Help! Mysterious virus sending thousands of spam e-mails from my PC :(

Viruses and worms
1

Hi,

My PC has somehow picked up a virus, which has been sending out tonnes of spam for some time :frowning:

I am so careful, virus-scanning all downloads, keeping Windows up-to-date etc., I’m the first person friends and family turn to when they get their PCs in a mess, and in nearly a decade online I’ve never previously had so much as a spyware infection, let alone a spambot!

This has really shocked me and I have no idea how it got onto my PC, still less how to track it down and remove it. (I only know it’s here because the Avast On-Access Scanner window was showing a new outgoing message every few seconds (under ‘Last scanned’) with awful Subjects like “Important security information for your bank account” and so forth.)

Since discovering it I have been blocking traffic carefully so I’m no longer spamming, and have tried System Restore to one and two months ago but it didn’t work, so then I disabled System Restore in case the virus was hiding in the restore files.

A Thorough Scan with Avast didn’t find anything, and nor has Kaspersky’s Online Scanner. Windows Defender also failed to find anything, as did Spybot - Search and Destroy.

Finally, through a complicated chain of investigation I have determined the following:

  1. The process making the connections to send the spam is svchost.exe.
  2. It tries to connect from ports in the 3000 range on my PC to HTTP ports on a range of remote servers such as stormpay.com, leapcash.com and missoula.servershost.net. I guess these are compromised web servers or something.
  3. If I disable the “DCOM Server Process Launcher” (path: “C:\WINDOWS\system32\svchost -k DcomLaunch”) in the Windows Services list, on the next reboot the connection attempts are no longer made. This is an important system service, though, so I can’t just leave this disabled to work around the problem!

Can anyone help me identify what’s behind this problem, why Avast (and other scanners) are not picking up on it, and most importantly what I can do to stop this happening and thoroughly clean my computer of this malware?

Thanks in advance everyone!

2

You should post a combofix Report. yoou can find a guide here:
http://forum.avast.com/index.php?topic=29972.msg246988#msg246988
Only combofix, not the BFU mentioned there!

3

Sometimes, could be good to download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives). Other tools that could help are machine with anti-rootkit applications. I suggest AVG, Panda and/or F-Secure BlackLight.

Maybe making a HijackThis log to post here and, specially, scan and submit to on-line analysis the RunScanner log would help to identify the problem and the solution.

4

I tried HijackThis soon after I found the problem and posted the log here:

http://forums.spywareinfo.com/index.php?showtopic=104414&st=0&p=571430

There didn’t look anything amiss in it, and no-one replied, so I guess it didn’t reveal anything, but you’re welcome to have a look and see if you can see anything of course!

I’ve just tried F-Secure Blacklight and it failed to find anything wrong at all.

I’m running ComboFix but it has been going for much longer than the ‘10 minutes’ it says it should take and it doesn’t show any progress bar or anything so it’s hard to know when it will finish, if ever! Hopefully it being so slow is a sign it is finding something!

Do you know where it will save a log of its findings or anything? I saved it to and ran it from my desktop - will the log appear there?

Hmm, does anyone know how long should I leave it running without it saying anything before I decide it’s hung or something? ??? It’s been going for a good half-hour or more now.

5

Are you sure?
What about…
O20 - Winlogon Notify: rasrad32 - C:\WINDOWS\SYSTEM32\rasrad32.dll

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix’s window while its running. That may cause it to stall.

6

That file is digitally signed by Microsoft and dated 2004 so unfortunately I don’t think it’s at fault, but I can’t find anything out about it on the internet - the only Google result for rasrad32.dll is my Hijack This forum post!

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

OK, I’ve tried closing ComboFix and starting it again - I assume that’s what you were suggesting I should do. It’s running at the moment so I’m going to leave it going and come back when it’s finished. In the meantime here’s my Hijack This log again - I just ran it again to get an up-to-date one.

Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 14:52, on 2007-08-19 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Service.exe
C:\WINDOWS\system32\3007WFP\LcdOsd.exe
C:\WINDOWS\system32\3007WFP\LcdOsd.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BBC Alerts\BBC_Alerts.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\findstr.exe
C:\Documents and Settings\Paul\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank


(I’ll continue this in another post - it was too long for the forum to allow in a single post unfortunately.)

