Virtumonde and others - can't download anything

R

roseelyse

New member
I've got a computer infected with Virtumonde and W32 and others. I know I need to post a HJT log but whatever I've got won't let me download anything online so I can't download that program. It's affecting Explorer and I tried downloading Firefox but I'm unable to. THe error message says the site cannot be accessed although I have my internet settings set to accept cookies and on medium secutiry settings.

Thanks!
 
HJT Log

I think I found a workaround and got HJT installed. Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:53:54 PM, on 12/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QdrPack\QdrPack11.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
D:\avgas-setup-7.5.1.43.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O1 - Hosts: 194.54.90.238 google.com
O1 - Hosts: 194.54.90.238 www.google.com
O1 - Hosts: 194.54.90.238 search.yahoo.com
O1 - Hosts: 194.54.90.238 google.ca
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {320d0dc8-1dd2-11b2-9a1b-ba91242c3248} - C:\WINDOWS\zolgdeho.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {D5EE9F65-9E90-41FB-9312-10EA9CA771A9} - C:\WINDOWS\system32\gebcc.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [mbgvotcb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\mbgvotcb.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QdrModule9] "C:\Program Files\QdrModule\QdrModule9.exe"
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [QdrPack11] "C:\Program Files\QdrPack\QdrPack11.exe"
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.mozilla.com
O15 - Trusted Zone: http://spybot.safer-networking.de
O20 - AppInit_DLLs:
O20 - Winlogon Notify: ljjifde - ljjifde.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)

--
End of file - 6769 bytes
 
Unable to install Kaspersky scanner

I'm assuming this is part of whatever I've got. Even though I do have admin priv. and settings are set to medium the scanner and nothing else will download (I copied HJT onto a disk from clean computer and loaded from that - can I do this with Kaspersky?)

Anyway I can be helped without the Kaspersky log?

Thanks!
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Looks like the Ukrainians have gotten into your Hosts file: O1 - Hosts: 194.54.90.238 google.com
See this: http://whois.domaintools.com/194.54.90.238

See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\j2re1.4.2_03\ <<< Java is BADLY out of date and likely why you are infected. Dowload the newest version and uninstall all old versions in Add Remove programs.


(Instructions start here, it is important you read and follow the directions or the tools will not work)


1) AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.


2) Download the HostsXpert 4.2 - Hosts File Manager.
http://www.funkytoad.com/download/HostsXpert.zip
Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
Run HostsXpert 4.2 - Hosts File Manager from its new home
Click on "File Handling".
Click on "Restore MS Hosts File".
Click OK on the Confirmation box.
Click on "Make Read Only?"
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


3) Thanks to Atribune and any others who helped with this fix.

http://vundofix.atribune.org/ <<< tutorial

"Download VundoFix" to your Desktop

http://www.atribune.org/ccount/click.php?id=4

Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will attempt run on reboot, simply follow the above instructions starting from "Click
the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\

(wait until you finish to post reports and logs)


4) Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here or Here to your Desktop
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the Vundofix.txt, combofix log and a new HJT log.

Thanks
 
Java 6 won't download

I've tried but apparently there is a problem with this whole download process on Java's end. I've tried saving the file onto a CD and installing it on the sick computer but the error is on Java's end and I can't download anything directly to the sick computer. Can I go ahead with the other steps?

Please note, the instructions you linked to told me to uninstall the old Java version first, which I did. Do I need to figure out a way to get that old version back before completing these next steps?

Thank you.
 
I apologize, my instruction were to download the new version first, I have seen folks have trouble when they are running very old versions like that. Continue with the instructions, hopefully you can resolve that issue later. If you have to, contact Java for instructions. Here is another download you can try.
http://www.java.com/en/download/index.jsp
I am not sure how that will effect the tools we use, I know Vundofix uses Java, I quess we will find out.

Thanks
 
tried that. :)

Yeah - I tried downloading from there on the sick computer - didn't work. From a good computer to a CD and then onto the sick and got the same error message. Am working on the rest of the instructions now. Will post logs in a couple hours. Thank you so much!
 
VundoFix Can't Remove file

Wasn't sure how many times I should try running vundofix - tried 4 times and there's one file it can't remove. I'm going to continue with the steps and post logs - if that's really bad, let me know and I'll try vundofix again. Thanks.
 
argh

Combofix won't run. The first error message says it's corrupted and needs to restart then it says I need Admin privilges - which I have. Don't know what to do.

