VIRUS ALERT! Start programs gone, etc. Vundo related [RESOLVED]


#1 Rkocour (New Member, 3 posts)
Hi, I currently got infected with the Vundo virus, and I believe I have been able to remove it using SUPERAntiSpyware. However, I still have some problems and could really use some help. My time has "VIRUS ALERT!" next to it. My Start menu has been gutted: I have no Computer, no Search, no Run, no Control Panel, and no Programs link on the Start menu. My taskbar has also been disabled. Please, some help would really be appreciated. Here is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38: VIRUS ALERT!, on 7/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...ls/en/x86/client/muweb_site.cab?1214863695109
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: evgratsm - {626A872C-32A2-444C-B893-EBA30E19F70D} - C:\WINDOWS\evgratsm.dll (file missing)
O21 - SSODL: kvxqmtre - {03769C42-2705-435B-8C74-C10BB796DE3B} - C:\WINDOWS\kvxqmtre.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9086 bytes
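The lines a helper picks out of the log above are the two O21 SSODL entries (eight-letter random names, DLLs expected directly in C:\WINDOWS, and already missing), the O6 policy-restrictions entry, and the O20 AppInit_DLLs list, which must be accounted for because each DLL is injected into every process that loads user32. As an added example that is not part of the thread or of HijackThis, this Python script parses the HijackThis line format and rates those three entry types; the sample log is constructed from a handful of the posted lines, and the "ExampleShellObj" entry with its all-zero CLSID is a made-up benign control.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample modelled on the HijackThis log in the post above (not the full log).
# The "ExampleShellObj" line and its zero CLSID are a made-up benign control entry.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\guard32.dll
O21 - SSODL: evgratsm - {626A872C-32A2-444C-B893-EBA30E19F70D} - C:\WINDOWS\evgratsm.dll (file missing)
O21 - SSODL: kvxqmtre - {03769C42-2705-435B-8C74-C10BB796DE3B} - C:\WINDOWS\kvxqmtre.dll (file missing)
O21 - SSODL: ExampleShellObj - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\ExampleShellObj.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Every HijackThis entry is "<section code> - <body>", e.g. "O21 - SSODL: ...".
LINE_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
SSODL_RE = re.compile(
    r"^SSODL: (?P<name>\S+) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# Eight lowercase letters: the shape of the two names in the posted log.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


@dataclass
class Finding:
    code: str
    severity: str  # "high", "medium" or "info"
    detail: str


def in_windows_root(path: str) -> bool:
    """True when the file sits directly in the Windows directory, not in a subfolder."""
    directory = path.rpartition("\\")[0]
    return directory.upper() in ("C:\\WINDOWS", "C:\\WINNT")


def triage_ssodl(body: str) -> Optional[Finding]:
    """O21 ShellServiceObjectDelayLoad entries: Explorer loads these at every logon."""
    m = SSODL_RE.match(body)
    if not m:
        return None
    stem = m["path"].rpartition("\\")[2].rsplit(".", 1)[0]
    reasons = []
    if RANDOM_NAME_RE.match(m["name"]) and m["name"] == stem:
        reasons.append("random-looking name reused as the DLL name")
    if in_windows_root(m["path"]):
        reasons.append("DLL loaded from the Windows root directory")
    if m["missing"]:
        reasons.append("file missing (orphaned registry entry)")
    if not reasons:
        return None
    severity = "high" if len(reasons) >= 2 else "medium"
    return Finding("O21", severity, m["name"] + ": " + "; ".join(reasons))


def triage_appinit(body: str) -> Optional[Finding]:
    """O20 AppInit_DLLs: each DLL listed is mapped into every process that loads user32."""
    if not body.startswith("AppInit_DLLs:"):
        return None
    dlls = body.split(":", 1)[1].split()
    if not dlls:
        return None
    return Finding("O20", "info", "account for every AppInit DLL: " + ", ".join(dlls))


def triage_restrictions(body: str) -> Optional[Finding]:
    """O6 policy restrictions: legitimate only when an administrator set them deliberately."""
    if "Restrictions present" not in body:
        return None
    return Finding("O6", "medium", "IE policy restrictions are set: " + body)


HANDLERS: Dict[str, Callable[[str], Optional[Finding]]] = {
    "O6": triage_restrictions,
    "O20": triage_appinit,
    "O21": triage_ssodl,
}


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the entries that deserve a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header lines, blank lines, the process list
        handler = HANDLERS.get(m["code"])
        if handler is None:
            continue  # sections this example does not rate
        finding = handler(m["body"])
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code}: {f.detail}")
```

Run against the sample it reports the O6 line, the two AppInit DLLs, and both SSODL orphans as high, while the benign control entry in system32 produces nothing.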

#2 Mike (Malware Monger, Retired Staff, 2,745 posts)
Hi there,

Open notepad, go to format and uncheck "word wrap" otherwise the logs become unreadable.

I'll need you to temporarily disable TeaTimer.

SPYBOT TEATIMER

* Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
* On the left-hand side, click on Tools, then click on the Resident icon in the list.
* Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
* Click on the "System Startup" icon in the list.
* Uncheck the "TeaTimer" box and "OK" any prompts.
* If TeaTimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
* Exit Spybot S&D when done.
* (When we are done, you can re-enable TeaTimer using the same steps, but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)

Now,

Please go here to install the Recovery Console and for a guide on using ComboFix.
Please note: installing the Recovery Console plays a vital part in making this process of cleaning your computer safe; don't overlook this!

Now please download ComboFix from here or here. It is important that you save this file to your desktop.

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.
When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.

A quick heads-up: if you click on ComboFix's window while it is running, you may cause it to stall.

#3 Rkocour (Topic Starter, New Member, 3 posts)
Thanks so much for the reply. I did the ComboFix and it looks like everything is back to normal, though how do I switch my clock from military to regular AM/PM time?

Here are my logs:

Thanks so much for the help, again really.

ComboFix 08-07-14.2 - Robby Kocour 2008-07-15 17:41:04.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1326 [GMT -5:00]
Running from: C:\Documents and Settings\Robby Kocour\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Robby Kocour\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\epeb.exe

.
((((((((((((((((((((((((( Files Created from 2008-06-15 to 2008-07-15 )))))))))))))))))))))))))))))))
.

2008-07-15 01:39 . 2008-07-15 01:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-15 00:51 . 2008-07-15 00:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-15 00:51 . 2008-07-15 01:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-15 00:50 . 2008-07-15 00:50 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-15 00:50 . 2008-07-15 00:50 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-15 00:50 . 2008-07-15 00:50 <DIR> d-------- C:\Documents and Settings\Robby Kocour\Application Data\SUPERAntiSpyware.com
2008-07-15 00:50 . 2008-07-15 00:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-15 00:49 . 2008-07-15 00:49 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-15 00:41 . 2008-07-15 00:41 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-07-15 00:41 . 2008-07-15 00:41 <DIR> d-------- C:\Documents and Settings\Robby Kocour\Application Data\PC Tools
2008-07-15 00:41 . 2008-07-15 00:44 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-15 00:41 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-07-15 00:41 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-07-15 00:41 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-07-15 00:41 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-07-15 00:40 . 2008-07-15 00:40 <DIR> d-------- C:\Program Files\Norton Security Scan
2008-07-15 00:39 . 2008-07-15 00:39 <DIR> d-------- C:\Program Files\Google
2008-07-15 00:39 . 2008-07-15 01:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-15 00:19 . 2008-06-30 21:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-07-15 00:19 . 2008-07-15 00:56 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-14 23:57 . 2008-07-14 23:57 <DIR> d-------- C:\VundoFix Backups
2008-07-14 23:43 . 2008-07-14 17:43 163,840 --a------ C:\WINDOWS\agpqlrfm.exe
2008-07-14 22:25 . 2008-07-14 22:25 0 --a------ C:\WINDOWS\QuickInstall.INI
2008-07-14 22:05 . 2008-07-14 22:05 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-07-14 21:11 . 2008-07-14 21:11 <DIR> d-------- C:\Program Files\Audacity
2008-07-13 18:01 . 2008-07-13 18:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HotSync
2008-07-13 18:01 . 2008-07-13 17:57 53,248 --a------ C:\WINDOWS\PalmDevC.dll
2008-07-13 17:59 . 2008-07-14 17:11 <DIR> d-------- C:\Program Files\palmOne
2008-07-13 17:58 . 2008-07-13 17:58 <DIR> d-------- C:\Documents and Settings\Robby Kocour\Application Data\HotSync
2008-07-13 17:57 . 2008-07-13 17:57 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-07-11 04:37 . 2008-07-11 04:37 <DIR> d-------- C:\Program Files\FOSTER
2008-07-11 04:37 . 2006-12-08 02:52 <DIR> d-------- C:\Paradise Heights 1
2008-07-10 02:02 . 2008-07-10 02:02 14 --a------ C:\autoimbue.dat
2008-07-10 00:09 . 2008-07-10 01:19 <DIR> d-------- C:\Sierra
2008-07-09 17:20 . 2008-07-09 17:20 <DIR> d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-07-09 17:20 . 2008-07-09 17:20 <DIR> d-------- C:\Program Files\SmartFTP Client
2008-07-09 17:20 . 2008-07-09 17:20 <DIR> d-------- C:\Documents and Settings\Robby Kocour\Application Data\SmartFTP
2008-07-09 01:13 . 2008-07-09 01:13 <DIR> d-------- C:\Program Files\Microsoft Reader
2008-07-09 01:13 . 2008-07-14 02:29 <DIR> d-------- C:\Program Files\ABC Amber LIT Converter
2008-07-09 01:13 . 2003-06-05 17:15 57,436 --a------ C:\WINDOWS\DASShp.dll
2008-07-08 21:05 . 2002-12-29 01:14 81,920 --a------ C:\WINDOWS\system32\Startup.cpl
2008-07-08 02:20 . 2008-07-14 22:30 <DIR> d-------- C:\azureus
2008-07-08 02:06 . 2008-07-08 02:06 <DIR> d-------- C:\Documents and Settings\Robby Kocour\Application Data\vlc
2008-07-06 22:10 . 2008-07-15 14:52 <DIR> d-------- C:\Documents and Settings\Robby Kocour\Application Data\OpenOffice.org2
2008-07-06 21:11 . 2008-07-06 21:12 <DIR> d-------- C:\Program Files\Hero Editor
2008-07-06 21:11 . 2008-07-06 21:11 249,856 --------- C:\WINDOWS\Setup1.exe
2008-07-06 21:11 . 2008-07-06 21:11 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-07-06 20:47 . 2008-07-10 02:05 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-07-06 20:38 . 2008-07-06 20:38 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2008-07-06 20:38 . 2008-07-06 20:47 36,140 --a------ C:\WINDOWS\DIIUnin.dat
2008-07-06 20:38 . 2008-07-06 20:38 2,829 --a------ C:\WINDOWS\DIIUnin.pif
2008-07-06 20:32 . 2008-07-10 02:05 <DIR> d-------- C:\Program Files\Diablo II
2008-07-02 00:56 . 2008-07-02 00:56 <DIR> d-------- C:\Documents and Settings\Robby Kocour\Application Data\cYo
2008-07-01 20:33 . 2008-07-14 23:59 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-01 12:26 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-07-01 12:26 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-07-01 03:35 . 2008-07-01 03:35 <DIR> d-------- C:\Documents and Settings\Robby Kocour\Application Data\DivX
2008-07-01 03:35 . 2008-06-10 19:07 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-07-01 03:35 . 2008-06-10 19:07 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2008-07-01 03:35 . 2008-06-10 19:07 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2008-07-01 03:35 . 2008-06-10 19:07 43,528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-07-01 03:35 . 2008-06-10 19:07 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-07-01 03:35 . 2008-06-10 19:07 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-07-01 03:34 . 2008-07-01 03:35 <DIR> d-------- C:\Program Files\DivX
2008-07-01 02:00 . 2008-07-01 02:00 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-07-01 01:20 . 2008-07-15 00:18 <DIR> d-------- C:\Documents and Settings\Robby Kocour\Application Data\Azureus
2008-07-01 01:20 . 2008-07-01 01:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-07-01 01:19 . 2008-07-01 03:20 <DIR> d-------- C:\Documents and Settings\Robby Kocour\Application Data\DeepBurner
2008-06-30 22:59 . 2008-06-30 22:59 <DIR> d-------- C:\Documents and Settings\Robby Kocour\Incomplete
2008-06-30 22:49 . 2008-07-01 01:25 <DIR> d-------- C:\Documents and Settings\Robby Kocour\Application Data\FrostWire
2008-06-30 22:09 . 2008-06-30 22:09 <DIR> d-------- C:\Documents and Settings\Robby Kocour\Application Data\CyberLink
2008-06-30 22:09 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-06-30 22:04 . 2008-06-30 22:04 <DIR> d-------- C:\Program Files\CyberLink
2008-06-30 22:04 . 2007-03-02 14:33 1,047,552 --a------ C:\WINDOWS\system32\MFC71u.dll
2008-06-30 21:57 . 2008-07-08 01:36 <DIR> d-------- C:\Program Files\Steam
2008-06-30 21:56 . 2008-06-30 21:57 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-06-30 21:53 . 2008-06-30 21:53 <DIR> d-------- C:\Documents and Settings\Robby Kocour\Application Data\DAEMON Tools
2008-06-30 21:53 . 2008-06-30 21:53 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-06-30 21:52 . 2008-06-30 21:52 <DIR> d-------- C:\Program Files\CCleaner
2008-06-30 21:51 . 2008-06-30 21:51 <DIR> d-------- C:\Program Files\VideoLAN
2008-06-30 21:49 . 2008-07-01 18:02 <DIR> d-------- C:\Program Files\Vuze
2008-06-30 21:48 . 2008-06-30 21:48 <DIR> d-------- C:\Program Files\iTunes
2008-06-30 21:48 . 2008-06-30 21:48 <DIR> d-------- C:\Program Files\iPod
2008-06-30 21:48 . 2008-06-30 21:48 <DIR> d-------- C:\Program Files\Bonjour
2008-06-30 21:48 . 2008-06-30 21:48 <DIR> d-------- C:\Documents and Settings\Robby Kocour\Application Data\Apple Computer
2008-06-30 21:47 . 2008-06-30 21:48 <DIR> d-------- C:\Program Files\QuickTime
2008-06-30 21:47 . 2008-06-30 21:47 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-06-30 21:47 . 2008-06-30 21:47 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-30 21:47 . 2008-06-30 21:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-30 21:47 . 2008-06-30 21:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-30 21:46 . 2008-06-30 21:46 <DIR> d-------- C:\Program Files\Astonsoft
2008-06-30 21:45 . 2008-06-30 22:49 <DIR> d-------- C:\Program Files\FrostWire
2008-06-30 21:44 . 2008-06-30 21:44 <DIR> d-------- C:\Program Files\ComicRack
2008-06-30 21:36 . 2008-07-15 00:35 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-06-30 21:36 . 2008-07-15 00:30 <DIR> d-------- C:\Documents and Settings\Robby Kocour\Application Data\Spyware Terminator
2008-06-30 21:36 . 2008-07-15 00:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-06-30 21:36 . 2008-06-30 21:36 141,312 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-06-30 21:32 . 2008-06-30 21:32 <DIR> d-------- C:\Program Files\COMODO
2008-06-30 21:32 . 2008-06-30 21:32 <DIR> d-------- C:\Documents and Settings\Robby Kocour\Application Data\Comodo
2008-06-30 21:32 . 2008-06-30 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-06-30 21:32 . 2008-06-30 21:32 143,104 --a------ C:\WINDOWS\system32\guard32.dll
2008-06-30 21:32 . 2008-06-30 21:32 87,056 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-06-30 21:32 . 2008-06-30 21:32 24,208 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-06-30 21:30 . 2008-07-15 17:47 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-30 21:30 . 2008-06-30 21:30 <DIR> d-------- C:\Program Files\AVG
2008-06-30 21:30 . 2008-06-30 21:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-30 21:30 . 2008-07-05 00:09 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-30 21:30 . 2008-07-05 00:09 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-30 21:30 . 2008-07-05 00:09 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-30 21:27 . 2008-06-30 21:27 <DIR> d-------- C:\Program Files\OpenOffice.org 2.4
2008-06-30 21:26 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-30 21:11 . 2008-06-30 21:11 <DIR> d-------- C:\Documents and Settings\Robby Kocour\Application Data\Intel
2008-06-30 21:11 . 2008-06-30 21:11 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Intel
2008-06-30 21:11 . 2008-06-30 21:11 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Intel
2008-06-30 21:10 . 2008-06-30 21:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intel
2008-06-30 21:10 . 2007-08-27 11:12 2,777,088 --a------ C:\WINDOWS\system32\NETw4r32.dll
2008-06-30 21:10 . 2007-09-26 06:01 2,236,032 --a------ C:\WINDOWS\system32\drivers\NETw4x32.sys
2008-06-30 21:10 . 2007-08-27 11:12 745,472 --a------ C:\WINDOWS\system32\NETw4c32.dll
2008-06-30 21:10 . 2008-06-30 21:10 376,832 --a------ C:\WINDOWS\system32\AegisI5Installer.exe
2008-06-30 21:10 . 2008-06-30 21:10 21,361 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-06-30 21:10 . 2008-06-30 21:10 21,361 --a------ C:\WINDOWS\AegisP.sys
2008-06-30 21:10 . 2008-06-30 21:10 13,984 --a------ C:\WINDOWS\AegisP.inf
2008-06-30 21:10 . 2008-06-30 21:10 10,640 --a------ C:\WINDOWS\AegisP.cat
2008-06-30 21:03 . 2008-06-30 21:03 <DIR> d-------- C:\Documents and Settings\Robby Kocour\Application Data\InstallShield
2008-06-30 21:03 . 2005-08-12 17:50 16,128 --a------ C:\WINDOWS\system32\drivers\APPDRV.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-13 22:57 16,694 ----a-w C:\WINDOWS\system32\drivers\PalmUSBD.sys
2008-06-30 20:54 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 12:48 761947]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 18:10 1392640]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-08-01 22:44 8470528]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-08-01 22:44 81920]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-05-14 14:23 1191936]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 14:18 995328]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 14:13 1101824]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-05 00:09 1232152]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-06-30 21:32 1655552]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-06-30 21:36 1817600]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 11:56 124200]
"nwiz"="nwiz.exe" [2007-08-01 22:44 1626112 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-06-30 16:50:08 24576]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:27:34 471040]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"C:\\Program Files\\Vuze\\Azureus.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-05 00:09]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-06-30 21:32]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-06-30 21:32]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-06-30 21:36]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-05 00:09]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-05 00:09]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-05 00:09]

.
Contents of the 'Scheduled Tasks' folder
"2008-07-15 05:40:10 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
- - - - ORPHANS REMOVED - - - -

SSODL-evgratsm-{626A872C-32A2-444C-B893-EBA30E19F70D} - C:\WINDOWS\evgratsm.dll
SSODL-kvxqmtre-{03769C42-2705-435B-8C74-C10BB796DE3B} - C:\WINDOWS\kvxqmtre.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 17:45:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\TEMP\398ced2c-fcce-460b-a2db-268d32a944e0.tmp 0 bytes
C:\WINDOWS\TEMP\6512b28c-be17-41a4-b827-0849caa9513c.tmp 0 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-07-15 17:49:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-15 22:49:25

Pre-Run: 51,306,729,472 bytes free
Post-Run: 51,225,751,552 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

249 --- E O F --- 2008-07-09 02:53:34


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:25, on 7/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1214863695109
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8357 bytes
  • 0
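As an added example, not part of this thread, here is a small Python triage script for the HijackThis log format posted above. It parses O4 autostart and O23 service lines and flags entries worth a manual look: executables sitting directly in C:\WINDOWS (where the malicious files in this thread lived) and services with no vendor string (such as the COMODO helper here, which is benign but unattributed). The [agpqlrfm] Run entry in the sample is hypothetical, constructed to exercise the check; it is not from the posted log.

```python
import re

# Constructed sample: lines from the posted log plus one hypothetical [agpqlrfm] entry (not in the log) for the file the helper asked to delete.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - HKLM\..\Run: [agpqlrfm] C:\WINDOWS\agpqlrfm.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

O4_REG = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O4_STARTUP = re.compile(r'^O4 - Global Startup: (?P<name>.*?) = (?P<cmd>.*)$')
O23_SVC = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$')
WINDOWS_ROOT = re.compile(r'^[A-Z]:\\WINDOWS\\(?P<file>[^\\]+)$', re.IGNORECASE)
KNOWN_IN_ROOT = {'explorer.exe', 'notepad.exe', 'regedit.exe'}  # legitimately live in C:\WINDOWS

def extract_exe(cmd):
    """Return the file an O4 command actually loads: quoted path, bare path, or the DLL behind rundll32."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    if cmd.upper().startswith('RUNDLL32.EXE '):
        return cmd[len('RUNDLL32.EXE '):].split(',', 1)[0].strip()
    m = re.match(r'(.*?\.(?:exe|dll|scr|cpl))', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(' ', 1)[0]

def parse_hijackthis(text):
    """Parse O4 (autostart) and O23 (service) lines into uniform records; other sections are skipped."""
    entries = []
    for line in text.splitlines():
        if m := O4_REG.match(line):
            entries.append({'kind': 'run', 'name': m['name'], 'owner': '', 'path': extract_exe(m['cmd'])})
        elif m := O4_STARTUP.match(line):
            entries.append({'kind': 'startup', 'name': m['name'], 'owner': '', 'path': m['cmd'].strip()})
        elif m := O23_SVC.match(line):
            entries.append({'kind': 'service', 'name': m['name'], 'owner': m['owner'], 'path': m['path']})
    return entries

def triage(entry):
    """Heuristic notes for one entry; an empty list means nothing stood out (not proof of cleanliness)."""
    notes = []
    if entry['kind'] == 'service' and entry['owner'] == 'Unknown owner':
        notes.append('no vendor string on the service binary; verify it manually')
    root = WINDOWS_ROOT.match(entry['path'])
    if root and root['file'].lower() not in KNOWN_IN_ROOT:
        notes.append('executable dropped directly in the Windows directory, like the files removed in this thread')
    return notes
```

Run `triage(e)` over `parse_hijackthis(SAMPLE_LOG)`; only the hypothetical agpqlrfm entry and the unattributed COMODO service produce notes.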

#4
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there,


We will re-set your clock afterwards :)

Delete this file,

C:\WINDOWS\agpqlrfm.exe

You may need to do so in safe mode (reboot your PC and press f8 to enter, choose the option safe mode from the boot menu)

You may need to show hidden files, which you can do by following the instructions found here.

Now,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Then,


Download the latest version of Java Runtime Environment (JRE) 6 Update 7. Once done, uninstall any older versions of Java through add or remove programs.

Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

  • 0

#5
Rkocour

Rkocour

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Malwarebytes found nothing

Kaspersky found 1 thing

here is the log

thank you again

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, July 16, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, July 16, 2008 23:25:38
Records in database: 960988
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 48007
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:25:55


File name / Threat name / Threats count
C:\QooBox\Quarantine\C\WINDOWS\epeb.exe.vir Infected: Trojan.Win32.Vapsup.ihs 1

The selected area was scanned.
  • 0

#6
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there your logs look clean :)

Click START then RUN
Now type Combofix /u in the runbox and click OK
Notice the space between the x and / -- That needs to be there.

&

Now please download OTCleanIt.
  • Save it to your desktop.
  • Double Click on OTCleanIt.exe, a window will appear.
  • Please press the CleanUp! Button.
This will remove the tools we used during the process of cleaning your computer.

If the above didn't reset your clock just do the following:


In Control Panel, double-click Regional Options.
In Regional Options, click Customize.
Click the Time tab.
Change Time format to hh:mm:ss tt for a 12-hour clock.
Press apply and click ok.

Now that you are clean, you'll want to stay that way.

Some important things that you should keep in mind in order to protect yourself:
  • Use common sense. This is the big one! Don't download programs from suspicious sites and be careful where you browse.
    Things you can do to avoid downloading bad programs:
    • Google the program. Read reviews and opinions from other people on the internet; if you don't see any reports of foul play, then there more than likely is none.
    • Stay away from Cracks! However luring the thought of free software can be it's not worth the hassle and potential danger of getting infected.
    • Download the program directly from the website of the developer - then you can be certain you haven't downloaded a bogus copy.
    • Read the EULA (End User License Agreement) - Find out exactly what you are downloading. A good tool to aid you in this would be EULAyzer.
  • Keep your programs updated! Software such as JAVA update their programs to patch possible security risks. Do a scan once in a while for outdated programs using Secunia's Software Inspector
  • Keep your protection programs up to date! No matter how good your Antivirus or Antispyware program is, without an updated set of definitions it will do you no good against the new infections. If you run a free program make sure to update them at least once a week.
  • Make sure that windows updates is enabled. Keeping your system up to date is a must - to turn on automatic updates take a look at this article by Microsoft.
I have listed two programs to boost your security while using no resources.
  • SpywareBlaster Take a look at the tutorial here.
  • ZonedOut Adds thousands of websites to your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Also consider using an alternative web browser. Two big named ones, both far superior to Internet Explorer in terms of security and performance, would be Firefox and Opera.

Make a habit of scanning your computer for viruses every week or so and backing up important files regularly.

Please also read Expert Tony Klein's excellent article: How I got Infected in the First Place

Please post back and tell me if everything is OK, so that I may mark this thread as Resolved.
  • 0

#7
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
