: VMware DHCP Service (VMnetDHCP) - Unknown owner - C:\WINDOWS\system32\vmnetdhcp.exe (file missing)
O23 - Service: VMware NAT Service - Unknown owner - C:\WINDOWS\system32\vmnat.exe (file missing)

ComboFix Log:

"hfilby" - 2007-05-23 5:00:58 Service Pack 2
ComboFix 07-05.21.6.V - Running from: "C:\Documents and Settings\hfilby\Desktop\"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\hfilby
C:\qoobox\purity\C\DOCUME~1\hfilby\APPLIC~1
C:\qoobox\purity\C\DOCUME~1\hfilby\APPLIC~1\FNTS~1
C:\qoobox\purity\C\DOCUME~1\hfilby\APPLIC~1\SCURIT~1
C:\qoobox\purity\C\DOCUME~1\hfilby\APPLIC~1\SCURIT~1\s?curity
C:\qoobox\purity\C\WINDOWS\ASKS~1

((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-23 ))))))))))))))))))))))))))))))))))

2007-05-22 22:31 1,238 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-17 23:41 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-17 20:19 <DIR> d-------- C:\Program Files\OXXOGames
2007-05-17 20:08 <DIR> d-------- C:\Program Files\QuickPar
2007-05-17 20:04 <DIR> d-------- C:\DOCUME~1\hfilby\APPLIC~1\GrabIt
2007-05-17 20:03 <DIR> d-------- C:\Program Files\GrabIt
2007-05-17 19:01 <DIR> d-------- C:\Program Files\VundoFix
2007-05-17 18:59 <DIR> d-------- C:\VundoFix Backups
2007-05-17 16:47 <DIR> d-------- C:\Program Files\CPUZ
2007-05-17 16:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
2007-05-17 16:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\NVIDIA
2007-05-17 13:36 <DIR> d-------- C:\Program Files\McAfee
2007-05-17 13:14 <DIR> d-------- C:\DOCUME~1\hfilby\APPLIC~1\Comodo
2007-05-17 13:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-05-17 13:09 <DIR> d-------- C:\Program Files\Comodo
2007-05-16 11:12 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-05-15 21:55 1,040,384 --a------ C:\WINDOWS\system32\libeay32.dll
2007-05-15 21:54 196,608 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-05-11 12:33 <DIR> d-------- C:\DOCUME~1\hfilby\APPLIC~1\Uniblue
2007-05-11 11:48 <DIR> d-------- C:\DOCUME~1\hfilby\APPLIC~1\Opera
2007-05-09 15:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-09 09:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-05-05 14:26 <DIR> d--h----- C:\WINDOWS\PIF
2007-05-05 13:24 <DIR> d-------- C:\Program Files\Games
2007-05-05 12:48 <DIR> d-------- C:\Program Files\QuickTime
2007-05-03 22:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-05-03 13:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-05-03 11:07 <DIR> d-------- C:\Documents

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-23 08:48:54 -------- d-----w C:\Program Files\Trend Micro
2007-05-23 04:04:15 -------- d-----w C:\DOCUME~1\hfilby\APPLIC~1\OpenOffice.org2
2007-05-23 02:34:24 -------- d-----w C:\DOCUME~1\hfilby\APPLIC~1\Launchy
2007-05-18 17:12:00 -------- d-----w C:\DOCUME~1\hfilby\APPLIC~1\Registry Booster
2007-05-14 22:32:16 -------- d-----w C:\Program Files\Trillian
2007-05-11 16:33:25 -------- d-----w C:\Program Files\Uniblue
2007-05-07 16:36:30 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-05-03 15:20:13 -------- d-----w C:\DOCUME~1\hfilby\APPLIC~1\VMware
2007-05-03 15:17:21 -------- d-----w C:\DOCUME~1\hfilby\APPLIC~1\Apple Computer
2007-05-03 15:17:09 -------- d-----w C:\DOCUME~1\hfilby\APPLIC~1\Ahead
2007-05-01 19:56:03 -------- d-----w C:\DOCUME~1\hfilby\APPLIC~1\SecTaskMan
2007-04-29 19:28:51 -------- d-----w C:\Program Files\Foxit Software
2007-04-29 13:47:40 -------- d-----w C:\Program Files\Crimson Editor
2007-04-21 15:14:28 4,585,472 ----a-w C:\WINDOWS\system32\logonuiX.exe
2007-04-21 15:06:44 163,712 ----a-w C:\WINDOWS\system32\drivers\vidstub.sys
2007-04-20 05:56:42 -------- d-----w C:\Program Files\Picasa2
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-15 16:04:13 -------- d-----w C:\Program Files\Google
2007-04-15 07:04:01 -------- d-----w C:\Program Files\PowerDefragmenter
2007-04-15 07:00:24 -------- d-----w C:\Program Files\Contig
2007-04-15 02:40:39 -------- d-----w C:\Program Files\AutoHotKey
2007-04-15 01:38:12 -------- d-----w C:\Program Files\Opera
2007-04-09 09:57:32 -------- d-----w C:\DOCUME~1\hfilby\APPLIC~1\Flickr
2007-03-25 13:05:00 -------- d-----w C:\Program Files\MediaCoder
2007-03-25 10:42:37 54,192 ----a-w C:\DOCUME~1\hfilby\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-03-25 01:03:59 54,192 ----a-w C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2007-03-17 13:45:03 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-14 13:41:56 44,288 ----a-w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-03-13 21:03:59 4,092 -c--a-w C:\WINDOWS\mozver.dat
2007-03-13 18:55:49 -------- d-----w C:\Program Files\Google Video Uploader
2007-03-13 18:08:51 -------- d-----w C:\Program Files\msn gaming zone
2007-03-13 14:57:20 -------- d-----w C:\DOCUME~1\hfilby\APPLIC~1\SSH
2007-03-08 15:48:36 578,048 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:48:36 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:48:36 282,112 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:49:49 1,843,968 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 07:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SetDefaultMIDI"=MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
"tscuninstall"=%systemroot%\system32\tscupgrd.exe
"nltide_3"=rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoStartBanner"=1 (0x1)
"NoSMMyPictures"=1 (0x1)
"NoSMHelp"=1 (0x1)
"StartMenuLogoff"=1 (0x1)
"ForceStartMenuLogoff"=0 (0x0)
"NoUserNameInStartMenu"=1 (0x1)
"NoLogoff"=01000000
"NoSharedDocuments"=01000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoStartBanner"=1 (0x1)
"NoSMMyPictures"=1 (0x1)
"NoSMHelp"=1 (0x1)
"StartMenuLogoff"=1 (0x1)
"ForceStartMenuLogoff"=0 (0x0)
"NoUserNameInStartMenu"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\WINDOW~1\wbsrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService Alerter WebClient LmHosts upnphost SSDPSRV

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91a036f0-b532-11db-b80c-005056c00008}]
AutoRun\command- K:\LaunchU3.exe -a

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-23 05:02:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

********************************************************************

Completion time: 2007-05-23 5:02:52
C:\ComboFix-quarantined-files.txt ... 2007-05-18 18:31
C:\ComboFix2.txt ... 2007-05-18 18:31
C:\ComboFix3.txt ... 2007-05-18 13:01

--- E O F ---
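
The entries SifuMike singled out in post #6 share a few traits a triage script can check for: orphaned Winlogon Notify DLLs, a service registered from a Temp folder, and a nameless toolbar. The following Python is an added example, not part of this thread or of HijackThis; it parses HijackThis-style lines (a constructed sample mixing the five entries that were fixed with three entries that remained in the clean log) and ranks them, treating "(file missing)" leftovers from uninstalled software as low priority. The severity rules and the SUSPICIOUS_DIRS list are the example's own assumptions.

```python
import re
from typing import Dict, List

# Prefix HijackThis puts on every entry, e.g. "O20 - Winlogon Notify: name - path".
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")

# Directories an autostart/service entry should not normally load from.
# Constructed for this example; the thread's O23 entry lived under a Temp folder.
SUSPICIOUS_DIRS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def _assess(section: str, body: str) -> List[Dict[str, str]]:
    """Return zero or more findings for one HijackThis entry (example heuristics)."""
    findings = []
    lower = body.lower()
    orphan = "(file missing)" in lower or "(no file)" in lower

    if section == "O20" and lower.startswith("winlogon notify:"):
        # A Winlogon Notify DLL is loaded by winlogon.exe at every logon, so an
        # orphaned entry or one given as a bare file name deserves a close look.
        target = body.split(" - ", 1)[1] if " - " in body else ""
        bare_name = not re.match(r"^[a-z]:\\", target.lower())
        if orphan or bare_name:
            findings.append({"severity": "high",
                             "reason": "Winlogon Notify entry is orphaned or has no full path"})
    elif section == "O23" and any(d in lower for d in SUSPICIOUS_DIRS):
        findings.append({"severity": "high",
                         "reason": "service executable located under a temp/profile directory"})
    elif section in ("O2", "O3") and "(no name)" in lower:
        findings.append({"severity": "medium",
                         "reason": "BHO/toolbar registered with no name"})
    elif orphan:
        # Leftovers from uninstalled software (VMware, iPod, PC-cillin in the
        # thread's log) look like this; harmless to fix but rarely malicious.
        findings.append({"severity": "low",
                         "reason": "orphaned entry pointing at a missing file"})
    return findings


def triage(log_text: str) -> List[Dict[str, str]]:
    """Parse HijackThis log text and return findings, most severe first."""
    results = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # process list, headers and blank lines carry no entries
        section, body = m.groups()
        for f in _assess(section, body):
            results.append({"section": section, "line": line.strip(), **f})
    results.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return results


# Constructed sample: the five entries fixed in this thread plus three that stayed.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O3 - Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)
O20 - Winlogon Notify: gebyawv - gebyawv.dll (file missing)
O20 - Winlogon Notify: vtsqn - C:\WINDOWS\system32\vtsqn.dll (file missing)
O20 - Winlogon Notify: winbfi32 - winbfi32.dll (file missing)
O23 - Service: PQGUGEZVF - Unknown owner - C:\DOCUME~1\hfilby\LOCALS~1\Temp\PQGUGEZVF.exe (file missing)
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O23 - Service: VMware NAT Service - Unknown owner - C:\WINDOWS\system32\vmnat.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['section']}: {f['reason']}\n         {f['line']}")
```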

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:39 PM

Posted 22 May 2007 - 04:28 PM

Hi hfilby2,

Your log looks clean! :thumbsup: Good job on the cleanup!


I love CCleaner! It's one of my must-have programs.


I couldn't agree with you more. :flowers: The only thing I don't like about it is the registry cleaner; it is just too dangerous in most people's hands.


Let's reset your files so they are hidden and protected.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading, deselect Show hidden files and folders.
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.



Now we will clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis

System Restore will now be active again.



Please read and follow 'How did I get infected?, With steps so it does not happen again!'
as well as 'How to prevent Malware' by miekiemoes.


If you want to improve speed/system performance after malware removal, take a look here.

Edited by SifuMike, 22 May 2007 - 04:32 PM.


#9 hfilby2

hfilby2
  • Topic Starter

  • Members
  • 5 posts
  • Local time:10:39 PM

Posted 22 May 2007 - 04:58 PM

Hi SifuMike,

I actually like to have all files (system or otherwise) shown so I will be able to notice if a malicious program tries to hide itself, or its files on my computer (i.e. RealPlayer). Well actually, it's because I'm a control freak and seeing all the files gives me a heady sense of control. ;)

But I will disable/enable System Restore.

Thanks for the help. I really appreciate the time you've taken to help me clean up my computer. If any viruses reappear, I will post a new request for help on the forum. Bye for now.

- hfilby

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:39 PM

Posted 29 May 2007 - 06:10 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.