Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Zlob Infection With Vitumonde


  • This topic is locked This topic is locked
13 replies to this topic

#1 goofy yno

goofy yno

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:47 PM

Posted 17 May 2008 - 09:49 AM

Hi, This is my first post. Let me say as I read through this site, I wish I'd known about it before :) .

Also, I know very little about computers, enough to get by, and probably enough to get myself in trouble.

so I was infected with the Zlob trojan and along with it Vitumonde and smith something or other. the computer first showed the security pop ups then I lost all the icons, toolbars and had the blue screen.

I got to the task manager, got to your site and used the advise to remove the smith thing, which seem to work. screen was back to normal. but it was then I found the Zlob. My avg progam said it removed it. then the spybot kept finding the Vitumonde.
as per instructions I downloaded DDS. I also ran Vundofix (still there) and Vitumundobegone- still there.

HELP!! :thumbsup:

Here is the HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:29:28 AM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Maxtor\Sync\MaxSync.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Documents and Settings\The Gettleman's\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\THEGET~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.azcentral.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {6105DD99-E09B-4977-AD05-3D7E89EF5E2B} - C:\WINDOWS\system32\awtqnkhe.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7DCA366E-9956-4F1B-8BFE-4158BFE7D427} - C:\WINDOWS\system32\qoMeDTll.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {B1420E10-D5D4-4646-8BF0-AF3687394E15} - C:\WINDOWS\system32\geBtSMgE.dll (file missing)
O2 - BHO: (no name) - {E4759D79-86A1-4C30-AAF4-8DFC0F59F4A7} - C:\WINDOWS\system32\ddcBSLCV.dll (file missing)
O2 - BHO: (no name) - {FCF94398-A9A8-476C-A484-D743609149E1} - C:\WINDOWS\system32\efcYSmjK.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [08061830] rundll32.exe "C:\WINDOWS\system32\poqkmuwb.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~2\data\Xtras\mssysmgr.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: HotSync Manager.LNK = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZUzed004MVUS_ZZzer000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O21 - SSODL: vbksrofa - {17E7E075-3864-410F-84F5-FE79E811A0BA} - C:\WINDOWS\vbksrofa.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)

--
End of file - 8539 bytes

-- Files created between 2008-04-17 and 2008-05-17 -----------------------------

2008-05-16 14:42:30 91776 --a------ C:\WINDOWS\system32\poqkmuwb.dll
2008-05-16 14:41:00 0 d-------- C:\Program Files\Trend Micro
2008-05-16 13:12:40 0 d-------- C:\VundoFix Backups
2008-05-16 12:24:28 1246708 --ahs---- C:\WINDOWS\system32\KjmSYcfe.ini2
2008-05-15 15:07:30 91264 -----n--- C:\WINDOWS\system32\pmldmgrp.dll
2008-05-15 14:01:23 1228452 --ahs---- C:\WINDOWS\system32\VCLSBcdd.ini2
2008-05-15 10:39:43 1223169 --ahs---- C:\WINDOWS\system32\EgMStBeg.ini2
2008-05-15 10:29:09 3856 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-15 08:43:01 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-15 08:43:01 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-15 08:43:01 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-15 08:43:01 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-05-15 08:43:01 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-15 08:43:01 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-15 08:43:01 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-15 08:43:01 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-05-15 08:43:01 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-15 08:43:01 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-05-15 08:43:01 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-15 08:43:01 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-05-15 08:43:01 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-15 08:43:01 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-15 08:30:51 69796 --a------ C:\WINDOWS\system32\cbXqNGAR.dll
2008-05-15 05:16:09 91264 -----n--- C:\WINDOWS\system32\naviirdt.dll
2008-05-15 05:00:23 1111293 --ahs---- C:\WINDOWS\system32\llTDeMoq.ini2
2008-05-15 00:14:00 0 d-------- C:\Documents and Settings\The Gettleman's\Application Data\TmpRecentIcons
2008-05-14 23:08:44 90240 -----n--- C:\WINDOWS\system32\yyidfdrr.dll
2008-05-14 23:07:27 1255 --ahs---- C:\WINDOWS\system32\ehknqtwa.ini2
2008-05-14 23:01:33 160256 --a------ C:\WINDOWS\system32\blackster.scr <Not Verified; Peter's Productions; Bugs!>
2008-04-25 15:15:53 0 dr------- C:\Documents and Settings\The Gettleman's\Application Data\Brother
2008-04-23 06:15:52 0 dr-h----- C:\$VAULT$.AVG

BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:47 PM

Posted 17 May 2008 - 12:13 PM

Hello goofy yno,

Welcome to Bleeping Computer :thumbsup:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 goofy yno

goofy yno
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:47 PM

Posted 17 May 2008 - 06:05 PM

Teacup,
Fist let me apologize, I did not think this was a toy. I know on most forums if you post something that has been answered you get flammed. so went I saw a post about what I thought was my problem, I tried the solution given. My bad.

Had this site been down today? because I have been trying to get here without success. I have been able to get to other internet sites.

here is my log:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Seekmo Programs
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\bwumkqop.ini
C:\WINDOWS\system32\EgMStBeg.ini
C:\WINDOWS\system32\EgMStBeg.ini2
C:\WINDOWS\system32\ehknqtwa.ini
C:\WINDOWS\system32\ehknqtwa.ini2
C:\WINDOWS\system32\jfuefqex.ini
C:\WINDOWS\system32\KjmSYcfe.ini
C:\WINDOWS\system32\KjmSYcfe.ini2
C:\WINDOWS\system32\llTDeMoq.ini
C:\WINDOWS\system32\llTDeMoq.ini2
C:\WINDOWS\system32\prgmdlmp.ini
C:\WINDOWS\system32\rrdfdiyy.ini
C:\WINDOWS\system32\tdriivan.ini
C:\WINDOWS\system32\VCLSBcdd.ini
C:\WINDOWS\system32\VCLSBcdd.ini2
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 )))))))))))))))))))))))))))))))
.

2008-05-16 14:42 . 2008-05-16 14:42 91,776 --a------ C:\WINDOWS\system32\poqkmuwb.dll
2008-05-16 14:41 . 2008-05-16 14:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-16 14:38 . 2008-05-16 14:38 <DIR> d-------- C:\Deckard
2008-05-16 13:12 . 2008-05-16 13:12 <DIR> d-------- C:\VundoFix Backups
2008-05-15 15:07 . 2008-05-15 15:07 91,264 --------- C:\WINDOWS\system32\pmldmgrp.dll
2008-05-15 10:36 . 2008-05-15 10:36 7,168 --ahs---- C:\WINDOWS\Thumbs.db
2008-05-15 10:29 . 2008-05-15 10:29 3,856 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-15 08:43 . 2008-05-15 08:43 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-15 08:43 . 2008-05-17 11:05 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-15 08:30 . 2008-05-15 08:30 69,796 --a------ C:\WINDOWS\system32\cbXqNGAR.dll
2008-05-15 05:16 . 2008-05-15 05:16 91,264 --------- C:\WINDOWS\system32\naviirdt.dll
2008-05-15 00:14 . 2008-05-15 00:14 <DIR> d-------- C:\Documents and Settings\The Gettleman's\Application Data\TmpRecentIcons
2008-05-14 23:02 . 2008-05-14 23:02 29,824 --a------ C:\WINDOWS\system32\hgGaxYRj.dll.vir
2008-05-14 23:01 . 2008-05-14 23:01 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-04-25 15:15 . 2008-04-25 15:15 <DIR> dr------- C:\Documents and Settings\The Gettleman's\Application Data\Brother
2008-04-25 15:14 . 2008-04-25 15:15 419 --a------ C:\WINDOWS\BRWMARK.INI
2008-04-25 15:14 . 2008-04-25 15:14 27 --a------ C:\WINDOWS\BRPP2KA.INI
2008-04-23 06:15 . 2008-05-17 11:05 <DIR> dr-h----- C:\$VAULT$.AVG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-16 19:29 --------- d-----w C:\Documents and Settings\The Gettleman's\Application Data\AVG7
2008-05-15 14:46 --------- d-----w C:\Program Files\Multimedia Organizer
2008-05-14 16:09 --------- d-----w C:\Program Files\Microsoft Picture It! PhotoPub
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-26 01:47 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-21 18:12 --------- d-----w C:\Program Files\Palm
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-26 18:47 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2007-12-27 18:22 6,652,928 ----a-w C:\Program Files\winzip111.msi
2004-10-01 22:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6105DD99-E09B-4977-AD05-3D7E89EF5E2B}]
C:\WINDOWS\system32\awtqnkhe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7DCA366E-9956-4F1B-8BFE-4158BFE7D427}]
C:\WINDOWS\system32\qoMeDTll.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1420E10-D5D4-4646-8BF0-AF3687394E15}]
C:\WINDOWS\system32\geBtSMgE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4759D79-86A1-4C30-AAF4-8DFC0F59F4A7}]
C:\WINDOWS\system32\ddcBSLCV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FCF94398-A9A8-476C-A484-D743609149E1}]
C:\WINDOWS\system32\efcYSmjK.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 12:00 200704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Walgreens PhotoShow Media Manager"="C:\PROGRA~1\WALGRE~1\WALGRE~2\data\Xtras\mssysmgr.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 16:44 679936]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2000-08-08 13:00 24576]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2000-08-08 13:00 311350]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-08-08 13:00 28739]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 17:35 32768]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45 257088]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 00:56 143360]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-07-13 15:01 169264]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-16 15:54 579584]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"08061830"="C:\WINDOWS\system32\poqkmuwb.dll" [2008-05-16 14:42 91776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [ ]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-26 12:01 219136]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-31 16:14 171448]