7

Hijack This log continued…

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [BBC Alerts] "C:\Program Files\BBC Alerts\BBC_Alerts.exe" O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?') O4 - HKUS\S-1-5-21-507921405-1965331169-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?') O4 - HKUS\S-1-5-21-507921405-1965331169-839522115-1003\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all (User '?') O4 - HKUS\S-1-5-21-507921405-1965331169-839522115-1003\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?') O4 - HKUS\S-1-5-21-507921405-1965331169-839522115-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ? O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.EXE O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201 O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204 O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203 O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202 O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

Oh dear, out of room again - a third post follows!

8

Hijack This log, part three:

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172765515765 O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172938035906 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{F0D940FA-FF03-4B3B-950A-2B22E03A2A18}: NameServer = 192.168.1.1 O20 - Winlogon Notify: rasrad32 - C:\WINDOWS\SYSTEM32\rasrad32.dll O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Dell 3007WFP (Service) - Unknown owner - C:\WINDOWS\system32\Service.exe O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe


End of file - 12909 bytes

9

Can I hitch onto this thread and try out a new programe. It doesn’t make any changes to the system it is purely analysis only

Please download http://www.runscanner.net/download.aspx and install
When the first page comes up select Beginner Mode
On the next page select Save a binary .Run file (optional)
Then click Start full computer scan at the bottom
At this time Runscanner.exe may request access to the Internet please allow it to do so
It will then run for 2 or 3 minutes
On completion it will ask for a location to save the file and a name
It will do this for both the .run file and the log
Call the file test and save to your desktop
You will see the .run file on your desktop Please zip that file by right clicking and selecting send to Zip file
Then upload that as an attachment to your next post.
Along with the Log file produced

10

I can’t actually see any Attachment option on this forum - am I overlooking a button somewhere?
I’ll paste the log in in the meantime:

Runscanner logfile http://www.runscanner.net

000 General info

Computer name : BITOCLASS
Type of scan : Full scan
RunScanner Version : 1.0.1.0
Creation time : 2007-08-19 15:21:27
User rights : Administrator
OS : Microsoft Windows XP
OS Build : 2600
OS SP : Service Pack 2
User Language : English (United Kingdom)
IE version : 7.0.5730.11
Windows folder : C:\WINDOWS
Hosts file location : %SystemRoot%\System32\drivers\etc
Hosts <> 127.0.0.1 : 3

001 Running processes

  • c:\program files\avast4\aswupdsv.exe (ALWIL Software)
  • c:\program files\avast4\ashserv.exe (ALWIL Software)
    c:\program files\nvidia corporation\ntune\ntuneservice.exe (NVIDIA)
  • c:\windows\system32\nvsvc32.exe (NVIDIA Corporation)
    c:\windows\system32\service.exe
    c:\windows\system32\3007wfp\lcdosd.exe
    c:\windows\system32\3007wfp\lcdosd.exe
  • c:\program files\sunbelt software\personal firewall\kpf4ss.exe (Sunbelt Software)
    c:\program files\belkin bulldog plus\upsd.exe (Delta)
    c:\program files\ultravnc\winvnc.exe (UltraVNC)
  • c:\program files\sunbelt software\personal firewall\kpf4gui.exe (Sunbelt Software)
  • c:\program files\avast4\ashmaisv.exe (ALWIL Software)
  • c:\program files\avast4\ashwebsv.exe (ALWIL Software)
  • c:\program files\sunbelt software\personal firewall\kpf4gui.exe (Sunbelt Software)
  • c:\program files\analog devices\core\smax4pnp.exe (Analog Devices, Inc.)
  • c:\progra~1\avast4\ashdisp.exe (ALWIL Software)
  • c:\program files\adobe\acrobat 8.0\acrobat\acrotray.exe (Adobe Systems Inc.)
  • c:\program files\java\jre1.6.0_02\bin\jusched.exe (Sun Microsystems, Inc.)
    c:\program files\bbc alerts\bbc_alerts.exe (Skinkers Communications)
  • c:\program files\kontiki\kservice.exe
  • c:\program files\spybot - search & destroy\teatimer.exe (Safer Networking Limited)
    c:\program files\belkin bulldog plus\mups.exe
    c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe (Macrovision Europe Ltd.)
  • c:\documents and settings\paul\desktop\runscanner.exe (Runscanner.net)

002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)

