Win32.tratBHO infection that I can't get rid of!

system · 2008-01-13T03:03:39.000Z

Hello,

I am new to this forum, but I have used avast for the last year. It is an incredible program, but I cannot remove the Win32.TratBHO trojan. I have started the computer in Safe Mode and ran Avast and AdAware to no avail. I have also done a boot-time scan with avast to try and remove the trojan. The scans always find the same file, C:\WINDOWS\SYSTEM32\MLLJG.DLL I have moved the file to the chest, tried to delete it and tried to move it and the file reappears.

I am not very computer literate. I know just enough to be dangerous, and I have tried to remove this bug in a bunch of ways. It appears that it is removed, and then it seems to propagate itself again along with a few other trojans.

When I run Avast with the computer in ‘normal’ mode, I cannot delete MLLJG.DLL because the file is in use. It can remove the file in Safe Mode and during the boot-time scan, but it reappears.

Please help me!!! I don’t know what to do. Thank you in advance for any help that anyone can give.

I downloaded HijackThis from trend micro based on the recommendations I saw in other threads. Here it is!!!

system · 2008-01-13T03:04:12.000Z

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:25 PM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svcd\svchost.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
C:\Program Files\Web Buying\v1.8.6\webbuying.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Alwil Software\Avast4\ashSimp2.exe
C:\Program Files\Web Buying\v1.8.6\webbuying .exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

system · 2008-01-13T03:04:53.000Z

–
End of file - 12009 bytes

THANK YOU

oldman960 · 2008-01-13T03:29:59.000Z

Hi welcome to the forum. Let’s see what we can do.BYW, you can attach logs if you like, use the additional options button on the reply page.

Open Spybot and make sure teatimer is disabled, we will re-enable afterwards. To do so do the following

Click mode
click Advanced mode
if you get a warning answer “yes”
click tools
click resident
uncheck resident “teatimer” and SDHelper if installed
click allow change
reboot

Open HJT, run a system scan only, check mark these lines if present

O2 - BHO: (no name) - {c227cf91-4d7d-4ff6-a850-84f29d047a72} - C:\WINDOWS\system32\byevcti.dll
O2 - BHO: (no name) - {E1759A31-E627-4758-9562-6899DF36C9C2} - C:\WINDOWS\system32\efcbbxw.dll
O2 - BHO: (no name) - {F11340B3-7EF8-43A7-B6AC-00A89F050BFB} - C:\Program Files\MSN\hokewodelC:\WINDOWS\system32\vt8\tycodllz83122.exe.dll (file missing)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
ALL OF THE 015 LINES
O20 - Winlogon Notify: efcbbxw - C:\WINDOWS\SYSTEM32\efcbbxw.dll

Close all other browsers/windows, click fix, close HJT.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix’s window while its running. That may cause it to stall.

Please do the steps in order posted, getting a new HJT log after the combofix run. Thanks

system · 2008-01-13T18:40:02.000Z

Oldman,

Thank you for your help!!!

I did everything in the order you said… here is the HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:41:19 PM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svcd\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

