Old 12-06-2008, 03:33 PM   #1 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 10
OS: XP Professional


Firefox hijacked, Avast reports "Win32:Trojan-gen {Other}"

This is a little embarrassing. You would have thought I'd have learned my lesson after the last time, but apparently I need a refresher course in not being an idiot.
Once again, browsing for stupid s**t, I allowed an app that looked legit on the face of it. It wasn't.
Only Firefox appears to have been affected by the hijacker. I can provide links to some of the sites it tries to access if required.



DDS (Version 1.0) - NTFSx86
Run by Sir.MadHatter at 23:21:01.18 on 2008-12-06
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1002 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avast\Avast4\aswUpdSv.exe
C:\Program Files\Avast\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Avast\Avast4\ashMaiSv.exe
C:\Program Files\Avast\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Avast\Avast4\ashDisp.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Sir.MadHatter\Desktop\dds.com
C:\WINDOWS\system32\rundll32.exe

============== Pseudo HJT Report ===============

BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {63009631-7c5c-41b4-b73f-4b5e026d04db} - c:\windows\system32\tevuwoja.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [EA Core] c:\program files\electronic arts\eadm\Core.exe -silent
uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [avast!] c:\progra~1\avast\avast4\ashDisp.exe
mRun: [DAEMON Tools-1033] "c:\program files\d-tools\daemon.exe" -lang 1033
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\FirstStart.exe" /OM
mRun: [vinutifuye] Rundll32.exe "c:\windows\system32\rihafebu.dll",s
mRun: [f89ffbd7] rundll32.exe "c:\windows\system32\bozilajo.dll",b
mRun: [CPMfbacc84b] Rundll32.exe "c:\windows\system32\vohetufa.dll",a
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\viarai~1.lnk - c:\program files\via\raid\raid_tool.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {212338C5-6A4A-492F-8561-2870907F0D51} = 192.168.1.254
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\votisete.dll c:\windows\system32\mitihuho.dll c:\windows\system32\vohetufa.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vohetufa.dll
STS: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vohetufa.dll
SEH: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - c:\program files\qualcomm\eudora\EuShlExt.dll
LSA: Notification Packages = scecli c:\windows\system32\mitihuho.dll

============= SERVICES / DRIVERS ===============

R0 d344bus;d344bus;c:\windows\system32\drivers\d344bus.sys [2006-6-14 137216]
R0 d344prt;d344prt;c:\windows\system32\drivers\d344prt.sys [2006-6-14 5248]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-10-12 28544]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-6-14 394192]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-5-12 611664]
R2 avast! Antivirus;avast! Antivirus;"c:\program files\avast\avast4\ashServ.exe" [2006-6-13 140664]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service []
R3 avast! Mail Scanner;avast! Mail Scanner;"c:\program files\avast\avast4\ashMaiSv.exe" /service [2006-6-13 247160]
R3 avast! Web Scanner;avast! Web Scanner;"c:\program files\avast\avast4\ashWebSv.exe" /service [2006-6-13 345464]
S3 cmudau;C-Media USB Sound Interface;c:\windows\system32\drivers\cmudau.sys [2007-5-26 809536]

=============== Created Last 30 ================

2008-12-06 23:20 120 ---sh--- c:\windows\system32\ojalizob.ini
2008-12-06 18:29 250 a------- c:\windows\gmer.ini
2008-12-06 11:20 120 ---sh--- c:\windows\system32\ujewibin.ini
2008-12-05 23:20 120 ---sh--- c:\windows\system32\omibivup.ini
2008-12-05 11:20 120 ---sh--- c:\windows\system32\ezajinab.ini
2008-12-05 07:49 54,156 a---h--- c:\windows\QTFont.qfn
2008-12-05 07:49 1,409 a------- c:\windows\QTFont.for
2008-12-04 23:20 120 ---sh--- c:\windows\system32\erejelus.ini
2008-12-04 11:19 120 ---sh--- c:\windows\system32\enutidim.ini
2008-12-03 23:19 120 ---sh--- c:\windows\system32\ihusenig.ini
2008-12-03 11:19 120 ---sh--- c:\windows\system32\abehedoh.ini
2008-12-02 23:19 120 ---sh--- c:\windows\system32\ofakeban.ini
2008-12-02 11:19 120 ---sh--- c:\windows\system32\ifirihay.ini
2008-12-01 23:19 120 ---sh--- c:\windows\system32\ayapopoj.ini
2008-12-01 18:27 120 ---sh--- c:\windows\system32\afizomek.ini
2008-11-30 23:19 120 ---sh--- c:\windows\system32\uwuyetis.ini
2008-11-30 11:18 120 ---sh--- c:\windows\system32\okekimaz.ini
2008-11-29 12:18 120 ---sh--- c:\windows\system32\efigubit.ini
2008-11-13 03:06 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-13 03:03 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll

==================== Find3M ====================

2008-12-06 23:20 93,467 a--sh--- c:\windows\system32\vohetufa.dll
2008-12-06 23:20 87,218 a--sh--- c:\windows\system32\bozilajo.dll
2008-12-06 20:14 12,712 a------- c:\windows\system32\tablet.dat
2008-12-06 18:19 <DIR> --d----- c:\docume~1\sir~1.mad\applic~1\Azureus
2008-12-06 11:20 64,233 a--sh--- c:\windows\system32\bijapeka.dll
2008-12-06 11:20 96,025 a--sh--- c:\windows\system32\lomuduje.dll
2008-12-06 11:20 87,793 -------- c:\windows\system32\nibiweju.dll
2008-12-05 23:20 93,363 a--sh--- c:\windows\system32\rijedatu.dll
2008-12-05 23:20 86,624 -------- c:\windows\system32\puvibimo.dll
2008-12-05 11:20 63,029 a--sh--- c:\windows\system32\vaseyure.dll
2008-12-05 11:20 93,237 a--sh--- c:\windows\system32\werudoze.dll
2008-12-05 11:20 86,581 -------- c:\windows\system32\banijaze.dll
2008-12-04 23:20 92,725 a--sh--- c:\windows\system32\jaguvonu.dll
2008-12-04 23:20 87,605 -------- c:\windows\system32\sulejere.dll
2008-12-04 11:20 64,565 a--sh--- c:\windows\system32\vasutadu.dll
2008-12-04 11:19 94,261 a--sh--- c:\windows\system32\sikemeva.dll
2008-12-04 11:19 85,557 -------- c:\windows\system32\miditune.dll
2008-12-03 23:19 94,261 a--sh--- c:\windows\system32\bowilihi.dll
2008-12-03 23:19 85,557 -------- c:\windows\system32\ginesuhi.dll
2008-12-02 23:19 86,581 -------- c:\windows\system32\nabekafo.dll
2008-12-02 11:19 65,076 a--sh--- c:\windows\system32\leridamu.dll
2008-12-01 23:19 95,796 a--sh--- c:\windows\system32\jehavomu.dll
2008-12-01 23:19 91,188 -------- c:\windows\system32\jopopaya.dll
2008-11-30 23:18 88,116 -------- c:\windows\system32\siteyuwu.dll
2008-11-29 23:18 88,116 a--sh--- c:\windows\system32\metigime.dll
2008-11-22 08:29 <DIR> --d----- c:\program files\Azureus
2008-11-09 13:54 <DIR> --d----- c:\program files\eMule
2008-11-03 20:29 <DIR> --d----- c:\program files\Aida32
2008-11-01 21:22 <DIR> --d----- c:\program files\OLYMPUS
2008-10-27 07:16 <DIR> --d----- c:\program files\Messenger
2008-10-27 07:15 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-27 07:10 <DIR> --d----- c:\program files\Windows NT
2008-10-25 07:26 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\2DBoy
2008-10-21 18:37 <DIR> --d----- c:\program files\A43
2008-10-17 15:15 388,608 a------- c:\windows\system32\CF9948.exe
2008-10-17 14:41 410,976 a------- c:\windows\system32\deploytk.dll
2008-10-14 06:03 <DIR> --d----- c:\program files\QuicktimeKiller
2008-10-12 14:43 <DIR> --d----- c:\program files\SpywareBlaster
2008-10-12 12:55 <DIR> --d----- c:\program files\Panda Security
2008-10-12 09:12 <DIR> --d----- c:\program files\Lavasoft
2008-10-12 09:11 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-10-10 19:54 <DIR> --d----- c:\program files\ATI Technologies
2008-10-10 19:33 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\PC Drivers HeadQuarters
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 04:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-09 17:14 1,307,648 a------- c:\windows\system32\msxml6.dll
2008-09-07 10:37 <DIR> --d----- c:\docume~1\sir~1.mad\applic~1\SPORE
2008-06-14 21:25 <DIR> --d----- c:\docume~1\sir~1.mad\applic~1\HamachiBORKED
2008-06-07 13:50 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\elefundesktops
2008-06-07 13:28 <DIR> --d----- c:\docume~1\sir~1.mad\applic~1\Dealio
2008-05-23 19:57 <DIR> --d----- c:\docume~1\sir~1.mad\applic~1\My Games
2007-08-26 08:20 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Trymedia
2007-08-25 21:57 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\iWin Games
2007-03-12 19:17 <DIR> --d----- c:\docume~1\sir~1.mad\applic~1\Ambient Design
2006-11-05 02:34 <DIR> --d----- c:\docume~1\sir~1.mad\applic~1\Visicom Media
2006-10-01 07:48 <DIR> --d----- c:\docume~1\sir~1.mad\applic~1\Lionhead Studios
2006-06-25 18:19 <DIR> --d----- c:\docume~1\sir~1.mad\applic~1\Qualcomm
2006-06-14 17:53 <DIR> --d----- c:\docume~1\sir~1.mad\applic~1\Miranda
2008-09-06 11:20 64,233 a--sh--- c:\windows\system32\mitihuho.dll
2008-09-06 11:20 64,233 a--sh--- c:\windows\system32\rihafebu.dll
2008-09-06 11:20 64,233 a--sh--- c:\windows\system32\tevuwoja.dll

============= FINISH: 23:22:39.98 ===============


Attached Files:
DDS.txt
Attach.txt
GMER.txt
KAS.txt - Kaspersky Online Scan report

Please advise.

Last edited by sUBs; 12-06-2008 at 07:49 PM.
Old 12-06-2008, 07:54 PM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,465
OS: N/A


Re: Firefox hijacked, Avast reports "Win32:Trojan-gen {Other}"

Shouldn't have done the Kaspersky online scan yet. We won't require one till later.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Post the log from ComboFix when you've accomplished that.
Old 12-07-2008, 01:42 AM   #3 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 10
OS: XP Professional


Re: Firefox hijacked, Avast reports "Win32:Trojan-gen {Other}"

Yeah, I ran Kaspersky in the hopes that it might help me remove the intrusion(s). When it didn't, I figured I may as well save the log in case it was useful.

ComboFix log Attached.


ComboFix 08-12-06.06 - Sir.MadHatter 2008-12-07 1949.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1333 [GMT -8:00]
Running from: c:\documents and settings\Sir.MadHatter\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sir.MadHatter\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\abehedoh.ini
c:\windows\system32\afizomek.ini
c:\windows\system32\ayapopoj.ini
c:\windows\system32\banijaze.dll
c:\windows\system32\bijapeka.dll
c:\windows\system32\bowilihi.dll
c:\windows\system32\bozilajo.dll
c:\windows\system32\efigubit.ini
c:\windows\system32\enutidim.ini
c:\windows\system32\erejelus.ini
c:\windows\system32\ezajinab.ini
c:\windows\system32\funotaku.dll
c:\windows\system32\ginesuhi.dll
c:\windows\system32\ifirihay.ini
c:\windows\system32\ihusenig.ini
c:\windows\system32\izuregat.ini
c:\windows\system32\jaguvonu.dll
c:\windows\system32\jehavomu.dll
c:\windows\system32\jopopaya.dll
c:\windows\system32\leridamu.dll
c:\windows\system32\lomuduje.dll
c:\windows\system32\metigime.dll
c:\windows\system32\miditune.dll
c:\windows\system32\mitihuho.dll
c:\windows\system32\nabekafo.dll
c:\windows\system32\nibiweju.dll
c:\windows\system32\ofakeban.ini
c:\windows\system32\ojalizob.ini
c:\windows\system32\okekimaz.ini
c:\windows\system32\omibivup.ini
c:\windows\system32\puvibimo.dll
c:\windows\system32\rihafebu.dll
c:\windows\system32\rijedatu.dll
c:\windows\system32\sikemeva.dll
c:\windows\system32\siteyuwu.dll
c:\windows\system32\sulejere.dll
c:\windows\system32\tageruzi.dll
c:\windows\system32\tevuwoja.dll
c:\windows\system32\ujewibin.ini
c:\windows\system32\uwuyetis.ini
c:\windows\system32\vaseyure.dll
c:\windows\system32\vasutadu.dll
c:\windows\system32\vohetufa.dll
c:\windows\system32\werudoze.dll

----- BITS: Possible infected sites -----

hxxp://77.74.48.105
.
((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.

2008-12-07 19:01 . 2008-12-07 19:13 4,958,588 --a------ c:\windows\{00000000-00000000-0000000A-00001102-00000008-10211102}.BAK
2008-12-07 15:11 . 2008-12-07 15:11 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2008-12-07 12:24 . 2008-12-07 12:24 <DIR> d-------- c:\program files\Yahoo!
2008-12-06 18:29 . 2008-12-06 22:46 250 --a------ c:\windows\gmer.ini
2008-12-05 07:49 . 2008-12-05 07:49 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-05 07:49 . 2008-12-05 07:49 1,409 --a------ c:\windows\QTFont.for
2008-11-13 03:06 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-13 03:03 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 03:14 --------- d-----w c:\documents and settings\Sir.MadHatter\Application Data\Skype
2008-12-08 02:58 --------- d-----w c:\documents and settings\Sir.MadHatter\Application Data\Azureus
2008-12-07 02:13 --------- d---a-w c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2008-11-22 16:29 --------- d-----w c:\program files\Azureus
2008-11-09 21:54 --------- d-----w c:\program files\eMule
2008-11-07 23:48 17,317,416 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-11-05 02:33 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-05 02:33 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Fallout3
2008-11-05 02:31 --------- d-----w c:\program files\MSBuild
2008-11-05 02:28 --------- d-----w c:\program files\Reference Assemblies
2008-11-04 04:29 --------- d-----w c:\program files\Aida32
2008-11-02 21:03 --------- d-----w c:\program files\Winamp
2008-11-02 05:22 --------- d-----w c:\program files\OLYMPUS
2008-10-25 15:26 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\2DBoy
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 02:37 --------- d-----w c:\program files\A43
2008-10-17 22:41 --------- d-----w c:\program files\Java
2008-10-14 14:03 --------- d-----w c:\program files\QuicktimeKiller
2008-10-12 22:43 --------- d-----w c:\program files\SpywareBlaster
2008-10-12 20:55 --------- d-----w c:\program files\Panda Security
2008-10-12 17:14 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2008-10-12 17:12 --------- d-----w c:\program files\Lavasoft
2008-10-12 17:11 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-11 04:05 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\ATI
2008-10-11 04:02 --------- d-----w c:\documents and settings\Sir.MadHatter\Application Data\Hamachi
2008-10-11 03:54 --------- d-----w c:\program files\ATI Technologies
2008-10-11 03:33 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\PC Drivers HeadQuarters
2008-05-24 21:40 8,236 ----a-w c:\program files\darwin_dbg.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2006-12-18 25365032]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-07-21 2752512]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-05-15 95536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-28 344064]
"avast!"="c:\progra~1\Avast\Avast4\ashDisp.exe" [2007-12-04 79224]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2003-12-27 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-25 180269]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 919280]
"VX1000"="c:\windows\vVX1000.exe" [2007-04-10 709992]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-17 136600]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2008-05-15 54576]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 c:\windows\SOUNDMAN.EXE]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 c:\windows\LOGI_MWX.EXE]
"CTHelper"="CTHELPER.EXE" [2005-06-17 c:\windows\CTHELPER.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-09-17 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2006-09-17 106496]
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [2006-01-21 585728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2005-11-14 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\ff_vfw.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"vidc.DIVF"= DivX412.dll
"vidc.XVID"= xvid.dll
"vidc.vp31"= vp31vfw.dll
"VIDC.HFYU"= huffyuv.dll
"msacm.divxa32"= DivXa32.acm
"vidc.wmv3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 d344bus;d344bus;c:\windows\system32\DRIVERS\d344bus.sys [2006-06-14 137216]
R0 d344prt;d344prt;c:\windows\system32\Drivers\d344prt.sys [2006-06-14 5248]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-10-12 28544]
.
Contents of the 'Scheduled Tasks' folder

2008-12-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]
.
- - - - ORPHANS REMOVED - - - -

BHO-{63009631-7c5c-41b4-b73f-4b5e026d04db} - c:\windows\system32\tevuwoja.dll


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: {212338C5-6A4A-492F-8561-2870907F0D51} = 192.168.1.254
FireFox -: Profile - c:\documents and settings\Sir.MadHatter\Application Data\Mozilla\Firefox\Profiles\hcqrn9vj.default\
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Yahoo!\Common\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 19:13:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WgaTray.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Avast\Avast4\aswUpdSv.exe
c:\program files\Avast\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\Tablet.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Avast\Avast4\ashMaiSv.exe
c:\program files\Avast\Avast4\ashWebSv.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-07 19:17:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-08 03:16:52

Pre-Run: 2,898,378,752 bytes free
Post-Run: 2,807,341,056 bytes free

221 --- E O F --- 2008-11-14 03:03:57

Last edited by sUBs; 12-07-2008 at 03:09 AM.
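A small triage script over the kind of output quoted in posts #1 (DDS) and #3 (ComboFix), added here as an example and not part of the thread or of the DDS/ComboFix tools. It flags the same patterns the helper acted on: Run-key entries that start a system32 DLL through rundll32 with a one-letter export, AppInit_DLLs and LSA notification-package additions, a non-standard ShellServiceObjectDelayLoad entry, hidden+system files in system32, and the Security Center / firewall-policy values ComboFix listed. The sample lines are copied from the posts above; the rule names, the known-good lists and the regexes are assumptions of this example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines in the shape of the DDS "Pseudo HJT Report" and
# "Find3M" sections and ComboFix "Reg Loading Points" output quoted in this
# thread (values copied from the posts; not a complete log).
SAMPLE_LOG = "\n".join([
    r'mRun: [avast!] c:\progra~1\avast\avast4\ashDisp.exe',
    r'mRun: [vinutifuye] Rundll32.exe "c:\windows\system32\rihafebu.dll",s',
    r'mRun: [f89ffbd7] rundll32.exe "c:\windows\system32\bozilajo.dll",b',
    r'mRun: [CPMfbacc84b] Rundll32.exe "c:\windows\system32\vohetufa.dll",a',
    r'AppInit_DLLs: c:\windows\system32\votisete.dll c:\windows\system32\mitihuho.dll c:\windows\system32\vohetufa.dll',
    r'SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll',
    r'SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vohetufa.dll',
    r'LSA: Notification Packages = scecli c:\windows\system32\mitihuho.dll',
    r'2008-12-06 23:20 93,467 a--sh--- c:\windows\system32\vohetufa.dll',
    r'2008-12-06 23:20 120 ---sh--- c:\windows\system32\ojalizob.ini',
    r'2008-12-06 20:14 12,712 a------- c:\windows\system32\tablet.dat',
    r'2008-12-06 11:20 87,793 -------- c:\windows\system32\nibiweju.dll',
    r'"AntiVirusDisableNotify"=dword:00000001',
    r'"UpdatesDisableNotify"=dword:00000001',
    r'"EnableFirewall"= 0 (0x0)',
])

# Line shapes (assumed from the logs in the thread, not an official grammar).
RUN_RUNDLL = re.compile(
    r'^[umd]Run:\s*\[(?P<name>[^\]]+)\]\s*rundll32(?:\.exe)?\s+'
    r'"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\w+)', re.I)
APPINIT = re.compile(r'^AppInit_DLLs:\s*(?P<dlls>.+)$', re.I)
LSA_NOTIFY = re.compile(r'^LSA:\s*Notification Packages\s*=\s*(?P<pkgs>.+)$', re.I)
SSODL = re.compile(r'^SSODL:\s*(?P<name>\S+)\s*-\s*\{[^}]+\}\s*-\s*(?P<dll>.+)$', re.I)
FILE_LINE = re.compile(
    r'^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+[\d,]+\s+(?P<attrs>[-a-z]{8})\s+'
    r'(?P<path>c:\\windows\\system32\\[^\\]+)$', re.I)
SC_NOTIFY = re.compile(
    r'^"(?P<key>(?:AntiVirus|Updates|Firewall)DisableNotify)"=dword:(?P<val>[0-9a-f]{8})$', re.I)
FIREWALL = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)', re.I)
RANDOM_NAME = re.compile(r'^[a-z]{8}\.(?:dll|ini)$')  # the 8-letter names seen above

# Known-good lists are assumptions for this example; extend them per baseline.
LSA_KNOWN = {"scecli"}
SSODL_KNOWN = {"wpdshserviceobj", "webcheck"}


@dataclass
class Finding:
    rule: str
    detail: str


def _annotate(path):
    """Append a note when the file name looks like the random 8-letter names."""
    base = path.rsplit("\\", 1)[-1]
    return path + (" [random-looking 8-letter name]" if RANDOM_NAME.match(base) else "")


def triage(log_text):
    """Return one Finding per suspicious element in DDS/ComboFix-style text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RUNDLL.match(line)
        if m:  # autorun that hands a DLL to rundll32 with a one-letter export
            findings.append(Finding("run-key rundll32 loader",
                                    f'{m["name"]} -> {_annotate(m["dll"])},{m["export"]}'))
            continue
        m = APPINIT.match(line)
        if m:  # every AppInit_DLLs entry is injected into every GUI process
            for dll in m["dlls"].split():
                findings.append(Finding("AppInit_DLLs entry", _annotate(dll)))
            continue
        m = LSA_NOTIFY.match(line)
        if m:  # extra notification packages load into lsass at boot
            for pkg in m["pkgs"].split():
                if pkg.lower() not in LSA_KNOWN:
                    findings.append(Finding("extra LSA notification package", _annotate(pkg)))
            continue
        m = SSODL.match(line)
        if m:
            if m["name"].lower() not in SSODL_KNOWN:
                findings.append(Finding("non-standard ShellServiceObjectDelayLoad",
                                        _annotate(m["dll"])))
            continue
        m = FILE_LINE.match(line)
        if m:  # DDS attribute string: 's' = system, 'h' = hidden
            attrs = m["attrs"].lower()
            if "s" in attrs and "h" in attrs:
                findings.append(Finding("hidden+system file in system32", _annotate(m["path"])))
            continue
        m = SC_NOTIFY.match(line)
        if m and int(m["val"], 16) != 0:
            findings.append(Finding("Security Center notification disabled", m["key"]))
            continue
        m = FIREWALL.match(line)
        if m and m["val"] == "0":
            findings.append(Finding("Windows Firewall disabled", line))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'run-key rundll32 loader': 3, ...}."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:45s} {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```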
Old 12-07-2008, 03:13 AM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,465
OS: N/A


Re: Firefox hijacked, Avast reports "Win32:Trojan-gen {Other}"

Open NOTEPAD.exe and copy/paste the text in the codebox below:
(don't forget to copy and paste REGEDIT4)

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000
Save this as fix.reg. Choose "Save type as - All Files".
It should look like this:
Double click on fix.reg & allow it to merge into the registry


---------------


Log looks good. Now is a good time for that Kaspersky scan.
Old 12-07-2008, 12:52 PM   #5 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 10
OS: XP Professional


Re: Firefox hijacked, Avast reports "Win32:Trojan-gen {Other}"

Done and done.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, December 8, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, December 07, 2008 03:56:00
Records in database: 1441542
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 107397
Threat name: 5
Infected objects: 15
Suspicious objects: 0
Duration of the scan: 02:13:31


File name / Threat name / Threats count
C:\File Store\to be sorted\Utilities\radmin21.zip Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 2
C:\File Store\to be sorted\Utilities\radmin21.zip Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 2
C:\File Store\to be sorted\Utilities\tightvnc-1.2.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
C:\File Store\to be sorted\Utilities\tightvnc-1.2.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
C:\Program Files\Avast\Avast4\DATA\moved\KEMOZIFA.DLL.vir Infected: Trojan.Win32.Monder.aamw 1
C:\Program Files\Avast\Avast4\DATA\moved\TIBUGIFE.DLL.vir Infected: Trojan.Win32.Monder.aamw 1
C:\Program Files\Avast\Avast4\DATA\moved\ZAMIKEKO.DLL.vir Infected: Trojan.Win32.Monder.aamw 1
C:\Program Files\Radmin\AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 1
C:\Program Files\Radmin\raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 1
C:\Program Files\Radmin\radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 1
C:\Program Files\Radmin\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\metigime.dll.vir Infected: Trojan.Win32.Monder.aamw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\siteyuwu.dll.vir Infected: Trojan.Win32.Monder.aamw 1

The selected area was scanned.

Last edited by sUBs; 12-07-2008 at 03:07 PM.
Old 12-07-2008, 03:09 PM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,465
OS: N/A


Re: Firefox hijacked, Avast reports "Win32:Trojan-gen {Other}"

C:\Program Files\Avast\Avast4\DATA\moved\

This is Avast's quarantine folder. You should empty it.

Of the stuff Kaspersky found, C:\QooBox\ is ComboFix's quarantine folder. We'll take care of it when we uninstall ComboFix.


Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Uninstall ComboFix ... do not skip this step
    This process will perform some post cleanup measures.
    Do this by going to Start > Run & typing in ComboFix /u


  2. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  3. Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  4. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial49.html

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
Old 12-08-2008, 12:07 AM   #7 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 10
OS: XP Professional


Re: Firefox hijacked, Avast reports "Win32:Trojan-gen {Other}"

Thanks for the assist. Everything looks good here.
Keep up the good work!