(Trojan-spy.html.banfraud.dq,win32.keylogger.aa, win32.greenscreen)
I have been working on this trojan for a few days now! Everytime it looks clean either though a reboot or mainly through IE web browser activation the trojan re turns. Ive tried trojan-remover, smitfraudfix, combofix, highjackthis, several registry cleaners(ie ARD,etc), still no luck at total removal. I know I'm missing something! Any help would be appreciated!!!!
Opsys= XP-home
last combofix:
ComboFix 08-08-23.01 - BRETT 2008-08-24 0:02:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.186 [GMT -4:00]
Running from: C:\Documents and Settings\BRETT\My Documents\Billy Downloads\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\BRETT\Application Data\macromedia\Flash Player\#SharedObjects\4A8K8BDC\interclick.com
C:\Documents and Settings\BRETT\Application Data\macromedia\Flash Player\#SharedObjects\4A8K8BDC\interclick.com\ud.sol
C:\Documents and Settings\BRETT\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\BRETT\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\smp
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_sysrest.sys
((((((((((((((((((((((((( Files Created from 2008-07-24 to 2008-08-24 )))))))))))))))))))))))))))))))
.
2008-08-23 22:45 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-08-23 22:45 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-08-23 22:45 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe.vir
2008-08-23 20:09 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-08-23 20:09 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-08-23 20:09 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-08-23 20:09 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-08-23 20:09 . 2008-08-14 21:52 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-08-23 20:09 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-08-23 13:40 . 2008-08-21 23:41 87,552 --a------ C:\WINDOWS\system32\AntiXPVSTFix.exe
2008-08-22 19:18 . 2008-08-22 19:18 <DIR> d-------- C:\Documents and Settings\BRETT\Application Data\Symantec
2008-08-20 23:37 . 2008-08-20 23:37 186,880 --a------ C:\WINDOWS\system32\zotkhqjk.exe
2008-08-20 23:37 . 2008-08-20 23:37 86,016 --a------ C:\WINDOWS\system32\vydcnknq.exe
2008-08-20 21:33 . 2008-08-23 22:46 4,186 --a------ C:\WINDOWS\system32\tmp.reg
2008-08-20 20:32 . 2008-08-20 20:32 81,920 --a------ C:\WINDOWS\system32\javmvgda.exe
2008-08-20 18:58 . 2008-08-20 18:59 <DIR> d-------- C:\Program Files\Advanced Registry Doctor
2008-08-20 17:28 . 2008-08-20 17:28 94,208 --a------ C:\WINDOWS\system32\rgxadede.exe
2008-08-20 12:04 . 2008-08-20 12:04 187,392 --a------ C:\WINDOWS\system32\alofifmb.exe
2008-08-20 12:04 . 2008-08-20 12:04 81,920 --a------ C:\WINDOWS\system32\ybixazkx.exe
2008-08-20 11:23 . 2008-08-20 11:23 245 --a------ C:\WINDOWS\tmp119984.bat
2008-08-20 11:22 . 2008-08-20 11:22 81,920 --a------ C:\WINDOWS\system32\hingfyrw.exe
2008-08-20 10:51 . 2008-08-21 01:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-20 10:51 . 2008-08-20 11:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-19 14:26 . 2008-08-19 14:26 110,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-08-19 14:26 . 2008-08-19 14:26 48,768 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-08-19 14:26 . 2008-08-19 14:26 8,014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-08-19 14:26 . 2008-08-19 14:26 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-08-19 14:25 . 2008-08-24 00:10 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2008-08-19 13:03 . 2008-08-19 13:05 608 --a------ C:\WINDOWS\PrintScreen.INI
2008-08-19 13:02 . 2008-08-19 13:02 <DIR> d-------- C:\Program Files\Gadwin Systems
2008-08-19 11:05 . 2008-08-19 11:05 187,904 --a------ C:\WINDOWS\system32\yhuzanaj.exe
2008-08-19 10:58 . 2008-08-19 10:58 187,904 --a------ C:\WINDOWS\system32\ynojaloh.exe
2008-08-19 09:49 . 2008-08-23 23:31 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-19 09:48 . 2008-08-23 17:33 <DIR> d-------- C:\Program Files\Trojan Remover
2008-08-19 09:48 . 2008-08-19 09:48 <DIR> d-------- C:\Documents and Settings\BRETT\Application Data\Simply Super Software
2008-08-19 09:48 . 2008-08-19 09:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-08-19 09:48 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-08-19 09:48 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-08-19 09:48 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-08-19 09:48 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-08-19 09:38 . 2008-08-19 09:52 <DIR> d-------- C:\Program Files\EndItAll
2008-08-18 12:28 . 2008-08-18 12:28 <DIR> d-------- C:\Program Files\AVG
2008-08-18 12:28 . 2008-08-19 14:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-18 10:38 . 2008-08-23 18:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\jszsvqhm
2008-08-18 10:38 . 2008-08-18 10:38 86,016 --a------ C:\WINDOWS\system32\xwjatsze.exe
2008-08-13 18:14 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 00:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-23 00:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-22 02:32 --------- d-----w C:\Program Files\America Online 9.0
2008-08-22 02:18 --------- d-----w C:\Program Files\CoreFTP
2008-08-20 22:57 --------- d-----w C:\Documents and Settings\BRETT\Application Data\U3
2008-08-19 18:26 --------- d-----w C:\Program Files\Symantec
2008-08-19 15:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-17 18:33 --------- d-----w C:\Documents and Settings\BRETT\Application Data\FUJIFILM
2008-08-05 21:37 --------- d-----w C:\Documents and Settings\BRETT\Application Data\SiteAdvisor
2008-07-16 01:23 --------- d-----w C:\Program Files\MSBuild
2008-07-16 01:23 --------- d-----w C:\Program Files\Microsoft Works
2008-07-15 12:07 --------- d-----w C:\Program Files\Dell Support Center
2008-07-15 12:07 --------- d-----w C:\Program Files\Common Files\supportsoft
2008-07-15 12:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-07-15 12:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2006-12-18 04:39 0 -c--a-w C:\Documents and Settings\BRETT\Application Data\wklnhst.dat
2007-02-09 23:42 88 -csh--r C:\WINDOWS\system32\7515257F65.sys
2007-02-09 23:42 3,350 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
------- Sigcheck -------
2004-08-04 05:00 17408 8c6804797251aa5afdd9faea8c7df5fa C:\WINDOWS\system32\svchost.exe
2004-08-04 05:00 506368 c810d1558e9bec0275f218190e241693 C:\WINDOWS\system32\winlogon.exe