  • c:\program files\analog devices\core\smax4pnp.exe (Analog Devices, Inc.)
    c:\program files\analog devices\soundmax\smax4.exe (Analog Devices, Inc.)
  • c:\windows\system32\nvcpl.dll (NVIDIA Corporation)
    C:\WINDOWS\system32\nwiz.exe
    c:\program files\ultravnc\winvnc.exe (UltraVNC)
  • c:\progra~1\avast4\ashdisp.exe (ALWIL Software)
  • c:\program files\adobe\acrobat 8.0\acrobat\acrotray.exe (Adobe Systems Inc.)
    c:\program files\nvidia corporation\ntune\ntunecmd.exe (NVIDIA)
  • c:\program files\java\jre1.6.0_02\bin\jusched.exe (Sun Microsystems, Inc.)
  • c:\program files\kontiki\khost.exe (Kontiki Inc.)
  • c:\windows\system32\nvmctray.dll (NVIDIA Corporation)

003 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)

c:\program files\bbc alerts\bbc_alerts.exe (Skinkers Communications)

  • c:\program files\kontiki\khost.exe (Kontiki Inc.)
  • c:\program files\spybot - search & destroy\teatimer.exe (Safer Networking Limited)

005 C:\Documents and Settings\All Users\Start Menu\Programs\Startup

  • c:\program files\adobe\acrobat 8.0\acrobat\acrobat_sl.exe (Adobe Systems Incorporated)
  • c:\progra~1\adobe\acroba~1.0\acrobat\adobec~1.exe
    c:\progra~1\common~1\adobe\calibr~1\adobeg~1.exe (Adobe Systems, Inc.)
    c:\progra~1\belkin~1\mups.exe

010 HKLM\SYSTEM\CurrentControlSet\Services (Services)

c:\program files\common files\adobe systems shared\service\adobelmsvc.exe (Adobe LM Service)

  • c:\program files\avast4\aswupdsv.exe (avast! iAVS4 Control Service)
  • c:\program files\avast4\ashserv.exe (avast! Antivirus)
  • c:\program files\avast4\ashmaisv.exe (avast! Mail Scanner)
  • c:\program files\avast4\ashwebsv.exe (avast! Web Scanner)
    c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe (FLEXnet Licensing Service)
    c:\windows\microsoft.net\framework\v3.0\windows communication foundation\infocard.exe (Windows CardSpace)
  • c:\program files\kontiki\kservice.exe (KService)
    c:\program files\common files\macromedia shared\service\macromedia licensing.exe (Macromedia Licensing Service)
    c:\windows\microsoft.net\framework\v3.0\windows communication foundation\smsvchost.exe (Net.Tcp Port Sharing Service)
    c:\program files\nvidia corporation\ntune\ntuneservice.exe (nTune Service)
  • C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Display Driver Service)
    c:\windows\system32\service.exe (Dell 3007WFP)
  • c:\program files\sunbelt software\personal firewall\kpf4ss.exe (Sunbelt Personal Firewall 4)
    c:\program files\belkin bulldog plus\upsd.exe (UPS - UPSentry Service)
    c:\program files\ultravnc\winvnc.exe (VNC Server)

011 HKLM\SYSTEM\CurrentControlSet\Services (drivers)

  • C:\WINDOWS\system32\drivers\adihdaud.sys (ADI UAA Function Driver for High Definition Audio Service)
  • C:\WINDOWS\system32\drivers\aeaudio.sys (AE Audio Service)
    C:\WINDOWS\system32\drivers\asio.sys (AsIO)
    c:\windows\system32\drivers\entech.sys (ENTECH)
  • c:\windows\system32\drivers\fwdrv.sys (Firewall Driver)
    C:\WINDOWS\system32\drivers\gmer.sys (Base)
  • C:\WINDOWS\system32\drivers\hdaudbus.sys (Microsoft UAA Bus Driver for High Definition Audio)
  • c:\windows\system32\drivers\khips.sys (Kerio HIPS Driver)
  • C:\WINDOWS\system32\drivers\asacpi.sys (ATK0110 ACPI UTILITY)
  • C:\WINDOWS\system32\drivers\nv4_mini.sys (Video)
    c:\windows\nvoclock.sys (NVR0Dev)
    C:\WINDOWS\system32\drivers\pfc.sys (Padus ASPI Shell)
  • C:\WINDOWS\system32\drivers\ptilink.sys (Direct Parallel Link Driver)
  • C:\WINDOWS\system32\drivers\pxhelp20.sys (PxHelp20)
  • C:\WINDOWS\system32\drivers\rtenicxp.sys (Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver)
    c:\windows\system32\drivers\sbkupnt.sys (SBKUPNT)
  • C:\WINDOWS\system32\drivers\secdrv.sys (Secdrv)
  • C:\WINDOWS\system32\drivers\senfilt.sys (SenFilt Service)
    C:\WINDOWS\system32\drivers\sfdrv01.sys (StarForce Protection Environment Driver (version 1.x))
  • C:\WINDOWS\system32\drivers\sfdrv01a.sys (StarForce Protection Environment Driver (version 1.x.a))
  • C:\WINDOWS\system32\drivers\sfhlp02.sys (StarForce Protection Helper Driver (version 2.x))
  • C:\WINDOWS\system32\drivers\sfsync04.sys (StarForce Protection Synchronization Driver (version 4.x))
  • C:\WINDOWS\system32\drivers\sfvfs02.sys (StarForce Protection VFS Driver (version 2.x))
    C:\WINDOWS\system32\drivers\sonypvs1.sys (Sony Digital Imaging Video2)
  • C:\WINDOWS\system32\drivers\ultra.sys (SCSI miniport)

