• Welcome Guest, to the Spybot Forums! It's 2025, and we just upgraded our forum software.

    Today is Safer Internet Day, and with our new forum, you can finally use passkeys to login. That was about time!

    Of course, you could ask if a forum is still useful, with so many social media networks out there where you might already have an account, and met a lot of users. You can now use your login from some of those networks to log in here. And by posting here, your question and data is stored on our servers and not automatically shared with a whole social media network.

    We'll also start using the forum for small bits of information, announcements and more again.

Virtumonde Infected

Status
Not open for further replies.
H

Hazard

New member
Sorry about the double thread just thought the first one was in the abyss.

My current Infections are:

-Right Media 1 entry
-Smitfruad-C 1 entry
-Virtumonde
-Virtumonde.generic
-Virtumonde.prx

It'd be greatly appreciated if i can get some assistance. I have combofix installed also.

My HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:54:55 PM, on 1/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\Hazard.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {3BAA75C7-C59D-4154-B55C-1347B6E66543} - C:\WINDOWS\system32\tuvTliHW.dll
O2 - BHO: {21fac938-7561-0c3a-0fa4-516b89f74fd3} - {3df47f98-b615-4af0-a3c0-1657839caf12} - C:\WINDOWS\system32\qhdjwf.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\pmnoMdbX.dll
O2 - BHO: (no name) - {B1730A3B-399F-4A67-9ECC-0658F8B5282F} - C:\WINDOWS\system32\mlJYrPfG.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Auto EPSON Stylus CX6600 Series on BASEMENT] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P43 "Auto EPSON Stylus CX6600 Series on BASEMENT" /O17 "\\BASEMENT\hazard" /M "Stylus CX6600"
O4 - HKLM\..\Run: [Auto EPSON Stylus CX6600 Series on BASEMENT (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P52 "Auto EPSON Stylus CX6600 Series on BASEMENT (Copy 1)" /O23 "\\BASEMENT\EPSON_Stylus" /M "Stylus CX6600"
O4 - HKLM\..\Run: [Auto Auto EPSON Stylus CX6600 Series on YOUR-28180281E2 on BASEMENT] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P67 "Auto Auto EPSON Stylus CX6600 Series on YOUR-28180281E2 on BASEMENT" /O23 "\\BASEMENT\Auto_EPSON_S" /M "Stylus CX6600"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [2c03aae3] rundll32.exe "C:\WINDOWS\system32\wbvpfnnp.dll",b
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Owner\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll qhdjwf.dll
O20 - Winlogon Notify: pmnoMdbX - C:\WINDOWS\SYSTEM32\pmnoMdbX.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5502 bytes
Hazard is offline
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

I apologize for the wait, volunteers are swamped at all forums with infected computers. If you have resolved your issues, please post to let me know so I can close this topic.
I have combofix installed also.
Click to expand...
combofix is updated almost daily, delete the copy you have and download it fresh from the links I provide.

1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.

2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks
 
Ok thank you for your response.

ComboFix:

ComboFix 09-01-13.04 - Owner 2009-01-14 6:14:48.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1519.861 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\GetModule
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\windows\system32\~.exe
c:\windows\system32\aujarxud.dll
c:\windows\system32\cvlzst.dll
c:\windows\system32\dhwejxsx.ini
c:\windows\system32\dsdjfcrr.ini
c:\windows\system32\duxrajua.ini
c:\windows\system32\fkdlwtjf.dll
c:\windows\system32\hbtocp.dll
c:\windows\system32\hhdnroev.dll
c:\windows\system32\ikxtbq.dll
c:\windows\system32\iwfooblo.ini
c:\windows\system32\jbomimwk.dll
c:\windows\system32\jwahjcqx.dll
c:\windows\system32\ngyxuacs.dll
c:\windows\system32\nsvmckrx.dll
c:\windows\system32\olboofwi.dll
c:\windows\system32\oxxlehbj.dll
c:\windows\system32\pvngtmpi.dll
c:\windows\system32\qhdjwf.dll
c:\windows\system32\raimqm.dll
c:\windows\system32\rqRLbaaA.dll
c:\windows\system32\swtjyqra.ini
c:\windows\system32\tuvTliHW.dll
c:\windows\system32\WHilTvut.ini
c:\windows\system32\WHilTvut.ini2
c:\windows\system32\wpv291231602518.cpx
c:\windows\system32\xfagbe.dll
c:\windows\system32\xsxjewhd.dll
c:\windows\system32\ydfffthd.dll
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 )))))))))))))))))))))))))))))))
.

