Hit with Virtumonde & Smitfraud - Help PLZ [Archive]

View Full Version : Hit with Virtumonde & Smitfraud - Help PLZ

sp33dy

2008-12-06, 01:35

Here's my hijackthis & combofix logs - Help....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:28:05, on 05/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\k9nt.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://pccheckup.dellfix.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202233270171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204580073953
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll fqnlzg.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: K9 Time Synchronization (K9) - H.C. Mingham-Smith Ltd. - C:\WINDOWS\system32\k9nt.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: wampapache - Apache Software Foundation - c:\sw_wamp\bin\apache\apache2.2.8\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\sw_wamp\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5670 bytes

ComboFix 08-12-05.02 - Administrator 2008-12-05 23:11:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1448 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\NI.GSCNS
c:\documents and settings\Administrator\Application Data\NI.GSCNS\dl.ini
c:\documents and settings\Administrator\Application Data\NI.GSCNS\settings.ini
c:\windows\system32\eupgskjv.dll
c:\windows\system32\fqnlzg.dll
c:\windows\system32\hmcinajc.dll
c:\windows\system32\mlJYoOFV.dll
c:\windows\system32\VFOoYJlm.ini
c:\windows\system32\VFOoYJlm.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF

((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-05 21:04 . 2008-12-05 23:21 528,416 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-05 21:04 . 2008-12-05 23:17 7,076 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-05 20:46 . 2008-07-09 09:05 75,248 --a------ c:\windows\zllsputility.exe
2008-12-05 20:45 . 2008-12-05 20:45 <DIR> d-------- c:\program files\Zone Labs
2008-12-05 20:45 . 2008-07-09 09:05 1,086,952 --a------ c:\windows\system32\zpeng24.dll
2008-12-05 20:45 . 2008-12-05 23:18 352,918 --a------ c:\windows\system32\vsconfig.xml
2008-12-05 20:27 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-12-05 20:27 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-12-05 20:27 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-12-05 20:27 . 2008-11-29 17:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-12-05 20:27 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-12-05 20:27 . 2008-11-29 17:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-12-05 20:27 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-12-05 20:27 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-12-05 20:27 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-12-05 20:27 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-12-03 23:18 . 2008-12-03 23:18 <DIR> d-------- C:\VundoFix Backups
2008-12-03 22:54 . 2008-12-05 22:18 2,672 --a------ c:\windows\system32\tmp.reg
2008-12-03 20:47 . 2008-12-05 20:49 4,212 --ah----- c:\windows\system32\zllictbl.dat
2008-12-03 20:24 . 2008-12-05 23:20 2,206 --a------ c:\windows\system32\wpa.dbl
2008-12-03 19:35 . 2008-12-03 20:18 317 --a------ c:\windows\wininit.ini
2008-12-03 16:45 . 2008-12-03 16:45 120 --ahs---- c:\windows\system32\vjksgpue.ini
2008-12-02 21:19 . 2008-12-02 23:08 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-02 21:19 . 2008-12-05 22:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-02 21:00 . 2008-12-05 22:54 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-16 21:29 . 2008-12-03 19:26 15,360 --ahs---- c:\windows\Thumbs.db
2008-11-13 15:03 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-13 15:02 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 20:02 . 2008-12-05 23:21 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-12 20:02 . 2008-11-12 20:02 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-12 20:02 . 2008-11-12 20:02 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-12 20:01 . 2008-11-12 20:01 <DIR> d-------- c:\program files\AVG
2008-11-12 20:01 . 2008-11-12 20:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-03 22:35 79,386 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_03_22_27_35_small.dmp.zip
2008-12-03 22:27 80,892 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_03_22_18_01_small.dmp.zip
2008-12-03 22:27 80,761 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_03_22_18_05_small.dmp.zip
2008-12-03 22:27 80,643 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_03_22_18_17_small.dmp.zip
2008-12-03 22:27 80,622 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_03_22_18_13_small.dmp.zip
2008-12-03 22:27 80,235 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_03_22_18_21_small.dmp.zip
2008-12-03 22:27 79,964 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_03_22_18_08_small.dmp.zip
2008-12-03 22:27 79,787 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_03_22_18_25_small.dmp.zip
2008-12-03 22:27 79,499 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_03_22_18_38_small.dmp.zip
2008-12-03 22:27 16,687,893 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_03_22_18_29_full.dmp.zip
2008-12-03 19:21 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-12 20:13 --------- d-----w c:\program files\FreeUndelete
2008-10-24 21:30 --------- d-----w c:\program files\Yawcam
2008-10-24 20:57 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2008-10-24 20:57 --------- d-----w c:\program files\Common Files\LogiShrd
2008-10-24 20:50 --------- d-----w c:\documents and settings\Administrator\Application Data\vlc
2008-10-24 20:46 --------- d-----w c:\program files\VideoLAN
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-21 16:15 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-12 09:29 --------- d-----w c:\documents and settings\All Users\Application Data\MSN6
2008-10-12 09:29 --------- d-----w c:\documents and settings\Administrator\Application Data\MSN6
2008-10-10 08:22 2,917,256 ----a-w c:\windows\Internet Logs\tvDebug.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2006-09-15 94208]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2006-09-15 77824]
"igfxpers"="c:\windows\System32\igfxpers.exe" [2006-09-15 118784]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-02-06 252704]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoShutDown"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll fqnlzg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-12 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-12 231704]
R2 K9;K9 Time Synchronization;c:\windows\system32\k9nt.exe [2008-02-05 73728]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\DRIVERS\gtipci21.sys [2008-02-05 88192]
S3 nipalusb;NI-PAL USB Driver;c:\windows\system32\DRIVERS\nipalusb.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-12-05 c:\windows\Tasks\Bginfo.job
- c:\windows\IP Viewer & Desktop Info\Bginfo.exe [2004-09-22 15:46]
.
- - - - ORPHANS REMOVED - - - -

