Net Worm Kido t?

[billermo]

I keep getting strange behavior on my laptop -- this all began a few weeks back when I took it to a cafe with wifi, and as soon as I connected to that wifi I got a message from Nod32 that it had blocked a virus from infecting me.

In the following weeks there has been more followup strange behavior, usually when Spyware Terminator blocks some action.

I have just ran the DDS and Gmer scans, and am posting the logs here. I am also attaching a screenshot of the alert from Spyware Terminator (containing the names of the potential viruses, etc.), which includes all but the first incident of strange behavior. THANKS for any help!

ps: can you read that Spyware Terminator screenshot? The one today describes it as an action by Zango, but I do not have that program installed. An earlier one mentioned Flash_Disinifector.exe in My Documents, but I don't have that file in that folder.

DDS:
---------------------------

DDS (Ver_09-07-30.01) - NTFSx86
Run by Bill at 11:52:57.54 on Sat 08/01/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.638 [GMT 7:00]

AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Webshots\webshots.scr
C:\Documents and Settings\Bill\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://nicehouse.com.vn:2082/frontend/x3/index.html
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No File
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: GetRight IE Download Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Google Update] "c:\documents and settings\bill\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
uRun: [Windows Live Sync] "c:\program files\windows live\sync\WindowsLiveSync.exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [SpywareTerminator] "c:\progra~1\spywar~2\SpywareTerminatorShield.exe"
mRun: [BVRPLiveUpdate] c:\program files\avanquest update\engine\setup.exe -s /patch,/srcupdatec:\docume~1\alluse~1\applic~1\sonyer~1\sonyer~1\liveup~1\LISTOF~1.DAT
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
StartupFolder: c:\docume~1\bill\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} - hxxps://www.mesh.com/0.9.3424.31/TSWeb.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} - hxxp://mail.lycos.com/hanmail-ax/AttachMail.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = :\WINDOW

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bill\applic~1\mozilla\firefox\profiles\rlzudt8g.default\
FF - prefs.js: browser.startup.homepage - hxxp://scores.espn.go.com/mlb/scoreboard|http://www.slate.com/|http://www.bos...ice.com/movies
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\bill\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\bill\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-6 106208]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 55024]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-3-8 142592]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-2-6 727720]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-7 210216]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-1-5 103936]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-3-28 29744]
S3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [2009-3-29 9024]
S3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [2009-3-29 19392]
S3 s916bus;Sony Ericsson Device 916 driver (WDM);c:\windows\system32\drivers\s916bus.sys [2009-3-19 83496]
S3 s916mdfl;Sony Ericsson Device 916 USB WMC Modem Filter;c:\windows\system32\drivers\s916mdfl.sys [2009-3-19 15016]
S3 s916mdm;Sony Ericsson Device 916 USB WMC Modem Driver;c:\windows\system32\drivers\s916mdm.sys [2009-3-19 109992]
S3 s916mgmt;Sony Ericsson Device 916 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s916mgmt.sys [2009-3-19 103976]
S3 s916obex;Sony Ericsson Device 916 USB WMC OBEX Interface;c:\windows\system32\drivers\s916obex.sys [2009-3-19 100008]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S3 usb2vcom;USB to Serial Bridge Controller;c:\windows\system32\drivers\usb2vcom.sys [2005-6-16 22528]
S3 vvftav211;vvftav211;c:\windows\system32\drivers\vvftav211.sys --> c:\windows\system32\drivers\vvftav211.sys [?]
S3 ZSMC30x;USB PC Camera Service ZSMC30x;c:\windows\system32\drivers\zs211.sys --> c:\windows\system32\drivers\ZS211.sys [?]

=============== Created Last 30 ================


==================== Find3M ====================

2009-07-22 16:27 91,460 a------- c:\windows\system32\nvModes.dat
2007-08-09 06:46 1,252 ac------ c:\program files\INSTALL.LOG
1998-02-10 18:34 128,000 a------- c:\program files\UNWISE.EXE
2006-03-19 01:21 56 ---shr-- c:\windows\system32\D33E28693D.sys
2006-03-19 01:21 2,828 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-07 12:18 32,768 ac-sh--- c:\windows\system32\config\systemprofile\cookies\index.dat
2009-03-07 12:18 16,384 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2009-03-07 12:18 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 11:53:49.48 ===============

[billermo]

bump it

[Ried]

Hello billermo,

Net Worm Kido is another name for what's more popularly known as Conficker. It will require more than one round to properly clean your system. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

====================================================


Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal.