2009-01-13 17:16 . 2009-01-13 17:16 88 --a------ c:\windows\MSREGUSR.INI
2009-01-13 17:13 . 2009-01-13 17:13 <DIR> d-------- c:\program files\Mindscape
2009-01-13 17:13 . 1998-06-23 16:34 73,856 --a------ c:\windows\system\hlp256.dll
2009-01-13 17:13 . 1998-06-23 16:34 9,136 --a------ c:\windows\system\Inetwh16.dll
2009-01-04 14:14 . 2009-01-04 14:14 <DIR> d-------- c:\program files\Webtools
2009-01-01 13:54 . 2009-01-01 13:54 <DIR> d-------- c:\documents and settings\Owner\Application Data\Acreon
2008-12-31 02:30 . 2008-12-31 02:30 268 --ah----- C:\sqmdata11.sqm
2008-12-31 02:30 . 2008-12-31 02:30 244 --ah----- C:\sqmnoopt11.sqm
2008-12-24 19:16 . 2007-12-26 21:25 94,208 -ra------ c:\windows\system32\ZDCN50.dll
2008-12-24 19:16 . 2007-12-26 21:25 20,736 -ra------ c:\windows\system32\ZDCndis5.sys
2008-12-24 19:16 . 2004-12-02 21:32 17,744 -ra------ c:\windows\system32\PCANDIS4.SYS
2008-12-24 19:16 . 2007-12-26 21:25 15,941 -ra------ c:\windows\system32\ZDCNDIS3.VXD
2008-12-24 19:16 . 2008-12-25 15:02 40 --a------ c:\windows\system32\2Wire.ini
2008-12-24 19:16 . 2008-12-24 19:16 20 --a------ c:\windows\system32\NB-WGASW.ini
2008-12-16 20:01 . 2008-12-16 20:01 268 --ah----- C:\sqmdata10.sqm
2008-12-16 20:01 . 2008-12-16 20:01 244 --ah----- C:\sqmnoopt10.sqm
2008-12-14 19:18 . 2008-12-14 19:18 0 --a------ c:\windows\iPlayer.INI
2008-12-14 19:16 . 2008-12-14 19:16 <DIR> d-------- c:\program files\InterActual

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 23:07 --------- d-----w c:\program files\World of Warcraft
2009-01-07 20:22 --------- d-----w c:\documents and settings\Owner\Application Data\AVGTOOLBAR
2008-12-08 20:15 --------- d-----w c:\program files\Incomplete
2008-12-07 04:55 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-12-07 04:55 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys
2008-12-07 04:54 --------- d-----w c:\program files\AVG
2008-12-07 04:54 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-11-29 05:21 --------- d-----w c:\program files\AIM Toolbar
2008-11-29 05:21 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-29 05:06 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-29 04:51 --------- d-----w c:\program files\Trend Micro
2008-11-27 20:35 --------- d-----w c:\program files\Xvid
2008-11-27 20:20 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2008-11-22 21:43 --------- d-----w c:\program files\Common Files\Software Update Utility
2008-11-22 21:43 --------- d-----w c:\program files\AIM6
2008-11-22 21:43 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-22 21:43 --------- d-----w c:\documents and settings\All Users\Application Data\AIM Toolbar
2008-11-22 21:43 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-22 21:42 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
.