BHO-{087B8D34-AC09-4BE4-B750-42F41DE4C385} - (no file)
BHO-{2F39DD44-B0A3-491A-B684-1A07D0DFCA81} - (no file)
BHO-{5B7197DD-D339-4D89-908C-50ADD41AB41E} - c:\windows\system32\mlJYoOFV.dll
BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
BHO-{a402d1c9-a449-4287-bb63-4b1db30170f2} - (no file)
BHO-{A5EAE89F-667C-4162-BB09-0D0E1FA80C4F} - (no file)
Notify-khfDtRJD - khfDtRJD.dll

.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8n0ch07m.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://uk.yahoo.com/
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 23:18:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-12-05 23:24:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-05 23:23:59

Pre-Run: 28,190,056,448 bytes free
Post-Run: 28,096,348,160 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

177 --- E O F --- 2008-11-13 15:28:48

Thanks
Speedy :-(

pskelley

2008-12-09, 00:25

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Posted above and pinned (sticky) to the top of this forum are the directions. If you read them you will see this:

Do NOT run 'FIXES' before helpers have analyzed the HJT log
http://forums.spybot.info/showthread.php?t=16806

ComboFix is not a general purpose cleaning tool, please do not use this tool without supervision

Follow the directions carefully and in the numbered order:

1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) http://downloads.subratam.org/ResetTeaTimer.bat <<< right click the link and choose "Save target as...
Download ResetTeaTimer.bat to the Desktop
Double click ResetTeaTimer.bat
to remove all entries set by TeaTimer (and preventing TeaTimer to restore them upon reactivation).

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

4) Open notepad and copy/paste the text in the codebox below into it:

File::
c:\windows\system32\vjksgpue.ini

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
"AppInit_DLLs"="avgrsstx.dll"

Folder::
C:\VundoFix Backups

Save this as CFScript

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O20 - AppInit_DLLs: avgrsstx.dll fqnlzg.dll <<< may be gone

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

7) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAB and a new HJT log.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

8) Post also an uninstall list:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

How is the computer running?