system · 2008-01-13T18:40:24.000Z

–
End of file - 10121 bytes

system · 2008-01-13T18:41:20.000Z

Here is the combofix log

ComboFix 08-01-13.1 - Compaq_Owner 2008-01-13 13:08:08.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.607 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Compaq_Owner\Application Data\install.dat
C:\Documents and Settings\Compaq_Owner\Application Data\MBSMainPlugin4070.dll
C:\Documents and Settings\Compaq_Owner\Application Data\MBSQTImporterPlugin4175.dll
C:\Documents and Settings\Compaq_Owner\Application Data\MBSRegistrationPlugin4071.dll
C:\Documents and Settings\Compaq_Owner\Application Data\rbap550.dll
C:\Documents and Settings\Compaq_Owner\Application Data\RBInternetEncodings550.dll
C:\Documents and Settings\Compaq_Owner\Application Data\rbqt550.DLL
C:\Documents and Settings\Compaq_Owner\Application Data\RBShell550.dll
C:\Program Files\asks~1
C:\Program Files\asks~2
C:\Program Files\Common Files{8C0E9~1
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\web buying
C:\Program Files\web buying\v1.8.6\wbuninst.exe
C:\Program Files\web buying\v1.8.6\webbuying .exe
C:\Program Files\web buying\v1.8.6\webbuying.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2210NetInstaller.exe
C:\WINDOWS\IA
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\system32\awvvs.dll
C:\WINDOWS\system32\byevcti.dll
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\ddcbabc.dll
C:\WINDOWS\system32\efcbbxw.dll
C:\WINDOWS\system32\gjllm.ini
C:\WINDOWS\system32\gjllm.ini2
C:\WINDOWS\system32\ljjiggd.dll
C:\WINDOWS\system32\ljjkijh.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlljg.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmkhe.dll
C:\WINDOWS\system32\xxyyvwt.dll
C:\WINDOWS\ymante~1
D:\Autorun.inf
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-13 13:31 . 2008-01-13 13:31 d-------- C:\temp\tn3
2008-01-13 13:30 . 2008-01-13 13:30 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-13 12:23 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-12 21:44 . 2008-01-12 21:44 d-------- C:\Program Files\Trend Micro
2008-01-12 21:22 . 2008-01-12 21:22 34,816 --a------ C:\winefni.exe
2008-01-12 14:34 . 2005-05-05 12:57 d-------- C:\Documents and Settings\Administrator.YOUR-F78BF48CE2\WINDOWS
2008-01-12 08:37 . 2008-01-13 13:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-12 08:37 . 2008-01-12 08:37 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-10 18:47 . 2008-01-10 18:47 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Yahoo! Messenger
2008-01-10 18:22 . 2008-01-10 18:22 d-------- C:\WINDOWS\system32\svcd
2008-01-10 18:22 . 2008-01-10 18:22 34,816 --a------ C:\winvvys.exe
2008-01-10 18:22 . 2008-01-13 12:10 114 --a------ C:\WINDOWS\system32\url3
2008-01-10 18:22 . 2008-01-13 12:10 102 --a------ C:\WINDOWS\system32\url2
2008-01-10 18:22 . 2008-01-13 12:10 102 --a------ C:\WINDOWS\system32\url1
2008-01-10 18:22 . 2008-01-13 12:10 8 --a------ C:\WINDOWS\system32\CID
2008-01-10 18:22 . 2008-01-12 21:22 4 --a------ C:\WINDOWS\system32\SvcNm
2008-01-10 11:25 . 2008-01-12 09:42 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-10 11:12 . 2008-01-10 12:38 d-------- C:\WINDOWS\system32\vt8
2008-01-10 11:12 . 2008-01-10 14:10 d-------- C:\WINDOWS\system32\ob3
2008-01-10 11:12 . 2008-01-10 12:33 d-------- C:\WINDOWS\system32\mp2
2008-01-10 11:12 . 2008-01-10 11:23 d-------- C:\WINDOWS\system32\ez4
2008-01-10 11:12 . 2008-01-10 11:12 d-------- C:\WINDOWS\system32\edcA01
2008-01-10 11:12 . 2008-01-10 11:12 d-------- C:\WINDOWS\system32\che9
2008-01-10 11:12 . 2008-01-10 11:12 d-------- C:\temp\Ryuan1
2008-01-10 11:12 . 2008-01-10 11:12 86,016 --a------ C:\WINDOWS\system32\drivers\intelidee.sys
2008-01-09 23:39 . 2008-01-10 20:10 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\gtk-2.0
2008-01-09 23:38 . 2008-01-09 23:38 d-------- C:\Documents and Settings\Compaq_Owner.thumbnails
2008-01-09 23:37 . 2008-01-10 20:10 d-------- C:\Documents and Settings\Compaq_Owner.gimp-2.4
2008-01-09 23:36 . 2008-01-09 23:36 d-------- C:\Program Files\GIMP-2.0
2007-12-27 12:18 . 2007-12-27 12:18 d----c— C:\WINDOWS\system32\DRVSTORE
2007-12-27 12:18 . 2007-12-27 12:18 d-------- C:\Program Files\Common Files\Apple
2007-12-27 12:18 . 2007-12-27 12:18 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-23 13:16 . 2007-12-23 13:16 d–h----- C:\CWDS2Temp
2007-12-23 13:14 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-12-23 13:07 . 2007-12-23 13:07 0 --a------ C:\WINDOWS\system32\SET29.tmp
2007-12-23 13:06 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-12-23 13:06 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-12-23 13:06 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2007-12-23 12:47 . 2007-12-23 12:47 d-------- C:\Program Files\Common Files\Canon
2007-12-23 12:47 . 2007-12-23 12:52 d-------- C:\Program Files\Canon