((((((((((((((((((((((((((((( snapshot@2008-12-09_20.13.54.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-03 09:57:49 247,326 ----a-w c:\windows\$hf_mig$\KB954600\SP2QFE\strmdll.dll
+ 2008-10-03 10:02:42 247,326 ----a-w c:\windows\$hf_mig$\KB954600\SP3GDR\strmdll.dll
+ 2008-10-03 09:49:31 247,326 ----a-w c:\windows\$hf_mig$\KB954600\SP3QFE\strmdll.dll
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB954600\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB954600\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB954600\update\spcustom.dll
+ 2007-11-30 11:18:51 755,576 ----a-w c:\windows\$hf_mig$\KB954600\update\update.exe
+ 2007-11-30 11:18:51 382,840 ----a-w c:\windows\$hf_mig$\KB954600\update\updspapi.dll
+ 2008-10-22 09:47:25 62,976 ----a-w c:\windows\$hf_mig$\KB955839\SP2QFE\tzchange.exe
+ 2008-10-23 10:06:59 62,976 ----a-w c:\windows\$hf_mig$\KB955839\SP3GDR\tzchange.exe
+ 2008-10-23 10:17:49 62,976 ----a-w c:\windows\$hf_mig$\KB955839\SP3QFE\tzchange.exe
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB955839\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB955839\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB955839\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB955839\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB955839\update\updspapi.dll
+ 2008-10-23 12:51:04 284,160 ----a-w c:\windows\$hf_mig$\KB956802\SP2QFE\gdi32.dll
+ 2008-10-23 12:36:14 286,720 ----a-w c:\windows\$hf_mig$\KB956802\SP3GDR\gdi32.dll
+ 2008-10-23 12:43:42 286,720 ----a-w c:\windows\$hf_mig$\KB956802\SP3QFE\gdi32.dll
+ 2008-07-08 13:02:01 17,272 ----a-w c:\windows\$hf_mig$\KB956802\spmsg.dll
+ 2008-07-08 13:02:02 231,288 ----a-w c:\windows\$hf_mig$\KB956802\spuninst.exe
+ 2008-07-08 13:02:01 26,488 ----a-w c:\windows\$hf_mig$\KB956802\update\spcustom.dll
+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB956802\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB956802\update\updspapi.dll
+ 2008-10-16 01:00:11 3,067,904 ----a-w c:\windows\$hf_mig$\KB958215\SP3GDR\mshtml.dll
+ 2008-10-16 01:00:10 1,499,136 ----a-w c:\windows\$hf_mig$\KB958215\SP3GDR\shdocvw.dll
+ 2008-10-16 01:00:11 619,520 ----a-w c:\windows\$hf_mig$\KB958215\SP3GDR\urlmon.dll
+ 2008-10-16 01:00:11 666,112 ----a-w c:\windows\$hf_mig$\KB958215\SP3GDR\wininet.dll
+ 2008-10-16 11:34:08 3,067,904 ----a-w c:\windows\$hf_mig$\KB958215\SP3QFE\mshtml.dll
+ 2008-10-16 01:04:06 1,499,136 ----a-w c:\windows\$hf_mig$\KB958215\SP3QFE\shdocvw.dll
+ 2008-10-16 01:04:06 620,032 ----a-w c:\windows\$hf_mig$\KB958215\SP3QFE\urlmon.dll
+ 2008-10-16 01:04:06 667,136 ----a-w c:\windows\$hf_mig$\KB958215\SP3QFE\wininet.dll
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB958215\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB958215\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB958215\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB958215\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB958215\update\updspapi.dll
+ 2006-10-19 01:03:58 100,864 -c----w c:\windows\$NtUninstallKB952069_WM9$\logagent.exe
+ 2007-07-27 14:41:48 231,288 -c----w c:\windows\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe
+ 2007-07-27 14:41:48 382,840 -c----w c:\windows\$NtUninstallKB952069_WM9$\spuninst\updspapi.dll
+ 2006-10-19 02:47:20 937,984 -c----w c:\windows\$NtUninstallKB952069_WM9$\wmnetmgr.dll
+ 2006-10-19 02:47:22 2,450,944 -c----w c:\windows\$NtUninstallKB952069_WM9$\wmvcore.dll
+ 2007-11-30 12:39:22 231,288 -c----w c:\windows\$NtUninstallKB954600$\spuninst\spuninst.exe
+ 2007-11-30 11:18:51 382,840 -c----w c:\windows\$NtUninstallKB954600$\spuninst\updspapi.dll
+ 2006-08-21 14:52:08 246,814 -c----w c:\windows\$NtUninstallKB954600$\strmdll.dll
+ 2007-11-30 12:39:22 231,288 -c----w c:\windows\$NtUninstallKB955839$\spuninst\spuninst.exe