Thanks

sp33dy

2008-12-10, 02:44

ok, sorry about that....

here's the logs... thanks for your help with this.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:41:05, on 10/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\k9nt.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://pccheckup.dellfix.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202233270171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204580073953
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: khfDtRJD - C:\WINDOWS\
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: K9 Time Synchronization (K9) - H.C. Mingham-Smith Ltd. - C:\WINDOWS\system32\k9nt.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: wampapache - Apache Software Foundation - c:\sw_wamp\bin\apache\apache2.2.8\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\sw_wamp\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5894 bytes

Malwarebytes' Anti-Malware 1.31
Database version: 1479
Windows 5.1.2600 Service Pack 3

10/12/2008 00:39:00
mbam-log-2008-12-10 (00-39-00).txt

Scan type: Full Scan (C:\|)
Objects scanned: 144615
Time elapsed: 54 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\eupgskjv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fqnlzg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\mlJYoOFV.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3E44FEEC-AB6D-4C92-B48A-2D95A1881FB6}\RP211\A0032077.old (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3E44FEEC-AB6D-4C92-B48A-2D95A1881FB6}\RP213\A0032257.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3E44FEEC-AB6D-4C92-B48A-2D95A1881FB6}\RP214\A0032304.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3E44FEEC-AB6D-4C92-B48A-2D95A1881FB6}\RP214\A0032305.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3E44FEEC-AB6D-4C92-B48A-2D95A1881FB6}\RP214\A0032307.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Photoshop 6.0
Adobe Reader 8.1.2
Adobe SVG Viewer
AVG Free 8.0
Broadcom Gigabit Integrated Controller
CCleaner (remove only)
C-Major Audio
Conexant D110 MDC V.92 Modem
Dell Support 3.2.1
Dell Wireless WLAN Card
DivX Codec
FreeUndelete
GDR 3068 for SQL Server Database Services 2005 ENU (KB948109)
GDR 3068 for SQL Server Tools and Workstation Components 2005 ENU (KB948109)
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Intel(R) Graphics Media Accelerator Driver for Mobile
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Logitech Audio Echo Cancellation Component
Logitech Video Enumerator
Logitech® Camera Driver
Malwarebytes' Anti-Malware
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Professional
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Compact 3.5 Design Tools ENU
Microsoft SQL Server Compact 3.5 ENU
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual Basic 2008 Express Edition - ENU
Microsoft Visual Basic 2008 Express Edition - ENU
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows SDK for Visual Studio 2008 Express Tools for .NET Framework
Microsoft Windows SDK for Visual Studio 2008 Express Tools for Win32
Mozilla Firefox (3.0.4)
MSDN Library for Microsoft Visual Studio 2008 Express Editions
MSXML 6.0 Parser (KB933579)
MVision
Password Agent 2.5.1
PL-2303 USB-to-Serial
PSPad editor
QuickSet
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows XP (KB923789)
SimCity 3000
SimCity 3000 Building Architect
Spybot - Search & Destroy
Texas Instruments PCIxx21/x515/xx12 drivers.
VC 9.0 Runtime
VLC media player 0.9.4
WampServer 2.0
WebCyberCoach 3.2 Dell
Windows Imaging Component
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Yawcam v0.3.0
ZoneAlarm

ComboFix 08-12-05.02 - Administrator 2008-12-09 23:26:34.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1623 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\vjksgpue.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups

.
((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-06 23:22 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\system32\zpeng25.dll
2008-12-05 23:27 . 2008-12-05 23:27 <DIR> d-------- c:\program files\Trend Micro
2008-12-05 20:46 . 2008-07-09 09:05 75,248 --a------ c:\windows\zllsputility.exe
2008-12-05 20:45 . 2008-12-05 20:45 <DIR> d-------- c:\program files\Zone Labs
2008-12-05 20:45 . 2008-12-09 23:21 348,370 --a------ c:\windows\system32\vsconfig.xml
2008-12-05 20:27 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-12-05 20:27 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-12-05 20:27 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-12-05 20:27 . 2008-11-29 17:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-12-05 20:27 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-12-05 20:27 . 2008-11-29 17:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-12-05 20:27 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-12-05 20:27 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-12-05 20:27 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-12-05 20:27 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-12-03 22:54 . 2008-12-05 22:18 2,672 --a------ c:\windows\system32\tmp.reg
2008-12-03 20:47 . 2008-12-06 23:23 4,212 --ah----- c:\windows\system32\zllictbl.dat
2008-12-03 20:24 . 2008-12-09 23:22 2,206 --a------ c:\windows\system32\wpa.dbl
2008-12-03 19:35 . 2008-12-03 20:18 317 --a------ c:\windows\wininit.ini
2008-12-02 21:19 . 2008-12-02 23:08 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-02 21:19 . 2008-12-05 22:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-02 21:00 . 2008-12-05 22:54 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-16 21:29 . 2008-12-03 19:26 15,360 --ahs---- c:\windows\Thumbs.db
2008-11-13 15:03 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-13 15:02 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 20:02 . 2008-12-09 20:42 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-12 20:02 . 2008-11-12 20:02 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-12 20:02 . 2008-11-12 20:02 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-12 20:01 . 2008-11-12 20:01 <DIR> d-------- c:\program files\AVG
2008-11-12 20:01 . 2008-11-12 20:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-03 22:35 79,386 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_03_22_27_35_small.dmp.zip
2008-12-03 22:27 80,892 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_03_22_18_01_small.dmp.zip
2008-12-03 22:27 80,761 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_03_22_18_05_small.dmp.zip
2008-12-03 22:27 80,643 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_03_22_18_17_small.dmp.zip
2008-12-03 22:27 80,622 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_03_22_18_13_small.dmp.zip
2008-12-03 22:27 80,235 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_03_22_18_21_small.dmp.zip
2008-12-03 22:27 79,964 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_03_22_18_08_small.dmp.zip
2008-12-03 22:27 79,787 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_03_22_18_25_small.dmp.zip
2008-12-03 22:27 79,499 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_03_22_18_38_small.dmp.zip
2008-12-03 22:27 16,687,893 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_03_22_18_29_full.dmp.zip
2008-12-03 19:21 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-12 20:13 --------- d-----w c:\program files\FreeUndelete
2008-10-24 21:30 --------- d-----w c:\program files\Yawcam
2008-10-24 20:57 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2008-10-24 20:57 --------- d-----w c:\program files\Common Files\LogiShrd
2008-10-24 20:50 --------- d-----w c:\documents and settings\Administrator\Application Data\vlc
2008-10-24 20:46 --------- d-----w c:\program files\VideoLAN
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-21 16:15 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-12 09:29 --------- d-----w c:\documents and settings\All Users\Application Data\MSN6
2008-10-12 09:29 --------- d-----w c:\documents and settings\Administrator\Application Data\MSN6
