I posted this at the tech guy forums but I’ll throw everything here too:
Allllright, I’m dumb, I know. I went to HDTVxvid.net and downloaded an application I thought was a codec, though it turns out to just tell you your video card isn’t up to snuff and installs a few things.
Firstly, Spybot Search & Destroy picks up Smitfraud-C and Virtumonde.
(Condensed) Report from SSD:
Smitfraud-C.: [SBI $99619F8C] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-343818398-73586283-682003330-500\Software\Microsoft\instkey
Virtumonde: [SBI $779C9C0D] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP
Virtumonde: [SBI $FD08B4B7] Configuration file (File, nothing done)
C:\WINDOWS\system32\iOpXbccf.ini2
Virtumonde: [SBI $2A2DCEAC] Configuration file (File, nothing done)
C:\WINDOWS\system32\iOpXbccf.ini
— Browser helper object list —
{C369C9CD-29AA-4E75-83EC-2D6F03067CC6} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
BHO name:
CLSID name:
Path: C:\WINDOWS\system32
Long name: fccbXpOi.dll
Short name:
Date (created): 11/23/2008 10:57:02 PM
Date (last access): 11/23/2008 10:57:02 PM
Date (last write): 11/23/2008 10:57:04 PM
Filesize: 245760
Attributes: archive
MD5: A7B44C09F69269FC29490315F2CDD262
CRC32: 38493B10
Full HijackThis Report (highlighted with what I find suspicious):
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:53:18 AM, on 11/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
c:\docume~1\admini~1\locals~1\temp\cdm{cc37ec0f-0ffa-4e67-b577-503e2361f8f9}\STacSV.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{21579621-7834-4E31-B5B0-15850C5B109E}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{21579621-7834-4E31-B5B0-15850C5B109E}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{21579621-7834-4E31-B5B0-15850C5B109E}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: mogmyg.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\docume~1\admini~1\locals~1\temp\cdm{cc37ec0f-0ffa-4e67-b577-503e2361f8f9}\STacSV.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
But wait, I have more!
Using the SSD process tool, I'm finding that there are DLLs loading as modules in Explorer.exe: mogmyg.dll, fccbXpOi.dll, and a few others that I'm assuming are just more random filenames.
Avast doesn't get it; SSD helps but doesn't resolve the issue. I see NO red X, but there are the occasional popups. I'm also running TeaTimer, so I think I've blocked all of the attempts to re-edit the registry, but from what I notice it randomizes its SID and tries again every few minutes.
Trying Windows Defender now, but I’m not holding my breath.
I found this thread: http://forums.techguy.org/malware-re...ption-gif.html
I don't have corrupted GIFs, but I've also locked my hosts file, so if you're getting redirects then this might also be a symptom.
Any help is appreciated! I’m stuck, I’ve tried manual removal in safe mode, even Avast said it removed 2 infected files when I ran it on startup but it still persists. Thanks!
~J
EDIT: I used HijackThis to "fix" the selected entries (what I'd highlighted in red). It seems to have worked. Avast isn't returning anything, nor is Spybot now. I'll reboot and see if it reappears (crossing fingers!)
Grr
Nope, didn't work. Still all there even after numerous attempts to remove. Also, it's trying to monitor my websites visited because the popups have what page I'm looking at in the query.
http://url. adtrgt. com/ cpv.jsp?blahblahblah{insert pages I'm on here} (do not visit, this is just for reference! I put spaces in the addy so hopefully it doesn't parse)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
What I've done since
I've booted into command prompt safe mode to delete, no luck. I remove the regedit entries (for the BHO and the winlogon notify) and they return immediately, even in safe mode!!!
So I tried going into my Windows XP recovery console (booted from the CD), with the same results. I couldn't do regedit easily (command-line regediting isn't my forte), but it appeared to work. I rebooted and here I am, back where I started.
I'm about to just format and start over, my storage drive wasn't affected so I figure a new fresh start in Windows might be good for me.
Avast does a good job of blocking the malicious sites, and it looks like I got the Smitfraud-C gone, it's just the new Virtumonde that's causing a problem.
Popups are still occurring, but I refuse to open IE (using only Firefox for now).
In Firefox Add-ons I found a browser plugin called Move Media Player. With no research done, I'm disabling it (I've never seen it before). I just tried restarting Firefox after choosing uninstall and it's not gone (still enabled).
I'll keep trying but at this point I'm about to give up because I'm losing work time.
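The log above is the kind of artifact that is easiest to triage mechanically, so here is a small HijackThis log triage script as an added example. It is not part of the post and not part of HijackThis or Spybot; the sample lines are copied from the log in the post, while the rules, their severities and the helper names (triage_line, triage, Finding) are this example's own assumptions about what a defender would flag first: a populated AppInit_DLLs value, a service or autorun whose binary lives under a temp directory, a Winsock LSP HijackThis does not recognise, IE restriction policies, and a NameServer outside the private ranges.

```python
"""Triage a HijackThis v2 log for persistence entries worth reviewing.

Added example for this thread, not code from the post or from HijackThis.
SAMPLE_LOG lines are copied from the log in the post; the rules below are
assumptions about which sections deserve a closer look, not a verdict."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis lines posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{21579621-7834-4E31-B5B0-15850C5B109E}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: mogmyg.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\docume~1\admini~1\locals~1\temp\cdm{cc37ec0f-0ffa-4e67-b577-503e2361f8f9}\STacSV.exe
""".strip("\n")

SECTION_RE = re.compile(r"(O\d+|R\d)\s+-\s+(.*)")
# A path component named temp or tmp anywhere in the value.
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# RFC 1918 ranges; a home router such as 192.168.1.1 is expected here.
PRIVATE_NET = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


@dataclass
class Finding:
    section: str
    severity: str   # "high" = act on it, "review" = confirm by hand
    reason: str
    line: str


def triage_line(line: str):
    """Return a Finding for a single HijackThis line, or None if nothing stands out."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()

    if section == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        if value:   # AppInit_DLLs is loaded into every process that links user32.dll
            return Finding(section, "high", f"AppInit_DLLs injects {value} system-wide", line)

    if section == "O23":
        path = body.rsplit(" - ", 1)[-1]
        if TEMP_DIR.search(path):
            return Finding(section, "high", "service binary runs from a temp directory", line)

    if section == "O4" and TEMP_DIR.search(body):
        return Finding(section, "high", "autorun entry points into a temp directory", line)

    if section == "O10" and "Unknown file" in body:
        return Finding(section, "review", "Winsock LSP not recognised; verify the DLL", line)

    if section == "O6":
        return Finding(section, "review", "IE policy restrictions present; set by admins or malware", line)

    if section == "O17":
        ns = body.split("NameServer =")[-1].strip()
        if ns and not PRIVATE_NET.match(ns):
            return Finding(section, "high", f"DNS server {ns} is outside private ranges", line)

    return None


def triage(log: str):
    """Run triage_line over every line of a log and keep the hits, in log order."""
    return [f for f in (triage_line(l) for l in log.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run against the sample it prints four hits: the two IE-policy and LSP lines for manual review, and the AppInit_DLLs entry and the temp-directory service as high. The random-looking DLL names in the post (mogmyg.dll, fccbXpOi.dll) are deliberately not matched by a name heuristic, because legitimate vendor files such as NvCpl.dll would trip the same pattern; where the entry comes from (AppInit_DLLs, a temp path) is the more reliable signal.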