Smitfraud-c And Virtumonde Malware


  • This topic is locked
12 replies to this topic

#1 sail0rm00n


  • Members
  • 8 posts

Posted 08 June 2007 - 07:51 PM

Problem: My computer started getting a bunch of pop-ups while surfing the internet. I've run Spybot S&D and Ad Aware, but neither seems to get rid of them. I ran Spybot first and it got rid of everything but Smitfraud-c and Virtumonde. Then I ran Ad Aware, and Ad Aware seemed to get rid of everything, so I decided to re-run Spybot to make sure. Spybot still detected Smitfraud-c and Virtumonde. Then I stumbled upon this forum while searching for fixes. I tried everything in the "Preparation Guide" before posting here and nothing seemed to work.

Here is my hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 5:43:09 PM, on 6/8/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\gearsec.exe
C:\WINNT\system32\hidserv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\Explorer.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINNT\System32\mxnjxewq.dll",realset
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\system32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
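
The HijackThis logs in this thread are what the helper reads to spot the malicious loading points: the unnamed BHO and the Winlogon Notify entry pointing at rqronno.dll, and the Run entry that uses rundll32 to load mxnjxewq.dll. The Python below is an added example, not part of the original post and not HijackThis code. It parses O2/O4/O20/O23 lines, applies three triage heuristics that mirror what the helper flagged, and diffs a before/after log to confirm the entries are gone. The sample logs are constructed from entries posted in this thread; the Winlogon Notify allowlist and the "random-looking name" rule are my own assumptions, not HijackThis behaviour.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: HijackThis entries taken from the logs in this thread,
# before and after the ComboFix script. Header and process list are omitted.
BEFORE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {08C134D3-087C-4139-A98C-3A078358DFDE} - C:\WINNT\System32\rqronno.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINNT\System32\mxnjxewq.dll",realset
O20 - Winlogon Notify: rqronno - C:\WINNT\SYSTEM32\rqronno.dll
O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\system32\gearsec.exe
"""

AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\system32\gearsec.exe
"""


@dataclass(frozen=True)
class Entry:
    code: str    # HijackThis section code, e.g. "O2", "O4", "O20"
    name: str    # BHO / Run / Notify / Service display name ("" for R0 lines)
    target: str  # file path or command line the entry points at
    raw: str     # the original log line


LINE_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.+)$")
SYSTEM_DIR_RE = re.compile(r"\\(winnt|windows)\\system32\\", re.IGNORECASE)
DLL_IN_CMD_RE = re.compile(r'([A-Za-z]:\\[^",]+?\.dll)', re.IGNORECASE)

# Assumed allowlist: Winlogon\Notify DLLs that ship with Windows 2000/XP.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def parse_log(text: str) -> List[Entry]:
    """Turn the O2/O4/O20/O23 (and R0) lines of a HijackThis log into Entry records."""
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O2" and (b := BHO_RE.match(body)):
            entries.append(Entry(code, b["name"], b["path"], line))
        elif code == "O4" and (r := RUN_RE.match(body)):
            entries.append(Entry(code, r["name"], r["cmd"], line))
        elif code == "O20" and (n := NOTIFY_RE.match(body)):
            entries.append(Entry(code, n["name"], n["path"], line))
        elif code == "O23" and (s := SERVICE_RE.match(body)):
            entries.append(Entry(code, s["name"], s["path"], line))
        else:
            entries.append(Entry(code, "", body, line))
    return entries


def _stem(path: str) -> str:
    """File name without directory or extension: C:\\x\\rqronno.dll -> rqronno."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def looks_random(stem: str) -> bool:
    """Crude heuristic (my assumption): 7-9 lowercase letters with at most two
    vowels, like rqronno or mxnjxewq. NvCpl and gearsec do not match."""
    return bool(re.fullmatch(r"[a-z]{7,9}", stem)) and sum(c in "aeiou" for c in stem) <= 2


def triage(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Flag entries matching the persistence patterns discussed in the thread."""
    findings: List[Tuple[Entry, str]] = []
    for e in entries:
        if e.code == "O2" and e.name == "(no name)" and SYSTEM_DIR_RE.search(e.target):
            findings.append((e, "unnamed BHO loading from System32"))
        elif e.code == "O4" and "rundll32" in e.target.lower():
            m = DLL_IN_CMD_RE.search(e.target)
            if m and SYSTEM_DIR_RE.search(m.group(1)) and looks_random(_stem(m.group(1))):
                findings.append((e, "Run entry uses rundll32 to load a random-named System32 DLL"))
        elif e.code == "O20" and _stem(e.target).lower() not in KNOWN_NOTIFY:
            findings.append((e, "Winlogon Notify DLL that is not part of Windows"))
    return findings


def removed_entries(before: List[Entry], after: List[Entry]) -> List[Entry]:
    """Entries present in the first log but gone from the second (paths compared case-insensitively)."""
    after_keys = {(e.code, e.name, e.target.lower()) for e in after}
    return [e for e in before if (e.code, e.name, e.target.lower()) not in after_keys]


if __name__ == "__main__":
    before, after = parse_log(BEFORE_LOG), parse_log(AFTER_LOG)
    for e, why in triage(before):
        print(f"[{e.code}] {why}: {e.raw}")
    for e in removed_entries(before, after):
        print("removed after fix:", e.raw)
```

Running the block prints the three flagged entries from the first log and then the same three lines as removed in the second, with nothing flagged in the cleaned log. The heuristics are deliberately narrow (unnamed BHOs in System32, rundll32 loading a random-looking DLL, non-Windows Winlogon Notify DLLs) so that legitimate entries such as NvCplDaemon and SDHelper.dll pass; a real triage tool would add a hash or signer lookup on each target.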


#2 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 09 June 2007 - 12:40 AM

Hello,

First of all, I notice from the log that more than one Anti-Virus program is running with Auto-protect enabled: Bitdefender and McAfee.
Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously!
The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.
Also, because multiple Antivirus and Firewall products installed together are not compatible with each other, it can cause system performance problems and a serious system slowdown.

So you have to make a decision here and keep the Antivirus you prefer and uninstall the other one.
Then reboot after uninstalling.

Then, download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 sail0rm00n

  • Topic Starter

  • Members
  • 8 posts

Posted 09 June 2007 - 02:54 PM

combofix log:
"sarena1" - 06/09/2007 12:39:15 Service Pack 4 NTFS
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\sarena1\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\tvyay.bak1
C:\WINNT\system32\tvyay.bak2
C:\WINNT\system32\tvyay.ini
C:\WINNT\system32\tvyay.bak1
C:\WINNT\system32\tvyay.bak2
C:\WINNT\system32\tvyay.ini
C:\WINNT\system32\yayvt.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



-- Purity Folders:
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\SMBOLS~1
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\Temp\tn3
C:\WINNT\cfg32.exe
C:\WINNT\cfg32a.exe
C:\WINNT\CROSOF~1.NET
C:\WINNT\cs_cache.ini
C:\WINNT\dls0523pmw.exe
C:\WINNT\rau001978.exe
C:\WINNT\retadpu1000106.exe
C:\WINNT\retadpu2000219.exe
C:\WINNT\system32\drivers\core.cache.dsk . . . . failed to delete
C:\WINNT\system32\drivers\core.sys . . . . failed to delete
C:\WINNT\system32\pog
C:\WINNT\system32\T3
C:\WINNT\system32\T4
C:\WINNT\system32\T4\amst5.exe
C:\WINNT\system32\winnb58.dll
C:\WINNT\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\core
-------\Net Agent
-------\nm


((((((((((((((((((((((((( Files Created from 2007-05-09 to 2007-06-09 )))))))))))))))))))))))))))))))


2007-06-09 12:41 <DIR> d-------- C:\TEMP\tn3
2007-06-08 16:30 14 --a------ C:\getfile.dat
2007-06-07 23:58 14 --a------ C:\WINNT\system32\getfile.dat
2007-06-07 22:56 58,420 --a------ C:\WINNT\system32\cnpcvvat.dll
2007-06-07 22:48 131,124 --a------ C:\WINNT\system32\mxnjxewq.dll
2007-06-07 20:35 53,248 --a------ C:\WINNT\system32\Process.exe
2007-06-07 20:35 51,200 --a------ C:\WINNT\system32\dumphive.exe
2007-06-07 20:35 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
2007-06-07 20:35 1,796 --a------ C:\WINNT\system32\tmp.reg
2007-06-07 17:42 <DIR> d-------- C:\Program Files\CCleaner
2007-06-07 17:41 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-07 17:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-07 17:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-06 22:14 6,010,424 --a------ C:\TEMP\Firefox Setup 2.0.0.4.exe
2007-06-06 21:57 <DIR> d--hs---- C:\UWA7P
2007-06-06 21:50 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor
2007-06-06 21:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-06 21:48 <DIR> d-------- C:\Program Files\Common Files\Companion Wizard
2007-06-06 21:44 131,124 --a------ C:\WINNT\system32\ehuujyyl.dll
2007-06-06 21:44 131,124 --a------ C:\WINNT\system32\dntkvnql.dll
2007-06-06 21:43 55,316 --a------ C:\WINNT\system32\mjbouhoa.dll
2007-06-06 21:35 932 --a------ C:\WINNT\system32\winpfz32.sys
2007-06-06 21:34 72,832 --------- C:\WINNT\system32\drivers\core.sys
2007-06-06 21:34 551,920 -r-hs---- C:\WINNT\yjrnohkA.exe
2007-06-06 21:34 46,592 --a------ C:\WINNT\yjrnohk.exe
2007-06-06 21:34 33,302 --a------ C:\WINNT\system32\rqronno.dll
2007-06-06 21:34 192,622 --a------ C:\WINNT\system32\rwintndt.exe
2007-06-06 21:34 102,400 --a------ C:\WINNT\MBDownloader_876916.exe
2007-06-06 21:34 <DIR> d-a------ C:\WINNT\system32\TQ0
2007-06-06 21:34 <DIR> d-a------ C:\WINNT\system32\T6
2007-06-06 21:34 <DIR> d-a------ C:\WINNT\system32\T5
2007-06-06 21:34 <DIR> d-a------ C:\WINNT\system32\T1QaSQ
2007-06-06 21:34 <DIR> d-------- C:\TEMP\x2b
2007-06-04 15:18 9,344 --a------ C:\WINNT\system32\drivers\NSDriver.sys
2007-06-04 15:17 7,808 --a------ C:\WINNT\system32\drivers\AWRTRD.sys
2007-06-04 15:14 5,376 --a------ C:\WINNT\system32\drivers\AWRTPD.sys
2007-05-23 17:46 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
2007-05-23 17:46 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-05-23 17:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-05-23 17:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-05-23 17:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-05-09 22:15 <DIR> d-------- C:\DOCUME~1\sarena1\APPLIC~1\TVU Networks
2007-05-09 20:00 <DIR> d-------- C:\Program Files\SopCast
2007-05-09 20:00 <DIR> d-------- C:\DOCUME~1\sarena1\APPLIC~1\SopCast
2007-05-09 19:26 35,018,418 --a------ C:\TEMP\Sambal.Baj.P2P.TV-Pack.1.6.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-09 19:34:58 -------- d-----w C:\Program Files\McAfee.com
2007-06-08 00:43:16 -------- d-----w C:\Program Files\Yahoo!
2007-06-07 05:42:31 -------- d-----w C:\Program Files\Trillian
2007-06-07 05:39:42 -------- d-----w C:\Program Files\MyWay
2007-05-24 01:02:10 -------- d-----w C:\Program Files\AIM95
2007-05-24 00:44:26 335 ----a-w C:\WINNT\nsreg.dat
2007-05-23 03:57:47 -------- d-----w C:\Program Files\HomeKeylogger
2007-05-10 05:16:08 -------- d-----w C:\Program Files\TVU Player
2007-04-13 22:19:52 7,680 ----a-w C:\WINNT\system32\lsdelete.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [06-10-26 10:28 ]
{08C134D3-087C-4139-A98C-3A078358DFDE}=C:\WINNT\System32\rqronno.dll [07-06-06 21:34 ]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [05-05-31 01:04 ]
{E12BFF69-38A7-406e-A8EF-2738107A7831}=C:\WINNT\System32\cnpcvvat.dll [07-06-07 22:56 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDMCon"="C:\Program Files\Softwin\BitDefender8\bdmcon.exe" [05-06-20 12:10 ]
"BDNewsAgent"="C:\Program Files\Softwin\BitDefender8\bdnagent.exe" [05-05-09 12:19 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{08C134D3-087C-4139-A98C-3A078358DFDE}"="C:\WINNT\System32\rqronno.dll" [07-06-06 21:34 ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqronno]
rqronno.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

*Newly Created Service* - CORE

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-09 12:46:21
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-09 12:47:01 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-06-09 12:46

--- E O F ---


new hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 12:50:12 PM, on 6/9/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\gearsec.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINNT\Explorer.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {08C134D3-087C-4139-A98C-3A078358DFDE} - C:\WINNT\System32\rqronno.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINNT\System32\cnpcvvat.dll
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O20 - Winlogon Notify: rqronno - C:\WINNT\SYSTEM32\rqronno.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\system32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#4 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 09 June 2007 - 03:03 PM

Hello,

Did you install HomeKeylogger? Or are you aware this is installed?

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINNT\system32\tmp.reg
C:\WINNT\system32\ehuujyyl.dll
C:\WINNT\system32\dntkvnql.dll
C:\WINNT\system32\mjbouhoa.dll
C:\WINNT\system32\winpfz32.sys
C:\WINNT\system32\drivers\core.sys
C:\WINNT\yjrnohkA.exe
C:\WINNT\yjrnohk.exe
C:\WINNT\system32\rqronno.dll
C:\WINNT\system32\rwintndt.exe
C:\WINNT\MBDownloader_876916.exe
C:\WINNT\system32\cnpcvvat.dll
C:\WINNT\system32\mxnjxewq.dll

Folder::
C:\WINNT\system32\TQ0
C:\WINNT\system32\T6
C:\WINNT\system32\T5
C:\WINNT\system32\T1QaSQ
C:\TEMP\x2b
C:\TEMP\tn3
C:\UWA7P
C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor
C:\Program Files\Common Files\Companion Wizard

Driver::
CORE

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E12BFF69-38A7-406e-A8EF-2738107A7831}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{08C134D3-087C-4139-A98C-3A078358DFDE}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{08C134D3-087C-4139-A98C-3A078358DFDE}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqronno]


Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging ComboFix-Do.txt onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
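The ComboFix-Do.txt above uses ComboFix's script sections (File::, Folder::, Driver::, Registry::), with the Registry:: block written in .reg syntax: a [-KEY] line deletes a whole key, and a "name"=- line under a [KEY] header deletes a single value. As an added example (my code, not ComboFix's), the Python below parses such a script into an explicit action list and refuses anything that is not a deletion, which is a useful sanity check before handing a script like this to a cleanup tool. The script text is a constructed, abridged copy of the one posted; the ScriptError class and the action names are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: abridged copy of the ComboFix-Do.txt posted in this thread.
CFSCRIPT = r"""
File::
C:\WINNT\system32\tmp.reg
C:\WINNT\system32\rqronno.dll
C:\WINNT\system32\cnpcvvat.dll

Folder::
C:\WINNT\system32\TQ0
C:\UWA7P

Driver::
CORE

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E12BFF69-38A7-406e-A8EF-2738107A7831}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{08C134D3-087C-4139-A98C-3A078358DFDE}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqronno]
"""


@dataclass(frozen=True)
class Action:
    kind: str        # delete_file, delete_folder, delete_driver, delete_key, delete_value
    target: str      # path, service name or registry key
    detail: str = "" # value name for delete_value


SECTION_RE = re.compile(r"^(?P<name>[A-Za-z]+)::$")
# .reg-style key header: [-KEY] deletes the key, [KEY] selects it for value lines.
KEY_RE = re.compile(r"^\[(?P<minus>-?)(?P<key>HKEY_[A-Z_]+\\.+)\]$")
# .reg-style value deletion: "name"=-
VALUE_DEL_RE = re.compile(r'^"(?P<name>[^"]+)"=-$')
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


class ScriptError(ValueError):
    """Raised for malformed lines or for anything that is not a deletion."""


def parse_cfscript(text: str) -> List[Action]:
    """Parse File::/Folder::/Driver::/Registry:: sections into delete actions."""
    actions: List[Action] = []
    section = None
    current_key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec["name"].lower()
            current_key = None
            continue
        if section in ("file", "folder"):
            if not ABS_PATH_RE.match(line):
                raise ScriptError(f"line {lineno}: {section} entry must be an absolute path: {line}")
            actions.append(Action(f"delete_{section}", line))
        elif section == "driver":
            actions.append(Action("delete_driver", line))
        elif section == "registry":
            key = KEY_RE.match(line)
            if key:
                current_key = key["key"]
                if key["minus"]:
                    actions.append(Action("delete_key", current_key))
                continue
            val = VALUE_DEL_RE.match(line)
            if val and current_key:
                actions.append(Action("delete_value", current_key, val["name"]))
                continue
            # A "name"="data" line would write to the registry; a script meant
            # only to remove loading points should never contain one.
            raise ScriptError(f"line {lineno}: only key/value deletions are accepted: {line}")
        else:
            raise ScriptError(f"line {lineno}: entry outside any section: {line}")
    return actions


def is_delete_only(text: str) -> bool:
    """True if the script parses cleanly and contains nothing but removals."""
    try:
        parse_cfscript(text)
        return True
    except ScriptError:
        return False


if __name__ == "__main__":
    for a in parse_cfscript(CFSCRIPT):
        print(a.kind.ljust(13), a.target, a.detail)
```

The parser keeps the [KEY] header state so that a "name"=- line is attributed to the key above it, exactly as a .reg file would be read; the ShellExecuteHooks value in the sample becomes a delete_value action on that key, while the two [-KEY] lines become delete_key actions. Feeding a script that writes a value, or lists a bare file name with no drive, makes is_delete_only return False.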

#5 sail0rm00n

  • Topic Starter

  • Members
  • 8 posts

Posted 09 June 2007 - 03:31 PM

I am aware that homekeylogger was installed. I wanted to uninstall it but couldn't find the uninstall software, nor was it listed in my add/remove programs.

"sarena1" - 06/09/2007 13:20:13 Service Pack 4 NTFS
Command switches used :: "D:\programs\ComboFix-Do.txt"


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\yabba.dll
C:\WINNT\system32\abbay.bak1
C:\WINNT\system32\abbay.ini
C:\WINNT\system32\abbay.bak1
C:\WINNT\system32\abbay.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor
C:\Program Files\Common Files\Companion Wizard
C:\Program Files\Common Files\Companion Wizard\CompWiz.xml
C:\Temp\tn3
C:\TEMP\x2b
C:\TEMP\x2b\tmpZTF.log
C:\UWA7P
C:\WINNT\MBDownloader_876916.exe
C:\WINNT\system32\cnpcvvat.dll
C:\WINNT\system32\dntkvnql.dll
C:\WINNT\system32\drivers\core.cache.dsk . . . . failed to delete
C:\WINNT\system32\drivers\core.sys . . . . failed to delete
C:\WINNT\system32\ehuujyyl.dll
C:\WINNT\system32\mjbouhoa.dll
C:\WINNT\system32\mxnjxewq.dll
C:\WINNT\system32\rqronno.dll
C:\WINNT\system32\rwintndt.exe
C:\WINNT\system32\T1QaSQ
C:\WINNT\system32\T5
C:\WINNT\system32\T6
C:\WINNT\system32\tmp.reg
C:\WINNT\system32\TQ0
C:\WINNT\system32\winpfz32.sys
C:\WINNT\yjrnohk.exe
C:\WINNT\yjrnohkA.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\core


((((((((((((((((((((((((( Files Created from 2007-05-09 to 2007-06-09 )))))))))))))))))))))))))))))))


2007-06-09 13:22 <DIR> d-------- C:\TEMP\tn3
2007-06-09 12:55 131,124 --a------ C:\WINNT\system32\ntvyftsh.dll
2007-06-09 12:47 49,152 --a------ C:\WINNT\nircmd.exe
2007-06-08 16:30 14 --a------ C:\getfile.dat
2007-06-07 23:58 14 --a------ C:\WINNT\system32\getfile.dat
2007-06-07 20:35 53,248 --a------ C:\WINNT\system32\Process.exe
2007-06-07 20:35 51,200 --a------ C:\WINNT\system32\dumphive.exe
2007-06-07 20:35 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
2007-06-07 17:42 <DIR> d-------- C:\Program Files\CCleaner
2007-06-07 17:41 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-07 17:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-07 17:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-06 22:14 6,010,424 --a------ C:\TEMP\Firefox Setup 2.0.0.4.exe
2007-06-06 21:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-06 21:34 72,832 --------- C:\WINNT\system32\drivers\core.sys
2007-06-04 15:18 9,344 --a------ C:\WINNT\system32\drivers\NSDriver.sys
2007-06-04 15:17 7,808 --a------ C:\WINNT\system32\drivers\AWRTRD.sys
2007-06-04 15:14 5,376 --a------ C:\WINNT\system32\drivers\AWRTPD.sys
2007-05-23 17:46 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
2007-05-23 17:46 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-05-23 17:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-05-23 17:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-05-23 17:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-05-09 22:15 <DIR> d-------- C:\DOCUME~1\sarena1\APPLIC~1\TVU Networks
2007-05-09 20:00 <DIR> d-------- C:\Program Files\SopCast
2007-05-09 20:00 <DIR> d-------- C:\DOCUME~1\sarena1\APPLIC~1\SopCast
2007-05-09 19:26 35,018,418 --a------ C:\TEMP\Sambal.Baj.P2P.TV-Pack.1.6.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-09 19:34:58 -------- d-----w C:\Program Files\McAfee.com
2007-06-08 00:43:16 -------- d-----w C:\Program Files\Yahoo!
2007-06-07 05:42:31 -------- d-----w C:\Program Files\Trillian
2007-06-07 05:39:42 -------- d-----w C:\Program Files\MyWay
2007-05-24 01:02:10 -------- d-----w C:\Program Files\AIM95
2007-05-24 00:44:26 335 ----a-w C:\WINNT\nsreg.dat
2007-05-23 03:57:47 -------- d-----w C:\Program Files\HomeKeylogger
2007-05-10 05:16:08 -------- d-----w C:\Program Files\TVU Player
2007-04-13 22:19:52 7,680 ----a-w C:\WINNT\system32\lsdelete.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [06-10-26 10:28 ]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [05-05-31 01:04 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDMCon"="C:\Program Files\Softwin\BitDefender8\bdmcon.exe" [05-06-20 12:10 ]
"BDNewsAgent"="C:\Program Files\Softwin\BitDefender8\bdnagent.exe" [05-05-09 12:19 ]
"NvCplDaemon"="C:\WINNT\System32\NvCpl.dll" [04-08-25 14:14 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

*Newly Created Service* - CORE

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-09 13:26:24
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-09 13:27:03 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-06-09 13:26
C:\ComboFix2.txt ... 07-06-09 12:47

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 1:28:13 PM, on 6/9/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\gearsec.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINNT\Explorer.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\system32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Edited by sail0rm00n, 09 June 2007 - 03:35 PM.


#6 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 09 June 2007 - 03:49 PM

Hi,

First of all, check and fix next entries in HijackThis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

Then,

Let's get rid of it manually in safe mode, since it won't run there..

* Reboot into Safe Mode (without networking support!)
To get into the Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.

In safe mode, delete next file and folders:

C:\TEMP\tn3 <== folder
C:\WINNT\system32\ntvyftsh.dll <== file
C:\WINNT\system32\drivers\core.sys <== file
C:\Program Files\HomeKeylogger <== folder

Reboot back to normal mode and move the ComboFix-Do.txt from your D:\ to your desktop, because you are using two separate drives for a fix and this may interfere.
Then, drag the ComboFix-Do.txt present on your desktop into the Combofix.exe

Then post the log in your next reply together with a new HijackThislog

Edited by miekiemoes, 09 June 2007 - 03:50 PM.


#7 sail0rm00n

  • Topic Starter

  • Members
  • 8 posts

Posted 09 June 2007 - 04:10 PM

"sarena1" - 06/09/2007 13:59:46 Service Pack 4 NTFS
Command switches used :: ""C:\Documents and Settings\sarena1\Desktop\ComboFix-Do.txt""


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\drivers\core.cache.dsk


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\core


((((((((((((((((((((((((( Files Created from 2007-05-09 to 2007-06-09 )))))))))))))))))))))))))))))))


2007-06-09 12:47 49,152 --a------ C:\WINNT\nircmd.exe
2007-06-08 16:30 14 --a------ C:\getfile.dat
2007-06-07 23:58 14 --a------ C:\WINNT\system32\getfile.dat
2007-06-07 20:35 53,248 --a------ C:\WINNT\system32\Process.exe
2007-06-07 20:35 51,200 --a------ C:\WINNT\system32\dumphive.exe
2007-06-07 20:35 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
2007-06-07 17:42 <DIR> d-------- C:\Program Files\CCleaner
2007-06-07 17:41 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-07 17:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-07 17:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-06 22:14 6,010,424 --a------ C:\TEMP\Firefox Setup 2.0.0.4.exe
2007-06-06 21:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-04 15:18 9,344 --a------ C:\WINNT\system32\drivers\NSDriver.sys
2007-06-04 15:17 7,808 --a------ C:\WINNT\system32\drivers\AWRTRD.sys
2007-06-04 15:14 5,376 --a------ C:\WINNT\system32\drivers\AWRTPD.sys
2007-05-23 17:46 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
2007-05-23 17:46 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-05-23 17:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-05-23 17:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-05-23 17:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-05-09 22:15 <DIR> d-------- C:\DOCUME~1\sarena1\APPLIC~1\TVU Networks
2007-05-09 20:00 <DIR> d-------- C:\Program Files\SopCast
2007-05-09 20:00 <DIR> d-------- C:\DOCUME~1\sarena1\APPLIC~1\SopCast
2007-05-09 19:26 35,018,418 --a------ C:\TEMP\Sambal.Baj.P2P.TV-Pack.1.6.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-09 19:34:58 -------- d-----w C:\Program Files\McAfee.com
2007-06-08 00:43:16 -------- d-----w C:\Program Files\Yahoo!
2007-06-07 05:42:31 -------- d-----w C:\Program Files\Trillian
2007-06-07 05:39:42 -------- d-----w C:\Program Files\MyWay
2007-05-24 01:02:10 -------- d-----w C:\Program Files\AIM95
2007-05-24 00:44:26 335 ----a-w C:\WINNT\nsreg.dat
2007-05-10 05:16:08 -------- d-----w C:\Program Files\TVU Player
2007-04-13 22:19:52 7,680 ----a-w C:\WINNT\system32\lsdelete.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [06-10-26 10:28 ]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [05-05-31 01:04 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDMCon"="C:\Program Files\Softwin\BitDefender8\bdmcon.exe" [05-06-20 12:10 ]
"BDNewsAgent"="C:\Program Files\Softwin\BitDefender8\bdnagent.exe" [05-05-09 12:19 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-09 14:04:35
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-09 14:05:15 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-06-09 14:05
C:\ComboFix2.txt ... 07-06-09 13:27
C:\ComboFix3.txt ... 07-06-09 12:47

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 2:06:05 PM, on 6/9/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\gearsec.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINNT\Explorer.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\system32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#8 miekiemoes


Posted 09 June 2007 - 04:22 PM

Hi,

That worked.

Check and fix next entries in HijackThis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

Let me know in your next reply how things are now...
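As an added illustration (not the forum's, HijackThis's or ComboFix's own code) of turning a HijackThis log like the one above into something triageable: a small Python parser that pulls out the R0/O2/O4/O23 entry lines and flags two kinds of them. The flagging rules are my own assumptions, not the helper's stated reasoning: a Local Page that lies outside the Windows directory seen in the process list (here C:\WINNT) and O23 services HijackThis itself marked "(file missing)".

```python
import re

# Constructed sample in HijackThis v1.99.1 log format, echoing the entries
# posted in this thread (trimmed; not a real scan of any machine).
SAMPLE_LOG = r"""
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\Explorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\system32\gearsec.exe
"""

# HijackThis entry lines start with a section code (R0, O2, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


def windows_dir(log):
    """Infer the Windows directory from the Explorer.exe path in the
    'Running processes' block (assumption: Explorer lives in %WINDIR%)."""
    for line in log.splitlines():
        if line.lower().endswith(r"\explorer.exe"):
            return line.rsplit("\\", 1)[0]
    return None


def parse_entries(log):
    """Return (section, body) tuples for every HijackThis entry line."""
    out = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def flag_entries(log):
    """Triage heuristics (assumed, not HijackThis rules): R0 Local Page paths
    outside the Windows directory, and O23 services whose binary is missing."""
    windir = windows_dir(log)
    flagged = []
    for section, body in parse_entries(log):
        if section == "R0" and "Local Page" in body:
            target = body.split("=", 1)[1].strip()
            if windir and not target.lower().startswith(windir.lower() + "\\"):
                flagged.append((section, body, "Local Page outside " + windir))
        elif section == "O23" and "(file missing)" in body:
            flagged.append((section, body, "service binary missing"))
    return flagged
```

Run `flag_entries(SAMPLE_LOG)` to see the two R0 lines and the bdss service surface; a "(file missing)" service is usually a stale uninstall leftover rather than malware, so it is a prompt to verify, not a verdict.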

#9 sail0rm00n


Posted 09 June 2007 - 04:36 PM

I ran spybot search and destroy and it found 1 entry of smitfraud-c toolbar888.
I clicked on the fix problem button and it seemed to have taken care of it.
I am now going to restart Windows and play around with Internet Explorer to see if I get any random pop-ups.

#10 miekiemoes


Posted 09 June 2007 - 04:39 PM

Everything should be ok now.
It is normal that scanners will still find some leftovers, but this time they should be able to delete them, since we deleted the active malware and anything else malware-related I could see in the logs.


Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!

#11 sail0rm00n


Posted 09 June 2007 - 04:40 PM

It seems as if everything is okay again. Thanks a lot for your help! I really appreciate it!

#12 miekiemoes


Posted 09 June 2007 - 04:42 PM

You're welcome :thumbsup:

#13 miekiemoes


Posted 10 June 2007 - 04:59 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



