Please help - still have Vundu



jcutter
2008-05-29, 16:34
Please take a look and provide any help you can.

I followed some of the other threads and tried to clean up myself... and it seemed like most worked... - but there may still be something lingering. :oops:

The reason I feel like there is still a problem is because:

1) my licensed McAfee V8 won't run right even after a clean remove and reinstall. It runs, but dies. (So I have now installed AVG Free.)
2) my Windows Update won't download SP3, and it crashes when trying to install the authentication manager (I am authentic).
3) I still get an IE phishing filter when some pages load, though it's been turned off.

Here are my logs. I won't try any more self fixes until I hear from an expert.

HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14:41 PM, on 5/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\AT&T Global Network Client\netcfgsvr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cutter.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - Unknown owner - C:\WINDOWS\system32\bgsvcgen.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Unknown owner - C:\Program Files\Canon\CAL\CALMAIN.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: Network Configuration Service (netcfgsvr) - AT&T - C:\Program Files\AT&T Global Network Client\netcfgsvr.exe
O23 - Service: User Profile Hive Cleanup (UPHClean) - Unknown owner - C:\Program Files\UPHClean\uphclean.exe (file missing)
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 3482 bytes


ComboFix:
ComboFix 08-05-26.2 - Jeff Cutter 2008-05-29 23:26:04.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.525 [GMT -5:00]
Running from: C:\spyware cleanup\jc2.exe
.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.

2008-05-29 21:07 . 2008-05-29 22:51 22,216,704 --a------ C:\dump_dvd.vob
2008-05-28 21:40 . 2008-05-28 21:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-28 20:37 . 2008-05-28 20:42 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-28 20:31 . 2008-05-29 21:02 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-28 20:31 . 2008-05-28 20:31 <DIR> d-------- C:\Program Files\AVG
2008-05-28 20:31 . 2008-05-28 20:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-28 20:31 . 2008-05-28 20:31 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-28 20:31 . 2008-05-28 20:31 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-27 22:47 . 2008-05-28 20:29 <DIR> d-------- C:\spyware cleanup
2008-05-27 21:48 . 2008-05-27 21:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-27 19:59 . 2008-05-27 19:59 <DIR> d-------- C:\Documents and Settings\Jeff Cutter\Application Data\Malwarebytes
2008-05-27 19:58 . 2008-05-27 19:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-27 19:58 . 2008-05-27 19:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-27 19:58 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-27 19:58 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-27 01:26 . 2008-05-27 01:27 140,288 --a------ C:\vc.abc.exe
2008-05-27 00:44 . 2008-05-27 00:44 2,126 --a------ C:\WINDOWS\system32\wpa.dbl
2008-05-26 23:44 . 2008-05-29 21:07 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2008-05-26 21:02 . 2008-05-26 21:02 <DIR> d-------- C:\temp\vtmp2
2008-05-24 21:16 . 2008-05-29 21:05 <DIR> d-------- C:\temp
2008-05-24 20:25 . 2008-05-24 20:25 <DIR> d-------- C:\Program Files\dvd43
2008-05-24 20:25 . 2008-05-24 20:25 18,816 --a------ C:\WINDOWS\system32\drivers\dvd43llh.sys
2008-05-17 08:59 . 2008-05-17 08:59 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-05-17 08:58 . 2008-05-17 08:58 <DIR> d-------- C:\Program Files\Microsoft Office 2
2008-05-17 08:58 . 2008-05-17 08:58 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-05-17 08:49 . 2008-05-17 08:49 <DIR> d-------- C:\msfrontpage
2008-05-17 08:21 . 2008-05-17 08:21 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-05-12 19:46 . 2008-05-12 19:46 724,984 --a------ C:\Documents and Settings\Jeff Cutter\gotomypc_437.exe
2008-05-08 21:59 . 2008-05-08 21:59 90,177 --a------ C:\IMG_7497.jpg
2008-05-04 08:46 . 2008-05-07 20:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-05-04 06:26 . 2008-05-04 06:26 1,946 --a------ C:\jump.php
2008-05-03 12:28 . 2007-05-10 10:23 4,952,064 --a------ C:\WINDOWS\system32\stacgui.cpl
2008-05-03 12:28 . 2007-04-10 17:02 1,601,536 --a------ C:\WINDOWS\system32\stlang.dll
2008-05-03 12:28 . 2007-05-10 10:22 405,504 --a------ C:\WINDOWS\stsystra.exe
2008-05-03 12:28 . 2007-05-10 10:23 270,336 --a------ C:\WINDOWS\system32\stacapi.dll
2008-05-03 12:23 . 2004-07-20 11:14 192,512 --------- C:\WINDOWS\system32\Stac97co.dll
2008-04-26 08:30 . 2008-04-26 08:31 <DIR> d-------- C:\Program Files\Citi Virtual Account Numbers
2008-04-25 20:54 . 2008-04-25 20:52 15,559 --a------ C:\grill.jpg
2008-04-22 21:31 . 2008-05-29 21:08 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-22 21:04 . 2008-04-22 21:04 <DIR> d-------- C:\WINDOWS\system32\Dell
2008-04-22 20:49 . 2008-04-22 20:49 <DIR> d-------- C:\Program Files\PC-Diag
2008-04-22 20:38 . 2008-04-22 20:38 <DIR> d-------- C:\Program Files\Intel
2008-04-22 20:28 . 2008-04-22 20:28 <DIR> d-------- C:\Program Files\DIFX
2008-04-10 21:56 . 2008-04-10 21:56 262,144 --a------ C:\WINDOWS\system32\default_user_class.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 00:52 86,016 ----a-w C:\Documents and Settings\Jeff Cutter\IDHWTSS1.dll
2008-05-29 00:52 81,920 ----a-w C:\Documents and Settings\Jeff Cutter\hobjni.dll
2008-05-29 00:50 --------- d-----w C:\Documents and Settings\Jeff Cutter\Application Data\rlalog
2008-05-28 03:55 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-28 03:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-28 03:20 --------- d-----w C:\Program Files\Picasa2
2008-05-28 03:20 --------- d-----w C:\Program Files\BearShare
2008-05-28 03:19 --------- d-----w C:\Documents and Settings\Jeff Cutter\Application Data\OfficeUpdate12
2008-05-28 03:19 --------- d-----w C:\Documents and Settings\Jeff Cutter\Application Data\Move Networks
2008-05-28 03:17 --------- d-----w C:\Program Files\SlySoft
2008-05-28 02:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-27 05:14 --------- d-----w C:\Program Files\Java
2008-05-25 02:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-05-24 18:12 --------- d-----w C:\Program Files\LeapFTP
2008-05-17 14:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-17 13:58 --------- d-----w C:\Program Files\Microsoft Works
2008-05-08 01:02 --------- d-----w C:\Documents and Settings\Jeff Cutter\Application Data\ZoomBrowser EX
2008-05-04 13:47 --------- d-----w C:\Program Files\Canon.old
2008-04-24 00:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-01 02:23 --------- d-----w C:\Program Files\Cell Phone Manager.old
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-14 22:24 93,128 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll
2008-03-14 16:21 59,488 ----a-w C:\WINDOWS\system32\GenSvcInst.exe
2008-03-13 15:03 2,368 ----a-w C:\WINDOWS\system32\SVKP.sys
2008-03-08 03:21 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-03-01 23:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-26 11:59 294,912 ----a-w C:\WINDOWS\system32\msctf.dll
2008-02-26 11:59 294,912 ------w C:\WINDOWS\system32\dllcache\msctf.dll
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-11-29 01:33 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2007-11-29 01:33 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
2006-12-07 01:20 36,868 ----a-w C:\Documents and Settings\Jeff Cutter\PrtDLL.dll
2001-02-25 23:02 24,576 ----a-w C:\Program Files\PassUnleashHk.dll
2001-02-25 23:02 147,456 ----a-w C:\Program Files\PassUnleash.exe
.

((((((((((((((((((((((((((((( snapshot@2008-05-27_ 1.05.06.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2008-05-27 02:00:49 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-29 00:50:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-27 02:00:49 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-29 00:50:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-27 02:00:49 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-29 00:50:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-29 01:31:39 26,184 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2008-05-27 06:23:49 78,924 ----a-w C:\WINDOWS\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat
+ 2008-05-30 04:26:13 606,208 --sha-w C:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat
+ 2006-12-02 05:46:44 65,536 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-28 20:31 1177368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellAutomatedPCTuneUp]
C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"DellAMBrokerService"=3 (0x3)
"CCALib8"=2 (0x2)
"btwdins"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"winlogon"=C:\WINDOWS\winlogon.exe
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"SigmatelSysTrayApp"=%ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
"<NO NAME>"=
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"CitiVAN"=C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
"dvd43"=C:\Program Files\dvd43\dvd43_tray.exe
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
"Broadcom Wireless Manager UI"=C:\WINDOWS\system32\WLTRAY.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\rundisabled]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
"LVCOMSX"="C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"emMON"=emMON.exe
"PVR Agent"=C:\Program Files\KWorld Multimedia\PVR Plus\TVR\Scheduled.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SigmatelSysTrayApp"=%ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
"Host Process"=C:\WINDOWS\Fonts\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LeapFTP\\LeapFTP.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intelore\\Excel Password Recovery\\ExcelPasswordRecovery.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\BearShare\\BearShare.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\Program Files\\AT&T Global Network Client\\NetClient.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-28 20:31]
R2 agnwifi;AT&T Wi-Fi Support Driver;C:\WINDOWS\system32\DRIVERS\agnwifi.sys [2004-04-29 16:19]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-28 20:31]
R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2008-03-13 10:03]
R3 agnfilt;AGN Filter Interface;C:\WINDOWS\system32\DRIVERS\agnfilt.sys [2007-03-07 16:31]
S3 avpnnic;AGN Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\avpnnic.sys [2007-03-20 14:36]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-14 22:50]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2006-01-18 08:44]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2006-01-18 13:17]
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;C:\WINDOWS\system32\DRIVERS\KS-959.sys [2002-12-31 16:08]
S3 USB28xxBGA;USB 2861 Device;C:\WINDOWS\system32\DRIVERS\emBDA.sys [2006-04-25 03:34]
S3 USB28xxOEM;USB 28xx OEM Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys [2006-04-05 21:20]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-27 05:28:21 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-05-30 04:30:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{DD8F44F5-43A8-4F71-8951-9EE990586EDC}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 23:29:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-29 23:31:05
ComboFix-quarantined-files.txt 2008-05-30 04:31:01
ComboFix2.txt 2008-05-30 04:04:57
ComboFix3.txt 2008-05-28 02:45:01
ComboFix4.txt 2008-05-27 06:43:19
ComboFix5.txt 2008-05-27 06:05:56

Pre-Run: 31,790,997,504 bytes free
Post-Run: 31,774,789,632 bytes free

281 --- E O F --- 2008-05-30 04:06:55

pskelley
2008-05-30, 16:23
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Do NOT run 'FIXES' before helpers have analyzed HJT/KAV scans
http://forums.spybot.info/showthread.php?t=16806

jcutter, I can make no promises since the crime scene has been contaminated, but I will do all I can. combofix may have failed to help because of where it was run from: C:\spyware cleanup\jc2.exe
I will see what I can do if you will:

1) Read the directions posted above and pinned (sticky) to the top of this forum. I suggest you read them all, they are there for you.

2) Delete combofix completely from your computer.

3) Tell me why you think you have the infection you mentioned in your header.

4) C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <<< rename HJT.exe, call it jcutter.exe; that will work. The hackers hide their junk from HJT and we may be able to see it after a restart.

5) Run the online scan mentioned in the instructions:
Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here along with a new HijackThis log.

Thanks

jcutter
2008-05-31, 06:07
The reason I think I had virtumonde / vundu - I tried to install a downloaded program, and when I ran it I immediately noticed McAfee was killed and then a bunch of other files appeared. When running HJT I saw many DLLs that I couldn't verify, and that move-on-boot couldn't delete. Also, when rerunning and reinstalling McAfee the screens would come up but would be blank and would only have buttons that said "label" and didn't do anything.
Also, windows update wouldn't work.


I removed combofix as instructed.

I renamed and reran HJT.


New HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:02:03 PM, on 5/31/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AT&T Global Network Client\netcfgsvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\jcutter.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cutter.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - Unknown owner - C:\WINDOWS\system32\bgsvcgen.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Unknown owner - C:\Program Files\Canon\CAL\CALMAIN.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: Network Configuration Service (netcfgsvr) - AT&T - C:\Program Files\AT&T Global Network Client\netcfgsvr.exe
O23 - Service: User Profile Hive Cleanup (UPHClean) - Unknown owner - C:\Program Files\UPHClean\uphclean.exe (file missing)
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 3520 bytes




Kaspersky log:

KASPERSKY ONLINE SCANNER REPORT
Saturday, May 31, 2008 02:51:58 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 3 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/05/2008
Kaspersky Anti-Virus database records: 814870


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 143719
Number of viruses found 1
Number of infected objects 0
Number of suspicious objects 2
Duration of the scan process 01:54:47

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgsched.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgui.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwdsvc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-05302008-182500.log Object is locked skipped
C:\Documents and Settings\Jeff Cutter\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jeff Cutter\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Jeff Cutter\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{CFC209F5-2EBC-11DD-AD6F-0018F392D469}.dat Object is locked skipped
C:\Documents and Settings\Jeff Cutter\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{D9AF94B8-2EBC-11DD-AD6F-0018F392D469}.dat Object is locked skipped
C:\Documents and Settings\Jeff Cutter\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jeff Cutter\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jeff Cutter\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{19C495DA-DA2B-490E-AA66-D5BFC657CD1D} Object is locked skipped
C:\Documents and Settings\Jeff Cutter\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jeff Cutter\Local Settings\Temp\~DF3934.tmp Object is locked skipped
C:\Documents and Settings\Jeff Cutter\Local Settings\Temp\~DFC71F.tmp Object is locked skipped
C:\Documents and Settings\Jeff Cutter\My Documents\exchange\Outlook.pst/Personal Folders/Inbox/11 Dec 2006 23:04 from eBay:FPA NOTICE: Suspicious Activity -Sec.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Jeff Cutter\My Documents\exchange\Outlook.pst MailMSMaill: suspicious - 1 skipped
C:\Documents and Settings\Jeff Cutter\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jeff Cutter\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP459\A0065826.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP459\A0065828.dll Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP459\A0065830.dll Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP463\A0069380.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP463\A0069817.dll Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP463\A0069819.dll Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP463\A0069827.dll Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP482\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\MEMORY.DMP Object is locked skipped
C:\WINDOWS\SBA2BCB78.tmp Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

pskelley
2008-05-31, 13:53
Thanks for returning that information and your feedback.

I am not seeing a whole lot in these logs, here is what I do see, Kaspersky (KOS) first:

(I would delete this junk asap, and it may be only one email?)
C:\Documents and Settings\Jeff Cutter\My Documents\exchange\Outlook.pst/Personal Folders/Inbox/11 Dec 2006 23:04 from eBay:FPA NOTICE: Suspicious Activity -Sec.html <------Trojan-Spy.HTML.Fraud.gen
C:\Documents and Settings\Jeff Cutter\My Documents\exchange\Outlook.pst MailMSMaill: suspicious - 1
http://www.castlecops.com/t94343-Trojan_Spy_HTML_Fraud_gen_url_spoofer_and_Paypal_FYI.html
http://www.viruslist.com/en/viruses/encyclopedia?virusid=66363

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:02:03 PM, on 5/31/2008

(You have a small HJT list, you have not whitelisted items, have you?)

(I would uncheck that scan, no need to run a scan every time you start, just when one is needed or you wish to see a fresh scan, then do it manually)
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan

and there is nothing else? My suggestions:

1) McAfee issues: http://www.mcafee.com/us/support/
You would need to discuss McAfee issues with tech support. I recently dropped them and run the same version of AVG you are running.

2) I am personally holding off on SP3, but I see you have it installed. It is causing problems, more for some folks than others. Once the problems are worked out, then I will consider downloading it. Having said that, Microsoft has made free help available for folks with SP3 issues:
Help and Support Microsoft Windows XP Service Pack 3 (All Languages)
http://support.microsoft.com/oas/default.aspx?ln=en-us&prid=11273&gprid=522131

3) Let's have one more look for Vundo:

Download Malwarebytes' Anti-Malware to your desktop.
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file in your next reply.

Thanks...Phil
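Added example, not part of the thread: a small Python triage script that does mechanically what pskelley did by eye with the Kaspersky (KOS) report above, separating the long run of "Object is locked skipped" lines (hives, restore points, index.dat files that the scanner simply could not open) from the two lines that actually matter, the detection inside Outlook.pst and the "suspicious - 1" entry. The sample report is constructed in the format shown on the page; the "Infected: <name>" line format is an assumption about the scanner's output, since the page only shows the helper's arrow annotation, and the restore-point GUID is a placeholder.

```python
"""Triage a Kaspersky Online Scanner style report (added example)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Line shapes seen in the report above. The "Infected:" form is assumed.
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
SUSPICIOUS_RE = re.compile(r"^(?P<path>.+?) (?P<engine>\S+): suspicious - (?P<count>\d+)$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+)$")


@dataclass
class Finding:
    path: str                 # on-disk container, e.g. the .pst file
    member: Optional[str]     # item inside the mailbox/archive, if any
    verdict: str              # "infected" or "suspicious"
    detail: str               # malware name, or the suspicious count


@dataclass
class Triage:
    locked: Counter = field(default_factory=Counter)
    findings: List[Finding] = field(default_factory=list)
    unparsed: List[str] = field(default_factory=list)


def split_container(path: str):
    """A '/' never appears in a plain Windows path, so its first occurrence
    marks the boundary between a container (Outlook.pst) and the mail item
    inside it. That distinction matters: the fix is deleting the message,
    not the whole mailbox file."""
    if "/" in path:
        container, member = path.split("/", 1)
        return container, member
    return path, None


def locked_bucket(path: str) -> str:
    """Group locked objects by the usual reason they are locked, so the
    reader sees at a glance that they are noise rather than detections."""
    low = path.lower()
    if "\\system volume information\\" in low:
        return "restore point"
    if "\\system32\\config\\" in low or low.endswith(("ntuser.dat", "usrclass.dat")):
        return "registry hive"
    if low.endswith("index.dat"):
        return "IE index.dat"
    return "other locked"


def triage(report_text: str) -> Triage:
    """Classify every non-empty line of the report."""
    result = Triage()
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOCKED_RE.match(line)
        if m:
            result.locked[locked_bucket(m["path"])] += 1
            continue
        m = INFECTED_RE.match(line)
        if m:
            container, member = split_container(m["path"])
            result.findings.append(Finding(container, member, "infected", m["name"]))
            continue
        m = SUSPICIOUS_RE.match(line)
        if m:
            container, member = split_container(m["path"])
            result.findings.append(Finding(container, member, "suspicious", m["count"]))
            continue
        result.unparsed.append(line)   # e.g. "Scan process completed."
    return result


# Constructed sample in the page's format; GUID is a placeholder.
SAMPLE_REPORT = """\
C:\\Documents and Settings\\LocalService\\NTUSER.DAT Object is locked skipped
C:\\Documents and Settings\\LocalService\\Local Settings\\History\\History.IE5\\index.dat Object is locked skipped
C:\\System Volume Information\\_restore{PLACEHOLDER-GUID}\\RP459\\A0065826.exe Object is locked skipped
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
C:\\WINDOWS\\MEMORY.DMP Object is locked skipped
C:\\Documents and Settings\\User\\My Documents\\exchange\\Outlook.pst/Personal Folders/Inbox/FPA NOTICE.html Infected: Trojan-Spy.HTML.Fraud.gen
C:\\Documents and Settings\\User\\My Documents\\exchange\\Outlook.pst MailMSMail: suspicious - 1
Scan process completed.
"""

if __name__ == "__main__":
    t = triage(SAMPLE_REPORT)
    print("Locked (skipped) objects by kind:", dict(t.locked))
    for f in t.findings:
        where = f"{f.path} -> {f.member}" if f.member else f.path
        print(f"{f.verdict.upper():10} {f.detail:30} {where}")
```

Run it as a script to get a two-line list of actionable items underneath a count of the locked noise; point `triage()` at a real saved report instead of `SAMPLE_REPORT` to use it on your own log.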