====================================================


Double click on combofix.exe & follow the prompts.

• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

[billermo]

Attaching combofix.txt here.

Before starting the scan, I shut down Eset Smart Security and disabled Spyware Terminator. But when the Combofix scan was finishing, somehow Spyware Terminator had popped up and was asking for confirmations of Allow/Deny -- I assumed they were related to Combofix and allowed them all. I caught the name of one as NirCmd or something like this. I guess I could look in Spyware Terminator and see what they all were if need be. Hoping very much that this was unimportant.

ComboFix 09-08-07.09 - Bill 08/09/2009 0:05.14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.590 [GMT 7:00]
Running from: c:\documents and settings\Bill\Desktop\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\windows\kb913800.exe

.
((((((((((((((((((((((((( Files Created from 2009-07-08 to 2009-08-08 )))))))))))))))))))))))))))))))
.

2009-07-11 09:14 . 2009-08-06 06:12 -------- d-----w- c:\documents and settings\Bill\Application Data\vlc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-08 16:54 . 2009-03-08 13:35 -------- d-----w- c:\documents and settings\Bill\Application Data\Spyware Terminator
2009-08-08 05:42 . 2007-09-30 05:58 -------- d-----w- c:\documents and settings\Bill\Application Data\Skype
2009-08-08 05:04 . 2008-12-02 05:49 -------- d-----w- c:\documents and settings\Bill\Application Data\skypePM
2009-08-06 09:42 . 2007-06-03 12:27 -------- d-----w- c:\documents and settings\Bill\Application Data\uTorrent
2009-08-02 06:06 . 2009-03-08 13:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-07-22 09:28 . 2008-09-30 15:15 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-07-22 09:27 . 2005-12-23 18:18 91460 ----a-w- c:\windows\system32\nvModes.dat
2009-07-11 09:11 . 2007-07-29 14:51 -------- d-----w- c:\program files\VideoLAN
2009-07-08 05:45 . 2008-06-25 04:06 -------- d-----w- c:\documents and settings\Bill\Application Data\dvdcss
2009-07-02 18:00 . 2009-03-08 13:35 -------- d-----w- c:\program files\Spyware Terminator
2009-06-23 08:32 . 2006-03-07 09:16 41 -c--a-w- c:\windows\popcinfo.dat
2009-06-22 08:23 . 2009-06-22 08:23 239088 ----a-w- c:\documents and settings\Bill\Application Data\Mozilla\plugins\npgoogletalk.dll
1998-02-10 11:34 . 2007-08-08 23:46 128000 ----a-w- c:\program files\UNWISE.EXE
2008-09-11 13:40 . 2007-03-28 07:36 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-07-25 02:41 . 2007-08-13 23:26 12592 ----a-w- c:\program files\mozilla firefox\plugins\libcomm.dll
2007-07-25 02:41 . 2007-08-13 23:26 37256 ----a-w- c:\program files\mozilla firefox\plugins\NanoInst.dll
2007-07-25 02:41 . 2007-08-13 23:26 43824 ----a-w- c:\program files\mozilla firefox\plugins\PSComm.dll
2007-07-25 02:41 . 2007-08-13 23:26 113456 ----a-w- c:\program files\mozilla firefox\plugins\PSNAdBrk.dll
2006-03-18 18:21 . 2006-01-27 01:42 56 --sh--r- c:\windows\system32\D33E28693D.sys
2006-03-18 18:21 . 2006-01-27 01:42 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Bill\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-05 133104]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-06-18 393216]
"Windows Live Sync"="c:\program files\Windows Live\Sync\WindowsLiveSync.exe" [2009-02-06 1170272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-09 7118848]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2005-09-01 684032]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-11 29744]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-02-06 2021400]
"SpywareTerminator"="c:\progra~1\SPYWAR~2\SpywareTerminatorShield.exe" [2009-03-08 2233856]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

