Hey Dave, I appreciate your help. I ran ComboFix, and before doing so I would just like to let you know that I checked tavo.exe and kavo.exe after running a HijackThis scan and clicked "Fix checked". They were O4 items in my startup. Also, while this malware was still present on my computer, I logged into Gmail and eBay. Is it possible that it stole my passwords and personal information?
And finally, I have an idea of how I got this piece of malware. My professor at school said that when one of his students was loading his PowerPoint from his iPod onto his laptop, he thinks the malware copied itself onto his laptop and infected it. I plugged in my flash drive to load my PowerPoint after him, and I believe the infection spread to my flash drive, because when I scanned with Kaspersky with my flash drive attached to my computer, it removed f.exe, the malware, from my flash drive. How can I be sure that the malware doesn't infect my computer again, and other computers, when I plug my flash drive in?
Here is my ComboFix log:
ComboFix 08-04-01.2 - Harry 2008-04-01 18:09:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1719 [GMT -7:00]
Running from: C:\Documents and Settings\Harry\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
C:\WINDOWS\system32\kavo.exe
C:\WINDOWS\system32\kavo0.dll
C:\WINDOWS\system32\kavo1.dll
C:\WINDOWS\system32\tavo.exe
C:\WINDOWS\system32\tavo1.dll
.
((((((((((((((((((((((((( Files Created from 2008-03-02 to 2008-04-02 )))))))))))))))))))))))))))))))
.
2008-03-31 21:10 . 2008-03-31 21:10 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-03-31 21:10 . 2008-03-31 21:10 <DIR> d-------- C:\kav
2008-03-31 21:10 . 2008-04-01 18:13 1,516,064 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-31 21:10 . 2008-03-31 21:10 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-03-31 21:10 . 2008-03-31 21:10 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-03-31 21:10 . 2008-04-01 07:25 21,092 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-31 21:10 . 2008-04-01 18:13 3,104 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-03-31 21:10 . 2008-04-01 07:25 1,220 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-03-31 20:57 . 2008-03-31 20:57 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-31 20:57 . 2008-04-01 18:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-31 20:44 . 2008-03-31 20:43 118,703 -r-hs---- C:\rjiybg.exe
2008-03-31 20:43 . 2008-03-31 20:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-30 20:34 . 2008-03-30 20:34 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-29 10:05 . 2008-03-30 10:45 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-29 10:05 . 2008-03-29 10:05 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-17 17:24 . 2008-03-17 17:24 <DIR> d-------- C:\WINDOWS\Samsung
2008-03-17 17:24 . 2006-03-23 09:18 454,656 --a------ C:\WINDOWS\ssndii.exe
2008-03-17 17:24 . 2003-04-18 00:29 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2008-03-17 17:24 . 2000-08-03 09:52 21,776 --a------ C:\WINDOWS\system32\msxml2a.dll
2008-03-17 17:23 . 2008-03-17 17:23 <DIR> d-------- C:\WINDOWS\system32\drivers\Samsung
2008-03-17 17:23 . 2008-03-17 17:23 <DIR> d-------- C:\Program Files\Samsung
2008-03-17 17:23 . 2005-03-02 21:32 151,552 --a------ C:\WINDOWS\system32\SUGO3CI.exe
2008-03-17 17:23 . 2005-03-03 03:09 57,344 --a------ C:\WINDOWS\system32\SUGO3CI.dll
2008-03-17 17:23 . 2004-08-10 23:39 41,984 --------- C:\WINDOWS\system32\drivers\DGIVECP.SYS
2008-03-17 17:23 . 2006-01-01 23:42 22,663 --a------ C:\WINDOWS\system32\sugo3LMK.DLL
2008-03-17 17:23 . 2005-07-08 13:54 11,502 --------- C:\WINDOWS\Dr. Printer Icon.ico
2008-03-17 17:23 . 2005-12-13 00:03 555 --a------ C:\WINDOWS\system32\sugo3LMK.SMT
2008-03-17 17:19 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-03-17 17:19 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-01 04:29 --------- d-----w C:\Documents and Settings\Harry\Application Data\U3
2008-04-01 03:35 --------- d-----w C:\Program Files\Steam
2008-03-18 00:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-17 03:10 --------- d-----w C:\Program Files\mIRC
2008-03-08 18:41 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-08 18:41 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-02-11 22:42 --------- d-----w C:\Program Files\myFairTunes
2008-02-10 22:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-09 01:37 219,664 ----a-w C:\WINDOWS\system32\klogon.dll
2008-02-09 01:35 23,604 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2008-02-06 01:02 --------- d-----w C:\Program Files\Ventrilo
2008-02-06 01:01 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 13:26 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07 8491008]
"Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe" [2006-02-14 02:32 507904]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15 1634304]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-03-12 13:49 153136 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kava]
C:\WINDOWS\system32\kavo.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2007-09-21 04:10 55824 C:\WINDOWS\KHALMNPR.Exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-09 18:53 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-09-17 01:07 8491008 C:\WINDOWS\system32\NvCpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-09-17 01:07 81920 C:\WINDOWS\system32\NvMcTray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
--a------ 2004-06-03 21:51 131072 C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-09-17 01:07 1626112 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2007-01-23 11:19 223232 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 11:56 286720 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung PanelMgr]
--a------ 2006-02-14 02:32 507904 C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tava]
C:\WINDOWS\system32\tavo.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Steam\\steamapps\\n0odl3b0wl\\counter-strike\\hl.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25606:TCP"= 25606:TCP:BitComet 25606 TCP
"25606:UDP"= 25606:UDP:BitComet 25606 UDP
"54165:TCP"= 54165:TCP:BitComet 54165 TCP
"54165:UDP"= 54165:UDP:BitComet 54165 UDP
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 SM_sugo3_FUService;sugo3 Status Monitor Service;"C:\Program Files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc /Service []
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-03-28 03:21:23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-04-01 18:13:17
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\SM_sugo3_FUService]
"ImagePath"="\"C:\Program Files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc /Service"
.
Completion time: 2008-04-01 18:14:28
ComboFix-quarantined-files.txt 2008-04-02 01:14:25
Pre-Run: 290,202,202,112 bytes free
Post-Run: 290,193,952,768 bytes free
Here is my HijackThis log after running ComboFix:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:42:18 PM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.19.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -
http://www.kaspersky...can_unicode.cab
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) -
http://www.in.honda....AX/RraainAX.CAB
O16 - DPF: {48989C74-D5FC-4F17-BA40-3D825C716836} (clMultiDownLoader Control) -
http://mgn.musicgian...ndownloader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://www.update.mi...b?1194715911671
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) -
http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -
http://zone.msn.com/...ploader_v10.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 5769 bytes
Edited by HumpATree123, 01 April 2008 - 07:42 PM.
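The flash-drive route described in the post and the C:\Autorun.inf that ComboFix deleted both hinge on what an autorun.inf tells Explorer to run when a drive is inserted or opened. As an added example (not the poster's code or any tool's), a small Python parser that pulls the launch targets out of an autorun.inf and flags those pointing at a bare executable in the drive root; the sample file is constructed, and only the name f.exe comes from the post.

```python
import re

# Constructed sample autorun.inf from a removable drive's root. f.exe is the name
# Kaspersky removed from the poster's flash drive; the other lines are illustrative.
SAMPLE_AUTORUN = """[AutoRun]
open=f.exe
shell\\Open\\Command=f.exe
shell\\explore\\command=f.exe
shellexecute=f.exe
shell=Open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""
EXEC_EXTS = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs")
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

def parse_autorun(text: str) -> dict:
    """First [autorun] section as a dict with lower-cased keys (INF keys are case-insensitive); comments and other sections are skipped."""
    entries: dict = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries.setdefault(key.strip().lower(), value.strip())  # first value wins
    return entries

def _program(value: str) -> str:
    """Program part of a command line: the quoted path, or the first token."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value.split() else ""

def launch_targets(entries: dict) -> list:
    """Programs the file can make Explorer run: open/shellexecute (the AutoPlay action)
    and every shell\\<verb>\\command, which also hooks the drive's context menu and double-click."""
    targets = {_program(v) for k, v in entries.items()
               if k in ("open", "shellexecute") or SHELL_CMD_RE.match(k)}
    return sorted(t for t in targets if t)

def flag_root_executables(text: str) -> list:
    """Launch targets that are bare executable names in the drive root; a vendor installer's autorun looks the same, so these are reported for inspection, not declared malicious."""
    return [t for t in launch_targets(parse_autorun(text))
            if "\\" not in t and ":" not in t and t.lower().endswith(EXEC_EXTS)]
```

Run it against the autorun.inf of any drive you are about to plug into another machine; an empty result from flag_root_executables means no root executable is wired to the drive's open or double-click action.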