system · 2008-01-13T18:41:59.000Z

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 17:56 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\OpenOffice.org2
2008-01-13 17:53 --------- d-----w C:\Program Files\REGSHAVE
2008-01-13 17:53 --------- d-----w C:\Program Files\QuickTime
2008-01-13 17:53 --------- d-----w C:\Program Files\iTunes
2008-01-13 17:53 --------- d-----w C:\Program Files\AIM
2008-01-10 04:29 --------- d-----w C:\Program Files\Artweaver 0.4
2008-01-02 04:10 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Skype
2007-12-28 01:40 --------- d-----w C:\Program Files\iPod
2007-12-27 17:19 --------- d-----w C:\Program Files\Apple Software Update
2007-12-23 18:12 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\AdobeUM
2007-12-08 15:59 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Snapfish
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-21 02:07 --------- d-----w C:\Program Files\SecondLife
2007-11-18 00:33 --------- d–h–w C:\Program Files\InstallShield Installation Information
2007-11-18 00:13 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Artweaver
2007-10-09 16:43 15,754 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2006-07-23 23:45 0 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\internaldb41.dat
2006-05-21 21:55 3,333 ----a-w C:\Program Files\INSTALL.LOG
2006-05-17 06:20 17 ----a-w C:\Program Files\d.bat
2005-09-09 06:58 48,640 —ha-w C:\Documents and Settings\Compaq_Owner\Application Data\eSelleratePlugin.DLL
2005-09-09 06:43 124 ----a-w C:\Program Files\Warez P2P ClientIPGUARD.LOG
2002-07-26 21:02 153,088 ----a-w C:\Program Files\UNWISE.EXE
.

<pre>
----a-w            79,224 2008-01-12 14:41:51  C:\Program Files\Alwil Software\Avast4\ashDisp .exe
----a-w           245,760 2008-01-13 17:09:10  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
----a-w           286,720 2008-01-12 14:42:10  C:\Program Files\QuickTime\qttask  .exe
----a-w         1,415,824 2008-01-13 01:23:38  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w            15,360 2008-01-12 14:42:22  C:\WINDOWS\system32\ctfmon .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 07:00 15360]
“AIM”=“C:\Program Files\AIM\aim.exe” [2008-01-13 12:09 67160]
“Yahoo! Pager”=“C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe” [2008-01-13 12:09 4662776]
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2008-01-13 12:09 68856]
“updateMgr”=“C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe” [2008-01-13 12:09 313472]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
“FFTI”=“C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles[u]0[/u]90rc6lm.default\extensions{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“SiSPower”=“SiSPower.dll” [2005-01-04 18:54 49152 C:\WINDOWS\system32\SiSPower.dll]
“HPBootOp”=“C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe” [2008-01-13 12:09 245760]
“LSBWatcher”=“c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe” [2008-01-13 12:09 253952]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-12-04 08:00 79224]
“regcmdcons”=“c:\hp\bin\cloaker.exe” [2008-01-13 12:09 27136]
“TkBellExe”=“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [2008-01-13 12:09 180269]
“REGSHAVE”=“C:\Program Files\REGSHAVE\REGSHAVE.exe” [2008-01-13 12:09 53248]
“ATICCC”=“C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe” [2008-01-13 12:09 90112]
“QuickTime Task”=“C:\Program Files\QuickTime\qttask .exe”
“iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [2008-01-13 12:09 267048]

C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 16:54:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
SpySubtract.lnk - C:\Program Files\InterMute\SpySubtract\sslaunch.exe [2005-05-05 12:59:06]

R1 intelidee;intelidee;C:\WINDOWS\system32\drivers\intelidee.sys [2008-01-10 11:12]
R2 NANU;Security Service;C:\WINDOWS\system32\svcd\svchost.exe [2008-01-10 18:22]
R3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\system32\Drivers\Icam3.sys [2001-08-17 16:05]
R3 IPN2120;Wireless-B PCI Adapter Driver;C:\WINDOWS\system32\DRIVERS\LSIPNDS.sys [2003-08-26 03:28]

.
Contents of the ‘Scheduled Tasks’ folder
“2008-01-05 11:56:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job”

C:\Program Files\Apple Software Update\SoftwareUpdate.exe
“2005-05-05 18:21:55 C:\WINDOWS\Tasks\Symantec NetDetect.job”
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 13:32:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0

.
Completion time: 2008-01-13 13:37:24 - machine was rebooted [Compaq_Owner]
ComboFix-quarantined-files.txt 2008-01-13 18:37:20

oldman960 · 2008-01-13T21:47:08.000Z

Open Spybot and make sure teatimer is disabled, we will re-enable afterwards. To do so do the following

