Incomplete malware(zlob) removal

Khan

Guest
One hell of a time!
Yesterday I used the computer at noon and found it as normal as it could be. I had problems before last night that include:
1. Random erratic RAM behaviour (sometimes it is not detected) and power management issues; the former are probably hardware problems.
2. Cannot open ANY help file. When I select one, it displays something like "....cannot open....(.)chm file".
3. I had Norton Antivirus 2005, and after it failed to update for the hundredth time, I switched to AVG.
I logged on last night to find my computer devastated. I could not find the C:\ and D:\ drives (they don't show up in My Computer, but can be accessed), there was no All Programs list, and there were three new icons which were links to a website distributing an antivirus product. My systray had a "Your computer is affected" icon and the clock had "VIRUS ALERT!" displayed. Task Manager and Display Properties were disabled, although I am the administrator. Every few minutes two copies each of two types of pop-ups said I had a virus in my computer and asked me to click "Yes" to download the same program. I clicked "No" every time, yet two instances of Internet Explorer often opened (which displayed, funnily enough, two of the same unknown toolbar) to harmful sites. Everything bogged down. I started cleaning with AVG Free Anti-virus, and opened Spybot too. I found a forum which suggested "SmitfraudFix"; I downloaded it, but it wouldn't open! My applications kept switching automatically, and AVG detected two adwares (which I moved to the Virus Vault). I got pissed off and started deleting processes using Novin Process Manager 2. I found nothing out of the ordinary, except more svchost.exe instances (which I stay away from interfering with) than normal. I worked offline to avoid downloading crapware, only connecting when necessary. I killed crss.exe (just because I was desperate) and the system rebooted. The on-going scan in AVG had nothing to show, but SB showed at least nine trojans and spyware including zlob and freeantivirus2009. I booted into safe mode, ran SmitFraudFix (although a Spybot entry suggested I had SmitFraud) and finally managed to get rid of them! At least that's what I thought :sad:.
I forced myself to install ZoneAlarm Firewall (the only other time I installed a firewall besides the Windows one was Comodo, which failed to update and had to be manually removed), and used CCleaner and Glary Utilities to clean up everything. Although Spybot did ask to reboot when scanning virtumonde.dll, I ignored it last time.
Now, on to the problem. I restarted to find a notification in the systray telling me Automatic Updates are turned off, and this doesn't show in the Security Center, which says I have Automatic Updates running. I haven't received updates for quite a while; the update balloon only scanned for updates. Manually turning it on in Services is not possible, showing Error 1058. Firefox, my default browser, cannot download anything, but can access sites. I submitted a HijackThis report to an automated site, which showed "nfbvxmxl.dll" (AVG found nothing, and Firefox cannot upload it) as potential malware. I can't delete it from system32; it's loaded as a process but I can't unload it. A Spybot scan found only five malware, including "zlob", after SmitFraudFix cleaned it up. AVG shows two entries as Generic Trojans, both in system32, geBrpNDS.dll and mlJDtttr.dll. I removed geBrpNDS from the start-up with Spybot. A new Spybot search found nothing until virtumonde.dll and asks me to reboot.
The current HijackThis log file is shown below:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:02:21, on 10/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Software\Installs\AVG\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
D:\Software\Installs\AVG\avgrsx.exe
D:\Software\Installs\AVG\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
D:\Software\Installs\AVG\avgtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\hkcmd.exe
D:\Software\Installs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
D:\Software\Installs\AVG\avgui.exe
D:\Software\Installs\AVG\avgscanx.exe
D:\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
D:\Software\Installs\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\Software\Installs\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] D:\Software\Installs\AVG\avgtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Software\Installs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-_UNO/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED9B4A79-D761-4424-8623-80F86ABC7671}: NameServer = 10.15.0.10 10.15.0.11
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Software\Installs\AVG\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\Software\Installs\AVG\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\Software\Installs\AVG\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4402 bytes
 
Analysis of nfbvxmxl.dll, geBrpNDS.dll

File Name : nfbvxmxl.dll
File Size : 80512 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5 : 1b67c585dba9369d4d440d7297a012f9
SHA1 : 2783841a27e3e3c80559b08c441371fe60aa2e95
Scanner results
Scanner results : 14% Scanner(5/37) found malware!
Time : 2008/10/03 09:28:27 (BDT)
Scanner Engine Ver Sig Ver Sig Date Scan result Time
a-squared 4.0.0.14 2008.10.02 2008-10-02 - 1.663
AhnLab V3 2008.10.02.01 2008.10.02 2008-10-02 - 1.041
AntiVir 7.8.1.34 7.0.6.241 2008-10-02 - 2.319
Arcavir 1.0.5 200810021817 2008-10-02 - 1.421
Authentium 5.1.1 200810012118 2008-10-01 - 0.008
AVAST! 3.0.1 081002-0 2008-10-02 - 0.008
AVG 7.5.52.442 270.7.5/1704 2008-10-02 - 1.623
BitDefender 7.60825.1831294 7.21145 2008-10-03 - 3.125
CA (VET) 9.0.0.143 31.6.6126 2008-10-03 - 4.884
ClamAV 0.94 8372 2008-10-02 - 0.024
Comodo 2.11 2.0.0.664 2008-10-02 - 0.432
CP Secure 1.1.0.715 2008.10.02 2008-10-02 - 6.016
Dr.Web 4.44.0.9170 2008.10.02 2008-10-02 - 3.252
ewido 4.0.0.2 2008.10.02 2008-10-02 - 4.618
F-Prot 4.4.4.56 20081002 2008-10-02 - 1.040
F-Secure 5.51.6100 2008.10.03.01 2008-10-03 - 0.040
Fortinet 2.81-3.113 9.610 2008-10-02 Suspicious 0.193
Ikarus T3.1.01.34 2008.10.02.71570 2008-10-02 - 3.535
JiangMin 11.0.706 2008.10.02 2008-10-02 - 1.249
Kaspersky 5.5.10 2008.10.03 2008-10-03 - 0.033
KingSoft 2008.9.8.18 2008.10.2.18 2008-10-02 - 0.670
McAfee 5.3.00 5397 2008-10-02 - 1.995
Microsoft 1.4005 2008.10.02 2008-10-02 Trojan:Win32/Vundo.gen!T 5.838
mks_vir 2.01 2008.10.03 2008-10-03 - 2.884
Norman 5.93.01 5.93.00 2008-10-02 - 5.011
nProtect 2008-10-02.00 2194932 2008-10-02 - 4.265
Panda 9.05.01 2008.10.02 2008-10-02 - 1.989
Quick Heal 9.50 2008.10.01 2008-10-01 - 1.836
Rising 20.0 20.63.62.00 2008-09-28 Suspicious.Trojan.Win32.Agent.b 0.851
Sophos 2.79.0 4.34 2008-10-03 Troj/Virtum-Gen 1.720
Sunbelt 3.1.1675.1 2261 2008-09-26 VIPRE.Suspicious 0.441
Symantec 1.3.0.24 20081002.004 2008-10-02 - 0.050
The Hacker 6.3.1.0 v00099 2008-10-02 - 0.456
Trend Micro 8.700-1004 5.578.02 2008-10-02 - 0.025
VBA32 3.12.8.6 20081001.2041 2008-10-01 - 1.337
ViRobot 20081002 2008.10.02 2008-10-02 - 0.401
VirusBuster 4.5.11.10 10.89.5/633834 2008-10-02 - 0.862

File Name : geBrpNDS.dll
File Size : 38272 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5 : 33979fff18982b4523c90f07f1f806e1
SHA1 : 7f3f408ccecbafd7bb99400c2e0aeac3238eb7d2
Scanner results
Scanner results : 19% Scanner(7/37) found malware!
Time : 2008/10/03 09:33:56 (BDT)
Scanner Engine Ver Sig Ver Sig Date Scan result Time
a-squared 4.0.0.14 2008.10.02 2008-10-02 - 1.558
AhnLab V3 2008.10.02.01 2008.10.02 2008-10-02 - 1.038
AntiVir 7.8.1.34 7.0.6.241 2008-10-02 - 2.328
Arcavir 1.0.5 200810021817 2008-10-02 - 1.340
Authentium 5.1.1 200810012118 2008-10-01 - 0.009
AVAST! 3.0.1 081002-0 2008-10-02 - 0.690
AVG 7.5.52.442 270.7.5/1704 2008-10-02 Generic11.ANIN 1.606
BitDefender 7.60825.1831294 7.21145 2008-10-03 - 3.100
CA (VET) 9.0.0.143 31.6.6126 2008-10-03 - 5.208
ClamAV 0.94 8372 2008-10-02 - 0.017
Comodo 2.11 2.0.0.664 2008-10-02 - 0.423
CP Secure 1.1.0.715 2008.10.02 2008-10-02 - 5.989
Dr.Web 4.44.0.9170 2008.10.02 2008-10-02 - 3.250
ewido 4.0.0.2 2008.10.02 2008-10-02 - 2.802
F-Prot 4.4.4.56 20081002 2008-10-02 - 1.062
F-Secure 5.51.6100 2008.10.03.01 2008-10-03 - 3.488
Fortinet 2.81-3.113 9.610 2008-10-02 Suspicious 0.203
Ikarus T3.1.01.34 2008.10.02.71570 2008-10-02 Trojan.Vundo.FKM 3.433
JiangMin 11.0.706 2008.10.02 2008-10-02 - 1.225
Kaspersky 5.5.10 2008.10.03 2008-10-03 - 0.032
KingSoft 2008.9.8.18 2008.10.2.18 2008-10-02 - 0.646
McAfee 5.3.00 5397 2008-10-02 - 1.996
Microsoft 1.4005 2008.10.02 2008-10-02 Trojan:Win32/Vundo.gen!T 4.485
mks_vir 2.01 2008.10.03 2008-10-03 - 2.839
Norman 5.93.01 5.93.00 2008-10-02 Vundo.gen253 4.984
nProtect 2008-10-02.00 2194932 2008-10-02 - 4.141
Panda 9.05.01 2008.10.02 2008-10-02 - 2.125
Quick Heal 9.50 2008.10.03 2008-10-03 - 1.791
Rising 20.0 20.63.62.00 2008-09-28 Suspicious.Trojan.Win32.Agent.b 0.983
Sophos 2.79.0 4.34 2008-10-03 - 1.730
Sunbelt 3.1.1675.1 2261 2008-09-26 VIPRE.Suspicious 0.485
Symantec 1.3.0.24 20081002.004 2008-10-02 - 0.048
The Hacker 6.3.1.0 v00099 2008-10-02 - 0.447
Trend Micro 8.700-1004 5.578.02 2008-10-02 - 0.024
VBA32 3.12.8.6 20081001.2041 2008-10-01 - 1.327
ViRobot 20081002 2008.10.02 2008-10-02 - 0.406
VirusBuster 4.5.11.10 10.89.5/633834 2008-10-02 - 0.826

I used Internet Explorer.
 
Update: Still no luck

Since my last post, I have continually scoured for all sorts of malware. I looked up error 1058 with no luck. Meanwhile I managed to heal/delete/quarantine possible sources. It seems that I might as well reinstall Windows, or abandon the ship (and all its precious cargo :sad:). The previously mentioned files are, AVG says, sent to the Virus Vault. Meanwhile, a full Spybot scan found virtumonde.dll (also called, Wikipedia says, Vundo) and asked me to restart, which I did. AVG seems to be bent on proving it's the worst; whatever Malwarebytes discovers, it opens an annoying pop-up to claim it first. I healed them all. The computer slowed down again. What I found shocking is that an IP that starts with 10.25.variable.variable is contacting my computer, and one of my programs is allowing it internet access; ZoneAlarm cut them all. An IP address look-up yielded nothing. The whole thing is getting even more complicated, with attacks on Firefox, the Holy Grail of n00bd3fence. It tried to open sites which contained, in their URL, the name of my social network. I immediately changed the password, and again it returned the same empty-page URL. The site is hosted by a company from the Netherlands. Once, a page with the weirdest of gTLDs was stopped by Firefox/Google/SiteAdvisor/LinkScanner. I am counting on someone who has grey matter instead of a closed-source algorithm, so please do suggest what to do.
I installed Malwarebytes' Anti-Malware, and it found 26 infections:

LOGFILE: MALWAREBYTES' ANTI-MALWARE
Malwarebytes' Anti-Malware 1.28
Database version: 1225
Windows 5.1.2600 Service Pack 2

10/3/2008 2:25:42 PM
mbam-log-2008-10-03 (14-25-42).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 161352
Time elapsed: 1 hour(s), 21 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 5
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\nmcgxppy.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6fb13dd6-4650-4556-ae18-27142f0b5c9f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebrpnds (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6fb13dd6-4650-4556-ae18-27142f0b5c9f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\202410d3 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb6586 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd707 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga7764 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc8017 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\tuvumjgy -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\geBrpNDS.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nfbvxmxl.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lxmxvbfn.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nmcgxppy.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yppxgcmn.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tuvUmjGy.dll_old (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yGjmUvut.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yGjmUvut.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\MAHBOOB\Local Settings\Temporary Internet Files\Content.IE5\0JT3DWO7\file[1].exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\MANSIB\Local Settings\Temporary Internet Files\Content.IE5\KH83C4X3\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{340C6BDC-917D-416B-B44F-0E88BA84FAB5}\RP179\A0091984.dll (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{340C6BDC-917D-416B-B44F-0E88BA84FAB5}\RP179\A0091985.dll (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{340C6BDC-917D-416B-B44F-0E88BA84FAB5}\RP180\A0092156.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{340C6BDC-917D-416B-B44F-0E88BA84FAB5}\RP180\A0092175.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\evmd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\evqb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\MANSIB\Favorites\Malware Defender.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\MANSIB\Favorites\Protect Your Privacy.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\MANSIB\Favorites\System Error Fixer.url (Rogue.Link) -> Quarantined and deleted successfully.

I renamed HijackThis to HighackThat and ran it:

LOGFILE: HIJACKTHIS
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:45:48, on 10/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Software\Installs\AVG\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
D:\Software\Installs\AVG\avgrsx.exe
D:\Software\Installs\AVG\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
D:\Software\Installs\AVG\avgtray.exe
C:\WINDOWS\system32\hkcmd.exe
D:\Software\Installs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\rundll32.exe
D:\Mozilla Firefox\firefox.exe
D:\Software\Installs\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Software\Installs\HijackThis\HighackThat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Software\Installs\AVG\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {F41D9B53-00C1-43AD-BFAE-0FD33AEE23B1} - C:\WINDOWS\system32\tuvUmjGy.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] D:\Software\Installs\AVG\avgtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Software\Installs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "D:\Software\Installs\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotSnD] "D:\Software\Installs\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-_UNO/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED9B4A79-D761-4424-8623-80F86ABC7671}: NameServer = 10.15.0.10 10.15.0.11
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Software\Installs\AVG\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\Software\Installs\AVG\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\Software\Installs\AVG\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5065 bytes

And about opening help files, the error is:
Cannot open the file: mk:@MSITStore:<apppath>\Help\<helpfile>.chm
I have other anti-virus installers, including Avira AntiVir Free Edition and Avast! Home Edition, and an excellent anti-spyware called Ad-Aware SE, but none are installed.
I last scanned with AVG and SB only 3 days ago. I defrag frequently using Defraggler. I have CCleaner, and now that I have read about the dangers of registry cleaners, I will stop using it and the Glary Utilities scanner. However, I used them earlier and have back-ups 3 weeks old. I frequently monitor my start-up entries. I have BitTorrent just for the sake of it; I removed its background software ages ago. If you insist, I will remove it immediately. I suppose it's extremely rude to keep posting, and I apologize.
Incidentally, all this happened the day I received my Ubuntu CD! :) I wonder why?
 
Kaspersky Anti-virus logfile, SmitFraudFix logfile.

I found rapport.txt and am posting it. I just can't update Windows XP SP2! Error 1058? I also scanned with the Kaspersky on-line scanner. Here's the log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, October 4, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, October 03, 2008 23:20:06
Records in database: 1287308
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
I:\

Scan statistics:
Files scanned: 118729
Threat name: 4
Infected objects: 8
Suspicious objects: 0
Duration of the scan: 02:36:03


File name / Threat name / Threats count
C:\System Volume Information\_restore{340C6BDC-917D-416B-B44F-0E88BA84FAB5}\RP179\A0091980.dll Infected: Trojan.Win32.Vapsup.lzl 1
C:\System Volume Information\_restore{340C6BDC-917D-416B-B44F-0E88BA84FAB5}\RP179\A0091982.dll Infected: Trojan.Win32.Vapsup.lzm 1
C:\System Volume Information\_restore{340C6BDC-917D-416B-B44F-0E88BA84FAB5}\RP179\A0092026.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\System Volume Information\_restore{340C6BDC-917D-416B-B44F-0E88BA84FAB5}\RP179\A0092047.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
D:\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
D:\Software\Utilities\Anti-virus, spyware and adware\SDFix\a2cmd.zip Infected: Backdoor.Win32.Prosti.tz 1
D:\Software\Utilities\Anti-virus, spyware and adware\SDFix\a2framework.dll Infected: Backdoor.Win32.Prosti.tz 1
D:\Software\Utilities\Anti-virus, spyware and adware\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

The selected area was scanned.

SMITFRAUDFIX: LOGFILE

SmitFraudFix v2.356

Scan done at 1:09:34.43, Fri 10/03/2008
Run from C:\Documents and Settings\MANSIB\desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\MANSIB


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\MANSIB\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\MANSIB\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix
!!!Attention, following keys are not inevitably infected!!!

AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL,avgrsstx.dll C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL"
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

I would be grateful if you reply.
Should I reinstall Windows? Should I switch to Ubuntu? Would my programs work in it? Error 1058: Windows suggests I have been infected with Vundo, but I removed it, right? Can I post this in another forum if you do not reply at all?
Thank you.
 
HijackThis: Uninstall log

ACDSee
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Photoshop CS
Adobe Reader 9
Adobe Shockwave Player 11
AVG Free 8.0
Avro Keyboard 4.5.1
CCleaner (remove only)
Cheatbook Database 2008
Defraggler (remove only)
DivX Codec 3.1
FIFA 08
FoxyTunes for Firefox
Free Mp3 Wma Converter V 1.7.3
Glary Utilities 2.6.1
Google Desktop
Google Earth
GTA San Andreas
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Java(TM) 6 Update 2
Java(TM) 6 Update 5
Java(TM) 6 Update 7
jv16 PowerTools 1.3
Malwarebytes' Anti-Malware
McAfee SiteAdvisor
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.3)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
Need For Speed Most Wanted (Black Edition 1.3) Mega Trainer
Nero Suite
Nokia Connectivity Cable Driver
Nokia Flashing Cable Driver
Nokia PC Suite
Nokia PC Suite
ObjectDock
PC Connectivity Solution
Plus! MP3 Audio Converter LE
RealPlayer
Realtek High Definition Audio Driver
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
Samsung PC Studio 3 USB Driver Installer
Samsung Samples Installer
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
The Godfather™ The Game
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Windows Driver Package - Nokia (WUDFRd) WPD (03/19/2007 6.83.31.1)
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Bonus Pack for Windows XP
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
WordWeb
Yahoo! Messenger
ZoneAlarm
 
Still looking....

StartupList report, 10/4/2008, 9:43:51 AM
StartupList version: 1.52.2
Started from : D:\Software\Installs\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16705)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Software\Installs\AVG\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
D:\Software\Installs\AVG\avgrsx.exe
D:\Software\Installs\AVG\avgtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
D:\Software\Installs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
D:\Software\Installs\AVG\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxsrvc.exe
D:\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
D:\Software\Installs\HijackThis\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

RTHDCPL = RTHDCPL.EXE
Persistence = C:\WINDOWS\system32\igfxpers.exe
Alcmtr = ALCMTR.EXE
AVG8_TRAY = D:\Software\Installs\AVG\avgtray.exe
Google Desktop Search = "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
HotKeysCmds = C:\WINDOWS\system32\hkcmd.exe
IgfxTray = C:\WINDOWS\system32\igfxtray.exe
ZoneAlarm Client = "D:\Software\Installs\ZoneAlarm\zlclient.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*"

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

AcroIEHelperStub - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll - {18DF081C-E8AD-4283-A596-FA578C2EBDC3}
WormRadar.com IESiteBlocker.NavFilter - D:\Software\Installs\AVG\avgssie.dll - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
(no name) - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6}
(no name) - C:\WINDOWS\system32\tuvUmjGy.dll (file missing) - {F41D9B53-00C1-43AD-BFAE-0FD33AEE23B1}

--------------------------------------------------

Enumerating Task Scheduler jobs:

GlaryInitialize.job

--------------------------------------------------

Enumerating Download Program Files:

[PCPitstop Utility]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PCPitstop.dll
CODEBASE = http://www.pcpitstop.com/pcpitstop/pcpitstop.cab

[SpinTop DRM Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONFLICT.1\stg_drm.ocx
CODEBASE = file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx

[UnoCtrl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\GAME_UNO1.dll
CODEBASE = http://messenger.zone.msn.com/EN-US/a-_UNO/GAME_UNO1.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll
CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

[ArmHelper Control]
InProcServer32 = ./Images/armhelper.ocx
CODEBASE = file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 7,281 bytes
Report generated in 0.047 seconds
 
Hi

Could you post a fresh hjt log so that I can see current status of the system, please?
 
HJT Log!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:43 AM, on 10/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Software\Installs\AVG\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
D:\Software\Installs\AVG\avgrsx.exe
D:\Software\Installs\AVG\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
D:\Software\Installs\AVG\avgtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\hkcmd.exe
D:\Software\Installs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\igfxsrvc.exe
D:\Mozilla Firefox\firefox.exe
D:\Software\Installs\HijackThis\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Software\Installs\AVG\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {F41D9B53-00C1-43AD-BFAE-0FD33AEE23B1} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] D:\Software\Installs\AVG\avgtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Software\Installs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-_UNO/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED9B4A79-D761-4424-8623-80F86ABC7671}: NameServer = 10.15.0.10 10.15.0.11
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Software\Installs\AVG\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\Software\Installs\AVG\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\Software\Installs\AVG\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5100 bytes
 
Hi

Start hjt, do a system scan, check (if found):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {F41D9B53-00C1-43AD-BFAE-0FD33AEE23B1} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

Close browsers and fix checked.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report & a fresh hjt log.
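The triage in the reply above (fix the about:blank start page, the orphaned BHO whose DLL is gone, the unrecognised Alcmtr run entry) is the kind of rule a script can apply to a HijackThis log before a human looks at it. The Python below is an added example for this thread, not part of the original posts and not HijackThis' own code. The sample lines are copied from the log posted above (constructed input for the example); the allow lists KNOWN_RUN_ENTRIES and KNOWN_APPINIT_DLLS and the expected_dns parameter are this example's own assumptions, since HijackThis ships no such lists.

```python
"""Triage a HijackThis 2.0.2-style log the way a forum helper does by hand.

Added example, not part of the thread or of HijackThis.  The sample lines
are copied from the posted log; the allow lists and rules are assumptions.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Set

# Constructed sample input: entry lines copied from the log posted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {F41D9B53-00C1-43AD-BFAE-0FD33AEE23B1} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] D:\Software\Installs\AVG\avgtray.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED9B4A79-D761-4424-8623-80F86ABC7671}: NameServer = 10.15.0.10 10.15.0.11
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
"""

# Assumed allow lists for this particular machine (HijackThis keeps none).
KNOWN_RUN_ENTRIES: Set[str] = {"RTHDCPL", "AVG8_TRAY", "RunNarrator", "ctfmon.exe"}
KNOWN_APPINIT_DLLS: Set[str] = {"avgrsstx.dll"}


class Finding(NamedTuple):
    severity: str   # "fix", "review" or "info"
    code: str       # HijackThis section code, e.g. "O2"
    detail: str


ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK.*?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
START_RE = re.compile(r"^(?P<key>.+),(?P<value>Start Page|Default_Page_URL|Search Page) = (?P<url>.+)$")
DNS_RE = re.compile(r"NameServer = (?P<servers>.+)$")


def triage(log_text: str, expected_dns: Optional[Set[str]] = None) -> List[Finding]:
    """Return the entries a helper would act on, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # process list, headers and blank lines carry no entry
        code, body = m.group("code"), m.group("body")

        if code in ("R0", "R1"):
            s = START_RE.match(body)
            if s and s.group("url").lower() == "about:blank":
                findings.append(Finding("fix", code, f"{s.group('value')} is about:blank; reset to the intended page"))

        elif code == "O2" and body.startswith("BHO:"):
            # A BHO registration whose DLL no longer exists is dead weight left by a removal.
            if body.endswith("(no file)") or body.endswith("(file missing)"):
                findings.append(Finding("fix", code, f"orphaned BHO registration, DLL gone: {body}"))

        elif code == "O4":
            r = RUN_RE.match(body)
            if r and r.group("name") not in KNOWN_RUN_ENTRIES:
                findings.append(Finding("review", code, f"{r.group('hive')}\\{r.group('key')} [{r.group('name')}] -> {r.group('cmd')} not on allow list"))

        elif code == "O17":
            d = DNS_RE.search(body)
            for server in (d.group("servers").split() if d else []):
                try:
                    kind = "private" if ipaddress.ip_address(server).is_private else "public"
                except ValueError:
                    findings.append(Finding("review", code, f"unparseable NameServer value {server!r}"))
                    continue
                if expected_dns is not None and server not in expected_dns:
                    findings.append(Finding("review", code, f"unexpected DNS server {server} ({kind})"))
                else:
                    findings.append(Finding("info", code, f"DNS server {server} ({kind}); verify it is the network's real resolver"))

        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs are loaded into every process that links user32, so each one needs a known owner.
            dlls = [t for t in re.split(r"[,\s]+", body[len("AppInit_DLLs:"):]) if t]
            for dll in dict.fromkeys(dlls):  # de-duplicate while keeping order
                base = dll.rsplit("\\", 1)[-1].lower()
                if base not in KNOWN_APPINIT_DLLS:
                    findings.append(Finding("review", code, f"AppInit_DLLs loads {dll}; confirm its publisher"))
    return findings


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(f"[{item.severity:6}] {item.code}: {item.detail}")
```

Run against the sample it reports two "fix" items (the about:blank start page and the orphaned BHO), the Alcmtr run entry and the Google Desktop AppInit DLL for review, and the two 10.15.0.x resolvers as information; pass expected_dns to turn any resolver that is not the network's own into a review item, which is the check to run when a DNS-changing trojan is suspected.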
 
Ah! Bugs everywhere!

Sorry for the late reply! I didn't know you would reply so quickly!:red:
Logfile: HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:50 PM, on 10/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Software\Installs\AVG\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
D:\Software\Installs\AVG\avgrsx.exe
D:\Software\Installs\AVG\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
D:\Software\Installs\AVG\avgtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\hkcmd.exe
D:\Software\Installs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\cidaemon.exe
D:\Software\Installs\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\Software\ATF-Cleaner.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Software\Installs\AVG\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Software\Installs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] D:\Software\Installs\AVG\avgtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-_UNO/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED9B4A79-D761-4424-8623-80F86ABC7671}: NameServer = 10.15.0.10 10.15.0.11
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Software\Installs\AVG\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\Software\Installs\AVG\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\Software\Installs\AVG\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4898 bytes

I downloaded and ran ATF Cleaner, selected those options, and removed 22.6MB. But my Firefox option was grayed out, and I had Firefox running at that time. I closed it and restarted ATF Cleaner with no success. I have the 'Clear Private Data on Exit' (except passwords) option enabled. I use CCleaner and Glary Utilities for the cleaning stuff, so I moved on.
Incidentally, I restarted System Restore to delete previously infected files. The Firewall problem is fixed. I clicked it and Windows finally found ZoneAlarm. While Kaspersky scans, I think I can mention problems that still exist:
1. No Help & Support in any sort of program.
2. This guy/gal/bot 10.25.variable.variable is killing me: ZoneAlarm shows me that this IP has been blocked every time I am connected to the Internet.
3. Many applications, especially those heavy on memory, crash and show the 'This program has to be closed' box. The AnalyzeThis button in HijackThis does the same.

Well, on to the Kaspersky log report. I had another problem, which is that the scan was completed, but when I clicked on the 'Save Report As' button, it grayed out and the Save File box never appeared. However, the Scan Report button showed me the problems, so I copied them into the previous Kaspersky Logfile format.
Logfile: Kaspersky Online Scanner
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, October 4, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, October 03, 2008 23:20:06
Records in database: 1287308
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
I:\

Scan statistics:
Files scanned: 110398
Threat name: 2
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 01:28:41


File name / Threat name / Threats count
D:\Mozilla Firefox\SmitfraudFix\Reboot.exe not-a-virus:RiskTool.Win32.Reboot.f> 1
D:\Software\Utilities\Anti-virus, spyware and adware\SDFix\a2cmd.zip Backdoor.Win32.Prosti.tz> 1
D:\Software\Utilities\Anti-virus, spyware and adware\SDFix\a2framework.dll Backdoor.Win32.Prosti.tz> 1
 
Oops!

Me and my formatting:
Logfile: Kaspersky Online Scanner
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, October 4, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, October 03, 2008 23:20:06
Records in database: 1287308
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
I:\

Scan statistics:
Files scanned: 110398
Threat name: 2
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 01:28:41


File name / Threat name / Threats count
D:\Mozilla Firefox\SmitfraudFix\Reboot.exe not-a-virus:RiskTool.Win32.Reboot.f> 1
D:\Software\Utilities\Anti-virus, spyware and adware\SDFix\a2cmd.zip Backdoor.Win32.Prosti.tz> 1
D:\Software\Utilities\Anti-virus, spyware and adware\SDFix\a2framework.dll Backdoor.Win32.Prosti.tz> 1
Logfile: Kaspersky Online Scanner
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, October 4, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, October 03, 2008 23:20:06
Records in database: 1287308
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
I:\

Scan statistics:
Files scanned: 110398
Threat name: 2
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 01:28:41


File name / Threat name / Threats count
D:\Mozilla Firefox\SmitfraudFix\Reboot.exe not-a-virus:RiskTool.Win32.Reboot.f> 1
D:\Software\Utilities\Anti-virus, spyware and adware\SDFix\a2cmd.zip Backdoor.Win32.Prosti.tz> 1
D:\Software\Utilities\Anti-virus, spyware and adware\SDFix\a2framework.dll Backdoor.Win32.Prosti.tz> 1
D:\Software\Utilities\Anti-virus, spyware and adware\SmitfraudFix.exe not-a-virus:RiskTool.Win32.Reboot.f> 1
 
I hate myself....and Internet Explorer!

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, October 4, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, October 03, 2008 23:20:06
Records in database: 1287308
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
I:\

Scan statistics:
Files scanned: 110398
Threat name: 2
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 01:28:41


File name / Threat name / Threats count
D:\Mozilla Firefox\SmitfraudFix\Reboot.exe not-a-virus:RiskTool.Win32.Reboot.f 1
D:\Software\Utilities\Anti-virus, spyware and adware\SDFix\a2cmd.zip Backdoor.Win32.Prosti.tz 1
D:\Software\Utilities\Anti-virus, spyware and adware\SDFix\a2framework.dll Backdoor.Win32.Prosti.tz 1
D:\Software\Utilities\Anti-virus, spyware and adware\SmitfraudFix.exe not-a-virus:RiskTool.Win32.Reboot.f 1
 
Hi

Those memory crashes might indicate hardware problems. Let's see what ComboFix finds.


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
 
Sorry for the delay. I looked around to find this Recovery Console thing. Well, from an SP3 CD, I couldn't install the Recovery Console; pressing 'R' doesn't work (there are no folders!) and my floppy drives are more dead than obsolete. So I finally made up my mind to do without it.

LOGFILE: COMBOFIX
ComboFix 08-10-09.06 - MANSIB 2008-10-12 19:35:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.677 [GMT 6:00]
Running from: C:\Documents and Settings\MANSIB\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\MSINET.oca

.
((((((((((((((((((((((((( Files Created from 2008-09-12 to 2008-10-12 )))))))))))))))))))))))))))))))
.

2008-10-10 22:52 . 2008-10-10 22:59 <DIR> d-------- C:\Documents and Settings\MANSIB\dwhelper
2008-10-07 15:18 . 2008-03-09 02:16 3,053,431 --a------ C:\WINDOWS\StyleXPTour.exe
2008-10-07 11:23 . 2008-10-07 11:23 0 --a------ C:\WINDOWS\PowerReg.dat
2008-10-05 06:23 . 2008-06-30 21:30 188,547 --a------ C:\wubildr
2008-10-05 06:23 . 2008-06-30 21:30 8,192 --a------ C:\wubildr.mbr
2008-10-03 18:41 . 2008-10-03 18:41 <DIR> d-------- C:\Documents and Settings\Fariha Tasnim\Application Data\Malwarebytes
2008-10-03 12:55 . 2008-10-03 12:55 <DIR> d-------- C:\Documents and Settings\MANSIB\Application Data\Malwarebytes
2008-10-03 12:55 . 2008-10-03 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-03 12:55 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-03 12:55 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-03 04:26 . 2008-10-12 19:41 11,103,264 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-10-03 04:26 . 2008-10-12 19:38 157,940 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-10-03 03:27 . 2008-10-03 03:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-10-03 03:26 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-10-03 03:26 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-10-03 03:26 . 2008-10-03 03:29 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-10-03 01:03 . 2008-10-03 01:09 2,374 --a------ C:\WINDOWS\system32\tmp.reg
2008-10-02 21:55 . 2008-10-02 21:55 <DIR> d-------- C:\Documents and Settings\MANSIB\Application Data\TmpRecentIcons
2008-10-02 21:07 . 2008-10-04 03:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vyfyjwla
2008-10-01 21:35 . 2008-10-01 21:35 <DIR> d-------- C:\WINDOWS\Logs
2008-09-29 22:05 . 2008-10-01 21:31 <DIR> d-------- C:\Documents and Settings\MANSIB\Application Data\DNA
2008-09-27 04:59 . 2008-09-27 04:59 <DIR> d-------- C:\Documents and Settings\MANSIB\Application Data\MSNInstaller
2008-09-26 06:23 . 2008-09-26 06:23 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-09-25 01:13 . 2008-09-25 01:13 <DIR> d-------- C:\Documents and Settings\MANSIB\Application Data\Samsung
2008-09-24 13:31 . 2008-09-24 13:31 <DIR> d-------- C:\Documents and Settings\Fariha Tasnim\Application Data\Samsung
2008-09-23 01:57 . 2000-11-29 04:07 307,200 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-09-23 01:57 . 2003-08-07 17:01 237,568 --a------ C:\WINDOWS\system32\lame_enc.dll
2008-09-23 01:52 . 2008-09-23 01:54 164 --a------ C:\WINDOWS\CDPLAYER.UNI
2008-09-23 01:51 . 2008-09-23 01:51 <DIR> d-------- C:\WINDOWS\Free CD Music Converter
2008-09-22 21:55 . 2008-09-22 21:55 <DIR> d-------- C:\Documents and Settings\MANSIB\Application Data\Seven Zip
2008-09-18 21:25 . 2008-09-18 21:25 <DIR> d-------- C:\Documents and Settings\MANSIB\Application Data\Media Player Classic
2008-09-18 21:19 . 2001-11-30 19:05 131,072 --a------ C:\WINDOWS\system32\dzip32.dll
2008-09-18 21:19 . 2001-11-30 19:05 110,592 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-09-18 21:18 . 2008-10-05 01:16 <DIR> d-------- C:\Program Files\Windows Media Bonus Pack for Windows XP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-12 13:19 --------- d-----w C:\Documents and Settings\MANSIB\Application Data\SiteAdvisor
2008-10-11 06:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-09 06:26 --------- d-----w C:\Documents and Settings\Fariha Tasnim\Application Data\SiteAdvisor
2008-10-07 06:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-04 19:15 --------- d-----w C:\Program Files\Java
2008-10-02 23:09 --------- d-----w C:\Documents and Settings\MANSIB\Application Data\BitTorrent
2008-10-01 14:51 --------- d-----w C:\Program Files\DNA
2008-09-29 18:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-09-28 17:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-09-26 10:55 5,632 ----a-w C:\WINDOWS\system32\drivers\StarOpen.sys
2008-09-26 00:23 --------- d-----w C:\Program Files\Common Files\Real
2008-09-24 17:23 --------- d-----w C:\Program Files\CyberLink
2008-09-24 07:23 --------- d-----w C:\Program Files\Samsung
2008-09-22 21:09 --------- d-----w C:\Documents and Settings\MANSIB\Application Data\Nokia Multimedia Player
2008-09-22 16:44 --------- d-----w C:\Documents and Settings\MANSIB\Application Data\GlarySoft
2008-09-22 16:03 286,720 ------w C:\WINDOWS\Setup1.exe
2008-09-17 10:47 --------- d-----w C:\Program Files\McAfee
2008-09-17 10:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-09-16 18:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-09-10 06:37 --------- d-----w C:\Documents and Settings\Fariha Tasnim\Application Data\Nokia
2008-09-09 06:22 203,776 ----a-w C:\WINDOWS\system32\clrviddc.dll
2008-09-07 20:08 --------- d-----w C:\Program Files\Common Files\Stardock
2008-09-07 08:04 --------- d-----w C:\Program Files\Nokia
2008-09-07 08:04 --------- d-----w C:\Program Files\Common Files\Nokia
2008-09-07 07:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-09-06 23:36 --------- d-----w C:\Program Files\SiteAdvisor
2008-09-06 23:36 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-09-06 23:13 --------- d-----w C:\Program Files\WordWeb
2008-09-06 22:56 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SACore
2008-09-06 20:49 --------- d-----w C:\Program Files\Google
2008-09-04 09:48 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-03 16:55 --------- d-----w C:\Program Files\AGEIA Technologies
2008-09-03 13:42 --------- d-----w C:\Program Files\Kuma Games
2008-08-30 06:52 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-21 04:03 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-17 03:26 1,049,784 ----a-w C:\WINDOWS\system32\wweb32.dll
2008-08-13 16:41 --------- d-----w C:\Documents and Settings\MANSIB\Application Data\Apple Computer
2008-08-12 06:16 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-12 06:11 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-08-09 11:35 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-08-06 19:27 720,896 ----a-w C:\WINDOWS\iun6002.exe
2008-07-31 04:41 68,616 ----a-w C:\WINDOWS\system32\XAPOFX1_1.dll
2008-07-31 04:41 238,088 ----a-w C:\WINDOWS\system32\xactengine3_2.dll
2008-07-31 04:40 509,448 ----a-w C:\WINDOWS\system32\XAudio2_2.dll
2008-07-18 16:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 16:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 16:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 16:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 16:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 16:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 16:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 16:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 16:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 16:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-12 02:18 467,984 ----a-w C:\WINDOWS\system32\d3dx10_39.dll
2008-07-12 02:18 3,851,784 ----a-w C:\WINDOWS\system32\D3DX9_39.dll
2008-07-12 02:18 1,493,528 ----a-w C:\WINDOWS\system32\D3DCompiler_39.dll
2008-05-25 16:33 107,976 ----a-w C:\Documents and Settings\MANSIB\Application Data\GDIPFONTCACHEV1.DAT
2008-04-06 14:19 678,595 ----a-w C:\Documents and Settings\MANSIB\!secwad.exe
2008-04-06 14:19 4,234 ----a-w C:\Documents and Settings\MANSIB\!versions.dat
2007-08-30 18:07 284 ----a-w C:\Documents and Settings\Fariha Tasnim\Application Data\ViewerApp.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="D:\Software\Installs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-03-13 98304]
"AVG8_TRAY"="D:\Software\Installs\AVG\avgtray.exe" [2008-09-30 1234712]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-03 29744]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-13 C:\WINDOWS\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 C:\WINDOWS\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"aywkaa1auvoa"=2 (0x2)
"WLSetupSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"E:\\My Games\\FIFA08\\FIFA08.exe"=
"F:\\Half-life 2\\HALF LIFE 2\\hl2.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"D:\\Software\\Installs\\BitTorrent\\bittorrent.exe"=
"D:\\Software\\Installs\\AVG\\avgemc.exe"=
"D:\\Software\\Installs\\AVG\\avgupd.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Akamai Network Manager
"5000:UDP"= 5000:UDP:Akamai Network Manager

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;D:\Software\Installs\AVG\avgemc.exe [2008-08-30 875288]
R2 avg8wd;AVG Free8 WatchDog;D:\Software\Installs\AVG\avgwdsvc.exe [2008-08-30 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-09 76040]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-09-03 29744]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;C:\WINDOWS\system32\drivers\nmwcdnsu.sys [2008-02-01 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;C:\WINDOWS\system32\drivers\nmwcdnsuc.sys [2008-02-01 8320]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2007-05-02 83592]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2007-05-02 15112]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2007-05-02 109704]
S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ae87a73-3f0a-11d8-9fa8-cba3c42e394a}]
\Shell\AutoRun\command - H:\ntde1ect.com
\Shell\explore\Command - H:\ntde1ect.com
\Shell\open\Command - H:\ntde1ect.com
.
Contents of the 'Scheduled Tasks' folder

2008-10-12 C:\WINDOWS\Tasks\GlaryInitialize.job
- D:\Software\Installs\Glary Utilities\initialize.exe [2008-07-18 11:08]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{6FB13DD6-4650-4556-AE18-27142F0B5C9F} - (no file)
Notify-NavLogon - (no file)
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\MANSIB\Application Data\Mozilla\Firefox\Profiles\xs9iopk7.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE -
FF -: plugin - C:\Program Files\DNA\plugins\npbtdna.dll
FF -: plugin - C:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
FF -: plugin - D:\Mozilla Firefox\plugins\np32dsw.dll
FF -: plugin - D:\Mozilla Firefox\plugins\npbittorrent.dll
FF -: plugin - D:\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
FF -: plugin - D:\Mozilla Firefox\plugins\npnul32.dll
FF -: plugin - D:\Mozilla Firefox\plugins\nppdf32.dll
FF -: plugin - D:\Mozilla Firefox\plugins\nppl3260.dll
FF -: plugin - D:\Mozilla Firefox\plugins\nprjplug.dll
FF -: plugin - D:\Mozilla Firefox\plugins\nprpjplug.dll
FF -: plugin - D:\Software\Installs\Adobe Reader 9\Reader\browser\nppdf32.dll
.
.
------- File Associations -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-12 19:40:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
D:\Software\Installs\AVG\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-10-12 19:43:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-12 13:43:14

Pre-Run: 7,194,333,184 bytes free
Post-Run: 7,143,600,128 bytes free

228 --- E O F --- 2008-09-10 20:26:13

LOGFILE: HIJACKTHIS
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:11 PM, on 10/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Software\Installs\AVG\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
D:\Software\Installs\AVG\avgrsx.exe
D:\Software\Installs\AVG\avgemc.exe
C:\WINDOWS\RTHDCPL.EXE
D:\Software\Installs\ZoneAlarm\zlclient.exe
D:\Software\Installs\AVG\avgtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
D:\Mozilla Firefox\firefox.exe
D:\Software\Installs\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Software\Installs\AVG\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Software\Installs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] D:\Software\Installs\AVG\avgtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-_UNO/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED9B4A79-D761-4424-8623-80F86ABC7671}: NameServer = 10.15.0.10 10.15.0.11
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Software\Installs\AVG\avgpp.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\Software\Installs\AVG\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\Software\Installs\AVG\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4737 bytes

Thank you, Blade, for your patience.
 
Help files still don't work. And this IP just doesn't leave me alone. Aside from that, my icons and start menu items are default again, but I won't further customize them until this gets fixed.
 
Hi

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

BitTorrent DNA
BitTorrent


I'd like you to read this thread.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Delete these folders afterwards:

C:\Documents and Settings\MANSIB\Application Data\DNA
C:\Documents and Settings\MANSIB\Application Data\BitTorrent
C:\Program Files\DNA
D:\Software\Installs\BitTorrent

Empty Recycle Bin.

After that:


Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
H:\ntde1ect.com

Folder::
C:\Documents and Settings\All Users\Application Data\vyfyjwla
C:\Documents and Settings\MANSIB\Application Data\DNA
C:\Documents and Settings\MANSIB\Application Data\BitTorrent
C:\Program Files\DNA
D:\Software\Installs\BitTorrent

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aywkaa1auvoa"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\DNA\\btdna.exe"=-
"D:\\Software\\Installs\\BitTorrent\\bittorrent.exe"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ae87a73-3f0a-11d8-9fa8-cba3c42e394a}]


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Help files still don't work.
Do you get some specific error message or something?

And this IP just doesn't leave me alone.
What was that IP again?
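The script below is an added example, not part of this thread and not ComboFix's own code. It shows the triage step the helper did by hand: read the "Reg Loading Points" section of the ComboFix log, flag the MountPoints2 handlers that run a file from a removable drive under a name one character away from a system file (H:\ntde1ect.com imitating ntdetect.com), check whether the Windows Firewall standard profile is disabled, and draft the File:: / Registry:: lines of a CFScript in the same syntax the helper used. SAMPLE_LOG is constructed from the log lines quoted above; LOOKALIKE_TARGETS, SYSTEM_DRIVE and all function names are assumptions made for illustration.

```python
"""Triage a ComboFix 'Reg Loading Points' dump and draft a CFScript.

Added example for this thread; it is not ComboFix's own code and not the
helper's. SAMPLE_LOG is constructed from the log lines quoted above. The
CFScript syntax it emits (File::, Registry:: with [-key] to delete a key)
is the one used in the helper's post; LOOKALIKE_TARGETS, SYSTEM_DRIVE and
all function names are assumptions made for illustration.
"""
import re

# Constructed sample: excerpt of the ComboFix log quoted earlier in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"aywkaa1auvoa"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ae87a73-3f0a-11d8-9fa8-cba3c42e394a}]
\Shell\AutoRun\command - H:\ntde1ect.com
\Shell\explore\Command - H:\ntde1ect.com
\Shell\open\Command - H:\ntde1ect.com
"""

# System file names that autorun worms imitate with one swapped character (assumed list).
LOOKALIKE_TARGETS = ("ntdetect.com", "svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe")
SYSTEM_DRIVE = "C:"  # assumption: the Windows drive in this thread is C:

MOUNTPOINT_KEY_RE = re.compile(r"\\mountpoints2\\\{[0-9a-f-]+\}$", re.I)
SHELL_CMD_RE = re.compile(r"^\\Shell\\(?P<verb>\w+)\\command - (?P<cmd>.+)$", re.I)


def sections(log):
    """Yield (key, body_lines) for each [key] block of a REGEDIT4-style dump."""
    key, body = None, []
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                yield key, body
            key, body = line[1:-1], []
        elif line and key is not None:
            body.append(line)
    if key is not None:
        yield key, body


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character imitations of system names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename):
    """Return the legitimate name a file name imitates (distance 1), else None."""
    name = filename.lower()
    for legit in LOOKALIKE_TARGETS:
        if name != legit and edit_distance(name, legit) == 1:
            return legit
    return None


def parse_mountpoints(log):
    """Map each MountPoints2 GUID key to its [(verb, command), ...] shell handlers."""
    result = {}
    for key, body in sections(log):
        if not MOUNTPOINT_KEY_RE.search(key):
            continue
        handlers = []
        for line in body:
            m = SHELL_CMD_RE.match(line)
            if m:
                handlers.append((m.group("verb"), m.group("cmd").strip()))
        result[key] = handlers
    return result


def find_autorun_hijacks(log):
    """Flag MountPoints2 handlers that run a file from a non-system drive or a look-alike name."""
    findings = []
    for key, handlers in parse_mountpoints(log).items():
        for verb, cmd in handlers:
            drive = cmd[:2].upper()
            basename = cmd.rsplit("\\", 1)[-1]
            reasons = []
            if drive != SYSTEM_DRIVE:
                reasons.append(f"handler runs from non-system drive {drive}")
            legit = lookalike_of(basename)
            if legit:
                reasons.append(f"{basename} imitates {legit}")
            if reasons:
                findings.append({"key": key, "verb": verb, "command": cmd, "reasons": reasons})
    return findings


def firewall_disabled(log):
    """True if the standard-profile Windows Firewall policy has EnableFirewall=0."""
    for key, body in sections(log):
        if key.lower().endswith(r"firewallpolicy\standardprofile"):
            return any(re.match(r'"EnableFirewall"=\s*0\b', line) for line in body)
    return False


def draft_cfscript(findings):
    """Draft the File:: and Registry:: sections that remove the flagged handlers."""
    files = sorted({f["command"] for f in findings})
    keys = sorted({f["key"] for f in findings})
    lines = ["File::", *files, "", "Registry::", *[f"[-{k}]" for k in keys]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = find_autorun_hijacks(SAMPLE_LOG)
    for h in hits:
        print(h["verb"], h["command"], "->", "; ".join(h["reasons"]))
    print("Windows Firewall disabled:", firewall_disabled(SAMPLE_LOG))
    print(draft_cfscript(hits))
```

The drive-letter check matters on its own: a MountPoints2 AutoRun handler is a per-user record of what Explorer will run when that removable volume is double-clicked, so any such handler pointing at a file on the removable drive deserves a look even when the file name is not a look-alike. Note that the Windows Firewall being off is not by itself a malware sign here, since the log also shows ZoneAlarm installed and registered with Security Center.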
 
Done, but the problem persists.

Hello Blade! You sure are working hard for me! I can't thank you enough.
Anyway, I removed BitTorrent-DNA, and the folders were automatically deleted.
About the help file error, the error is, for example, in Spybot S&D:
Cannot open the file: mk: @MSITStore:D:\Software\Installs\Spybot - Search & Destroy\Help\English.chm
However, I can open html help files, for example, in RealPlayer, or Mozilla Firefox.
This IP address starts with 10.25.x.x, the last two changing often. For example, I looked up 10.25.192.132 and 10.25.193.125 with no success. The signal is blocked in both incoming and outgoing directions. Less common IPs are blocked too, but are much rarer. I get one of these messages about every 15 minutes.
When I opened up ComboFix, ZoneAlarm asked me to allow a TCP/IP ping to an IP (with additional information that it had asked before). Is this normal? I allowed it, but during the Disclaimer I turned off AVG, Google Desktop, ZoneAlarm, and the LAN card too.
Logfile: Combofix/CFScript.txt
ComboFix 08-10-09.06 - MANSIB 2008-10-12 21:38:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.610 [GMT 6:00]
Running from: C:\Documents and Settings\MANSIB\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\MANSIB\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
H:\ntde1ect.com
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\vyfyjwla

.
((((((((((((((((((((((((( Files Created from 2008-09-12 to 2008-10-12 )))))))))))))))))))))))))))))))
.

2008-10-10 22:52 . 2008-10-10 22:59 <DIR> d-------- C:\Documents and Settings\MANSIB\dwhelper
2008-10-07 15:18 . 2008-03-09 02:16 3,053,431 --a------ C:\WINDOWS\StyleXPTour.exe
2008-10-07 11:23 . 2008-10-07 11:23 0 --a------ C:\WINDOWS\PowerReg.dat
2008-10-05 06:23 . 2008-06-30 21:30 188,547 --a------ C:\wubildr
2008-10-05 06:23 . 2008-06-30 21:30 8,192 --a------ C:\wubildr.mbr
2008-10-03 18:41 . 2008-10-03 18:41 <DIR> d-------- C:\Documents and Settings\Fariha Tasnim\Application Data\Malwarebytes
2008-10-03 12:55 . 2008-10-03 12:55 <DIR> d-------- C:\Documents and Settings\MANSIB\Application Data\Malwarebytes
2008-10-03 12:55 . 2008-10-03 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-03 12:55 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-03 12:55 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-03 04:26 . 2008-10-12 21:41 11,221,536 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-10-03 04:26 . 2008-10-12 19:38 157,940 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-10-03 03:27 . 2008-10-03 03:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-10-03 03:26 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-10-03 03:26 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-10-03 03:26 . 2008-10-03 03:29 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-10-03 01:03 . 2008-10-03 01:09 2,374 --a------ C:\WINDOWS\system32\tmp.reg
2008-10-02 21:55 . 2008-10-02 21:55 <DIR> d-------- C:\Documents and Settings\MANSIB\Application Data\TmpRecentIcons
2008-10-01 21:35 . 2008-10-01 21:35 <DIR> d-------- C:\WINDOWS\Logs
2008-09-27 04:59 . 2008-09-27 04:59 <DIR> d-------- C:\Documents and Settings\MANSIB\Application Data\MSNInstaller
2008-09-26 06:23 . 2008-09-26 06:23 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-09-25 01:13 . 2008-09-25 01:13 <DIR> d-------- C:\Documents and Settings\MANSIB\Application Data\Samsung
2008-09-24 13:31 . 2008-09-24 13:31 <DIR> d-------- C:\Documents and Settings\Fariha Tasnim\Application Data\Samsung
2008-09-23 01:57 . 2000-11-29 04:07 307,200 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-09-23 01:57 . 2003-08-07 17:01 237,568 --a------ C:\WINDOWS\system32\lame_enc.dll
2008-09-23 01:52 . 2008-09-23 01:54 164 --a------ C:\WINDOWS\CDPLAYER.UNI
2008-09-23 01:51 . 2008-09-23 01:51 <DIR> d-------- C:\WINDOWS\Free CD Music Converter
2008-09-22 21:55 . 2008-09-22 21:55 <DIR> d-------- C:\Documents and Settings\MANSIB\Application Data\Seven Zip
2008-09-18 21:25 . 2008-09-18 21:25 <DIR> d-------- C:\Documents and Settings\MANSIB\Application Data\Media Player Classic
2008-09-18 21:19 . 2001-11-30 19:05 131,072 --a------ C:\WINDOWS\system32\dzip32.dll
2008-09-18 21:19 . 2001-11-30 19:05 110,592 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-09-18 21:18 . 2008-10-05 01:16 <DIR> d-------- C:\Program Files\Windows Media Bonus Pack for Windows XP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-12 15:36 --------- d-----w C:\Documents and Settings\MANSIB\Application Data\SiteAdvisor
2008-10-12 14:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-09 06:26 --------- d-----w C:\Documents and Settings\Fariha Tasnim\Application Data\SiteAdvisor
2008-10-07 06:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-04 19:15 --------- d-----w C:\Program Files\Java
2008-09-29 18:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-09-28 17:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-09-26 10:55 5,632 ----a-w C:\WINDOWS\system32\drivers\StarOpen.sys
2008-09-26 00:23 --------- d-----w C:\Program Files\Common Files\Real
2008-09-24 17:23 --------- d-----w C:\Program Files\CyberLink
2008-09-24 07:23 --------- d-----w C:\Program Files\Samsung
2008-09-22 21:09 --------- d-----w C:\Documents and Settings\MANSIB\Application Data\Nokia Multimedia Player
2008-09-22 16:44 --------- d-----w C:\Documents and Settings\MANSIB\Application Data\GlarySoft
2008-09-22 16:03 286,720 ------w C:\WINDOWS\Setup1.exe
2008-09-17 10:47 --------- d-----w C:\Program Files\McAfee
2008-09-17 10:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-09-16 18:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-09-10 06:37 --------- d-----w C:\Documents and Settings\Fariha Tasnim\Application Data\Nokia
2008-09-09 06:22 203,776 ----a-w C:\WINDOWS\system32\clrviddc.dll
2008-09-07 20:08 --------- d-----w C:\Program Files\Common Files\Stardock
2008-09-07 08:04 --------- d-----w C:\Program Files\Nokia
2008-09-07 08:04 --------- d-----w C:\Program Files\Common Files\Nokia
2008-09-07 07:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-09-06 23:36 --------- d-----w C:\Program Files\SiteAdvisor
2008-09-06 23:36 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-09-06 23:13 --------- d-----w C:\Program Files\WordWeb
2008-09-06 22:56 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SACore
2008-09-06 20:49 --------- d-----w C:\Program Files\Google
2008-09-04 09:48 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-03 16:55 --------- d-----w C:\Program Files\AGEIA Technologies
2008-09-03 13:42 --------- d-----w C:\Program Files\Kuma Games
2008-08-30 06:52 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-21 04:03 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-17 03:26 1,049,784 ----a-w C:\WINDOWS\system32\wweb32.dll
2008-08-12 06:16 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-12 06:11 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-08-09 11:35 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-08-06 19:27 720,896 ----a-w C:\WINDOWS\iun6002.exe
2008-07-31 04:41 68,616 ----a-w C:\WINDOWS\system32\XAPOFX1_1.dll
2008-07-31 04:41 238,088 ----a-w C:\WINDOWS\system32\xactengine3_2.dll
2008-07-31 04:40 509,448 ----a-w C:\WINDOWS\system32\XAudio2_2.dll
2008-07-18 16:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 16:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 16:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 16:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 16:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 16:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 16:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 16:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 16:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 16:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-12 02:18 467,984 ----a-w C:\WINDOWS\system32\d3dx10_39.dll
2008-07-12 02:18 3,851,784 ----a-w C:\WINDOWS\system32\D3DX9_39.dll
2008-07-12 02:18 1,493,528 ----a-w C:\WINDOWS\system32\D3DCompiler_39.dll
2008-05-25 16:33 107,976 ----a-w C:\Documents and Settings\MANSIB\Application Data\GDIPFONTCACHEV1.DAT
2008-04-06 14:19 678,595 ----a-w C:\Documents and Settings\MANSIB\!secwad.exe
2008-04-06 14:19 4,234 ----a-w C:\Documents and Settings\MANSIB\!versions.dat
2007-08-30 18:07 284 ----a-w C:\Documents and Settings\Fariha Tasnim\Application Data\ViewerApp.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="D:\Software\Installs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-03-13 98304]
"AVG8_TRAY"="D:\Software\Installs\AVG\avgtray.exe" [2008-09-30 1234712]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-03 29744]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-13 C:\WINDOWS\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 C:\WINDOWS\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"E:\\My Games\\FIFA08\\FIFA08.exe"=
"F:\\Half-life 2\\HALF LIFE 2\\hl2.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Software\\Installs\\AVG\\avgemc.exe"=
"D:\\Software\\Installs\\AVG\\avgupd.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Akamai Network Manager
"5000:UDP"= 5000:UDP:Akamai Network Manager

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;D:\Software\Installs\AVG\avgemc.exe [2008-08-30 875288]
R2 avg8wd;AVG Free8 WatchDog;D:\Software\Installs\AVG\avgwdsvc.exe [2008-08-30 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-09 76040]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-09-03 29744]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;C:\WINDOWS\system32\drivers\nmwcdnsu.sys [2008-02-01 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;C:\WINDOWS\system32\drivers\nmwcdnsuc.sys [2008-02-01 8320]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2007-05-02 83592]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2007-05-02 15112]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2007-05-02 109704]
S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [ ]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-10-12 C:\WINDOWS\Tasks\GlaryInitialize.job
- D:\Software\Installs\Glary Utilities\initialize.exe [2008-07-18 11:08]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-12 21:41:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-12 21:42:53
ComboFix-quarantined-files.txt 2008-10-12 15:42:48
ComboFix2.txt 2008-10-12 13:43:25

Pre-Run: 7,422,599,168 bytes free
Post-Run: 7,405,117,440 bytes free

185 --- E O F --- 2008-09-10 20:26:13

Logfile: HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:00 PM, on 10/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Software\Installs\AVG\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
D:\Software\Installs\AVG\avgrsx.exe
D:\Software\Installs\AVG\avgemc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
D:\Software\Installs\AVG\avgtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
D:\Software\Installs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Software\Installs\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Software\Installs\AVG\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Software\Installs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] D:\Software\Installs\AVG\avgtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-_UNO/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Software\Installs\AVG\avgpp.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\Software\Installs\AVG\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\Software\Installs\AVG\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4589 bytes
 
Ah, it's me and my formatting! :(

Cannot open the file: mk: @MSITStore\Software\Installs\Spybot - Search & Destroy\Help\English.chm
 
Just out of curiosity

Ah, my removable drives are usually labelled H:\. About this file, H:\ntde1ect.com, has the virus spread to my pen drives, cellphones, or music players? Oh, shit!
 