2008-10-10 08:22 2,917,256 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-05_23.23.22.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-09 09:05:10 83,432 ----a-w c:\windows\system32\vsdata.dll
+ 2008-11-13 15:18:44 107,408 ----a-w c:\windows\system32\vsdata.dll
- 2008-07-09 09:05:22 394,952 ----a-w c:\windows\system32\vsdatant.sys
+ 2008-11-13 15:19:00 353,680 ----a-w c:\windows\system32\vsdatant.sys
- 2008-07-09 09:05:10 157,160 ----a-w c:\windows\system32\vsinit.dll
+ 2008-11-13 15:18:44 216,464 ----a-w c:\windows\system32\vsinit.dll
- 2008-07-09 09:05:10 103,912 ----a-w c:\windows\system32\vsmonapi.dll
+ 2008-11-13 15:18:44 107,408 ----a-w c:\windows\system32\vsmonapi.dll
- 2008-07-09 09:05:10 275,944 ----a-w c:\windows\system32\vspubapi.dll
+ 2008-11-13 15:18:44 310,160 ----a-w c:\windows\system32\vspubapi.dll
- 2008-07-09 09:05:10 71,144 ----a-w c:\windows\system32\vsregexp.dll
+ 2008-11-13 15:18:44 58,768 ----a-w c:\windows\system32\vsregexp.dll
- 2008-07-09 09:05:12 472,552 ----a-w c:\windows\system32\vsutil.dll
+ 2008-11-13 15:18:46 475,536 ----a-w c:\windows\system32\vsutil.dll
- 2008-07-09 09:05:12 46,568 ----a-w c:\windows\system32\vswmi.dll
+ 2008-11-13 15:18:46 30,096 ----a-w c:\windows\system32\vswmi.dll
- 2008-07-09 09:05:12 99,816 ----a-w c:\windows\system32\vsxml.dll
+ 2008-11-13 15:18:46 110,480 ----a-w c:\windows\system32\vsxml.dll
- 2008-07-09 09:05:12 83,432 ----a-w c:\windows\system32\zlcomm.dll
+ 2008-11-13 15:18:46 69,008 ----a-w c:\windows\system32\zlcomm.dll
- 2008-07-09 09:05:12 71,144 ----a-w c:\windows\system32\zlcommdb.dll
+ 2008-11-13 15:18:46 106,384 ----a-w c:\windows\system32\zlcommdb.dll
- 2008-07-09 09:05:06 99,816 ----a-w c:\windows\system32\ZoneLabs\camupd.dll
+ 2008-11-13 15:18:40 76,176 ----a-w c:\windows\system32\ZoneLabs\camupd.dll
- 2004-01-30 12:35:08 813,568 ----a-w c:\windows\system32\ZoneLabs\dbghelp.dll
+ 2008-03-17 16:52:02 813,568 ----a-w c:\windows\system32\ZoneLabs\dbghelp.dll
- 2008-07-09 09:05:08 128,480 ----a-w c:\windows\system32\ZoneLabs\fbl.dll
+ 2008-11-13 15:18:42 98,192 ----a-w c:\windows\system32\ZoneLabs\fbl.dll
- 2008-07-09 09:05:08 38,376 ----a-w c:\windows\system32\ZoneLabs\featuremap.dll
+ 2008-11-13 15:18:42 38,288 ----a-w c:\windows\system32\ZoneLabs\featuremap.dll
+ 2008-11-13 15:18:42 159,120 ----a-w c:\windows\system32\ZoneLabs\httpblocker.dll
+ 2008-05-19 14:59:00 525,792 ----a-w c:\windows\system32\ZoneLabs\icslta.dll
+ 2008-11-13 15:19:02 28,048 ----a-w c:\windows\system32\ZoneLabs\lib\Alert.zip.dll
- 2008-07-09 09:05:24 288,144 ----a-w c:\windows\system32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2008-11-13 15:19:02 322,960 ----a-w c:\windows\system32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2008-11-13 15:19:02 122,768 ----a-w c:\windows\system32\ZoneLabs\lib\DashBoard.zip.dll
- 2008-07-09 09:05:24 152,976 ----a-w c:\windows\system32\ZoneLabs\lib\licenseui.zip.dll
+ 2008-11-13 15:19:02 331,664 ----a-w c:\windows\system32\ZoneLabs\lib\LicenseUI.zip.dll
+ 2008-11-13 15:19:02 10,128 ----a-w c:\windows\system32\ZoneLabs\lib\MainLoop.zip.dll
+ 2008-11-13 15:19:04 18,320 ----a-w c:\windows\system32\ZoneLabs\lib\NavBar.zip.dll
+ 2008-11-13 15:19:04 110,992 ----a-w c:\windows\system32\ZoneLabs\lib\Overview.zip.dll
+ 2008-11-13 15:19:04 238,992 ----a-w c:\windows\system32\ZoneLabs\lib\Sandbox.zip.dll
+ 2008-11-13 15:19:04 156,048 ----a-w c:\windows\system32\ZoneLabs\lib\TrayTest.zip.dll
+ 2008-11-13 15:19:04 19,856 ----a-w c:\windows\system32\ZoneLabs\lib\UpdateUI.zip.dll
+ 2008-11-13 15:19:04 43,920 ----a-w c:\windows\system32\ZoneLabs\lib\ZAlert.zip.dll
+ 2008-11-13 15:19:04 19,344 ----a-w c:\windows\system32\ZoneLabs\lib\zic.zip.dll
+ 2008-11-13 15:19:04 13,712 ----a-w c:\windows\system32\ZoneLabs\lib\zmenu.zip.dll
+ 2008-11-13 15:19:04 24,464 ----a-w c:\windows\system32\ZoneLabs\lib\zp4pc.zip.dll
+ 2008-11-13 15:19:04 30,608 ----a-w c:\windows\system32\ZoneLabs\lib\zpdp.zip.dll
- 2008-07-09 09:05:24 1,361,296 ----a-w c:\windows\system32\ZoneLabs\lib\zpy.zip.dll
+ 2008-11-13 15:19:04 1,536,400 ----a-w c:\windows\system32\ZoneLabs\lib\zpy.zip.dll
+ 2008-11-13 15:19:04 18,832 ----a-w c:\windows\system32\ZoneLabs\lib\zsys.zip.dll
