virtumonde just won't go away

Status
Not open for further replies.
L

LSF123

New member
Hi,

I have repeatedly run spybot on this computer in safe mode. Virtumonde keeps showing up, I keep removing it, and it just isn't getting removed. (I'm having almost exactly the same symptoms as poster Tim Robbins). In addition, I keep getting a "do you want to run debugger" error message. Sorry I can't be more specific - the message has come up about 50 times tonight but now that I want it to come up I can't get it to...

Anyway, here is my HJT log. Please advise.

Thank you so much for your help!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:04 PM, on 10/2/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\avgamsvr.exe
C:\PROGRA~1\AVG\avgcc.exe
C:\PROGRA~1\AVG\avgupsvc.exe
C:\PROGRA~1\AVG\avgemc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\AVG\avgemc.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [BMa76b9761] Rundll32.exe "C:\WINDOWS\System32\jilihfyr.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\AVG\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\AVG\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\AVG\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\AVG\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104277493317
O20 - AppInit_DLLs: ctgwcz.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgupsvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe

--
End of file - 4353 bytes

This error comes up every other time I click anything in my browser.

"Error: A runtime error has occurred. Do you wish to debug? Line:1 Error: Syntax Error"

Thank You!
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

Did you try searching for that error message?
http://www.google.com/search?hl=en&...or:+Syntax+Error"&btnG=Google+Search&aq=f&oq=
No doubt poorly written malware is causing the error and hopefully when it is remove the error will stop.

My first question has to be, with Service Pack #3 in release, why are you still running SP#1? As far as I know, you can not even download Windows Critical Updates and will continue to constantly get infected. See this information: http://forums.spybot.info/showthread.php?t=425

As stated, you do not want to update while infected, but as soon as you are clean you must visit Windows Updates and download/install all critical updates for your system. If you go straight to SP#3, here is Microsoft Support in the event you need it.
Microsoft Windows XP Service Pack 3 (All Languages)
http://support.microsoft.com/oas/default.aspx?ln=en-us&prid=11273&gprid=522131

Why are you still running AVG 7 when AVG 8 free has been released for months.

1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here to your Desktop
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Thanks
 
ComboFix and HJT Logs

First, thank you so much for your help. I agree about the woeful state of the software on this computer. I am helping out a friend so I have no control over the versions that were running before this problem happened. When we get rid of the virus you can be sure I will update everything that can be updated.