I'm at least posting the Vundo and HJT logs in hopes something can be helped. (I was able to reinstall the old version of Java - I know it's old but can't get the new one on yet!)

Please remember I am unable to run Kaspersky because I am unable to download anything directly to the sick computer and Kaspersky needs to do that directly unless someone can tell me how to save it to a disk on the healthy computer and transfer. Thanks again for all your help.

VundoFix Log


VundoFix V6.7.7

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 5:01:06 PM 12/30/2007

Listing files found while scanning....

C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\efcayxv.dll
C:\WINDOWS\system32\evvaeyij.dll
C:\WINDOWS\system32\jiyeavve.ini
C:\WINDOWS\system32\rnituabg.exe
C:\WINDOWS\system32\xkcwaudc.dll
C:\WINDOWS\system32\yccdd.bak1
C:\WINDOWS\system32\yccdd.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\ddccy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\efcayxv.dll
C:\WINDOWS\system32\efcayxv.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\evvaeyij.dll
C:\WINDOWS\system32\evvaeyij.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jiyeavve.ini
C:\WINDOWS\system32\jiyeavve.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\rnituabg.exe
C:\WINDOWS\system32\rnituabg.exe Could not be deleted.

Attempting to delete C:\WINDOWS\system32\xkcwaudc.dll
C:\WINDOWS\system32\xkcwaudc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yccdd.bak1
C:\WINDOWS\system32\yccdd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\yccdd.ini
C:\WINDOWS\system32\yccdd.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\efcayxv.dll
C:\WINDOWS\system32\efcayxv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rnituabg.exe
C:\WINDOWS\system32\rnituabg.exe Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 8:26:20 PM 12/30/2007

Listing files found while scanning....

C:\WINDOWS\system32\rnituabg.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\rnituabg.exe
C:\WINDOWS\system32\rnituabg.exe Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\rnituabg.exe
C:\WINDOWS\system32\rnituabg.exe Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 9:05:17 PM 12/30/2007

Listing files found while scanning....

C:\WINDOWS\system32\rnituabg.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\rnituabg.exe
C:\WINDOWS\system32\rnituabg.exe Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\rnituabg.exe
C:\WINDOWS\system32\rnituabg.exe Could not be deleted.

Performing Repairs to the registry.
Done!


HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:14 PM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\rnituabg.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QdrPack\QdrPack11.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: {3c4fb07f-fa73-f48b-5e44-c53180bc64a1} - {1a46cb08-135c-44e5-b84f-37aff70bf4c3} - C:\WINDOWS\system32\xkcwaudc.dll (file missing)
O2 - BHO: (no name) - {440EC62D-5187-4340-8ECF-C5AB50ACC040} - C:\WINDOWS\system32\ddccy.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [mbgvotcb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\mbgvotcb.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [0c430816] rundll32.exe "C:\WINDOWS\system32\evvaeyij.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QdrModule9] "C:\Program Files\QdrModule\QdrModule9.exe"
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [QdrPack11] "C:\Program Files\QdrPack\QdrPack11.exe"
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.mozilla.com
O15 - Trusted Zone: http://spybot.safer-networking.de
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - AppInit_DLLs:
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\rnituabg.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)

--
End of file - 6158 bytes
 
ComboFix Log Workaround - Part one

I think I found a workaround for ComboFix. I switched users on the computer and it ran fine. Then I switched back and was able to run it on the user where the problems have been. I'm posting both logs as they are different.

User Log that has NOT been the user the other logs are for:


ComboFix 07-12-31.4 - Randy 2007-12-30 22:55:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.230 [GMT -6:00]
Running from: C:\Documents and Settings\Randy\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\1.exe
C:\check_LSA7.txt
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\ProductCode
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode
C:\Documents and Settings\Randy\Start Menu\Programs\Startup\ta_start.lnk
C:\Documents and Settings\Sherry\Application Data\ICROSO~1.NET
C:\Documents and Settings\Sherry\Application Data\ICROSO~1.NET\m?hta.exe
C:\Documents and Settings\Sherry\Application Data\WNSXS~1
C:\Documents and Settings\Sherry\err.log
C:\Documents and Settings\Sherry\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Sherry\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Sherry\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Program Files\asembl~1
C:\Program Files\asembl~1\a?sembly\
C:\Program Files\ISM2
C:\Program Files\ISM2\adhydraupd.exe
C:\Program Files\ISM2\dictionary.gz
C:\Program Files\ISM2\targets.gz
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack10.exe
C:\Program Files\QdrPack\QdrPack11.exe
C:\Program Files\QdrPack\trffyupd.exe
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\QdrPack\zhydupd.exe
C:\Program Files\Temporary
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1187053590.old
C:\Program Files\WinBudget\bin\matrix.dll
C:\svhost.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fCOe
C:\Temp\fCOe\tOasF.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\tskmgr.exe
C:\WINDOWS\1.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\PerfInfo
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\dkmynmof.ini
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rnituabg.exe
C:\WINDOWS\system32\syslodr.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_DRIVER
-------\LEGACY_GENERAL_SOCKET_SERVICE
-------\DomainService
-------\General Socket Service


((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-31 )))))))))))))))))))))))))))))))
.

2007-12-30 22:54 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-30 17:01 . 2007-12-30 21:35 <DIR> d-------- C:\VundoFix Backups
2007-12-30 16:47 . 2007-12-30 16:47 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-30 15:49 . 2007-12-30 16:27 16,384 --a------ C:\Program Files\NTDLL.dll
2007-12-30 15:15 . 2007-12-30 15:15 <DIR> d-------- C:\Program Files\RcvSystem
2007-12-29 18:46 . 2007-12-29 18:46 <DIR> d-------- C:\Documents and Settings\Randy\Application Data\Grisoft
2007-12-28 16:53 . 2007-12-28 16:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-28 16:51 . 2007-12-28 16:51 <DIR> d-------- C:\Documents and Settings\Sherry\Application Data\Grisoft
2007-12-28 16:51 . 2007-12-28 16:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-28 16:51 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-28 13:23 . 2007-12-28 13:23 4,096 --ahs---- C:\WINDOWS\system32\5558.dat
2007-12-28 12:35 . 2007-12-28 12:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-27 13:10 . 2007-12-27 13:10 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-26 15:12 . 2007-12-26 15:12 <DIR> d-------- C:\Documents and Settings\Randy\Application Data\Lavasoft
2007-12-26 14:27 . 2005-09-30 14:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2007-12-26 14:27 . 2005-09-30 14:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2007-12-01 12:51 . 2007-12-29 10:53 20,480 --a------ C:\WINDOWS\quit.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-30 22:53 --------- d-----w C:\Program Files\Java
2007-12-30 22:12 0 ----a-w C:\Documents and Settings\Sherry\NTDLL.dll
2007-10-21 01:25 82,432 ----a-w C:\WINDOWS\zolgdeho.dll
2007-10-21 01:25 82,432 ----a-w C:\Documents and Settings\All Users\Application Data\mbgvotcb.dll
2007-09-10 20:10 2,011,099 --sha-w C:\WINDOWS\system32\ccbeg.bak1
2007-09-22 16:00 1,978,569 --sha-w C:\WINDOWS\system32\ccbeg.bak2
.
C:\WINDOWS\system32\mswsock.dll ... is infected !!

C:\WINDOWS\system32\drivers\tcpip.sys ... is infected !! (additional data below)
360,576 2006-04-20 12:18:35 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
359,808 2006-04-20 11:51:50 C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2gdr\tcpip.sys
359,040 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\tcpip.sys
359,040 2006-02-28 12:00:00 C:\WINDOWS\system32\drivers\tcpip.sys


((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 57,344 2005-06-07 04:46:24 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe

----a-w 1,404,928 2004-10-15 00:42:54 C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe
----a-w 1,404,928 2004-10-15 00:42:54 C:\Program Files\Analog Devices\Core\smax4pnp.exe

----a-w 81,920 2004-07-27 21:50:18 C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe

----a-w 221,184 2004-07-27 21:50:42 C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe

----a-w 86,016 2005-01-27 06:02:00 C:\Program Files\Dell\Media Experience\bak\DMXLauncher.exe

----a-w 332,800 2005-05-15 07:04:12 C:\Program Files\Dell Support\bak\DSAgnt.exe

----a-w 49,152 2004-09-13 21:49:00 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe
----a-w 49,152 2004-09-13 20:49:00 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

----a-w 221,184 2003-09-04 01:12:44 C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe

----a-w 278,528 2006-06-14 21:24:14 C:\Program Files\iTunes\bak\iTunesHelper.exe

----a-w 32,881 2003-11-19 22:48:14 C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe

----a-w 53,248 2004-09-14 13:50:48 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe

----a-w 131,072 2004-09-14 13:50:48 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe

----a-w 282,624 2006-08-19 20:38:04 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 26,112 2005-09-30 20:31:48 C:\Program Files\Real\RealPlayer\bak\RealPlay.exe

----a-w 1,921,024 2004-01-30 14:44:32 C:\Program Files\Support.com\bin\bak\tgcmd.exe

----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2006-02-28 12:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 126,976 2005-01-23 21:31:34 C:\WINDOWS\system32\bak\hkcmd.exe
----a-w 126,976 2005-01-23 21:31:34 C:\WINDOWS\system32\hkcmd.exe

----a-w 155,648 2005-01-23 21:36:10 C:\WINDOWS\system32\bak\igfxtray.exe
----a-w 155,648 2005-01-23 21:36:10 C:\WINDOWS\system32\igfxtray.exe

----a-w 127,035 2004-12-06 06:05:00 C:\WINDOWS\system32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1a46cb08-135c-44e5-b84f-37aff70bf4c3}]
C:\WINDOWS\system32\xkcwaudc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{440EC62D-5187-4340-8ECF-C5AB50ACC040}]
C:\WINDOWS\system32\ddccy.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 06:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 10:59:36]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=C:\WINDOWS\pss\NkbMonitor.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sherry^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Sherry\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sherry^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\Sherry\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-03-09 10:09 63712 --a------ C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dnse]
C:\Program Files\Common Files\Update\dnse.exe -c -product=was

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Esid]
C:\Documents and Settings\Sherry\Application Data\?icrosoft.NET\m?hta.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\system32\twinrldt.exe CHD003

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-01-23 15:36 155648 --a------ C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMModule4]
C:\Program Files\ISM\ISMModule4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\niwo]
C:\Program Files\MSN Gaming Zone\niwo22011.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
rundll32.exe C:\WINDOWS\system32\lpssxtcq.dll,sitypnow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sen]
C:\PROGRA~1\ASEMBL~1\javaw.exe -vt ndrv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-07-27 11:49 68856 --a------ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe C:\WINDOWS\system32\fomnymkd.dll,forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uwas7cw]
C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe -c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAntiSpyware 2007 Free]
C:\Program Files\WinAntiSpyware 2007\was7.exe /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{30-08-8B-B9-ZN}]
C:\windows\system32\kqdsrngs.exe CHD003


.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-30 23:04:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\dmdlgs.cpl 649 bytes
C:\WINDOWS\system32\rshx348.dll 106496 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\csrss.exe
-> C:\WINDOWS\system32\basemcdpf32.dll
.
Completion time: 2007-12-30 23:08:13 - machine was rebooted
C:\qoobox\ComboFix-quarantined-files.txt 2007-12-31 05:08:05
.
2007-12-31 03:50:08 --- E O F ---
 
ComboFix Log Workaround Part 2

Here is the log for the User connected to all previous logs (including Vudo and HJT)

ComboFix 07-12-31.4 - Sherry 2007-12-30 23:11:15.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.240 [GMT -6:00]
Running from: C:\Documents and Settings\Sherry\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-31 )))))))))))))))))))))))))))))))
.

