viewtopic.php?f=12&p=252984
Following the same instructions given by Trogan in that post, I downloaded and ran ComboFix with similar success: blackbo.dll has been removed! I was wondering if you could analyze the ComboFix log to determine whether anything else should be removed through a subsequent run of the program?
Below is the HijackThis log from 3 days ago, followed by the ComboFix log from this evening.
Also, I have uninstalled the ComboFix program, but 1) the clock in the lower right corner of the screen is still on military time. Is it supposed to be? How do I get it back to normal? And 2) there is now something in Local Disk C called "kmd.exe" (Windows command processor). Is that supposed to be there?
Thank you in advance for your help/advice! OK, here are the logs. First, HijackThis from 3 days ago:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:31 PM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\My Documents\virus software\HiJackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {FC19EB43-1ACD-46DB-9261-B1E324BCEA7A} - C:\WINDOWS\system32\blackbo.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
--
End of file - 3758 bytes
Now, here is the Combo Fix log from tonight:
ComboFix 08-02.05.3 - user 2008-02-05 21:54:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.69 [GMT -5:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\blackbo.dll
C:\WINDOWS\system32\drivers\sjsfugff.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_KNFCOWJI
-------\knfcowji
((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.
2008-02-02 02:17 . 2008-02-02 02:17 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-02 02:17 . 2008-02-02 02:17 <DIR> d-------- C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
2008-02-02 02:17 . 2008-02-02 02:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-02 02:15 . 2008-02-02 02:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-02 01:57 . 2008-02-02 01:57 <DIR> d-------- C:\Program Files\CCleaner
2008-02-01 18:43 . 2008-02-01 18:43 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-02-01 18:43 . 2005-02-24 22:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-30 10:57 . 2008-01-30 10:57 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-29 17:08 . 2008-02-05 20:25 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-29 17:01 . 2008-02-05 20:11 <DIR> d-------- C:\Documents and Settings\user\Application Data\AVG7
2008-01-29 17:01 . 2008-01-29 17:01 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-29 17:00 . 2008-01-30 17:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-29 17:00 . 2008-01-29 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-14 07:58 . 2003-08-21 20:48 27,519 -ra------ C:\WINDOWS\system32\drivers\RTL8150.SYS
2008-01-08 22:48 . 2008-01-08 22:53 <DIR> d-------- C:\Documents and Settings\user\Application Data\U3
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-22 05:05 --------- d-----w C:\Program Files\Real
2007-12-22 05:05 --------- d-----w C:\Program Files\Common Files\xing shared
2007-12-22 05:04 --------- d-----w C:\Program Files\Common Files\Real
2007-12-22 05:03 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-12-22 05:03 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-12-19 03:47 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-19 02:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-12-19 02:52 --------- d-----w C:\Program Files\Yahoo!
2007-12-19 02:52 --------- d-----w C:\Documents and Settings\user\Application Data\Yahoo!
2007-12-19 00:13 --------- d-----w C:\Documents and Settings\user\Application Data\Corel
2007-12-19 00:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-19 00:09 --------- d-----w C:\Program Files\Common Files\Borland Shared
2007-12-19 00:08 --------- d-----w C:\Program Files\WordPerfect Office 12
2007-12-19 00:08 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-19 00:07 --------- d-----w C:\Program Files\Common Files\Corel
2007-11-15 19:39 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 04:06 1667584]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-01-16 09:43 1458176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 07:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 20:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"AtiPTA"="atiptaxx.exe" [2001-09-13 04:16 245760 C:\WINDOWS\system32\atiptaxx.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 22:51 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-22 00:03 185896]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-29 17:00 579072]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-29 17:00 219136]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fbaffa02-cf5c-11dc-9dd2-00e04c003d01}]
\Shell\AutoRun\command - F:\setupSNK.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 22:07:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
.
**************************************************************************
.
Completion time: 2008-02-05 22:09:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-06 03:09:29
.
2008-02-01 23:45:19 --- E O F ---