Best Wishes,

LSF123

Now, here is the ComboFix Log:
ComboFix 08-10-06.05 - Owner 2008-10-06 21:25:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.281 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMa76b9761.txt
C:\WINDOWS\BMa76b9761.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ahikmssu.dll
C:\WINDOWS\system32\ajvdwaww.dll
C:\WINDOWS\system32\bIkllUvw.ini
C:\WINDOWS\system32\bIkllUvw.ini2
C:\WINDOWS\system32\bxttrtdh.dll
C:\WINDOWS\system32\cbmpynyq.ini
C:\WINDOWS\system32\cftxit.dll
C:\WINDOWS\system32\cijvjc.dll
C:\WINDOWS\system32\cjofyyfo.dll
C:\WINDOWS\system32\ctcppwlx.dll
C:\WINDOWS\system32\ctgwcz.dll
C:\WINDOWS\system32\cwbiehwa.dll
C:\WINDOWS\system32\daacgorw.dll
C:\WINDOWS\system32\dagcdnmx.ini
C:\WINDOWS\system32\dgdwirte.dll
C:\WINDOWS\system32\djkscvok.dll
C:\WINDOWS\system32\eggufk.dll
C:\WINDOWS\system32\euuwmkxh.dll
C:\WINDOWS\system32\evbhaicd.dll
C:\WINDOWS\system32\fbfrdxpm.ini
C:\WINDOWS\system32\fccbBQHw.dll
C:\WINDOWS\system32\ffapaces.dll
C:\WINDOWS\system32\geBqRKEv.dll
C:\WINDOWS\system32\gwpklbqv.ini
C:\WINDOWS\system32\hdtrttxb.ini
C:\WINDOWS\system32\hxkmwuue.ini
C:\WINDOWS\system32\iujhwlwj.ini
C:\WINDOWS\system32\jikgoxly.dll
C:\WINDOWS\system32\jilihfyr.dll
C:\WINDOWS\system32\jwlwhjui.dll
C:\WINDOWS\system32\kntlhuae.dll
C:\WINDOWS\system32\KnXHknmp.ini
C:\WINDOWS\system32\KnXHknmp.ini2
C:\WINDOWS\system32\kuazru.dll
C:\WINDOWS\system32\kywkfurk.ini
C:\WINDOWS\system32\lVEdNqru.ini
C:\WINDOWS\system32\lVEdNqru.ini2
C:\WINDOWS\system32\lvoqctub.dll
C:\WINDOWS\system32\mpxdrfbf.dll
C:\WINDOWS\system32\nskyupbm.ini
C:\WINDOWS\system32\nxaeyghr.ini
C:\WINDOWS\system32\ofglnfqq.dll
C:\WINDOWS\system32\ojbjax.dll
C:\WINDOWS\system32\pdujlopa.dll
C:\WINDOWS\system32\pggxcpdp.dll
C:\WINDOWS\system32\pgoomqkh.dll
C:\WINDOWS\system32\pmnkHXnK.dll
C:\WINDOWS\system32\qcmviqin.dll
C:\WINDOWS\system32\qgvsum.dll
C:\WINDOWS\system32\qohspz.dll
C:\WINDOWS\system32\qriajuuo.dll
C:\WINDOWS\system32\qynypmbc.dll
C:\WINDOWS\system32\raumrryv.ini
C:\WINDOWS\system32\rhgyeaxn.dll
C:\WINDOWS\system32\rlehtibv.dll
C:\WINDOWS\system32\rmvdmxyt.dll
C:\WINDOWS\system32\rshiumqe.ini
C:\WINDOWS\system32\rswwkvte.dll
C:\WINDOWS\system32\rxebyhfk.dll
C:\WINDOWS\system32\tjwdvi.dll
C:\WINDOWS\system32\tuvusTlI.dll
C:\WINDOWS\System32\urqNdEVl.dll
C:\WINDOWS\system32\vtkeyxrd.ini
C:\WINDOWS\system32\vworhkfw.dll
C:\WINDOWS\system32\vzebjb.dll
C:\WINDOWS\system32\wdvlxuit.dll
C:\WINDOWS\system32\wkzdog.dll
C:\WINDOWS\system32\wukqok.dll
C:\WINDOWS\system32\wvUllkIb.dll
C:\WINDOWS\system32\wwawdvja.ini
C:\WINDOWS\system32\xghbdn.dll
C:\WINDOWS\system32\xmndcgad.dll
C:\WINDOWS\system32\yimqgncq.dll
C:\WINDOWS\system32\yqyxttse.ini
C:\WINDOWS\system32\yucnlptf.dll
C:\WINDOWS\system32\zedawu.dll
C:\WINDOWS\system32\zhutdd.dll

.
((((((((((((((((((((((((( Files Created from 2008-09-07 to 2008-10-07 )))))))))))))))))))))))))))))))
.

2008-10-02 21:52 . 2008-10-02 21:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-30 20:48 . 2008-09-30 20:48 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-27 15:24 . 2008-09-27 15:24 121 --ahs---- C:\WINDOWS\system32\wrogcaad.ini
2008-09-24 20:01 . 2008-09-24 20:01 <DIR> dr-h----- C:\$VAULT$.AVG
2008-09-22 21:39 . 2008-09-29 21:32 266 --a------ C:\WINDOWS\wininit.ini
2008-09-22 20:47 . 2008-09-22 20:49 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-22 20:47 . 2008-09-22 20:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-22 20:00 . 2008-09-22 21:39 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AntispywareBot
2008-09-18 15:27 . 2008-09-18 15:27 <DIR> d-------- C:\Documents and Settings\kelsey !\Application Data\AVG7
2008-09-18 15:26 . 2008-09-18 15:26 <DIR> d-------- C:\Documents and Settings\kelsey !

