Author Topic: kiko's vundo  (Read 4839 times)


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
kiko's vundo
« on: January 07, 2008, 10:52:20 PM »
kiko, please confine your replies to this thread.


Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt". Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

Quote

RENV::
<pre>
----a-w            90,112 2008-01-07 10:38:28  C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
----a-w            68,856 2008-01-07 10:38:31  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w           229,952 2008-01-07 10:38:23  C:\Program Files\iTunes\iTunesHelper .exe
----a-w           132,496 2008-01-07 10:38:21  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w           421,888 2008-01-07 10:38:21  C:\Program Files\Picasa2\PicasaMediaDetector .exe
----a-w           282,624 2008-01-07 10:22:26  C:\Program Files\QuickTime\qttask .exe
----a-w           155,648 2008-01-07 10:38:26  C:\WINDOWS\system32\NeroCheck .exe
</pre>
This will start ComboFix again. Close all browsers/windows first. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HJT log.
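
The RENV:: block above renames autostart executables whose file names carry a space before the extension (such as `qttask .exe`) back to their real names. As an added example, not ComboFix's or HijackThis's own code, this Python snippet flags that naming pattern in HijackThis O4 lines and ComboFix listing lines and derives the name the file should have; the two line-format regexes are assumptions about those log formats, and the sample lines are constructed from the logs posted in this thread.

```python
import re

# Whitespace between the base name and its extension, e.g. "qttask .exe".
SPACED_EXT = re.compile(r"^(?P<stem>.*\S)\s+(?P<ext>\.[A-Za-z0-9]{1,4})$")

# HijackThis O4 line (assumed format): O4 - <key>: [Name] "<path>" <args>
HJT_O4 = re.compile(r'^O4 - .*?: \[[^\]]*\]\s+"?(?P<path>[A-Za-z]:\\[^"]*?\.[A-Za-z0-9]{1,4})(?=["\s]|$)')

# ComboFix listing line (assumed format): <attrs> <size> <date> <time> <path>
CF_LISTING = re.compile(r"^[-a-zA-Z]{7}\s+[\d,]+\s+\S+\s+\S+\s+(?P<path>[A-Za-z]:\\.*)$")

def extract_path(line):
    """Pull the executable path out of a log line, or None if unrecognised."""
    for pattern in (HJT_O4, CF_LISTING):
        m = pattern.match(line.strip())
        if m:
            return m.group("path").strip()
    return None

def spaced_extension(path):
    """If the file name has whitespace right before its extension, return
    the name with that whitespace removed; otherwise return None."""
    name = path.rsplit("\\", 1)[-1]
    m = SPACED_EXT.match(name)
    return m.group("stem") + m.group("ext") if m else None

def find_spaced_autostarts(lines):
    """Return (logged path, expected path) pairs for every flagged line."""
    hits = []
    for line in lines:
        path = extract_path(line)
        fixed = spaced_extension(path) if path else None
        if fixed:
            folder = path.rsplit("\\", 1)[0]
            hits.append((path, folder + "\\" + fixed))
    return hits

# Constructed from the ComboFix and HijackThis lines posted in this thread.
SAMPLE_LINES = [
    r"----a-w            90,112 2008-01-07 10:38:28  C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe",
    r"----a-w           132,496 2008-01-07 10:38:21  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime',
    r'O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe"  -lang 1033',
    r"O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe",
]

if __name__ == "__main__":
    for logged, expected in find_spaced_autostarts(SAMPLE_LINES):
        print(f"suspicious: {logged}\n  expected:  {expected}")
```

Only the three space-before-extension entries are reported; the legitimately named daemon.exe and GoogleToolbarNotifier.exe lines are skipped.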
kiko

  • Guest
Re: kiko's vundo
« Reply #1 on: January 07, 2008, 11:54:52 PM »
ComboFix 08-01-07.5 - Korisnik 2008-01-07 23:48:06.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1250.1.1033.18.1634 [GMT 1:00]
Running from: C:\Documents and Settings\Korisnik\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Korisnik\Desktop\CFscript.txt
 * Created a new restore point
.
The following files were disabled during the run:
D:\Program Files\T-Com Antidialer\KillD_dll.dll


(((((((((((((((((((((((((   Files Created from 2007-12-07 to 2008-01-07  )))))))))))))))))))))))))))))))
.

2008-01-07 17:46 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-07 16:29 . 2008-01-07 18:21   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-07 11:22 . 2008-01-07 11:38   155,648   --a------   C:\WINDOWS\system32\NeroCheck.exe
2007-12-16 11:03 . 2007-12-16 11:03   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\ATI
2007-12-16 10:59 . 2007-12-16 11:00   <DIR>   d--------   C:\Program Files\ATI Technologies
2007-12-16 10:59 . 2007-09-28 21:05   593,920   --a------   C:\WINDOWS\system32\ati2sgag.exe
2007-12-11 17:49 . 2007-12-11 17:49   <DIR>   d--------   C:\Documents and Settings\Korisnik\Application Data\atitray

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-07 22:48   ---------   d-----w   C:\Program Files\QuickTime
2008-01-07 22:48   ---------   d-----w   C:\Program Files\Picasa2
2008-01-07 22:48   ---------   d-----w   C:\Program Files\iTunes
2007-12-11 16:16   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-12-04 14:56   93,264   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55   94,544   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04   837,496   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54   95,608   ----a-w   C:\WINDOWS\system32\AVASTSS.scr
2007-11-27 18:17   ---------   d-----w   C:\Program Files\VID_0E8F&PID_0012
2007-11-24 09:15   ---------   d-----w   C:\Program Files\Java
2007-11-23 20:08   139,264   ----a-w   C:\WINDOWS\War3Unin.exe
2007-11-22 16:13   ---------   d-----w   C:\Documents and Settings\Korisnik\Application Data\ATI
2007-11-22 15:14   ---------   d-----w   C:\Documents and Settings\Korisnik\Application Data\Leadertech
2007-11-13 10:25   20,480   ----a-w   C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 16:56   107,888   ----a-w   C:\WINDOWS\system32\CmdLineExt.dll
2007-11-07 16:56   ---------   d--h--r   C:\Documents and Settings\Korisnik\Application Data\SecuROM
2007-11-07 10:35   ---------   d--h--w   C:\Program Files\Zero G Registry
2007-10-29 22:43   1,287,680   ----a-w   C:\WINDOWS\system32\quartz.dll
2007-10-27 16:40   227,328   ----a-w   C:\WINDOWS\system32\wmasf.dll
.

(((((((((((((((((((((((((((((   snapshot@2008-01-07_17.53.47.76   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-07 19:02:40   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_4b8.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"Pinnacle Game Profiler"="D:\pin\pinnacle.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-03-02 01:22 577536 C:\WINDOWS\soundman.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"avast!"="D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"tcomantidialerrun"="D:\Program Files\T-Com Antidialer\T-Com Antidialer.exe" [2005-01-19 14:28 526120]
"DAEMON Tools-1033"="D:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"WinampAgent"="D:\Program Files\Winamp\winampa.exe" [2003-12-13 01:50 33792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);C:\WINDOWS\system32\drivers\sfdrv01a.sys [2006-07-05 13:46]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-14 13:54:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2006-12-06 20:20:55 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 23:48:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> D:\Program Files\T-Com Antidialer\KillD_dll.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> D:\Program Files\T-Com Antidialer\KillD_dll.dll

PROCESS: C:\WINDOWS\system32\csrss.exe
-> D:\Program Files\T-Com Antidialer\KillD_dll.dll
.
Completion time: 2008-01-07 23:49:05
ComboFix-quarantined-files.txt  2008-01-07 22:49:03
ComboFix2.txt  2008-01-07 16:53:59
.
2008-01-07 10:36:33   --- E O F --- 

kiko

  • Guest
Re: kiko's vundo
« Reply #2 on: January 07, 2008, 11:56:32 PM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:55:23, on 7.1.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask .exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\T-Com Antidialer\T-Com Antidialer.exe
D:\Program Files\D-Tools\daemon.exe
D:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pravos.hr/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [tcomantidialerrun] D:\Program Files\T-Com Antidialer\T-Com Antidialer.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Pinnacle Game Profiler] "D:\pin\pinnacle.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{42F09AF7-2B9A-4E6D-9D66-138858E71579}: NameServer = 161.53.114.135 161.53.114.145
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5131 bytes

Offline oldman

Re: kiko's vundo
« Reply #3 on: January 07, 2008, 11:58:21 PM »
hi kiko

At a glance, it looks good, but please check back in a few hours. I'll have time to really look it over.

kiko

  • Guest
Re: kiko's vundo
« Reply #4 on: January 08, 2008, 02:29:48 PM »
Can you please tell me is there anything else I need to do?

Offline oldman

Re: kiko's vundo
« Reply #5 on: January 08, 2008, 05:06:37 PM »
1. Click the Start button, click Run, copy and paste the following line into the box, and click OK:

combofix /u

2. Open HijackThis, click the Misc Tools button, then click Uninstall.

3. Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, then click Create.

Remove old restore points

4. Disk Cleanup
- Go to Start - All Programs - Accessories - System Tools. Launch the Disk Cleanup tool and let it run. When it finishes, a box with tabs will appear; select the More Options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

5. Download and run this clean up utility from the link below. You can use it regularly. When it's first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

http://www.stevengould.org/downloads/cleanup/
6. It looks like you are using Windows Firewall. It doesn't provide outbound protection. A third-party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0
You can also delete any logs, Notepad files, etc. that you may have left behind and that were created during this.

Take care and keep safe.