Virtumonde, Malware INFECTED, falsesVirusScan page

Status
Not open for further replies.
H

HopefulBeliever

New member
Here is the log, I hope I can get help FAST, I do realize MANY have just been infected with the same probs... first my AVG software caught these trojans, said they were healed and quaranteened , apparantly they weren't gone, I cant get into windows except thru ctr/alt/delete (task Manager) and safe mode doesn't work right, I can however still get on the internet and navigate my system. This started with 13 instances of Virtumondo, 3 malware and a few other things. Spybot scan now shows 5 instances of virtumonde, 2 malware, and the few other things...Thank You in advance for your help...patiently waiting :)
______________________________________________________________


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:14:38 PM, on 12/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnce: [SpybotDeletingA772] command /c del "C:\WINDOWS\system32\~.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC445] cmd /c del "C:\WINDOWS\system32\~.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - AppInit_DLLs: ldvmqk.dll icxhsh.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe

--
End of file - 5413 bytes
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.
Here is the log, I hope I can get help FAST,
Click to expand...
This forum is staffed by volunteers and is very busy as are all malware removal forums. A four day wait is not unusual, in fact there is this topic:
The Waiting Room
http://forums.spybot.info/forumdisplay.php?f=37

I can take one look and see two Antivirus programs running:
Symantec Shared/Norton AntiVirus
Grisoft\AVG7 <<< as well as an out of date AVG 7 so there are issues to resolve here as well as one nasty infection. If you wish to continue I suggest you make sure that only one antivirus program is running on the computer:
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
http://www.smartcomputing.com/editorial/article.asp?article=articles/2003/s1407/38s07/38s07.asp

and the one you are running is up to date. Once you are at that point, if you still need help, post a fresh HijackThis log and I will be glad to take a look.

Thanks
 
Hi PsKelley, yes...I truly understand how busy u guys are, and am glad God gave me patience...

I uninstalled the Norton (I wasn't aware I had) the HJT log looks like Norton Toolbar is still there, I also am aware that I am running AVG 7.5, my stepson has the AVG 8 on his laptop and it seems to not work correctly, is why I chose to keep the 7.5, if it is BEST to update I will, and yes... I think I have a lot of unnecassary things on this comp, and don't use aol at all anymore, so if u feel I should get rid of some more things b4 we proceed in fixing this, please just let me know. I have been staying off the comp except to check this forum, last night I tried to sign on and get in here, but the virus itself kept popping up, so I just turned the comp off. Here is the new HJT log
_______________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:19 AM, on 12/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lexmark 2500 Series\lxddmon.exe
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - AppInit_DLLs: ldvmqk.dll icxhsh.dll zyvhts.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe

--
End of file - 5756 bytes
 
Thanks for being candid, I will do my best to help you with these issues if you wish, first some information.

1) I run AVG 8 free myself, I have links to a couple of other free ones, but I believe you will be fine with the program. The old version needs to be uninstalled first. I will post the best method for doing that later.

2) You still have Symantec/Norton running, we will use tools Symantec provides to remove the old programs.

3) We can concentrate on making sure the malware is removed first, but I advise you to stay offline except when absolutely necessary because of the out of date antivirus program.

4) DO NOT ENABLE Spybot TeaTimer while we are working, and do expect this to take a while do to the remote repair.

5) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

6) Post an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks...Phil
 
Hi Phil :)

I am so glad you and all the others who help folks like me are here :)

First, I did decide to go ahead and replace 7.5 with 8.0 b4 your latest reply.
I attempted to disable all of my anti virus software...I am not sure if I was successful, as I told you from the beginning on windows start my icons are not showing up, (they are now, after running combofix) I get on thru task manager. so I had no icons to click on, I did my best by going into programs and hoping they were indeed disabled. As far as Norton goes, when I went to remove it after your first reply to me, I could not find it in add/remove programs, I did find it in programs list and attempted to uninstall from there, now I can't find it anyware, to even be able to disable it.