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-07 00:00 --------- d-----w C:\Program Files\AVG
2008-09-25 02:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-09-18 01:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2008-09-11 00:29 --------- d-----w C:\Program Files\Hewlett-Packard
2008-09-11 00:27 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-10-02 22:43 19,552 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-02-25 22:55 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-03 13312]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\AVG\avgcc.exe" [2007-04-25 416256]
"AVG7_EMC"="C:\PROGRA~1\AVG\avgemc.exe" [2007-04-25 351744]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 118784]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-24 188416]
"HPHmon04"="C:\WINDOWS\System32\hphmon04.exe" [2002-06-20 339968]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-05-24 49152]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-01-01 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-01 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 36975]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 C:\WINDOWS\system32\TWEAKUI.CPL]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\AVG\avgw.exe" [2007-04-25 145920]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ctgwcz.dll xghbdn.dll

S3 SMC2862W;SMC2862W-G EZ Connect g 2.4Ghz 802.11g Wireless USB 2.0 Adapter Driver;C:\WINDOWS\System32\DRIVERS\2862WICB.sys [ ]
S3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);C:\WINDOWS\System32\DRIVERS\SMCWGU.sys [ ]
S3 WlanUIB;NETGEAR 802.11b USB Driver;C:\WINDOWS\System32\DRIVERS\MA111nd5.sys [2004-03-03 666624]
.
- - - - ORPHANS REMOVED - - - -

BHO-{329D490E-B7C4-4C34-8C09-A0A520A658C1} - (no file)
BHO-{40199CB3-3651-43C8-82A5-4B7A79C639CF} - (no file)
BHO-{54690E14-C9B4-428D-BCED-0EF0D8C2AE49} - (no file)
BHO-{8e3c4402-79dc-44da-a7d7-e6314bb5c0bc} - C:\WINDOWS\System32\xghbdn.dll
BHO-{919e0956-8814-436e-81b2-06f21a5aef90} - (no file)
BHO-{9B8AEDB6-9AD1-4189-814E-2A11FBBDB3B2} - (no file)
BHO-{A18D5DEF-6A61-46FE-8BDF-8C05904F6E6F} - (no file)
BHO-{ADFD5FD2-2DD2-4572-80DA-C74F1193FBA1} - C:\WINDOWS\system32\geBqRKEv.dll
BHO-{ED34E60B-8D9B-404C-A25C-7263DD21C9B5} - C:\WINDOWS\System32\urqNdEVl.dll
HKLM-Run-AOLDialer - C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
HKLM-Run-BMa76b9761 - C:\WINDOWS\System32\cjofyyfo.dll
ShellExecuteHooks-{ADFD5FD2-2DD2-4572-80DA-C74F1193FBA1} - C:\WINDOWS\system32\geBqRKEv.dll
MSConfigStartUp-GhostStartTrayApp - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-06 21:59:44
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\AVG\avgamsvr.exe
C:\PROGRA~1\AVG\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-10-06 22:04:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-07 02:04:14

Pre-Run: 23,007,739,904 bytes free
Post-Run: 23,271,055,360 bytes free

199 --- E O F --- 2008-09-11 00:13:16


Here is the HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:15 PM, on 10/6/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\avgamsvr.exe
C:\PROGRA~1\AVG\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\avgcc.exe
C:\PROGRA~1\AVG\avgemc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\AVG\avgemc.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\AVG\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\AVG\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\AVG\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\AVG\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104277493317
O20 - AppInit_DLLs: ctgwcz.dll xghbdn.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgupsvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe

--
End of file - 4449 bytes
 
Thanks for returning your information and the feedback. Please read and follow the directions carefully and in the numbered order.