+ 2007-11-30 12:39:22 382,840 -c----w c:\windows\$NtUninstallKB955839$\spuninst\updspapi.dll
+ 2008-07-14 11:09:18 62,976 -c----w c:\windows\$NtUninstallKB955839$\tzchange.exe
+ 2008-02-20 06:51:05 282,624 -c----w c:\windows\$NtUninstallKB956802$\gdi32.dll
+ 2008-07-08 13:02:02 231,288 -c----w c:\windows\$NtUninstallKB956802$\spuninst\spuninst.exe
+ 2008-07-09 07:38:37 382,840 -c----w c:\windows\$NtUninstallKB956802$\spuninst\updspapi.dll
+ 2008-08-20 05:33:19 1,024,000 -c----w c:\windows\$NtUninstallKB958215$\browseui.dll
+ 2008-08-20 05:33:17 151,040 -c----w c:\windows\$NtUninstallKB958215$\cdfview.dll
+ 2008-08-20 05:33:18 1,054,208 -c----w c:\windows\$NtUninstallKB958215$\danim.dll
+ 2008-08-20 05:33:18 357,888 -c----w c:\windows\$NtUninstallKB958215$\dxtmsft.dll
+ 2008-08-20 05:33:18 205,312 -c----w c:\windows\$NtUninstallKB958215$\dxtrans.dll
+ 2008-08-20 05:33:18 55,808 -c----w c:\windows\$NtUninstallKB958215$\extmgr.dll
+ 2008-08-19 09:38:57 18,432 -c----w c:\windows\$NtUninstallKB958215$\iedw.exe
+ 2008-08-20 05:33:18 251,904 -c----w c:\windows\$NtUninstallKB958215$\iepeers.dll
+ 2008-08-20 05:33:18 96,256 -c----w c:\windows\$NtUninstallKB958215$\inseng.dll
+ 2008-08-20 05:33:19 16,384 -c----w c:\windows\$NtUninstallKB958215$\jsproxy.dll
+ 2008-08-20 05:33:20 3,067,392 -c----w c:\windows\$NtUninstallKB958215$\mshtml.dll
+ 2008-08-20 05:33:19 449,024 -c----w c:\windows\$NtUninstallKB958215$\mshtmled.dll
+ 2008-08-20 05:33:18 146,432 -c----w c:\windows\$NtUninstallKB958215$\msrating.dll
+ 2008-08-20 05:33:18 532,480 -c----w c:\windows\$NtUninstallKB958215$\mstime.dll
+ 2008-08-20 05:33:18 39,424 -c----w c:\windows\$NtUninstallKB958215$\pngfilt.dll
+ 2008-08-20 05:33:19 1,499,136 -c----w c:\windows\$NtUninstallKB958215$\shdocvw.dll
+ 2008-08-20 05:33:19 474,112 -c----w c:\windows\$NtUninstallKB958215$\shlwapi.dll
+ 2007-11-30 12:39:22 231,288 -c----w c:\windows\$NtUninstallKB958215$\spuninst\spuninst.exe
+ 2008-07-09 07:38:37 382,840 -c----w c:\windows\$NtUninstallKB958215$\spuninst\updspapi.dll
+ 2008-08-20 05:33:19 619,008 -c----w c:\windows\$NtUninstallKB958215$\urlmon.dll
+ 2008-08-20 05:33:19 667,648 -c----w c:\windows\$NtUninstallKB958215$\wininet.dll
+ 2008-08-19 09:20:32 351,744 -c----w c:\windows\$NtUninstallKB958215$\xpsp3res.dll
- 2008-11-13 03:36:59 38,240 ----a-r c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2008-12-13 04:33:12 38,240 ----a-r c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
- 2000-08-31 13:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2008-08-20 05:33:19 1,024,000 ----a-w c:\windows\system32\browseui.dll
+ 2008-10-16 10:20:52 1,024,000 ----a-w c:\windows\system32\browseui.dll
- 2008-08-20 05:33:17 151,040 ----a-w c:\windows\system32\cdfview.dll
+ 2008-10-16 10:20:42 151,040 ----a-w c:\windows\system32\cdfview.dll
- 2008-08-20 05:33:18 1,054,208 ----a-w c:\windows\system32\danim.dll
+ 2008-10-16 10:20:45 1,054,208 ----a-w c:\windows\system32\danim.dll
- 2008-08-20 05:33:19 1,024,000 -c--a-w c:\windows\system32\dllcache\browseui.dll
+ 2008-10-16 10:20:52 1,024,000 -c--a-w c:\windows\system32\dllcache\browseui.dll
- 2008-08-20 05:33:17 151,040 -c--a-w c:\windows\system32\dllcache\cdfview.dll
+ 2008-10-16 10:20:42 151,040 -c--a-w c:\windows\system32\dllcache\cdfview.dll
- 2008-08-20 05:33:18 1,054,208 -c--a-w c:\windows\system32\dllcache\danim.dll
+ 2008-10-16 10:20:45 1,054,208 -c--a-w c:\windows\system32\dllcache\danim.dll
- 2008-08-20 05:33:18 357,888 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-10-16 10:20:45 357,888 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
- 2008-08-20 05:33:18 205,312 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-10-16 10:20:45 205,312 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
- 2008-08-20 05:33:18 55,808 -c--a-w c:\windows\system32\dllcache\extmgr.dll