I sure hope I have done everything correctly, here are the logs, and ALL info you requested.
_______________________________________________________
ComboLog

ComboFix 08-12-12.02 - Bill 2008-12-12 14:04:37.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223.109 [GMT -8:00]
Running from: c:\documents and settings\Bill\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Bill\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\GetModule
c:\program files\iCheck
c:\windows\system32\efcbyWmk.dll
c:\windows\system32\fhRCffii.ini
c:\windows\system32\fhRCffii.ini2
c:\windows\system32\iiffCRhf.dll
c:\windows\system32\jtbiokrs.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\qicleqvp.ini
c:\windows\system32\qmhjlniu.dll
c:\windows\system32\qqWDJkkj.ini
c:\windows\system32\qqWDJkkj.ini2
c:\windows\system32\rjsigqtx.dll
c:\windows\system32\tadnyucg.ini
c:\windows\system32\uinljhmq.ini
c:\windows\system32\wpv261228549885.cpx
c:\windows\system32\zyvhts.dll
c:\windows\Tasks\pjicdegm.job
c:\windows\wiaserviv.log

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\winlogon.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-12 to 2008-12-12 )))))))))))))))))))))))))))))))
.

2008-12-12 13:17 . 2008-12-12 13:17 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-12 13:17 . 2008-12-12 13:17 <DIR> d-------- c:\program files\AVG
2008-12-12 13:17 . 2008-12-12 13:17 <DIR> d-------- c:\documents and settings\Bill\Application Data\AVGTOOLBAR
2008-12-12 13:17 . 2008-12-12 13:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-12 13:17 . 2008-12-12 13:17 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-12 13:17 . 2008-12-12 13:17 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-12 13:17 . 2008-12-12 13:17 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-09 17:30 . 2008-12-09 17:30 <DIR> d--hs---- C:\FOUND.086
2008-12-07 13:13 . 2008-12-07 13:13 <DIR> d-------- c:\program files\Trend Micro
2008-12-06 21:56 . 2008-12-09 22:18 142 --a------ c:\windows\wininit.ini
2008-12-05 18:07 . 2008-12-05 18:07 <DIR> d--hs---- C:\FOUND.085
2008-11-28 14:10 . 2008-11-28 14:10 <DIR> d--hs---- C:\FOUND.084
2008-11-28 10:45 . 2008-11-28 10:45 <DIR> d--hs---- C:\FOUND.009
2008-11-20 22:48 . 2008-11-20 22:48 <DIR> d--hs---- C:\FOUND.008
2008-11-16 10:14 . 2008-11-16 10:14 <DIR> d--hs---- C:\FOUND.007
2008-11-15 06:42 . 2008-11-15 06:42 <DIR> d--hs---- C:\FOUND.006

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-12 22:08 502,272 ----a-w c:\windows\system32\winlogon.exe
2008-12-12 22:08 502,272 ----a-w c:\windows\system32\dllcache\winlogon.exe
2008-11-26 04:59 295,424 ----a-w c:\windows\system32\termsrv.dll
2008-11-05 20:05 --------- d-----w c:\documents and settings\Bill\Application Data\Viewpoint
2008-11-04 23:51 --------- d-----w c:\documents and settings\Bill\Application Data\Lexmark Productivity Studio
.

------- Sigcheck -------

2008-11-25 20:59 295424 40ffc19a8d4875e9e19cecdc76ef9201 c:\windows\system32\termsrv.dll
2004-08-04 00:56 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\system32\dllcache\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 69632]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-01-13 757760]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-01-09 253952]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2008-03-07 26112]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 50880]
"ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 34504]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-05-03 291760]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-03-05 20480]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-05-03 312240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-12 1261336]
"PCTVOICE"="pctspk.exe" [2003-01-06 c:\windows\system32\pctspk.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\System32\\lxddcoms.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=
"c:\\WINDOWS\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\lxddPSWX.EXE"=
"c:\\WINDOWS\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\lxddjswx.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-12 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-12 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-12 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-12 76040]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service []
R2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2008-09-29 99248]
.
Contents of the 'Scheduled Tasks' folder