This information will help with getting AVG up to date, you may wait until the computer is clean to do this.
http://free.grisoft.com/ww.download-avg-anti-virus-free-edition
This tutorial will help if you can use it.
How to Install Free version AVG 8.0 without LinkScanner feature
http://russelltexas.com/tutorials/avg8install.htm

I see other programs that are out of date and dangerous, and junk like this:
AntispywareBot: http://www.castlecops.com/s15060-AntiSpywareBot.html
I'll look at a uninstall list soon and make suggestions.


1) C:\Program Files\Java\jre1.5.0_03\ <<< appears Java is out of date:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open notepad and copy/paste the text in the codebox below into it:

Code: 
File::
C:\WINDOWS\system32\wrogcaad.ini

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Folder::
C:\Documents and Settings\Owner\Application Data\AntispywareBot

Save this as CFScript

CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O20 - AppInit_DLLs: ctgwcz.dll xghbdn.dll <<< may be gone

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may results in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

6) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.

How is the computer running now?

Thanks...Phil
 
steps completed...

Phil,

Thank you for your thorough instructions. The only thing I was confused about was in Step 5 "*Cleaning Prefetch ". I couldn't tell if that was another step I was supposed to take, or just more information about what the ATF Cleaner had done automatically.

The computer seems to be running faster and I'm not gettting the errors that I was getting before. Please tell me when I can start updating the service pack and all the outdated software. You are the best!

Laura


Here are the log files from CFScript, MBAM, and HJT.

ComboFix 08-10-06.05 - Owner 2008-10-08 20:48:17.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.278 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\cfscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\wrogcaad.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\AntispywareBot
C:\WINDOWS\system32\wrogcaad.ini

.
((((((((((((((((((((((((( Files Created from 2008-09-09 to 2008-10-09 )))))))))))))))))))))))))))))))
.

2008-10-08 20:45 . 2008-10-08 20:45 <DIR> d-------- C:\Program Files\Sun
2008-10-08 20:45 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-10-08 20:41 . 2008-10-08 20:45 <DIR> d-------- C:\Program Files\Java
2008-10-08 20:41 . 2008-10-08 20:41 <DIR> d-------- C:\Program Files\Common Files\Java
2008-10-02 21:52 . 2008-10-02 21:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-30 20:48 . 2008-09-30 20:48 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-24 20:01 . 2008-09-24 20:01 <DIR> dr-h----- C:\$VAULT$.AVG
2008-09-22 21:39 . 2008-09-29 21:32 266 --a------ C:\WINDOWS\wininit.ini
2008-09-22 20:47 . 2008-09-22 20:49 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-22 20:47 . 2008-09-22 20:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-18 15:27 . 2008-09-18 15:27 <DIR> d-------- C:\Documents and Settings\kelsey !\Application Data\AVG7
2008-09-18 15:26 . 2008-09-18 15:26 <DIR> d-------- C:\Documents and Settings\kelsey !

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-07 02:17 --------- d-----w C:\Program Files\AVG
2008-10-07 02:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2008-09-25 02:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-09-11 00:29 --------- d-----w C:\Program Files\Hewlett-Packard
2008-09-11 00:27 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-10-02 22:43 19,552 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-02-25 22:55 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.