2007-12-30 22:54 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-30 17:01 . 2007-12-30 21:35 <DIR> d-------- C:\VundoFix Backups
2007-12-30 16:47 . 2007-12-30 16:47 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-30 15:49 . 2007-12-30 16:27 16,384 --a------ C:\Program Files\NTDLL.dll
2007-12-30 15:15 . 2007-12-30 15:15 <DIR> d-------- C:\Program Files\RcvSystem
2007-12-29 18:46 . 2007-12-29 18:46 <DIR> d-------- C:\Documents and Settings\Randy\Application Data\Grisoft
2007-12-28 16:53 . 2007-12-28 16:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-28 16:51 . 2007-12-28 16:51 <DIR> d-------- C:\Documents and Settings\Sherry\Application Data\Grisoft
2007-12-28 16:51 . 2007-12-28 16:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-28 16:51 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-28 13:23 . 2007-12-28 13:23 4,096 --ahs---- C:\WINDOWS\system32\5558.dat
2007-12-28 12:35 . 2007-12-28 12:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-27 13:10 . 2007-12-27 13:10 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-26 15:12 . 2007-12-26 15:12 <DIR> d-------- C:\Documents and Settings\Randy\Application Data\Lavasoft
2007-12-26 14:27 . 2005-09-30 14:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2007-12-26 14:27 . 2005-09-30 14:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2007-12-01 12:51 . 2007-12-29 10:53 20,480 --a------ C:\WINDOWS\quit.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-30 22:53 --------- d-----w C:\Program Files\Java
2007-12-30 22:12 0 ----a-w C:\Documents and Settings\Sherry\NTDLL.dll
2007-10-21 02:15 110,592 ----a-w C:\WINDOWS\system32\imm32.dll
2007-10-21 01:25 82,432 ----a-w C:\WINDOWS\zolgdeho.dll
2007-10-21 01:25 82,432 ----a-w C:\Documents and Settings\All Users\Application Data\mbgvotcb.dll
2007-10-16 19:56 3,194 ----a-w C:\WINDOWS\system32\tmp.reg
2007-10-16 17:12 1,979,849 --sha-w C:\WINDOWS\system32\ccbeg.ini2
2007-09-22 16:00 1,978,569 --sha-w C:\WINDOWS\system32\ccbeg.bak2
2007-09-10 20:10 2,011,099 --sha-w C:\WINDOWS\system32\ccbeg.bak1
2007-09-06 05:22 289,144 ----a-w C:\WINDOWS\system32\VCCLSID.exe
2007-09-10 20:10 2,011,099 --sha-w C:\WINDOWS\system32\ccbeg.bak1
2007-09-22 16:00 1,978,569 --sha-w C:\WINDOWS\system32\ccbeg.bak2
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 57,344 2005-06-07 04:46:24 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe

----a-w 1,404,928 2004-10-15 00:42:54 C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe
----a-w 1,404,928 2004-10-15 00:42:54 C:\Program Files\Analog Devices\Core\smax4pnp.exe

----a-w 81,920 2004-07-27 21:50:18 C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe

----a-w 221,184 2004-07-27 21:50:42 C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe

----a-w 86,016 2005-01-27 06:02:00 C:\Program Files\Dell\Media Experience\bak\DMXLauncher.exe

----a-w 332,800 2005-05-15 07:04:12 C:\Program Files\Dell Support\bak\DSAgnt.exe

----a-w 49,152 2004-09-13 21:49:00 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe
----a-w 49,152 2004-09-13 20:49:00 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

----a-w 221,184 2003-09-04 01:12:44 C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe

----a-w 278,528 2006-06-14 21:24:14 C:\Program Files\iTunes\bak\iTunesHelper.exe

----a-w 32,881 2003-11-19 22:48:14 C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe

----a-w 53,248 2004-09-14 13:50:48 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe

----a-w 131,072 2004-09-14 13:50:48 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe

----a-w 282,624 2006-08-19 20:38:04 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 26,112 2005-09-30 20:31:48 C:\Program Files\Real\RealPlayer\bak\RealPlay.exe

----a-w 1,921,024 2004-01-30 14:44:32 C:\Program Files\Support.com\bin\bak\tgcmd.exe

----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2006-02-28 12:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 126,976 2005-01-23 21:31:34 C:\WINDOWS\system32\bak\hkcmd.exe
----a-w 126,976 2005-01-23 21:31:34 C:\WINDOWS\system32\hkcmd.exe

----a-w 155,648 2005-01-23 21:36:10 C:\WINDOWS\system32\bak\igfxtray.exe
----a-w 155,648 2005-01-23 21:36:10 C:\WINDOWS\system32\igfxtray.exe

----a-w 127,035 2004-12-06 06:05:00 C:\WINDOWS\system32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1a46cb08-135c-44e5-b84f-37aff70bf4c3}]
C:\WINDOWS\system32\xkcwaudc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{440EC62D-5187-4340-8ECF-C5AB50ACC040}]
C:\WINDOWS\system32\ddccy.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 06:00 15360]
"QdrModule9"="C:\Program Files\QdrModule\QdrModule9.exe" [ ]
"QdrPack11"="C:\Program Files\QdrPack\QdrPack11.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-01-23 15:36 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 15:31 126976]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 16:03 75128]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 18:42 1404928]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]
"0c430816"="C:\WINDOWS\system32\evvaeyij.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 11:49 68856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 10:59:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\General Socket Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=C:\WINDOWS\pss\NkbMonitor.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sherry^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Sherry\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sherry^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\Sherry\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-03-09 10:09 63712 --a------ C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dnse]
C:\Program Files\Common Files\Update\dnse.exe -c -product=was