2008-12-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{034A40A4-F4AD-4231-9AE7-25C6F12DEA24} - (no file)
BHO-{7D973754-991B-4A4C-9E4B-612948B0403B} - (no file)
BHO-{A6B8088C-534A-484A-9CBD-BE7422E540D4} - c:\windows\system32\jkkJDWqq.dll
BHO-{cbcb5226-ae81-43d6-ad5c-c2c154c170a6} - c:\windows\system32\zyvhts.dll
BHO-{CF45110B-F045-4F64-8411-21FF4B482420} - c:\windows\system32\iiffCRhf.dll


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
FF - ProfilePath - c:\documents and settings\Bill\Application Data\Mozilla\Firefox\Profiles\a7qtg1gb.default\
FF - plugin: c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-12 14:12:41
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\LXDDSERV.EXE
c:\windows\SYSTEM32\LXDDCOMS.EXE
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-12 14:15:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-12 22:15:20

Pre-Run: 32,675,037,184 bytes free
Post-Run: 32,851,099,648 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\="Microsoft Windows"

161
____________________________________________________________
HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:19:11 PM, on 12/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Lexmark 2500 Series\lxddmon.exe
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe

--
End of file - 6335 bytes
_____________________________________________________________
UnInstall List <<< posted a HJT log in error.


______________________________________________________________

Hey Phil...By The Way, I am not even sure when this was installed on my comp,<b>::ABBYY FineReader 6.0 Sprint::</b>
seems it is very recent to me, I may also be forgetting too, I am a mother of many and tend to forget sometimes

thanks again

becoming hopeful
 
Last edited by a moderator:
Thanks for the feedback, please look at the fact you posted the same HijackThis log twice and no uninstall list. Read those directions for posting the uninstall list carefully, then do so. I will edit the second HijackThis log once I see the uninstall list posted and know you have seen the error.

Phil
 
oops...my bad...I believe I know how that happened, here is the uninstall list

ABBYY FineReader 6.0 Sprint
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0
Apple Software Update
AVG Free 8.0
Easy CD & DVD Creator 6
HijackThis 2.0.2
HSP56 MR Drivers
Java(TM) 6 Update 5
Lexmark 2500 Series
Lexmark Fax Solutions
Microsoft .NET Framework 2.0
Microsoft Office 2000 Premium
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.3)
QuickTime
RealPlayer Basic
Spybot - Search & Destroy
Viewpoint Media Player
W Photo Studio
WinZip
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger

Phil I did notice something, in the Combofix log.... this~~~>ComboFix 08-12-12.02 - Bill 2008-12-12 14:04:37.1 - FAT32x86

somebody built this comp for me and since I first turned it on, there were issues with freezing up, my life is pretty crazy most of the time, and I never found or took the time, to take it back to the guy to fix it. I did however eventually quit freezing, after I noticed when it froze and after reboot, the disc check it ran, it was in the FAT32, (d something file) I was pretty sure this has to do with the Defrag program, it was after I had successfully been able to defrag the system, that the freezing issue stopped... just thought this would be some useful info for you

ttys
Julia
 
What I need you to do is to read my directions and follow them from this point on. I requested you wait to install AVG for a reason. I would be glad to get out of the way if you wish, but if you want my help, my directions must be followed. Please hold questions for later, I will do my best to answer them all or direct you to where you can get answers. If we are in agreement on this, I will first discuess your uninstall list.

Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.

Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Reader 7.0 <<< out of date, see this information:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows
http://www.foxitsoftware.com/pdf/rd_intro.php

Java(TM) 6 Update 5 <<< out of date, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php

Mozilla Firefox (3.0.3) <<< out of date, update from within.
Tools > Options > Update

Spybot - Search & Destroy <<< please be sure this is the newest version:
Please be sure Spybot S&D is up to date and fully immunized.
Spybot-S&D 1.6 has arrived! 8. July 2008
http://www.safer-networking.org/en/
http://www.safer-networking.org/en/news/2008-07-08.html
http://www.safer-networking.org/en/faq/index.html

Viewpoint Media Player <<< suggest you uninstall:
For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546

You can work on the above as time permits.

