Computer hangs up during any type of scan

Hello

For a long time I have been constantly attacked by all sorts of worms and malwares. Currently I’m having the following problem: Anytime I try to scan my machine for viruses (with Avast) or adware (with AVG Anti Spyware), I never manage to finish the scan because the machine hangs up.

Also, I did the VundoSearch with VundoFix and it didn’t find anything.

Also… I sometimes use Ad-Aware as well. That one is also out of the question because for a couple of months now it won’t update the database. It always gives an Error.

Ok, so I did something that was probably wrong: :-\

Out of impatience, I began reading the other posts as soon as I finished this one and there was this post about this guy with a Trojan and someone told him to download and run ComboFix… so I did that. I scanned the machine with ComboFix and rebooted. The first thing I noticed is that it changed my Firefox Icon to an Explorer Icon at the Start Menu. Also, when I opened Firefox, it wasn’t set as default.

Anyway, here’s the log:

ComboFix 08-02-20.2 - il Dottore 2008-02-21 0:32:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.101 [GMT -8:00]
Running from: C:\DOCUMENTS AND SETTINGS\IL DOTTORE\DESKTOP\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\il Dottore\Start Menu\Programs\Startup\ta_start.lnk
C:\temp\17o7
C:\temp\17o7\tmpTF.log
C:\WINDOWS\b122.exe.bin
C:\WINDOWS\system32\smpi1

.
((((((((((((((((((((((((( Files Created from 2008-01-21 to 2008-02-21 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-21 07:33 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2008-01-30 06:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-27 08:45 --------- d-----w C:\Documents and Settings\il Dottore\Application Data\Cakewalk
2007-12-27 08:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Cakewalk
2007-12-27 08:37 --------- d-----w C:\Program Files\Cakewalk
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-07-27 02:19 604 ---ha-w C:\Program Files\STLL Notifier
2007-04-01 21:36 258 ----a-w C:\Program Files\First Theorem.sn2
2004-04-13 16:13 35,456 ----a-w C:\WINDOWS\Fonts\requiem1.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE~\Browser Helper Objects\{76FCFD22-C40A-4764-8420-AFE2C4654ECD}]
C:\WINDOWS\system32\sstqo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 03:24 65536]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-08-19 19:34 3084288]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-02-15 14:54 1469680]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-07-24 23:52 67128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2003-04-15 20:01 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 18:00 126976]
"PadTouch"="C:\Program Files\TOSHIBA\PadTouch\PadExe.exe" [2003-10-31 15:01 1019904]
"Start RF Wireless Mouse"="C:\Program Files\RF Wireless Mouse\cm20.exe" [2002-01-31 10:59 61440]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 10:29 40960]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2003-11-20 17:24 26112]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24 286720]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-08-14 13:10 6731312]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 15:02 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 15:06 2027792]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 09:00 267064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:56 15360]

C:\Documents and Settings\il Dottore\Start Menu\Programs\Startup
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2005-03-09 11:49:38 81920]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-04-11 07:23:36 113664]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-07-24 23:52:32 67128]
LUMIX Simple Viewer.lnk - C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-07-19 17:53:18 57344]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 13:23:32 51776]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2003-11-20 16:58:56 155648]
SmartUI.lnk - C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe [2003-02-03 11:29:12 1568768]

R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys [2002-06-06 01:07]
R4 BsUDF;B.H.A UDF Filesystem;C:\WINDOWS\system32\drivers\BsUDF.sys [2003-11-04 11:50]
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 13:12]
S3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2003-03-14 00:04]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys [2001-08-17 13:12]
S3 BrUsbScn;Brother MFC USB Scanner driver;C:\WINDOWS\system32\Drivers\BrUsbScn.sys [2001-08-17 13:12]
S3 pciSd;pciSd;C:\WINDOWS\system32\DRIVERS\tossdpci.sys [2003-02-12 09:03]
S3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\system32\DRIVERS\tsdhd.sys [2003-05-14 17:38]
S3 VVBETHERNET;Efficient Networks Virtual Bus Ethernet driver;C:\WINDOWS\system32\DRIVERS\vvbEthT.sys [2002-05-22 17:26]
S3 VvBusUsb;Efficient Networks USB Virtual Bus driver;C:\WINDOWS\system32\drivers\vvbususb.sys [2002-05-22 17:26]

.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 06:09:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-20 21:26:32 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-21 00:37:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2008-02-21 0:40:29
ComboFix-quarantined-files.txt 2008-02-21 08:40:11
.
2008-02-14 03:03:40 --- E O F ---

Granted, this kind of situation might be too cliche and tedious to respond to for some of you, but can someone please drop a quick line and at least tell me if I had any progress at all with what I did?
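For anyone who wants to triage a log like the one above, here is a small added example (not from the post, and not ComboFix's own code) that parses the "Reg Loading Points" section into structured entries and lists the loaders sitting directly in the Windows directories, which is where the entries worth a second look tend to show up once ComboFix has hidden the legit defaults. The sample text is a constructed excerpt of the log above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt modelled on the "Reg Loading Points" section of the log above
SAMPLE = r'''
[HKEY_LOCAL_MACHINE~\Browser Helper Objects\{76FCFD22-C40A-4764-8420-AFE2C4654ECD}]
C:\WINDOWS\system32\sstqo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 03:24 65536]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-02-15 14:54 1469680]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
'''
@dataclass
class Entry:
    key: str              # registry key the entry sits under
    name: str             # value name, or the CLSID for a BHO line
    path: str             # file that gets loaded (resolved form if ComboFix gave one)
    stamp: Optional[str]  # file timestamp from the brackets, if any
    size: Optional[int]   # file size from the brackets, if any

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"(?:\s+\[(?P<stamp>\d{4}-\d\d-\d\d \d\d:\d\d) '
                      r'(?P<size>\d+)(?: (?P<resolved>.+?))?\])?$')
def parse_loading_points(text):
    entries, key = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key is None:
            continue
        elif m := VALUE_RE.match(line):
            size = int(m['size']) if m['size'] else None
            entries.append(Entry(key, m['name'], m['resolved'] or m['path'], m['stamp'], size))
        else:  # bare path under a key: the BHO form, named after the key's CLSID
            entries.append(Entry(key, key.rsplit('\\', 1)[-1], line, None, None))
    return entries

WINDOWS_DIRS = ('c:\\windows', 'c:\\windows\\system32')
def needs_review(entries):
    # Loaders sitting directly in the Windows directories with no vendor folder. ComboFix already
    # hides legit defaults, so these are leads to verify (properties, publisher, hashes), not verdicts.
    return [e for e in entries if e.path.lower().rpartition('\\')[0] in WINDOWS_DIRS]
```

On the sample this returns the BHO DLL and the Toshiba hotkey helper, which illustrates the point: the list is what to check next, not what to delete.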

Not so much the tedium, but a lack of people to decipher the combofix log. They usually ask people to post a combofix log when it relates to their problem, so if you simply post the log in a topic where they aren’t actively engaged, they might not see it or be available to help.

Combofix should, to some degree, be able to remove some of the problems; has that not helped?

Unfortunately I can’t help, 1) not familiar with combofix, 2) recovering from a broken wrist (so can’t spend much time on-line) and 3) probably worse recovering from the flu.

I see… well, I guess I’ll try scanning the machine now and see if it doesn’t hang up.

Hi:

I am no Expert in reading Combofix logs either, but it showed 2 Symantec/Norton “Items” still being on your computer; have you ever run the “Norton Removal Tool” that is available at several Sites? IF yes, what was the Result?

And the Scan Results imply you have “Spyware Doctor” on your computer; is this true?

Worst of all, it implies you have a P2P program, called “Limewire”; is this true? IF yes, you should realize that using P2P programs quadruples your risk of getting malware on to your computer.

Well, as far as “Norton Items”, I did have Norton once a long time ago and uninstalled it, so as far as I’m concerned, I thought I had completely gotten rid of it. Does that mean that I still have some Norton crumbs left there?

Yes, I do have Spyware Doctor. Do you recommend uninstalling it?

Yes, I do have Limewire as well. I know it is quite risky and I have been considering deleting it.

Norton can be a pig to fully remove.

A link worth looking at, which is a program removal tool that can remove the remnants of a number of different Norton Programs:
Removing your Norton program using SymNRT

That’s a great one. The problem is I can’t remember which specific version of Norton I had. I’m pretty sure it was a free version from the ones you get on the internet… but I can’t remember which one.

I don’t recall if Norton was ever free, unless you are talking about something given with your ISP, etc. I’m also not sure how important it is to know the exact version. You could try a process of elimination as it wouldn’t be the later versions.

It may just be the liveupdate remnants (which shouldn’t be as much hassle), see if you can find the ndetect.exe file and see if there is anything in the file properties which may indicate what version.

"2008-02-20 21:26:32 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE