TechSpot

Malware-gen infection

By badnews_BH
Jun 25, 2008
Topic Status:
Not open for further replies.
  1. Hi, all. My apologies for repeating on this subject; I noticed several other people had this infection, but it seemed like a separate thread would make more sense.

    As indicated, Avast is telling me "Malware-gen" has infected my PC (that'll teach me to pay more attention to where I click...). Basically, on each restart of the PC, I'm getting a warning that a VB script is attempting to run, but failing, and Avast recognizes the file as a Trojan, I believe. I'm also getting what I'd describe as artificial Blue Screens of Death; each time I restart, and often after the PC sits idle for a few minutes, I'll get notified that a random SYS file is having a random error that requires a restart, but hitting a key on the keyboard is enough to make the screen disappear and the machine continues to run as normal.

    I've gone through all the steps indicated in the "Viruses/Spyware/Malware, preliminary removal instructions" thread, and the problem persists. Panda Antirootkit found no issues. Here is the log from HiJackThis; I'm positive that "lphc530j0elel.exe" is part of the infection, as it didn't appear until after I got infected and has been stopped by ZoneAlarm from accessing the Internet. Any assistance you could offer would be greatly appreciated. Thanks.
     
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Where is your combofix or DSS log?
     
  3. badnews_BH

    badnews_BH TS Rookie Topic Starter

    Oops, sorry about that. Here we go.
     
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Ok, before we start fixing, we are going to upload that file and see if anybody has definitions on it yet. If not, then I am going to have you send it to the people who make some of the tools we use for removal so they can analyze it.


    Upload a File to Virustotal
    Please visit Virustotal found HERE
    • Click the Browse... button
    • Navigate to the file C:\WINDOWS\system32\lphc530j0elel.exe
    • Click the Open button
    • Click the Send button
    • Copy and paste the results back here please.
     
  5. badnews_BH

    badnews_BH TS Rookie Topic Starter

    Okay, here's what VirusTotal tells me.

    MD5: 759f0ea99bc877c89d296c9aead8d16a
    First received: 06.25.2008 17:32:56 (CET)
    Date: 06.25.2008 17:32:59 (CET) [+1D]
    Results: 8/33

    Here are the results from the link...

    Antivirus Version Last Update Result
    AhnLab-V3 2008.6.25.0 2008.06.25 -
    AntiVir 7.8.0.59 2008.06.25 TR/Vundo.Gen
    Authentium 5.1.0.4 2008.06.24 -
    Avast 4.8.1195.0 2008.06.25 -
    AVG 7.5.0.516 2008.06.25 -
    BitDefender 7.2 2008.06.25 Trojan.Peed.JNF
    CAT-QuickHeal 9.50 2008.06.25 (Suspicious) - DNAScan
    ClamAV 0.93.1 2008.06.25 -
    DrWeb 4.44.0.09170 2008.06.25 Trojan.Packed.512
    eSafe 7.0.17.0 2008.06.25 Suspicious File
    eTrust-Vet 31.6.5904 2008.06.25 -
    Ewido 4.0 2008.06.25 -
    F-Prot 4.4.4.56 2008.06.24 -
    F-Secure 7.60.13501.0 2008.06.24 -
    Fortinet 3.14.0.0 2008.06.25 -
    GData 2.0.7306.1023 2008.06.25 -
    Ikarus T3.1.1.26.0 2008.06.25 -
    Kaspersky 7.0.0.125 2008.06.25 -
    McAfee 5324 2008.06.24 -
    Microsoft 1.3604 2008.06.25 Trojan:Win32/Tibs.GK
    NOD32v2 3218 2008.06.25 -
    Norman 5.80.02 2008.06.24 -
    Panda 9.0.0.4 2008.06.25 -
    Prevx1 V2 2008.06.25 Cloaked Malware
    Rising 20.50.22.00 2008.06.25 -
    Sophos 4.30.0 2008.06.25 -
    Sunbelt 3.0.1153.1 2008.06.15 -
    Symantec 10 2008.06.25 -
    TheHacker 6.2.92.361 2008.06.25 -
    TrendMicro 8.700.0.1004 2008.06.25 -
    VBA32 3.12.6.8 2008.06.25 -
    VirusBuster 4.5.11.0 2008.06.23 -
    Webwasher-Gateway 6.6.2 2008.06.25 Trojan.Vundo.Gen
    Additional information
    File size: 109056 bytes
    MD5...: 759f0ea99bc877c89d296c9aead8d16a
    SHA1..: 67b7ee7de57f60b59ff649b585c404088856a49c
    SHA256: a35979501e421dfd9d00c1a266ec344169a062d23fe8aabe56b02a7de255beb1
    SHA512: 921500bb22275e7d1b0ebf0cc246012168c9b77c985a5be23d1146b7e79fb46e521360e506bc1f0b6a41e74c220f83472123f7ce0ef24d0865c2020c1cae37e3
    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x401487
    timedatestamp.....: 0x485d33e9 (Sat Jun 21 17:01:29 2008)
    machinetype.......: 0x14c (I386)

    ( 4 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x8c32 0x6000 7.99 3792bff670ad9dc8e85b5f52bccf2f86
    .rdata 0xa000 0x2f89 0x1400 7.96 ce857a7a0f1f7f2b71f3538f7ae594b4
    .data 0xd000 0x25ee6 0x11200 8.00 584baef8cdfc1a4f8e49ca56e59adfe1
    .rsrc 0x33000 0x2000 0x2000 5.35 d22de19e464757f0d6e1f76a98a9d4d2

    ( 3 imports )
    > user32.dll: DdePostAdvise, CascadeWindows, ClientToScreen
    > msvcrt.dll: _mbccpy, _mbctombb, _mbsdec, _pctype, _snprintf, _snwprintf
    > kernel32.dll: CompareFileTime, CopyFileW, CreateThread, DefineDosDeviceW, EnumResourceTypesW, GetCommConfig, GetConsoleWindow, GetDateFormatW

    ( 0 exports )
    Prevx info: http[...]info.prevx.com/aboutprogramtext.asp?PX5=FB6F2A9200B0D8C7AAD501D35D4B6100CD282058
     
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Looks like my antivirus already has definitions on it.


    Let's give Malwarebytes Anti Malware a try and if it can't remove it then we will do it manually.

    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please attach this log with your reply.
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
     
  7. badnews_BH

    badnews_BH TS Rookie Topic Starter

    Hello again. MBAM found the issue and tried to fix it, but I'm still getting issues on startup. Avast is still detecting VB script activity, and knows it's a virus, although it seemed that MBAM was catching the phony BSoD before it happened and stopped that activity. Here's the log from the scan.

    Malwarebytes' Anti-Malware 1.18
    Database version: 894

    6:51:19 PM 26/06/2008
    mbam-log-6-26-2008 (18-51-19).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 107985
    Time elapsed: 23 minute(s), 17 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Bill\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Bill\Local Settings\Temp\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Bill\Local Settings\Temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
     
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    After this we need to update java and run an online scan.

    We need to disable teatimer for this to work -

    Disable Teatimer
    • Right click the Spybot -SD Resident Icon located in your system tray, Select Exit Spybot - S&D Resident
    • Open Spybot S&D
    • Click on Mode at the top and make sure that Advanced is checked
    • Expand the Tools tab in the left pane
    • Single click on the Resident Icon also in the left pane
    • Uncheck Resident "TeaTimer" (Protection of over-all system settings) Active
    • Close Spybot

    ------------------------------------------------------------------------

    Run CFScript

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* Make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.


    This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
     
  9. badnews_BH

    badnews_BH TS Rookie Topic Starter

    I didn't see any virus activity this time, so the ComboFix run may well have solved the problem. Here's the log, posted in two sections due to length...



    ComboFix 08-06-20.4 - Bill 2008-06-26 19:40:32.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.548 [GMT -3:00]
    Running from: C:\Documents and Settings\Bill\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Bill\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\system32\blphc530j0elel.scr
    C:\WINDOWS\system32\lphc530j0elel.exe
    C:\WINDOWS\system32\phc530j0elel.bmp
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\blphc530j0elel.scr
    C:\WINDOWS\system32\lphc530j0elel.exe
    C:\WINDOWS\system32\phc530j0elel.bmp

    .
    ((((((((((((((((((((((((( Files Created from 2008-05-26 to 2008-06-26 )))))))))))))))))))))))))))))))
    .

    2008-06-26 18:26 . 2008-06-26 18:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-26 18:26 . 2008-06-26 18:26 <DIR> d-------- C:\Documents and Settings\Bill\Application Data\Malwarebytes
    2008-06-26 18:26 . 2008-06-26 18:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-26 18:26 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-26 18:26 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-25 18:46 . 2008-06-25 18:46 <DIR> d-------- C:\VundoFix Backups
    2008-06-25 18:11 . 2008-06-25 18:18 1,864 --a------ C:\WINDOWS\system32\tmp.reg
    2008-06-25 17:56 . 2008-06-25 17:56 <DIR> d-------- C:\Program Files\CCleaner
    2008-06-25 17:52 . 2008-06-25 17:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-06-25 17:46 . 2008-06-25 17:46 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-06-25 17:46 . 2008-06-25 18:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-25 16:39 . 2008-06-25 16:39 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-06-25 16:39 . 2008-06-25 16:39 <DIR> d-------- C:\Documents and Settings\Bill\Application Data\SUPERAntiSpyware.com
    2008-06-25 16:39 . 2008-06-25 16:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-06-25 16:36 . 2008-06-25 16:36 <DIR> d-------- C:\Program Files\Trend Micro
    2008-06-25 14:32 . 2008-06-25 16:35 <DIR> d-------- C:\Documents and Settings\Bill\.housecall6.6
    2008-06-23 18:46 . 2008-06-23 18:47 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-06-23 18:42 . 2008-06-25 22:08 <DIR> d-------- C:\SDFix
    2008-06-15 13:13 . 2008-06-15 13:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NannyMania
    2008-06-15 13:12 . 2008-06-15 13:38 <DIR> d-------- C:\Program Files\NannyMania_at
    2008-06-10 21:02 . 2008-06-13 10:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-10 21:02 . 2008-06-13 10:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-26 22:43 6,377,504 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
    2008-06-26 22:09 --------- d-----w C:\Documents and Settings\Bill\Application Data\OpenOffice.org2
    2008-06-26 22:08 17,408 ----a-w C:\WINDOWS\system32\drivers\USBCRFT.SYS
    2008-06-26 22:07 75,380 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
    2008-06-26 18:37 --------- d-----w C:\Program Files\City of Heroes
    2008-06-26 01:02 13,917,360 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
    2008-06-26 01:01 2,903,040 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
    2008-06-25 20:52 --------- d-----w C:\Program Files\Lavasoft
    2008-06-25 20:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-06-24 01:01 --------- d-----w C:\Program Files\BurgerIsland_at
    2008-06-22 20:17 --------- d-----w C:\Documents and Settings\Al & Paul\Application Data\OpenOffice.org2
    2008-06-15 16:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-06-09 22:27 --------- d-----w C:\Program Files\World of Warcraft
    2008-05-21 00:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-05-20 06:36 --------- d-----w C:\Program Files\Lavalys
    2008-05-16 14:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2008-05-15 09:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\media center programs
    2008-05-15 08:43 --------- d-----w C:\Program Files\Funcom
    2008-05-15 08:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Funcom
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-04-29 14:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2008-04-29 14:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
    2008-04-29 14:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
    2008-04-28 00:58 1,462 ----a-w C:\Documents and Settings\Bill\Application Data\wklnhst.dat
    2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
    2006-08-20 22:05 168 ----a-w C:\Documents and Settings\Al & Paul\Application Data\wklnhst.dat
    2005-09-09 16:04 56 --sh--r C:\WINDOWS\system32\02836ADAB6.sys
    2005-09-09 16:04 5,018 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-06-25_19.32.11.00 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-25 22:00:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-26 22:08:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    - 2008-06-23 21:47:23 4,022,272 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
    + 2008-06-26 00:55:42 4,685,824 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
    - 2008-06-23 21:47:23 237,568 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
    + 2008-06-26 00:55:42 237,568 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
    + 2008-06-26 22:08:08 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4d4.dat
    .
     
  10. badnews_BH

    badnews_BH TS Rookie Topic Starter

    Part 2...



    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 09:00 15360]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-03 20:06 68856]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 08:04 59392]
    "CHotkey"="mHotkey.exe" [2004-02-24 16:05 508416 C:\WINDOWS\mHotkey.exe]
    "ledpointer"="CNYHKey.exe" [2004-02-03 19:15 5794816 C:\WINDOWS\CNYHKey.exe]
    "Cmaudio"="cmicnfg.cpl,CMICtrlWnd" []
    "Dit"="Dit.exe" [2004-07-20 20:18 90112 C:\WINDOWS\Dit.exe]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50 155648]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 20:19 79224]
    "AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2004-02-25 10:04 496752]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-26 19:35 8523776]
    "nwiz"="nwiz.exe" [2007-12-26 19:35 1626112 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-26 19:35 81920]
    "lphc530j0elel"="C:\WINDOWS\system32\lphc530j0elel.exe" [ ]

    C:\Documents and Settings\Al & Paul\Start Menu\Programs\Startup\
    OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 16:54:56 393216]

    C:\Documents and Settings\Bill\Start Menu\Programs\Startup\
    OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 16:54:56 393216]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-06-24 23:51:01 113664]
    Event Reminder.lnk - C:\Program Files\Broderbund\PrintMaster\pmremind.exe [2007-04-10 19:20:25 331776]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\AOL 9.0\\AOL.exe"=
    "C:\\Program Files\\AOL 9.0\\WAOL.exe"=
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLACSD.exe"=
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDIAL.exe"=
    "C:\\WINDOWS\\system32\\fxsclnt.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Downloads\\utorrent.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "67:UDP"= 67:UDP:DHCP Discovery Service

    R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 20:20]
    R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 20:16]
    R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys [2005-05-12 09:39]
    R3 UKBFLT;UKBFLT;C:\WINDOWS\system32\DRIVERS\UKBFLT.sys [2003-12-19 20:13]
    S3 CardReaderFilter;Card Reader Filter;C:\WINDOWS\system32\Drivers\USBCRFT.SYS [2008-06-26 19:08]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{603ddb3c-3668-11dc-b88f-00038a000015}]
    \Shell\AutoRun\command - J:\LaunchU3.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-06-26 18:20:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-26 19:43:28
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-06-26 19:44:43
    ComboFix-quarantined-files.txt 2008-06-26 22:44:38
    ComboFix2.txt 2008-06-25 22:32:35

    Pre-Run: 267,991,093,248 bytes free
    Post-Run: 267,970,912,256 bytes free

    173 --- E O F --- 2008-06-20 07:17:21
     
  11. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    You didn't disable teatimer and the registry entry is still there, though the file has been deleted.

    Disable Teatimer
    • Right click the Spybot -SD Resident Icon located in your system tray, Select Exit Spybot - S&D Resident
    • Open Spybot S&D
    • Click on Mode at the top and make sure that Advanced is checked
    • Expand the Tools tab in the left pane
    • Single click on the Resident Icon also in the left pane
    • Uncheck Resident "TeaTimer" (Protection of over-all system settings) Active
    • Close Spybot

    Run CFScript

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* Make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.


    This will start ComboFix again. After reboot (in case it asks to reboot), attach Combofix.txt in your next reply together with a fresh HJT log.
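The check Blind Dragon makes by eye in the post above (the Run value for lphc530j0elel is still present although ComboFix deleted the file, shown by the empty `[ ]` bracket) can be automated over the "Reg Loading Points" section of a ComboFix log. The script below is an added example, not code from the thread or from ComboFix; it assumes the line layout seen in the logs here (`"name"="target" [date time size [resolved path]]`), and its sample input is an excerpt of the posted log plus one constructed line to exercise the "recently written target" check.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log (added example).

Two things a malware-removal helper looks for in the Run keys:
  * a value whose metadata bracket is empty ("[ ]" or "[]"): ComboFix could not
    stat the target, so the autorun points at a file that no longer exists and
    the registry value itself still has to be removed;
  * a target file written shortly before the log was taken, which deserves a
    second look while an infection is being cleaned up.
"""
import re
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import List, Optional

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
EXEC_EXT = ('.exe', '.scr', '.dll', '.com', '.pif', '.bat', '.cmd')

# Excerpt of the ComboFix log posted in this thread; the final "FakeUpdater"
# line is constructed for illustration and is not from the log.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 09:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CHotkey"="mHotkey.exe" [2004-02-24 16:05 508416 C:\WINDOWS\mHotkey.exe]
"Cmaudio"="cmicnfg.cpl,CMICtrlWnd" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 20:19 79224]
"lphc530j0elel"="C:\WINDOWS\system32\lphc530j0elel.exe" [ ]
"FakeUpdater"="C:\WINDOWS\system32\fakeupd.exe" [2008-06-24 12:00 109056]
'''


@dataclass
class Autorun:
    key: str
    name: str
    value: str
    mtime: Optional[datetime] = None      # timestamp ComboFix recorded for the target
    size: Optional[int] = None
    resolved_path: Optional[str] = None   # full path when the value was a bare file name
    findings: List[str] = field(default_factory=list)

    @property
    def target_exists(self) -> bool:
        # ComboFix only fills the bracket when it could stat the file.
        return self.mtime is not None


def parse_loading_points(text: str) -> List[Autorun]:
    """Turn the Run-key block of a ComboFix log into Autorun records."""
    entries: List[Autorun] = []
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = ENTRY_RE.match(line)
        if not m or key is None:
            continue
        entry = Autorun(key=key, name=m.group('name'), value=m.group('value'))
        tokens = m.group('meta').split()
        if len(tokens) >= 3:
            entry.mtime = datetime.strptime(f"{tokens[0]} {tokens[1]}", "%Y-%m-%d %H:%M")
            entry.size = int(tokens[2])
            if len(tokens) > 3:
                entry.resolved_path = ' '.join(tokens[3:])
        entries.append(entry)
    return entries


def triage(entries: List[Autorun], log_date: date, recent_days: int = 14) -> List[Autorun]:
    """Attach findings to suspicious autoruns and return only those flagged."""
    flagged = []
    for e in entries:
        # Drop a ",EntryPoint" suffix so rundll-style values are judged by their file part.
        target = e.value.lower().split(',')[0]
        looks_like_file = target.endswith(EXEC_EXT)
        if not e.target_exists and looks_like_file:
            e.findings.append('orphaned autorun: target file missing, registry value remains')
        elif not e.target_exists:
            e.findings.append('unresolved target (not a plain executable path); review manually')
        if e.mtime and abs((log_date - e.mtime.date()).days) <= recent_days:
            e.findings.append(f'target written within {recent_days} days of the log')
        if e.findings:
            flagged.append(e)
    return flagged


def report(flagged: List[Autorun]) -> List[str]:
    """Human-readable lines, one per finding, for pasting into a reply."""
    lines = []
    for e in flagged:
        for f in e.findings:
            lines.append(f'{e.key}\\{e.name} -> {e.value}: {f}')
    return lines


if __name__ == '__main__':
    for line in report(triage(parse_loading_points(SAMPLE_LOG), date(2008, 6, 26))):
        print(line)
```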
     
     
  12. badnews_BH

    badnews_BH TS Rookie Topic Starter

    Oops, sorry about that. I had turned it off, but Tea Timer was set to not let the registry change happen. :p

    Here are the logs...


    ComboFix 08-06-20.4 - Bill 2008-06-26 20:39:28.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.579 [GMT -3:00]
    Running from: C:\Documents and Settings\Bill\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Bill\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-05-26 to 2008-06-26 )))))))))))))))))))))))))))))))
    .

    2008-06-26 18:26 . 2008-06-26 18:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-26 18:26 . 2008-06-26 18:26 <DIR> d-------- C:\Documents and Settings\Bill\Application Data\Malwarebytes
    2008-06-26 18:26 . 2008-06-26 18:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-26 18:26 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-26 18:26 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-25 18:46 . 2008-06-25 18:46 <DIR> d-------- C:\VundoFix Backups
    2008-06-25 18:11 . 2008-06-25 18:18 1,864 --a------ C:\WINDOWS\system32\tmp.reg
    2008-06-25 17:56 . 2008-06-25 17:56 <DIR> d-------- C:\Program Files\CCleaner
    2008-06-25 17:52 . 2008-06-25 17:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-06-25 17:46 . 2008-06-25 17:46 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-06-25 17:46 . 2008-06-25 18:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-25 16:39 . 2008-06-25 16:39 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-06-25 16:39 . 2008-06-25 16:39 <DIR> d-------- C:\Documents and Settings\Bill\Application Data\SUPERAntiSpyware.com
    2008-06-25 16:39 . 2008-06-25 16:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-06-25 16:36 . 2008-06-25 16:36 <DIR> d-------- C:\Program Files\Trend Micro
    2008-06-25 14:32 . 2008-06-25 16:35 <DIR> d-------- C:\Documents and Settings\Bill\.housecall6.6
    2008-06-23 18:46 . 2008-06-23 18:47 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-06-23 18:42 . 2008-06-25 22:08 <DIR> d-------- C:\SDFix
    2008-06-15 13:13 . 2008-06-15 13:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NannyMania
    2008-06-15 13:12 . 2008-06-15 13:38 <DIR> d-------- C:\Program Files\NannyMania_at
    2008-06-10 21:02 . 2008-06-13 10:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-10 21:02 . 2008-06-13 10:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-26 23:42 6,410,272 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
    2008-06-26 22:48 --------- d-----w C:\Documents and Settings\Bill\Application Data\OpenOffice.org2
    2008-06-26 22:47 17,408 ----a-w C:\WINDOWS\system32\drivers\USBCRFT.SYS
    2008-06-26 22:46 75,836 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
    2008-06-26 18:37 --------- d-----w C:\Program Files\City of Heroes
    2008-06-26 01:02 13,917,360 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
    2008-06-26 01:01 2,903,040 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
    2008-06-25 20:52 --------- d-----w C:\Program Files\Lavasoft
    2008-06-25 20:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-06-24 01:01 --------- d-----w C:\Program Files\BurgerIsland_at
    2008-06-22 20:17 --------- d-----w C:\Documents and Settings\Al & Paul\Application Data\OpenOffice.org2
    2008-06-15 16:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-06-09 22:27 --------- d-----w C:\Program Files\World of Warcraft
    2008-05-21 00:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-05-20 06:36 --------- d-----w C:\Program Files\Lavalys
    2008-05-16 14:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2008-05-15 09:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\media center programs
    2008-05-15 08:43 --------- d-----w C:\Program Files\Funcom
    2008-05-15 08:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Funcom
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-04-29 14:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2008-04-29 14:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
    2008-04-29 14:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
    2008-04-28 00:58 1,462 ----a-w C:\Documents and Settings\Bill\Application Data\wklnhst.dat
    2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
    2006-08-20 22:05 168 ----a-w C:\Documents and Settings\Al & Paul\Application Data\wklnhst.dat
    2005-09-09 16:04 56 --sh--r C:\WINDOWS\system32\02836ADAB6.sys
    2005-09-09 16:04 5,018 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-06-25_19.32.11.00 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-25 22:00:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-26 22:47:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    - 2008-06-23 21:47:23 4,022,272 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
    + 2008-06-26 00:55:42 4,685,824 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
    - 2008-06-23 21:47:23 237,568 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
    + 2008-06-26 00:55:42 237,568 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
    + 2008-06-26 22:47:31 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4e8.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
     
  13. badnews_BH

    badnews_BH TS Rookie Topic Starter

    Part 2 of ComboFix...



    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 09:00 15360]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-03 20:06 68856]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 08:04 59392]
    "CHotkey"="mHotkey.exe" [2004-02-24 16:05 508416 C:\WINDOWS\mHotkey.exe]
    "ledpointer"="CNYHKey.exe" [2004-02-03 19:15 5794816 C:\WINDOWS\CNYHKey.exe]
    "Cmaudio"="cmicnfg.cpl,CMICtrlWnd" []
    "Dit"="Dit.exe" [2004-07-20 20:18 90112 C:\WINDOWS\Dit.exe]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50 155648]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 20:19 79224]
    "AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2004-02-25 10:04 496752]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-26 19:35 8523776]
    "nwiz"="nwiz.exe" [2007-12-26 19:35 1626112 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-26 19:35 81920]

    C:\Documents and Settings\Al & Paul\Start Menu\Programs\Startup\
    OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 16:54:56 393216]

    C:\Documents and Settings\Bill\Start Menu\Programs\Startup\
    OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 16:54:56 393216]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-06-24 23:51:01 113664]
    Event Reminder.lnk - C:\Program Files\Broderbund\PrintMaster\pmremind.exe [2007-04-10 19:20:25 331776]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\AOL 9.0\\AOL.exe"=
    "C:\\Program Files\\AOL 9.0\\WAOL.exe"=
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLACSD.exe"=
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDIAL.exe"=
    "C:\\WINDOWS\\system32\\fxsclnt.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Downloads\\utorrent.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "67:UDP"= 67:UDP:DHCP Discovery Service

    R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 20:20]
    R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 20:16]
    R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys [2005-05-12 09:39]
    R3 UKBFLT;UKBFLT;C:\WINDOWS\system32\DRIVERS\UKBFLT.sys [2003-12-19 20:13]
    S3 CardReaderFilter;Card Reader Filter;C:\WINDOWS\system32\Drivers\USBCRFT.SYS [2008-06-26 19:47]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{603ddb3c-3668-11dc-b88f-00038a000015}]
    \Shell\AutoRun\command - J:\LaunchU3.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-06-26 18:20:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-26 20:42:14
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\explorer.exe
    -> C:\WINDOWS\HKCYDLL.dll
    .
    Completion time: 2008-06-26 20:43:32
    ComboFix-quarantined-files.txt 2008-06-26 23:43:26
    ComboFix2.txt 2008-06-26 22:44:45
    ComboFix3.txt 2008-06-25 22:32:35

    Pre-Run: 268,353,785,856 bytes free
    Post-Run: 268,330,893,312 bytes free

    166 --- E O F --- 2008-06-20 07:17:21
     
  14. badnews_BH

    badnews_BH TS Rookie Topic Starter

    HijackThis log...



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:44:11, on 26/06/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\mHotkey.exe
    C:\WINDOWS\CNYHKey.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\WINDOWS\Dit.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\Crusty.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.medionusa.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [Dit] Dit.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Event Reminder.lnk = ?
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.medionusa.com/
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125069054531
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125341811953
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.arcadetown.com/swf/deliciousdeluxe2/zylomplayer.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.27.5/ttinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
    O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 9905 bytes
     
  15. dustin_ds3000

    dustin_ds3000 TechSpot Chancellor Posts: 1,128

    I see that you have Avast installed; if I were you I would run a boot-time scan to make sure the infection is gone.
     
  16. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Remove bad HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):

      O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
      O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.

    ----------------------------------------------------------------------

    Update your Java Runtime Environment
    • Click the following link
      Java Runtime Environment 6 Update 6
    • The 5th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install, go to Start -> Control Panel -> Add/Remove Programs (Programs and Features), and uninstall any old versions
    • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_06 folder

    -----------------------------------------------------------------------

    Download and Run ATF Cleaner
    Download ATF Cleaner by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox or Opera:
    Click Firefox or Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.

    -----------------------------------------------------------------

    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
     
  17. badnews_BH

    badnews_BH TS Rookie Topic Starter

    Here's the report from Kaspersky.



    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Monday, June 30, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Monday, June 30, 2008 11:47:42
    Records in database: 898476
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\

    Scan statistics:
    Files scanned: 71972
    Threat name: 2
    Infected objects: 3
    Suspicious objects: 0
    Duration of the scan: 01:16:19


    File name / Threat name / Threats count
    C:\Downloads\ASRLSetup_download.exe Infected: not-a-virus:AdTool.Win32.VB.b 1
    C:\Downloads\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
    C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

    The selected area was scanned.
     
  18. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    You need to delete this one file then we can clean up and secure the work we did.

    C:\Downloads\ASRLSetup_download.exe

    -----------------------------------------------------

    Uninstall Combofix
    * Click START then RUN
    * Now type Combofix /u in the runbox
    * Make sure there's a space between Combofix and /u
    * Then hit Enter.

    * The above procedure will:
    * Delete the following:
    * ComboFix and its associated files and folders.
    * Reset the clock settings.
    * Hide file extensions, if required.
    * Hide System/Hidden files, if required.
    * Set a new, clean Restore Point.

    -----------------------------------------------------------------------

    OTCleanit! by Oldtimer
    • Download OTCleanIt
    • Click the CleanUp! button.
      • It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).

    ---------------------------------------------------------------------------

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    1. Set correct settings for files
      • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
      • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
      • If unchecked please check Hide protected operating system files (Recommended)
      • If necessary check "Display content of system folders"
      • If necessary Uncheck Hide file extensions for known file types.
      • Click OK

      Clear system restore points

      • This is a good time to clear your existing system restore points and establish a new clean restore point:
        • Go to Start > All Programs > Accessories > System Tools > System Restore
        • Select Create a restore point, and Ok it.
        • Next, go to Start > Run and type in cleanmgr
        • Select the More options tab
        • Choose the option to clean up system restore and OK it.
        This will remove all restore points except the new one you just created.

    2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialize and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    3. Use an AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

      See this link for a listing of some online and stand-alone antivirus programs:

      Virus, Spyware, and Malware Protection and Removal Resources

    4. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    5. Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls

    6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. In Vista this is done through Control Panel -> Windows Updates.

    7. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware

    8. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.

    Here are some additional utilities that will enhance your safety:

    • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
    • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
      Using Winpatrol to protect your computer from malicious software
     
  19. badnews_BH

    badnews_BH TS Rookie Topic Starter

    Thanks a lot, BD. Your help is much appreciated. :)
     