Instructions start here, please read and follow them carefully and in the numbered order.

1) Use these instructions to remove the leftover Sysmantec items:
http://service1.symantec.com/SUPPOR...sf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

How is the computer running?

Thanks...Phil
 
ok Phil...I have followed your instructions to the 'T', got to the ATF, ran it, just as u said, But...now I am unsure if this is what you want me to do next


*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/art...efetch-XP.html

so... I will go no further until I hear back from you

Thanks

Julia

P.S. I am sorry about jumping ahead when I upgraded AVG, I only did because u had suggested I do so at first, than after I decided not to update to 8.0, I thought better of it and did the upgrade BEFORE you asked me not to.
Yes...I want, need and very much appreciate your help!
 
That is there for your information.
1) To make you aware of the fact you may get a couple of slow starts.
2) To show you (in the link) what Prefetch is. You would be surprised how many folks using Windows XP are not aware they even have a Prefetch folder.
3) Please continue with the rest of the instructions.

Thanks
 
Morning Phil, here is the Malware Log

Malwarebytes' Anti-Malware 1.31
Database version: 1497
Windows 5.1.2600 Service Pack 2

12/13/2008 10:41:22 AM
mbam-log-2008-12-13 (10-41-22).txt

Scan type: Full Scan (C:\|)
Objects scanned: 76282
Time elapsed: 14 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{BE234C54-49D8-42DA-9816-0CD3A8AD71FA}\RP202\A0426512.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BE234C54-49D8-42DA-9816-0CD3A8AD71FA}\RP202\A0426513.DLL (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BE234C54-49D8-42DA-9816-0CD3A8AD71FA}\RP202\A0426514.DLL (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BE234C54-49D8-42DA-9816-0CD3A8AD71FA}\RP202\A0426515.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BE234C54-49D8-42DA-9816-0CD3A8AD71FA}\RP202\A0426516.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BE234C54-49D8-42DA-9816-0CD3A8AD71FA}\RP202\A0426519.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BE234C54-49D8-42DA-9816-0CD3A8AD71FA}\RP202\A0426520.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BE234C54-49D8-42DA-9816-0CD3A8AD71FA}\RP202\A0426521.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BE234C54-49D8-42DA-9816-0CD3A8AD71FA}\RP202\A0426522.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BE234C54-49D8-42DA-9816-0CD3A8AD71FA}\RP202\A0426523.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BE234C54-49D8-42DA-9816-0CD3A8AD71FA}\RP202\A0426538.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill\Application Data\Google\ijdkq13324484.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill\Application Data\Google\spclrp.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Here is the new HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45:55 AM, on 12/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Lexmark 2500 Series\lxddmon.exe
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe

--
End of file - 5948 bytes

Not sure how the comp is running, just yet... before running this tool, Firefox kept having a shutdown error.
Time Will Tell

Thanks again
Julia
 
1) When you mention an error message, I must see the message word for word, exactly as it is presented to you by Windows. I should also say it may be the error will stop when you update Firefox.

2) Most of what MBAM found are infected System Restore files but it did pick up a couple of items.

3) I need to point out that you appear to have a new malware item was not in the last HJT log.
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
http://www.systemlookup.com/CLSID/55210.html
Parasite, related to asksearch.org - see their "Terms of Use"
Use HJT to check and remove that item.

4) Let's then proceed like this:
Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

CF_Cleanup.png


Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.

Update AVG 8 and scan the system, to be sure it is running right and scanning clean.

I will post this information for you to use as you wish.
FAQ: http://www.avg.com/faq
AVG Free Forum: http://freeforum.avg.com/
Optional tutorial, your call:
http://russelltexas.com/tutorials/avg8install.htm

I would like to see one last HJT log.

