
View Full Version : Virtumonde infection



strobo43
2008-09-12, 15:33
Hello,

I have run Spybot numerous times in Safe Mode on my desktop PC and continue to get same results. Unable to browse to spybot forums, so downloaded HJT on my laptop and via flash drive copy/pasted and ran HJT on desktop PC and have results below.

Please help. Thank you.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:21: VIRUS ALERT!, on 9/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Spare Backup\SpareBackup.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: (no name) - {9F342F63-3E27-4BB6-8A01-D7C2C6FEB055} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Spare Backup] "C:\Program Files\Spare Backup\SpareBackup.exe" /silent
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [d0db61e9] rundll32.exe "C:\WINDOWS\system32\wsynmpxe.dll",b
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://forums.spybot.info
O15 - Trusted Zone: http://www.spybot.info
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1215875512828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215876703187
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll pbubrt.dll
O21 - SSODL: mgxfebsq - {030E5389-42C7-4244-B515-4C7C0FD6DE96} - (no file)
O21 - SSODL: dtseqrxk - {0F094C4A-F86E-40D5-B3B7-FE85A267CD5D} - (no file)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 5496 bytes

pskelley
2008-09-13, 21:54
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.


so downloaded HJT on my laptop and via flash drive
Are you positive the flash drive is not infected? For some reason folks seem to think you can stick it anywhere and not get infected?
Pen drive/USB stick
http://www.scribd.com/doc/231100/Reformatting-a-USB-Drive


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Thanks

strobo43
2008-09-15, 15:08
The flash drive was never used on the infected PC. Nonetheless I reformatted my flash drive before uploading the downloaded files from the laptop to the PC.

Then the flash drive was scanned each time with AVG and Spybot S&D before opened on each machine. The laptop has been rescanned to ensure non-infection.

FYI - Before I realized the need to install the recovery console, I did a false start of Combo Fix......

Your time, patience and efforts are fully appreciated!

Combofix and HJT logs below:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ComboFix 08-09-13.05 - Owner 2008-09-15 8:27:03.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\PCHealthCenter\2.gif
C:\Program Files\PCHealthCenter\3.gif
C:\Program Files\PCHealthCenter\sc.html
C:\WINDOWS\erkn.exe
C:\WINDOWS\system32\expmnysw.ini
C:\WINDOWS\system32\jkkIxyYR.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pbubrt.dll
C:\WINDOWS\system32\RYyxIkkj.ini
C:\WINDOWS\system32\RYyxIkkj.ini2
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssl.dll
C:\WINDOWS\system32\tdsslog.dll
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdsspopup.dll
C:\WINDOWS\system32\tdsspopup1.url
C:\WINDOWS\system32\tdsspopup2.url
C:\WINDOWS\system32\tdsspopup3.url
C:\WINDOWS\system32\tdssservers.dat
C:\WINDOWS\system32\xnwpueol.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-08-15 to 2008-09-15 )))))))))))))))))))))))))))))))
.

2008-09-12 08:21 . 2008-09-12 08:21 <DIR> d-------- C:\Program Files\Safer Networking
2008-09-12 07:55 . 2008-09-12 07:55 103,552 --a------ C:\WINDOWS\system32\wsynmpxe.dll
2008-09-11 18:21 . 2008-09-11 18:21 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-09-10 18:14 . 2006-07-01 01:30 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-BC185A12A1\WINDOWS
2008-09-10 18:14 . 2007-11-10 00:13 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-BC185A12A1\Application Data\Symantec
2008-09-10 18:14 . 2007-11-20 18:50 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-BC185A12A1\Application Data\Spare Backup
2008-09-10 18:14 . 2007-11-10 00:11 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-BC185A12A1\Application Data\SampleView
2008-09-10 18:14 . 2008-09-10 18:14 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-BC185A12A1
2008-09-10 10:14 . 2008-09-11 09:43 351 --a------ C:\WINDOWS\wininit.ini
2008-09-10 08:44 . 2008-09-15 08:29 <DIR> d-------- C:\Program Files\PCHealthCenter
2008-09-10 08:43 . 2008-09-14 13:17 <DIR> d--h----- C:\$AVG8.VAULT$
2008-09-10 08:43 . 2008-09-10 03:20 364,544 --a------ C:\WINDOWS\vmgspntbter.dll
2008-09-10 08:43 . 2008-09-10 08:43 88,878 --a------ C:\WINDOWS\system32\casino3.ico
2008-09-10 08:43 . 2008-09-10 08:43 88,878 --a------ C:\WINDOWS\system32\casino2.ico
2008-09-10 08:43 . 2008-09-10 08:43 88,878 --a------ C:\WINDOWS\system32\casino1.ico
2008-09-06 15:05 . 2008-09-06 15:18 24,277 --ah----- C:\WINDOWS\system32\LMPDP.GID
2008-09-06 14:41 . 2008-09-12 07:55 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-09-06 14:41 . 2008-09-06 14:41 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-09-06 14:41 . 2008-09-06 14:41 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-09-06 14:41 . 2008-09-06 14:41 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-09-06 14:34 . 2008-09-10 08:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-09-02 14:45 . 2008-09-02 14:45 <DIR> d-------- C:\Program Files\Glary Utilities
2008-09-02 13:03 . 2008-09-02 13:03 <DIR> d-------- C:\Program Files\QuickTime
2008-09-02 13:03 . 2008-09-02 13:03 <DIR> d-------- C:\Program Files\Apple Software Update
2008-09-02 13:03 . 2008-09-02 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-09-02 13:03 . 2008-09-02 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-08-15 12:30 . 2008-04-11 15:04 691,712 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-15 12:30 . 2008-05-01 10:33 331,776 --a--c--- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-15 12:10 --------- d-----w C:\Documents and Settings\Owner\Application Data\Spare Backup
2008-09-11 22:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-10 21:33 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-06 19:26 3,932 ----a-w C:\Documents and Settings\Owner\Application Data\LMLayout.dat
2008-09-06 19:26 268 ----a-w C:\Documents and Settings\Owner\Application Data\LMCPaper.dat
2008-09-02 18:03 --------- d-----w C:\Program Files\SpywareBlaster
2008-07-19 19:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-19 19:31 --------- d-----w C:\Program Files\Lexmark X125
2007-11-10 04:36 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-31 7634944]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-06 1235736]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-31 86016]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Spare Backup"="C:\Program Files\Spare Backup\SpareBackup.exe" [2007-07-13 5252936]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2005-02-25 966656]
"d0db61e9"="C:\WINDOWS\system32\wsynmpxe.dll" [2008-09-12 103552]
"nwiz"="nwiz.exe" [2006-10-31 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-27 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-08-03 C:\WINDOWS\SkyTel.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll pbubrt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 nvgts;nvgts;C:\WINDOWS\system32\DRIVERS\NVGTS.SYS [2007-08-08 102400]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-06 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-06 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-06 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-09-06 76040]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;C:\WINDOWS\system32\DRIVERS\el575nd5.sys [2001-08-17 69692]
S3 GameConsoleService;GameConsoleService;C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe [2007-08-29 181800]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1293b619-cd08-11dc-b202-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5229887d-8f3f-11dc-8e1c-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{524b0a3a-dde2-4879-9b35-84ae5a83046b} - C:\WINDOWS\system32\pbubrt.dll
BHO-{6AFB6F98-289C-442E-B577-5E5125C742E2} - C:\WINDOWS\system32\nnnnMddc.dll
BHO-{E1C090D8-F380-425F-9609-A33E15D5FDA8} - C:\WINDOWS\system32\jkkIxyYR.dll
Toolbar-{9F342F63-3E27-4BB6-8A01-D7C2C6FEB055} - (no file)
ShellExecuteHooks-{6AFB6F98-289C-442E-B577-5E5125C742E2} - C:\WINDOWS\system32\nnnnMddc.dll
SSODL-mgxfebsq-{030E5389-42C7-4244-B515-4C7C0FD6DE96} - (no file)
SSODL-dtseqrxk-{0F094C4A-F86E-40D5-B3B7-FE85A267CD5D} - (no file)
Notify-nnnnMddc - nnnnMddc.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R1 -: HKCU-Internet Settings,ProxyOverride = <local>
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-15 08:30:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-09-15 8:33:17 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-09-15 12:33:13

Pre-Run: 144,474,144,768 bytes free
Post-Run: 144,404,291,584 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

167 --- E O F --- 2008-09-11 22:21:39
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:40, on 9/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Spare Backup\SpareBackup.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Spare Backup] "C:\Program Files\Spare Backup\SpareBackup.exe" /silent
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [d0db61e9] rundll32.exe "C:\WINDOWS\system32\wsynmpxe.dll",b
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O15 - Trusted Zone: http://forums.spybot.info
O15 - Trusted Zone: http://www.spybot.info
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1215875512828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215876703187
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll pbubrt.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 4997 bytes

pskelley
2008-09-15, 15:54
Thanks for returning your information and the feedback. Read and follow the directions carefully and in the numbered order.

1) HJT is unsafely located, follow these directions to correct that:
Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log. <<< close HJT until we need it later.

2) C:\Program Files\Java\jre1.6.0_01\ <<< Java is out of date, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

4) Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\wsynmpxe.dll
C:\WINDOWS\vmgspntbter.dll
C:\WINDOWS\system32\casino3.ico
C:\WINDOWS\system32\casino2.ico
C:\WINDOWS\system32\casino1.ico
C:\WINDOWS\system32\LMPDP.GID

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
"AppInit_DLLs"="avgrsstx.dll"

Folder::
C:\Program Files\PCHealthCenter

Save this as CFScript

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [d0db61e9] rundll32.exe "C:\WINDOWS\system32\wsynmpxe.dll",b

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

7) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.

How is the computer running now?

Thanks
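As an added example, not code from this thread or from HijackThis, ComboFix or any other tool named here, the following Python script applies the same judgement pskelley used in steps 4 and 5 to HijackThis log lines copied from the logs above (random hex Run name, rundll32 loading an unknown system32 DLL, an unrecognised AppInit_DLLs entry, orphaned "(no file)" load points) and renders the matching CFScript. The allowlists of known-good DLLs are an assumption built only from the vendor entries visible in these logs.

```python
"""Triage HijackThis log lines for the load points seen in this thread (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis logs posted earlier in this thread.
SAMPLE_HJT_LOG = r"""
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [d0db61e9] rundll32.exe "C:\WINDOWS\system32\wsynmpxe.dll",b
O20 - AppInit_DLLs: avgrsstx.dll pbubrt.dll
O21 - SSODL: mgxfebsq - {030E5389-42C7-4244-B515-4C7C0FD6DE96} - (no file)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Assumed allowlists, built only from the legitimate vendor entries visible in this thread's logs.
KNOWN_APPINIT_DLLS = {"avgrsstx.dll"}                 # AVG resident shield; the helper kept it
KNOWN_RUNDLL_TARGETS = {"nvcpl.dll", "nvmctray.dll"}  # NVIDIA tray/control-panel loaders

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
RUNDLL_DLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<path>[^",]+\.dll)', re.IGNORECASE)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")  # the Run value "d0db61e9" is pure hex, not a product name


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str
    line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list[Finding]:
    """Flag autostart/load-point entries that match the patterns removed in this thread."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        tag = line.split(" ", 1)[0]
        if tag == "O4":
            m = O4_RE.match(line)
            if not m:
                continue
            if HEX_NAME_RE.match(m["name"]):
                findings.append(Finding(tag, f"Run value named with random hex: {m['name']}", line))
            dll = RUNDLL_DLL_RE.search(m["cmd"])
            if dll and basename(dll["path"]) not in KNOWN_RUNDLL_TARGETS:
                findings.append(Finding(tag, f"rundll32 loads unrecognised DLL: {basename(dll['path'])}", line))
        elif tag == "O20" and "AppInit_DLLs:" in line:
            # Every DLL listed here is injected into each process that loads user32.dll,
            # so anything outside the allowlist deserves a look.
            for dll in line.split("AppInit_DLLs:", 1)[1].split():
                if dll.lower() not in KNOWN_APPINIT_DLLS:
                    findings.append(Finding(tag, f"unrecognised AppInit_DLLs entry: {dll}", line))
        elif tag in {"O2", "O3", "O21"} and line.endswith("(no file)"):
            # Orphaned registration: the backing file is gone (often already quarantined).
            findings.append(Finding(tag, "load point whose file is missing (orphan)", line))
    return findings


def build_cfscript(files, appinit_keep, folders) -> str:
    """Render a ComboFix CFScript in the File::/Registry::/Folder:: layout used above."""
    appinit_value = " ".join(appinit_keep)
    lines = ["File::", *files, "", "Registry::",
             r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]",
             '"AppInit_DLLs"=-',                      # delete the value ...
             f'"AppInit_DLLs"="{appinit_value}"',     # ... then recreate it with only the trusted DLLs
             "", "Folder::", *folders]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(build_cfscript([r"C:\WINDOWS\system32\wsynmpxe.dll"], ["avgrsstx.dll"],
                         [r"C:\Program Files\PCHealthCenter"]))
```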

strobo43
2008-09-16, 01:47
Hello pskelly,

I followed all your procedures as best I could by transferring the files from my laptop to the infected PC as I did not have a DSL connection at first.

Combofix did not work at first with the script, so I did a restart and things kicked in. Java removed and updated. Ran ATF aok.

After the initial mbam scan and removals, my PC was almost back to normal and DSL worked. (update did not work without internet working at this point)

Then AVG popped up and put this in its Virus Vault:
Trojan horse Dropper.Bravix.A in C:\System Volume Information\_restore{39C...}... .dll

I then decided to turn off System Restore and updated/reran mbam and it found 3 more to remove. After a restart and DSL login, I am typing this to you online on the hopefully "formerly infected" PC!! (System restore is still off till you tell me what to do next ...)

I posted both logs below with the CFScript and a final HJT log you requested.

I hope I did not overstep my bounds on the extras and you can still continue to help me .....

Thanks for getting me this far!!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ComboFix 08-09-13.05 - Owner 2008-09-15 11:53:38.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.501 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\PCHealthCenter

.
((((((((((((((((((((((((( Files Created from 2008-08-15 to 2008-09-15 )))))))))))))))))))))))))))))))
.

2008-09-15 11:29 . 2008-09-15 11:29 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-15 11:29 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-15 11:25 . 2008-09-15 11:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-15 08:31 . 2008-09-15 11:54 474 ---hs---- C:\WINDOWS\system32\expmnysw.ini
2008-09-12 08:21 . 2008-09-12 08:21 <DIR> d-------- C:\Program Files\Safer Networking
2008-09-12 07:55 . 2008-09-12 07:55 103,552 --a------ C:\WINDOWS\system32\wsynmpxe.dll
2008-09-11 18:21 . 2008-09-11 18:21 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-09-10 18:14 . 2006-07-01 01:30 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-BC185A12A1\WINDOWS
2008-09-10 18:14 . 2007-11-10 00:13 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-BC185A12A1\Application Data\Symantec
2008-09-10 18:14 . 2007-11-20 18:50 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-BC185A12A1\Application Data\Spare Backup
2008-09-10 18:14 . 2007-11-10 00:11 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-BC185A12A1\Application Data\SampleView
2008-09-10 18:14 . 2008-09-10 18:14 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-BC185A12A1
2008-09-10 10:14 . 2008-09-11 09:43 351 --a------ C:\WINDOWS\wininit.ini
2008-09-10 08:43 . 2008-09-14 13:17 <DIR> d--h----- C:\$AVG8.VAULT$
2008-09-10 08:43 . 2008-09-10 03:20 364,544 --a------ C:\WINDOWS\vmgspntbter.dll
2008-09-10 08:43 . 2008-09-10 08:43 88,878 --a------ C:\WINDOWS\system32\casino3.ico
2008-09-10 08:43 . 2008-09-10 08:43 88,878 --a------ C:\WINDOWS\system32\casino2.ico
2008-09-10 08:43 . 2008-09-10 08:43 88,878 --a------ C:\WINDOWS\system32\casino1.ico
2008-09-06 15:05 . 2008-09-06 15:18 24,277 --ah----- C:\WINDOWS\system32\LMPDP.GID
2008-09-06 14:41 . 2008-09-12 07:55 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-09-06 14:41 . 2008-09-06 14:41 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-09-06 14:41 . 2008-09-06 14:41 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-09-06 14:41 . 2008-09-06 14:41 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-09-06 14:34 . 2008-09-10 08:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-09-02 14:45 . 2008-09-02 14:45 <DIR> d-------- C:\Program Files\Glary Utilities
2008-09-02 13:03 . 2008-09-02 13:03 <DIR> d-------- C:\Program Files\QuickTime
2008-09-02 13:03 . 2008-09-02 13:03 <DIR> d-------- C:\Program Files\Apple Software Update
2008-09-02 13:03 . 2008-09-02 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-09-02 13:03 . 2008-09-02 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-08-15 12:30 . 2008-04-11 15:04 691,712 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-15 12:30 . 2008-05-01 10:33 331,776 --a--c--- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-15 15:53 --------- d-----w C:\Documents and Settings\Owner\Application Data\Spare Backup
2008-09-15 15:29 --------- d-----w C:\Program Files\Java
2008-09-11 22:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-10 21:33 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-06 19:26 3,932 ----a-w C:\Documents and Settings\Owner\Application Data\LMLayout.dat
2008-09-06 19:26 268 ----a-w C:\Documents and Settings\Owner\Application Data\LMCPaper.dat
2008-09-02 18:03 --------- d-----w C:\Program Files\SpywareBlaster
2008-07-19 19:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-19 19:31 --------- d-----w C:\Program Files\Lexmark X125
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 22:12 295,936 ----a-w C:\WINDOWS\system32\wmpeffects.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2007-11-10 04:36 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-09-15_ 8.32.50.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-03-14 08:31:24 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 05:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-03-14 08:31:28 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 05:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-03-14 10:04:46 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 06:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-31 7634944]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-06 1235736]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-31 86016]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Spare Backup"="C:\Program Files\Spare Backup\SpareBackup.exe" [2007-07-13 5252936]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2005-02-25 966656]
"d0db61e9"="C:\WINDOWS\system32\wsynmpxe.dll" [2008-09-12 103552]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"nwiz"="nwiz.exe" [2006-10-31 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-27 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-08-03 C:\WINDOWS\SkyTel.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll pbubrt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 nvgts;nvgts;C:\WINDOWS\system32\DRIVERS\NVGTS.SYS [2007-08-08 102400]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-06 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-06 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-06 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-09-06 76040]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;C:\WINDOWS\system32\DRIVERS\el575nd5.sys [2001-08-17 69692]
S3 GameConsoleService;GameConsoleService;C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe [2007-08-29 181800]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1293b619-cd08-11dc-b202-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5229887d-8f3f-11dc-8e1c-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R1 -: HKCU-Internet Settings,ProxyOverride = <local>
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-15 11:55:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-15 11:56:09
ComboFix-quarantined-files.txt 2008-09-15 15:56:06
ComboFix2.txt 2008-09-15 12:33:21

Pre-Run: 144,316,653,568 bytes free
Post-Run: 144,303,157,248 bytes free

148 --- E O F --- 2008-09-11 22:21:39
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MBAM2
Malwarebytes' Anti-Malware 1.28
Database version: 1155
Windows 5.1.2600 Service Pack 3

9/15/2008 1:45:46 PM
mbam-log-2008-09-15 (13-45-46).txt

Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 100561
Time elapsed: 18 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\casino1.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\casino2.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\casino3.ico (Malware.Trace) -> Quarantined and deleted successfully.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:38, on 9/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Spare Backup\SpareBackup.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Spare Backup] "C:\Program Files\Spare Backup\SpareBackup.exe" /silent
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O15 - Trusted Zone: http://forums.spybot.info
O15 - Trusted Zone: http://www.spybot.info
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1215875512828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215876703187
O17 - HKLM\System\CCS\Services\Tcpip\..\{C52E7B9D-9B54-4C8A-A552-1BF1382AE4AF}: NameServer = 68.94.156.1 68.94.157.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 4984 bytes
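The 'Files Created' section of the ComboFix log above is where the drop times live, and the three files MBAM quarantined (casino1.ico, casino2.ico, casino3.ico) share a creation minute with other entries. The following Python script is an added example for this thread, not code from ComboFix, MBAM or the original posters: it parses that listing (the sample lines are copied from the log above), pivots on a file already known to be bad to list what was created within a few minutes of it, lists files carrying both the hidden and system attributes, and lists files whose last-write time predates their creation time. The five-minute window, the choice of casino1.ico as pivot and the reading of the attribute column are this example's own assumptions.

```python
import re
from datetime import datetime, timedelta

# Copied from the 'Files Created from 2008-08-15 to 2008-09-15' section of the ComboFix log
# posted above; lines not needed for the demonstration are left out.
SAMPLE = r"""
2008-09-15 11:29 . 2008-09-15 11:29 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-15 08:31 . 2008-09-15 11:54 474 ---hs---- C:\WINDOWS\system32\expmnysw.ini
2008-09-12 08:21 . 2008-09-12 08:21 <DIR> d-------- C:\Program Files\Safer Networking
2008-09-12 07:55 . 2008-09-12 07:55 103,552 --a------ C:\WINDOWS\system32\wsynmpxe.dll
2008-09-11 18:21 . 2008-09-11 18:21 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-09-10 08:43 . 2008-09-14 13:17 <DIR> d--h----- C:\$AVG8.VAULT$
2008-09-10 08:43 . 2008-09-10 03:20 364,544 --a------ C:\WINDOWS\vmgspntbter.dll
2008-09-10 08:43 . 2008-09-10 08:43 88,878 --a------ C:\WINDOWS\system32\casino3.ico
2008-09-10 08:43 . 2008-09-10 08:43 88,878 --a------ C:\WINDOWS\system32\casino2.ico
2008-09-10 08:43 . 2008-09-10 08:43 88,878 --a------ C:\WINDOWS\system32\casino1.ico
2008-09-06 15:05 . 2008-09-06 15:18 24,277 --ah----- C:\WINDOWS\system32\LMPDP.GID
2008-09-06 14:41 . 2008-09-06 14:41 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
"""

# Each line: <created> . <last written> <size or <DIR>> <attribute flags> <path>.
# Assumption about the flag column: d marks a directory, a archive, h hidden, s system.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(<DIR>|[\d,]+) (\S{9}) (.+)$"
)


def parse_entries(text):
    """Parse the listing into dicts; lines that are not file entries are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        created, written, size, flags, path = m.groups()
        entries.append({
            "created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
            "written": datetime.strptime(written, "%Y-%m-%d %H:%M"),
            "is_dir": size == "<DIR>",
            "size": None if size == "<DIR>" else int(size.replace(",", "")),
            "hidden": "h" in flags,
            "system": "s" in flags,
            "path": path,
        })
    return entries


def created_with(entries, pivot_path, window=timedelta(minutes=5)):
    """Paths created within `window` of a known-bad pivot file (the pivot itself excluded)."""
    pivots = [e for e in entries if e["path"].lower() == pivot_path.lower()]
    if not pivots:
        raise ValueError(f"pivot not in listing: {pivot_path}")
    t0 = pivots[0]["created"]
    return sorted(e["path"] for e in entries
                  if e is not pivots[0] and abs(e["created"] - t0) <= window)


def hidden_system_files(entries):
    """Files (not directories) carrying both the hidden and system attributes."""
    return sorted(e["path"] for e in entries
                  if not e["is_dir"] and e["hidden"] and e["system"])


def written_before_created(entries):
    """Files whose last-write time predates their creation time, i.e. copied in with the
    source file's timestamp preserved rather than written in place. Weak on its own."""
    return sorted(e["path"] for e in entries
                  if not e["is_dir"] and e["written"] < e["created"])


if __name__ == "__main__":
    entries = parse_entries(SAMPLE)
    print("created alongside casino1.ico:", created_with(entries, r"C:\WINDOWS\system32\casino1.ico"))
    print("hidden+system files:", hidden_system_files(entries))
    print("written before created:", written_before_created(entries))
```

Run stand-alone, it prints the cluster around casino1.ico (casino2.ico, casino3.ico, vmgspntbter.dll and the $AVG8.VAULT$ folder, all created at 2008-09-10 08:43), expmnysw.ini as the only hidden+system file, and vmgspntbter.dll as the only file written before it was created. In the 2008-09-16 ComboFix log later in the thread, neither vmgspntbter.dll, expmnysw.ini nor wsynmpxe.dll is listed any more. The last check is a tiebreaker rather than evidence by itself: installers preserve source timestamps too (javacpl.cpl in the same log shows the same pattern).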

pskelley
2008-09-16, 03:20
Thanks for returning your information and the feedback. Let me mention this first: C:\System Volume Information\_restore <<< these are protected System Restore files; programs may try to remove them and your AV may see them, but Windows protects those and there is only one way to clean them, which we will do soon.

CFScript did not work; please follow those directions again. They must be followed exactly as posted.
Start here:
4) Open notepad and copy/paste the text in the codebox below into it:

This is what you posted:
ComboFix 08-09-13.05 - Owner 2008-09-15 11:53:38.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.501 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

When you execute CFScript as described in the instructions, the log will look like this:

Command switches used :: C:\Documents and Settings\Peter\Desktop\CFScript.txt

Post the correct log from CFscript when you finish.

strobo43
2008-09-16, 14:11
Ahh, now I understand how CFScript is supposed to work.
FYI - I allowed ComboFix to update ...
Thanks for your patience.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ComboFix 08-09-15.02 - Owner 2008-09-16 8:01:59.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\LMPDP.GID

.
((((((((((((((((((((((((( Files Created from 2008-08-16 to 2008-09-16 )))))))))))))))))))))))))))))))
.

2008-09-16 08:01 . 2008-09-16 08:01 <DIR> d-------- C:\32788R22FWJFW
2008-09-15 12:04 . 2008-09-15 13:21 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-15 12:04 . 2008-09-15 12:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-09-15 12:04 . 2008-09-15 12:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-15 12:04 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-15 12:04 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-15 11:29 . 2008-09-15 11:29 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-15 11:29 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-15 11:25 . 2008-09-15 11:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-12 08:21 . 2008-09-12 08:21 <DIR> d-------- C:\Program Files\Safer Networking
2008-09-11 18:21 . 2008-09-11 18:21 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-09-10 18:14 . 2006-07-01 01:30 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-BC185A12A1\WINDOWS
2008-09-10 18:14 . 2007-11-10 00:13 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-BC185A12A1\Application Data\Symantec
2008-09-10 18:14 . 2007-11-20 18:50 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-BC185A12A1\Application Data\Spare Backup
2008-09-10 18:14 . 2007-11-10 00:11 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-BC185A12A1\Application Data\SampleView
2008-09-10 18:14 . 2008-09-10 18:14 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-BC185A12A1
2008-09-10 10:14 . 2008-09-11 09:43 351 --a------ C:\WINDOWS\wininit.ini
2008-09-10 08:43 . 2008-09-15 13:19 <DIR> d--h----- C:\$AVG8.VAULT$
2008-09-06 14:41 . 2008-09-16 07:52 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-09-06 14:41 . 2008-09-06 14:41 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-09-06 14:41 . 2008-09-06 14:41 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-09-06 14:41 . 2008-09-06 14:41 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-09-06 14:34 . 2008-09-10 08:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-09-02 14:45 . 2008-09-02 14:45 <DIR> d-------- C:\Program Files\Glary Utilities
2008-09-02 13:03 . 2008-09-02 13:03 <DIR> d-------- C:\Program Files\QuickTime
2008-09-02 13:03 . 2008-09-02 13:03 <DIR> d-------- C:\Program Files\Apple Software Update
2008-09-02 13:03 . 2008-09-02 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-09-02 13:03 . 2008-09-02 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-16 11:51 --------- d-----w C:\Documents and Settings\Owner\Application Data\Spare Backup
2008-09-15 15:29 --------- d-----w C:\Program Files\Java
2008-09-11 22:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-10 21:33 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-06 19:26 3,932 ----a-w C:\Documents and Settings\Owner\Application Data\LMLayout.dat
2008-09-06 19:26 268 ----a-w C:\Documents and Settings\Owner\Application Data\LMCPaper.dat
2008-09-02 18:03 --------- d-----w C:\Program Files\SpywareBlaster
2008-07-19 19:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-19 19:31 --------- d-----w C:\Program Files\Lexmark X125
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 22:12 295,936 ----a-w C:\WINDOWS\system32\wmpeffects.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2007-11-10 04:36 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-09-15_ 8.32.50.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-03-14 08:31:24 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 05:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-03-14 08:31:28 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 05:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-03-14 10:04:46 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 06:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-31 7634944]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-06 1235736]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-31 86016]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Spare Backup"="C:\Program Files\Spare Backup\SpareBackup.exe" [2007-07-13 5252936]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2005-02-25 966656]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"nwiz"="nwiz.exe" [2006-10-31 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-27 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-08-03 C:\WINDOWS\SkyTel.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 nvgts;nvgts;C:\WINDOWS\system32\DRIVERS\NVGTS.SYS [2007-08-08 102400]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-06 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-06 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-06 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-09-06 76040]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;C:\WINDOWS\system32\DRIVERS\el575nd5.sys [2001-08-17 69692]
S3 GameConsoleService;GameConsoleService;C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe [2007-08-29 181800]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1293b619-cd08-11dc-b202-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5229887d-8f3f-11dc-8e1c-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-16 08:03:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-16 8:04:18
ComboFix-quarantined-files.txt 2008-09-16 12:04:16
ComboFix2.txt 2008-09-15 15:56:10
ComboFix3.txt 2008-09-15 12:33:21

Pre-Run: 144,430,182,400 bytes free
Post-Run: 144,418,103,296 bytes free

141 --- E O F --- 2008-09-11 22:21:39
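
An added example, not part of this thread or of ComboFix, that parses the service/driver lines (`R0 name;description;path [date size]`) and the MountPoints2 AutoRun entries in the log format shown above, so the entries can be reviewed programmatically rather than by eye. The sample log is constructed from lines in the post plus one made-up service entry so the path check has something to flag; the list of trusted directories is an assumption for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the ComboFix log format shown in the post above.
# The fourth service line is a made-up entry so that unusual_paths() flags something.
SAMPLE_LOG = r"""
R0 nvgts;nvgts;C:\WINDOWS\system32\DRIVERS\NVGTS.SYS [2007-08-08 102400]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-06 875288]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;C:\WINDOWS\system32\DRIVERS\el575nd5.sys [2001-08-17 69692]
R2 example;Constructed entry;C:\Documents and Settings\Owner\Local Settings\Temp\helper.exe [2008-09-10 45056]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1293b619-cd08-11dc-b202-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
"""

SERVICE_RE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.+) \[(\d{4}-\d{2}-\d{2}) (\d+)\]\s*$")
MOUNT_RE = re.compile(r"^\[.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$", re.I)

# Assumed set of directories where drivers and services normally live on this XP box.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

@dataclass
class Service:
    running: bool      # ComboFix prefixes running services with R, stopped ones with S
    start_type: int    # the digit after R/S is the service start type
    name: str
    description: str
    path: str
    date: str
    size: int

def parse_services(log: str) -> list[Service]:
    """Extract every service/driver line into a Service record."""
    out = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            out.append(Service(m[1] == "R", int(m[2]), m[3], m[4], m[5], m[6], int(m[7])))
    return out

def parse_autoruns(log: str) -> dict[str, str]:
    """Map each MountPoints2 volume GUID to the AutoRun command recorded for it."""
    found, current = {}, None
    for line in log.splitlines():
        if m := MOUNT_RE.match(line):
            current = m[1]
        elif (m := AUTORUN_RE.match(line)) and current:
            found[current] = m[1]
    return found

def unusual_paths(services: list[Service]) -> list[str]:
    """Names of services whose binary lives outside the trusted directories."""
    return [s.name for s in services if not s.path.lower().startswith(TRUSTED_PREFIXES)]
```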

pskelley
2008-09-16, 14:54
Thanks, that looks much better. I see this:
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
http://www.bleepingcomputer.com/startups/Remind_XP.exe-4501.html
If you no longer need the reminder, you may use HJT to remove it.

This is optional, if you can use the information, great:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
How to Install Free version AVG 8.0 without LinkScanner feature
http://russelltexas.com/tutorials/avg8install.htm

If the computer is again running as it should be, then proceed like this.

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U; it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

To be sure, clean System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Run MBAM again to make sure we missed none of the junk; no need to post a clean scan result.

Update AVG 8 and scan the system to make sure it is running right and scanning clean. If all is well at that point, let me know and I will close your topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html

strobo43
2008-09-16, 16:04
Dear pskelley,

All new scans are clean.

You are definitely to be commended for this work you do.

Restoring my infected PC back to normal was painless and easy to do.

Your instructions were clear and you show grace and respect in and for your work.

I have read all the links and will use the knowledge provided to keep my PCs clean and safe.

I believe we are done.

Thanks again for all you do.