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Esid]
C:\Documents and Settings\Sherry\Application Data\?icrosoft.NET\m?hta.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\system32\twinrldt.exe CHD003

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-01-23 15:36 155648 --a------ C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMModule4]
C:\Program Files\ISM\ISMModule4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\niwo]
C:\Program Files\MSN Gaming Zone\niwo22011.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
rundll32.exe C:\WINDOWS\system32\lpssxtcq.dll,sitypnow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sen]
C:\PROGRA~1\ASEMBL~1\javaw.exe -vt ndrv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-07-27 11:49 68856 --a------ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe C:\WINDOWS\system32\fomnymkd.dll,forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uwas7cw]
C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe -c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAntiSpyware 2007 Free]
C:\Program Files\WinAntiSpyware 2007\was7.exe /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{30-08-8B-B9-ZN}]
C:\windows\system32\kqdsrngs.exe CHD003


.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-30 23:13:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\csrss.exe
-> C:\WINDOWS\system32\basemcdpf32.dll

PROCESS: C:\WINDOWS\system32\csrss.exe
-> C:\WINDOWS\system32\basemcdpf32.dll
.
Completion time: 2007-12-30 23:15:14
C:\qoobox\ComboFix-quarantined-files.txt 2007-12-31 05:14:56
C:\qoobox\ComboFix2.txt 2007-12-31 05:08:14
.
2007-12-31 03:50:08 --- E O F ---
 
And Finally, the new HJT log

THANK YOU SO MUCH!!!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:27 PM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: {3c4fb07f-fa73-f48b-5e44-c53180bc64a1} - {1a46cb08-135c-44e5-b84f-37aff70bf4c3} - C:\WINDOWS\system32\xkcwaudc.dll (file missing)
O2 - BHO: (no name) - {440EC62D-5187-4340-8ECF-C5AB50ACC040} - C:\WINDOWS\system32\ddccy.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [0c430816] rundll32.exe "C:\WINDOWS\system32\evvaeyij.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QdrModule9] "C:\Program Files\QdrModule\QdrModule9.exe"
O4 - HKCU\..\Run: [QdrPack11] "C:\Program Files\QdrPack\QdrPack11.exe"
O4 - HKUS\S-1-5-21-1027933603-2979384076-1457232258-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Randy')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.mozilla.com
O15 - Trusted Zone: http://spybot.safer-networking.de
O20 - AppInit_DLLs:
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)

--
End of file - 6184 bytes
 
Thanks for returning your information. While I think about it, these tools should be run while signed in as the system administrator. With multiple user account, I will need to see HJT log from each before we finish.

I am going to give you an option now I believe you should have time to consider. This computer is badly infected and the Virtumonde is far from being all of your problems.
You also have these problems:
C:\WINDOWS\system32\mswsock.dll ... is infected !!
C:\WINDOWS\system32\drivers\tcpip.sys ... is infected !! (additional data below)
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

And you have another nasty trojan that replaces your files with infected files called AWF
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))

http://www.google.com/search?hl=en&q=AWF+trojan&btnG=Search

While the junk can be removed, this is going to be a long and difficult process and I believe you might want to consider reformatting your computer.
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm

I realize this is a holiday, take the time you need to consider what you wish to do and then let me know.

Thanks...Phil
 
reformatting

I think I will reformat. If the infection is that bad, it may be the simplest thing to do. Luckily there isn't too much "good stuff" on the computer so there won't be too much to back up, mainly word files.

The computer is a dell and the manual instructs me to use the "Dell PC Restore" option - it came with no disks. Shall I do that or attempt one of the procedures that you linked to?

Thank you again.
 
Thanks for letting me know, I have two Dells but mine came with Disks? I looked at the Google and there is lots of information if you need it:
http://www.google.com/search?hl=en&q=Dell+PC+Restore&btnG=Google+Search
You would have to use this method since you have no disks.

Here is some information to help you avoid this in the future.

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
 
You must log in or register to reply here.
Back
Top