Continued in next post…

11

Runscanner log continued:

030 HKLM\SOFTWARE\Classes\PROTOCOLS\Filter ------------------------------------------ C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D} C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D} C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}

031 HKLM\SOFTWARE\Classes\PROTOCOLS\Handler

c:\program files\common files\microsoft shared\web folders\pkmcdo.dll (Microsoft Corporation) {CD00020A-8B95-11D1-82DB-00C04FB1625D}

035 HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

c:\windows\system32\mscories.dll (Microsoft Corporation) {89B4C1CD-B018-4511-B0A1-5476DBF70820}

041 HKLM-HKCU\Software\Microsoft\Internet Explorer\Toolbar

  • c:\program files\adobe\acrobat 8.0\acrobat\acroiefavclient.dll (Adobe Systems Incorporated) {47833539-D0C5-4125-9FA8-0819E2EAAC93}

045 HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

  • c:\program files\adobe\acrobat 8.0\acrobat\acroiefavclient.dll (Adobe Systems Incorporated) {47833539-D0C5-4125-9FA8-0819E2EAAC93}

052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

c:\program files\orbitdownloader\orbitcth.dll (Orbitdownloader.com) {000123B4-9B42-4900-B3F7-F4B073EFC214}

  • c:\program files\java\jre1.6.0_02\bin\ssv.dll (Sun Microsystems, Inc.) {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
  • c:\program files\adobe\acrobat 8.0\acrobat\acroiefavclient.dll (Adobe Systems Incorporated) {AE7CD045-E861-484f-8273-0445EE161910}
    c:\program files\free download manager\iefdmcks.dll {CC59E0F9-7E43-44FA-9FAA-8377850BF205}

061 HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

  • deskpan.dll {42071714-76d4-11d1-8b24-00a0c9068ff3}
  • c:\windows\system32\hticons.dll (Hilgraeve, Inc.) {88895560-9AA2-1069-930E-00AA0030EBC8}
  • c:\windows\system32\nvcpl.dll (NVIDIA Corporation) {A70C977A-BF00-412C-90B7-034C51DA2439}
    c:\windows\system32\nvshell.dll {1CDB2949-8F65-4355-8456-263E7C208A5D}
    c:\windows\system32\nvshell.dll {1E9B04FB-F9E5-4718-997B-B8DA88302A47}
    c:\windows\system32\nvshell.dll {1E9B04FB-F9E5-4718-997B-B8DA88302A48}
    c:\windows\system32\mscoree.dll (Microsoft Corporation) {1D2680C9-0E2A-469d-B787-065558BC7D43}
    c:\windows\system32\dfshim.dll (Microsoft Corporation) {e82a2d71-5b2f-43a0-97b8-81be15854de8}
    c:\windows\system32\dfshim.dll (Microsoft Corporation) {E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}
    c:\windows\system32\phototoys.dll (Microsoft Corporation) {1530F7EE-5128-43BD-9977-84A4B0FAD7DF}
  • c:\program files\avast4\ashshell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
  • c:\program files\adobe\acrobat 8.0\acrobat elements\contextmenu.dll (Adobe Systems Inc.) {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}
  • c:\program files\serif\pageplus\12.0\program\thumbnailprovider.dll (Serif (Europe) Ltd) {2170E0A4-42F2-4EB5-911F-ABC2717F6563}
  • c:\windows\system32\nvcpl.dll (NVIDIA Corporation) {FFB699E0-306A-11d3-8BD1-00104B6F7516}