C:\Documents and Settings\The Gettleman's\Start Menu\Programs\Startup\
HotSync Manager.LNK - C:\Program Files\Palm\HOTSYNC.EXE [2003-09-25 10:47:12 299008]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Dataviz Messenger.lnk - C:\WINDOWS\DvzCommon\DvzMsgr.exe [2003-07-01 21:16:46 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-08-08 13:00:00 65588]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-08-08 13:00:00 24633]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vbksrofa"= {17E7E075-3864-410F-84F5-FE79E811A0BA} - C:\WINDOWS\vbksrofa.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Palm\\HOTSYNC.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R2 Maxtor Sync Service;Maxtor Service;"C:\Program Files\Maxtor\Sync\SyncServices.exe" [2007-07-13 15:02]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 22:29]
R3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2006-01-19 05:44]
R3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2006-01-19 10:17]
S2 Ca533av;Icatch(IV) Video Camera Device;C:\WINDOWS\system32\Drivers\Ca533av.sys []
S3 HPUATA;HP CD Writer Plus Controller Driver;C:\WINDOWS\system32\DRIVERS\HPUATA.sys [2000-06-29 06:11]
S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk533.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-17 08:21:25 C:\WINDOWS\Tasks\User_Feed_Synchronization-{541D4C37-ED67-47C2-B54E-B747C8611AD8}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-17 11:10:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Maxtor\Sync\MaxSync.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-05-17 11:16:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-17 18:16:14

Pre-Run: 9,417,109,504 bytes free
Post-Run: 9,488,969,728 bytes free

171 --- E O F --- 2008-05-14 17:01:21

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:47 PM

Posted 17 May 2008 - 07:45 PM

Hello,

Silly you....you tattled on yourself! I don't see any place where you said you already ran it. That warning is for the ones that think they know what ComboFix is all about, and not knowing how powerful it is, and ultimately ruining their computer. Then they come running to us wondering what happened.

Could you please post me a new HijackThis log? :thumbsup: How is it running?

Thanks,
tea

P.S. ~ Yes, the site was down. It wasn't just you.