Open Spybot
Click mode
click Advanced mode
if you get a warning answer “yes”
click tools
click resident
uncheck resident “teatimer” and SDHelper if installed
click allow change
reboot

Open HJT, run a system scan only, check mark these lines if present

O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O23 - Service: Security Service (NANU) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe

Close all other browsers/windows, click fix, close HJT.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File:: C:\WINDOWS\system32\svcd\svchost.exe C:\winefni.exe C:\winvvys.exe C:\WINDOWS\system32\url3 C:\WINDOWS\system32\url2 C:\WINDOWS\system32\url1 C:\WINDOWS\system32\CID C:\WINDOWS\system32\SvcNm C:\WINDOWS\system32\drivers\core.cache.dsk C:\WINDOWS\system32\drivers\intelidee.sys C:\Documents and Settings\Compaq_Owner\Application Data\internaldb41.dat C:\Program Files\d.bat
RENV::
----a-w            79,224 2008-01-12 14:41:51  C:\Program Files\Alwil Software\Avast4\ashDisp .exe
----a-w           245,760 2008-01-13 17:09:10  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
----a-w           286,720 2008-01-12 14:42:10  C:\Program Files\QuickTime\qttask  .exe
----a-w         1,415,824 2008-01-13 01:23:38  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w            15,360 2008-01-12 14:42:22  C:\WINDOWS\system32\ctfmon .exe
Folder::
C:\WINDOWS\system32\svcd
C:\WINDOWS\system32\url3
C:\WINDOWS\system32\url2
C:\WINDOWS\system32\url1
C:\WINDOWS\system32\CID
C:\WINDOWS\system32\SvcNm
C:\temp\tn3
C:\WINDOWS\system32\vt8
C:\WINDOWS\system32\ob3
C:\WINDOWS\system32\mp2
C:\WINDOWS\system32\ez4
C:\WINDOWS\system32\edcA01
C:\WINDOWS\system32\che9
C:\temp\Ryuan1

This will start ComboFix again.Close all browser/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

system · 2008-01-14T13:36:57.000Z

Oldman,

Thanks! I’ll do this tonight and post the results!

~Steve

system · 2008-01-17T15:21:08.000Z

Oldman,

Sorry for the delay… Here are my logfiles starting with combofix

ComboFix 08-01-13.1 - Compaq_Owner 2008-01-17 10:03:32.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.605 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Owner\Desktop\cfscript.txt

Created a new restore point

FILE
C:\Documents and Settings\Compaq_Owner\Application Data\internaldb41.dat
C:\Program Files\d.bat
C:\WINDOWS\system32\CID
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\intelidee.sys
C:\WINDOWS\system32\svcd\svchost.exe
C:\WINDOWS\system32\SvcNm
C:\WINDOWS\system32\url1
C:\WINDOWS\system32\url2
C:\WINDOWS\system32\url3
C:\winefni.exe
C:\winvvys.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Compaq_Owner\Application Data\internaldb41.dat
C:\Program Files\d.bat
C:\temp\Ryuan1
C:\temp\Ryuan1\tepU.log
C:\temp\tn3
C:\WINDOWS\system32\che9
C:\WINDOWS\system32\che9\farstadcom2.exe
C:\WINDOWS\system32\CID
C:\WINDOWS\system32\CID
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\intelidee.sys
C:\WINDOWS\system32\edcA01
C:\WINDOWS\system32\edcA01\edcA011065.exe
C:\WINDOWS\system32\ez4
C:\WINDOWS\system32\mp2
C:\WINDOWS\system32\ob3
C:\WINDOWS\system32\svcd
C:\WINDOWS\system32\svcd\svchost.exe
C:\WINDOWS\system32\SvcNm
C:\WINDOWS\system32\SvcNm
C:\WINDOWS\system32\url1
C:\WINDOWS\system32\url1
C:\WINDOWS\system32\url2
C:\WINDOWS\system32\url2
C:\WINDOWS\system32\url3
C:\WINDOWS\system32\url3
C:\WINDOWS\system32\vt8
C:\winefni.exe
C:\winvvys.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-17 09:26 . 2008-01-17 09:26 20,480 --a------ C:\WINDOWS\quit.exe
2008-01-13 12:23 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-12 21:44 . 2008-01-12 21:44 d-------- C:\Program Files\Trend Micro
2008-01-12 14:34 . 2005-05-05 12:57 d-------- C:\Documents and Settings\Administrator.YOUR-F78BF48CE2\WINDOWS
2008-01-12 08:37 . 2008-01-17 10:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-12 08:37 . 2008-01-12 08:37 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-10 18:47 . 2008-01-10 18:47 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Yahoo! Messenger
2008-01-10 11:25 . 2008-01-12 09:42 15,360 --a------ C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-10 11:25 . 2008-01-12 09:42 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-09 23:39 . 2008-01-10 20:10 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\gtk-2.0
2008-01-09 23:38 . 2008-01-09 23:38 d-------- C:\Documents and Settings\Compaq_Owner.thumbnails
2008-01-09 23:37 . 2008-01-10 20:10 d-------- C:\Documents and Settings\Compaq_Owner.gimp-2.4
2008-01-09 23:36 . 2008-01-09 23:36 d-------- C:\Program Files\GIMP-2.0
2007-12-27 12:18 . 2007-12-27 12:18 d----c— C:\WINDOWS\system32\DRVSTORE
2007-12-27 12:18 . 2007-12-27 12:18 d-------- C:\Program Files\Common Files\Apple
2007-12-27 12:18 . 2007-12-27 12:18 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-23 13:16 . 2007-12-23 13:16 d–h----- C:\CWDS2Temp
2007-12-23 13:14 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-12-23 13:07 . 2007-12-23 13:07 0 --a------ C:\WINDOWS\system32\SET29.tmp
2007-12-23 13:06 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-12-23 13:06 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-12-23 13:06 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2007-12-23 12:47 . 2007-12-23 12:47 d-------- C:\Program Files\Common Files\Canon
2007-12-23 12:47 . 2007-12-23 12:52 d-------- C:\Program Files\Canon

