Spambot.g And A Trojan Downloader Help Please


  • This topic is locked
16 replies to this topic

#1 mreasyrider

  • Members
  • 58 posts
  • Local time:11:43 PM

Posted 10 September 2008 - 08:33 PM

I have got spambot.g and a trojan downloader that has gotten the best of me trying to fix it. AVG finds them at every scan and the machine has slowed to a crawl. Here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:16:19, on 9/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar4.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [PP3100b] C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - S-1-5-18 Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe (User 'Default user')
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup151.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: addpin - addpin.dll (file missing)
O20 - Winlogon Notify: wlctrl32 - WLCtrl32.dll (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Computer Browser BrowserImapiService (BrowserImapiService) - Unknown owner - C:\WINDOWS\system32\1041l.exe (file missing)
O23 - Service: Microsoft DDE+ server (d85d5991) - Unknown owner - C:\WINDOWS\system32\.d85d5991\d85d5991.exe (file missing)
O23 - Service: Event Log EventlogNetlogon (EventlogNetlogon) - Unknown owner - C:\WINDOWS\system32\dhcpv.exe (file missing)
O23 - Service: Event Log EventlogWebClient (EventlogWebClient) - Unknown owner - C:\WINDOWS\system32\smsk437.exe (file missing)
O23 - Service: Fast User Switching Compatibility FastUserSwitchingCompatibilityWmiApSrvSharedAccess (FastUserSwitchingCompatibilityWmiApSrvSharedAccess) - Unknown owner - C:\WINDOWS\system32\SFWIUDLLx.exe (file missing)
O23 - Service: Googles Onlines Search Services - Unknown owner - C:\WINDOWS\system32\wnslogan.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Smart Card SCardSvrEventlogWebClient (SCardSvrEventlogWebClient) - Unknown owner - C:\WINDOWS\system32\kdcome.exe (file missing)
O23 - Service: System Restore Service srserviceClipSrv (srserviceClipSrv) - Unknown owner - C:\WINDOWS\system32\hpzcon09x.exe (file missing)
O23 - Service: System Restore Service srservicelanmanserver (srservicelanmanserver) - Unknown owner - C:\WINDOWS\system32\winso.exe (file missing)
O23 - Service: MS Software Shadow Copy Provider SwPrvAudioSrv (SwPrvAudioSrv) - Unknown owner - C:\WINDOWS\system32\lz32c.exe (file missing)
O23 - Service: Universal Plug and Play Device Host upnphostsrservicelanmanserver (upnphostsrservicelanmanserver) - Unknown owner - C:\WINDOWS\system32\olesvr32u.exe (file missing)
O23 - Service: Uninterruptible Power Supply UPSRasMan (UPSRasMan) - Unknown owner - C:\WINDOWS\system32\wbemu.exe (file missing)
O23 - Service: Winkbqu - Unknown owner - C:\WINDOWS\System32\Winkbqu.exe (file missing)
O23 - Service: WMI Performance Adapter WmiApSrvSharedAccess (WmiApSrvSharedAccess) - Unknown owner - C:\WINDOWS\system32\dllcachei.exe (file missing)
O23 - Service: Automatic Updates wuauservFastUserSwitchingCompatibility (wuauservFastUserSwitchingCompatibility) - Unknown owner - C:\WINDOWS\system32\usmtt.exe (file missing)
O24 - Desktop Component 2: (no name) - http://autohobbypage.com/show/03/belv/pic034.jpg
O24 - Desktop Component 4: (no name) - http://i11.ebayimg.com/02/i/02/ab/6d/0b_1.JPG
O24 - Desktop Component 6: (no name) - http://www.forsalebyowner.com/propgfx/20218697-1.jpg

--
End of file - 5760 bytes


PS: This morning AVG reported that there is now a trojan called Rootkit-Agent.AV.

Pasted in log from topic in Misplaced Forum that OP had linked to instead of posting log. ~ OB

Edited by mreasyrider, 11 September 2008 - 05:21 AM.
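Reading lines like these is the triage the helpers here do by eye. As an added example (my code, not a BleepingComputer or HijackThis tool), the Python below parses O4 Run and O23 Service lines from the log above and flags what stands out in it: services with an unknown owner and a missing binary, service names glued together from real XP service names, and autoruns from TEMP or a service profile whose file name imitates a system process. The known-service and system-process lists and the 0.85 similarity threshold are my assumptions.

```python
# Triage helper for HijackThis O4 (Run) and O23 (Service) lines; added example, not a BleepingComputer tool.
import difflib
import re
from typing import List, Optional

# Legitimate Windows XP service short names (assumed list). The bogus services
# in the log above are built by gluing two or three of these together.
KNOWN_SERVICE_NAMES = [
    "Browser", "ImapiService", "Eventlog", "Netlogon", "WebClient", "SCardSvr",
    "FastUserSwitchingCompatibility", "WmiApSrv", "SharedAccess", "srservice",
    "ClipSrv", "lanmanserver", "SwPrv", "AudioSrv", "upnphost", "UPS", "RasMan",
    "wuauserv",
]
SYSTEM_PROCESSES = [  # core binaries whose names malware imitates (assumed list)
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe", "ctfmon.exe"]
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<key>[^\]]+)\] "
                       r"(?P<cmd>.+?)(?: \(User '(?P<user>[^']*)'\))?$")

# Sample lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Event Log EventlogNetlogon (EventlogNetlogon) - Unknown owner - C:\WINDOWS\system32\dhcpv.exe (file missing)
O23 - Service: Googles Onlines Search Services - Unknown owner - C:\WINDOWS\system32\wnslogan.exe (file missing)
O23 - Service: Universal Plug and Play Device Host upnphostsrservicelanmanserver (upnphostsrservicelanmanserver) - Unknown owner - C:\WINDOWS\system32\olesvr32u.exe (file missing)
"""

def decompose_service_name(name: str) -> Optional[List[str]]:
    """Split name into two or more known service names (case-insensitive), else None."""
    target = name.lower()

    def walk(pos: int) -> Optional[List[str]]:
        if pos == len(target):
            return []
        for part in KNOWN_SERVICE_NAMES:
            if target.startswith(part.lower(), pos):
                tail = walk(pos + len(part))
                if tail is not None:
                    return [part] + tail
        return None

    pieces = walk(0)
    return pieces if pieces and len(pieces) >= 2 else None

def triage_o23(line: str) -> List[str]:
    """Reasons an O23 line 'Display (short) - Owner - Path [(file missing)]' deserves a look."""
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return []
    rest, missing = line[len(prefix):], line.endswith(" (file missing)")
    if missing:
        rest = rest[: -len(" (file missing)")]
    parts = rest.split(" - ")  # display - owner - path (the path may itself contain " - ")
    if len(parts) < 3:
        return []
    m = re.match(r"^.* \(([^()]+)\)$", parts[0])  # the short name is optional in HJT output
    short = m.group(1) if m else ""
    reasons = []
    if parts[1] == "Unknown owner":
        reasons.append("unknown owner")
    if missing:
        reasons.append("binary missing")
    pieces = decompose_service_name(short)
    if pieces:
        reasons.append("name glues together real services: " + " + ".join(pieces))
    return reasons

def triage_o4(line: str) -> List[str]:
    """Reasons an O4 Run entry deserves a closer look; an empty list means nothing odd."""
    m = O4_RUN_RE.match(line)
    if not m:
        return []
    low = m.group("cmd").strip('"').lower()
    reasons = []
    if "\\temp\\" in low or "\\localservice\\" in low:
        reasons.append("autorun from a temp or service-profile directory")
    if "\\drivers\\" in low and low.endswith(".exe"):
        reasons.append("an .exe living in the drivers directory")
    base = low.rsplit("\\", 1)[-1]  # file name; look-alikes of system binaries score >= 0.85
    for proc in SYSTEM_PROCESSES:
        if base != proc and difflib.SequenceMatcher(None, base, proc).ratio() >= 0.85:
            reasons.append(f"file name mimics {proc}")
            break
    if reasons and m.group("user") == "SYSTEM":
        reasons.append("runs in the SYSTEM context")
    return reasons

def triage_log(text: str) -> list:
    """(line, reasons) for every O4/O23 line of an HJT log that raised a flag."""
    flagged = []
    for line in text.splitlines():
        reasons = triage_o4(line) or triage_o23(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged
```

Run `triage_log(SAMPLE_LOG)` to see the six lines from the log above that the helpers later had ComboFix remove; legitimate AVG entries come back clean.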



#2 mreasyrider
  • Topic Starter

  • Members
  • 58 posts
  • Local time:11:43 PM

Posted 22 September 2008 - 07:39 PM

No help? :thumbsup:

#3 mreasyrider
  • Topic Starter

  • Members
  • 58 posts
  • Local time:11:43 PM

Posted 22 September 2008 - 08:30 PM

Tonight I connected the machine to the internet. I watched as AVG scanned 4591 messages on the outbound of Outlook Express. I guess the spambot is hiding somewhere that I can't identify. Here is the HJT log from this evening when I connected the machine again. I really need help to figure this spam thing out guys.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:35 PM, on 9/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar4.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [PP3100b] C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - S-1-5-18 Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe (User 'Default user')
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup151.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: addpin - addpin.dll (file missing)
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Computer Browser BrowserImapiService (BrowserImapiService) - Unknown owner - C:\WINDOWS\system32\1041l.exe (file missing)
O23 - Service: Microsoft DDE+ server (d85d5991) - Unknown owner - C:\WINDOWS\system32\.d85d5991\d85d5991.exe (file missing)
O23 - Service: Event Log EventlogNetlogon (EventlogNetlogon) - Unknown owner - C:\WINDOWS\system32\dhcpv.exe (file missing)
O23 - Service: Event Log EventlogWebClient (EventlogWebClient) - Unknown owner - C:\WINDOWS\system32\smsk437.exe (file missing)
O23 - Service: Fast User Switching Compatibility FastUserSwitchingCompatibilityWmiApSrvSharedAccess (FastUserSwitchingCompatibilityWmiApSrvSharedAccess) - Unknown owner - C:\WINDOWS\system32\SFWIUDLLx.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Smart Card SCardSvrEventlogWebClient (SCardSvrEventlogWebClient) - Unknown owner - C:\WINDOWS\system32\kdcome.exe (file missing)
O23 - Service: System Restore Service srserviceClipSrv (srserviceClipSrv) - Unknown owner - C:\WINDOWS\system32\hpzcon09x.exe (file missing)
O23 - Service: System Restore Service srservicelanmanserver (srservicelanmanserver) - Unknown owner - C:\WINDOWS\system32\winso.exe (file missing)
O23 - Service: MS Software Shadow Copy Provider SwPrvAudioSrv (SwPrvAudioSrv) - Unknown owner - C:\WINDOWS\system32\lz32c.exe (file missing)
O23 - Service: Universal Plug and Play Device Host upnphostsrservicelanmanserver (upnphostsrservicelanmanserver) - Unknown owner - C:\WINDOWS\system32\olesvr32u.exe (file missing)
O23 - Service: Uninterruptible Power Supply UPSRasMan (UPSRasMan) - Unknown owner - C:\WINDOWS\system32\wbemu.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: Winkbqu - Unknown owner - C:\WINDOWS\System32\Winkbqu.exe (file missing)
O23 - Service: WMI Performance Adapter WmiApSrvSharedAccess (WmiApSrvSharedAccess) - Unknown owner - C:\WINDOWS\system32\dllcachei.exe (file missing)
O23 - Service: Automatic Updates wuauservFastUserSwitchingCompatibility (wuauservFastUserSwitchingCompatibility) - Unknown owner - C:\WINDOWS\system32\usmtt.exe (file missing)
O24 - Desktop Component 2: (no name) - http://autohobbypage.com/show/03/belv/pic034.jpg
O24 - Desktop Component 4: (no name) - http://i11.ebayimg.com/02/i/02/ab/6d/0b_1.JPG
O24 - Desktop Component 6: (no name) - http://www.forsalebyowner.com/propgfx/20218697-1.jpg

--
End of file - 6020 bytes

#4 Grinler

    Lawrence Abrams


  • Admin
  • 43,388 posts
  • Gender:Male
  • Location:USA
  • Local time:12:43 AM

Posted 25 September 2008 - 09:42 AM

I apologize for the very long delay. We have a huge backlog of HijackThis Logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please reply to this topic stating that you still need help and I will work with you on resolving your computer problems. If your problem has been resolved, please post a reply letting us know so we can close your topic.

Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, feel free to create a new one.

Once again, I apologize for the delay in responding to this topic.

#5 mreasyrider
  • Topic Starter

  • Members
  • 58 posts
  • Local time:11:43 PM

Posted 25 September 2008 - 10:02 AM

:thumbsup: I have NOT resolved this thing. As I said in a previous post, the thing started sending emails and AVG let them through. There were over 4900 messages that went out and I am sure they were all spam. Comcast closed port 25 on me because of this varmint.

Edited by mreasyrider, 25 September 2008 - 10:12 AM.


#6 Grinler

    Lawrence Abrams


  • Admin
  • 43,388 posts
  • Gender:Male
  • Location:USA
  • Local time:12:43 AM

Posted 25 September 2008 - 10:06 AM

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When following the instructions please install the Windows XP Recovery Console if you are using XP.

After running ComboFix, please post the ComboFix log as well as a brand new HijackThis as a reply to this topic.

#7 mreasyrider
  • Topic Starter

  • Members
  • 58 posts
  • Local time:11:43 PM

Posted 25 September 2008 - 10:15 AM

I am at work but I will do this just as soon as I get home this afternoon. THANKS for all the help.

#8 mreasyrider
  • Topic Starter

  • Members
  • 58 posts
  • Local time:11:43 PM

Posted 25 September 2008 - 06:59 PM

Here is the ComboFix log:

ComboFix 08-09-25.03 - John 2008-09-25 18:28:42.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.68 [GMT -5:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\test.txt
c:\windows\system32\Drivers\Lqu83.sys
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\w32apiw.dll
C:\WINDOWS\system32\WLCtrl32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BROWSERIMAPISERVICE
-------\Legacy_EVENTLOGNETLOGON
-------\Legacy_FASTUSERSWITCHINGCOMPATIBILITYWMIAPSRVSHAREDACCESS
-------\Legacy_LQU83
-------\Legacy_SCARDSVREVENTLOGWEBCLIENT
-------\Legacy_SRSERVICECLIPSRV
-------\Legacy_SWPRVAUDIOSRV
-------\Legacy_UPNPHOSTSRSERVICELANMANSERVER
-------\Legacy_UPSRASMAN
-------\Legacy_WMIAPSRVSHAREDACCESS
-------\Legacy_WUAUSERVFASTUSERSWITCHINGCOMPATIBILITY
-------\Service_BrowserImapiService
-------\Service_EventlogNetlogon
-------\Service_FastUserSwitchingCompatibilityWmiApSrvSharedAccess
-------\Service_Lqu83
-------\Service_SCardSvrEventlogWebClient
-------\Service_srserviceClipSrv
-------\Service_SwPrvAudioSrv
-------\Service_upnphostsrservicelanmanserver
-------\Service_UPSRasMan
-------\Service_WmiApSrvSharedAccess
-------\Service_wuauservFastUserSwitchingCompatibility


((((((((((((((((((((((((( Files Created from 2008-08-25 to 2008-09-25 )))))))))))))))))))))))))))))))
.

2008-09-23 19:12 . 2008-09-23 19:12 <DIR> d-------- C:\Program Files\CCleaner
2008-09-12 05:47 . 2008-09-12 05:47 <DIR> d--hs---- C:\FOUND.002
2008-09-11 23:57 . 2008-09-12 00:11 1,736 --a------ C:\WINDOWS\SetupPestPatrolCorporate.mif
2008-09-11 23:28 . 2008-09-11 23:28 <DIR> d-------- C:\Program Files\CA
2008-09-11 23:24 . 2008-09-11 23:24 58 --a------ C:\WINDOWS\PestPatrol.ini
2008-09-11 20:58 . 2008-09-11 20:59 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-11 20:58 . 2008-09-11 20:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-11 19:23 . 2008-09-25 18:36 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-09-11 19:23 . 2008-09-25 18:36 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-09-11 19:20 . 2008-09-11 19:20 137 --a------ C:\WINDOWS\system32\MRT.INI
2008-09-11 06:05 . 2008-09-11 06:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-09-11 06:04 . 2008-09-11 06:17 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-09-11 06:02 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-09-11 06:02 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-09-11 05:58 . 2008-09-11 05:58 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-09-11 05:58 . 2008-09-11 05:58 <DIR> d-------- C:\Program Files\Zone Labs
2008-09-11 05:58 . 2008-07-09 09:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-09-11 05:58 . 2008-09-25 18:39 352,918 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-09-11 05:56 . 2008-09-11 05:56 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-09-09 19:06 . 2008-09-09 19:06 <DIR> d--hs---- C:\FOUND.001
2008-09-09 06:02 . 2008-09-09 06:02 <DIR> d--hs---- C:\FOUND.000
2008-09-09 05:14 . 2008-09-09 05:14 <DIR> d-------- C:\e82a51fe190d7695fc
2008-09-08 23:32 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-09-08 23:31 . 2008-05-01 09:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-09-08 22:49 . 2008-09-08 22:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-08 21:02 . 2008-09-08 21:02 <DIR> d--h----- C:\$AVG8.VAULT$
2008-09-08 20:58 . 2008-09-08 20:58 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-09-08 20:58 . 2008-09-08 20:58 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-09-08 20:57 . 2008-09-08 20:57 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-09-08 20:57 . 2008-09-08 20:57 <DIR> d-------- C:\Program Files\AVG
2008-09-08 20:57 . 2008-09-08 20:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-09-08 20:57 . 2008-09-08 20:57 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-09-08 20:19 . 2008-09-09 19:08 1,696 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-08 19:44 . 2008-09-08 19:44 <DIR> d-------- C:\Program Files\NKProds
2008-09-08 19:44 . 2008-09-08 19:44 <DIR> d-------- C:\Documents and Settings\John\Application Data\nCleaner
2008-09-08 19:15 . 2008-09-08 19:15 <DIR> d-------- C:\VundoFix Backups
2008-09-08 18:40 . 2008-09-08 18:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-08 18:40 . 2008-09-08 18:40 <DIR> d-------- C:\Documents and Settings\John\Application Data\Malwarebytes
2008-09-08 18:40 . 2008-09-08 18:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-08 18:40 . 2008-09-08 00:11 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-08 18:40 . 2008-09-08 00:11 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-12 01:05 16,384 ----a-w C:\WINDOWS\system32\drivers\a3751b42.sys
2008-09-12 01:05 1,326,592 ------w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2005-06-21 02:32 340 ----a-w C:\Program Files\imaginfo.pe4
2005-06-21 02:32 2,197 ----a-w C:\Program Files\imageiio.pe4
2003-01-24 22:27 99,186 ---ha-w C:\Program Files\Paprport.GID
2001-10-16 13:10 61,440 ----a-w C:\WINDOWS\inf\i386\onetUSD.dll
2001-10-02 13:58 36,864 ----a-w C:\WINDOWS\inf\i386\Wiamicro.dll
2001-09-28 13:00 139,264 ----a-w C:\WINDOWS\inf\i386\Rtscan.dll
2001-09-27 13:11 167,936 ----a-w C:\WINDOWS\inf\i386\viceo.dll
2001-08-10 15:51 96,768 ----a-w C:\Program Files\PPnt10.exe
2001-08-10 15:51 96,256 ----a-w C:\Program Files\ppnt97.exe
2001-08-10 15:51 96,256 ----a-w C:\Program Files\ppnt2000.exe
2001-08-10 15:51 91,648 ----a-w C:\Program Files\VTPWRA.EXE
2001-08-10 15:51 504,832 ----a-w C:\Program Files\appres.dll
2001-08-10 15:51 227,840 ----a-w C:\Program Files\ViewerJP.exe
2001-08-10 15:51 227,840 ----a-w C:\Program Files\MAXVIEW.EXE
2001-08-10 15:51 218,624 ----a-w C:\Program Files\ViewerJ.exe
2001-08-10 15:51 142,336 ----a-w C:\Program Files\WEBPub.EXE
2001-08-10 15:51 142,336 ----a-w C:\Program Files\AOLPub.exe
2001-08-10 15:50 40,960 ----a-w C:\Program Files\PPWEBCAP.EXE
2001-08-10 15:50 38,400 ----a-w C:\Program Files\VIZREG.EXE
2001-08-10 15:50 199,680 ----a-w C:\Program Files\Viewer.exe
2001-08-10 15:50 111,616 ----a-w C:\Program Files\Uninstal.exe
2001-08-10 15:50 1,181,184 ----a-w C:\Program Files\Pppagevw.exe
2001-08-10 15:49 9,728 ----a-w C:\Program Files\INITWAIN.EXE
2001-08-10 15:49 89,088 ----a-w C:\Program Files\Ppocrmg.exe
2001-08-10 15:49 84,480 ----a-w C:\Program Files\PPSCANMG.EXE
2001-08-10 15:49 82,432 ----a-w C:\Program Files\PPPRINT.EXE
2001-08-10 15:49 71,168 ----a-w C:\Program Files\Pplinks.exe
2001-08-10 15:49 307,200 ----a-w C:\Program Files\Paprport.exe
2001-08-10 15:49 26,624 ----a-w C:\Program Files\Pptd40nt.exe
2001-08-10 15:49 144,896 ----a-w C:\Program Files\SSINDEXR.EXE
2001-08-10 15:49 123,904 ----a-w C:\Program Files\Register.exe
2001-08-10 15:48 98,816 ----a-w C:\Program Files\Maxpdf.flt
2001-08-10 15:48 8,192 ----a-w C:\Program Files\Maxawd.flt
2001-08-10 15:48 76,288 ----a-w C:\Program Files\Maxnhnd.ann
2001-08-10 15:48 54,784 ----a-w C:\Program Files\Maxntxt.ann
2001-08-10 15:48 49,664 ----a-w C:\Program Files\Maxnhlt.ann
2001-08-10 15:48 36,864 ----a-w C:\Program Files\MAXFIX.EXE
2001-08-10 15:48 33,792 ----a-w C:\Program Files\Maxnbmp.ann
2001-08-10 15:48 25,600 ----a-w C:\Program Files\PPDEBUG.EXE
2001-08-10 15:48 20,480 ----a-w C:\Program Files\Maxfilt.flt
2001-08-10 15:04 524,315 ----a-w C:\Program Files\PP7Readme.rtf
2000-04-25 16:16 25,600 ----a-w C:\Program Files\Ptdntins.exe
2000-04-12 16:11 86 ----a-w C:\Program Files\VizSupp.url
2000-04-10 16:03 957,663 ----a-w C:\Program Files\Paprport.hlp
2000-04-07 17:16 434,691 ----a-w C:\Program Files\UKsupport.rtf
2000-03-31 22:41 11,152,043 ----a-w C:\Program Files\FORMTYP.HLP
2000-03-31 22:37 42,522 ----a-w C:\Program Files\WEBPUB.HLP
2000-03-31 22:33 125,516 ----a-w C:\Program Files\Support.rtf
2000-03-31 21:54 16,914 ----a-w C:\Program Files\paprport.cnt
2000-03-31 17:54 9,226 ----a-w C:\Program Files\scan200.hlp
2000-01-05 18:03 321 ----a-w C:\Program Files\VizReg.ini
2000-01-05 18:02 49 ----a-w C:\Program Files\VizUses.url
2000-01-05 18:02 49 ----a-w C:\Program Files\VizOutlt.url
2000-01-05 18:02 49 ----a-w C:\Program Files\VizHome.url
2000-01-05 18:01 556 ----a-w C:\Program Files\PIPELINE.INI
2000-01-05 18:01 54,272 ----a-w C:\Program Files\IQTAPI.DLL
2000-01-05 18:01 48,128 ----a-w C:\Program Files\WFTP32.DLL
2000-01-05 18:01 30,720 ----a-w C:\Program Files\INT32.DLL
2000-01-05 18:01 23,552 ----a-w C:\Program Files\SYSNPR32.DLL
2000-01-05 18:01 2,921 ----a-w C:\Program Files\MAILFRMV.CTL
2000-01-05 18:01 2,851 ----a-w C:\Program Files\MAILFRMI.CTL
2000-01-05 18:01 2,692 ----a-w C:\Program Files\REGPRNTV.CTL
2000-01-05 18:01 2,626 ----a-w C:\Program Files\REGPRNTI.CTL
2000-01-05 18:01 19,456 ----a-w C:\Program Files\PHONE32.DLL
2000-01-05 18:01 182,784 ----a-w C:\Program Files\PLINE32.DLL
2000-01-05 17:58 36,352 ----a-w C:\Program Files\MAXLINK.DLL
2000-01-05 17:57 59,904 ----a-w C:\Program Files\ppnt95.exe
2000-01-05 17:57 217 ----a-w C:\Program Files\AOLPUB.CNT
2000-01-05 17:57 15,834 ----a-w C:\Program Files\AOLPUB.HLP
2000-01-05 17:57 10,240 ----a-w C:\Program Files\THUMB.DLL
2000-01-05 17:56 77,824 ----a-w C:\Program Files\ascend.exe
2000-01-05 17:55 52,498 ----a-w C:\Program Files\twain.hlp
2000-01-05 17:55 1,756 ----a-w C:\Program Files\WEBPUB.CNT
2000-01-05 17:55 1,114 ----a-w C:\Program Files\FORMTYP.CNT
2000-01-05 17:52 90,112 ----a-w C:\Program Files\MAXPDF.FLX
2000-01-05 17:52 84,992 ----a-w C:\Program Files\Ppspool.dll
2000-01-05 17:52 6,144 ----a-w C:\Program Files\Blicectr.dll
2000-01-05 17:52 51,200 ----a-w C:\Program Files\MAXMAPI.GLK
2000-01-05 17:52 39,936 ----a-w C:\Program Files\TB96LINK.GLK
2000-01-05 17:52 29,456 ----a-w C:\Program Files\VMEFNW16.DLL
2000-01-05 17:52 19,968 ----a-w C:\Program Files\CPUINF32.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-08 1235736]
"PP3100b"="C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe" [1999-04-21 34304]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-22 68856]

C:\Documents and Settings\John\Start Menu\Programs\Startup\
Check for OneTouch Updates.lnk - C:\Program Files\Visioneer OneTouch\WiseUpdt.exe [2003-05-11 166518]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\d85d5991]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tyd26.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus Organizer EasyClip.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lotus Organizer EasyClip.lnk
backup=C:\WINDOWS\pss\Lotus Organizer EasyClip.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Reboot.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Reboot.exe
backup=C:\WINDOWS\pss\Reboot.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
backup=C:\WINDOWS\pss\Symantec Fax Starter Edition Port.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^John^Start Menu^Programs^Startup^Camio Viewer.lnk]
path=C:\Documents and Settings\John\Start Menu\Programs\Startup\Camio Viewer.lnk
backup=C:\WINDOWS\pss\Camio Viewer.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^John^Start Menu^Programs^Startup^Check for OneTouch Updates.lnk]
path=C:\Documents and Settings\John\Start Menu\Programs\Startup\Check for OneTouch Updates.lnk
backup=C:\WINDOWS\pss\Check for OneTouch Updates.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^John^Start Menu^Programs^Startup^reminder-ScanSoft Product Registration.lnk]
path=C:\Documents and Settings\John\Start Menu\Programs\Startup\reminder-ScanSoft Product Registration.lnk
backup=C:\WINDOWS\pss\reminder-ScanSoft Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2003-12-04 07:44 176128 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-08-06 12:03 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
--a------ 2001-10-16 08:08 86016 C:\PROGRA~1\VISION~2\ONETOU~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2001-08-10 10:49 26624 c:\PROGRA~1\Pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPWebCap]
--a------ 2001-08-10 10:50 40960 c:\PROGRA~1\PPWEBCAP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
--a------ 2001-10-04 14:48 173056 C:\WINDOWS\system32\pctspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Canon\\CSCLIB\\CDPROCMN.EXE"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 avgldx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-08 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-08 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-08 231704]
R2 avgtdix;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-09-08 76040]
R3 SiS630;SiS630;C:\WINDOWS\system32\DRIVERS\sis630p.sys [2003-01-23 164608]
S0 SMPLSCSI;SMPLSCSI;C:\WINDOWS\system32\drivers\SMPLSCSI.SYS [1998-04-17 60416]
S0 tyd26;tyd26;C:\WINDOWS\system32\Drivers\Tyd26.sys [ ]
S1 a3751b42;a3751b42;C:\WINDOWS\system32\drivers\a3751b42.sys [2008-09-11 16384]
S2 d85d5991;Microsoft DDE+ server;C:\WINDOWS\system32\.d85d5991\d85d5991.exe [ ]
S2 EventlogWebClient;Event Log EventlogWebClient;C:\WINDOWS\system32\smsk437.exe [ ]
S2 ONSIO;ONSIO;C:\WINDOWS\SYSTEM32\DRIVERS\ONSIO.SYS [ ]
S2 srservicelanmanserver;System Restore Service srservicelanmanserver;C:\WINDOWS\system32\winso.exe [ ]
S2 Winkbqu;Winkbqu;C:\WINDOWS\System32\Winkbqu.exe [ ]
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;C:\WINDOWS\system32\DRIVERS\BrParImg.sys [2001-08-17 3168]
S3 BrParWdm;Brother WDM Parallel Driver;C:\WINDOWS\system32\Drivers\BrParwdm.sys [2001-08-17 39552]
S3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2001-08-17 60416]
S3 SMALUSB;Digital Camera Driver;C:\WINDOWS\system32\DRIVERS\smalidt.sys [2002-05-31 9216]
S4 Pctspk;W2k PCtel speaker phone;C:\WINDOWS\system32\pctspk.exe [2001-10-04 173056]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

Notify-addpin - addpin.dll
MSConfigStartUp-DataCaching - C:\PROGRA~1\DATACA~1\FLashKsk.exe
MSConfigStartUp-HotbarOE - C:\Program Files\Hotbar\bin\10.0.356.0\OEAddOn.exe
MSConfigStartUp-HotbarSA - C:\Program Files\Hotbar\bin\10.0.356.0\HotbarSA.exe
MSConfigStartUp-lphc1qcj0er6c - C:\WINDOWS\system32\lphc1qcj0er6c.exe
MSConfigStartUp-MSMSGS - C:\Program Files\Messenger\msmsgs.exe
MSConfigStartUp-nav agent - C:\PROGRA~1\NORTON~1\navapw32.exe
MSConfigStartUp-s9201 - C:\Documents and Settings\All Users\Application Data\SoftLand Ltd\Antivirus 2008 XP\av2008xp.exe
MSConfigStartUp-smrhc5qcj0er6c - C:\Program Files\rhc5qcj0er6c\rhc5qcj0er6c.exe
MSConfigStartUp-Symantec NetDriver Monitor - C:\PROGRA~1\SYMNET~1\SNDMon.exe
MSConfigStartUp-sysrest32 - C:\WINDOWS\system32\sysrest32.exe
MSConfigStartUp-Microsoft Windows System - dubfsnvf.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-25 18:38:00
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ZONELABS\VSMON.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-09-25 18:44:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-25 23:43:58

Pre-Run: 11,607,670,784 bytes free
Post-Run: 11,630,510,080 bytes free

320 --- E O F --- 2008-09-12 00:21:17

#9 mreasyrider (Topic Starter, Members, 58 posts)

Posted 25 September 2008 - 07:05 PM

Here is the HJT log after ComboFix ran:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:45 PM, on 9/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar4.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [PP3100b] C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - S-1-5-18 Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe (User 'Default user')
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup151.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Microsoft DDE+ server (d85d5991) - Unknown owner - C:\WINDOWS\system32\.d85d5991\d85d5991.exe (file missing)
O23 - Service: Event Log EventlogWebClient (EventlogWebClient) - Unknown owner - C:\WINDOWS\system32\smsk437.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Restore Service srservicelanmanserver (srservicelanmanserver) - Unknown owner - C:\WINDOWS\system32\winso.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: Winkbqu - Unknown owner - C:\WINDOWS\System32\Winkbqu.exe (file missing)
O24 - Desktop Component 2: (no name) - http://autohobbypage.com/show/03/belv/pic034.jpg
O24 - Desktop Component 4: (no name) - http://i11.ebayimg.com/02/i/02/ab/6d/0b_1.JPG
O24 - Desktop Component 6: (no name) - http://www.forsalebyowner.com/propgfx/20218697-1.jpg

--
End of file - 4601 bytes

#10 Grinler (Lawrence Abrams, Admin, 43,388 posts, USA)

Posted 25 September 2008 - 09:49 PM

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\drivers\a3751b42.sys
C:\WINDOWS\system32\Drivers\Tyd26.sys
C:\WINDOWS\system32\drivers\a3751b42.sys
C:\WINDOWS\system32\smsk437.exe
C:\WINDOWS\system32\winso.exe
C:\WINDOWS\System32\Winkbqu.exe

Folder::
C:\WINDOWS\system32\.d85d5991

Driver::
tyd26
a3751b42
d85d5991
EventlogWebClient
srservicelanmanserver
Winkbqu


Save this as the text file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
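Added example (not from the thread, and not ComboFix's or HijackThis's own code): a small Python triage script that applies the same cues the script above is built on, namely O23 services with an "Unknown owner" or a missing binary and ComboFix service entries with no file date/size "[ ]", to lines copied from the logs posted earlier in this thread, then groups the hits into the File::/Folder::/Driver:: sections of a CFScript. The eight-character hex name check is an extra heuristic of mine, not a rule the helper stated.

```python
"""Triage HijackThis O23 lines and ComboFix service lines into a CFScript.

Added example for this thread; it is not part of ComboFix or HijackThis.
"""
import ntpath
import re

# Constructed sample input: lines copied from the logs posted in this thread.
SAMPLE_HJT = [
    r"O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe",
    r"O23 - Service: Microsoft DDE+ server (d85d5991) - Unknown owner - C:\WINDOWS\system32\.d85d5991\d85d5991.exe (file missing)",
    r"O23 - Service: Event Log EventlogWebClient (EventlogWebClient) - Unknown owner - C:\WINDOWS\system32\smsk437.exe (file missing)",
    r"O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe",
    r"O23 - Service: Winkbqu - Unknown owner - C:\WINDOWS\System32\Winkbqu.exe (file missing)",
]
SAMPLE_COMBOFIX = [
    r"R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-08 231704]",
    r"S0 tyd26;tyd26;C:\WINDOWS\system32\Drivers\Tyd26.sys [ ]",
    r"S1 a3751b42;a3751b42;C:\WINDOWS\system32\drivers\a3751b42.sys [2008-09-11 16384]",
    r"S2 srservicelanmanserver;System Restore Service srservicelanmanserver;C:\WINDOWS\system32\winso.exe [ ]",
    r"S2 Winkbqu;Winkbqu;C:\WINDOWS\System32\Winkbqu.exe [ ]",
    r"S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 2944]",
]

# HijackThis O23: "O23 - Service: <display> (<short name>) - <owner> - <path> [(file missing)]"
HJT_O23 = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
SHORT_NAME = re.compile(r"\((?P<name>[^()]+)\)$")
# ComboFix service line: "<start> <name>;<description>;<path> [<date size>]"
CF_SERVICE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?) \[(?P<info>[^\]]*)\]$"
)
# Heuristic (my assumption, not a ComboFix rule): eight lowercase hex digits as a service name.
HEX_NAME = re.compile(r"^[0-9a-f]{8}$")


def triage_hjt_o23(lines):
    """Return (service_name, path, reasons) for each O23 line that looks suspicious."""
    hits = []
    for line in lines:
        m = HJT_O23.match(line.strip())
        if not m:
            continue
        reasons = []
        if m["owner"] == "Unknown owner":
            reasons.append("unknown owner")
        if m["missing"]:
            reasons.append("file missing")
        if reasons:
            short = SHORT_NAME.search(m["display"])
            name = short["name"] if short else m["display"]
            hits.append((name, m["path"], reasons))
    return hits


def triage_combofix_services(lines):
    """Return (service_name, path, reasons) for ComboFix service entries that look suspicious."""
    hits = []
    for line in lines:
        m = CF_SERVICE.match(line.strip())
        if not m:
            continue
        reasons = []
        if not m["info"].strip():  # "[ ]": ComboFix could not read a date/size for the binary
            reasons.append("no file date/size")
        if HEX_NAME.match(m["name"]):
            reasons.append("random-looking name")
        if reasons:
            hits.append((m["name"], m["path"], reasons))
    return hits


def _add(seq, item):
    if item not in seq:
        seq.append(item)


def build_cfscript(hits):
    """Group triage hits into the File::/Folder::/Driver:: sections ComboFix reads."""
    files, folders, drivers = [], [], []
    for name, path, _reasons in hits:
        parent = ntpath.dirname(path)
        # A binary living in its own dot-folder: list the folder, as post #10 did.
        if ntpath.basename(parent).startswith("."):
            _add(folders, parent)
        else:
            _add(files, path)
        _add(drivers, name)
    return {"File": files, "Folder": folders, "Driver": drivers}


def render_cfscript(sections):
    """Render the sections in the plain-text layout a CFScript uses."""
    out = []
    for key in ("File", "Folder", "Driver"):
        if sections[key]:
            out.append(key + "::")
            out.extend(sections[key])
            out.append("")
    return "\n".join(out).rstrip("\n") + "\n"


if __name__ == "__main__":
    all_hits = triage_hjt_o23(SAMPLE_HJT) + triage_combofix_services(SAMPLE_COMBOFIX)
    for name, path, reasons in all_hits:
        print(f"{name}: {path}  ({', '.join(reasons)})")
    print(render_cfscript(build_cfscript(all_hits)))
```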

#11 mreasyrider (Topic Starter, Members, 58 posts)

Posted 26 September 2008 - 06:14 AM

Here is the ComboFix log:

ComboFix 08-09-25.03 - John 2008-09-26 5:51:54.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.76 [GMT -5:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\John\Desktop\cfscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\drivers\a3751b42.sys
C:\WINDOWS\system32\Drivers\Tyd26.sys
C:\WINDOWS\system32\smsk437.exe
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\System32\Winkbqu.exe
C:\WINDOWS\system32\winso.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\.d85d5991
C:\WINDOWS\system32\drivers\a3751b42.sys
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\w32apiw.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_D85D5991
-------\Legacy_EVENTLOGWEBCLIENT
-------\Legacy_SRSERVICELANMANSERVER
-------\Legacy_tyd26
-------\Legacy_WINKBQU
-------\Service_a3751b42
-------\Service_d85d5991
-------\Service_EventlogWebClient
-------\Service_srservicelanmanserver
-------\Service_tyd26
-------\Service_Winkbqu


((((((((((((((((((((((((( Files Created from 2008-08-26 to 2008-09-26 )))))))))))))))))))))))))))))))
.

2008-09-23 19:12 . 2008-09-23 19:12 <DIR> d-------- C:\Program Files\CCleaner
2008-09-12 05:47 . 2008-09-12 05:47 <DIR> d--hs---- C:\FOUND.002
2008-09-11 23:57 . 2008-09-12 00:11 1,736 --a------ C:\WINDOWS\SetupPestPatrolCorporate.mif
2008-09-11 23:28 . 2008-09-11 23:28 <DIR> d-------- C:\Program Files\CA
2008-09-11 23:24 . 2008-09-11 23:24 58 --a------ C:\WINDOWS\PestPatrol.ini
2008-09-11 20:58 . 2008-09-11 20:59 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-11 20:58 . 2008-09-11 20:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-11 19:23 . 2008-09-26 05:58 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-09-11 19:23 . 2008-09-26 05:58 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-09-11 19:20 . 2008-09-11 19:20 137 --a------ C:\WINDOWS\system32\MRT.INI
2008-09-11 06:05 . 2008-09-11 06:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-09-11 06:04 . 2008-09-11 06:17 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-09-11 06:02 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-09-11 06:02 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-09-11 05:58 . 2008-09-11 05:58 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-09-11 05:58 . 2008-09-11 05:58 <DIR> d-------- C:\Program Files\Zone Labs
2008-09-11 05:58 . 2008-07-09 09:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-09-11 05:58 . 2008-09-26 06:02 352,918 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-09-11 05:56 . 2008-09-11 05:56 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-09-09 19:06 . 2008-09-09 19:06 <DIR> d--hs---- C:\FOUND.001
2008-09-09 06:02 . 2008-09-09 06:02 <DIR> d--hs---- C:\FOUND.000
2008-09-09 05:14 . 2008-09-09 05:14 <DIR> d-------- C:\e82a51fe190d7695fc
2008-09-08 23:32 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-09-08 23:31 . 2008-05-01 09:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-09-08 22:49 . 2008-09-08 22:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-08 21:02 . 2008-09-08 21:02 <DIR> d--h----- C:\$AVG8.VAULT$
2008-09-08 20:58 . 2008-09-08 20:58 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-09-08 20:58 . 2008-09-08 20:58 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-09-08 20:57 . 2008-09-08 20:57 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-09-08 20:57 . 2008-09-08 20:57 <DIR> d-------- C:\Program Files\AVG
2008-09-08 20:57 . 2008-09-08 20:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-09-08 20:57 . 2008-09-08 20:57 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-09-08 19:44 . 2008-09-08 19:44 <DIR> d-------- C:\Program Files\NKProds
2008-09-08 19:44 . 2008-09-08 19:44 <DIR> d-------- C:\Documents and Settings\John\Application Data\nCleaner
2008-09-08 19:15 . 2008-09-08 19:15 <DIR> d-------- C:\VundoFix Backups
2008-09-08 18:40 . 2008-09-08 18:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-08 18:40 . 2008-09-08 18:40 <DIR> d-------- C:\Documents and Settings\John\Application Data\Malwarebytes
2008-09-08 18:40 . 2008-09-08 18:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-08 18:40 . 2008-09-08 00:11 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-08 18:40 . 2008-09-08 00:11 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-12 01:05 1,326,592 ------w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2005-06-21 02:32 340 ----a-w C:\Program Files\imaginfo.pe4
2005-06-21 02:32 2,197 ----a-w C:\Program Files\imageiio.pe4
2003-01-24 22:27 99,186 ---ha-w C:\Program Files\Paprport.GID
2001-10-16 13:10 61,440 ----a-w C:\WINDOWS\inf\i386\onetUSD.dll
2001-10-02 13:58 36,864 ----a-w C:\WINDOWS\inf\i386\Wiamicro.dll
2001-09-28 13:00 139,264 ----a-w C:\WINDOWS\inf\i386\Rtscan.dll
2001-09-27 13:11 167,936 ----a-w C:\WINDOWS\inf\i386\viceo.dll
2001-08-10 15:51 96,768 ----a-w C:\Program Files\PPnt10.exe
2001-08-10 15:51 96,256 ----a-w C:\Program Files\ppnt97.exe
2001-08-10 15:51 96,256 ----a-w C:\Program Files\ppnt2000.exe
2001-08-10 15:51 91,648 ----a-w C:\Program Files\VTPWRA.EXE
2001-08-10 15:51 504,832 ----a-w C:\Program Files\appres.dll
2001-08-10 15:51 227,840 ----a-w C:\Program Files\ViewerJP.exe
2001-08-10 15:51 227,840 ----a-w C:\Program Files\MAXVIEW.EXE
2001-08-10 15:51 218,624 ----a-w C:\Program Files\ViewerJ.exe
2001-08-10 15:51 142,336 ----a-w C:\Program Files\WEBPub.EXE
2001-08-10 15:51 142,336 ----a-w C:\Program Files\AOLPub.exe
2001-08-10 15:50 40,960 ----a-w C:\Program Files\PPWEBCAP.EXE
2001-08-10 15:50 38,400 ----a-w C:\Program Files\VIZREG.EXE
2001-08-10 15:50 199,680 ----a-w C:\Program Files\Viewer.exe
2001-08-10 15:50 111,616 ----a-w C:\Program Files\Uninstal.exe
2001-08-10 15:50 1,181,184 ----a-w C:\Program Files\Pppagevw.exe
2001-08-10 15:49 9,728 ----a-w C:\Program Files\INITWAIN.EXE
2001-08-10 15:49 89,088 ----a-w C:\Program Files\Ppocrmg.exe
2001-08-10 15:49 84,480 ----a-w C:\Program Files\PPSCANMG.EXE
2001-08-10 15:49 82,432 ----a-w C:\Program Files\PPPRINT.EXE
2001-08-10 15:49 71,168 ----a-w C:\Program Files\Pplinks.exe
2001-08-10 15:49 307,200 ----a-w C:\Program Files\Paprport.exe
2001-08-10 15:49 26,624 ----a-w C:\Program Files\Pptd40nt.exe
2001-08-10 15:49 144,896 ----a-w C:\Program Files\SSINDEXR.EXE
2001-08-10 15:49 123,904 ----a-w C:\Program Files\Register.exe
2001-08-10 15:48 98,816 ----a-w C:\Program Files\Maxpdf.flt
2001-08-10 15:48 8,192 ----a-w C:\Program Files\Maxawd.flt
2001-08-10 15:48 76,288 ----a-w C:\Program Files\Maxnhnd.ann
2001-08-10 15:48 54,784 ----a-w C:\Program Files\Maxntxt.ann
2001-08-10 15:48 49,664 ----a-w C:\Program Files\Maxnhlt.ann
2001-08-10 15:48 36,864 ----a-w C:\Program Files\MAXFIX.EXE
2001-08-10 15:48 33,792 ----a-w C:\Program Files\Maxnbmp.ann
2001-08-10 15:48 25,600 ----a-w C:\Program Files\PPDEBUG.EXE
2001-08-10 15:48 20,480 ----a-w C:\Program Files\Maxfilt.flt
2001-08-10 15:04 524,315 ----a-w C:\Program Files\PP7Readme.rtf
2000-04-25 16:16 25,600 ----a-w C:\Program Files\Ptdntins.exe
2000-04-12 16:11 86 ----a-w C:\Program Files\VizSupp.url
2000-04-10 16:03 957,663 ----a-w C:\Program Files\Paprport.hlp
2000-04-07 17:16 434,691 ----a-w C:\Program Files\UKsupport.rtf
2000-03-31 22:41 11,152,043 ----a-w C:\Program Files\FORMTYP.HLP
2000-03-31 22:37 42,522 ----a-w C:\Program Files\WEBPUB.HLP
2000-03-31 22:33 125,516 ----a-w C:\Program Files\Support.rtf
2000-03-31 21:54 16,914 ----a-w C:\Program Files\paprport.cnt
2000-03-31 17:54 9,226 ----a-w C:\Program Files\scan200.hlp
2000-01-05 18:03 321 ----a-w C:\Program Files\VizReg.ini
2000-01-05 18:02 49 ----a-w C:\Program Files\VizUses.url
2000-01-05 18:02 49 ----a-w C:\Program Files\VizOutlt.url
2000-01-05 18:02 49 ----a-w C:\Program Files\VizHome.url
2000-01-05 18:01 556 ----a-w C:\Program Files\PIPELINE.INI
2000-01-05 18:01 54,272 ----a-w C:\Program Files\IQTAPI.DLL
2000-01-05 18:01 48,128 ----a-w C:\Program Files\WFTP32.DLL
2000-01-05 18:01 30,720 ----a-w C:\Program Files\INT32.DLL
2000-01-05 18:01 23,552 ----a-w C:\Program Files\SYSNPR32.DLL
2000-01-05 18:01 2,921 ----a-w C:\Program Files\MAILFRMV.CTL
2000-01-05 18:01 2,851 ----a-w C:\Program Files\MAILFRMI.CTL
2000-01-05 18:01 2,692 ----a-w C:\Program Files\REGPRNTV.CTL
2000-01-05 18:01 2,626 ----a-w C:\Program Files\REGPRNTI.CTL
2000-01-05 18:01 19,456 ----a-w C:\Program Files\PHONE32.DLL
2000-01-05 18:01 182,784 ----a-w C:\Program Files\PLINE32.DLL
2000-01-05 17:58 36,352 ----a-w C:\Program Files\MAXLINK.DLL
2000-01-05 17:57 59,904 ----a-w C:\Program Files\ppnt95.exe
2000-01-05 17:57 217 ----a-w C:\Program Files\AOLPUB.CNT
2000-01-05 17:57 15,834 ----a-w C:\Program Files\AOLPUB.HLP
2000-01-05 17:57 10,240 ----a-w C:\Program Files\THUMB.DLL
2000-01-05 17:56 77,824 ----a-w C:\Program Files\ascend.exe
2000-01-05 17:55 52,498 ----a-w C:\Program Files\twain.hlp
2000-01-05 17:55 1,756 ----a-w C:\Program Files\WEBPUB.CNT
2000-01-05 17:55 1,114 ----a-w C:\Program Files\FORMTYP.CNT
2000-01-05 17:52 90,112 ----a-w C:\Program Files\MAXPDF.FLX
2000-01-05 17:52 84,992 ----a-w C:\Program Files\Ppspool.dll
2000-01-05 17:52 6,144 ----a-w C:\Program Files\Blicectr.dll
2000-01-05 17:52 51,200 ----a-w C:\Program Files\MAXMAPI.GLK
2000-01-05 17:52 39,936 ----a-w C:\Program Files\TB96LINK.GLK
2000-01-05 17:52 29,456 ----a-w C:\Program Files\VMEFNW16.DLL
2000-01-05 17:52 19,968 ----a-w C:\Program Files\CPUINF32.DLL
2000-01-05 17:52 167,056 ----a-w C:\Program Files\VIM.DLL
.

((((((((((((((((((((((((((((( snapshot@2008-09-25_18.41.31.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-25 23:38:02 53,248 ----a-w C:\WINDOWS\temp\catchme.dll
+ 2008-09-26 11:00:38 53,248 ----a-w C:\WINDOWS\temp\catchme.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-08 1235736]
"PP3100b"="C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe" [1999-04-21 34304]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-22 68856]

C:\Documents and Settings\John\Start Menu\Programs\Startup\
Check for OneTouch Updates.lnk - C:\Program Files\Visioneer OneTouch\WiseUpdt.exe [2003-05-11 166518]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tyd26.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus Organizer EasyClip.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lotus Organizer EasyClip.lnk
backup=C:\WINDOWS\pss\Lotus Organizer EasyClip.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Reboot.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Reboot.exe
backup=C:\WINDOWS\pss\Reboot.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
backup=C:\WINDOWS\pss\Symantec Fax Starter Edition Port.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^John^Start Menu^Programs^Startup^Camio Viewer.lnk]
path=C:\Documents and Settings\John\Start Menu\Programs\Startup\Camio Viewer.lnk
backup=C:\WINDOWS\pss\Camio Viewer.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^John^Start Menu^Programs^Startup^Check for OneTouch Updates.lnk]
path=C:\Documents and Settings\John\Start Menu\Programs\Startup\Check for OneTouch Updates.lnk
backup=C:\WINDOWS\pss\Check for OneTouch Updates.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^John^Start Menu^Programs^Startup^reminder-ScanSoft Product Registration.lnk]
path=C:\Documents and Settings\John\Start Menu\Programs\Startup\reminder-ScanSoft Product Registration.lnk
backup=C:\WINDOWS\pss\reminder-ScanSoft Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2003-12-04 07:44 176128 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-08-06 12:03 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
--a------ 2001-10-16 08:08 86016 C:\PROGRA~1\VISION~2\ONETOU~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2001-08-10 10:49 26624 c:\PROGRA~1\Pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPWebCap]
--a------ 2001-08-10 10:50 40960 c:\PROGRA~1\PPWEBCAP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
--a------ 2001-10-04 14:48 173056 C:\WINDOWS\system32\pctspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Canon\\CSCLIB\\CDPROCMN.EXE"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 avgldx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-08 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-08 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-08 231704]
R2 avgtdix;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-09-08 76040]
R3 SiS630;SiS630;C:\WINDOWS\system32\DRIVERS\sis630p.sys [2003-01-23 164608]
S0 SMPLSCSI;SMPLSCSI;C:\WINDOWS\system32\drivers\SMPLSCSI.SYS [1998-04-17 60416]
S2 ONSIO;ONSIO;C:\WINDOWS\SYSTEM32\DRIVERS\ONSIO.SYS [ ]
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;C:\WINDOWS\system32\DRIVERS\BrParImg.sys [2001-08-17 3168]
S3 BrParWdm;Brother WDM Parallel Driver;C:\WINDOWS\system32\Drivers\BrParwdm.sys [2001-08-17 39552]
S3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2001-08-17 60416]
S3 SMALUSB;Digital Camera Driver;C:\WINDOWS\system32\DRIVERS\smalidt.sys [2002-05-31 9216]
S4 Pctspk;W2k PCtel speaker phone;C:\WINDOWS\system32\pctspk.exe [2001-10-04 173056]
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-26 06:00:37
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-09-26 6:07:41 - machine was rebooted [John]
ComboFix-quarantined-files.txt 2008-09-26 11:07:06
ComboFix2.txt 2008-09-25 23:44:50

Pre-Run: 11,439,177,728 bytes free
Post-Run: 11,426,463,744 bytes free

294 --- E O F --- 2008-09-12 00:21:17



And the HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:39 AM, on 9/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar4.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [PP3100b] C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - S-1-5-18 Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe (User 'Default user')
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup151.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O24 - Desktop Component 2: (no name) - http://autohobbypage.com/show/03/belv/pic034.jpg
O24 - Desktop Component 4: (no name) - http://i11.ebayimg.com/02/i/02/ab/6d/0b_1.JPG
O24 - Desktop Component 6: (no name) - http://www.forsalebyowner.com/propgfx/20218697-1.jpg

--
End of file - 4137 bytes

#12 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,388 posts
  • Gender:Male
  • Location:USA

Posted 26 September 2008 - 08:08 AM

Looks good. How is the computer feeling to you now?

#13 mreasyrider

mreasyrider
  • Topic Starter

  • Members
  • 58 posts

Posted 26 September 2008 - 09:11 AM

:thumbsup: :) It is running faster and better than it has in a long time. You are a miracle worker! BTW what was that one rootkit? AVG never found it and SpyBot never saw it either.

#14 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,388 posts
  • Gender:Male
  • Location:USA

Posted 26 September 2008 - 09:59 AM

They weren't necessarily rootkits, and to be honest, I am not 100% sure what they are. All of these files that were removed are located in C:\QooBox\Quarantine. So if you want to scan them first at http://www.virustotal.com to see what they are let me know, and I will hold off getting rid of the quarantine.
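
As an added example (not code from this thread, from ComboFix, or from VirusTotal): a small Python script that walks a quarantine folder such as the C:\QooBox\Quarantine directory named above and prints the size and SHA-256 of every file in it, so each one can be looked up on VirusTotal by hash before deciding whether it needs to be uploaded. The directory layout and file contents produced by `build_sample_quarantine` are constructed sample data, not real quarantined files; pass a real folder path as the first argument to use it instead.

```python
"""Hash every file under a quarantine folder for VirusTotal hash lookups.

Added example. The only path taken from the thread is C:\\QooBox\\Quarantine;
the sample layout built below is constructed and contains harmless text only.
"""
import hashlib
import sys
import tempfile
from pathlib import Path
from typing import List, Tuple

CHUNK = 1 << 20  # read in 1 MiB pieces so large quarantined files do not load whole


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_quarantine(root: Path) -> List[Tuple[str, int, str]]:
    """Return (relative path, size in bytes, sha256) for every regular file
    under root, sorted by path. Quarantine folders mirror the original
    directory tree, so the walk is recursive; paths use '/' on every OS so
    the report is identical wherever it is produced."""
    entries = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            entries.append((rel, p.stat().st_size, sha256_file(p)))
    return entries


def format_report(entries: List[Tuple[str, int, str]]) -> str:
    """One line per file: hash first so it can be copied straight into a
    VirusTotal search box, then size and the path the file came from."""
    return "\n".join(f"{sha}  {size:>10}  {rel}" for rel, size, sha in entries)


def build_sample_quarantine() -> Path:
    """Constructed sample data: a temp dir laid out like a quarantine folder,
    holding a 3-byte file and an empty file (hypothetical names)."""
    d = Path(tempfile.mkdtemp(prefix="qoobox_sample_"))
    sys_dir = d / "C" / "WINDOWS" / "system32"
    sys_dir.mkdir(parents=True)
    (sys_dir / "sample.dll.vir").write_bytes(b"abc")
    (d / "Registry_backups").mkdir()
    (d / "Registry_backups" / "empty.reg").write_bytes(b"")
    return d


if __name__ == "__main__":
    # Usage: python hash_quarantine.py "C:\QooBox\Quarantine"
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_quarantine()
    print(format_report(hash_quarantine(root)))
```

Searching VirusTotal for a hash returns any existing report without sending the file anywhere, which matters when a quarantined file may contain personal data (a backed-up registry hive, for example); only files with no prior report need to be uploaded.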

#15 mreasyrider

mreasyrider
  • Topic Starter

  • Members
  • 58 posts

Posted 26 September 2008 - 10:19 AM

I am at work right now. I will run the scan as soon as I get home this afternoon. Thanks again!