Edited by teacup61, 17 May 2008 - 07:46 PM.

Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 goofy yno

goofy yno
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:47 PM

Posted 18 May 2008 - 12:16 AM

Ah man. I saw I hadn't post the HJT log and thought I posted it before I left this evening. sorry. :thumbsup:
seems to be running better except that spybot keeps coming up with Vitumonde, and I had one new window open up a unknown internet site.
BTW, thanks for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:48 PM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Maxtor\Sync\MaxSync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.azcentral.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6105DD99-E09B-4977-AD05-3D7E89EF5E2B} - C:\WINDOWS\system32\awtqnkhe.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7DCA366E-9956-4F1B-8BFE-4158BFE7D427} - C:\WINDOWS\system32\qoMeDTll.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {B1420E10-D5D4-4646-8BF0-AF3687394E15} - C:\WINDOWS\system32\geBtSMgE.dll (file missing)
O2 - BHO: (no name) - {E4759D79-86A1-4C30-AAF4-8DFC0F59F4A7} - C:\WINDOWS\system32\ddcBSLCV.dll (file missing)
O2 - BHO: (no name) - {FCF94398-A9A8-476C-A484-D743609149E1} - C:\WINDOWS\system32\efcYSmjK.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [08061830] rundll32.exe "C:\WINDOWS\system32\poqkmuwb.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~2\data\Xtras\mssysmgr.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: HotSync Manager.LNK = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZUzed004MVUS_ZZzer000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O21 - SSODL: vbksrofa - {17E7E075-3864-410F-84F5-FE79E811A0BA} - C:\WINDOWS\vbksrofa.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8702 bytes

#6 goofy yno

goofy yno
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:47 PM

Posted 18 May 2008 - 11:30 AM

Ops, Lost the icons and tool bars after internet got stuck. I still have my background though.

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:47 PM

Posted 18 May 2008 - 11:58 AM

You're welcome. :)

What do you mean by your internet got stuck? :thumbsup: Yes, there are still entries/orphans present, so Spybot should be picking these up. It's doing its job. :thumbsup:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {6105DD99-E09B-4977-AD05-3D7E89EF5E2B} - C:\WINDOWS\system32\awtqnkhe.dll (file missing)
O2 - BHO: (no name) - {7DCA366E-9956-4F1B-8BFE-4158BFE7D427} - C:\WINDOWS\system32\qoMeDTll.dll (file missing)
O2 - BHO: (no name) - {B1420E10-D5D4-4646-8BF0-AF3687394E15} - C:\WINDOWS\system32\geBtSMgE.dll (file missing)
O2 - BHO: (no name) - {E4759D79-86A1-4C30-AAF4-8DFC0F59F4A7} - C:\WINDOWS\system32\ddcBSLCV.dll (file missing)
O2 - BHO: (no name) - {FCF94398-A9A8-476C-A484-D743609149E1} - C:\WINDOWS\system32\efcYSmjK.dll (file missing)
O4 - HKLM\..\Run: [08061830] rundll32.exe "C:\WINDOWS\system32\poqkmuwb.dll",b
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - ?p=ZUzed004MVUS_ZZzer000
O21 - SSODL: vbksrofa - {17E7E075-3864-410F-84F5-FE79E811A0BA} - C:\WINDOWS\vbksrofa.dll (file missing)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\system32\hgGaxYRj.dll.vir
C:\WINDOWS\system32\naviirdt.dll
C:\WINDOWS\system32\cbXqNGAR.dll
C:\WINDOWS\system32\pmldmgrp.dll
C:\WINDOWS\system32\poqkmuwb.dll
C:\WINDOWS\system32\awtqnkhe.dll
C:\WINDOWS\system32\qoMeDTll.dll
C:\WINDOWS\system32\geBtSMgE.dll
C:\WINDOWS\system32\ddcBSLCV.dll
C:\WINDOWS\system32\efcYSmjK.dll

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6105DD99-E09B-4977-AD05-3D7E89EF5E2B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7DCA366E-9956-4F1B-8BFE-4158BFE7D427}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1420E10-D5D4-4646-8BF0-AF3687394E15}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4759D79-86A1-4C30-AAF4-8DFC0F59F4A7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FCF94398-A9A8-476C-A484-D743609149E1}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vbksrofa"=-


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#8 goofy yno

goofy yno
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:47 PM

Posted 18 May 2008 - 12:38 PM

OK, I think you are the coolest!! :thumbsup:

here are the logs-

Do I need to do anything else? and why does the big red warning worry me? do I need to install something?