062 HKLM\Software\Classes\Folder\Shellex\ColumnHandlers

c:\program files\common files\adobe\acrobat\activex\pdfshell.dll (Adobe Systems, Inc.) {F9DB5320-233E-11D1-9F84-707F02C10627}

067 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

C:\WINDOWS\system32\rasrad32.dll (Microsoft Corporation)

069 HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors

  • c:\windows\system32\adobepdf.dll (Adobe Systems Incorporated.)
  • C:\WINDOWS\system32\ebpmon24.dll (SEIKO EPSON CORPORATION)

073 %windir%\Tasks

AboutTime.job : c:\progra~1\aboutt~1\aboutt~1.exe

100 Internet Explorer settings

Start Page HKCU : about:blank
Start Page HKLM : about:blank
Search Page HKCU : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Search Page HKLM : http://go.microsoft.com/fwlink/?LinkId=54896
Default_Page_URL HKLM : http://go.microsoft.com/fwlink/?LinkId=69157
Default_Search_URL HKLM : http://go.microsoft.com/fwlink/?LinkId=54896
SearchAssistant HKLM : http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
CustomizeSearch HKLM : http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

102 HKLM - HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars

  • c:\program files\adobe\acrobat 8.0\acrobat\acroiefavclient.dll (Adobe Systems Incorporated) {182EC0BE-5110-49C8-A062-BEB1D02A220B}

104 HKLM\Software\Microsoft\Code Store Database\Distribution Units

GUID / CLSID not found {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8}

  • c:\windows\system32\macromed\director\swdir.dll (Adobe Systems, Inc.) {166B1BCA-3F9C-11CF-8075-444553540000}
    c:\windows\downloaded program files\housecall_activex.dll (Trend Micro Inc.) {215B8138-A3CF-44C5-803F-8226143CFC0A}
    c:\windows\downloaded program files\accounttracking.dll (eWise Systems Pty Ltd) {4E62C4DE-627D-4604-B157-4B7D6B09F02E}
  • c:\windows\downloaded program files\sysreqlab2.dll (Husdawg, LLC) {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE}
  • c:\program files\java\jre1.6.0_02\bin\npjpi160_02.dll (Sun Microsystems, Inc.) {8AD9C840-044E-11D1-B3E9-00805F499D93}
  • c:\windows\downloaded program files\asinst.dll (Panda Software) {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}
  • c:\program files\java\jre1.5.0_11\bin\npjpi150_11.dll (Sun Microsystems, Inc.) {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}
  • c:\program files\java\jre1.6.0_01\bin\npjpi160_01.dll (Sun Microsystems, Inc.) {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
  • c:\program files\java\jre1.6.0_02\bin\npjpi160_02.dll (Sun Microsystems, Inc.) {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
  • c:\program files\java\jre1.6.0_02\bin\npjpi160_02.dll (Sun Microsystems, Inc.) {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}

120 Domain/DNS hijacking

NameServer {F0D940FA-FF03-4B3B-950A-2B22E03A2A18} : 192.168.1.1

161 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System

dontdisplaylastusername : 0
shutdownwithoutlogon : 1
undockwithoutlogon : 1

173 HKCR*\shellex\ContextMenuHandlers

  • c:\program files\adobe\acrobat 8.0\acrobat elements\contextmenu.dll (Adobe Systems Inc.) {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}
  • c:\program files\avast4\ashshell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
    GUID / CLSID not found
  • c:\program files\trillian\buddy.dll (Cerulean Studios) {6F1DC701-9891-11d5-B8C6-444553540001}
    c:\progra~1\tugzip\tzshell.dll {B38FE8E9-5DFC-4D58-8459-1E3AC5165E34}

CombiFix is still running without seeming to be doing anything again btw - been going for about half an hour again now.

12

I did a google search on that file and the only hit that it returns is your topic in spywareinfo and that because it is in your HJT log, so if it were an MS signed file I would have thought there would be some hits on google. What does it say in the file properties about what it is/does ?

It may be worthwhile scanning it:
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 30 different scanners.
Or Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive.