((((((((((((((((((((((((((((( snapshot@2008-10-06_22.03.29.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-04-13 06:19:56 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 05:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2005-04-13 06:20:04 49,250 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 05:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2005-04-13 07:48:54 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 06:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-03 13312]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\AVG\avgcc.exe" [2007-04-25 416256]
"AVG7_EMC"="C:\PROGRA~1\AVG\avgemc.exe" [2007-04-25 351744]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 118784]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-24 188416]
"HPHmon04"="C:\WINDOWS\System32\hphmon04.exe" [2002-06-20 339968]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-05-24 49152]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-01-01 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-01 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 C:\WINDOWS\system32\TWEAKUI.CPL]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\AVG\avgw.exe" [2007-04-25 145920]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

S3 SMC2862W;SMC2862W-G EZ Connect g 2.4Ghz 802.11g Wireless USB 2.0 Adapter Driver;C:\WINDOWS\System32\DRIVERS\2862WICB.sys [ ]
S3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);C:\WINDOWS\System32\DRIVERS\SMCWGU.sys [ ]
S3 WlanUIB;NETGEAR 802.11b USB Driver;C:\WINDOWS\System32\DRIVERS\MA111nd5.sys [2004-03-03 666624]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-08 20:50:27
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-08 20:52:35
ComboFix-quarantined-files.txt 2008-10-09 00:52:30
ComboFix2.txt 2008-10-07 02:04:20

Pre-Run: 22,308,552,704 bytes free
Post-Run: 22,380,359,680 bytes free

100 --- E O F --- 2008-09-11 00:13:16





Malwarebytes' Anti-Malware 1.28
Database version: 1244
Windows 5.1.2600 Service Pack 1

10/8/2008 9:40:40 PM
mbam-log-2008-10-08 (21-40-40).txt

Scan type: Full Scan (C:\|)
Objects scanned: 78012
Time elapsed: 35 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 89

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\kelsey !\Desktop\setup_sbd_en.exe (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ahikmssu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\cftxit.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\cijvjc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\cjofyyfo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\cwbiehwa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\daacgorw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\dgdwirte.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\eggufk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\euuwmkxh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\fccbBQHw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ffapaces.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\geBqRKEv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\jikgoxly.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\jwlwhjui.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\kntlhuae.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\kuazru.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\lvoqctub.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mpxdrfbf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ofglnfqq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ojbjax.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\pggxcpdp.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\pgoomqkh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\qcmviqin.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\qgvsum.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\qohspz.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\qriajuuo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\qynypmbc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rhgyeaxn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rlehtibv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rmvdmxyt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rswwkvte.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rxebyhfk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\tjwdvi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\tuvusTlI.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\vworhkfw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\vzebjb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wdvlxuit.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wkzdog.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wukqok.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\xghbdn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\xmndcgad.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\yimqgncq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\yucnlptf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\zhutdd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000007.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000012.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000013.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000014.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000017.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000018.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000022.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000023.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000026.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000027.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000028.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000033.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000035.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000036.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000040.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000041.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000044.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000045.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000047.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000048.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000050.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000051.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000052.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000053.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000054.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000057.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000058.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000060.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000061.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000062.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000063.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000066.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000067.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000068.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000069.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000070.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000073.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000075.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000077.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000079.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000020.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000038.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000056.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{43B125BD-E507-4641-9114-2EA7D0C849D8}\RP2\A0000074.dll (Trojan.Vundo) -> Quarantined and deleted successfully.







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:36 PM, on 10/8/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\avgamsvr.exe
C:\PROGRA~1\AVG\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\avgcc.exe
C:\PROGRA~1\AVG\avgemc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\AVG\avgemc.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\AVG\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\AVG\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\AVG\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\AVG\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104277493317
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgupsvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe

--
End of file - 4727 bytes
 
Hi Laura, thanks for returning your information and the feedback. The Prefetch disclaimer is just for your information, many folks don't even know it exists. Hackers do hide their junk there and cleaning it removes the bad stuff but also removes stuff that Windows uses to speed up your computer. Some folks are surprised when the computer is running better, then I ask them to clean and it slows a little. So...I added that disclaimer so they know about Prefetch for their own benefit and why it has happened.
Please tell me when I can start updating the service pack and all the outdated software.
Click to expand...
DO NOT update Windows Criticals until we know you are clean, since you will be making the leap to SP#3, Microsoft offers free help if needed:
Microsoft Windows XP Service Pack 3 (All Languages)
http://support.microsoft.com/oas/default.aspx?ln=en-us&prid=11273&gprid=522131
Here is a small free tool that lets you know when something needs an update if you are interested:
https://psi.secunia.com/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Stick with me a bit longer, most of what MBAM found is in combofix quarantine and in infected System Restore files that must be dealt with, but this important step is first.