+ 2008-10-16 10:20:46 55,808 -c--a-w c:\windows\system32\dllcache\extmgr.dll
- 2008-02-20 06:51:05 282,624 -c--a-w c:\windows\system32\dllcache\gdi32.dll
+ 2008-10-23 13:01:36 283,648 -c--a-w c:\windows\system32\dllcache\gdi32.dll
- 2008-08-19 09:38:57 18,432 -c--a-w c:\windows\system32\dllcache\iedw.exe
+ 2008-10-15 14:18:21 18,432 -c--a-w c:\windows\system32\dllcache\iedw.exe
- 2008-08-20 05:33:18 251,904 -c--a-w c:\windows\system32\dllcache\iepeers.dll
+ 2008-10-16 10:20:46 251,904 -c--a-w c:\windows\system32\dllcache\iepeers.dll
- 2008-08-20 05:33:18 96,256 -c--a-w c:\windows\system32\dllcache\inseng.dll
+ 2008-10-16 10:20:46 96,256 -c--a-w c:\windows\system32\dllcache\inseng.dll
- 2008-08-20 05:33:19 16,384 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-10-16 10:20:50 16,384 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
- 2006-10-19 01:03:58 100,864 -c--a-w c:\windows\system32\dllcache\logagent.exe
+ 2008-06-18 06:09:22 100,864 -c--a-w c:\windows\system32\dllcache\logagent.exe
- 2008-08-20 05:33:20 3,067,392 -c--a-w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-12 17:27:54 3,067,392 -c--a-w c:\windows\system32\dllcache\mshtml.dll
- 2008-08-20 05:33:19 449,024 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-10-16 10:20:50 449,024 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
- 2008-08-20 05:33:18 146,432 -c--a-w c:\windows\system32\dllcache\msrating.dll
+ 2008-10-16 10:20:46 146,432 -c--a-w c:\windows\system32\dllcache\msrating.dll
- 2008-08-20 05:33:18 532,480 -c--a-w c:\windows\system32\dllcache\mstime.dll
+ 2008-10-16 10:20:46 532,480 -c--a-w c:\windows\system32\dllcache\mstime.dll
- 2008-08-20 05:33:18 39,424 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-10-16 10:20:46 39,424 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
- 2008-08-20 05:33:19 1,499,136 -c--a-w c:\windows\system32\dllcache\shdocvw.dll
+ 2008-10-16 10:20:48 1,499,136 -c--a-w c:\windows\system32\dllcache\shdocvw.dll
- 2008-08-20 05:33:19 474,112 -c--a-w c:\windows\system32\dllcache\shlwapi.dll
+ 2008-10-16 10:20:51 474,112 -c--a-w c:\windows\system32\dllcache\shlwapi.dll
- 2006-08-21 14:52:08 246,814 -c--a-w c:\windows\system32\dllcache\strmdll.dll
+ 2008-10-03 10:15:47 247,326 -c--a-w c:\windows\system32\dllcache\strmdll.dll
- 2008-08-20 05:33:19 619,008 -c--a-w c:\windows\system32\dllcache\urlmon.dll
+ 2008-10-16 10:20:53 619,008 -c--a-w c:\windows\system32\dllcache\urlmon.dll
- 2008-08-20 05:33:19 667,648 -c--a-w c:\windows\system32\dllcache\wininet.dll
+ 2008-10-16 10:20:49 667,648 -c--a-w c:\windows\system32\dllcache\wininet.dll
- 2006-10-19 02:47:20 937,984 -c--a-w c:\windows\system32\dllcache\WMNetMgr.dll
+ 2008-06-18 10:03:08 938,496 -c--a-w c:\windows\system32\dllcache\WMNetmgr.dll
- 2006-10-19 02:47:22 2,450,944 -c--a-w c:\windows\system32\dllcache\wmvcore.dll
+ 2008-06-18 10:03:14 2,458,112 -c--a-w c:\windows\system32\dllcache\WMVCore.dll
- 2008-08-20 05:33:18 357,888 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-10-16 10:20:45 357,888 ----a-w c:\windows\system32\dxtmsft.dll
- 2008-08-20 05:33:18 205,312 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-10-16 10:20:45 205,312 ----a-w c:\windows\system32\dxtrans.dll
- 2008-08-20 05:33:18 55,808 ----a-w c:\windows\system32\extmgr.dll
+ 2008-10-16 10:20:46 55,808 ----a-w c:\windows\system32\extmgr.dll
- 2008-02-20 06:51:05 282,624 ----a-w c:\windows\system32\gdi32.dll
+ 2008-10-23 13:01:36 283,648 ----a-w c:\windows\system32\gdi32.dll
- 2008-08-20 05:33:18 251,904 ----a-w c:\windows\system32\iepeers.dll
+ 2008-10-16 10:20:46 251,904 ----a-w c:\windows\system32\iepeers.dll
- 2008-08-20 05:33:18 96,256 ----a-w c:\windows\system32\inseng.dll
+ 2008-10-16 10:20:46 96,256 ----a-w c:\windows\system32\inseng.dll