13

Wow, those sites are brilliant - I will use those whenever I have any suspicions in future, what a great idea they are - thanks!

I’m afraid that both those sites found nothing wrong with rasrad32.dll so it looks like it’s probably OK.

In my Googling I found rasrad.dll came up a bit so maybe this is just a 32-bit update which no-one uses any more or something. Not that I even understood exactly what it was anyway!

45 minutes and counting with CombiFix now, and still no sign of it using any CPU or seeming to do anything :frowning:

14

I’ve just put the run file through the advanced mode and got it up online for you to look at instead:
http://www.runscanner.net/report.aspx?report=54bd4472-80c9-4e01-8b1e-15df2874ee91

Nothing shows up as definitely bad and I think I can account for the blue things so I’m not sure if this is going to help :frowning: But if you can see anything for me to look at further please let me know!

Thanks!

15

Looks good to me, the run file would also have given me the running processes

O20 - Winlogon Notify: rasrad32 - C:\WINDOWS\SYSTEM32\rasrad32.dll

I can find no info on this at all including the Microsoft dll list which in itself is suspicious. If combofix is not running then you could try winpfind

This is a deep analaysis tool

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

[*]Close ALL OTHER PROGRAMS.
[*]Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
[*]Under Additional Scans click the checkboxes in front of the following items to select them:

Reg - BotCheck
Reg - Disabled MS Config Items
Reg - IE CmdMapping

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

16

Ah OK - you’re probably not missing much there then because I haven’t yet re-enabled that Service so the virus isn’t actually doing anything at the moment, so I don’t think its process is running.

I have to go out for a few hours now but I am going to leave this WinPFind3U running while I’m out (with everything else shut), since ComboFix still hadn’t done anything over an hour after I started it.

I’ll post my log when I get home later. Thanks very much for your help!

17

The file is 101,252 bytes, which would mean it would take 11 posts to put it up here. Instead I have put it online here:

http://www.digitalhome.plus.com/WinPFind3.txt

Hope it is revealing!

Thanks for your help,

Paul

(P.S. As you will see, in this text file I have censored three of the items in my Hosts file, as they reveal personal information I’d rather keep out of a forum - there’s nothing suspicious about them, I promise!)

18

Last night I shut down just about every little running thing (including system tray stuff) on my PC and tried running ComboFix again. I didn’t so much as hover over the window once it was running, let alone clicking it. This morning it has once again not finished running and does not appear to be doing anything.

There is a folder in my C drive that it has created called ComboFix. It contains 90 objects, of which 18 have modified dates/times of last night when I started running it, and one has a modified time of two minutes later. That last file is called WowErr.cf and contains the following text:

Completed Stage_7

Can anyone tell me why this ComboFix process never finishes, or what Stage 7 is that could make it stall, or anything else helpful? Would it be useful for me to post the contents of any of these other files that were modified when I started running it?

d-delA.cf
DirRoot
attribed.cf
svclist.cf
v-files.cf
suspect_ntfy.cf
ComboFix.txt
errdbg.cf
borlander_folder.cf
borlander_file.cf
Cfolders.cf
Cfiles.cf
whitedir.cf
dll_whitelist.cf
dnd.cf
appdatafolders.cf
setpath.bat

(The 18th item with that same modified date/time is a folder called ‘test’, which is empty.)

Could my virus/rootkit/whatever be actually blocking ComboFix from working in some way?

Any help with this, or with analysing the WinPFind3 log I posted last night, would be much appreciated!

19

Try this…

  1. Go to Start then click Run. 2) Type msconfig. 3) When System Configuration Utility window appear click on Services tab. 4) Check “Hide All Microsoft Services” box. 5) Kill all non-Microsoft services process then run ComboFix or Runscanner.
20

I’m a bit confused - when I run ComboFix.exe I get a Command Prompt window called AutoScan, which has a blue background. It says “Please wait” for a few seconds, then the following:

Scanning for infected files . . .

This typically doesn’t take more than 10 minutes

Scan times for badly infected machines may easily double

ComboFix has changed your clock settings.

Do not change it back. It shall be restored later

Then nothing else happens.

At what point should I be typing 1? I’m not prompted to type 1. Am I running the wrong thing? Should I be running something out of the ComboFix folder rather than the ComboFix.exe file that I downloaded?

Sorry if I appear stupid but I’m a bit confused by this software as it never gets past the above text!