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

RC1-4.gif


Since we do not need to scan with combofix, click NO

RC_whatnext.gif


RC_AllDone.gif


Thanks...Phil
 
I almost did it right...

Phil,

I installed the Recovery Console but clicked Yes instead of No to scan for malware. Did I screw it up?

Also, I have searched the entire hard drive and can't find C:\*CF-RC.txt*.

Here is the ComboFix log.

I hope I didn't mess it up. Please let me know what to do next.

Laura

ComboFix 08-10-06.05 - Owner 2008-10-09 20:38:57.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.305 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\winxpsp1_en_hom_bf.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-09-10 to 2008-10-10 )))))))))))))))))))))))))))))))
.

2008-10-08 21:01 . 2008-10-08 21:03 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-08 21:01 . 2008-10-08 21:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-10-08 21:01 . 2008-10-08 21:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-08 21:01 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-08 21:01 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-08 20:45 . 2008-10-08 20:45 <DIR> d-------- C:\Program Files\Sun
2008-10-08 20:45 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-10-08 20:41 . 2008-10-08 20:45 <DIR> d-------- C:\Program Files\Java
2008-10-08 20:41 . 2008-10-08 20:41 <DIR> d-------- C:\Program Files\Common Files\Java
2008-10-02 21:52 . 2008-10-02 21:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-30 20:48 . 2008-09-30 20:48 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-24 20:01 . 2008-09-24 20:01 <DIR> dr-h----- C:\$VAULT$.AVG
2008-09-22 21:39 . 2008-09-29 21:32 266 --a------ C:\WINDOWS\wininit.ini
2008-09-22 20:47 . 2008-09-22 20:49 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-22 20:47 . 2008-09-22 20:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-18 15:27 . 2008-09-18 15:27 <DIR> d-------- C:\Documents and Settings\kelsey !\Application Data\AVG7
2008-09-18 15:26 . 2008-09-18 15:26 <DIR> d-------- C:\Documents and Settings\kelsey !

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-10 00:28 --------- d-----w C:\Program Files\AVG
2008-10-07 02:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2008-09-25 02:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-09-11 00:29 --------- d-----w C:\Program Files\Hewlett-Packard
2008-09-11 00:27 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-10-02 22:43 19,552 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-02-25 22:55 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.

((((((((((((((((((((((((((((( snapshot@2008-10-06_22.03.29.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-04-13 06:19:56 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 05:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2005-04-13 06:20:04 49,250 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 05:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2005-04-13 07:48:54 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 06:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-03 13312]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\AVG\avgcc.exe" [2007-04-25 416256]
"AVG7_EMC"="C:\PROGRA~1\AVG\avgemc.exe" [2007-04-25 351744]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 118784]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-24 188416]
"HPHmon04"="C:\WINDOWS\System32\hphmon04.exe" [2002-06-20 339968]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-05-24 49152]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-01-01 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-01 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 C:\WINDOWS\system32\TWEAKUI.CPL]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\AVG\avgw.exe" [2007-04-25 145920]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