+ 2008-11-13 15:19:04 70,032 ----a-w c:\windows\system32\ZoneLabs\lib\ztv.zip.dll
- 2008-07-09 09:05:24 71,056 ----a-w c:\windows\system32\ZoneLabs\lib\zui.zip.dll
+ 2008-11-13 15:19:04 114,064 ----a-w c:\windows\system32\ZoneLabs\lib\zui.zip.dll
+ 2008-11-13 15:19:06 59,792 ----a-w c:\windows\system32\ZoneLabs\lib\zvpn.zip.dll
- 2008-02-27 03:10:26 714,208 ----a-w c:\windows\system32\ZoneLabs\qrbase.dll
+ 2008-04-21 07:19:42 718,272 ----a-w c:\windows\system32\ZoneLabs\qrbase.dll
- 2008-02-27 03:10:28 792,032 ----a-w c:\windows\system32\ZoneLabs\qrsrecl.dll
+ 2008-04-21 07:19:44 792,000 ----a-w c:\windows\system32\ZoneLabs\qrsrecl.dll
- 2008-07-09 09:05:08 173,544 ----a-w c:\windows\system32\ZoneLabs\scheduler.dll
+ 2008-11-13 15:18:42 132,496 ----a-w c:\windows\system32\ZoneLabs\scheduler.dll
- 2008-01-21 08:34:36 7,603,688 ----a-w c:\windows\system32\ZoneLabs\spyware.dat
+ 2008-04-21 07:19:46 8,790,493 ----a-w c:\windows\system32\ZoneLabs\spyware.dat
- 2008-02-27 03:10:32 1,504,736 ----a-w c:\windows\system32\ZoneLabs\srescan.dll
+ 2008-04-21 07:19:52 1,516,992 ----a-w c:\windows\system32\ZoneLabs\srescan.dll
- 2008-02-27 03:10:44 51,176 ----a-w c:\windows\system32\ZoneLabs\srescan.sys
+ 2008-04-21 07:19:58 51,648 ----a-w c:\windows\system32\ZoneLabs\srescan.sys
- 2008-07-09 09:05:10 456,168 ----a-w c:\windows\system32\ZoneLabs\ssleay32.dll
+ 2008-11-13 15:18:44 443,280 ----a-w c:\windows\system32\ZoneLabs\ssleay32.dll
- 2007-10-11 16:50:32 832,984 ----a-w c:\windows\system32\ZoneLabs\updating.dll
+ 2007-10-11 16:51:34 832,984 ----a-w c:\windows\system32\ZoneLabs\updating.dll
- 2008-07-09 09:05:18 144,936 ----a-w c:\windows\system32\ZoneLabs\updclient.exe
+ 2008-11-13 15:18:54 176,016 ----a-w c:\windows\system32\ZoneLabs\updclient.exe
- 2008-07-09 09:05:10 83,432 ----a-w c:\windows\system32\ZoneLabs\vsdb.dll
+ 2008-11-13 15:18:44 106,896 ----a-w c:\windows\system32\ZoneLabs\vsdb.dll
- 2008-07-09 09:05:18 75,304 ----a-w c:\windows\system32\ZoneLabs\vsmon.exe
+ 2008-11-13 15:18:56 2,405,776 ----a-w c:\windows\system32\ZoneLabs\vsmon.exe
- 2008-07-09 09:05:12 1,361,384 ----a-w c:\windows\system32\ZoneLabs\vsruledb.dll
+ 2008-11-13 15:18:46 1,655,184 ----a-w c:\windows\system32\ZoneLabs\vsruledb.dll
- 2008-07-09 09:05:12 239,080 ----a-w c:\windows\system32\ZoneLabs\vsvault.dll
+ 2008-11-13 15:18:46 172,432 ----a-w c:\windows\system32\ZoneLabs\vsvault.dll
- 2008-01-21 08:34:36 7,603,688 ----a-w c:\windows\system32\ZoneLabs\zlasdbup.dat
+ 2008-04-21 07:19:46 8,790,493 ----a-w c:\windows\system32\ZoneLabs\zlasdbup.dat
- 2008-07-09 09:05:12 177,640 ----a-w c:\windows\system32\ZoneLabs\zlparser.dll
+ 2008-11-13 15:18:46 178,576 ----a-w c:\windows\system32\ZoneLabs\zlparser.dll
- 2008-07-09 09:05:12 79,344 ----a-w c:\windows\system32\ZoneLabs\zlquarantine.dll
+ 2008-11-13 15:18:48 98,192 ----a-w c:\windows\system32\ZoneLabs\zlquarantine.dll
- 2008-07-09 09:05:14 382,440 ----a-w c:\windows\system32\ZoneLabs\zlsre.dll
+ 2008-11-13 15:18:48 311,696 ----a-w c:\windows\system32\ZoneLabs\zlsre.dll
- 2008-07-09 09:05:14 120,296 ----a-w c:\windows\system32\ZoneLabs\zlupdate.dll
+ 2008-11-13 15:18:48 110,480 ----a-w c:\windows\system32\ZoneLabs\zlupdate.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2006-09-15 94208]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2006-09-15 77824]
"igfxpers"="c:\windows\System32\igfxpers.exe" [2006-09-15 118784]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-02-06 252704]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoShutDown"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfDtRJD]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-12 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-12 231704]
R2 K9;K9 Time Synchronization;c:\windows\system32\k9nt.exe [2008-02-05 73728]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\DRIVERS\gtipci21.sys [2008-02-05 88192]
S3 nipalusb;NI-PAL USB Driver;c:\windows\system32\DRIVERS\nipalusb.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-12-09 c:\windows\Tasks\Bginfo.job
- c:\windows\IP Viewer & Desktop Info\Bginfo.exe [2004-09-22 15:46]
.
- - - - ORPHANS REMOVED - - - -