system · 2008-01-17T15:22:30.000Z

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-17 15:03 --------- d-----w C:\Program Files\QuickTime
2008-01-17 14:47 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\OpenOffice.org2
2008-01-13 17:53 --------- d-----w C:\Program Files\REGSHAVE
2008-01-13 17:53 --------- d-----w C:\Program Files\iTunes
2008-01-13 17:53 --------- d-----w C:\Program Files\AIM
2008-01-10 04:29 --------- d-----w C:\Program Files\Artweaver 0.4
2008-01-02 04:10 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Skype
2007-12-28 01:40 --------- d-----w C:\Program Files\iPod
2007-12-27 17:19 --------- d-----w C:\Program Files\Apple Software Update
2007-12-23 18:12 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\AdobeUM
2007-12-08 15:59 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Snapfish
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-11-21 02:07 --------- d-----w C:\Program Files\SecondLife
2007-11-18 00:33 --------- d–h–w C:\Program Files\InstallShield Installation Information
2007-11-18 00:13 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Artweaver
2007-10-09 16:43 15,754 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2006-05-21 21:55 3,333 ----a-w C:\Program Files\INSTALL.LOG
2005-09-09 06:58 48,640 —ha-w C:\Documents and Settings\Compaq_Owner\Application Data\eSelleratePlugin.DLL
2005-09-09 06:43 124 ----a-w C:\Program Files\Warez P2P ClientIPGUARD.LOG
2002-07-26 21:02 153,088 ----a-w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((( snapshot@2008-01-13_13.37.08.28 )))))))))))))))))))))))))))))))))))))))))
.

2008-01-13 17:24:32 557,056 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000001\NTUSER.DAT

2008-01-17 15:03:14 557,056 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000001\NTUSER.DAT

2008-01-13 17:24:32 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000002\UsrClass.dat

2008-01-17 15:03:15 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000002\UsrClass.dat

2008-01-13 17:24:32 552,960 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000003\NTUSER.DAT

2008-01-17 15:03:15 552,960 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000003\NTUSER.DAT

2008-01-13 17:24:33 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000004\UsrClass.dat

2008-01-17 15:03:15 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000004\UsrClass.dat

2008-01-13 17:24:34 4,640,768 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000005\NTUSER.DAT

2008-01-17 15:03:15 4,640,768 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000005\NTUSER.DAT

2008-01-13 17:24:34 24,576 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000006\UsrClass.dat

