Topic: PowerKord's vundo (Read 53387 times)


oldman
PowerKord's vundo
« on: January 11, 2008, 02:56:27 AM »
Hi

Do you have a desktop image that you don't want, or do you have one you placed there?

Download and run this cleanup utility. You can use it regularly. When it is first run, it is in demo mode to show you what it will remove. Review the list, then rerun it in real mode. It is configurable.

CleanUp



Open HJT, run a system scan only, and checkmark these lines if present:

O2 - BHO: (no name) - {19ED8902-29FA-4C2E-944D-945198BA0EEA} - C:\Program Files\Common Files\nipyC:\WINDOWS\System32\vt8\tycodllz83122.exe.dll (file missing)
O2 - BHO: (no name) - {E1759A31-E627-4758-9562-6899DF36C9C2} - C:\WINDOWS\System32\rqrpmmn.dll
O20 - Winlogon Notify: rqrpmmn - C:\WINDOWS\SYSTEM32\rqrpmmn.dll
 


Close all other browsers/windows, click Fix, and close HJT.




Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
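The pattern oldman is fixing above, a nameless BHO (O2) whose DLL is also registered as a Winlogon Notify package (O20), can be picked out of an HJT log mechanically. The Python script below is an added example written for this page, not code from the thread or from the HijackThis tool: it parses the O2, O20 and O24 lines quoted above (a constructed excerpt of the posted log) and reports what to checkmark. The KNOWN_NOTIFY allowlist and the severity labels are this example's own assumptions.

```python
"""Triage HijackThis (HJT) log lines for the Vundo pattern oldman targets above:
a nameless BHO (O2) whose DLL is also registered as a Winlogon Notify package
(O20), plus the O24 desktop component he asks the user about."""
import re

# Constructed sample: the three lines oldman asks to fix, copied from the log in
# this thread, mixed with benign entries from the same log.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {19ED8902-29FA-4C2E-944D-945198BA0EEA} - C:\Program Files\Common Files\nipyC:\WINDOWS\System32\vt8\tycodllz83122.exe.dll (file missing)
O2 - BHO: (no name) - {E1759A31-E627-4758-9562-6899DF36C9C2} - C:\WINDOWS\System32\rqrpmmn.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: rqrpmmn - C:\WINDOWS\SYSTEM32\rqrpmmn.dll
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/VINCEN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
O24_RE = re.compile(r"^Desktop Component \d+: (?P<name>.*?) - (?P<url>\S+)$")

# Assumption: Winlogon Notify packages shipped with a stock Windows XP install.
# Illustrative and incomplete; an unlisted key is a review item, not proof.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def basename(path):
    """Lower-cased file name, ignoring HJT's '(file missing)' suffix."""
    path = path.replace("(file missing)", "").strip()
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_hjt(text):
    """Return a list of findings: {'severity', 'line', 'reason'}."""
    findings = []
    bho_dlls, notify_dlls, o20_lines = set(), set(), {}
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, rest = m.groups()
        if section == "O2" and (b := O2_RE.match(rest)):
            missing = "(file missing)" in b["path"]
            if not missing:
                bho_dlls.add(basename(b["path"]))
            if b["name"] == "(no name)":
                findings.append({"severity": "info" if missing else "medium", "line": line,
                                 "reason": "nameless BHO" + (", file already gone (orphan entry)" if missing else "")})
        elif section == "O20" and (n := O20_RE.match(rest)):
            dll = basename(n["path"])
            notify_dlls.add(dll)
            o20_lines[dll] = line
            if n["key"].lower() not in KNOWN_NOTIFY:
                findings.append({"severity": "medium", "line": line,
                                 "reason": "Winlogon Notify package not in the stock XP list"})
        elif section == "O24" and (d := O24_RE.match(rest)):
            if re.search(r"/temp/", d["url"], re.I):
                findings.append({"severity": "review", "line": line,
                                 "reason": "desktop component loaded from a Temp folder; ask the user before removing"})
    # The decisive correlation: one DLL registered both as a BHO and under Winlogon\Notify.
    for dll in sorted(bho_dlls & notify_dlls):
        findings.append({"severity": "high", "line": o20_lines[dll],
                         "reason": f"{dll} is both a BHO and a Winlogon Notify package: Vundo-style dual persistence"})
    return findings


def lines_to_fix(findings):
    """HJT lines to checkmark and fix: flagged entries, minus items needing user confirmation."""
    return [f["line"] for f in findings if f["severity"] in ("info", "medium")]


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['line']}")
    print("\nCheckmark and fix:", *lines_to_fix(triage_hjt(SAMPLE_HJT)), sep="\n")
```

On the sample this prints exactly the three lines oldman lists as the ones to fix and holds the O24 entry back as a question for the user, the same split the post makes. A nameless BHO on its own is only a medium signal; the same DLL registered under Winlogon\Notify is what makes it a high one, because that package is loaded by winlogon.exe at logon, before any browser or antivirus tray process, which is why the BHO keeps coming back after a plain delete.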



PowerKord (Guest)
Re: PowerKord's vundo
« Reply #1 on: January 11, 2008, 03:05:34 AM »
Hi, oldman,

Thanks so much for your help! If you'd be so kind, please respond to each point, below, as necessary:

1. Below is my newest HJT scan.

2. Below in two separate posts are the results of my newest ComboFix scan.

3. I'm not sure why or what you're asking regarding a desktop image. Are you asking this based on having examined my HJT log? Please be more specific, though I can tell you that presently I have no desktop image set--assuming you mean a standard image like a .jpg or wallpaper. Is this what you refer to?

4. Why do you suggest I run Cleanup? Just to protect my personal privacy, in view of the fact that I'm posting potentially intimate computing information online here?

5. The only one of your instructions I have not followed is your recommendation that I run CleanUp.

6. Why did Avast! Home Edition allow these viruses to enter my system? Does it reveal a weakness in Avast!? Is there a different or competing program that would have detected them, AND prevented them from infecting my system?

7. BTW, while I'm writing you, would you kindly answer a related question? Why does this line appear in my log:

O4 - HKLM\..\Run: [Ardamax Keylogger] C:\Program Files\Ardamax Keylogger Lite\akl.exe

Is Ardamax running silently on my system?

Thanks so much, and I await your further instruction. Bear in mind, as well, that as I wrote in my initial posting, my system is apparently also infected with SmitFraud-C.CoreService. I have included that posting for your convenience at the end of this posting; it contains add'l detail regarding my initial efforts to rid myself of both these viruses.

Regards,

vince

----------------------------------------------
ORIGINAL POSTING IN THIS FORUM

Re: Win32:TratBHO Wont go away!...help
« Reply #15 on: Yesterday at 10:27:59 PM »
Hello, oldman,

I also have a problem with WIN32:TratBHO (as well as SmitFraud-C.CoreService).

Upon detection by Avast!, I tried to delete the .dll file from within Avast!; the file name was awvvu.dll. I next got a series of Windows error messages indicating "cannot find file", so apparently the file was deleted, though that did not solve the problem.

I ran Spybot S&D, which did not seem to pick up the virus, but did flag SmitFraud-C.CoreService. Are the two related? I authorized Spybot to scan upon boot to remove SmitFraud, but the boot scan took a long time and eventually stopped responding, so I killed it. I still have the SmitFraud.

I then looked for the .dll file itself in System32 but it was not there. What was there, however, was awvvu.exe, which I manually deleted. However, the virus appears to have created a new .dll, because Avast! is now detecting the virus in a different .dll file: iiigd.dll.

(About an hour later Avast! has just flagged another infected file in System32:  geefd.dll, and after removing it to the Avast! virus chest, yet another file was flagged: khhgh.dll. These last two files had not yet been flagged, and perhaps did not yet exist, at the time I created my HJT log, below.)
« Last Edit: January 11, 2008, 06:02:13 AM by PowerKord »

PowerKord (Guest)
Re: PowerKord's vundo
« Reply #2 on: January 11, 2008, 03:06:49 AM »
Admin, please delete this post.
« Last Edit: January 11, 2008, 04:11:16 AM by PowerKord »


PowerKord (Guest)
Re: PowerKord's vundo
« Reply #6 on: January 11, 2008, 04:07:59 AM »
NEWEST HJT LOG

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://messageofhope.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=l2test&key=8289fae155a967d95764045ed9e8ff96&ts=3e668bd9&A=0&B=1021273200000&C=1021273200000&D=0&I=6.0B4&L=&M=1021273200000&N=&O=A
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {19ED8902-29FA-4C2E-944D-945198BA0EEA} - C:\Program Files\Common Files\nipyC:\WINDOWS\System32\vt8\tycodllz83122.exe.dll (file missing)
O2 - BHO: (no name) - {E1759A31-E627-4758-9562-6899DF36C9C2} - C:\WINDOWS\System32\rqrpmmn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [trackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [Ardamax Keylogger] C:\Program Files\Ardamax Keylogger Lite\akl.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ACDSee] C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe /tray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HyperSnap 6.lnk = C:\Program Files\HyperSnap 6\HprSnap6.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{622850C9-2536-4A0E-9F3D-49149C1237F8}: NameServer = 205.208.227.13 205.208.227.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{D14F581C-AD5C-4482-9892-2D28DEA465B2}: NameServer = 69.57.146.14,69.57.147.175
O20 - Winlogon Notify: rqrpmmn - C:\WINDOWS\SYSTEM32\rqrpmmn.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Nakido - Unknown owner - C:\WINDOWS\System32\nakido.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/VINCEN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 5736 bytes
« Last Edit: January 11, 2008, 05:10:25 AM by PowerKord »

PowerKord (Guest)
Re: PowerKord's vundo
« Reply #7 on: January 11, 2008, 05:08:12 AM »
NEWEST COMBOFIX LOG - PART I


ComboFix 08-01-10.2 - Vincent Christopher 2008-01-10 22:14:23.2 - NTFSx86
Running from: C:\Documents and Settings\Vincent Christopher\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
(((((((((((((((((((((((((   Files Created from 2007-12-11 to 2008-01-11  )))))))))))))))))))))))))))))))
.

2008-01-10 22:22 . 2008-01-10 22:22   <DIR>   d--------   C:\TEMP\tn3
2008-01-10 22:21 . 2008-01-10 22:21   932   ---------   C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-10 20:23 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-10 04:28 . 2008-01-10 07:00   189   --a------   C:\WINDOWS\wininit.ini
2008-01-09 22:37 . 2008-01-10 07:26   155,648   --a------   C:\WINDOWS\system32\igfxtray.exe
2008-01-09 22:37 . 2008-01-10 07:26   114,688   --a------   C:\WINDOWS\system32\hkcmd.exe
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\vt8
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\ob3
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\nz0
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\che9
2008-01-09 22:10 . 2008-01-09 22:10   86,016   --a------   C:\WINDOWS\system32\drivers\mrxsmbb.sys
2008-01-09 22:09 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\mp2
2008-01-09 22:09 . 2008-01-09 22:09   493,170   --a------   C:\TEMP\liHco0109.exe
2008-01-09 22:01 . 2008-01-09 22:01   <DIR>   d--------   C:\WINDOWS\system32\edcA01
2008-01-09 22:01 . 2008-01-09 22:01   <DIR>   d--------   C:\TEMP\Ryuan1
2007-12-13 15:07 . 2007-12-13 15:07   3,856   --a------   C:\WINDOWS\crmtemp1.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-02 07:41   ---------   d-----w   C:\Program Files\NoteTab Pro
2007-12-27 06:48   ---------   d-----w   C:\Program Files\Yahoo!
2007-12-26 16:17   ---------   d-----w   C:\Documents and Settings\Vincent Christopher\Application Data\Aim
2007-12-04 14:56   93,264   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55   94,544   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04   837,496   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54   95,608   ----a-w   C:\WINDOWS\system32\AvastSS.scr
2007-11-25 08:58   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-19 17:21   ---------   d-----w   C:\Program Files\Viewpoint
2007-11-18 05:52   ---------   d-----w   C:\Program Files\AOD
2007-11-18 05:52   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-19 07:19   118,784   ----a-w   C:\WINDOWS\SeaMonkeyUninstall.exe
2007-10-19 07:19   118,784   ----a-w   C:\WINDOWS\GREUninstall.exe
2007-10-10 21:47   58,728   ----a-w   C:\Documents and Settings\Vincent Christopher\Application Data\GDIPFONTCACHEV1.DAT
2007-04-01 20:06   0   ----a-w   C:\Documents and Settings\Vincent Christopher\us145info.exe
2006-03-20 22:17   1,971,010   ----a-w   C:\Documents and Settings\Vincent Christopher\mr_corporation.zip
.

(((((((((((((((((((((((((((((   snapshot@2008-01-10_20.41.36.84   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-11 03:21:48   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_5e4.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
« Last Edit: January 11, 2008, 05:11:10 AM by PowerKord »

PowerKord (Guest)
Re: PowerKord's vundo
« Reply #8 on: January 11, 2008, 05:09:12 AM »
NEWEST COMBOFIX LOG - PART II


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:41 13312]
"ACDSee"="C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-01-10 07:26 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-01-10 07:26 114688]
"LTSMMSG"="LTSMMSG.exe" [2001-08-02 10:28 45056 C:\WINDOWS\LTSMMSG.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [ ]
"UC_SMB"="" []
"TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2008-01-10 07:26 32835]
"TrackPointSrv"="tp4serv.exe" [2002-12-03 03:09 87552 C:\WINDOWS\system32\tp4serv.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 07:53 88363 C:\WINDOWS\AGRSMMSG.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe" [2008-01-10 07:27 32873]
"Ardamax Keylogger"="C:\Program Files\Ardamax Keylogger Lite\akl.exe" [ ]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-11-26 01:35 94208]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 05:41 13312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-10-23 18:59:29]
HyperSnap 6.lnk - C:\Program Files\HyperSnap 6\HprSnap6.exe [2007-08-13 04:18:08]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

R1 CSMBATT;CSMBATT;C:\WINDOWS\System32\drivers\CSMBATT.SYS [2003-02-10 11:39]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\System32\drivers\IBMBLDID.SYS [2001-07-30 04:05]
R1 mrxsmbb;mrxsmbb;C:\WINDOWS\System32\drivers\mrxsmbb.sys [2008-01-09 22:10]
R1 nbmkmd;nbmkmd;C:\WINDOWS\System32\drivers\nbmkmd.sys [1998-12-30 17:28]
R1 TDOEM;TDOEM;C:\WINDOWS\System32\Drivers\TDOEM.SYS [2003-11-26 01:35]
R2 Nakido;Nakido;C:\WINDOWS\System32\nakido.exe [2004-09-29 23:07]
R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;C:\WINDOWS\System32\drivers\Vch.sys [2002-07-31 09:12]
R3 EPPSCSIx;EPPSCSI Driver;C:\WINDOWS\System32\DRIVERS\EPPSCAN.sys [2002-03-06 13:20]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\System32\DRIVERS\tp4track.sys [2002-12-03 03:09]
S3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys [2001-08-02 10:28]
S3 ma763004;M-Audio MobilePre USB;C:\WINDOWS\System32\drivers\MA763004.sys []
S3 MADFU804;MADFU804;C:\WINDOWS\System32\DRIVERS\MADFU804.sys []
S3 NUVision;Georgia USBVision (VD400);C:\WINDOWS\System32\DRIVERS\NUVision.sys [2001-09-16 11:32]
S3 PCDRDRV;Pcdr CPU Helper Driver;C:\WINDOWS\System32\drivers\PCDRDRV.sys []

.
Contents of the 'Scheduled Tasks' folder
"2006-12-09 08:29:46 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-10 22:22:42
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2800.1106]
-> C:\Program Files\HyperSnap 6\dxsnap.dll
.
Completion time: 2008-01-10 22:27:31 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-11 03:27:24
ComboFix2.txt  2008-01-11 01:42:07
« Last Edit: January 11, 2008, 05:12:06 AM by PowerKord »

oldman
Re: PowerKord's vundo
« Reply #9 on: January 11, 2008, 06:29:16 AM »
1. Below is my newest HJT scan.

Did you fix the lines as requested? The log looks the same. Did you run it after you ran combofix?

2. Below in two separate posts are the results of my newest ComboFix scan.

I need the results from the first run also. You can find it at C:\combofix under ComboFix-quarantined-files.txt. It will be Combofix1.txt.

3. I'm not sure why or what you're asking regarding a desktop image. Are you asking this based on having examined my HJT log? Please be more specific, though I can tell you that presently I have no desktop image set--assuming you mean a standard image like a .jpg or wallpaper. Is this what you refer to?

It's the O24 line in your HJT log. Some people have images as a desktop component that they put there themselves, so I ask before removing it.

4. Why do you suggest I run Cleanup? Just to protect my personal privacy, in view of the fact that I'm posting potentially intimate computing information online here?

To clean out the temp folder, one of the places this crud likes to hide.

5. The only one of your instructions I have not followed is your recommendation that I run CleanUp.

6. Why did Avast! Home Edition allow these viruses to enter my system? Does it reveal a weakness in Avast!? Is there a different or competing program that would have detected them, AND prevented them from infecting my system?

No AV will catch it all. Some have better detection than others. Right now I'm looking at threads with Norton and McAfee, some with the same problem.


Thanks so much, and I await your further instruction. Bear in mind, as well, that as I wrote in my initial posting, my system is apparently also infected with SmitFraud-C.CoreService. I have included that posting for your convenience at the end of this posting; it contains add'l detail regarding my initial efforts to rid myself of both these viruses.

Yes I saw that and want to be certain we need smitfraudfix.




Please submit the following files for analysis.

To submit a file to VirusTotal, please click on this link:

www.virustotal.com

Copy and paste the following into the "Upload a file" box (one at a time if more than one file is listed):

C:\WINDOWS\System32\DRIVERS\MADFU804.sys
C:\WINDOWS\System32\drivers\mrxsmbb.sys
C:\Documents and Settings\Vincent Christopher\us145info.exe
C:\WINDOWS\crmtemp1.dat
 


Scroll down a bit and click "Send file", wait for the results, and post them in your next reply.

Rerun HJT and post the log. The files referenced in HJT are not in the combofix log.

Thanks
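oldman's list of files to submit is built from the ComboFix log by timing and absence rather than by name: mrxsmbb.sys was created at 2008-01-09 22:10, the same minute as the vt8, ob3, nz0 and che9 folders appeared in system32; MADFU804.sys is a registered driver for which ComboFix could stamp no file ("[]"); us145info.exe is a zero-byte file in the user profile. The Python script below is an added example, not part of the thread or of ComboFix: it parses the Files Created, Find3M and driver lines quoted in the logs above (a constructed excerpt) and produces the same kind of candidate list. The 15-minute burst window and the minimum burst size are this example's assumptions.

```python
"""Triage a ComboFix log the way oldman does above: find the burst of file
creations that marks the drop, then list the files worth submitting."""
import re
from datetime import datetime, timedelta

# Constructed excerpt: lines copied from the ComboFix log posted in this thread
# (Files Created, Find3M and driver sections). Not a complete log.
SAMPLE_COMBOFIX = r"""
2008-01-10 20:23 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-09 22:37 . 2008-01-10 07:26   155,648   --a------   C:\WINDOWS\system32\igfxtray.exe
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\vt8
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\ob3
2008-01-09 22:10 . 2008-01-09 22:10   86,016   --a------   C:\WINDOWS\system32\drivers\mrxsmbb.sys
2008-01-09 22:09 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\mp2
2008-01-09 22:09 . 2008-01-09 22:09   493,170   --a------   C:\TEMP\liHco0109.exe
2008-01-09 22:01 . 2008-01-09 22:01   <DIR>   d--------   C:\WINDOWS\system32\edcA01
2007-12-13 15:07 . 2007-12-13 15:07   3,856   --a------   C:\WINDOWS\crmtemp1.dat
2007-04-01 20:06   0   ----a-w   C:\Documents and Settings\Vincent Christopher\us145info.exe
2006-03-20 22:17   1,971,010   ----a-w   C:\Documents and Settings\Vincent Christopher\mr_corporation.zip
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\System32\drivers\IBMBLDID.SYS [2001-07-30 04:05]
R1 mrxsmbb;mrxsmbb;C:\WINDOWS\System32\drivers\mrxsmbb.sys [2008-01-09 22:10]
S3 MADFU804;MADFU804;C:\WINDOWS\System32\DRIVERS\MADFU804.sys []
S3 ma763004;M-Audio MobilePre USB;C:\WINDOWS\System32\drivers\MA763004.sys []
"""

STAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}"
FMT = "%Y-%m-%d %H:%M"
# "Files Created": created . modified   size|<DIR>   attrs   path
CREATED_RE = re.compile(rf"^(?P<created>{STAMP}) \. {STAMP}\s+(?P<size><DIR>|[\d,]+)\s+\S+\s+(?P<path>.+)$")
# "Find3M": modified   size|---------   attrs   path
FIND3M_RE = re.compile(rf"^{STAMP}\s+(?P<size>-+|[\d,]+)\s+\S+\s+(?P<path>.+)$")
# Driver table: R1 name;display;path [stamp]   (empty stamp = ComboFix found no file)
DRIVER_RE = re.compile(r"^[RS]\d\s+(?P<svc>[^;]+);[^;]*;(?P<path>.+?)\s+\[(?P<stamp>[^\]]*)\]$")


def parse(text):
    """Split the log into (created, find3m, drivers) tuples."""
    created, find3m, drivers = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := CREATED_RE.match(line):
            created.append((datetime.strptime(m["created"], FMT), m["size"], m["path"]))
        elif m := FIND3M_RE.match(line):
            find3m.append((m["size"], m["path"]))
        elif m := DRIVER_RE.match(line):
            drivers.append((m["svc"], m["path"], m["stamp"]))
    return created, find3m, drivers


def drop_bursts(created, window=timedelta(minutes=15), min_size=3):
    """Group creations whose consecutive gaps are within `window`; keep groups of min_size or more."""
    bursts, current = [], []
    for entry in sorted(created):
        if current and entry[0] - current[-1][0] > window:
            if len(current) >= min_size:
                bursts.append(current)
            current = []
        current.append(entry)
    if len(current) >= min_size:
        bursts.append(current)
    return bursts


def submission_candidates(text):
    """Return (path, reason) pairs, one per file, sorted by path."""
    created, find3m, drivers = parse(text)
    picks = {}

    def add(path, reason):
        picks.setdefault(path.lower(), (path, reason))  # first reason wins; dedupe on case

    for burst in drop_bursts(created):
        start, end = burst[0][0], burst[-1][0]
        for when, size, path in burst:
            if size != "<DIR>":
                add(path, f"created in drop burst {start:%Y-%m-%d %H:%M} to {end:%H:%M}")
        for svc, path, stamp in drivers:
            if stamp and start <= datetime.strptime(stamp, FMT) <= end:
                add(path, f"driver {svc} stamped inside the drop burst")
    for svc, path, stamp in drivers:
        if not stamp:
            add(path, f"driver {svc} is registered but ComboFix found no file to stamp")
    for size, path in find3m:
        if size == "0":
            add(path, "zero-byte file: an online scanner receives nothing, so ask why it exists")
    return sorted(picks.values(), key=lambda pr: pr[0].lower())


if __name__ == "__main__":
    for path, reason in submission_candidates(SAMPLE_COMBOFIX):
        print(f"{path}\n    {reason}")
```

On the excerpt it returns five paths: three of the four oldman named, plus liHco0109.exe from C:\TEMP (dropped in the same burst) and MA763004.sys, which has no stamp either but is the M-Audio USB audio driver the log lists beside it. That last hit is the reminder that this is a review list, not a verdict. crmtemp1.dat is not selected by any of these rules; a reviewer picks it by eye, and the script does not pretend otherwise.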

siyete (Guest)
Re: PowerKord's vundo
« Reply #10 on: January 11, 2008, 02:26:01 PM »
Hello old man,
Can you help me resolve my wind32 bhd kd problem? My forum topic is:
http://forum.avast.com/index.php?topic=32589.0

I would really appreciate your help, thanks...

PowerKord (Guest)
Re: PowerKord's vundo
« Reply #11 on: January 12, 2008, 02:11:31 AM »
Hi,

1. My Avast! icon no longer appears in my system tray! I can't really tell if the program is running or not. What happened, and what should I do? The program is still listed in Add/Remove Programs.

2. I don't seem to be getting the symptom of the infection I was getting before: my browser/Windows kept trying to log on, but that's not happening anymore with SeaMonkey or Firefox, though I haven't brought IE up in about 24 hours. Still, the logon attempts were occurring before, even when IE was not open.

Should I launch IE to see what happens?

3. Re a desktop image, I have none set now, though I have in the past. I don't know what that clip image refers to.

4. Re the files to scan with virustotal:

C:\WINDOWS\System32\DRIVERS\MADFU804.sys - this file is apparently no longer present on my system.

mrxsmbb.sys - VirusTotal reports 0 bytes received. Did not scan.

C:\Documents and Settings\Vincent Christopher\us145info.exe - also reports 0 bytes received. Did not scan.

C:\WINDOWS\crmtemp1.dat - Scanned. No problems reported by any scanner.

5. I did another ComboFix scan, then another HJT scan, in that order. Results below.

You indicated you needed to see my first CF scan. However, there is no path on my system C:\combofix. There is C:\QooBox, and contained there is a .txt file called ComboFix-quarantined-files.txt, printed below. There is no folder with that name, nor is there any document combofix1.txt, only combofix2.txt.

ComboFix-quarantined-files.txt:

2004-08-15 03:12      1074    --a------    C:\Qoobox\Quarantine\C\WINDOWS\inf\ultra.inf.vir
2004-08-15 03:12      143    --a------    C:\Qoobox\Quarantine\C\Documents and Settings\Vincent Christopher\Application Data\ultra\uninstall.bat.vir
2007-04-16 09:39      1100654    --a------    C:\Qoobox\Quarantine\C\Documents and Settings\Vincent Christopher\Application Data\Install.dat.vir
2007-09-23 20:05      279600    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\pac.txt.vir
2008-01-09 00:44      28747    --a------    C:\Qoobox\Quarantine\C\TEMP\1cb\syscheck.log.vir
2008-01-09 22:01      41472    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\rqrpmmn.dll.vir
2008-01-09 22:06      41472    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\jkkkjif.dll.vir
2008-01-10 01:33      340480    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\RCX18.tmp.vir
2008-01-10 05:34      410112    --a------    C:\Qoobox\Quarantine\C\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe.vir
2008-01-10 05:34      456192    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\hkcmd.exe.vir
2008-01-10 05:34      497152    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\igfxtray.exe.vir
2008-01-10 05:35      13312    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ctfmon .exe.vir
2008-01-10 05:35      340480    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\RCX19.tmp.vir
2008-01-10 05:35      373248    --a------    C:\Qoobox\Quarantine\C\Program Files\Java\j2re1.4.2_01\bin\jusched.exe.vir
2008-01-10 05:35      373248    --a------    C:\Qoobox\Quarantine\C\Program Files\ThinkPad\Utilities\TpKmapMn.exe.vir
2008-01-10 05:35      446464    --a------    C:\Qoobox\Quarantine\C\Program Files\Alwil Software\Avast4\ashDisp.exe.vir
2008-01-10 07:17      7323    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\uvvwa.ini.vir
2008-01-10 07:17      7323    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\uvvwa.ini2.vir
2008-01-10 07:26      69632    --a------    C:\Qoobox\Quarantine\C\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR .exe.vir
2008-01-10 07:27      79224    --a------    C:\Qoobox\Quarantine\C\Program Files\Alwil Software\Avast4\ashDisp .exe.vir
2008-01-10 20:33      197182    --a------    C:\Qoobox\Quarantine\catchme2008-01-10_203650.86.zip
2008-01-10 20:35      932    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\core.cache.dsk.vir
2008-01-10 22:19      188    --a------    C:\Qoobox\Quarantine\catchme2008-01-10_222211.94.zip
2008-01-10 22:19      2012    --a------    C:\Qoobox\Quarantine\C\ComboFix\errdbg.dat.vir
2008-01-10 22:19      656    --a------    C:\Qoobox\Quarantine\catchme.log

6. Before doing any of the above, I performed a CleanUp scan.

Thanks, again. I await your further instruction. We also have yet to address my SmitFraud issue.

Best,

vince
« Last Edit: January 12, 2008, 02:21:16 AM by PowerKord »

PowerKord (Guest)
Re: PowerKord's vundo
« Reply #12 on: January 12, 2008, 02:15:48 AM »

LATEST CF SCAN -- 01-11-08

ComboFix 08-01-10.2 - Vincent Christopher 2008-01-11 18:34:59.3 - NTFSx86
Running from: C:\Documents and Settings\Vincent Christopher\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
(((((((((((((((((((((((((   Files Created from 2007-12-11 to 2008-01-11  )))))))))))))))))))))))))))))))
.

2008-01-11 18:44 . 2008-01-11 18:44   <DIR>   d--------   C:\TEMP\tn3
2008-01-11 18:42 . 2008-01-11 18:42   932   ---------   C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-10 20:23 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-10 04:28 . 2008-01-10 07:00   189   --a------   C:\WINDOWS\wininit.ini
2008-01-09 22:37 . 2008-01-10 07:26   155,648   --a------   C:\WINDOWS\system32\igfxtray.exe
2008-01-09 22:37 . 2008-01-10 07:26   114,688   --a------   C:\WINDOWS\system32\hkcmd.exe
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\vt8
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\ob3
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\nz0
2008-01-09 22:10 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\che9
2008-01-09 22:10 . 2008-01-09 22:10   86,016   --a------   C:\WINDOWS\system32\drivers\mrxsmbb.sys
2008-01-09 22:09 . 2008-01-09 22:10   <DIR>   d--------   C:\WINDOWS\system32\mp2
2008-01-09 22:01 . 2008-01-09 22:01   <DIR>   d--------   C:\WINDOWS\system32\edcA01
2007-12-13 15:07 . 2007-12-13 15:07   3,856   --a------   C:\WINDOWS\crmtemp1.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-02 07:41   ---------   d-----w   C:\Program Files\NoteTab Pro
2007-12-27 06:48   ---------   d-----w   C:\Program Files\Yahoo!
2007-12-26 16:17   ---------   d-----w   C:\Documents and Settings\Vincent Christopher\Application Data\Aim
2007-12-04 14:56   93,264   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55   94,544   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-25 08:58   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-19 17:21   ---------   d-----w   C:\Program Files\Viewpoint
2007-11-18 05:52   ---------   d-----w   C:\Program Files\AOD
2007-11-18 05:52   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-19 07:19   118,784   ----a-w   C:\WINDOWS\SeaMonkeyUninstall.exe
2007-10-19 07:19   118,784   ----a-w   C:\WINDOWS\GREUninstall.exe
2007-10-10 21:47   58,728   ----a-w   C:\Documents and Settings\Vincent Christopher\Application Data\GDIPFONTCACHEV1.DAT
2007-04-01 20:06   0   ----a-w   C:\Documents and Settings\Vincent Christopher\us145info.exe
2006-03-20 22:17   1,971,010   ----a-w   C:\Documents and Settings\Vincent Christopher\mr_corporation.zip
.

(((((((((((((((((((((((((((((   snapshot@2008-01-10_20.41.36.84   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-11 23:43:25   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_5ec.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:41 13312]
"ACDSee"="C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-01-10 07:26 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-01-10 07:26 114688]
"LTSMMSG"="LTSMMSG.exe" [2001-08-02 10:28 45056 C:\WINDOWS\LTSMMSG.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [ ]
"UC_SMB"="" []
"TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2008-01-10 07:26 32835]
"TrackPointSrv"="tp4serv.exe" [2002-12-03 03:09 87552 C:\WINDOWS\system32\tp4serv.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 07:53 88363 C:\WINDOWS\AGRSMMSG.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe" [2008-01-10 07:27 32873]
"Ardamax Keylogger"="C:\Program Files\Ardamax Keylogger Lite\akl.exe" [ ]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-11-26 01:35 94208]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 05:41 13312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-10-23 18:59:29]
HyperSnap 6.lnk - C:\Program Files\HyperSnap 6\HprSnap6.exe [2007-08-13 04:18:08]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

R1 CSMBATT;CSMBATT;C:\WINDOWS\System32\drivers\CSMBATT.SYS [2003-02-10 11:39]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\System32\drivers\IBMBLDID.SYS [2001-07-30 04:05]
R1 mrxsmbb;mrxsmbb;C:\WINDOWS\System32\drivers\mrxsmbb.sys [2008-01-09 22:10]
R1 nbmkmd;nbmkmd;C:\WINDOWS\System32\drivers\nbmkmd.sys [1998-12-30 17:28]
R1 TDOEM;TDOEM;C:\WINDOWS\System32\Drivers\TDOEM.SYS [2003-11-26 01:35]
R2 Nakido;Nakido;C:\WINDOWS\System32\nakido.exe [2004-09-29 23:07]
R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;C:\WINDOWS\System32\drivers\Vch.sys [2002-07-31 09:12]
R3 EPPSCSIx;EPPSCSI Driver;C:\WINDOWS\System32\DRIVERS\EPPSCAN.sys [2002-03-06 13:20]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\System32\DRIVERS\tp4track.sys [2002-12-03 03:09]
S3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys [2001-08-02 10:28]
S3 ma763004;M-Audio MobilePre USB;C:\WINDOWS\System32\drivers\MA763004.sys []
S3 MADFU804;MADFU804;C:\WINDOWS\System32\DRIVERS\MADFU804.sys []
S3 NUVision;Georgia USBVision (VD400);C:\WINDOWS\System32\DRIVERS\NUVision.sys [2001-09-16 11:32]
S3 PCDRDRV;Pcdr CPU Helper Driver;C:\WINDOWS\System32\drivers\PCDRDRV.sys []

.
Contents of the 'Scheduled Tasks' folder
"2006-12-09 08:29:46 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-11 18:44:33
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2800.1106]
-> C:\Program Files\HyperSnap 6\dxsnap.dll
.
Completion time: 2008-01-11 18:49:34 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-11 23:49:27
ComboFix2.txt  2008-01-11 03:27:31
ComboFix3.txt  2008-01-11 01:42:07

PowerKord

Re: PowerKord 's vundo
« Reply #13 on: January 12, 2008, 02:17:04 AM »
LATEST HJT SCAN -- 01-11-08


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:19 PM, on 1/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINDOWS\System32\nakido.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\System32\tp4serv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\HyperSnap 6\HprSnap6.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Vincent Christopher\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://messageofhope.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=l2test&key=8289fae155a967d95764045ed9e8ff96&ts=3e668bd9&A=0&B=1021273200000&C=1021273200000&D=0&I=6.0B4&L=&M=1021273200000&N=&O=A
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [trackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [Ardamax Keylogger] C:\Program Files\Ardamax Keylogger Lite\akl.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ACDSee] C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe /tray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HyperSnap 6.lnk = C:\Program Files\HyperSnap 6\HprSnap6.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{622850C9-2536-4A0E-9F3D-49149C1237F8}: NameServer = 205.208.227.13 205.208.227.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{D14F581C-AD5C-4482-9892-2D28DEA465B2}: NameServer = 69.57.146.14,69.57.147.175
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Nakido - Unknown owner - C:\WINDOWS\System32\nakido.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/VINCEN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 4969 bytes

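As an added illustration (not part of the thread, and not code from HijackThis or ComboFix), here is a small Python parser for the HJT log format above. The sample lines are copied from the log just posted; the triage rules (services with no publisher, DNS servers to verify against the ISP, an Active Desktop component loaded from a temp folder) are my own assumptions about what a helper checks first.

```python
import re
# Constructed sample: a subset of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Ardamax Keylogger] C:\Program Files\Ardamax Keylogger Lite\akl.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{622850C9-2536-4A0E-9F3D-49149C1237F8}: NameServer = 205.208.227.13 205.208.227.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{D14F581C-AD5C-4482-9892-2D28DEA465B2}: NameServer = 69.57.146.14,69.57.147.175
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Nakido - Unknown owner - C:\WINDOWS\System32\nakido.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/VINCEN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
"""
# One regex for the "Oxx - body" envelope, then one per section we understand.
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<key>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
O17_RE = re.compile(r"NameServer = (?P<servers>.*)$")
O24_RE = re.compile(r"^Desktop Component \d+: .*? - (?P<url>\S+)$")

def parse_hjt(text):
    """Turn HJT lines into dicts keyed by section (O4, O17, O23, O24 are detailed)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, running-process list, blank lines
        sec, body = m.group("sec"), m.group("body")
        e = {"sec": sec, "raw": body}
        if sec == "O4" and (d := O4_RE.match(body)):
            e.update(d.groupdict())          # registry key, [name], command
        elif sec == "O23" and (d := O23_RE.match(body)):
            e.update(d.groupdict())          # service, owner, image path
        elif sec == "O17" and (d := O17_RE.search(body)):
            e["servers"] = re.split(r"[ ,]+", d.group("servers").strip())
        elif sec == "O24" and (d := O24_RE.match(body)):
            e["url"] = d.group("url")
        entries.append(e)
    return entries

def review(entries):
    """Return (section, detail) pairs a helper would want to check by hand."""
    findings = []
    for e in entries:
        if e["sec"] == "O23" and e.get("owner") == "Unknown owner":
            findings.append(("O23", f"service '{e['svc']}' has no publisher: {e['path']}"))
        elif e["sec"] == "O17":
            findings.append(("O17", "verify DNS servers belong to the ISP: " + ", ".join(e["servers"])))
        elif e["sec"] == "O24" and "/temp/" in e["url"].lower():
            findings.append(("O24", "Active Desktop component loaded from a temp folder: " + e["url"]))
    return findings
```

Lines the parser does not recognise (the running-process list, headers, R0/R1 body details) are kept only as raw text, so a full log can be fed in unchanged.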
Offline oldman

Re: PowerKord 's vundo
« Reply #14 on: January 12, 2008, 02:35:33 AM »
Ok, that's what I was looking for. BTW, you can attach logs by using the extra options button on the reply page.

According to the logs avast is running. For now make a shortcut to your desktop. In Windows Explorer go to this folder

c:\program files\alwil software\avast4

In the right panel right click on ashdisp.exe, select Send To, Desktop (create shortcut). You will now have an icon on your desktop; double click it and the "a" icon should appear.

We'll do this first, then we will look closer at a service I don't like.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt". Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.


Quote
Killall::

File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\TEMP\liHco0109.exe


Folder::
C:\TEMP\tn3
C:\TEMP\Ryuan1

Look::
C:\WINDOWS\system32\vt8



This will start ComboFix again. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.