2007-06-13 06:23 1035776 56a8974040f314c08ac3fc768837dfca C:\WINDOWS\explorer.exe
2007-06-13 07:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 05:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2004-08-04 05:00 110592 a8a93338e71e24798606fd0019d0ed94 C:\WINDOWS\system32\services.exe
2004-08-04 05:00 14848 990559e8616b14c14df837815f039c31 C:\WINDOWS\system32\lsass.exe
2005-06-10 20:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 19:53 58880 532bc473ba896151392b1a584558c783 C:\WINDOWS\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 12:28 139264]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-20 02:18 68856]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 18:41 1832272]
"ActInfoWin"="C:\WINDOWS\system32\hingfyrw.exe" [2008-08-20 11:22 81920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 20:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 20:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 20:50 114688]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12 94208]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-09-18 13:42 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-18 13:42 98304]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 19:20 110592]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20 122940]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-09-18 13:49 169984]
"DellHelp"="C:\Dell\DellHelp\DellHelp.exe" [2004-04-01 15:51 1589248]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 18:34 106496]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40 155648]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-02-08 22:39 36904]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 23:32 53248]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 15:49 1121280]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-08-23 17:33 914512]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 17:38 52840]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-03-14 19:49 125632]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 18:17 282624 C:\WINDOWS\stsystra.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0"="C:\WINDOWS\system32\advpack.dll" [2004-08-04 05:00 99840]
"wextract_cleanup1"="C:\WINDOWS\system32\advpack.dll" [2004-08-04 05:00 99840]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2006-09-18 13:41:40 156784]
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2007-11-04 18:58:00 200704]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 22:07:32 81920]
Veritrax AS-215.lnk - C:\Program Files\Rosslare\Veritrax AS-215\VeriTrax.exe [2008-04-13 19:16:01 9244672]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-09-21 20:57:14 122880]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ActInfoWin]
--a------ 2008-08-20 11:22 81920 C:\WINDOWS\system32\hingfyrw.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\utilactweb]
--a------ 2008-08-18 10:38 86016 C:\WINDOWS\system32\xwjatsze.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WPORTAL\\JRE\\bin\\javaw.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2008-08-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
2008-08-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-ISUSPM Startup - C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
MSConfigStartUp-ISUSScheduler - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
MSConfigStartUp-lphc1llj0e1dr - C:\WINDOWS\system32\lphc1llj0e1dr.exe
MSConfigStartUp-Somefox - C:\DOCUME~1\BRETT\LOCALS~1\Temp\16A8.tmp.exe
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKCU-Main,Search Page = hxxp://www.google.com
R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
R0 -: HKLM-Main,Default_Search_URL = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
R0 -: HKLM-Search,SearchAssistant = hxxp://www.google.com/ie
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O18 -: Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - C:\Program Files\CoreFTP\pftpns.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-24 00:12:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Advanced Registry Doctor\RegManServ.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-08-24 0:18:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-24 04:17:55
Pre-Run: 52,795,285,504 bytes free
Post-Run: 53,243,609,088 bytes free
233 --- E O F --- 2008-08-20 21:17:19
last Smitfraudfix.exe:
SmitFraudFix v2.339
Scan done at 2:22:19.48, Sun 08/24/2008
Run from C:\Documents and Settings\BRETT\My Documents\Billy Downloads\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix
AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» RK
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 24.25.5.148
DNS Server Search Order: 24.25.5.147
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BB6C5234-0461-497C-A2CB-AF1E9B0677A7}: DhcpNameServer=24.25.5.148 24.25.5.147
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BB6C5234-0461-497C-A2CB-AF1E9B0677A7}: DhcpNameServer=24.25.5.148 24.25.5.147
HKLM\SYSTEM\CS3\Services\Tcpip\..\{BB6C5234-0461-497C-A2CB-AF1E9B0677A7}: DhcpNameServer=24.25.5.148 24.25.5.147
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.25.5.148 24.25.5.147
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.25.5.148 24.25.5.147
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.25.5.148 24.25.5.147
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Last Highjackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:41:58, on 8/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Advanced Registry Doctor\RegManServ.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\hingfyrw.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4060918
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DellHelp] C:\Dell\DellHelp\DellHelp.exe /c
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\BRETT\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKLM\..\RunOnce: [wextract_cleanup1] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\BRETT\LOCALS~1\Temp\IXP001.TMP\"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ActInfoWin] C:\WINDOWS\system32\hingfyrw.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Veritrax AS-215.lnk = C:\Program Files\Rosslare\Veritrax AS-215\VeriTrax.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Advanced Registry Doctor\RegManServ.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 11491 bytes
If anyone can, I would really appreciate!
Thanks,
jbd1270