S3 SMC2862W;SMC2862W-G EZ Connect g 2.4Ghz 802.11g Wireless USB 2.0 Adapter Driver;C:\WINDOWS\System32\DRIVERS\2862WICB.sys [ ]
S3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);C:\WINDOWS\System32\DRIVERS\SMCWGU.sys [ ]
S3 WlanUIB;NETGEAR 802.11b USB Driver;C:\WINDOWS\System32\DRIVERS\MA111nd5.sys [2004-03-03 666624]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-09 20:41:35
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-09 20:44:00
ComboFix-quarantined-files.txt 2008-10-10 00:43:50
ComboFix2.txt 2008-10-09 00:52:37
ComboFix3.txt 2008-10-07 02:04:20

Pre-Run: 22,322,929,664 bytes free
Post-Run: 22,298,308,608 bytes free

winxpsp1_en_hom_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

115 --- E O F --- 2008-09-11 00:13:16
 
Morning Laura, Recovery Console is install correctly, here is a little information for you.
http://support.microsoft.com/kb/314058
http://support.microsoft.com/kb/307654
Recovery Console is a tool that will allow you to recover from a catastrophic system failure, so let's hope you never need it. Many experts believe Microsoft should have installed it by default.

Before we remove combofix, could I have a look at your uninstall list:

Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)

Thanks...Phil
 
HJT Log

Phil,

I hope you had a good weekend. Ours was good. Back to the fixes...

Here's the latest HJT log. You said I could edit things out but I left it alone just in case.

Thanks!

Laura

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:53:06 PM, on 10/13/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\avgamsvr.exe
C:\PROGRA~1\AVG\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\avgcc.exe
C:\PROGRA~1\AVG\avgemc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\AVG\avgemc.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\AVG\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\AVG\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\AVG\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\AVG\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104277493317
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgupsvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe

--
End of file - 4870 bytes
 
HJT Uninstall List

Phil,

Now that I gave you the HJT log, here's the logfile you were actually looking for. Sorry for the mixup. It helps to actually read the directions...

Laura

Adobe Flash Player 9 ActiveX
Adobe Reader 7.1.0
Adobe Shockwave Player
AVG Free Edition
Conexant HSF V92 56K Data Fax PCI Modem
Garmin Communicator Plugin
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Intel(R) Extreme Graphics Driver
Java DB 10.3.1.4
Java(TM) 6 Update 7
Java(TM) SE Development Kit 6 Update 7
Learn2 Player (Uninstall Only)
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
MA111 Configuration Utility
Malwarebytes' Anti-Malware
MapSource - North American City Select v4.01
Microsoft Data Access Components KB870669
Microsoft Office XP Professional with FrontPage
NoAd HOSTS file (remove only)
Photosmart 130,230,7150,7345,7350,7550 (Remove only)
Pocket RAR documentation
Quicken 2002 New User Edition
QuickTime
RealPlayer Basic
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
SoundMAX
Spybot - Search & Destroy
The Sims Complete Collection
Tweak UI
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889293
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB918439
Windows XP Hotfix - KB918899
Windows XP Hotfix - KB925486
WinRAR archiver
 
Thanks for the uninstall list. I see no malware in this HJT log:
Scan saved at 9:53:06 PM, on 10/13/2008

Uninstall list:

Here is a small free tool that lets you know when something needs an update if you are interested:
https://psi.secunia.com/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.
http://www.netsquirrel.com/msconfig/msconfig_xp.html

Adobe Reader 7.1.0 <<< out of date and being exploited
http://www.filehippo.com/download_adobe_reader/

AVG Free Edition <<< update

LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation
Since you are running Grisolft's AVG, I would uninstall Symantec.
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
http://www.smartcomputing.com/editorial/article.asp?article=articles/2003/s1407/38s07/38s07.asp

Viewpoint Media Player <<< if you do not use this, I suggest you uninstall it.


Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

CF_Cleanup.png


Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.

Update AVG and scan the system, to be sure it is running right and scanning clean. Since AVG 8 Free offers no tech support, here is valuable information: FAQ
http://www.avg.com/faq
AVG Free Forum
http://freeforum.avg.com/

If all is well as this point, let me know and I will close this topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
 
Status
Not open for further replies.
Back
Top