
Thread: More Virtumonde and Smitfraud-C

  1. #11
    Junior Member
    Join Date
    Dec 2008
    Posts
    22


    No change, still the little pop up balloon.


    ComboFix 08-12-16.03 - KDSN 2008-12-18 4:55:03.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2038.1605 [GMT -6:00]
    Running from: c:\documents and settings\KDSN.MATBOX\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\KDSN.MATBOX\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2008-11-18 to 2008-12-18 )))))))))))))))))))))))))))))))
    .

    2008-12-14 04:04 . 2008-12-14 04:04 <DIR> d-------- c:\program files\Trend Micro
    2008-12-14 01:50 . 2008-12-14 02:16 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2008-12-14 01:50 . 2008-12-14 02:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-12-14 01:40 . 2008-12-18 04:52 <DIR> d-------- c:\program files\Spyware Doctor
    2008-12-14 01:40 . 2008-12-14 01:40 <DIR> d-------- c:\program files\Common Files\PC Tools
    2008-12-14 01:40 . 2008-12-14 01:40 <DIR> d-------- c:\documents and settings\KDSN.MATBOX\Application Data\PC Tools
    2008-12-14 01:40 . 2008-12-14 01:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
    2008-12-14 01:40 . 2008-07-28 12:29 160,792 --a------ c:\windows\system32\drivers\pctfw2.sys
    2008-12-14 01:40 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
    2008-12-14 01:40 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
    2008-12-14 01:40 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
    2008-12-14 01:40 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
    2008-12-13 23:49 . 2008-10-26 17:55 <DIR> d-------- c:\documents and settings\Administrator.MATBOX\Application Data\Symantec
    2008-12-13 23:49 . 2008-10-26 17:55 <DIR> d-------- c:\documents and settings\Administrator.MATBOX\Application Data\Intuit
    2008-12-13 23:49 . 2008-12-13 23:49 <DIR> d-------- c:\documents and settings\Administrator.MATBOX
    2008-12-09 02:39 . 2008-12-09 02:39 <DIR> d-------- c:\program files\sandbox
    2008-12-08 09:08 . 2004-08-03 23:08 26,496 --a------ c:\windows\system32\dllcache\usbstor.sys
    2008-12-07 18:35 . 2008-12-07 18:35 <DIR> d-------- c:\documents and settings\KDSN.MATBOX\Application Data\Move Networks
    2008-12-07 01:16 . 2006-08-21 03:14 128,896 --------- c:\windows\system32\dllcache\fltmgr.sys
    2008-12-07 01:16 . 2006-08-21 03:14 23,040 --------- c:\windows\system32\dllcache\fltmc.exe
    2008-12-07 01:16 . 2006-08-21 06:21 16,896 --------- c:\windows\system32\dllcache\fltlib.dll
    2008-12-07 00:44 . 2007-07-09 07:09 584,192 --------- c:\windows\system32\dllcache\rpcrt4.dll
    2008-12-07 00:35 . 2008-06-13 07:10 272,128 --a------ c:\windows\system32\drivers\bthport.sys
    2008-12-07 00:35 . 2008-06-13 07:10 272,128 --------- c:\windows\system32\dllcache\bthport.sys
    2008-12-07 00:34 . 2008-08-28 04:04 333,056 --------- c:\windows\system32\dllcache\srv.sys
    2008-12-07 00:32 . 2008-08-14 03:57 2,185,984 --------- c:\windows\system32\dllcache\ntoskrnl.exe
    2008-12-07 00:32 . 2008-08-14 03:55 2,142,720 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
    2008-12-07 00:32 . 2008-08-14 03:18 2,062,976 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
    2008-12-07 00:32 . 2008-08-14 03:18 2,020,864 --------- c:\windows\system32\dllcache\ntkrpamp.exe
    2008-12-07 00:22 . 2008-05-08 06:28 202,752 --------- c:\windows\system32\dllcache\rmcast.sys
    2008-12-07 00:18 . 2008-05-01 08:30 331,776 --------- c:\windows\system32\dllcache\msadce.dll
    2008-12-07 00:16 . 2008-09-04 10:42 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
    2008-12-07 00:14 . 2008-10-15 10:57 332,800 --------- c:\windows\system32\dllcache\netapi32.dll
    2008-12-07 00:03 . 2008-12-11 00:09 1,393 --a------ c:\windows\imsins.BAK
    2008-12-01 23:28 . 2008-12-01 23:28 210 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-18 10:58 --------- d-----w c:\documents and settings\KDSN.MATBOX\Application Data\.purple
    2008-12-18 10:52 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2008-12-17 10:50 --------- d-----w c:\documents and settings\All Users\Application Data\SecTaskMan
    2008-12-16 05:23 --------- d-----w c:\program files\World of Warcraft
    2008-12-14 09:26 --------- d-----w c:\program files\Lavasoft
    2008-12-14 09:26 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2008-12-14 07:28 --------- d-----w c:\documents and settings\KDSN.MATBOX\Application Data\AVGTOOLBAR
    2008-12-14 05:48 --------- d-----w c:\documents and settings\KDSN.MATBOX\Application Data\wsInspector
    2008-12-10 09:17 --------- d-----w c:\documents and settings\KDSN.MATBOX\Application Data\gtk-2.0
    2008-12-02 05:28 --------- d-----w c:\program files\Ventrilo
    2008-12-02 05:28 --------- d-----w c:\documents and settings\KDSN.MATBOX\Application Data\Ventrilo
    2008-11-21 01:12 --------- d-----w c:\program files\Startup Inspector for Windows
    2008-11-18 00:03 --------- d-----w c:\program files\QuickTime
    2008-11-18 00:03 --------- d-----w c:\program files\Common Files\Apple
    2008-11-18 00:02 --------- d-----w c:\program files\Apple Software Update
    2008-11-14 04:23 --------- d-----w c:\program files\GIMP-2.0
    2008-11-13 07:15 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
    2008-11-02 02:29 --------- d-----w c:\program files\ffdshow
    2008-11-01 10:23 --------- d-----w c:\program files\Trillian
    2008-10-31 19:33 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
    2008-10-31 08:47 --------- d-----w c:\program files\FreeRIP3
    2008-10-31 08:47 --------- d-----w c:\documents and settings\All Users\Application Data\FreeRIP
    2008-10-31 08:44 --------- d-----w c:\program files\Winamp
    2008-10-30 03:14 --------- d-----w c:\documents and settings\KDSN.MATBOX\Application Data\Acreon
    2008-10-28 21:38 --------- d-----w c:\documents and settings\KDSN.MATBOX\Application Data\AdobeUM
    2008-10-27 10:20 --------- d-----w c:\program files\Network Stumbler
    2008-10-27 06:19 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys
    2008-10-27 06:19 10,520 ----a-w c:\windows\system32\avgrsstx.dll
    2008-10-27 06:18 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
    2008-10-27 06:15 --------- d-----w c:\documents and settings\KDSN\Application Data\Lavasoft
    2008-10-27 06:14 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
    2008-10-27 05:38 --------- d-----w c:\program files\Pidgin
    2008-10-27 02:08 --------- d-----w c:\documents and settings\KDSN.MATBOX\Application Data\Mount&Blade
    2008-10-27 02:06 --------- d-----w c:\documents and settings\KDSN.MATBOX\Application Data\GTek
    2008-10-27 02:01 --------- d-----w c:\documents and settings\KDSN.MATBOX\Application Data\Lavasoft
    2008-10-27 01:52 --------- d-----w c:\documents and settings\All Users\Application Data\WildTangent
    2008-10-27 01:23 --------- d-----w c:\program files\Common Files\Symantec Shared
    2008-10-27 01:23 --------- d-----w c:\documents and settings\KDSN.MATBOX\Application Data\Symantec
    2008-10-27 01:23 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
    2008-10-27 01:06 --------- d-----w c:\documents and settings\KDSN.MATBOX\Application Data\Screaming Bee
    2008-10-27 01:06 --------- d-----w c:\documents and settings\KDSN.MATBOX\Application Data\OpenOffice.org2
    2008-10-27 01:06 --------- d-----w c:\documents and settings\KDSN.MATBOX\Application Data\muvee Technologies
    2008-10-27 00:53 --------- d--h--r c:\documents and settings\KDSN.MATBOX\Application Data\SecuROM
    2008-10-27 00:53 --------- d-----w c:\documents and settings\KDSN.MATBOX\Application Data\Turbine
    2008-10-27 00:53 --------- d-----w c:\documents and settings\KDSN.MATBOX\Application Data\Template
    2008-10-27 00:53 --------- d-----w c:\documents and settings\KDSN.MATBOX\Application Data\teamspeak2
    2008-10-27 00:53 --------- d-----w c:\documents and settings\KDSN.MATBOX\Application Data\SystemRequirementsLab
    2008-10-27 00:53 --------- d-----w c:\documents and settings\KDSN.MATBOX\Application Data\SecondLife
    2008-10-27 00:37 1,715 --sha-r c:\windows\system32\drivers\103C_HP_NTBK_Presario C300 (RL177UA#ABA)_YN_0Pres_QCND6440QV9_E433358001_46_I30C6_SHP_V78.08_BF.05_T060814_WXH2_L409_M2039_J80_7Intel_8Celeron M 420_91.6_#081026_N10EC8139_(RL177UA#ABA)_XMOBILE_CN10_Z_2F.05.MRK
    2008-10-27 00:09 --------- d-----w c:\program files\NetWaiting
    2008-10-27 00:07 --------- d-----w c:\program files\Microsoft Money 2006
    2008-10-27 00:00 --------- d-----w c:\program files\DivX
    2008-10-27 00:00 --------- d-----w c:\program files\CONEXANT
    2008-10-27 00:00 --------- d-----w c:\program files\Common Files\TiVo Shared
    2008-10-27 00:00 --------- d-----w c:\program files\Common Files\SureThing Shared
    2008-10-27 00:00 --------- d-----w c:\program files\Common Files\Sonic Shared
    2008-10-26 23:55 --------- d-----w c:\documents and settings\KDSN.MATBOX\Application Data\Intuit
    2008-10-26 23:55 --------- d-----w c:\documents and settings\All Users\Application Data\Sonic
    2008-10-26 21:52 --------- d-----w c:\documents and settings\KDSN\Application Data\.purple
    2008-10-26 09:53 --------- d-----w c:\documents and settings\KDSN\Application Data\wsInspector
    2008-10-26 08:29 --------- d-----w c:\program files\Common Files\Download Manager
    2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
    2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
    2008-10-23 13:01 283,648 ------w c:\windows\system32\dllcache\gdi32.dll
    2008-10-20 16:27 --------- d-----w c:\documents and settings\KDSN\Application Data\dyyno-vlc
    2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 20:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
    2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
    2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 20:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
    2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 20:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
    2008-10-16 20:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
    2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 20:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
    2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 20:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
    2008-10-15 09:45 18,432 ------w c:\windows\system32\dllcache\iedw.exe
    2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
    2008-10-03 10:15 247,326 ------w c:\windows\system32\dllcache\strmdll.dll
    2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    2008-09-01 01:51 0 ----a-w c:\program files\temp01
    2006-11-28 22:28 138 -c--a-w c:\documents and settings\KDSN\Application Data\wklnhst.dat
    2006-11-28 22:28 138 ----a-w c:\documents and settings\KDSN.MATBOX\Application Data\wklnhst.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2008-12-17_ 4.38.18.78 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-12-17 10:21:55 53,166 ----a-w c:\windows\system32\perfc009.dat
    + 2008-12-18 10:55:54 53,166 ----a-w c:\windows\system32\perfc009.dat
    - 2008-12-17 10:21:55 380,918 ----a-w c:\windows\system32\perfh009.dat
    + 2008-12-18 10:55:54 380,918 ----a-w c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 458752]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-16 794713]
    "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-02 135168]
    "Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
    "RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-10-31 1234712]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Pidgin.lnk - c:\program files\Pidgin\pidgin.exe [2008-10-19 45603]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=""

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Papyrus\\NASCAR Racing 2003 Season\\NR2003.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Program Files\\Trillian\\trillian.exe"=
    "c:\\Program Files\\SecondLife\\SLVoice.exe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-27 97928]
    R1 pctfw2;pctfw2;\??\c:\windows\system32\drivers\pctfw2.sys [2008-12-14 160792]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-10-27 875288]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-31 231704]
    R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-10-27 76040]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-14 356920]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{5B335E7C-B613-4074-ACDA-5D810AC23505} - (no file)
    BHO-{67f731b4-3369-455e-8a8d-57bd320a5115} - (no file)
    BHO-{7BCB320B-F291-4EDC-A8B3-7BCDC3CFC8E3} - (no file)
    BHO-{F225C118-1253-4FC9-AC61-10CE554496AB} - (no file)
    Notify-opnkJbCv - (no file)


    .
    ------- Supplementary Scan -------
    .
    uInternet Connection Wizard,ShellNext = hxxp://www.avg.com/ww.special-toolbar-first-run-tlbrf
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
    FF - ProfilePath - c:\documents and settings\KDSN.MATBOX\Application Data\Mozilla\Firefox\Profiles\h07v5jdv.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - plugin: c:\documents and settings\KDSN.MATBOX\Application Data\Mozilla\Firefox\Profiles\h07v5jdv.default\extensions\{190b412f-3273-4922-9954-56e8bcb5e113}\plugins\NPnsv.dll
    FF - plugin: c:\documents and settings\KDSN.MATBOX\Application Data\Mozilla\Firefox\Profiles\h07v5jdv.default\extensions\NPDyyno@dyyno.com\plugins\npDyyno.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-18 04:58:22
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???????????`?@?????L?@

    scanning hidden files ...


    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(696)
    c:\windows\system32\avgrsstx.dll

    - - - - - - - > 'lsass.exe'(804)
    c:\windows\system32\avgrsstx.dll
    c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
    .
    Completion time: 2008-12-18 5:00:45
    ComboFix-quarantined-files.txt 2008-12-18 10:59:28
    ComboFix2.txt 2008-12-17 10:39:57

    Pre-Run: 6,720,696,320 bytes free
    Post-Run: 6,705,156,096 bytes free

    226 --- E O F --- 2008-12-11 06:10:23



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:01:08 AM, on 12/18/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Pidgin\pidgin.exe
    C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\DJKDSN.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.avg.com/ww.special-toolbar-first-run-tlbrf
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
    O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
    O4 - Global Startup: Pidgin.lnk = C:\Program Files\Pidgin\pidgin.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

    --
    End of file - 5169 bytes

  2. #12
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Log looks to be fine.

    Let's run this next:

    Please download Malwarebytes Anti-Malware and save it to your desktop.
    alternate download link 1
    alternate download link 2
    • Make sure you are connected to the Internet.
    • Double-click on mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • On the Scanner tab:
      • Make sure the "Perform Full Scan" option is selected.
      • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #13
    Junior Member
    Join Date
    Dec 2008
    Posts
    22


    Still no change on the visual symptom side. Still the little popup. It did have me reset.

    Malwarebytes' Anti-Malware 1.31
    Database version: 1512
    Windows 5.1.2600 Service Pack 2

    12/18/2008 6:22:30 AM
    mbam-log-2008-12-18 (06-22-30).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 150777
    Time elapsed: 58 minute(s), 5 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 21

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\ddcDussr.dll.q_8049E04_q (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\kqredj.dll.q_804F801_q (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\omahmy.dll.q_804F801_q (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\qoMeBtUk.dll.q_8049E04_q (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\glynycuk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\jkexpepw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\lqytxtjo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\mlJBTkIX.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\opnkJbCv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\wpv951229210867.cpx.vir (Adware.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP10\A0000165.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP11\A0000170.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP13\A0000425.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP13\A0000426.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP13\A0000428.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP13\A0000429.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP13\A0000430.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP7\A0000032.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP7\A0000029.exe (Adware.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP7\A0000033.exe (Adware.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP7\A0000034.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

  4. #14
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    MBAM found some and quarantined them as well.

    Still same issues?

  5. #15
    Junior Member
    Join Date
    Dec 2008
    Posts
    22


    Correct, it found several.

    Most of the scans I have done have found stuff and removed them. The catch is when the scanners reset to delete the thing, it just pops right back up. Kinda like something is just reinstalling it.

    After Combofix ran the first time, and reset, it was gone. When I shut it off and restarted the laptop it was back. Combofix did something, but I think it may have reinstalled. But, that's just my uneducated theory.

  6. #16
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Yes, there might be a driver which installs it back, or a downloader which immediately downloads it back when the internet connection is open.

    Let's check first for the first option:

    A bootlog is a file where Windows writes down which drivers are loaded and which are not during startup.
    Using Windows explorer, see if you find c:\windows\ntbtlog.txt - If it exists, delete the file.
    • Click Start then Run and type in msconfig in the edit box and hit Enter or click Ok
    • Click on the boot.ini tab and check the box that says /BOOTLOG
    • Click Apply & Ok and reboot the PC (may take a bit longer to boot)
    • After it reboots, you will get a message that msconfig has been used to change your start settings.
    • In msconfig, Check Normal Startup on the GENERAL tab, and on the BOOT.INI tab, Uncheck /BOOTLOG. Click Apply, OK.
    • When a message asks if you want to Reboot now, Click Exit Without Reboot. You don't need to.
    • Using Windows Explorer, locate c:\windows\ntbtlog.txt and post the content of the file.
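    The bootlog procedure above ends with the user posting c:\windows\ntbtlog.txt for the helper to read by eye. The script below is an added example, not code from this thread or from any of the tools named in it: it parses a constructed ntbtlog.txt excerpt and reports, for the most recent boot, which drivers loaded, which did not, and which loaded from somewhere other than the usual system32 / system32\drivers locations. Assumptions: the XP boot log consists of one header block per logged boot followed by "Loaded driver <path>" / "Did not load driver <path>" lines (the file is appended to on every logged boot, which is why the helper asks for the old copy to be deleted first); driver paths appear as \WINDOWS\..., \SystemRoot\... or \??\C:\... . The sample log and the EXAMPLE\example-unusual.sys entry in it are constructed placeholders. A flagged path is only a prompt for a closer look, not a verdict.

```python
import re

# Constructed ntbtlog.txt excerpt (placeholder data, not a log from the thread).
# Two boots are logged back to back, as happens when the old file is not deleted.
SAMPLE_BOOTLOG = r"""Microsoft (R) Windows (R) Version 5.1 (Build 2600)
12 17 2008 04:38:18.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Microsoft (R) Windows (R) Version 5.1 (Build 2600)
12 18 2008 05:10:22.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \SystemRoot\System32\Drivers\fltmgr.sys
Loaded driver \SystemRoot\System32\DRIVERS\avgldx86.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\pctfw2.sys
Loaded driver \??\C:\Documents and Settings\All Users\Application Data\EXAMPLE\example-unusual.sys
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
"""

# Assumed line formats of an XP boot log: a header line per boot, then entries.
HEADER_RE = re.compile(r"^Microsoft \(R\) Windows \(R\) Version")
ENTRY_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(.+)$")


def normalize_path(path: str) -> str:
    """Reduce the three path spellings seen in boot logs to one lower-case form."""
    p = path
    if p.startswith("\\??\\"):          # NT object-manager prefix
        p = p[4:]
    if len(p) >= 2 and p[1] == ":":     # drop a drive letter such as C:
        p = p[2:]
    if p.lower().startswith("\\systemroot\\"):
        p = "\\WINDOWS" + p[len("\\SystemRoot"):]
    return p.lower()


def is_expected_location(norm: str) -> bool:
    """True for \\windows\\system32\\X or \\windows\\system32\\drivers\\X only."""
    parts = norm.strip("\\").split("\\")
    if len(parts) == 3:
        return parts[:2] == ["windows", "system32"]
    if len(parts) == 4:
        return parts[:3] == ["windows", "system32", "drivers"]
    return False


def parse_bootlog(text: str) -> list:
    """Return one list of {'loaded': bool, 'path': str} per logged boot."""
    boots, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if HEADER_RE.match(line):
            current = []
            boots.append(current)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                     # date line, blank line, anything else
        if current is None:              # entries before any header: keep them
            current = []
            boots.append(current)
        status, path = m.groups()
        current.append({"loaded": status == "Loaded driver", "path": path.strip()})
    return boots


def review_last_boot(text: str) -> dict:
    """Summarize the most recent boot: counts, drivers that did not load,
    and loaded drivers sitting outside the expected driver directories."""
    boots = parse_bootlog(text)
    if not boots:
        return {"boots": 0, "loaded": 0, "not_loaded": [], "unusual": []}
    entries = boots[-1]
    loaded = [e["path"] for e in entries if e["loaded"]]
    not_loaded = [e["path"] for e in entries if not e["loaded"]]
    unusual = [p for p in loaded if not is_expected_location(normalize_path(p))]
    return {"boots": len(boots), "loaded": len(loaded),
            "not_loaded": not_loaded, "unusual": unusual}


if __name__ == "__main__":
    report = review_last_boot(SAMPLE_BOOTLOG)
    print(f"boots logged: {report['boots']}, drivers loaded in last boot: {report['loaded']}")
    print("did not load:")
    for p in report["not_loaded"]:
        print("  ", p)
    print("loaded from outside system32 / system32\\drivers (review these):")
    for p in report["unusual"]:
        print("  ", p)
```

    Only the last boot is reviewed because that is the one produced with /BOOTLOG just switched on; earlier blocks in an accumulated file describe older boots. Entries that "did not load" are normal for services set to demand start, so the more interesting list is the last one: a driver loaded from a user-profile or Application Data directory is the kind of thing the helper is looking for when asking for this file.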

  7. #17
    Junior Member
    Join Date
    Dec 2008
    Posts
    22


    Ok this is weird.

    Getting error "Windows cannot find 'msconfig'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."

    I restored the bootlog just in case.

  8. #18
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    If you search for msconfig, does it find something?

  9. #19
    Junior Member
    Join Date
    Dec 2008
    Posts
    22


    Yes, a couple of files, with msconfig.exe files in windows\pchealth\binaries and windows\SoftwareDistribution\Download\(long alphanumeric code)

  10. #20
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    If you type msconfig.exe with the full path into Start - Run, does msconfig open?