2008-01-17 15:03:16 24,576 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000006\UsrClass.dat
2008-01-17 15:10:29 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6fc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2008-01-12 09:42 15360]
“AIM”=“C:\Program Files\AIM\aim.exe” [2008-01-13 12:09 67160]
“Yahoo! Pager”=“C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe” [2008-01-13 12:09 4662776]
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2008-01-13 12:09 68856]
“updateMgr”=“C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe” [2008-01-13 12:09 313472]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
“FFTI”=“C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles[u]0[/u]90rc6lm.default\extensions{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“SiSPower”=“SiSPower.dll” [2005-01-04 18:54 49152 C:\WINDOWS\system32\SiSPower.dll]
“HPBootOp”=“C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe”
“LSBWatcher”=“c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe” [2008-01-13 12:09 253952]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2008-01-12 09:41 79224]
“regcmdcons”=“c:\hp\bin\cloaker.exe” [2008-01-13 12:09 27136]
“TkBellExe”=“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [2008-01-13 12:09 180269]
“REGSHAVE”=“C:\Program Files\REGSHAVE\REGSHAVE.exe” [2008-01-13 12:09 53248]
“ATICCC”=“C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe” [2008-01-13 12:09 90112]
“QuickTime Task”=“C:\Program Files\QuickTime\qttask .exe”
“iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [2008-01-13 12:09 267048]

C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 16:54:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
SpySubtract.lnk - C:\Program Files\InterMute\SpySubtract\sslaunch.exe [2005-05-05 12:59:06]

R3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\system32\Drivers\Icam3.sys [2001-08-17 16:05]
R3 IPN2120;Wireless-B PCI Adapter Driver;C:\WINDOWS\system32\DRIVERS\LSIPNDS.sys [2003-08-26 03:28]
S1 intelidee;intelidee;C:\WINDOWS\system32\drivers\intelidee.sys
S2 NANU;Security Service;C:\WINDOWS\system32\svcd\svchost.exe

.
Contents of the ‘Scheduled Tasks’ folder
“2008-01-05 11:56:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job”

C:\Program Files\Apple Software Update\SoftwareUpdate.exe
“2005-05-05 18:21:55 C:\WINDOWS\Tasks\Symantec NetDetect.job”
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 10:10:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

system · 2008-01-17T15:23:55.000Z

HJT Logfile

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:55 AM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar8.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar8.dll
O4 - HKLM..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM..\Run: [HPBootOp] “C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe” /run
O4 - HKLM..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM..\Run: [ATICCC] “C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask .exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU..\Run: [Yahoo! Pager] “C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe” -quiet
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU..\RunOnce: [FFTI] C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\090rc6lm.default\extensions{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath=“C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles/090rc6lm.default\extensions{B13721C7-F507-4982-B2E5-502A71474FED}”
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra ‘Tools’ menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra ‘Tools’ menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O15 - Trusted Zone: *.gomyhit.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Security Service (NANU) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

–
End of file - 8958 bytes

oldman960 · 2008-01-17T21:40:51.000Z

Hi,

Please let me know how it is at your end. You can attach the logs by using the additional options button on the reply page.

Open HJT, run a system scan only, check mark these lines if present

O15 - Trusted Zone: *.gomyhit.com
O23 - Service: Security Service (NANU) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)

Close all other browsers/windows, click fix, close HJT.

Please download The Avenger by Swandog46 to your Desktop.

1.[*]Click on Avenger.zip to open the file[*]Extract avenger.exe to your desktop

[QUOTE]Drivers to unload:
intelidee
NANU

Files to delete:
C:\WINDOWS\quit.exe
C:\WINDOWS\system32\drivers\intelidee.sys
C:\WINDOWS\system32\svcd\svchost.exe
[/quote]

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
2. Now, start The Avenger program by clicking on its icon on your desktop.
[*] Under “Script file to execute” choose “Input Script Manually”.
[*]Now click on the Magnifying Glass icon which will open a new window titled “View/edit script”
[*] Copy/Paste [b]all[b] the text in the above quote box into this window by
[*] MAKE SURE THE TEXT MATCHES EXACTLY
[*] Click Done
[*] Now click on the Green Light to begin execution of the script
[*] Answer “Yes” twice when prompted.
3. The Avenger will automatically do the following:
[*]It will Restart your computer. ( In cases where the code to execute contains “Drivers to Unload”, The Avenger will actually restart your system twice.)
[*]On reboot, it will briefly open a black command window on your desktop, this is normal.
[*]After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
4. Please copy/paste the content of c:\avenger.txt into your reply along with the combofix log and a new HJT log

Please run the programs in this order, fix the lines in HJT, run avenger, run combofix, get the HJT log.

Thanks you.

Announcements