I scan with Ad-aware, then Spybot, then AVG 7.5. I tried to remove it in "safe mode" with various tools. AVG is what detects it. It is detected in the following files on her PC:
C:\windows\system32\aaclien.dll
C:\windows\system32\drivers\etc\hosts
The file is protected and "Combofix" and "Killbox" cannot remove it. Can someone help? There must be some other files controlling the permission to remove the virus. I have the XP Recovery Console installed.
Here is my HijackThis log followed by my Combofix log.
Can anyone help?
Thanks
=================================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:59:10 PM, on 8/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {98DF1B0D-F968-493E-B8C8-86357A2CA1D6} - C:\WINDOWS\system32\aaclien.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1191622796015
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.co...?BundleId=21871
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lmab_device - - C:\WINDOWS\system32\LMabcoms.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 4799 bytes
=================================================================
ComboFix 08-08-08.08 - Nova 2008-08-10 13:15:19.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.609 [GMT -4:00]
Running from: C:\Documents and Settings\Nova\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.
2008-08-09 21:42 . 2008-08-09 21:46 <DIR> d-------- C:\!KillBox
2008-08-09 12:00 . 2008-08-09 12:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 17:20 227,848,224 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-10 16:37 2,670,524 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-10 15:09 --------- d-----w C:\Documents and Settings\Nova\Application Data\AVG7
2008-08-10 14:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-10 13:52 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-10 00:18 6,436,854 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-08-09 16:01 --------- d-----w C:\Program Files\Lavasoft
2008-08-09 13:20 --------- d-----w C:\Documents and Settings\Kate\Application Data\AVG7
2008-08-08 23:27 --------- d-----w C:\Documents and Settings\Sarah\Application Data\.purple
2008-08-08 22:46 --------- d-----w C:\Documents and Settings\Sarah\Application Data\AVG7
2008-07-11 02:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-10 01:36 --------- d-----w C:\Documents and Settings\Kate\Application Data\.purple
2008-07-07 18:27 --------- d-----w C:\Documents and Settings\Mom\Application Data\AVG7
2008-07-06 22:18 --------- d-----w C:\Program Files\Yahoo! Games
2008-07-06 22:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Fugazo
2008-07-01 20:33 --------- d-----w C:\Documents and Settings\Kate\Application Data\PlayFirst
2008-07-01 20:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-07-01 20:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\NeoEdge Networks
2008-07-01 00:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\HipSoft
2008-06-27 23:38 --------- d-----w C:\Program Files\Java
2008-06-11 22:30 --------- d-----w C:\Documents and Settings\Sarah\Application Data\gtk-2.0
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-12 00:23 13,312 ----a-w C:\WINDOWS\Internet Logs\xDB23.tmp
2008-05-12 00:23 1,608,704 ----a-w C:\WINDOWS\Internet Logs\xDB24.tmp
2008-05-11 16:34 1,867,264 ----a-w C:\WINDOWS\Internet Logs\xDB22.tmp
2006-06-14 07:16 32 --sha-w C:\WINDOWS\{47751F05-B4DE-4B08-85F3-5193977E2CAA}.dat
2006-06-14 07:15 32 --sha-w C:\WINDOWS\{9E573930-6D75-445D-95F8-2D72C1AC8CAB}.dat
2006-06-14 07:15 32 --sha-w C:\WINDOWS\{ACEC7F40-5124-4E94-B194-FEF0A83D45C3}.dat
2006-06-14 07:15 32 --sha-w C:\WINDOWS\system32\{0C49533B-7491-4F16-8E09-3EFA5EA5AB08}.dat
2006-06-14 07:15 32 --sha-w C:\WINDOWS\system32\{418BF9B1-CE5F-4812-AC6B-803BDE10C8E0}.dat
2006-06-14 07:16 32 --sha-w C:\WINDOWS\system32\{D527C9DC-A2EE-480E-9200-A07631AA94AF}.dat
.
((((((((((((((((((((((((((((( snapshot@2008-05-24_22.12.32.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 12:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 12:00:00 28,672 ----a-w C:\WINDOWS\Nircmd.exe
- 2007-07-11 18:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2008-04-29 15:19:50 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
- 2007-08-07 17:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2008-04-29 15:19:54 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
- 2007-08-07 17:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2008-04-29 15:20:00 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
- 2007-07-12 05:22:00 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-03-25 05:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-07-12 05:22:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 05:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-07-12 06:22:38 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-03-25 06:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-03-25 02:32:44 218,496 ----a-r C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe
+ 2008-05-26 14:58:43 74,137 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98DF1B0D-F968-493E-B8C8-86357A2CA1D6}]
2008-03-04 18:20 98048 --a------ C:\WINDOWS\system32\aaclien.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14 919016]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-23 21:41 579584]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-09 15:50 219136]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe"
"WINDVDPatch"=CTHELPER.EXE
"IMONTRAY"=C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
"Jet Detection"=C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\LMabcoms.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R0 ougcrcrt;ougcrcrt;C:\WINDOWS\system32\drivers\gknzjqeb.dat []
R3 3c1807pd;U.S. Robotics V.92 Fax Win Int;C:\WINDOWS\system32\DRIVERS\3c1807pd.sys [2005-11-18 20:02]
S0 hfwfjs;hfwfjs;C:\WINDOWS\system32\drivers\myfyt.sys []
S3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\system32\DRIVERS\USRpdA.sys [2001-08-17 09:28]
.
Contents of the 'Scheduled Tasks' folder
2008-08-08 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job
- C:\Program Files\Norton SystemWorks\OBC.exe [2002-08-29 00:53]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-10 13:19:48
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ougcrcrt]
"ImagePath"="system32\drivers\gknzjqeb.dat"
.
Completion time: 2008-08-10 13:22:53
ComboFix-quarantined-files.txt 2008-08-10 17:22:44
ComboFix2.txt 2008-08-10 00:26:23
ComboFix3.txt 2008-08-09 23:19:00
ComboFix4.txt 2008-08-09 19:48:41
ComboFix5.txt 2008-08-10 17:14:50
Pre-Run: 89,162,436,608 bytes free
Post-Run: 89,160,884,224 bytes free