If all is well at this point, let me know and I will close the topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
 
Hey Phil...sorry took me so long to get back to you...I did all u asked, but could NOT get back in here to post...kept telling me spybot server was busy or down.

so...I did most of the updates u suggested, like java, adobe, mozilla...couldn't update spybot, cuz spybot server was down

well....the comp started acting funny again, so I ran avg scan, found nothing, ran spybot...found VIRTUMONDO (spell check) again!!!

updated malwarebytes, ran full scan...found nothing (I saved the log if u need it)

here is a very recent HJT Log...and I see a problem, several actually...I'll be back tomorrow

Thanks
Julia
________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:54 PM, on 12/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Lexmark 2500 Series\lxddmon.exe
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {034A40A4-F4AD-4231-9AE7-25C6F12DEA24} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {252F9382-FDE0-400A-9CE2-8B46ACE68CBB} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7D973754-991B-4A4C-9E4B-612948B0403B} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Uninstall getPlus(R) for Adobe] "C:\Program Files\NOS\bin\getPlus_HelperSvc.exe" /UninstallGet1noarp
O4 - HKLM\..\RunOnce: [SpybotDeletingA772] command /c del "C:\WINDOWS\system32\~.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC445] cmd /c del "C:\WINDOWS\system32\~.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\RunOnce: [SpybotDeletingB3861] command /c del "C:\WINDOWS\system32\~.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7554] cmd /c del "C:\WINDOWS\system32\~.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: efcbyWmk - C:\WINDOWS\
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe

--
End of file - 6855 bytes
 
Sorry for the wait, the forum (and servers) has been down as you are aware if you tried to get in.

Thanks for the feedback, and it appears some junk was returned by TeaTimer's memory which we will remove soon. These are the items that concern me:
O4 - HKLM\..\RunOnce: [SpybotDeletingA772] command /c del "C:\WINDOWS\system32\~.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC445] cmd /c del "C:\WINDOWS\system32\~.exe"
~.exe <<< can't get information on that file and you can see why. Nothing at Google:
http://www.google.com/search?hl=en&q=~.exe&btnG=Search

Could you make sure you can see all files and folders:
http://www.bleepingcomputer.com/tutorials/tutorial62.html

Now navigate to that folder: C:\WINDOWS\system32\~.exe <<< here in red, and see if it is there and if so, what information you can provide by right clicking the file and looking at "Properties" Post any information that is there.

After you do that, then let's clean the junk again unless it is just a leftover Spybot is finding.

1) Make sure Spybot S&D TeaTimer is DISABLED.

2) http://downloads.subratam.org/ResetTeaTimer.bat <<< right click the link and choose "Save target as...
Download ResetTeaTimer.bat to the Desktop
Double click ResetTeaTimer.bat
to remove all entries set by TeaTimer (and preventing TeaTimer to restore them upon reactivation).

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {034A40A4-F4AD-4231-9AE7-25C6F12DEA24} - (no file)
O2 - BHO: (no name) - {252F9382-FDE0-400A-9CE2-8B46ACE68CBB} - (no file)
O2 - BHO: (no name) - {7D973754-991B-4A4C-9E4B-612948B0403B} - (no file)
O4 - HKLM\..\RunOnce: [SpybotDeletingA772] command /c del "C:\WINDOWS\system32\~.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC445] cmd /c del "C:\WINDOWS\system32\~.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3861] command /c del "C:\WINDOWS\system32\~.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7554] cmd /c del "C:\WINDOWS\system32\~.exe"
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O20 - Winlogon Notify: efcbyWmk - C:\WINDOWS\

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Restart the computer and post a new HJT log and the information about that file.

Thanks...Phil
 
Hi Phil... wow this is tedious work!
I did all u asked. well...I still have the HJT open and haven't selected 'fix this' yet...BECAUSE, these items are not showing on the log

O4 - HKLM\..\RunOnce: [SpybotDeletingA772] command /c del "C:\WINDOWS\system32\~.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC445] cmd /c del "C:\WINDOWS\system32\~.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3861] command /c del "C:\WINDOWS\system32\~.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7554] cmd /c del "C:\WINDOWS\system32\~.exe"
Click to expand...