BHO-{087B8D34-AC09-4BE4-B750-42F41DE4C385} - (no file)
BHO-{2F39DD44-B0A3-491A-B684-1A07D0DFCA81} - (no file)
BHO-{5B7197DD-D339-4D89-908C-50ADD41AB41E} - (no file)
BHO-{a402d1c9-a449-4287-bb63-4b1db30170f2} - (no file)
BHO-{A5EAE89F-667C-4162-BB09-0D0E1FA80C4F} - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com/
FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8n0ch07m.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://uk.yahoo.com/
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 23:31:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\windows\system32\avgrsstx.dll

- - - - - - - > 'lsass.exe'(988)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2008-12-09 23:32:56
ComboFix-quarantined-files.txt 2008-12-09 23:32:24
ComboFix2.txt 2008-12-06 12:41:37
ComboFix3.txt 2008-12-05 23:24:09

Pre-Run: 27,917,012,992 bytes free
Post-Run: 27,978,129,408 bytes free

264 --- E O F --- 2008-11-13 15:28:48

Thanks Again

pskelley

2008-12-10, 12:45

How is the computer running? <<< No answer to my bolded question that I can see?

Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.

Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Reader 8.1.2 <<< out of date, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows
http://www.foxitsoftware.com/pdf/rd_intro.php

Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php

If you are no longer having malware issues, wrapup like this:

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.

Update AVG 8 and scan the system, to be sure it is running right and scanning clean.

If all is well at this point, let me know and I will close the topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html

sp33dy

2008-12-10, 22:28

Whoops sorry again....

I missing the how's it running now question.

It's running just fine now, spybot is only reporting the odd cookie issue if at all now.

I'm working my way through your posting re final stages and i must say i like the PSI program :-) Also I didn't realise that pdf's could have virus problems too. - wow.

Anyway, I'd like to say many many thanks pskelley for all you help and useful pointers.

pskelley

2008-12-10, 23:10

Here is information to help control those cookies:
http://www.mvps.org/winhelp2002/cookies.htm
http://www.microsoft.com/windows/ie/using/howto/privacy/config.mspx

Safe surfing and Happy Holidays:santa: