Old 12-06-2007, 07:21 AM   #1 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 6
OS: winxp


Zombie Computer

Yesterday I went to a site that supposedly advertised the current price for gold per gram. When I hit the site, my computer began to act very squirrelly. Assuming it was a virus, I did the usual HijackThis (I've had something similar before which I could solve). This one I CAN'T solve.

For one thing, my computer software goes nuts trying to screen every email that's going out. Of course, *I* am not sending those emails out. But now that I've been hijacked, there's a happy spammer out there who is using my computer as a conduit.

I followed your steps but only got through step 1. I'm guessing that this trojan has hijacked some files in at least one of my anti-virus programs, too, which is why I can't eradicate it.

It's a nasty little bugger that won't allow me to do any online virus scans. And if I do Ad-Aware or Avast, they pinpoint the virus but then it promptly reasserts itself. HELP!!!

Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:09:25 AM, on 12/6/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\Userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Drake\Desktop\HiJackThis_v2(2).exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IfxSecurePlatformIndication] C:\Program Files\Broadcom\Security Platform Software\SpTNA.exe
O4 - HKLM\..\Run: [PSDruntime] C:\Program Files\Broadcom\Security Platform Software\PSDrt.EXE
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus CX7000F Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBKA.EXE /FU "C:\WINDOWS\TEMP\E_S8D.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1179945243375
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/6...l/gtdownls.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: PSDNtfy - C:\Program Files\Broadcom\Security Platform Software\PSDNtfy.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\System32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\System32\IFXTCS.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Broadcom - C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5031 bytes
Old 12-06-2007, 01:28 PM   #2 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 6
OS: winxp


Re: Zombie Computer

HELP!!! I'm still hoping that you can help me with this. Nothing's working so far...
Old 12-10-2007, 09:01 AM   #3 (permalink)
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,640
OS: Windows XP Pro, Vista, Windows 7


Re: Zombie Computer

Hi saurkraut,

I've asked a moderator to delete your other threads, so that there are no duplicate threads for analysts to respond to.

Quote:
Hi! I posted yesterday but the post is being ignored, though it was viewed 17 times... I'm not sure why, but I thought perhaps some of you had viewed it and then forgotten about it (it looks as if that would be easy to do - wow, what a lot of posts!!!) so I'm reposting again. Please forgive me if I'm breaking any unwritten rules, but I'm desperate!
Your posts have not been ignored... First, those threads are not only viewed by the analysts, as other users who have the same issue can view your thread too. The fact that you notice there are a lot of posts, and on top of that decide to add onto it by creating another 2 threads for the same issue, doesn't help... We are fairly busy and it makes it impossible for us to help every thread.

Quote:
Posting Rules

1. Please do not start a new thread each time you reply. We need you to keep your logs in one thread only. It’s almost impossible to complete a fix by trying to follow more than one thread.

Please do not post your logs in any other Forum - logs should ONLY be posted in the HijackThis Forum.


2. Please be considerate of the fact that the people helping you are all volunteers, and in many cases usually have a job, and a limited amount of time to help, and therefore can only do so much. If no one has replied to your thread within 48hrs after you posted, please reply in your thread with the word BUMP to move it forward.

DO NOT Bump the thread unless 48 hours has passed. We work from oldest to newest posts so your wait will be longer if you bump it forward before the 48 hours is up.
Now if you still need assistance, and are not receiving help from another forum then please carry out the following instructions:

--------------------------------------------------------------

Please subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Add Subscription.

--------------------------------------------------------------

Before beginning the proposed fix, read this post completely. Any questions should be kindly asked before proceeding. Ensure that there are no open browsers when carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

--------------------------------------------------------------

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt <- this one will be maximized, and extra.txt <- this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

--------------------------------------------------------------

Please include the following in your next reply:

C:\Deckard\System Scanner\main.txt
C:\Deckard\System Scanner\extra.txt - Attached please
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Old 12-14-2007, 07:31 PM   #4 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 6
OS: winxp


Re: Zombie Computer

forhockey, I thank you for your response. Unfortunately, your system isn't very user friendly to the newbie, and it's hard to tell if anyone is going to bother to answer at all... since no one says "Oh, OK, hang on a couple days and we're definitely going to get to you".

I gave up on this forum entirely and left my laptop alone, but I am encouraged now, and will try all this out tomorrow. Thank you! I'll keep you posted.
Old 12-23-2007, 10:36 AM   #5 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 6
OS: winxp


Re: Zombie Computer

Hi! I'm sorry for the delay, but I was called out of town on business unexpectedly, and only now was able to get back to fixing this. I tried to attach the file (per instructions below) but it said the file attachment wasn't valid (sorry!) Again, thanks for any and all help!!! Here is the copy of the main.txt from the notepad after the Deckard scan:

Deckard's System Scanner v20071014.68

Run by Drake on 2007-12-23 13:20:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as Drake.exe) -----------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-12-23 13:23:41
Platform: Windows XP Service Pack 1 (5.01.2600)
MSIE: Internet Explorer (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Broadcom\Security Platform Software\SpTNA.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Drake\Local Settings\Temporary Internet Files\Content.IE5\Q5S3KPCJ\dss[2].exe
C:\Program Files\Trend Micro\HijackThis\Drake.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [IfxSecurePlatformIndication] C:\Program Files\Broadcom\Security Platform Software\SpTNA.exe
O4 - HKLM\..\Run: [PSDruntime] C:\Program Files\Broadcom\Security Platform Software\PSDrt.EXE
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus CX7000F Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBKA.EXE /FU "C:\WINDOWS\TEMP\E_S8D.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/downlo...0C/wmv9dmo.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} () - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1179945243375
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/6...l/gtdownls.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: PSDNtfy - C:\Program Files\Broadcom\Security Platform Software\PSDNtfy.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Broadcom - C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


--
End of file - 7637 bytes

-- Files created between 2007-11-23 and 2007-12-23 -----------------------------

2007-12-23 13:20:37 0 d-------- C:\Program Files\Trend Micro
2007-12-23 13:11:45 0 d-------- C:\WINDOWS\LastGood
2007-12-06 08:29:55 0 d-------- C:\Program Files\InterMute
2007-12-06 08:05:33 0 d-------- C:\WINDOWS\System32\bits
2007-12-06 08:04:11 0 d-------- C:\WINDOWS\System32\PreInstall
2007-12-06 08:04:05 0 d--h----- C:\WINDOWS\$hf_mig$
2007-12-06 08:00:30 0 d--h----- C:\Documents and Settings\Administrator.BUSINESSLAPTOP\Templates
2007-12-06 08:00:30 0 dr------- C:\Documents and Settings\Administrator.BUSINESSLAPTOP\Start Menu
2007-12-06 08:00:30 0 dr-h----- C:\Documents and Settings\Administrator.BUSINESSLAPTOP\SendTo
2007-12-06 08:00:30 0 d--h----- C:\Documents and Settings\Administrator.BUSINESSLAPTOP\Recent
2007-12-06 08:00:30 0 d--h----- C:\Documents and Settings\Administrator.BUSINESSLAPTOP\PrintHood
2007-12-06 08:00:30 524288 --ah----- C:\Documents and Settings\Administrator.BUSINESSLAPTOP\NTUSER.DAT
2007-12-06 08:00:30 0 d--h----- C:\Documents and Settings\Administrator.BUSINESSLAPTOP\NetHood
2007-12-06 08:00:30 0 d-------- C:\Documents and Settings\Administrator.BUSINESSLAPTOP\My Documents
2007-12-06 08:00:30 0 d--h----- C:\Documents and Settings\Administrator.BUSINESSLAPTOP\Local Settings
2007-12-06 08:00:30 0 d-------- C:\Documents and Settings\Administrator.BUSINESSLAPTOP\Favorites
2007-12-06 08:00:30 0 d-------- C:\Documents and Settings\Administrator.BUSINESSLAPTOP\Desktop
2007-12-06 08:00:30 0 d---s---- C:\Documents and Settings\Administrator.BUSINESSLAPTOP\Cookies
2007-12-06 08:00:30 0 dr-h----- C:\Documents and Settings\Administrator.BUSINESSLAPTOP\Application Data
2007-12-06 08:00:30 0 d---s---- C:\Documents and Settings\Administrator.BUSINESSLAPTOP\Application Data\Microsoft
2007-12-06 00:49:36 0 d-------- C:\WINDOWS\System32\SoftwareDistribution
2007-12-06 00:23:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2007-12-06 0013 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-12-06 0013 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-12-06 0013 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-12-06 0013 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-12-06 0013 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-12-06 0013 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-12-06 0013 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-12-06 0013 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-12-06 0013 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-12-06 0013 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-12-06 0013 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-12-06 0013 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-12-06 0013 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-12-06 0013 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-12-05 23:49:10 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-05 23:49:01 4212 ---h----- C:\WINDOWS\System32\zllictbl.dat
2007-12-05 23:48:31 11264 --a------ C:\WINDOWS\System32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
2007-12-05 23:47:37 0 d-------- C:\WINDOWS\System32\ZoneLabs
2007-12-05 23:46:31 0 d-------- C:\WINDOWS\Internet Logs
2007-12-05 23:08:35 0 d-------- C:\Program Files\Lavasoft
2007-12-05 23:08:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-05 23:08:03 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-05 22:45:51 0 d-------- C:\Program Files\Alwil Software
2007-12-05 21:41:32 0 --a------ C:\WINDOWS\System32\update276.exe
2007-12-05 21:37:50 10000 --a------ C:\WINDOWS\System32\d4ghggf4g.dll
2007-12-05 21:37:23 100 --a------ C:\WINDOWS\System32\1.bat
2007-12-05 21:37:14 0 --a------ C:\WINDOWS\System32\update278.exe
2007-12-05 21:37:13 0 --a------ C:\WINDOWS\6iejtdngdsfgmertje.dat
2007-12-05 21:37:09 10 --a------ C:\WINDOWS\System32\kr_done1
2007-12-05 21:37:06 47616 --a------ C:\WINDOWS\System32\update236.exe
2007-12-05 21:37:00 54218 --a------ C:\WINDOWS\System32\xpdx.sys
2007-12-05 21:36:59 0 --a------ C:\WINDOWS\System32\update227.exe
2007-12-05 21:36:52 0 --a------ C:\WINDOWS\System32\update266.exe
2007-12-05 21:36:43 142848 --a------ C:\WINDOWS\System32\update247.exe
2007-12-05 21:36:39 0 --a------ C:\WINDOWS\6erwerqwerrersfgmertje.dat
2007-12-05 21:36:27 14336 --a------ C:\WINDOWS\System32\update275.exe
2007-12-05 21:36:06 6144 --a------ C:\WINDOWS\System32\~.exe
2007-12-05 21:36:04 6144 --a------ C:\WINDOWS\System32\_svchost.exe
2007-12-05 21:36:03 6144 --a------ C:\Documents and Settings\Drake\ie_updates3r.exe


-- Find3M Report ---------------------------------------------------------------

2007-12-05 23:08:03 0 d-------- C:\Program Files\Common Files
2007-11-19 22:10:09 0 d-------- C:\Program Files\Xfire
2007-11-18 19:28:37 0 d-------- C:\Documents and Settings\Drake\Application Data\Xfire


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IfxSecurePlatformIndication"="C:\Program Files\Broadcom\Security Platform Software\SpTNA.exe" [03/11/2005 10:14 AM]
"PSDruntime"="C:\Program Files\Broadcom\Security Platform Software\PSDrt.EXE" [03/11/2005 09:41 AM]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [08/03/2006 05:51 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/09/2007 07:12 PM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [08/11/2007 03:55 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 08:00 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [09/06/2007 04:14 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/20/2002 03:08 PM]
"EPSON Stylus CX7000F Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBKA.exe" [05/22/2006 04:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [05/23/2007 06:51 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [5/23/2007 1:41:43 PM]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [5/23/2007 6:51:52 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
IfxWlxEN.dll 03/11/2005 10:05 AM 360448 C:\WINDOWS\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PSDNtfy]
C:\Program Files\Broadcom\Security Platform Software\PSDNtfy.dll 03/11/2005 09:43 AM 45056 C:\Program Files\Broadcom\Security Platform Software\PSDNtfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2007-12-23 13:24:48 ------------
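Added example, not from the thread and not code from HijackThis or DSS: a small Python triage script that applies the two checks an analyst makes on the HijackThis logs in posts #1 and #5 (the F2 Userinit line carrying a second binary, ntos.exe, and the O23 service with "Unknown owner" running _svchost.exe from system32), then scans the DSS "Files created" list for a burst of files created within minutes of each other, which is how the 2007-12-05 21:36 cluster (update2xx.exe, _svchost.exe, xpdx.sys, 1.bat) stands out from the legitimate installs around it. The sample lines are excerpted from the logs above; the expected Userinit set, the "no publisher in system32 or odd name" service rule, and the burst window and threshold are my assumptions, and the output is a list of leads for an analyst to review, not a verdict.

```python
"""Triage helpers for HijackThis-style log lines and a DSS 'Files created' list.
Added example for this thread; not code from HijackThis, DSS or the forum.
EXPECTED_USERINIT, the unknown-owner service rule and the burst parameters are assumptions."""
import ntpath
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Sample lines excerpted from the HijackThis logs posted in this thread.
SAMPLE_HJT = [
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
    r"O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe",
]
# Sample lines excerpted from the DSS 'Files created' section; the '0013' entry
# reproduces the truncated timestamp DSS printed, which the parser must skip.
SAMPLE_DSS = [
    r"2007-12-23 13:20:37 0 d-------- C:\Program Files\Trend Micro",
    r"2007-12-06 0013 0 d--h----- C:\Documents and Settings\Administrator\Templates",
    r"2007-12-05 21:41:32 0 --a------ C:\WINDOWS\System32\update276.exe",
    r"2007-12-05 21:37:50 10000 --a------ C:\WINDOWS\System32\d4ghggf4g.dll",
    r"2007-12-05 21:37:23 100 --a------ C:\WINDOWS\System32\1.bat",
    r"2007-12-05 21:37:00 54218 --a------ C:\WINDOWS\System32\xpdx.sys",
    r"2007-12-05 21:36:04 6144 --a------ C:\WINDOWS\System32\_svchost.exe",
    r"2007-12-05 21:36:03 6144 --a------ C:\Documents and Settings\Drake\ie_updates3r.exe",
]

HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
EXPECTED_USERINIT = {"userinit.exe"}  # assumption: a stock XP Userinit value names only this binary

def parse_hjt(lines):
    """Split 'Oxx - body' lines into (section code, body) pairs; other lines are ignored."""
    out = []
    for line in lines:
        m = HJT_LINE.match(line.strip())
        if m:
            out.append((m.group("code"), m.group("body")))
    return out

def userinit_extras(body):
    """Return every binary in a Userinit= value that is not the expected userinit.exe."""
    if "userinit=" not in body.lower():
        return []
    items = [i.strip() for i in body.split("=", 1)[1].split(",") if i.strip()]
    return [i for i in items if ntpath.basename(i).lower() not in EXPECTED_USERINIT]

def service_finding(body):
    """Heuristic: flag a service with no publisher whose binary sits in system32 or has an odd name."""
    parts = body[len("Service: "):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, path = (p.strip() for p in parts)
    odd_name = ntpath.basename(path).lower().startswith(("_", "~"))
    if owner.lower() == "unknown owner" and (odd_name or "\\system32\\" in path.lower()):
        return f"service '{name}' has no publisher and runs {path}"
    return None

def triage_hjt(lines):
    """Return (code, reason) findings for the F2 and O23 sections of a HijackThis log."""
    findings = []
    for code, body in parse_hjt(lines):
        if code == "F2":
            findings += [(code, f"extra Userinit entry: {x}") for x in userinit_extras(body)]
        elif code == "O23":
            reason = service_finding(body)
            if reason:
                findings.append((code, reason))
    return findings

FileRecord = namedtuple("FileRecord", "created size attrs path")
DSS_FILE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \S+)\s+(?P<size>\d+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$")

def parse_dss_files(lines):
    """Parse DSS file lines into FileRecords sorted by creation time; unparsable timestamps are skipped."""
    records = []
    for line in lines:
        m = DSS_FILE.match(line.strip())
        if not m:
            continue
        try:
            created = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # e.g. the truncated '0013' time in the DSS output
        records.append(FileRecord(created, int(m.group("size")), m.group("attrs"), m.group("path")))
    return sorted(records, key=lambda r: r.created)

def creation_bursts(records, window=timedelta(minutes=3), min_count=4):
    """Group files created within `window` of the group's first file; keep groups of min_count or more."""
    bursts, group = [], []
    for rec in records:
        if group and rec.created - group[0].created > window:
            if len(group) >= min_count:
                bursts.append(group)
            group = []
        group.append(rec)
    if len(group) >= min_count:
        bursts.append(group)
    return bursts

if __name__ == "__main__":
    for code, reason in triage_hjt(SAMPLE_HJT):
        print(f"[{code}] {reason}")
    for burst in creation_bursts(parse_dss_files(SAMPLE_DSS)):
        print(f"{len(burst)} files created between {burst[0].created} and {burst[-1].created}:")
        for rec in burst:
            print(f"    {rec.created:%H:%M:%S} {rec.size:>6} {rec.path}")
```

Run against the full logs, the script reports the ntos.exe Userinit entry, the _svchost.exe service, and one five-file burst on 2007-12-05 between 21:36:03 and 21:37:50; the 21:41:32 update276.exe lands outside the three-minute window, which is why the window and threshold are worth tuning per case rather than treating the defaults as fixed.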
Old 12-23-2007, 11:03 AM   #6 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 6
OS: winxp


Re: Zombie Computer

Incidentally, my Avast is coming up with things that seem to point to this being the Enclag-A trojan. Do you agree and what does this mean? Did they get to my passwords? Can they get into my financial information?
Old 12-23-2007, 11:28 AM   #7 (permalink)
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,640
OS: Windows XP Pro, Vista, Windows 7


Re: Zombie Computer

Hi saurkraut,

Your computer appears to be infected by a backdoor trojan. It's very possible that anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing other rootkits. While we can attempt to clean what we see in your logs, we can't guarantee that your computer will be completely in the clear since we have no way of knowing what has been done to the computer.

1. If this computer has been used for sensitive transactions, then you should immediately change your online banking passwords and contact your bank.

2. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

--------------------------------------------------------------

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to C:\SDFix

DO NOT run SDFix yet. We will shortly.

--------------------------------------------------------------

Enter Safe Mode
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8
  3. Instead of Windows loading as normal, a menu should appear
  4. Use the up arrow key to highlight Safe Mode and press Enter.
  5. Login with your usual account
  6. Once you have logged in, a warning message will appear regarding starting windows in Safe mode, click OK and windows will load your desktop environment

Note: On some systems, this may be the F5 key, so try that if F8 doesn't work.

--------------------------------------------------------------

Run SDFix
  • Open the extracted SDFix folder and double click RunThis.cmd to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Paste the contents of the Report.txt back on the forum

--------------------------------------------------------------

Restart your computer in Normal Mode

--------------------------------------------------------------
  1. Download Combofix from Here or Alternate link
  2. Disable your real time Anti Virus and Anti Spyware protection programs. Exit the program via the SystemTray icon.
  3. Double click on combofix.exe & follow the prompts. Type "1" and press Enter to begin the scan.
  4. When finished, it shall produce a log for you ( C:\ComboFix.txt ). Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    --------------------------------------------------------------
  5. Re-enable your Anti-Virus if it is not active...a reboot should have re-activated it.
  6. You are using an outdated version of HijackThis. Please delete your current version and download HijackThis. Double-click on the file you just downloaded. Click on the "Install" button. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis
  7. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

    --------------------------------------------------------------

Please include the following in your next reply:

C:\SDFix\report.txt
C:\ComboFix.txt
New HiJackThis Log
Old 01-10-2008, 02:42 PM   #8 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 6
OS: winxp


Re: Zombie Computer

I am VERY grateful for your time and trouble over this. I also appreciate the diagnosis! Because of your statement (about how you can't guarantee a fix and it is possible they got my passwords) I've decided to wipe the whole thing clean and reinstall everything. Thanks so much!
Old 01-10-2008, 08:27 PM   #9 (permalink)
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,640
OS: Windows XP Pro, Vista, Windows 7


Re: Zombie Computer

Thanks for getting back to me. I would still take the time to change all your passwords for your accounts on a clean computer.

Safe surfing
All times are GMT -7. The time now is 11:16 AM.
Copyright 2001 - 2009, Tech Support Forum