+ 2001-07-13 19:09:44 279,552 ----a-w c:\windows\system32\itiimg3.dll
- 2008-08-20 05:33:19 16,384 ----a-w c:\windows\system32\jsproxy.dll
+ 2008-10-16 10:20:50 16,384 ----a-w c:\windows\system32\jsproxy.dll
- 2006-10-19 01:03:58 100,864 ----a-w c:\windows\system32\logagent.exe
+ 2008-06-18 06:09:22 100,864 ----a-w c:\windows\system32\logagent.exe
+ 2006-01-21 21:01:22 25,088 ----a-w c:\windows\system32\Macromed\Flash\genuinst.exe
+ 2006-01-03 23:14:12 20,480 ----a-w c:\windows\system32\Macromed\Flash\UninstFl.exe
- 2008-11-04 00:10:25 17,318,336 ----a-w c:\windows\system32\MRT.exe
+ 2008-12-09 23:24:37 17,593,280 ----a-w c:\windows\system32\MRT.exe
- 2008-08-20 05:33:20 3,067,392 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-12 17:27:54 3,067,392 ----a-w c:\windows\system32\mshtml.dll
- 2008-08-20 05:33:19 449,024 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-10-16 10:20:50 449,024 ----a-w c:\windows\system32\mshtmled.dll
- 2008-08-20 05:33:18 146,432 ----a-w c:\windows\system32\msrating.dll
+ 2008-10-16 10:20:46 146,432 ----a-w c:\windows\system32\msrating.dll
- 2008-08-20 05:33:18 532,480 ----a-w c:\windows\system32\mstime.dll
+ 2008-10-16 10:20:46 532,480 ----a-w c:\windows\system32\mstime.dll
- 2008-08-20 05:33:18 39,424 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-10-16 10:20:46 39,424 ----a-w c:\windows\system32\pngfilt.dll
- 2008-08-20 05:33:19 1,499,136 ----a-w c:\windows\system32\shdocvw.dll
+ 2008-10-16 10:20:48 1,499,136 ----a-w c:\windows\system32\shdocvw.dll
- 2008-08-20 05:33:19 474,112 ----a-w c:\windows\system32\shlwapi.dll
+ 2008-10-16 10:20:51 474,112 ----a-w c:\windows\system32\shlwapi.dll
- 2006-09-25 22:58:48 14,640 ----a-w c:\windows\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\system32\spmsg.dll
- 2006-08-21 14:52:08 246,814 ----a-w c:\windows\system32\strmdll.dll
+ 2008-10-03 10:15:47 247,326 ----a-w c:\windows\system32\strmdll.dll
- 2008-07-14 11:09:18 62,976 ----a-w c:\windows\system32\tzchange.exe
+ 2008-10-22 09:47:07 62,976 ----a-w c:\windows\system32\tzchange.exe
- 2008-08-20 05:33:19 619,008 ----a-w c:\windows\system32\urlmon.dll
+ 2008-10-16 10:20:53 619,008 ----a-w c:\windows\system32\urlmon.dll
- 2008-08-20 05:33:19 667,648 ----a-w c:\windows\system32\wininet.dll
+ 2008-10-16 10:20:49 667,648 ----a-w c:\windows\system32\wininet.dll
- 2006-10-19 02:47:20 937,984 ----a-w c:\windows\system32\WMNetMgr.dll
+ 2008-06-18 10:03:08 938,496 ----a-w c:\windows\system32\WMNetmgr.dll
- 2006-10-19 02:47:22 2,450,944 ----a-w c:\windows\system32\wmvcore.dll
+ 2008-06-18 10:03:14 2,458,112 ----a-w c:\windows\system32\WMVCore.dll
- 2008-08-19 09:20:32 351,744 ----a-w c:\windows\system32\xpsp3res.dll
+ 2008-10-15 14:00:41 351,744 ----a-w c:\windows\system32\xpsp3res.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-15 966656]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"Auto EPSON Stylus CX6600 Series on BASEMENT"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE" [2004-02-29 98304]
"Auto EPSON Stylus CX6600 Series on BASEMENT (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE" [2004-02-29 98304]
"Auto Auto EPSON Stylus CX6600 Series on YOUR-28180281E2 on BASEMENT"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE" [2004-02-29 98304]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-09-12 160160]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-06 1261336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2007-11-23 1742384]
Install Pending Files.LNK - c:\program files\SIFXINST\SIFXINST.EXE [2007-11-23 729088]
Microsoft Broadband Networking.lnk - c:\windows\Installer\{2C84BB95-1DB9-4AC4-8750-F979BBCDD859}\_18be6784.exe [2007-11-23 25214]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll raimqm.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\tuvTliHW

