It's been a while since I have been here. I keep having a problem with F-Secure popping up telling me that it has found this virus, but it always just renames it.
It renames the file extension. I have run "FixIEDef.exe", "Smitfraud.exe", and "ComboFix". I have a HijackThis log and a log from ComboFix that I will post.
HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 7:51:04 PM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsqh.exe
C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguidll.exe
C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsus.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
D:\Security stuff\HijackThis.exe
O1 - Hosts: 87.106.166.63 www.winmx.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinMX] C:\Program Files\WinMX\WinMX.exe -m
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\charter high-speed security suite\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\charter high-speed security suite\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\charter high-speed security suite\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\charter high-speed security suite\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\charter high-speed security suite\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\charter high-speed security suite\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\charter high-speed security suite\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\charter high-speed security suite\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\charter high-speed security suite\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\charter high-speed security suite\fsps\program\fslsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15030/CTPID.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
ComboFix log
ComboFix 08-02.05.3 - William 2008-02-05 19:42:42.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.259 [GMT -6:00]
Running from: C:\Documents and Settings\William\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.
2008-02-04 19:04 . 2008-02-04 19:40 1,662 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-28 11:07 . 2008-01-28 11:07 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-01-26 21:53 . 2008-01-28 11:05 <DIR> d-------- C:\Program Files\Real
2008-01-19 12:43 . 2008-01-19 12:43 <DIR> d-------- C:\Program Files\Usb to Serial Driver 1.12.25
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-28 17:07 --------- d-----w C:\Program Files\Common Files\Real
2008-01-28 17:06 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-01-28 17:06 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-01-28 11:56 --------- d-----w C:\Documents and Settings\William\Application Data\BitTorrent
2008-01-19 18:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-15 09:20 --------- d-----w C:\Program Files\Motorola Phone Tools
2007-12-15 09:14 --------- d-----w C:\Program Files\Avanquest update
2007-12-15 09:14 --------- d-----w C:\Documents and Settings\William\Application Data\InstallShield
2007-12-15 09:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2007-12-14 15:02 --------- d-----w C:\Program Files\Charter High-Speed Security Suite
2007-12-14 14:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\fssg
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-09-08 01:54 92,064 ----a-w C:\Documents and Settings\William\mqdmmdm.sys
2007-09-08 01:54 9,232 ----a-w C:\Documents and Settings\William\mqdmmdfl.sys
2007-09-08 01:54 79,328 ----a-w C:\Documents and Settings\William\mqdmserd.sys
2007-09-08 01:54 66,656 ----a-w C:\Documents and Settings\William\mqdmbus.sys
2007-09-08 01:54 6,208 ----a-w C:\Documents and Settings\William\mqdmcmnt.sys
2007-09-08 01:54 5,936 ----a-w C:\Documents and Settings\William\mqdmwhnt.sys
2007-09-08 01:54 4,048 ----a-w C:\Documents and Settings\William\mqdmcr.sys
2007-09-08 01:54 25,600 ----a-w C:\Documents and Settings\William\usbsermptxp.sys
2007-09-08 01:54 22,768 ----a-w C:\Documents and Settings\William\usbsermpt.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 06:00 15360]
"WinMX"="C:\Program Files\WinMX\WinMX.exe" [2006-03-10 04:24 1069056]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-09-07 17:01 43008]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2005-05-03 05:38 64512 C:\WINDOWS\system32\P17.dll]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00 90112]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 08:12 90112]
"F-Secure Manager"="C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.exe" [2007-11-01 05:42 182936]
"F-Secure TNB"="C:\Program Files\Charter High-Speed Security Suite\FSGUI\TNBUtil.exe" [2007-11-01 05:42 739936]
"News Service"="C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe" [2005-05-31 06:45 356352]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24 286720]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 09:51 57344]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-28 11:05 185896]
R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2007-11-01 05:42]
R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\Charter High-Speed Security Suite\HIPS\fshs.sys [2007-11-01 05:42]
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2006-02-28 06:00]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\minifilter\fsgk.sys [2007-11-01 05:42]
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSfilter.sys [2007-11-01 05:42]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSrec.sys [2007-11-01 05:42]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
"2008-01-30 20:52:45 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 19:47:39
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-05 19:48:47
.
2008-01-09 09:03:17 --- E O F ---
Thanks!