Malware-gen infection


badnews_BH

Hi, all. My apologies for repeating on this subject; I noticed several other people had this infection, but it seemed like a separate thread would make more sense.

As indicated, Avast is telling me "Malware-gen" has infected my PC (that'll teach me to pay more attention to where I click...). Basically, on each restart of the PC, I'm getting a warning that a VB script is attempting to run, but failing, and Avast recognizes the file as a Trojan, I believe. I'm also getting what I'd describe as artificial Blue Screens of Death; each time I restart, and often after the PC sits idle for a few minutes, I'll get notified that a random SYS file is having a random error that requires a restart, but hitting a key on the keyboard is enough to make the screen disappear and the machine continues to run as normal.

I've gone through all the steps indicated in the "Viruses/Spyware/Malware, preliminary removal instructions" thread, and the problem persists. Panda Antirootkit found no issues. Here is the log from HiJackThis; I'm positive that "lphc530j0elel.exe" is part of the infection, as it didn't appear until after I got infected and has been stopped by ZoneAlarm from accessing the Internet. Any assistance you could offer would be greatly appreciated. Thanks.
 
Ok, before we start fixing, we are going to upload that file and see if anybody has definitions on it yet. If not, then I am going to have you send it to the people who make some of the tools we use for removal so they can analyze it.


Upload a File to Virustotal
Please visit Virustotal found HERE
  • Click the Browse... button
  • Navigate to the file C:\WINDOWS\system32\lphc530j0elel.exe
  • Click the Open button
  • Click the Send button
  • Copy and paste the results back here please.
 
Okay, here's what VirusTotal tells me.

MD5: 759f0ea99bc877c89d296c9aead8d16a
First received: 06.25.2008 17:32:56 (CET)
Date: 06.25.2008 17:32:59 (CET) [+1D]
Results: 8/33

Here are the results from the link...

Antivirus Version Last Update Result
AhnLab-V3 2008.6.25.0 2008.06.25 -
AntiVir 7.8.0.59 2008.06.25 TR/Vundo.Gen
Authentium 5.1.0.4 2008.06.24 -
Avast 4.8.1195.0 2008.06.25 -
AVG 7.5.0.516 2008.06.25 -
BitDefender 7.2 2008.06.25 Trojan.Peed.JNF
CAT-QuickHeal 9.50 2008.06.25 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.06.25 -
DrWeb 4.44.0.09170 2008.06.25 Trojan.Packed.512
eSafe 7.0.17.0 2008.06.25 Suspicious File
eTrust-Vet 31.6.5904 2008.06.25 -
Ewido 4.0 2008.06.25 -
F-Prot 4.4.4.56 2008.06.24 -
F-Secure 7.60.13501.0 2008.06.24 -
Fortinet 3.14.0.0 2008.06.25 -
GData 2.0.7306.1023 2008.06.25 -
Ikarus T3.1.1.26.0 2008.06.25 -
Kaspersky 7.0.0.125 2008.06.25 -
McAfee 5324 2008.06.24 -
Microsoft 1.3604 2008.06.25 Trojan:Win32/Tibs.GK
NOD32v2 3218 2008.06.25 -
Norman 5.80.02 2008.06.24 -
Panda 9.0.0.4 2008.06.25 -
Prevx1 V2 2008.06.25 Cloaked Malware
Rising 20.50.22.00 2008.06.25 -
Sophos 4.30.0 2008.06.25 -
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.25 -
TheHacker 6.2.92.361 2008.06.25 -
TrendMicro 8.700.0.1004 2008.06.25 -
VBA32 3.12.6.8 2008.06.25 -
VirusBuster 4.5.11.0 2008.06.23 -
Webwasher-Gateway 6.6.2 2008.06.25 Trojan.Vundo.Gen
Additional information
File size: 109056 bytes
MD5...: 759f0ea99bc877c89d296c9aead8d16a
SHA1..: 67b7ee7de57f60b59ff649b585c404088856a49c
SHA256: a35979501e421dfd9d00c1a266ec344169a062d23fe8aabe56b02a7de255beb1
SHA512: 921500bb22275e7d1b0ebf0cc246012168c9b77c985a5be23d1146b7e79fb46e521360e506bc1f0b6a41e74c220f83472123f7ce0ef24d0865c2020c1cae37e3
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401487
timedatestamp.....: 0x485d33e9 (Sat Jun 21 17:01:29 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x8c32 0x6000 7.99 3792bff670ad9dc8e85b5f52bccf2f86
.rdata 0xa000 0x2f89 0x1400 7.96 ce857a7a0f1f7f2b71f3538f7ae594b4
.data 0xd000 0x25ee6 0x11200 8.00 584baef8cdfc1a4f8e49ca56e59adfe1
.rsrc 0x33000 0x2000 0x2000 5.35 d22de19e464757f0d6e1f76a98a9d4d2

( 3 imports )
> user32.dll: DdePostAdvise, CascadeWindows, ClientToScreen
> msvcrt.dll: _mbccpy, _mbctombb, _mbsdec, _pctype, _snprintf, _snwprintf
> kernel32.dll: CompareFileTime, CopyFileW, CreateThread, DefineDosDeviceW, EnumResourceTypesW, GetCommConfig, GetConsoleWindow, GetDateFormatW

( 0 exports )
Prevx info: http[...]info.prevx.com/aboutprogramtext.asp?PX5=FB6F2A9200B0D8C7AAD501D35D4B6100CD282058
 
Looks like my antivirus already has definitions on it.


Let's give Malwarebytes Anti Malware a try and if it can't remove it then we will do it manually.

Malwarebytes' Anti-Malware

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please attach this log with your reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
 
Hello again. MBAM found the issue and tried to fix it, but I'm still getting issues on startup. Avast is still detecting VB script activity, and knows it's a virus, although it seemed that MBAM was catching the phony BSoD before it happened and stopped that activity. Here's the log from the scan.

Malwarebytes' Anti-Malware 1.18
Database version: 894

6:51:19 PM 26/06/2008
mbam-log-6-26-2008 (18-51-19).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 107985
Time elapsed: 23 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Bill\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill\Local Settings\Temp\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill\Local Settings\Temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
 
After this we need to update java and run an online scan.

We need to disable teatimer for this to work -

Disable Teatimer
  • Right click the Spybot -SD Resident Icon located in your system tray, Select Exit Spybot - S&D Resident
  • Open Spybot S&D
  • Click on Mode at the top and make sure that Advanced is checked
  • Expand the Tools tab in the left pane
  • Single click on the Resident Icon also in the left pane
  • Uncheck Resident "TeaTimer" (Protection of over-all system settings) Active
  • Close Spybot

------------------------------------------------------------------------

Run CFScript

Open notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\system32\blphc530j0elel.scr
C:\WINDOWS\system32\phc530j0elel.bmp
C:\WINDOWS\system32\lphc530j0elel.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lphc530j0elel"=-

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
 
I didn't see any virus activity this time, so the ComboFix run may well have solved the problem. Here's the log, posted in two sections due to length...



ComboFix 08-06-20.4 - Bill 2008-06-26 19:40:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.548 [GMT -3:00]
Running from: C:\Documents and Settings\Bill\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bill\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\blphc530j0elel.scr
C:\WINDOWS\system32\lphc530j0elel.exe
C:\WINDOWS\system32\phc530j0elel.bmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\blphc530j0elel.scr
C:\WINDOWS\system32\lphc530j0elel.exe
C:\WINDOWS\system32\phc530j0elel.bmp

.
((((((((((((((((((((((((( Files Created from 2008-05-26 to 2008-06-26 )))))))))))))))))))))))))))))))
.

2008-06-26 18:26 . 2008-06-26 18:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-26 18:26 . 2008-06-26 18:26 <DIR> d-------- C:\Documents and Settings\Bill\Application Data\Malwarebytes
2008-06-26 18:26 . 2008-06-26 18:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-26 18:26 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-26 18:26 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-25 18:46 . 2008-06-25 18:46 <DIR> d-------- C:\VundoFix Backups
2008-06-25 18:11 . 2008-06-25 18:18 1,864 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-25 17:56 . 2008-06-25 17:56 <DIR> d-------- C:\Program Files\CCleaner
2008-06-25 17:52 . 2008-06-25 17:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-25 17:46 . 2008-06-25 17:46 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-25 17:46 . 2008-06-25 18:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-25 16:39 . 2008-06-25 16:39 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-25 16:39 . 2008-06-25 16:39 <DIR> d-------- C:\Documents and Settings\Bill\Application Data\SUPERAntiSpyware.com
2008-06-25 16:39 . 2008-06-25 16:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-25 16:36 . 2008-06-25 16:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-25 14:32 . 2008-06-25 16:35 <DIR> d-------- C:\Documents and Settings\Bill\.housecall6.6
2008-06-23 18:46 . 2008-06-23 18:47 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-23 18:42 . 2008-06-25 22:08 <DIR> d-------- C:\SDFix
2008-06-15 13:13 . 2008-06-15 13:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NannyMania
2008-06-15 13:12 . 2008-06-15 13:38 <DIR> d-------- C:\Program Files\NannyMania_at
2008-06-10 21:02 . 2008-06-13 10:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 21:02 . 2008-06-13 10:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-26 22:43 6,377,504 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-26 22:09 --------- d-----w C:\Documents and Settings\Bill\Application Data\OpenOffice.org2
2008-06-26 22:08 17,408 ----a-w C:\WINDOWS\system32\drivers\USBCRFT.SYS
2008-06-26 22:07 75,380 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-26 18:37 --------- d-----w C:\Program Files\City of Heroes
2008-06-26 01:02 13,917,360 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-26 01:01 2,903,040 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-06-25 20:52 --------- d-----w C:\Program Files\Lavasoft
2008-06-25 20:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-24 01:01 --------- d-----w C:\Program Files\BurgerIsland_at
2008-06-22 20:17 --------- d-----w C:\Documents and Settings\Al & Paul\Application Data\OpenOffice.org2
2008-06-15 16:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-09 22:27 --------- d-----w C:\Program Files\World of Warcraft
2008-05-21 00:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-20 06:36 --------- d-----w C:\Program Files\Lavalys
2008-05-16 14:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-15 09:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\media center programs
2008-05-15 08:43 --------- d-----w C:\Program Files\Funcom
2008-05-15 08:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Funcom
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-29 14:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 14:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 14:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-28 00:58 1,462 ----a-w C:\Documents and Settings\Bill\Application Data\wklnhst.dat
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2006-08-20 22:05 168 ----a-w C:\Documents and Settings\Al & Paul\Application Data\wklnhst.dat
2005-09-09 16:04 56 --sh--r C:\WINDOWS\system32\02836ADAB6.sys
2005-09-09 16:04 5,018 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-25_19.32.11.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-25 22:00:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-26 22:08:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-23 21:47:23 4,022,272 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-06-26 00:55:42 4,685,824 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2008-06-23 21:47:23 237,568 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-06-26 00:55:42 237,568 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-06-26 22:08:08 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4d4.dat
.
 
Part 2...



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 09:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-03 20:06 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 08:04 59392]
"CHotkey"="mHotkey.exe" [2004-02-24 16:05 508416 C:\WINDOWS\mHotkey.exe]
"ledpointer"="CNYHKey.exe" [2004-02-03 19:15 5794816 C:\WINDOWS\CNYHKey.exe]
"Cmaudio"="cmicnfg.cpl,CMICtrlWnd" []
"Dit"="Dit.exe" [2004-07-20 20:18 90112 C:\WINDOWS\Dit.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50 155648]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 20:19 79224]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2004-02-25 10:04 496752]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-26 19:35 8523776]
"nwiz"="nwiz.exe" [2007-12-26 19:35 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-26 19:35 81920]
"lphc530j0elel"="C:\WINDOWS\system32\lphc530j0elel.exe" [ ]

C:\Documents and Settings\Al & Paul\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 16:54:56 393216]

C:\Documents and Settings\Bill\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 16:54:56 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-06-24 23:51:01 113664]
Event Reminder.lnk - C:\Program Files\Broderbund\PrintMaster\pmremind.exe [2007-04-10 19:20:25 331776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AOL 9.0\\AOL.exe"=
"C:\\Program Files\\AOL 9.0\\WAOL.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLACSD.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDIAL.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Downloads\\utorrent.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 20:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 20:16]
R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys [2005-05-12 09:39]
R3 UKBFLT;UKBFLT;C:\WINDOWS\system32\DRIVERS\UKBFLT.sys [2003-12-19 20:13]
S3 CardReaderFilter;Card Reader Filter;C:\WINDOWS\system32\Drivers\USBCRFT.SYS [2008-06-26 19:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{603ddb3c-3668-11dc-b88f-00038a000015}]
\Shell\AutoRun\command - J:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-26 18:20:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-26 19:43:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-26 19:44:43
ComboFix-quarantined-files.txt 2008-06-26 22:44:38
ComboFix2.txt 2008-06-25 22:32:35

Pre-Run: 267,991,093,248 bytes free
Post-Run: 267,970,912,256 bytes free

173 --- E O F --- 2008-06-20 07:17:21
 
You didn't disable teatimer and the registry entry is still there, though the file has been deleted.

Disable Teatimer
  • Right click the Spybot -SD Resident Icon located in your system tray, Select Exit Spybot - S&D Resident
  • Open Spybot S&D
  • Click on Mode at the top and make sure that Advanced is checked
  • Expand the Tools tab in the left pane
  • Single click on the Resident Icon also in the left pane
  • Uncheck Resident "TeaTimer" (Protection of over-all system settings) Active
  • Close Spybot

Run CFScript

Open notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lphc530j0elel"=-

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), attach Combofix.txt in your next reply together with a fresh HJT log.
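Added example, not code from this thread or from ComboFix's authors: a small Python script that reads the "Reg Loading Points" section of a ComboFix log, flags Run values whose command points at an absolute path but whose bracketed file info is empty (the `[ ]` that lphc530j0elel still shows above after its file was deleted), and writes the matching CFScript in the layout the helper asks for, with File:: on the very first line. The sample log excerpt is constructed from lines posted in this thread, and the "empty brackets means the file is gone" rule is my reading of this log's format, not a documented ComboFix rule.

```python
import re
from typing import Dict, List

# Constructed sample input: an excerpt in the format of ComboFix's "Reg Loading
# Points" section, with entries taken from the log posted earlier in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 09:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 20:19 79224]
"Cmaudio"="cmicnfg.cpl,CMICtrlWnd" []
"lphc530j0elel"="C:\WINDOWS\system32\lphc530j0elel.exe" [ ]
"""

# A registry key header such as [HKEY_LOCAL_MACHINE\...\Run]
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
# A value line: "name"="command" [timestamp size resolved-path]
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s*\[(?P<info>[^\]]*)\]\s*$')
# Commands that are a full path (drive letter + backslash) rather than a bare name
ABS_PATH_RE = re.compile(r'^[A-Za-z]:\\')


def parse_reg_loading_points(text: str) -> List[Dict[str, str]]:
    """Return one dict per autostart value: registry key, value name, the command
    it runs, and the bracketed file info ComboFix printed for it (stripped)."""
    entries: List[Dict[str, str]] = []
    current_key = None
    for line in text.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        entry_match = ENTRY_RE.match(line)
        if entry_match and current_key:
            entries.append({
                "key": current_key,
                "name": entry_match.group("name"),
                "value": entry_match.group("value"),
                "info": entry_match.group("info").strip(),
            })
    return entries


def find_orphaned_autostarts(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag Run values whose command is an absolute path but whose bracketed info
    is empty: ComboFix resolved nothing at that path, so the value is a leftover
    pointing at a file that no longer exists. Bare names and rundll-style
    commands (like the Cmaudio entry) are skipped, since the log does not
    resolve them and their status cannot be judged from it. (Assumed heuristic.)"""
    return [e for e in entries if not e["info"] and ABS_PATH_RE.match(e["value"])]


def build_cfscript(orphans: List[Dict[str, str]]) -> str:
    """Emit a CFScript that removes the orphaned values: 'File::' on the first
    line (no blank line above, no leading space), then a Registry:: block with
    one "name"=- deletion per value, grouped under its key."""
    lines = ["File::", "", "Registry::"]
    by_key: Dict[str, List[str]] = {}
    for e in orphans:
        by_key.setdefault(e["key"], []).append(e["name"])
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        for name in names:
            lines.append(f'"{name}"=-')
    return "\n".join(lines) + "\n"


def check_cfscript(text: str) -> List[str]:
    """Check the layout rules the helper stressed for the saved file: the word
    File:: must be the first line, with nothing above it and no space before it."""
    problems: List[str] = []
    first = text.split("\n", 1)[0]
    if first != "File::":
        if first.strip() == "":
            problems.append("blank line above File::")
        elif first.strip() == "File::":
            problems.append("whitespace before File::")
        else:
            problems.append("first line is not File::")
    return problems


if __name__ == "__main__":
    found = find_orphaned_autostarts(parse_reg_loading_points(SAMPLE_LOG))
    for e in found:
        print(f"orphaned autostart: {e['key']} -> {e['name']} = {e['value']}")
    script = build_cfscript(found)
    print(script)
    print("layout problems:", check_cfscript(script) or "none")
```

On a real log, replace SAMPLE_LOG with the text between the "Reg Loading Points" banner and the next banner; anything the script flags still deserves a look by eye before it goes into a CFScript.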
 
Oops, sorry about that. I had turned it off, but Tea Timer was set to not let the registry change happen. :p

Here are the logs...


ComboFix 08-06-20.4 - Bill 2008-06-26 20:39:28.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.579 [GMT -3:00]
Running from: C:\Documents and Settings\Bill\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bill\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-26 to 2008-06-26 )))))))))))))))))))))))))))))))
.

2008-06-26 18:26 . 2008-06-26 18:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-26 18:26 . 2008-06-26 18:26 <DIR> d-------- C:\Documents and Settings\Bill\Application Data\Malwarebytes
2008-06-26 18:26 . 2008-06-26 18:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-26 18:26 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-26 18:26 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-25 18:46 . 2008-06-25 18:46 <DIR> d-------- C:\VundoFix Backups
2008-06-25 18:11 . 2008-06-25 18:18 1,864 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-25 17:56 . 2008-06-25 17:56 <DIR> d-------- C:\Program Files\CCleaner
2008-06-25 17:52 . 2008-06-25 17:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-25 17:46 . 2008-06-25 17:46 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-25 17:46 . 2008-06-25 18:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-25 16:39 . 2008-06-25 16:39 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-25 16:39 . 2008-06-25 16:39 <DIR> d-------- C:\Documents and Settings\Bill\Application Data\SUPERAntiSpyware.com
2008-06-25 16:39 . 2008-06-25 16:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-25 16:36 . 2008-06-25 16:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-25 14:32 . 2008-06-25 16:35 <DIR> d-------- C:\Documents and Settings\Bill\.housecall6.6
2008-06-23 18:46 . 2008-06-23 18:47 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-23 18:42 . 2008-06-25 22:08 <DIR> d-------- C:\SDFix
2008-06-15 13:13 . 2008-06-15 13:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NannyMania
2008-06-15 13:12 . 2008-06-15 13:38 <DIR> d-------- C:\Program Files\NannyMania_at
2008-06-10 21:02 . 2008-06-13 10:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 21:02 . 2008-06-13 10:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-26 23:42 6,410,272 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-26 22:48 --------- d-----w C:\Documents and Settings\Bill\Application Data\OpenOffice.org2
2008-06-26 22:47 17,408 ----a-w C:\WINDOWS\system32\drivers\USBCRFT.SYS
2008-06-26 22:46 75,836 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-26 18:37 --------- d-----w C:\Program Files\City of Heroes
2008-06-26 01:02 13,917,360 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-26 01:01 2,903,040 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-06-25 20:52 --------- d-----w C:\Program Files\Lavasoft
2008-06-25 20:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-24 01:01 --------- d-----w C:\Program Files\BurgerIsland_at
2008-06-22 20:17 --------- d-----w C:\Documents and Settings\Al & Paul\Application Data\OpenOffice.org2
2008-06-15 16:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-09 22:27 --------- d-----w C:\Program Files\World of Warcraft
2008-05-21 00:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-20 06:36 --------- d-----w C:\Program Files\Lavalys
2008-05-16 14:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-15 09:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\media center programs
2008-05-15 08:43 --------- d-----w C:\Program Files\Funcom
2008-05-15 08:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Funcom
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-29 14:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 14:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 14:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-28 00:58 1,462 ----a-w C:\Documents and Settings\Bill\Application Data\wklnhst.dat
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2006-08-20 22:05 168 ----a-w C:\Documents and Settings\Al & Paul\Application Data\wklnhst.dat
2005-09-09 16:04 56 --sh--r C:\WINDOWS\system32\02836ADAB6.sys
2005-09-09 16:04 5,018 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-25_19.32.11.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-25 22:00:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-26 22:47:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-23 21:47:23 4,022,272 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-06-26 00:55:42 4,685,824 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2008-06-23 21:47:23 237,568 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-06-26 00:55:42 237,568 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-06-26 22:47:31 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4e8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
 
Part 2 of ComboFix...



*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 09:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-03 20:06 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 08:04 59392]
"CHotkey"="mHotkey.exe" [2004-02-24 16:05 508416 C:\WINDOWS\mHotkey.exe]
"ledpointer"="CNYHKey.exe" [2004-02-03 19:15 5794816 C:\WINDOWS\CNYHKey.exe]
"Cmaudio"="cmicnfg.cpl,CMICtrlWnd" []
"Dit"="Dit.exe" [2004-07-20 20:18 90112 C:\WINDOWS\Dit.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50 155648]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 20:19 79224]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2004-02-25 10:04 496752]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-26 19:35 8523776]
"nwiz"="nwiz.exe" [2007-12-26 19:35 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-26 19:35 81920]

C:\Documents and Settings\Al & Paul\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 16:54:56 393216]

C:\Documents and Settings\Bill\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 16:54:56 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-06-24 23:51:01 113664]
Event Reminder.lnk - C:\Program Files\Broderbund\PrintMaster\pmremind.exe [2007-04-10 19:20:25 331776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AOL 9.0\\AOL.exe"=
"C:\\Program Files\\AOL 9.0\\WAOL.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLACSD.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDIAL.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Downloads\\utorrent.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 20:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 20:16]
R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys [2005-05-12 09:39]
R3 UKBFLT;UKBFLT;C:\WINDOWS\system32\DRIVERS\UKBFLT.sys [2003-12-19 20:13]
S3 CardReaderFilter;Card Reader Filter;C:\WINDOWS\system32\Drivers\USBCRFT.SYS [2008-06-26 19:47]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{603ddb3c-3668-11dc-b88f-00038a000015}]
\Shell\AutoRun\command - J:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-26 18:20:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-26 20:42:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\HKCYDLL.dll
.
Completion time: 2008-06-26 20:43:32
ComboFix-quarantined-files.txt 2008-06-26 23:43:26
ComboFix2.txt 2008-06-26 22:44:45
ComboFix3.txt 2008-06-25 22:32:35

Pre-Run: 268,353,785,856 bytes free
Post-Run: 268,330,893,312 bytes free

166 --- E O F --- 2008-06-20 07:17:21
 
HijackThis log...



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:44:11, on 26/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\Dit.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Crusty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.medionusa.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Event Reminder.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.medionusa.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125069054531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125341811953
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.arcadetown.com/swf/deliciousdeluxe2/zylomplayer.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.27.5/ttinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9905 bytes
 
Remove bad HijackThis entries
  • Run HijackThis
  • Click on the System Scan Only button
  • Put a check beside all of the items listed below (if present):

    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

----------------------------------------------------------------------

Update your Java Runtime Environment
  • Click the following link
    Java Runtime Environment 6 Update 6
  • The 5th option down is the one you want (click Download)
  • Check the box to agree to terms of service
  • Check the box for your operating system and click 'Download selected' at the bottom
  • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
  • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_06 folder

-----------------------------------------------------------------------

Download and Run ATF Cleaner
Download ATF Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox or Opera:
Click Firefox or Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

-----------------------------------------------------------------

Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report to your next reply.
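The "Remove bad HijackThis entries" step above is a manual triage of the posted log: the two entries chosen for "Fix Checked" are the ones registered in the registry but pointing at no file on disk. As an added example (not part of this thread, and not a HijackThis feature), the script below performs that triage mechanically over a few lines constructed in HijackThis format from entries in the posted log. The "(no file)" test reproduces the helper's fix list exactly; the two extra O4 checks (a Run value with no absolute path, and a startup shortcut HijackThis could not resolve) are review hints only, since in this log those entries belong to the Medion keyboard tools and the PrintMaster reminder.

```python
import re

# Constructed sample in HijackThis log format, built from entries that appear
# in the log posted above (GUIDs and paths are those entries, nothing new).
SAMPLE_LOG = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_03\\bin\\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\\..\\Run: [ehTray] C:\\WINDOWS\\ehome\\ehtray.exe
O4 - HKLM\\..\\Run: [CHotkey] mHotkey.exe
O4 - Global Startup: Event Reminder.lnk = ?
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
"""

# "O2 - ..." / "R0 - ..." : section code, then the entry body.
ENTRY_RE = re.compile(r"^([ORFN]\d+) - (.*)$")
# O4 Run entries: "HKLM\..\Run: [valuename] command line"
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A command line that starts with a drive letter or an environment variable.
ABS_PATH_RE = re.compile(r"^([A-Za-z]:\\|%)")

ORPHANED = "orphaned registration (no file on disk)"
UNRESOLVED = "startup shortcut target could not be resolved"
RELATIVE = "Run value without an absolute path (located via PATH search)"


def triage_hijackthis(log_text):
    """Return (section, reason, line) for every entry worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        if body.endswith("(no file)"):
            # Registry still references a BHO/toolbar whose DLL is gone:
            # harmless by itself, but exactly what the helper had fixed.
            findings.append((section, ORPHANED, line))
        elif section == "O4":
            if body.endswith("= ?"):
                findings.append((section, UNRESOLVED, line))
            else:
                rm = RUN_RE.match(body)
                if rm and not ABS_PATH_RE.match(rm.group("cmd").strip().lstrip('"')):
                    findings.append((section, RELATIVE, line))
    return findings


def fix_list(log_text):
    """Only the orphaned entries go on the 'Fix Checked' list, as in the post."""
    return [line for _, reason, line in triage_hijackthis(log_text) if reason == ORPHANED]


if __name__ == "__main__":
    for section, reason, line in triage_hijackthis(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {line}")
```

Run it on a saved hijackthis.log by reading the file into `triage_hijackthis`; the `fix_list` output is the subset that matches the helper's instruction, everything else is a prompt to look the entry up before touching it.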
 
Here's the report from Kaspersky.



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, June 30, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, June 30, 2008 11:47:42
Records in database: 898476
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 71972
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:16:19


File name / Threat name / Threats count
C:\Downloads\ASRLSetup_download.exe Infected: not-a-virus:AdTool.Win32.VB.b 1
C:\Downloads\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

The selected area was scanned.
 
You need to delete this one file then we can clean up and secure the work we did.

C:\Downloads\ASRLSetup_download.exe

-----------------------------------------------------

Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter.

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-----------------------------------------------------------------------

OTCleanit! by Oldtimer
  • Download OTCleanIt
  • Click the CleanUp! button.
    • It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).

---------------------------------------------------------------------------

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  1. Set correct settings for files
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
    • If unchecked please check Hide protected operating system files (Recommended)
    • If necessary check "Display content of system folders"
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK

    Clear system restore points

    • This is a good time to clear your existing system restore points and establish a new clean restore point:
      • Go to Start > All Programs > Accessories > System Tools > System Restore
      • Select Create a restore point, and Ok it.
      • Next, go to Start > Run and type in cleanmgr
      • Select the More options tab
      • Choose the option to clean up system restore and OK it.
      This will remove all restore points except the new one you just created.

  2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  3. Use an AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  4. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  5. Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. This is done in Vista through Control Panel -> Windows Updates.

  7. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  8. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety:

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software
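How the HOSTS file trick described above works, and a check that it has not been turned against you, as an added example that is not from this thread or from the MVPS project. The script parses a HOSTS file (the sample below is constructed; 203.0.113.5 is an RFC 5737 documentation address standing in for an arbitrary non-local one), lists the names blackholed to 127.0.0.1 or 0.0.0.0, and flags any override of the update sites named earlier in this thread. That last check goes beyond the post: the same file that blocks ad sites can be edited by malware to block or redirect Windows Update and security-vendor sites, so any local entry for those domains, loopback or not, deserves a look.

```python
import ipaddress

# Constructed sample HOSTS file (not the MVPS file): localhost lines, three
# MVPS-style blackhole entries (one with an inline comment), and one planted
# entry that sends update sites to a documentation address to show a hijack.
SAMPLE_HOSTS = """\
# Constructed sample for the audit below
127.0.0.1       localhost
::1             localhost
0.0.0.0  ads.example.invalid     # blackholed: resolves to nowhere
0.0.0.0  tracker.example.invalid
127.0.0.1  banner.example.invalid
203.0.113.5  www.windowsupdate.com update.microsoft.com
"""

# Domains whose resolution should never be overridden locally (assumed
# watch list; extend it with your AV vendor's update hosts).
WATCHED_SUFFIXES = ("windowsupdate.com", "update.microsoft.com", "microsoft.com")


def parse_hosts(text):
    """Yield (ip_address, [hostnames]) per valid line; comments are stripped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # malformed line: skip it
        entries.append((addr, [name.lower() for name in parts[1:]]))
    return entries


def is_blackhole(addr):
    """127.0.0.1, ::1 and 0.0.0.0 all make a name unreachable (the MVPS trick)."""
    return addr.is_loopback or addr.is_unspecified


def watched(name):
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Classify every mapping: deliberate blackhole, hijack of a watched site,
    or some other redirect to a real address."""
    result = {"blackholed": [], "hijacked": [], "redirected": []}
    for addr, names in parse_hosts(text):
        for name in names:
            if name == "localhost":
                continue
            if watched(name):
                # Any local override of an update site is suspect, even to loopback:
                # blocking updates is as useful to malware as redirecting them.
                result["hijacked"].append((name, str(addr)))
            elif is_blackhole(addr):
                result["blackholed"].append(name)
            else:
                result["redirected"].append((name, str(addr)))
    return result


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(report['blackholed'])} names blackholed")
    for name, addr in report["hijacked"]:
        print(f"HIJACK? {name} -> {addr}")
```

On a real machine, read `C:\WINDOWS\system32\drivers\etc\hosts` into `audit_hosts`; after installing the MVPS file expect thousands of `blackholed` names and an empty `hijacked` list, and treat anything in `hijacked` or `redirected` that you did not add yourself as a finding.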
 