I searched for the ~exe. file...can't find anything at all, I went to 'search' all files and folders to do this

I also felt telling you what happened when I turned on my comp this morning, may have some bearing, you know better than I

when I logged onto windows, it is just like before... I had my windows background, but NO start-up menu or desktop icons showing, than spybot scan automatically started, it got to about 40 something thousand scanned files and windows shut down, or tried, I had to push restart button in order for the shut down to complete...than when I restarted windows again, it seemed Safe Mode came up for a brief moment, than logon was normal EXCEPT while it was loading, the black Command Prompt window appeared, than disappeared.

Just thought this may all be helpful

Julia
 
Not a problem Julia, I had a feeling they would be gone, if you have finished all instructions you could, then reboot the computer a couple of times, watch for any issues to tell me about. If you get any error message, write them down and post them word for word. Then post a new HJT log so I can take a look.

Thanks
 
OK Phil...I rebooted the comp, 3 times...the first and third reboot, went to the safe mode start up, had my operating system highlighted, than started normally...there were NO other issues or error messages.

(there is one thing I have been meaning to ask/tell you/even tho u asked me to save questions til we are finished, this 'maybe' important. When I bought this comp (built-not new) the guy told me NOT to do microsoft updates because I don't have a legal copy of windows XP and that the comp could be compromised if I did so... I haven't updated, but feel I should of been doing so, especially because of these infections)

Here is the NEW HJT Log
________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:59 AM, on 12/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Lexmark 2500 Series\lxddmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe

--
End of file - 5844 bytes
 
When I bought this comp (built-not new) the guy told me NOT to do microsoft updates because I don't have a legal copy of windows
Click to expand...
Whoops...I think I am glad we got as far as we did before you told me that, I would not know looking at your HJT log:
Platform: Windows XP SP2
This guy has not done you a favor by selling you a machine with an illegal copy of Windows, see this:
http://forums.spybot.info/showpost.php?p=25290&postcount=4
If you do not have a legitimate copy of Windows please rectify.
Aside from the legalities, there is little point in cleaning a system that will be re-infected almost immediately.
Click to expand...
Note: We do not support the use of illegal Pirated/Warez/Cracked software.
Helping a person who insists on using such software, could be construed in the eyes of the law to be aiding and abetting a crime. Therefore you will be asked to remove any cracked programs and in the case of your operating system, to obtain a valid licensed copy.
Click to expand...
Not only has he commited a crime, he has involved you in criminal activitie.

My suggestion would be to contact Microsoft to find out how you can pay to get the copy of Windows valided, or consider purchasing your own copy of Windows or Vista that is legal. Another option would be (especially now when prices are very low) a new Desktop or Laptop.

Wish I could help you more, good luck and Happy Holidays:santa:

Phil
 
Not only has he commited a crime, he has involved you in criminal activitie.
Click to expand...

Am I going to be in legal trouble? :sad:

My suggestion would be to contact Microsoft to find out how you can pay to get the copy of Windows valided, or consider purchasing your own copy of Windows or Vista that is legal. Another option would be (especially now when prices are very low) a new Desktop or Laptop.
Click to expand...

I wish it was that easy for me right now, I haven't even been able to get my kids anything for Christmas *sighs* and doubt if Christmas happens this year in my house...we have quite a few legal issues in front of us (husband and I) and having a working comp is a MUST... when the motherboard on my first comp fried, I went to a so called 'tech' he sold me a piece of JUNK, and was supposed to give me back things I had stored on my first comp, including my Legal Copy of XP...maybe I should go enquire with him again, to get back what is rightfully mine.
I have faith and believe in time, ALL will work out.

Thanks Phil for all of your time and help. :) I truly appreciate it

Sincerely
Julia

Julia
 
Status
Not open for further replies.
Back
Top