I have had an infection of a Trj/Rebooter.J-named virus about a couple of weeks ago on my PC. I am running a Pentium 4 3.2 GHz dual core, 1 GB RAM, 256 MB video card and Windows XP Home Edition SP2 as OS. I ran some self-help scans as suggested in the Tutorial section. That seemed to get rid of the virus, as all the logs that I posted came up clean.
But today it seems that the virus has come back. My computer restarted a number of times this morning before finally loading Windows. I have run all the recommended checks and I am posting the HijackThis log, Kaspersky scan log and Panda Antivirus scan log below. Can someone please have a look and suggest a solution to get rid of this pesky virus. Thanks for your help in advance.
Jack
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:48:17 PM, on 18/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Windows Defender\MsMpEng.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
H:\Program Files\MSI\Live Update 3\LMonitor.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\SOUNDMAN.EXE
H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE
H:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
H:\WINDOWS\system32\rundll32.exe
H:\Program Files\Microsoft IntelliType Pro\itype.exe
H:\Program Files\Windows Defender\MSASCui.exe
H:\Program Files\CyberLink\PowerCinema\PCMService.exe
H:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
H:\Program Files\Netropa\Onscreen Display\OSD.exe
H:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
H:\Program Files\Windows Live\Messenger\msnmsgr.exe
H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Windows Live\Messenger\usnsvc.exe
H:\WINDOWS\system32\wscntfy.exe
H:\Program Files\Windows Media Player\wmplayer.exe
H:\Documents and Settings\Owner\Desktop\Owner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - H:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - H:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [LiveMonitor] H:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] H:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] H:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3700 Series] H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE /P26 "EPSON Stylus CX3700 Series" /O6 "USB001" /M "Stylus CX3700"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] H:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [itype] "H:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Windows Defender] "H:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [PCMService] "H:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "H:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://img2.orkut.co...otouploader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1154593540515
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://tsweb.csu.edu...tsweb/msrdp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay10...ex/HMAtchmt.ocx
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS3\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - H:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
--
End of file - 8217 bytes
PANDA ANTIVIRUS ONLINE SCAN LOG
;*******************************************************************************************************************************************************************************************
ANALYSIS: 2008-05-18 16:46:41
PROTECTIONS: 1
MALWARE: 4
SUSPECTS: 0
;*******************************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===========================================================================================================================================================================================
Windows Defender 1.1.3520.0 No Yes
;===========================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===========================================================================================================================================================================================
00139535 Application/Processor HackTools No 0 Yes No H:\Documents and Settings\Owner\Desktop\smitRem.exe[smitRem/Process.exe]
00139535 Application/Processor HackTools No 0 Yes No H:\Documents and Settings\Owner\Desktop\smitRem\Process.exe
00139535 Application/Processor HackTools No 0 Yes No H:\Documents and Settings\Owner\Desktop\SmitfraudFix\Process.exe
00170554 Cookie/Overture TrackingCookie No 0 Yes No H:\Documents and Settings\Owner\Cookies\owner@overture[2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No H:\Documents and Settings\Owner\Cookies\owner@overture[1].txt
01176994 Bck/VB.XB Virus/Trojan No 0 No No H:\Documents and Settings\Owner\Desktop\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No H:\Documents and Settings\Owner\Desktop\SmitfraudFix\Reboot.exe
;===========================================================================================================================================================================================
SUSPECTS
Sent Location M>
;===========================================================================================================================================================================================
;===========================================================================================================================================================================================
VULNERABILITIES
Id Severity Description M>
;===========================================================================================================================================================================================
;===========================================================================================================================================================================================
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, May 18, 2008 3:24:26 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/05/2008
Kaspersky Anti-Virus database records: 782313
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
D:\
H:\
I:\
Scan Statistics:
Total number of scanned objects: 105860
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 00:53:25
Infected Object Name / Virus Name / Last Action
H:\Documents and Settings\All Users\Application Data\avg8\emc\Log\emc.log Object is locked skipped
H:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped
H:\Documents and Settings\All Users\Application Data\avg8\Log\avglng.log Object is locked skipped
H:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log Object is locked skipped
H:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log Object is locked skipped
H:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
H:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
H:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12082006-102146.log Object is locked skipped
H:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
H:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
H:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
H:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
H:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
H:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
H:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
H:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
H:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
H:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
H:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
H:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
H:\Documents and Settings\Owner\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe RAR: infected - 1 skipped
H:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
H:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\pending.dat Object is locked skipped
H:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_721C_AA5A_1CAA_195D\dfsr.db Object is locked skipped
H:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_721C_AA5A_1CAA_195D\fsr.log Object is locked skipped
H:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_721C_AA5A_1CAA_195D\fsrtmp.log Object is locked skipped
H:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_721C_AA5A_1CAA_195D\tmp.edb Object is locked skipped
H:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
H:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
H:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{E90237D3-308E-49C8-BB41-21B62D718111} Object is locked skipped
H:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\real\members.stg Object is locked skipped
H:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
H:\Documents and Settings\Owner\Local Settings\temp\~DF9B31.tmp Object is locked skipped
H:\Documents and Settings\Owner\Local Settings\temp\~DF9B3C.tmp Object is locked skipped
H:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
H:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
H:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
H:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
H:\WINDOWS\SchedLgU.Txt Object is locked skipped
H:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
H:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
H:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
H:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
H:\WINDOWS\Sti_Trace.log Object is locked skipped
H:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
H:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
H:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
H:\WINDOWS\system32\config\default Object is locked skipped
H:\WINDOWS\system32\config\default.LOG Object is locked skipped
H:\WINDOWS\system32\config\Internet.evt Object is locked skipped
H:\WINDOWS\system32\config\SAM Object is locked skipped
H:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
H:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
H:\WINDOWS\system32\config\SECURITY Object is locked skipped
H:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
H:\WINDOWS\system32\config\software Object is locked skipped
H:\WINDOWS\system32\config\software.LOG Object is locked skipped
H:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
H:\WINDOWS\system32\config\system Object is locked skipped
H:\WINDOWS\system32\config\system.LOG Object is locked skipped
H:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped
H:\WINDOWS\system32\h323log.txt Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
H:\WINDOWS\wiadebug.log Object is locked skipped
H:\WINDOWS\wiaservc.log Object is locked skipped
H:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.