-
ComboFix 08-03-30.4 - Sara 2008-03-31 13:20:18.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.242 [GMT -6:00]
Running from: C:\Documents and Settings\Sara\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sara\Desktop\cfscript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\system32\kdsryfeh.exe
C:\WINDOWS\system32\ktyhybch.exe
C:\WINDOWS\system32\lajunirw.exe
C:\WINDOWS\system32\otmvajkd.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\kdsryfeh.exe
C:\WINDOWS\system32\ktyhybch.exe
C:\WINDOWS\system32\lajunirw.exe
C:\WINDOWS\system32\otmvajkd.exe
.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.
2008-03-29 00:55 . 2008-03-29 00:55 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-28 21:14 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2008-03-28 21:14 . 2004-08-03 22:58 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
2008-03-28 21:11 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\system32\kswdmcap.ax
2008-03-26 17:11 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-03-26 17:11 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-26 17:11 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-26 17:11 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-03-25 18:08 . 2008-03-25 18:08 4,608,744 --a------ C:\Program Files\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
2008-03-25 14:37 . 2008-03-27 14:13 67 --a------ C:\WINDOWS\DVDRegionFree.INI
2008-03-24 12:53 . 2008-03-24 12:53 <DIR> d-------- C:\Program Files\ERUNT
2008-03-24 12:52 . 2008-03-24 12:53 791,393 --a------ C:\Program Files\erunt-setup.exe
2008-03-24 00:50 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-24 00:49 . 2008-03-24 00:50 <DIR> d-------- C:\Program Files\Java
2008-03-24 00:49 . 2008-03-24 00:49 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\Malwarebytes
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-22 14:32 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-22 14:32 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-22 14:32 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-22 14:32 . 2008-03-15 17:16 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-22 14:32 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-22 14:32 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-22 14:32 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-22 14:32 . 2008-03-22 18:18 1,140 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-22 01:43 . 2008-03-22 01:43 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-21 20:20 . 2008-03-25 15:40 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\SolSuite
2008-03-21 18:44 . 2008-03-21 18:44 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-21 18:44 . 2008-03-21 18:44 2,549 --a------ C:\WINDOWS\unins000.dat
2008-03-21 18:28 . 2008-03-31 13:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-21 18:27 . 2008-03-21 18:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-20 20:26 . 2008-03-21 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-03-20 20:15 . 2008-03-21 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-20 20:15 . 2008-03-20 20:15 38,473,056 --a------ C:\Program Files\CNET_VSP30days.exe
2008-03-20 20:09 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-20 20:09 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-20 12:41 . 2008-03-20 12:41 50 --a------ C:\WINDOWS\BRQIKMON.INI
2008-03-20 12:40 . 2008-03-21 14:50 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\PC-FAX TX
2008-03-19 20:05 . 2004-12-03 01:26 188,416 --a------ C:\WINDOWS\system32\PDRVINST.DLL
2008-03-19 20:05 . 2006-01-17 01:03 126,976 --a------ C:\WINDOWS\system32\BrfxD05a.dll
2008-03-19 20:05 . 2005-06-02 01:09 86,016 --a------ C:\WINDOWS\system32\BrWebIns.dll
2008-03-19 20:05 . 2005-06-02 01:08 69,632 --a------ C:\WINDOWS\system32\BRWEBUP.EXE
2008-03-19 20:05 . 2001-11-15 01:00 6,224 --a------ C:\WINDOWS\CVRPAGE.BMP
2008-03-19 20:05 . 2008-03-28 15:29 0 --a------ C:\WINDOWS\brdfxspd.dat
2008-03-19 20:04 . 2008-03-19 20:04 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-03-19 20:04 . 2008-03-19 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-03-19 20:04 . 2003-09-24 11:36 27,019 --a------ C:\WINDOWS\maxlink.ini
2008-03-19 19:58 . 2008-03-19 19:58 0 --------- C:\Bro59.tmp
2008-03-19 19:55 . 2008-03-21 19:58 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-19 19:18 . 2008-03-19 20:06 <DIR> d-------- C:\Program Files\Brother
2008-03-19 09:48 . 2008-03-29 10:18 696 --a------ C:\WINDOWS\wininit.ini
2008-03-16 19:35 . 2008-03-16 19:36 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-03-15 16:10 . 2001-08-18 06:00 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll
2008-03-15 16:10 . 2002-11-27 18:26 114,688 --a------ C:\WINDOWS\system32\jpegcode.dll
2008-03-15 16:10 . 2002-09-06 18:54 53,248 --a------ C:\WINDOWS\system32\AccWrap.dll
2008-03-15 16:10 . 2002-10-29 18:21 45,664 --------- C:\WINDOWS\system32\drivers\CoachVc.sys
2008-03-15 16:10 . 2002-11-22 19:45 41,952 --------- C:\WINDOWS\system32\drivers\CoachUsb.sys
2008-03-15 16:10 . 2002-11-21 12:14 39,424 --a------ C:\WINDOWS\system32\CoachWia.dll
2008-03-15 16:10 . 2008-03-16 14:05 22 --a------ C:\Program Files\c310.zip
2008-03-15 10:06 . 2008-03-15 10:06 419 --a------ C:\WINDOWS\BRWMARK.INI
2008-03-15 10:06 . 2008-03-15 10:06 27 --a------ C:\WINDOWS\BRPP2KA.INI
2008-03-15 10:05 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-15 10:05 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-15 10:05 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-03-15 10:05 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-03-15 10:00 . 2008-03-28 15:34 1,053 --a------ C:\WINDOWS\Brpfx04a.ini
2008-03-15 10:00 . 2008-03-20 12:40 153 --a------ C:\WINDOWS\brpcfx.ini
2008-03-15 10:00 . 2008-03-19 20:06 50 --a------ C:\WINDOWS\system32\bridf06a.dat
2008-03-15 09:59 . 2008-03-19 19:09 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-15 09:59 . 2006-02-24 17:27 1,492,480 --a------ C:\WINDOWS\system32\BrWia06a.dll
2008-03-15 09:59 . 2004-12-10 16:35 147,456 --a------ C:\WINDOWS\brunin03.dll
2008-03-15 09:59 . 2006-02-16 18:49 52,736 --a------ C:\WINDOWS\system32\brinsstr.dll
2008-03-15 09:59 . 2005-12-13 10:53 38,912 --a------ C:\WINDOWS\system32\BrUsi06a.dll
2008-03-15 09:59 . 2004-10-15 12:50 15,295 --a------ C:\WINDOWS\system32\drivers\BrScnUsb.sys
2008-03-15 09:57 . 2008-03-15 09:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-03-15 09:56 . 2008-03-19 20:04 <DIR> d-------- C:\Program Files\ScanSoft
2008-03-15 09:55 . 2008-03-15 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Brother
2008-03-08 11:09 . 2008-03-08 11:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-08 11:08 . 2008-03-08 11:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-27 09:38 . 2001-08-17 23:36 99,328 --a------ C:\WINDOWS\system32\srusd.dll
2008-02-27 09:38 . 2001-08-17 23:36 99,328 --a--c--- C:\WINDOWS\system32\dllcache\srusd.dll
2008-02-27 09:38 . 2001-08-17 23:36 71,680 --a------ C:\WINDOWS\system32\fnfilter.dll
2008-02-27 09:38 . 2001-08-17 23:36 71,680 --a--c--- C:\WINDOWS\system32\dllcache\fnfilter.dll
2008-02-27 09:38 . 2001-08-17 14:53 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2008-02-27 09:38 . 2001-08-17 14:53 6,784 --a--c--- C:\WINDOWS\system32\dllcache\serscan.sys
2008-02-14 13:06 . 2008-02-14 22:49 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-14 11:50 . 2008-03-25 13:50 <DIR> d-------- C:\Downloads
2008-02-04 13:43 . 2008-02-04 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-30 18:41 --------- d-----w C:\Program Files\RegScrubXP
2008-03-22 07:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-21 22:09 --------- d-----w C:\Documents and Settings\Sara\Application Data\AVG7
2008-03-20 22:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-20 18:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-20 14:47 --------- d-----w C:\Program Files\Incomplete
2008-03-20 02:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 02:05 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-19 14:44 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-17 04:58 --------- d-----w C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2008-03-08 17:09 --------- d-----w C:\Program Files\Lavasoft
2008-03-08 17:09 --------- d-----w C:\Documents and Settings\Sara\Application Data\Lavasoft
2008-02-27 22:57 729,088 ----a-w C:\WINDOWS\iun6002.exe
2008-02-06 20:20 --------- d-----w C:\Program Files\Diskeeper Corporation
2008-01-31 06:11 --------- d-----w C:\Program Files\OverDrive Media Console
2008-01-31 06:11 --------- d-----w C:\Documents and Settings\Sara\Application Data\OverDrive
2008-01-11 18:20 553,687 ----a-w C:\Program Files\jv16_regcleaner.exe
2008-01-11 18:07 593,556 ----a-w C:\Program Files\regscrubxpsetup_3.2.exe
2007-12-27 18:02 32 --sha-w C:\WINDOWS\{0C12DB23-1BE2-4364-BFAA-6F5D9129BA61}.dat
2007-12-27 18:05 32 --sha-w C:\WINDOWS\{1B77EDC5-1688-4797-BA2D-7B17CF56CB30}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\{22BE5C96-6912-4844-B877-5B823AD9B260}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\{2E5205F4-C65A-4D26-8D21-D6A2DAA83314}.dat
2007-12-27 18:01 32 --sha-w C:\WINDOWS\{3BD78CE5-4886-4A8D-879E-D3604BF3CBE3}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\{A0337C34-3D4E-449C-8E79-A26151D03235}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\{C354F08C-4F05-4AFA-82AE-342DA03BB497}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\system32\{130E8F94-C662-49ED-AE40-05594E9EFB43}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\system32\{1E4A546D-C55E-4052-A7F5-AE0C5B7534F6}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\system32\{770AD5A9-EAE7-46E2-88C7-7BD6908E39CC}.dat
2007-12-27 18:05 32 --sha-w C:\WINDOWS\system32\{ACB29618-EEF3-4AD4-B2B2-5DBB667C35A1}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\system32\{C71E13F1-33A7-4A76-956F-D297C2A27665}.dat
2007-12-27 18:01 32 --sha-w C:\WINDOWS\system32\{CD413577-1356-422D-AA2E-64C023005796}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\system32\{D4CF1B07-7D22-43F2-A0AF-E389C73077DA}.dat
.
((((((((((((((((((((((((((((( snapshot@2008-03-31_10.24.20.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-31 19:22:29 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-21 19:26 68856]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-27 12:01 145920]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]
S2 UMAXPCLS;Print Port Scanner Driver;C:\WINDOWS\system32\DRIVERS\umaxpcls.sys [2001-08-17 15:58]
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-03-19 18:31]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2005-10-17 21:50]
S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-06-27 16:32]
S4 WUSB54Gv42SVC;WUSB54Gv42SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 13:22:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
.
**************************************************************************
.
Completion time: 2008-03-31 13:26:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-31 19:26:50
ComboFix2.txt 2008-03-31 16:24:55
ComboFix3.txt 2008-03-30 03:46:08
ComboFix4.txt 2008-03-28 22:53:19
ComboFix5.txt 2008-03-27 20:53:45
Pre-Run: 4,136,407,040 bytes free
Post-Run: 4,130,152,448 bytes free
.
2008-03-22 07:44:35 --- E O F ---
-
There were no programs in the Control Panel Add/Remove Programs that were on the list. I unplugged the cable from the computer so no one can go online.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:16 PM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Sara\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
--
End of file - 4198 bytes
-
Your latest HJT and ComboFix Logs look good.
I want you to run Kaspersky one more time and post the results from the scan, so we can see if anything else is hiding on your computer and get rid of it. Also let me know how your computer is doing now.
Step # 1: Run Kaspersky Online Scan
Please do an online scan with Kaspersky WebScanner
You must be using Internet Explorer; Kaspersky does not work with Firefox.
Click Accept
You will be prompted to install an ActiveX component from Kaspersky;
Click Yes.
- The program will launch and then begin downloading the latest definition files:
- Once the files have been downloaded click on NEXT
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
- Extended (if available otherwise Standard)
- Scan Archives
- Scan Mail Bases
- Click OK
- Now under select a target to scan:
- The program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
- Once finished, save the log to your Desktop as filename KAV.txt
Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
-
Computer is better since the last ComboFix. The link hasn't come back to my desktop and the other programs haven't downloaded themselves anymore. Thank you.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, March 31, 2008 9:27:18 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 31/03/2008
Kaspersky Anti-Virus database records: 675122
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 201720
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 02:32:14
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Sara\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\History\History.IE5\MSHist012008033120080401\index.dat Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Temp\~DF7542.tmp Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Temp\~DF754D.tmp Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sara\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Sara\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Grisoft\AVG7\avg7log.log Object is locked skipped
C:\Program Files\Grisoft\AVG7\avg7log.log.lck Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{CC3F1C1E-C032-4245-B818-E8D2A45D6868}\RP12\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{10AD9FA4-2A21-4945-A21A-C9D84DEB75A0}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_6e4.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\WINDOWS\SYSTEM\EGDHTML_1020.dll Object is locked skipped
D:\System Volume Information\_restore{CC3F1C1E-C032-4245-B818-E8D2A45D6868}\RP12\change.log Object is locked skipped
Scan process completed.
-
The Kaspersky Log came back clean and you mention that your computer is running fine, it looks like you are good to go.
You can delete the following files off your Desktop (if found):
Kav.txt
daft.exe
NoLop.exe
Fix-Protocol-zones-ranges.reg
To remove ComboFix, do the following:
Go to Start > Run - type in ComboFix /u & click OK
Empty your Recycle Bin.
A firewall is an essential part of computer security and you do not appear to have one running on your system. There are several firewalls that provide better protection than the Windows SP2 firewall. Do not attempt to run two software firewalls since, like running two antivirus programs, they will possibly cause problems and conflict with each other.
There are a few firewalls available for free that appear to be good and easy to use:
Please download and install only one!
Once the firewall is installed, check to see that the Windows Firewall is disabled. To do so follow these steps:
1. Click Start, click Run, type Firewall.cpl, and then click OK.
2. On the General tab, check to see if Off (not recommended) is checkmarked/ticked; if it is not, then checkmark/tick the box and click OK.
Please take the time to read my All Clean Post.
Please follow these simple steps in order to keep your computer clean and secure:
- This is a good time to clear your existing system restore points and establish a new clean restore point:
- Go to Start > All Programs > Accessories > System Tools > System Restore
- Select Create a restore point, and Ok it.
- Next, go to Start > Run and type in cleanmgr
- Select the More options tab
- Choose the option to clean up system restore and OK it.
- This will remove all restore points except the new one you just created.
Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.
- Make your Internet Explorer more secure. This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
- Change the Download signed ActiveX controls to Prompt
- Change the Download unsigned ActiveX controls to Disable
- Change the Initialize and script ActiveX controls not marked as safe to Disable
- Change the Installation of desktop items to Prompt
- Change the Launching programs and files in an IFRAME to Prompt
- Change the Navigate sub frames across different domains to Prompt
- When all these settings have been made, click on the OK button.
- If it asks you if you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
Set correct settings for files that should be hidden in Windows XP
- Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
- Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
- If unchecked, please check Hide protected operating system files (Recommended).
- If necessary check "Display content of system folders"
- If necessary Uncheck Hide file extensions for known file types.
- Click OK
- Use Antivirus Software and Keep It Updated - It is very important that your computer has antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
- Visit Microsoft's Windows Update Site Frequently - It is important that you visit Microsoft Windows Update regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
- Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
Computer Safety on line Anti Malware
- Use an alternative instant messenger program. Trillian and Miranda IM are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
- Please read Tony Klein's excellent article: How I got Infected in the First Place
- Please read Understanding Spyware, Browser Hijackers, and Dialers
- Please read Simple and easy ways to keep your computer safe and secure on the Internet
- If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox or Opera.
If you decide to use either Firefox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
- Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
- If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back.
Follow these steps and your potential for being infected again will reduce dramatically.
Here's a good website to read about Malware prevention:
http://users.telenet.be/bluepatchy/m...revention.html
Good luck!
Please reply one last time so that I know you have read my post and this thread can be closed.
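As an added example (not part of the original thread or the helper's instructions), the PowerShell script below audits the six Internet-zone settings the post above asks you to change by reading the per-user registry key Internet Explorer stores them in, reporting which ones are still weaker than recommended, and optionally correcting them with an assumed `-Apply` switch. The zone path, action IDs and the 0 = Enable / 1 = Prompt / 3 = Disable encoding are Microsoft's documented security-zone registry settings (KB182569); the recommended values are the ones in the post.

```powershell
# Added example: audit the Internet zone (zone 3) settings recommended in the post.
# Reads only the current user's zone key; a machine-wide or Group Policy setting
# for the same action takes precedence and would not be seen here.
param([switch]$Apply)

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Action ID (KB182569) -> setting name as shown in the IE dialog, and the value the post recommends
$recommended = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Value = 1 }  # Prompt
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Value = 3 }  # Disable
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }  # Disable
    '1800' = @{ Name = 'Installation of desktop items';                             Value = 1 }  # Prompt
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Value = 1 }  # Prompt
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Value = 1 }  # Prompt
}

$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSetting {
    param([string]$Path, [string]$Id)
    # A missing value means IE is using its built-in default for that action.
    $item = Get-ItemProperty -Path $Path -Name $Id -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Id
}

function Test-InternetZone {
    param([string]$Path, [hashtable]$Wanted, [switch]$Fix)
    $findings = @()
    foreach ($id in ($Wanted.Keys | Sort-Object)) {
        $want = $Wanted[$id].Value
        $have = Get-ZoneSetting -Path $Path -Id $id
        $haveLabel = if ($null -eq $have) { 'not set (default)' }
                     elseif ($labels.ContainsKey($have)) { $labels[$have] }
                     else { "unknown ($have)" }
        # An explicit Disable (3) is strictly stronger than Prompt (1), so it is not drift.
        $ok = ($have -eq $want) -or ($have -eq 3)
        $findings += [pscustomobject]@{
            Action      = $id
            Setting     = $Wanted[$id].Name
            Current     = $haveLabel
            Recommended = $labels[$want]
            Compliant   = $ok
        }
        if (-not $ok -and $Fix) {
            # Same value the Custom Level dialog writes when you change the setting by hand.
            Set-ItemProperty -Path $Path -Name $id -Value $want -Type DWord
        }
    }
    return $findings
}

$results = Test-InternetZone -Path $zonePath -Wanted $recommended -Fix:$Apply
$results | Format-Table -AutoSize
$weak = @($results | Where-Object { -not $_.Compliant })
if ($weak.Count -gt 0 -and -not $Apply) {
    Write-Host "$($weak.Count) setting(s) weaker than recommended; re-run with -Apply to correct them."
}
```

Run it without `-Apply` first to see the current state; IE must be restarted for corrected values to take effect in open windows.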
-
I have done all that is posted for me to do just have to read thru the posts that are there. All is good now thank you so much for your help.
-
You're welcome. Glad I was able to help.