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNCfg.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNUpdate.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNUtil.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-06 97928]
R3 MSFT43XX;Microsoft Wireless Notebook Adapter Driver;c:\windows\system32\drivers\mn720-50.sys [2003-07-18 254208]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-06 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-06 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-06 76040]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-12-09 24652]
R4 ZDCNDIS5;ZDCNDIS5 NDIS5.1 Protocol Driver;c:\windows\system32\ZDCndis5.sys [2008-12-24 20736]
.
Contents of the 'Scheduled Tasks' folder

2008-12-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
BHO-{26b5dbb0-92f9-4e62-9e33-9a4ab870157d} - c:\windows\system32\raimqm.dll
BHO-{32B85999-BDC2-414D-AA7E-A5BA43EC4C1A} - c:\windows\system32\tuvTliHW.dll
HKCU-Run-GetModule33 - c:\program files\GetModule\GetModule33.exe
Notify-pmnoMdbX - pmnoMdbX.dll


.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n9bom4h6.default\
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 18:28:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\Zune\ZuneNss.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\program files\Microsoft Broadband Networking\MSBNTray.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-01-14 18:33:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-14 23:33:23
ComboFix2.txt 2008-12-10 20:19:06
ComboFix3.txt 2008-12-10 01:14:56

Pre-Run: 28,845,666,304 bytes free
Post-Run: 28,825,505,792 bytes free

389 --- E O F --- 2008-12-18 08:00:59



HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:57 PM, on 1/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Hazard.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Auto EPSON Stylus CX6600 Series on BASEMENT] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P43 "Auto EPSON Stylus CX6600 Series on BASEMENT" /O17 "\\BASEMENT\hazard" /M "Stylus CX6600"
O4 - HKLM\..\Run: [Auto EPSON Stylus CX6600 Series on BASEMENT (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P52 "Auto EPSON Stylus CX6600 Series on BASEMENT (Copy 1)" /O23 "\\BASEMENT\EPSON_Stylus" /M "Stylus CX6600"
O4 - HKLM\..\Run: [Auto Auto EPSON Stylus CX6600 Series on YOUR-28180281E2 on BASEMENT] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P67 "Auto Auto EPSON Stylus CX6600 Series on YOUR-28180281E2 on BASEMENT" /O23 "\\BASEMENT\Auto_EPSON_S" /M "Stylus CX6600"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll raimqm.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5120 bytes
 
I am going to ask that you read the directions very carefully, instruction #3 appears to have been missed completely? Post that uninstall list as soon as you have it.

Follow the directions carefully and in the numbered order.

1) C:\Program Files\Viewpoint\Common\ViewpointService.exe
For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546
http://vil.nai.com/vil/content/v_137262.htm

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open notepad and copy/paste the text in the codebox below into it:

Code: 
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
"AppInit_DLLs"="avgrsstx.dll"

Save this as CFScript

CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe.

This may start ComboFix again. After reboot, (in case it asks to reboot)
I don't need to see that combofix log.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(These may be gone, removed in other processes)
O20 - AppInit_DLLs: avgrsstx.dll raimqm.dll
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

6) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

How is the computer running now?

Thanks
 
Sorry, do you still want me to do everything in your last post?