c:\documents and settings\Bill\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2006-3-15 45056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-24 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2009-03-08 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-03-08 08:29 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Bill\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Bill\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager 1.0\\MediaManager.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2/6/2009 2:23 PM 106208]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 1:53 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 12:39 PM 55024]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [3/8/2009 8:35 PM 142592]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2/6/2009 2:23 PM 727720]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [3/7/2009 3:33 PM 210216]
R3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [1/5/2009 9:39 PM 103936]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [3/28/2007 2:36 PM 29744]
S3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [3/29/2009 7:39 PM 9024]
S3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [3/29/2009 7:39 PM 19392]
S3 s916bus;Sony Ericsson Device 916 driver (WDM);c:\windows\system32\drivers\s916bus.sys [3/19/2009 12:12 PM 83496]
S3 s916mdfl;Sony Ericsson Device 916 USB WMC Modem Filter;c:\windows\system32\drivers\s916mdfl.sys [3/19/2009 12:12 PM 15016]
S3 s916mdm;Sony Ericsson Device 916 USB WMC Modem Driver;c:\windows\system32\drivers\s916mdm.sys [3/19/2009 12:12 PM 109992]
S3 s916mgmt;Sony Ericsson Device 916 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s916mgmt.sys [3/19/2009 12:12 PM 103976]
S3 s916obex;Sony Ericsson Device 916 USB WMC OBEX Interface;c:\windows\system32\drivers\s916obex.sys [3/19/2009 12:12 PM 100008]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 5:51 PM 4096]
S3 usb2vcom;USB to Serial Bridge Controller;c:\windows\system32\drivers\usb2vcom.sys [6/16/2005 2:52 PM 22528]
S3 vvftav211;vvftav211;c:\windows\system32\drivers\vvftav211.sys --> c:\windows\system32\drivers\vvftav211.sys [?]
S3 ZSMC30x;USB PC Camera Service ZSMC30x;c:\windows\system32\Drivers\ZS211.sys --> c:\windows\system32\Drivers\ZS211.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 10:57]

2009-07-01 c:\windows\Tasks\Calculator.job
- c:\windows\system32\calc.exe [2005-08-16 11:00]

2009-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-680051865-1257116479-2218443935-1005Core.job
- c:\documents and settings\Bill\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 05:00]

2009-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-680051865-1257116479-2218443935-1005UA.job
- c:\documents and settings\Bill\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 05:00]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-BVRPLiveUpdate - c:\program files\Avanquest update\Engine\Setup.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://nicehouse.com.vn:2082/frontend/x3/index.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} - hxxps://www.mesh.com/0.9.3424.31/TSWeb.cab
FF - ProfilePath - c:\documents and settings\Bill\Application Data\Mozilla\Firefox\Profiles\rlzudt8g.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://scores.espn.go.com/mlb/scoreboard|http://www.slate.com/|http://www.bos...ice.com/movies
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\Bill\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Bill\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-09 00:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1472)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(2592)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\progra~1\Iomega\System32\AppServices.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Sandboxie\SbieSvc.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\program files\Iomega\AutoDisk\ADService.exe
c:\windows\ehome\mcrdsvc.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\dllhost.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Webshots\webshots.scr
.
**************************************************************************
.
Completion time: 2009-08-08 0:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-08 17:18

Pre-Run: 15,386,652,672 bytes free
Post-Run: 15,411,720,192 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

199 --- E O F --- 2008-09-18 06:10

[Ried]

Quote:

But when the Combofix scan was finishing, somehow Spyware Terminator had popped up and was asking for confirmations of Allow/Deny -- I assumed they were related to Combofix and allowed them all.

Your actions were correct in allowing those changes.

Do you recognize this scheduled task as something you created?

2009-07-01 c:\windows\Tasks\Calculator.job
- c:\windows\system32\calc.exe [2005-08-16 11:00]


How is the system behaving since running ComboFix?

[billermo]

I didn't create any task like that, not knowingly anyway. I don't even know what "Tasks" are.

I did get a blue screen with memory dump not long after Combofix. Rebooted and all seemed normal.

The behavior before was the occassional strange action that I noticed was stopped, usually by Spyware Terminator. So I just got back on here and haven't had a chance to notice more -- but they occur once in awhile, not often. I was concerned they might all be related, the virus's way of slowly taking hold.

[Ried]

Since you know nothing of that scheduled task, let's go ahead and delete it.

Click Start>Run and type the following bolded text into the Run box and click OK:

tasks

The Scheduled Tasks should now be open for you. Look for that task, right click and select delete

===============================

Let's get an online scan and see if anything is lurking about. Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:

• Close any open programs
  
• Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.

• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
  
  
  
  
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

[billermo]

The Kapersky scan has failed.

I ran it in IE7, which has java installed already. It took hours to download the database, and then once it did I got a fail message due to some error -- it was saying I needed to be connected online, which I was already. I"m sure because I refreshed the page, which worked, went back to previous page, refreshed that and tried again all over. But it just stops dead at that error message. Can not go further.

I remember having trouble with Kapersky's online scanner before, on a different machine.

Thanks for all your help on this one.

[Ried]

Let's try Panda ActiveScan

* Turn off the real time scanner of any existing antivirus program while performing the online scan

• Click on Scan Your PC Now
• A "pop up" window will appear, or a new tab will open.
• Click on Register
• Choose the option you like most, but we recommend the Free Registration.
• Click on Register
• Enter your e-mail address, and create a password.
• Select "I do not want to receive any type of information". (unless you want to receive such information)
• Click on Send
• Confirm registration, and continue by entering your user name and password, then click on Enter
• Select Full Scan, then Click on Scan Now
• Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  
• If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
• Please ignore the offer to buy the program. Click on Export To
  
• Export the log and save it to your desktop.
• Please attach the contents of that log in your next reply.

[billermo]

Sorry it took so long to do this one. I ran the Panda scan overnight last night.

[billermo]

By the way, there is no Flash_Disinfector.exe in C:/Cleaning. The one on E was there but I just deleted it.

Actually when I went to see it in C:/Cleaning, Spyware Terminator shot up an alert message saying it had just blocked a threat, and when I looked at the details, it was that same file again, Flash_disinfector.exe in C:/Cleaning. My opening that folder seemed to activate it.

[Ried]

Hi billermo,

The Flash_Disinfector was a false detection. That is the tool I gave you a while back, to disinfect the flash drives.

The only entry of concern in the Panda results is this one. Please delete it:

C:\Torrents\WhiteSmoke 2008\WhiteSmoke_Enrichment.exe

Other than that, the logs are clean. How is the system behaving?

[billermo]

It's behaving fine.

OK, excellent, thanks for the quick reply.

I don't understand why Spyware Terminator popped up an alert message when I opened the C:/Cleaning folder, and why there is no Flash_disinfector.exe inside there when both ST and Panda report that it is there. Did ST delete it, do you think?

[Ried]

That's my thinking on it. It is not a hidden file, so one of your onboard tools must have deleted it.

Since all seems to be in order here, you can go ahead and uninstall ComboFix. Please do not skip this step as it will also implement some cleanup procedures. Additonally, it will reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

• Green to go
• Yellow for caution
• Red to stop

WOT has an addon available for both Firefox and IE.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

• It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

- Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

- Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.

• How did I get infected in the first place?
• PC Safety and Security--What Do I Need?

- Most importantly, Think Prevention

-----------------------------------------------------


**Kindly respond one more time and let me know if we may consider this thread resolved.

[billermo]

Hm, when I do that uninstall, I'm getting the message: Windows cannot find Combofix.exe

It is there -- I moved it into a folder named Virus 08-09-09. I tried to put it back on the desktop where it was before, but still get the same Windows message again even after doing that.

-------------------

OK I figured out the problem: when I downloaded Combofix, I ran it from a folder on my desktop named Virus only, but without the date. When I put that folder back on the desktop and named it the same as before, that worked -- it was able to uninstall.

Once again, thanks very much for your help!

[Ried]

Okay, good. I knew you'd figure it out.

It's been a pleasure, billermo. Take care.