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\awtqnkhe.dll
C:\WINDOWS\system32\cbXqNGAR.dll
C:\WINDOWS\system32\ddcBSLCV.dll
C:\WINDOWS\system32\efcYSmjK.dll
C:\WINDOWS\system32\geBtSMgE.dll
C:\WINDOWS\system32\hgGaxYRj.dll.vir
C:\WINDOWS\system32\naviirdt.dll
C:\WINDOWS\system32\pmldmgrp.dll
C:\WINDOWS\system32\poqkmuwb.dll
C:\WINDOWS\system32\qoMeDTll.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\WINDOWS\system32\bwumkqop.ini
C:\WINDOWS\system32\cbXqNGAR.dll
C:\WINDOWS\system32\hgGaxYRj.dll.vir
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\naviirdt.dll
C:\WINDOWS\system32\pmldmgrp.dll
C:\WINDOWS\system32\poqkmuwb.dll
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
.

2008-05-16 14:41 . 2008-05-16 14:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-16 14:38 . 2008-05-16 14:38 <DIR> d-------- C:\Deckard
2008-05-15 10:36 . 2008-05-15 10:36 7,168 --ahs---- C:\WINDOWS\Thumbs.db
2008-05-15 10:29 . 2008-05-15 10:29 3,856 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-15 08:43 . 2008-05-15 08:43 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-15 08:43 . 2008-05-18 10:02 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-15 00:14 . 2008-05-15 00:14 <DIR> d-------- C:\Documents and Settings\The Gettleman's\Application Data\TmpRecentIcons
2008-05-14 23:01 . 2008-05-14 23:01 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-04-25 15:15 . 2008-04-25 15:15 <DIR> dr------- C:\Documents and Settings\The Gettleman's\Application Data\Brother
2008-04-25 15:14 . 2008-04-25 15:15 419 --a------ C:\WINDOWS\BRWMARK.INI
2008-04-25 15:14 . 2008-04-25 15:14 27 --a------ C:\WINDOWS\BRPP2KA.INI
2008-04-23 06:15 . 2008-05-17 11:05 <DIR> dr-h----- C:\$VAULT$.AVG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-16 19:29 --------- d-----w C:\Documents and Settings\The Gettleman's\Application Data\AVG7
2008-05-15 14:46 --------- d-----w C:\Program Files\Multimedia Organizer
2008-05-14 16:09 --------- d-----w C:\Program Files\Microsoft Picture It! PhotoPub
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-26 01:47 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-21 18:12 --------- d-----w C:\Program Files\Palm
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-26 18:47 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2007-12-27 18:22 6,652,928 ----a-w C:\Program Files\winzip111.msi
2004-10-01 22:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot@2008-05-17_11.16.01.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-17 18:09:26 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-18 17:20:15 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-06 05:56:20 19,836,024 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 12:00 200704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Walgreens PhotoShow Media Manager"="C:\PROGRA~1\WALGRE~1\WALGRE~2\data\Xtras\mssysmgr.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 16:44 679936]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2000-08-08 13:00 24576]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2000-08-08 13:00 311350]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-08-08 13:00 28739]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 17:35 32768]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45 257088]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 00:56 143360]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-07-13 15:01 169264]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-16 15:54 579584]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [ ]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-26 12:01 219136]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-31 16:14 171448]