ABBYY FineReader 5.0 Sprint Plus
Adobe Flash Player Plugin
Adobe Reader 7.0
AIM 6
AIM Toolbar
AOL Search
Apple Mobile Device Support
Apple Software Update
ArcSoft Software Suite
Audacity 1.2.6
AVG Free 8.0
BigFix
Compatibility Pack for the 2007 Office system
Digital Media Reader
DKP Profiler
DKP Profiler (C:\Program Files\DKP Profiler Uploader\)
DKP Profiler (C:\Program Files\DKP Profiler Uploader\) #3
Download Updater (AOL LLC)
EPSON CardMonitor
EPSON Copy Utility 3
EPSON CX6600 Reference Guide
EPSON PhotoStarter3.2
EPSON Printer Software
EPSON Scan
EPSON Smart Panel
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
InterActual Player
iTunes
J2SE Runtime Environment 5.0 Update 2
Mavis Beacon Teaches Typing 9.0.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Broadband Networking
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Starter Edition 2006
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Money 2005
Microsoft Office 2000 Professional
Microsoft User-Mode Driver Framework Feature Pack 1.7
Microsoft Visual C++ 2005 Redistributable
Microsoft WinUsb 1.0
Microsoft Works
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Napster
Napster Burn Engine
PokeGlobal
PowerDVD
QuickTime
RealPlayer Basic
Realtek AC'97 Audio
ScanToWeb
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB960714)
SoftV92 Data Fax Modem with SmartCP
Spybot - Search & Destroy
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Ventrilo Client
Viewpoint Media Player
Windows Backup Utility
Windows Live installer
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
World of Warcraft
Xvid 1.1.3 final uninstall
Zune
Zune
Zune Language Pack (ES)
Zune Language Pack (FR)
 
Yes...I'll look at the uninstall list and post a reponse to that after I see your next post.

Thanks
 
Ok i did everything.

The scan log:

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 2

1/14/2009 10:15:35 PM
mbam-log-2009-01-14 (22-15-35).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 107985
Time elapsed: 1 hour(s), 14 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 39

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{142cd6ef-e527-4a0e-8a35-283a09bf7afd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3baa75c7-c59d-4154-b55c-1347b6e66543} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\BitDownload (Trojan.Lop) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\Local Page (Hijack.Search) -> Bad: (http://www.iesearch.com/) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\BitDownload (Trojan.Lop) -> Quarantined and deleted successfully.

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\aujarxud.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\cvlzst.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fkdlwtjf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hbtocp.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hhdnroev.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ikxtbq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jbomimwk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jwahjcqx.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ngyxuacs.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\olboofwi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\oxxlehbj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\pvngtmpi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\qhdjwf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tuvTliHW.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\xfagbe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ydfffthd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir (Trojan.Waledac) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP355\A0075429.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP361\A0079466.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP362\A0082466.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP363\A0083490.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP366\A0085516.exe (Trojan.Waledac) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP366\A0085517.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP366\A0085518.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP366\A0085522.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP366\A0085523.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP366\A0085524.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP366\A0085525.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP366\A0085527.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP366\A0085528.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP366\A0085529.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP366\A0085531.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP366\A0085532.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP366\A0085533.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP366\A0085534.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP366\A0085538.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP366\A0085539.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP366\A0085541.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\BitDownload\BitDownload Downloads.lnk (Trojan.Lop) -> Quarantined and deleted successfully.






My HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:32 PM, on 1/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE
C:\Program Files\Zune\ZuneLauncher.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\Hazard.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Auto EPSON Stylus CX6600 Series on BASEMENT] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P43 "Auto EPSON Stylus CX6600 Series on BASEMENT" /O17 "\\BASEMENT\hazard" /M "Stylus CX6600"
O4 - HKLM\..\Run: [Auto EPSON Stylus CX6600 Series on BASEMENT (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P52 "Auto EPSON Stylus CX6600 Series on BASEMENT (Copy 1)" /O23 "\\BASEMENT\EPSON_Stylus" /M "Stylus CX6600"
O4 - HKLM\..\Run: [Auto Auto EPSON Stylus CX6600 Series on YOUR-28180281E2 on BASEMENT] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P67 "Auto Auto EPSON Stylus CX6600 Series on YOUR-28180281E2 on BASEMENT" /O23 "\\BASEMENT\Auto_EPSON_S" /M "Stylus CX6600"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5263 bytes
 
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Reader 7.0 <<< out of date and unsafe, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows (make sure to uncheck toolbars)
http://www.foxitsoftware.com/pdf/rd_intro.php

J2SE Runtime Environment 5.0 Update 2 <<< out of date:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php

Viewpoint Media Player
For your information, Viewpoint is installed by aol probably without your knowledge.
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546
http://vil.nai.com/vil/content/v_137262.htm

How is the computer running now?
Click to expand...

Let's see if we can wrap up like this.

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

CF_Cleanup.png


Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, update it and run it once a month or so)

Update AVG8 and scan the system, to be sure it is running right and scanning clean.
Some good AVG information: FAQ: http://www.avg.com/faq
AVG Free Forum: http://freeforum.avg.com/

If all is well at this point, let me know and I will close the topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
 
Status
Not open for further replies.
Back
Top