persistent trojans; vundo & BHO

11 replies to this topic

#1 BigRedDog

  • Members
  • 24 posts
  • Location: Seattle, WA
Posted 31 October 2008 - 04:39 PM

Mod. edit: Referred here from Am I Infected. Topic here: http://www.bleepingcomputer.com/forums/t/177235/persistant-trojans;-vundo-bho/ ~ OB

Malwarebytes found and removed trojans, but they keep coming back. A Spyware Doctor full scan did not find viruses, and Ad-Aware removed tracking cookies... still had/have trojans.

Prior actions before running HJT as instructed:

update Windows
install ZoneAlarm firewall
clean and delete temp files
run Ad-Aware
run Spybot
run McAfee Stinger
run HijackThis...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:53:22 PM, on 10/31/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.farmersagent.com/pthompson2/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {848756E8-E732-4002-87B7-30FA7FB88C1A} - C:\DOCUME~1\PAULTH~1\LOCALS~1\Temp\InfoWindowe.dll (file missing)
O2 - BHO: (no name) - {9030391A-C4A5-475A-B46D-385BB2B1D2CF} - c:\windows\system32\vewrvxu.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [APL] "C:\Program Files\ACT\ACT for Win 7\APL.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://127.0.0.1
O16 - DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} (CentraUpdaterAxCtl Class) - http://conf1.centra.com/SiteRoots/main/Ins...raUpdaterAx.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farmersinsurance.com/PLA/eAg...ctiveX/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {354D91A8-E3C9-491F-BB89-0FB27DEEED86} (ImgXTwain6.ImgXTwain) - https://eagent.farmersinsurance.com/PLA/eAg...ImgXTwain61.cab
O16 - DPF: {3D03AEAF-38CC-4DB5-9FA1-1C3538B1CA85} (Crystal Reports Print Control 11.0) - https://eagent.farmersinsurance.com/PLA/eAg...rintControl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {45EEDB84-57BC-4FBD-8065-7AB8E971B545} (ImgXDialog6.ImgXDialog) - https://eagent.farmersinsurance.com/PLA/eAg...mgXDialog61.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1219875840156
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.theitcrew.net/Remote/msrdp.cab
O16 - DPF: {7E8DC73D-69CD-4F67-99B1-8DC6E42F6246} (Atalasoft ImgXCtrl6.ImgXCtrl (CAB)) - https://eagent.farmersinsurance.com/PLA/eAg...iveX/ImgX61.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://eagent.farmersinsurance.com/PLA/eAg...iveX/msxml4.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O16 - DPF: {DF261D07-7E99-11D4-B2C7-009027A1F18A} (DDI Print Control Class v2.1 [ENU]) - http://mobius.farmersinsurance.com/Agent/c...nt/iejpwenu.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O20 - Winlogon Notify: xkqoldoj - C:\WINDOWS\SYSTEM32\vewrvxu.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WorkgroupShare - Softalk Ltd - C:\Program Files\WorkgroupShare\WSService.exe

--
End of file - 10453 bytes

Edited by Orange Blossom, 31 October 2008 - 09:52 PM.

#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender: Female
  • Location: Belgium

Posted 01 November 2008 - 02:19 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#3 BigRedDog

  • Topic Starter
  • Members
  • 24 posts
  • Location: Seattle, WA

Posted 03 November 2008 - 01:24 PM

Well, that went pretty smoothly; here is the data, thanks!
ComboFix 08-11-02.05 - Paul Thompson 2008-11-03 7:59:58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1094 [GMT -8:00]
Running from: c:\documents and settings\Paul Thompson\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Paul Thompson\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\dao350.dll
c:\windows\system32\nslookupp.exe
c:\windows\Tasks\At1.job
c:\windows\system32\vewrvxu.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IJOQFVOB
-------\Service_ijoqfvob


((((((((((((((((((((((((( Files Created from 2008-10-03 to 2008-11-03 )))))))))))))))))))))))))))))))
.

2008-10-31 11:13 . 2008-10-31 11:14 <DIR> d-------- c:\documents and settings\Paul Thompson\.housecall6.6
2008-10-31 08:40 . 2008-11-03 08:11 745,504 --ahs---- c:\windows\SYSTEM32\DRIVERS\fidbox.dat
2008-10-31 08:40 . 2008-11-03 08:06 9,764 --ahs---- c:\windows\SYSTEM32\DRIVERS\fidbox.idx
2008-10-31 08:36 . 2008-10-31 08:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
2008-10-31 08:36 . 2008-10-31 08:38 4,212 ---h----- c:\windows\SYSTEM32\zllictbl.dat
2008-10-31 08:35 . 2008-10-31 08:35 <DIR> d-------- c:\program files\Zone Labs
2008-10-31 08:34 . 2008-11-03 07:23 <DIR> d-------- c:\windows\Internet Logs
2008-10-28 12:23 . 2008-10-30 12:41 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-28 12:08 . 2008-10-28 12:08 <DIR> d-------- c:\program files\Trend Micro
2008-10-28 11:26 . 2008-10-28 11:26 410,976 --a------ c:\windows\SYSTEM32\deploytk.dll
2008-10-23 12:43 . 2008-10-15 08:34 337,408 --------- c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-21 14:03 . 2008-10-30 12:41 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-10-21 14:03 . 2008-10-30 12:41 <DIR> d-------- c:\documents and settings\Paul Thompson\Application Data\SUPERAntiSpyware.com
2008-10-21 14:03 . 2008-10-21 14:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-21 12:20 . 2008-10-21 12:20 <DIR> d-------- C:\VundoFix Backups
2008-10-21 09:12 . 2008-10-21 09:12 <DIR> d-------- c:\program files\CCleaner
2008-10-20 11:54 . 2008-10-20 11:54 <DIR> d-------- c:\documents and settings\Paul Thompson\Application Data\Roxio
2008-10-17 08:55 . 2008-10-17 08:58 <DIR> d-------- c:\documents and settings\TEMP
2008-10-15 20:13 . 2008-08-14 02:11 2,189,184 --------- c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
2008-10-15 20:13 . 2008-08-14 02:09 2,145,280 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
2008-10-15 20:13 . 2008-08-14 01:33 2,066,048 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
2008-10-15 20:13 . 2008-08-14 01:33 2,023,936 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
2008-10-15 20:13 . 2008-09-15 04:12 1,846,400 --------- c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2008-10-15 20:13 . 2008-09-08 02:41 333,824 --------- c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-10-03 10:10 . 2008-10-03 10:10 92,700 --a------ c:\windows\Run32A50.mch
2008-10-03 10:08 . 2008-10-03 10:08 <DIR> d-------- c:\windows\A5W_DATA
2008-10-03 10:08 . 2008-10-03 10:08 <DIR> d-------- C:\commbas
2008-10-03 10:08 . 2008-10-03 10:08 35 --a------ c:\windows\A5W.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-03 15:53 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-03 15:53 --------- d-----w c:\program files\Spyware Doctor
2008-11-03 15:25 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-31 17:48 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-29 16:49 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-10-28 20:24 --------- d-----w c:\program files\Lavasoft
2008-10-28 19:26 --------- d-----w c:\program files\Java
2008-10-28 00:23 --------- d-----w c:\documents and settings\Paul Thompson\Application Data\AdobeUM
2008-10-22 23:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 23:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-21 17:03 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-21 00:22 --------- d-----w c:\documents and settings\Paul Thompson\Application Data\U3
2008-10-21 00:03 --------- d-----w c:\documents and settings\Paul Thompson\Application Data\Ahead
2008-09-26 21:59 --------- d-----w c:\program files\DiskCheckup
2008-09-24 23:09 --------- d--h--w c:\program files\InstallShield Installation Information
2008-09-24 23:09 --------- d-----w c:\program files\InterlinkElectronics
2008-09-09 04:16 81,288 ----a-w c:\windows\system32\drivers\iksyssec.sys
2008-09-09 04:16 66,952 ----a-w c:\windows\system32\drivers\iksysflt.sys
2008-09-09 04:16 40,840 ----a-w c:\windows\system32\drivers\ikfilesec.sys
2008-09-08 10:41 333,824 ------w c:\windows\system32\drivers\srv.sys
2008-08-22 17:44 475 ----a-w c:\documents and settings\All Users\Application Data\ustore.dat
2008-07-25 00:37 5,632 --sha-w c:\program files\Thumbs.db
2008-05-06 22:13 66,304 ------w c:\documents and settings\Paul Thompson\Application Data\GDIPFONTCACHEV1.DAT
2006-09-22 17:08 56,912 ------w c:\documents and settings\Paul Thompson\g2mdlhlpx.exe
2004-05-24 20:15 24,127 ------w c:\program files\export.xpt
2004-05-19 16:40 670,720 ------w c:\program files\MDB350.DLL
2004-04-22 19:48 876,032 ------w c:\program files\CSSCAN.EXE
2004-04-22 19:48 269,312 ------w c:\program files\RTF350.DLL
2004-02-17 22:57 203,776 ------w c:\program files\maptool.exe
2004-02-13 23:58 137,232 ------w c:\program files\unzip16.dll
2004-02-10 23:26 520,192 ------w c:\program files\cslaunch.exe
2004-02-10 23:26 284,160 ------w c:\program files\csdownld.exe
2003-09-11 22:05 254 ------w c:\program files\CSXFER.RUL
2003-09-11 22:05 140,800 ------w c:\program files\unzip32.dll
2003-09-11 22:05 135,312 ------w c:\program files\metonln.hlp
2003-09-11 22:05 1,947 ------w c:\program files\exceptio.fil
2003-08-05 21:07 92,378 ------w c:\program files\msonline.bmp
2003-08-05 21:07 118,278 ------w c:\program files\winmetro.hlp
2003-08-05 21:06 99,328 ------w c:\program files\lm_dxi_w.dll
2003-08-05 21:06 85,998 ------w c:\program files\bitmaps.blb
2003-08-05 21:06 8,845 ------w c:\program files\tvstyles
2003-08-05 21:06 8,478 ------w c:\program files\ntstyles
2003-08-05 21:06 565,598 ------w c:\program files\tv203.dll
2003-08-05 21:06 5,368 ------w c:\program files\tvfont
2003-08-05 21:06 29,536 ------w c:\program files\dib.drv
2003-08-05 21:06 1,076 ------w c:\program files\tvlicens
2003-08-05 21:05 59,856 ------w c:\program files\bids47.dll
2003-08-05 21:05 486,560 ------w c:\program files\owl254.dll
2003-08-05 21:05 27,200 ------w c:\program files\ctl3dv2.dll
2003-08-05 21:05 222,720 ------w c:\program files\bc453rtl.dll
2001-09-28 23:00 164,864 ------w c:\program files\UNWISE.EXE
2007-10-16 20:28 80 --sh--r c:\windows\SYSTEM32\6BAC806A46.dll
2004-12-15 17:52 56 --sh--r c:\windows\SYSTEM32\6BAC806A46.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9030391A-C4A5-475A-B46D-385BB2B1D2CF}]
2008-11-03 08:08 120320 --a------ c:\windows\system32\vewrvxu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-05 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"APL"="c:\program files\ACT\ACT for Win 7\APL.exe" [2005-05-24 20480]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-28 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-06-22 98304]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-04-26 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2008-03-24 218496]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2005-05-09 573440]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Vtd23.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Reminders.lnk
backup=c:\windows\pss\Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--------- 2002-12-17 09:28 684032 c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--------- 2004-06-22 17:38 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--------- 2008-05-05 08:20 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--------- 2007-03-16 16:12 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--------- 2006-11-03 18:20 866584 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SharedAccess"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Abacast\\Abaclient.exe"=
"c:\\Program Files\\ACT\\ACT for Win 7\\ActRunner.exe"=
"c:\\Program Files\\NewSoft\\Presto! PageManager 6\\NetGroup.exe"=
"c:\\Documents and Settings\\All Users\\Documents\\Palm\\HOTSYNC.EXE"=
"c:\\Program Files\\ACT\\ACT for Win 7\\Act7.exe"=
"c:\\Program Files\\Microsoft SQL Server\\MSSQL$ACT7\\Binn\\sqlservr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\ZoneLabs\\vsmon.exe"=

R0 vxggnshq;vxggnshq;c:\windows\system32\drivers\vxggnshq.sys [2002-08-29 23424]
R1 pctfw2;pctfw2;c:\windows\SYSTEM32\DRIVERS\pctfw2.sys [2008-08-27 160792]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [2003-02-10 114688]
R2 AsfAlrt;AsfAlrt;c:\windows\System32\drivers\AsfAlrt.sys [2002-12-18 36064]
R2 JavaQuickStarterService;Java Quick Starter;c:\program files\Java\jre6\bin\jqs.exe [2008-10-28 152984]
R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe [2003-05-31 7544916]
R3 NETGEARUHOST;NETGEAR Network USB Host Controller;c:\windows\system32\DRIVERS\NETGEARUHOST.sys [2007-03-08 12032]
R3 NETGEARUHUB;NETGEAR Network USB Root Hub;c:\windows\system32\DRIVERS\NETGEARUHUB.sys [2007-03-08 39424]
S0 Vtd23;Vtd23;c:\windows\system32\Drivers\Vtd23.sys [ ]
S3 {E6759E0C-470B-44DC-A4A1-627E68BB3A85};AIM 3.0 SI164;c:\windows\system32\drivers\A302.sys [2003-04-15 11319]
S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE [2002-12-17 311872]
S3 WorkgroupShare;WorkgroupShare;c:\program files\WorkgroupShare\WSService.exe [2004-06-11 565248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2005-03-26 c:\windows\Tasks\Automatic Differential Backup.job
- c:\program files\Stomp\Backup MyPC\System\bestart.exe [2003-10-30 04:10]

2005-06-03 c:\windows\Tasks\Automatic Full Backup.job
- c:\program files\Stomp\Backup MyPC\System\bestart.exe [2003-10-30 04:10]

2008-10-07 c:\windows\Tasks\Monthly Full.job
- c:\program files\Stomp\Backup MyPC\System\bestart.exe [2003-10-30 04:10]

2008-10-31 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2008-10-31 c:\windows\Tasks\Weekly Diff.job
- c:\program files\Stomp\Backup MyPC\System\bestart.exe [2003-10-30 04:10]
.
- - - - ORPHANS REMOVED - - - -

BHO-{848756E8-E732-4002-87B7-30FA7FB88C1A} - c:\docume~1\PAULTH~1\LOCALS~1\Temp\InfoWindowe.dll
Toolbar-ID - (no file)
MSConfigStartUp-vptray - c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Paul Thompson\Application Data\Mozilla\Firefox\Profiles\fvax77qk.default\
FF -: plugin - c:\documents and settings\Paul Thompson\Application Data\Mozilla\plugins\NPAbacheck.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
.
------- File Associations -------
.
scrfile="%1" %*
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-03 08:09:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\explorer.exe
-> c:\program files\Logitech\SetPoint\lgscroll.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\Logitech\SetPoint\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2008-11-03 8:16:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-03 16:16:18

Pre-Run: 17,077,714,944 bytes free
Post-Run: 17,172,787,200 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

256 --- E O F --- 2008-10-24 17:51:48
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:03 AM, on 11/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.farmersagent.com/pthompson2/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {848756E8-E732-4002-87B7-30FA7FB88C1A} - C:\DOCUME~1\PAULTH~1\LOCALS~1\Temp\InfoWindowe.dll (file missing)
O2 - BHO: (no name) - {9030391A-C4A5-475A-B46D-385BB2B1D2CF} - c:\windows\system32\vewrvxu.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [APL] "C:\Program Files\ACT\ACT for Win 7\APL.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://127.0.0.1
O16 - DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} (CentraUpdaterAxCtl Class) - http://conf1.centra.com/SiteRoots/main/Ins...raUpdaterAx.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farmersinsurance.com/PLA/eAg...ctiveX/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {354D91A8-E3C9-491F-BB89-0FB27DEEED86} (ImgXTwain6.ImgXTwain) - https://eagent.farmersinsurance.com/PLA/eAg...ImgXTwain61.cab
O16 - DPF: {3D03AEAF-38CC-4DB5-9FA1-1C3538B1CA85} (Crystal Reports Print Control 11.0) - https://eagent.farmersinsurance.com/PLA/eAg...rintControl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {45EEDB84-57BC-4FBD-8065-7AB8E971B545} (ImgXDialog6.ImgXDialog) - https://eagent.farmersinsurance.com/PLA/eAg...mgXDialog61.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1219875840156
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.theitcrew.net/Remote/msrdp.cab
O16 - DPF: {7E8DC73D-69CD-4F67-99B1-8DC6E42F6246} (Atalasoft ImgXCtrl6.ImgXCtrl (CAB)) - https://eagent.farmersinsurance.com/PLA/eAg...iveX/ImgX61.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://eagent.farmersinsurance.com/PLA/eAg...iveX/msxml4.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O16 - DPF: {DF261D07-7E99-11D4-B2C7-009027A1F18A} (DDI Print Control Class v2.1 [ENU]) - http://mobius.farmersinsurance.com/Agent/c...nt/iejpwenu.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WorkgroupShare - Softalk Ltd - C:\Program Files\WorkgroupShare\WSService.exe

--
End of file - 9874 bytes

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:01:54 AM

Posted 03 November 2008 - 02:05 PM

Hi,

I see you are running TeaTimer.
I suggest you disable it, because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.
After you have disabled TeaTimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, right-click the link and choose "save as".)
Double-click ResetTeaTimer.bat and let it run.
This will only take a few seconds.

* Open Notepad - don't use any other text editor than Notepad, or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
c:\windows\system32\vewrvxu.dll
Collect::[8]
c:\windows\system32\drivers\vxggnshq.sys
c:\windows\SYSTEM32\6BAC806A46.dll
c:\windows\SYSTEM32\6BAC806A46.sys
Folder::
C:\VundoFix Backups
Driver::
Vtd23
vxggnshq
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9030391A-C4A5-475A-B46D-385BB2B1D2CF}]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Vtd23.sys]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot]

This will start ComboFix again.
Then, please visit this site:
http://www.bleepingcomputer.com/submit-malware.php?channel=8
Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
Then click the "Send File" button below in order to upload it.


After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Edited by miekiemoes, 03 November 2008 - 02:05 PM.

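An added example (not code from this thread, ComboFix or HijackThis): it parses the O2 (BHO) lines of a HijackThis log like the one posted above, separates stale "(file missing)" registrations from an unnamed BHO whose DLL still sits in system32, and emits File:: and Registry:: entries in the CFScript layout used in this post. The function names and the "bare vendor-less stem in system32" heuristic are assumptions for illustration, not the helper's procedure.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis v2.0.2 "O2 - BHO:" layout. The CLSIDs and
# paths are the ones that appear in the thread's log; the selection is ours.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {848756E8-E732-4002-87B7-30FA7FB88C1A} - C:\DOCUME~1\PAULTH~1\LOCALS~1\Temp\InfoWindowe.dll (file missing)
O2 - BHO: (no name) - {9030391A-C4A5-475A-B46D-385BB2B1D2CF} - c:\windows\system32\vewrvxu.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
"""

# name - {CLSID} - path [ (file missing)]
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)

# DLL registered directly in %SystemRoot%\system32 (drive letter is irrelevant)
SYSTEM32_DLL = re.compile(r"^[a-z]:\\windows\\system32\\([^\\]+\.dll)$", re.IGNORECASE)


@dataclass
class BhoEntry:
    raw: str           # the HijackThis line as logged (what you tick to fix it)
    name: str          # display name, or "(no name)"
    clsid: str         # {GUID} under ...\Explorer\Browser Helper Objects
    path: str          # DLL path as registered
    file_missing: bool


def parse_o2_lines(log_text: str) -> List[BhoEntry]:
    """Extract the Browser Helper Object (O2) entries from a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            entries.append(BhoEntry(line.strip(), m["name"], m["clsid"],
                                    m["path"], m["missing"] is not None))
    return entries


def classify(entry: BhoEntry) -> str:
    """Triage verdict: "orphan", "suspicious" or "ok".

    orphan     - the DLL is gone ("file missing"); nothing loads any more, but
                 the stale CLSID registration is cleaned up in HijackThis.
    suspicious - unnamed BHO whose DLL is present directly in system32 under a
                 bare, letters-only stem (assumed heuristic; vewrvxu.dll in this
                 thread is the pattern). Needs file and registry removal.
    """
    if entry.file_missing:
        return "orphan"
    m = SYSTEM32_DLL.match(entry.path)
    if entry.name == "(no name)" and m and m.group(1)[:-4].isalpha():
        return "suspicious"
    return "ok"


def hijackthis_fix_list(entries: List[BhoEntry]) -> List[str]:
    """Lines to tick and 'Fix checked' in HijackThis (the orphans)."""
    return [e.raw for e in entries if classify(e) == "orphan"]


def build_cfscript(entries: List[BhoEntry]) -> str:
    """Emit File:: and Registry:: sections in the layout the helper posted."""
    bad = [e for e in entries if classify(e) == "suspicious"]
    if not bad:
        return ""
    lines = ["File::"] + [e.path for e in bad]
    lines.append("Registry::")
    lines += [f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{e.clsid}]" for e in bad]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_o2_lines(SAMPLE_LOG)
    for e in found:
        print(f"{classify(e):10} {e.clsid} {e.path}")
    print("\nTick in HijackThis:")
    print("\n".join(hijackthis_fix_list(found)))
    print("\nCFScript:")
    print(build_cfscript(found), end="")
```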

#5 BigRedDog

BigRedDog
  • Topic Starter

  • Members
  • 24 posts
  • Location:Seattle, WA
  • Local time:04:54 PM

Posted 03 November 2008 - 06:15 PM

Thanks again. I had to try turning off Spybot/TeaTimer twice, but got the boxes unchecked. My clock is still incorrect by exactly two hours (earlier than the actual time).

Here are the logs.

ComboFix 08-11-03.01 - Paul Thompson 2008-11-03 12:33:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1141 [GMT -8:00]
Running from: c:\documents and settings\Paul Thompson\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Paul Thompson\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\vewrvxu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
c:\windows\SYSTEM32\6BAC806A46.dll
c:\windows\SYSTEM32\6BAC806A46.sys
c:\windows\system32\drivers\vxggnshq.sys
c:\windows\system32\vewrvxu.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VTD23
-------\Legacy_VXGGNSHQ
-------\Service_Vtd23
-------\Service_vxggnshq


((((((((((((((((((((((((( Files Created from 2008-10-03 to 2008-11-03 )))))))))))))))))))))))))))))))
.

2008-10-31 11:13 . 2008-10-31 11:14 <DIR> d-------- c:\documents and settings\Paul Thompson\.housecall6.6
2008-10-31 08:40 . 2008-11-03 12:43 876,576 --ahs---- c:\windows\SYSTEM32\DRIVERS\fidbox.dat
2008-10-31 08:40 . 2008-11-03 12:38 11,300 --ahs---- c:\windows\SYSTEM32\DRIVERS\fidbox.idx
2008-10-31 08:36 . 2008-10-31 08:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
2008-10-31 08:36 . 2008-10-31 08:38 4,212 ---h----- c:\windows\SYSTEM32\zllictbl.dat
2008-10-31 08:35 . 2008-10-31 08:35 <DIR> d-------- c:\program files\Zone Labs
2008-10-31 08:34 . 2008-11-03 12:25 <DIR> d-------- c:\windows\Internet Logs
2008-10-28 12:23 . 2008-10-30 12:41 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-28 12:08 . 2008-10-28 12:08 <DIR> d-------- c:\program files\Trend Micro
2008-10-28 11:26 . 2008-10-28 11:26 410,976 --a------ c:\windows\SYSTEM32\deploytk.dll
2008-10-23 12:43 . 2008-10-15 08:34 337,408 --------- c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-21 14:03 . 2008-10-30 12:41 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-10-21 14:03 . 2008-10-30 12:41 <DIR> d-------- c:\documents and settings\Paul Thompson\Application Data\SUPERAntiSpyware.com
2008-10-21 14:03 . 2008-10-21 14:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-21 09:12 . 2008-10-21 09:12 <DIR> d-------- c:\program files\CCleaner
2008-10-20 11:54 . 2008-10-20 11:54 <DIR> d-------- c:\documents and settings\Paul Thompson\Application Data\Roxio
2008-10-17 08:55 . 2008-10-17 08:58 <DIR> d-------- c:\documents and settings\TEMP
2008-10-15 20:13 . 2008-08-14 02:11 2,189,184 --------- c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
2008-10-15 20:13 . 2008-08-14 02:09 2,145,280 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
2008-10-15 20:13 . 2008-08-14 01:33 2,066,048 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
2008-10-15 20:13 . 2008-08-14 01:33 2,023,936 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
2008-10-15 20:13 . 2008-09-15 04:12 1,846,400 --------- c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2008-10-15 20:13 . 2008-09-08 02:41 333,824 --------- c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-10-03 10:10 . 2008-10-03 10:10 92,700 --a------ c:\windows\Run32A50.mch
2008-10-03 10:08 . 2008-10-03 10:08 <DIR> d-------- c:\windows\A5W_DATA
2008-10-03 10:08 . 2008-10-03 10:08 <DIR> d-------- C:\commbas
2008-10-03 10:08 . 2008-10-03 10:08 35 --a------ c:\windows\A5W.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-03 20:05 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-03 20:05 --------- d-----w c:\program files\Spyware Doctor
2008-11-03 15:25 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-31 17:48 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-29 16:49 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-10-28 20:24 --------- d-----w c:\program files\Lavasoft
2008-10-28 19:26 --------- d-----w c:\program files\Java
2008-10-28 00:23 --------- d-----w c:\documents and settings\Paul Thompson\Application Data\AdobeUM
2008-10-22 23:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 23:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-21 17:03 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-21 00:22 --------- d-----w c:\documents and settings\Paul Thompson\Application Data\U3
2008-10-21 00:03 --------- d-----w c:\documents and settings\Paul Thompson\Application Data\Ahead
2008-09-26 21:59 --------- d-----w c:\program files\DiskCheckup
2008-09-24 23:09 --------- d--h--w c:\program files\InstallShield Installation Information
2008-09-24 23:09 --------- d-----w c:\program files\InterlinkElectronics
2008-09-09 04:16 81,288 ----a-w c:\windows\system32\drivers\iksyssec.sys
2008-09-09 04:16 66,952 ----a-w c:\windows\system32\drivers\iksysflt.sys
2008-09-09 04:16 40,840 ----a-w c:\windows\system32\drivers\ikfilesec.sys
2008-09-08 10:41 333,824 ------w c:\windows\system32\drivers\srv.sys
2008-08-22 17:44 475 ----a-w c:\documents and settings\All Users\Application Data\ustore.dat
2008-07-25 00:37 5,632 --sha-w c:\program files\Thumbs.db
2008-05-06 22:13 66,304 ------w c:\documents and settings\Paul Thompson\Application Data\GDIPFONTCACHEV1.DAT
2006-09-22 17:08 56,912 ------w c:\documents and settings\Paul Thompson\g2mdlhlpx.exe
2004-05-24 20:15 24,127 ------w c:\program files\export.xpt
2004-05-19 16:40 670,720 ------w c:\program files\MDB350.DLL
2004-04-22 19:48 876,032 ------w c:\program files\CSSCAN.EXE
2004-04-22 19:48 269,312 ------w c:\program files\RTF350.DLL
2004-02-17 22:57 203,776 ------w c:\program files\maptool.exe
2004-02-13 23:58 137,232 ------w c:\program files\unzip16.dll
2004-02-10 23:26 520,192 ------w c:\program files\cslaunch.exe
2004-02-10 23:26 284,160 ------w c:\program files\csdownld.exe
2003-09-11 22:05 254 ------w c:\program files\CSXFER.RUL
2003-09-11 22:05 140,800 ------w c:\program files\unzip32.dll
2003-09-11 22:05 135,312 ------w c:\program files\metonln.hlp
2003-09-11 22:05 1,947 ------w c:\program files\exceptio.fil
2003-08-05 21:07 92,378 ------w c:\program files\msonline.bmp
2003-08-05 21:07 118,278 ------w c:\program files\winmetro.hlp
2003-08-05 21:06 99,328 ------w c:\program files\lm_dxi_w.dll
2003-08-05 21:06 85,998 ------w c:\program files\bitmaps.blb
2003-08-05 21:06 8,845 ------w c:\program files\tvstyles
2003-08-05 21:06 8,478 ------w c:\program files\ntstyles
2003-08-05 21:06 565,598 ------w c:\program files\tv203.dll
2003-08-05 21:06 5,368 ------w c:\program files\tvfont
2003-08-05 21:06 29,536 ------w c:\program files\dib.drv
2003-08-05 21:06 1,076 ------w c:\program files\tvlicens
2003-08-05 21:05 59,856 ------w c:\program files\bids47.dll
2003-08-05 21:05 486,560 ------w c:\program files\owl254.dll
2003-08-05 21:05 27,200 ------w c:\program files\ctl3dv2.dll
2003-08-05 21:05 222,720 ------w c:\program files\bc453rtl.dll
2001-09-28 23:00 164,864 ------w c:\program files\UNWISE.EXE
.

((((((((((((((((((((((((((((( snapshot@2008-11-03_ 8.15.34.85 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-03 20:39:44 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_14c.dat
+ 2008-11-03 20:39:39 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_d8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{848756E8-E732-4002-87B7-30FA7FB88C1A}]
c:\docume~1\PAULTH~1\LOCALS~1\Temp\InfoWindowe.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-05 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"APL"="c:\program files\ACT\ACT for Win 7\APL.exe" [2005-05-24 20480]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-28 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-06-22 98304]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-04-26 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2008-03-24 218496]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2005-05-09 573440]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Reminders.lnk
backup=c:\windows\pss\Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--------- 2002-12-17 09:28 684032 c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--------- 2004-06-22 17:38 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--------- 2008-05-05 08:20 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--------- 2007-03-16 16:12 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--------- 2006-11-03 18:20 866584 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SharedAccess"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Abacast\\Abaclient.exe"=
"c:\\Program Files\\ACT\\ACT for Win 7\\ActRunner.exe"=
"c:\\Program Files\\NewSoft\\Presto! PageManager 6\\NetGroup.exe"=
"c:\\Documents and Settings\\All Users\\Documents\\Palm\\HOTSYNC.EXE"=
"c:\\Program Files\\ACT\\ACT for Win 7\\Act7.exe"=
"c:\\Program Files\\Microsoft SQL Server\\MSSQL$ACT7\\Binn\\sqlservr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\ZoneLabs\\vsmon.exe"=

R1 pctfw2;pctfw2;c:\windows\SYSTEM32\DRIVERS\pctfw2.sys [2008-08-27 160792]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [2003-02-10 114688]
R2 AsfAlrt;AsfAlrt;c:\windows\System32\drivers\AsfAlrt.sys [2002-12-18 36064]
R2 JavaQuickStarterService;Java Quick Starter;c:\program files\Java\jre6\bin\jqs.exe [2008-10-28 152984]
R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe [2003-05-31 7544916]
R3 NETGEARUHOST;NETGEAR Network USB Host Controller;c:\windows\system32\DRIVERS\NETGEARUHOST.sys [2007-03-08 12032]
R3 NETGEARUHUB;NETGEAR Network USB Root Hub;c:\windows\system32\DRIVERS\NETGEARUHUB.sys [2007-03-08 39424]
S3 {E6759E0C-470B-44DC-A4A1-627E68BB3A85};AIM 3.0 SI164;c:\windows\system32\drivers\A302.sys [2003-04-15 11319]
S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE [2002-12-17 311872]
S3 WorkgroupShare;WorkgroupShare;c:\program files\WorkgroupShare\WSService.exe [2004-06-11 565248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

*Newly Created Service* - VXGGNSHQ
.
Contents of the 'Scheduled Tasks' folder

2005-03-26 c:\windows\Tasks\Automatic Differential Backup.job
- c:\program files\Stomp\Backup MyPC\System\bestart.exe [2003-10-30 04:10]

2005-06-03 c:\windows\Tasks\Automatic Full Backup.job
- c:\program files\Stomp\Backup MyPC\System\bestart.exe [2003-10-30 04:10]

2008-10-07 c:\windows\Tasks\Monthly Full.job
- c:\program files\Stomp\Backup MyPC\System\bestart.exe [2003-10-30 04:10]

2008-11-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2008-10-31 c:\windows\Tasks\Weekly Diff.job
- c:\program files\Stomp\Backup MyPC\System\bestart.exe [2003-10-30 04:10]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-03 12:40:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\explorer.exe
-> c:\program files\Logitech\SetPoint\lgscroll.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ZoneLabs\vsmon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\Logitech\SetPoint\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2008-11-03 12:47:41 - machine was rebooted [Paul Thompson]
ComboFix-quarantined-files.txt 2008-11-03 20:47:34
ComboFix2.txt 2008-11-03 16:16:30

Pre-Run: 17,169,760,256 bytes free
Post-Run: 17,151,918,080 bytes free

227 --- E O F --- 2008-10-24 17:51:48



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:56 PM, on 11/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.farmersagent.com/pthompson2/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {848756E8-E732-4002-87B7-30FA7FB88C1A} - C:\DOCUME~1\PAULTH~1\LOCALS~1\Temp\InfoWindowe.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [APL] "C:\Program Files\ACT\ACT for Win 7\APL.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://127.0.0.1
O16 - DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} (CentraUpdaterAxCtl Class) - http://conf1.centra.com/SiteRoots/main/Ins...raUpdaterAx.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farmersinsurance.com/PLA/eAg...ctiveX/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {354D91A8-E3C9-491F-BB89-0FB27DEEED86} (ImgXTwain6.ImgXTwain) - https://eagent.farmersinsurance.com/PLA/eAg...ImgXTwain61.cab
O16 - DPF: {3D03AEAF-38CC-4DB5-9FA1-1C3538B1CA85} (Crystal Reports Print Control 11.0) - https://eagent.farmersinsurance.com/PLA/eAg...rintControl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {45EEDB84-57BC-4FBD-8065-7AB8E971B545} (ImgXDialog6.ImgXDialog) - https://eagent.farmersinsurance.com/PLA/eAg...mgXDialog61.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1219875840156
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.theitcrew.net/Remote/msrdp.cab
O16 - DPF: {7E8DC73D-69CD-4F67-99B1-8DC6E42F6246} (Atalasoft ImgXCtrl6.ImgXCtrl (CAB)) - https://eagent.farmersinsurance.com/PLA/eAg...iveX/ImgX61.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://eagent.farmersinsurance.com/PLA/eAg...iveX/msxml4.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O16 - DPF: {DF261D07-7E99-11D4-B2C7-009027A1F18A} (DDI Print Control Class v2.1 [ENU]) - http://mobius.farmersinsurance.com/Agent/c...nt/iejpwenu.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WorkgroupShare - Softalk Ltd - C:\Program Files\WorkgroupShare\WSService.exe

--
End of file - 9407 bytes

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:54 AM

Posted 04 November 2008 - 12:47 AM

Hi,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {848756E8-E732-4002-87B7-30FA7FB88C1A} - C:\DOCUME~1\PAULTH~1\LOCALS~1\Temp\InfoWindowe.dll (file missing)
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, go to Start > Run and copy and paste the next command into the field:

ComboFix /u

Make sure there's a space between ComboFix and /.
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

My clock is still incorrect by exactly two hours (earlier than actual time)


For your clock, right-click the taskbar, select the option to adjust date/time and adjust it there.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
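The two O2 entries the helper singled out share the traits a responder looks for when triaging a HijackThis log: the registered DLL is gone from disk, the BHO has no name, and the path points into a user Temp folder. As an added example that is not part of this thread or of HijackThis itself, here is a small Python triage that applies those checks to O2 lines; the sample lines are constructed (the third entry and its all-zero CLSID are placeholders):

```python
import re

# Constructed sample lines in HijackThis log format. The first two mirror the
# O2 entries quoted in this thread; the third is a made-up benign BHO with a
# placeholder CLSID, included so the triage has something it should NOT flag.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {848756E8-E732-4002-87B7-30FA7FB88C1A} - C:\\DOCUME~1\\PAULTH~1\\LOCALS~1\\Temp\\InfoWindowe.dll (file missing)
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O2 - BHO: Example Vendor Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\SYSTEM32\\ZoneLabs\\vsmon.exe
"""

# O2 lines have the shape: "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)

def parse_bho(line):
    """Return a dict for an O2 BHO line, or None for any other HJT line."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    return {
        "name": m.group("name"),
        "clsid": m.group("clsid"),
        "path": m.group("path"),
        "file_missing": m.group("missing") is not None,
    }

def suspicious_reasons(bho):
    """Heuristics behind the two entries the helper asked to fix in this thread."""
    reasons = []
    if bho["file_missing"]:
        reasons.append("registered DLL no longer on disk (orphaned BHO)")
    if bho["name"] == "(no name)":
        reasons.append("BHO has no registered name")
    if re.search(r"\\temp\\", bho["path"], re.IGNORECASE):
        reasons.append("DLL path is inside a Temp directory")
    return reasons

def triage(log_text):
    """Return [(clsid, reasons)] for every O2 entry with at least one reason."""
    flagged = []
    for line in log_text.splitlines():
        bho = parse_bho(line)
        if bho and (reasons := suspicious_reasons(bho)):
            flagged.append((bho["clsid"], reasons))
    return flagged

if __name__ == "__main__":
    for clsid, reasons in triage(SAMPLE_LOG):
        print(clsid, "->", "; ".join(reasons))
```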

#7 BigRedDog

BigRedDog
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Location:Seattle, WA
  • Local time:04:54 PM

Posted 04 November 2008 - 05:34 PM

HijackThis and ComboFix uninstall completed. Everything seems to be running OK :thumbsup:
THANKS!

#8 BigRedDog

BigRedDog
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Location:Seattle, WA
  • Local time:04:54 PM

Posted 04 November 2008 - 06:09 PM

Miekiemoes,

Thank you for your help. I am grateful you were able to fix these persistent viruses, and I have learned a little more about how to protect my computer.

I made a contribution through paypal, you certainly deserve it. Here are pictures of my two dogs.

cheers, BRD


#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:54 AM

Posted 05 November 2008 - 01:55 AM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Thank you for the donation, much appreciated.
Nice dogs you have there btw. Is that an Akita Inu?

Happy Surfing again!

#10 BigRedDog

BigRedDog
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Location:Seattle, WA
  • Local time:04:54 PM

Posted 05 November 2008 - 02:16 PM

Thanks for the links. The red dog is an Ainu Inu (Hokkaido hound) and the white dog is a Kishu. I rescued both from the animal shelter, so I do not know for certain, but that is what they look like and act like... http://japanesedogs.bulldoginformation.com/

and your malware killer is?

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:54 AM

Posted 05 November 2008 - 03:26 PM

Really nice dogs you have!
The one in my avatar is an American Staffordshire. I currently have three of them. I used to breed them, but unfortunately I don't have the space and time for it anymore. You can find more pics of my dogs here.

Edited by miekiemoes, 05 November 2008 - 03:48 PM.


#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:54 AM

Posted 07 November 2008 - 02:16 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