C:\Documents and Settings\The Gettleman's\Start Menu\Programs\Startup\
HotSync Manager.LNK - C:\Program Files\Palm\HOTSYNC.EXE [2003-09-25 10:47:12 299008]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Dataviz Messenger.lnk - C:\WINDOWS\DvzCommon\DvzMsgr.exe [2003-07-01 21:16:46 24576]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-08-08 13:00:00 24633]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Palm\\HOTSYNC.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R2 Maxtor Sync Service;Maxtor Service;"C:\Program Files\Maxtor\Sync\SyncServices.exe" [2007-07-13 15:02]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 22:29]
R3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2006-01-19 05:44]
R3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2006-01-19 10:17]
S2 Ca533av;Icatch(IV) Video Camera Device;C:\WINDOWS\system32\Drivers\Ca533av.sys []
S3 HPUATA;HP CD Writer Plus Controller Driver;C:\WINDOWS\system32\DRIVERS\HPUATA.sys [2000-06-29 06:11]
S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk533.sys []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-18 09:06:15 C:\WINDOWS\Tasks\User_Feed_Synchronization-{541D4C37-ED67-47C2-B54E-B747C8611AD8}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 10:27:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-18 10:31:27
ComboFix-quarantined-files.txt 2008-05-18 17:30:31
ComboFix2.txt 2008-05-17 18:16:18

Pre-Run: 9,381,965,824 bytes free



HJT:
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Maxtor\Sync\MaxSync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.azcentral.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~2\data\Xtras\mssysmgr.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: HotSync Manager.LNK = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7651 bytes

Post-Run: 9,418,076,160 bytes free

146 --- E O F --- 2008-05-18 17:02:07

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:47 PM

Posted 18 May 2008 - 12:57 PM

Hi there,

Ops, Lost the icons and tool bars after internet got stuck.

Is this still the case?

The warning is for this, and I leave it to you to decide if you want to do it. :thumbsup:

You should now install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware. If you use Windows XP and have a Windows CD, then you can follow the instructions found in the tutorial listed below.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#10 goofy yno

goofy yno
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:47 PM

Posted 18 May 2008 - 04:07 PM

Must be my ADHD thing, but I missed that the first time I read it. It had been installed.

One last (I think?!) question. as I run spybot, I watch the programs being scanned on the bottom and it FREAK ME OUT!! :thumbsup: It still scans lot of bad programs, ZLOB, Vitumondo, smithfraus, lots of spy this and that, fake alert programs, etc. It said I was free of malware, so I assume these are all fixed or quarenteened programs? true.


Thanks for all you help. I will make a donation to show my appreciation.

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:47 PM

Posted 18 May 2008 - 05:14 PM

Hi there,

What you see at the bottom as Spybot is scanning are all the rogues and spyware that it's looking for, not what it found. :thumbsup: Ask all the questions you like.....how else will you ever know the answer?

Thank you. I got it. :)

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

If there are no further problems:

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

You should definitely maintain a firewall. Some good free firewalls are Kerio, or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Take care!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#12 goofy yno

goofy yno
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:47 PM

Posted 18 May 2008 - 05:42 PM

Thanks,
I have done all of the above.

I hope never to need your service again, but it is comforting to know were to go if a problem arises.

actually, before I go I have another question. This may be beyond what you can accomplish via a web site, but it never hurts to ask. I my office I have a network with 2 servers, 10 tablet on wireless, a dozen or so work stations. we have two external Internet data banks we exchange info with constantly. we are having all kind of trouble with loosing Microsoft licences, which is being blamed on problems with Microsoft sequel server. My IT guys keep trying to fix the problem without success- ( I am very leery with IT people having had 3 of the last four which I caught causing problem so only they could fix them.) It is a medical office. Like I said, it is probably beyond what our situation allows, but I thought I'd ask.

#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:47 PM

Posted 18 May 2008 - 07:02 PM

Hello,

Please see my PM to you. I'm sorry I couldn't do more. :thumbsup:

Take care, and thank you!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:47 PM

Posted 20 May 2008 - 12:02 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users