Trojan.Vundo.H


This topic is locked
16 replies to this topic

#1 jane doe (Members, 65 posts)

Posted 25 November 2008 - 02:38 PM

MBAM detects the Trojan file but can't remove it. Also, the Trojan downloader file shows up in the scan results, but when deleted it reappears in the next scan. Malwarebytes Anti-Malware keeps detecting the files and claims to be removing them, but they keep popping back up in the next scan. I am running Windows XP Professional Service Pack 3. Below is the MBAM log, and below that you will find the HijackThis log.

MBAM log:

Malwarebytes' Anti-Malware 1.30
Database version: 1421
Windows 5.1.2600 Service Pack 3

11/25/2008 11:02:35 AM
mbam-log-2008-11-25 (11-02-35).txt

Scan type: Quick Scan
Objects scanned: 55518
Time elapsed: 5 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c1d9452e-4408-4088-84b4-63df06012a7f} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\njhhrivh (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{c1d9452e-4408-4088-84b4-63df06012a7f} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mtnwzx (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mtnwzx (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\windows\system32\vusxvff.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\drivers\ytmgzr.sys (Trojan.Downloader) -> Quarantined and deleted successfully.


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:22:59 PM, on 11/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Printkey4\Printkey.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\nicole\Desktop\RSIT.exe
C:\Documents and Settings\nicole\Desktop\deleteme\hijackthis\nicole.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {C1D9452E-4408-4088-84B4-63DF06012A7F} - c:\windows\system32\vusxvff.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [AcronisTimounterMonitor] "C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] "C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [GW Port Controller] "C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE"
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [mmtask] "c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Shortcut to Printkey.lnk = C:\Program Files\Printkey4\Printkey.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.adobe.com
O15 - Trusted Zone: *.driveragent.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1169952232625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187471717281
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9365A8BD-997E-4BC5-B8D6-8FB105FAC887}: NameServer = 68.237.161.12,71.250.0.12
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: njhhrivh - C:\WINDOWS\SYSTEM32\vusxvff.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 9838 bytes

#2 miekiemoes (Malware Killer Dog; Malware Response Team, 19,420 posts; Belgium)

Posted 25 November 2008 - 03:48 PM

Hi,

Did you reboot afterwards? It needs a reboot afterwards in order to remove some of the files it has found.
So please reboot and post the new logs after the reboot.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
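The "Delete on reboot" entries in the MBAM log in post #1 are the items MBAM could not remove while the scan ran, because vusxvff.dll was loaded at the time (it is registered both as a browser helper object and as a Winlogon notification package, so winlogon.exe and the browser hold it open) and removal was deferred to the next boot, which is the reboot asked for above. A HijackThis log taken after that reboot is the check that the load points actually went away. The script below is an added example, not from the thread and not from Malwarebytes or Trend Micro: it parses the two log formats and reports which deferred detections still have a matching load point. The sample input is excerpted from the logs in post #1 (trimmed to the relevant lines); the regexes, the 6-character token floor and the function names are assumptions of this example, not anything the tools document.

```python
"""Correlate MBAM detections with HijackThis load points (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Sample input excerpted from the MBAM and HijackThis logs posted in #1, trimmed.
MBAM_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c1d9452e-4408-4088-84b4-63df06012a7f} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\njhhrivh (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{c1d9452e-4408-4088-84b4-63df06012a7f} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mtnwzx (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
c:\windows\system32\vusxvff.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\drivers\ytmgzr.sys (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C1D9452E-4408-4088-84B4-63DF06012A7F} - c:\windows\system32\vusxvff.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: njhhrivh - C:\WINDOWS\SYSTEM32\vusxvff.dll
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""

# One MBAM result line: "<key or path> (<family>) -> <action>."  (format assumed from the log above)
MBAM_ITEM = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
GUID = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
MIN_TOKEN = 6  # assumption: drop short leaf names that would match almost any line


@dataclass(frozen=True)
class Detection:
    item: str    # registry key or file path exactly as MBAM printed it
    family: str  # MBAM family name, e.g. Trojan.Vundo.H
    action: str  # what MBAM reports it did with the item

    @property
    def deferred(self) -> bool:
        """True when MBAM could not remove the item during the scan and scheduled it for the next boot."""
        return self.action.lower().startswith("delete on reboot")


def parse_mbam(text: str) -> list[Detection]:
    """Pull every result line out of an MBAM log; headers and '(No malicious items detected)' are skipped."""
    found = []
    for line in text.splitlines():
        m = MBAM_ITEM.match(line.strip())
        if m:
            found.append(Detection(**m.groupdict()))
    return found


def indicators(det: Detection) -> set[str]:
    """Tokens that identify this detection in another tool's output: any CLSID in it plus the key/file leaf name."""
    toks = {g.lower() for g in GUID.findall(det.item)}
    leaf = det.item.rstrip("\\").rsplit("\\", 1)[-1].lower()
    if len(leaf) >= MIN_TOKEN:
        toks.add(leaf)
    return toks


def hjt_entries(text: str) -> list[str]:
    """HijackThis lines that describe a load point ('Onn - ...'); the process list and header are ignored."""
    return [line.strip() for line in text.splitlines() if re.match(r"^\s*O\d+ - ", line)]


def still_live(mbam_text: str, hjt_text: str) -> dict[str, list[str]]:
    """Map each MBAM detection to the HijackThis load points that still reference it."""
    entries = hjt_entries(hjt_text)
    result: dict[str, list[str]] = {}
    for det in parse_mbam(mbam_text):
        toks = indicators(det)
        hits = [e for e in entries if any(t in e.lower() for t in toks)]
        if hits:
            result[det.item] = hits
    return result


def unresolved(mbam_text: str, hjt_text: str) -> list[Detection]:
    """Deferred detections whose load point survived the reboot: the scheduled removal did not stick."""
    live = still_live(mbam_text, hjt_text)
    return [d for d in parse_mbam(mbam_text) if d.deferred and d.item in live]


if __name__ == "__main__":
    live = still_live(MBAM_LOG, HJT_LOG)
    for det in unresolved(MBAM_LOG, HJT_LOG):
        print(f"{det.family}: {det.item}")
        for entry in live[det.item]:
            print("    still loaded via:", entry)
```

Run against the two logs in post #1 it reports all four "Delete on reboot" items as still live, pointing at the O2 BHO line and the O20 Winlogon Notify line, while the two quarantined Trojan.Downloader items (the mtnwzx service and ytmgzr.sys) have no surviving load point. That is the pattern behind "it comes back after every scan": the DLL is re-registered before the deferred delete can run, so the next step is a tool that removes the load points and the file in one pass, as the following replies do.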

#3 jane doe (Topic Starter)

Posted 25 November 2008 - 03:52 PM

Yes, I rebooted afterwards... the same thing continues to happen.

#4 miekiemoes (Malware Response Team)

Posted 25 November 2008 - 03:57 PM

Ok, no worries.

Do next instead...

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#5 jane doe (Topic Starter)

Posted 25 November 2008 - 04:00 PM

My IT tech already ran ComboFix... should I do this again, and then copy/paste the logs as you suggested?

#6 miekiemoes (Malware Response Team)

Posted 25 November 2008 - 04:36 PM

Yes, because the most important part of ComboFix is the log.

#7 jane doe (Topic Starter)

Posted 25 November 2008 - 04:40 PM

Below you will find both the ComboFix log and the HijackThis log...

ComboFix log:

ComboFix 08-11-26.01 - nicole 2008-11-25 16:26:23.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1556 [GMT -5:00]
Running from: c:\documents and settings\nicole\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.

2008-11-25 14:22 . 2008-11-25 14:23 <DIR> d-------- C:\rsit
2008-11-25 00:10 . 2008-11-25 00:10 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-25 00:01 . 2008-11-25 00:01 <DIR> d-------- C:\VundoFix Backups
2008-11-24 23:57 . 2008-11-25 09:03 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-24 23:57 . 2008-11-24 23:57 <DIR> d-------- c:\program files\AVG
2008-11-24 23:57 . 2008-11-24 23:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-24 23:57 . 2008-11-24 23:57 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-24 23:57 . 2008-11-24 23:57 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-24 23:56 . 2008-11-24 23:58 8,192 --a------ c:\documents and settings\deleteme
2008-11-24 23:56 . 2008-11-24 23:58 8,192 --a------ c:\documents and settings\all
2008-11-24 21:41 . 2008-11-24 21:41 <DIR> d-------- c:\program files\Eraser
2008-11-24 21:41 . 2008-11-24 21:41 <DIR> d--h----- c:\documents and settings\All Users\Application Data\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}
2008-11-24 21:21 . 2008-11-24 21:28 <DIR> d-------- c:\program files\a-squared Free
2008-11-21 13:12 . 2007-08-01 22:47 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-11-21 12:20 . 2008-11-21 12:27 <DIR> d-------- c:\windows\BDOSCAN8
2008-11-20 13:42 . 2008-11-20 13:42 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-20 13:42 . 2008-11-20 13:42 1,409 --a------ c:\windows\QTFont.for
2008-11-20 10:13 . 2008-04-14 05:42 4,274,816 --------- c:\windows\system32\nv4_disp.dll
2008-11-20 10:12 . 2008-11-20 10:14 <DIR> d-------- c:\windows\ServicePackFiles
2008-11-20 10:12 . 2008-04-14 05:42 294,912 -----c--- c:\windows\system32\dllcache\dlimport.exe
2008-11-20 10:09 . 2006-12-29 00:31 19,569 --a------ c:\windows\003122_.tmp
2008-11-20 09:21 . 2008-11-20 09:22 <DIR> d-------- C:\7ee4d6ea7f7cb03895217f9d8c160a
2008-11-19 21:44 . 2008-11-19 21:44 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-19 21:44 . 2008-11-19 21:44 <DIR> d-------- c:\documents and settings\nicole\Application Data\Malwarebytes
2008-11-19 21:44 . 2008-11-19 21:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-19 21:44 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-19 21:44 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-19 21:14 . 2008-11-19 21:14 <DIR> d-------- c:\documents and settings\nicole\Application Data\TrueCrypt
2008-11-19 11:20 . 2008-08-14 05:09 2,145,280 --a------ c:\windows\system32\ntoskrnl.exe
2008-11-19 10:16 . 2008-11-20 10:13 <DIR> d-------- c:\windows\system32\scripting
2008-11-19 10:16 . 2008-11-20 10:13 <DIR> d-------- c:\windows\system32\en
2008-11-19 10:16 . 2008-11-20 10:13 <DIR> d-------- c:\windows\system32\bits
2008-11-19 10:16 . 2008-11-20 10:13 <DIR> d-------- c:\windows\l2schemas
2008-11-19 09:58 . 2004-08-04 01:05 71,040 --------- c:\windows\system32\drivers\_004773_.tmp.dll
2008-11-12 00:19 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-28 18:38 . 2008-10-28 18:38 <DIR> d-------- c:\documents and settings\nicole\Application Data\jfflvocx
2008-10-28 08:53 . 2004-08-03 23:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-10-28 08:53 . 2001-08-17 21:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-10-28 08:34 . 2008-10-28 08:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-25 14:25 182 ----a-w c:\program files\iblsrcz.txt
2008-11-25 13:56 102 ----a-w c:\program files\limtmzb.txt
2008-11-25 04:18 --------- d-----w c:\program files\Symantec AntiVirus
2008-11-25 04:18 --------- d-----w c:\program files\Symantec
2008-11-25 04:18 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-25 04:18 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-10-28 13:46 2,012 ----a-w c:\program files\DriversHQ.DriverDetective.Client.InstallState
2008-10-28 13:35 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 16:40 --------- d-----w c:\documents and settings\NetworkService\Application Data\jfflvocx
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 15:06 --------- d-----w c:\program files\MSECache
2008-10-06 19:21 98,576 ----a-w c:\program files\DriversHQ.DriverDetective.Common.dll
2008-10-06 19:21 89,872 ----a-w c:\program files\DriversHQ.DriverDetective.Client.Communication.dll
2008-10-06 19:21 80,656 ----a-w c:\program files\DriversHQ.DriverDetective.Client.Updater.exe
2008-10-06 19:21 36,112 ----a-w c:\program files\DriversHQ.DriverDetective.Client.ExceptionLogging.dll
2008-10-06 19:21 20,240 ----a-w c:\program files\DriversHQ.DriverDetective.Client.ExceptionLogging.XmlSerializers.dll
2008-10-06 19:21 120,080 ----a-w c:\program files\DriversHQ.DriverDetective.Client.Communication.XmlSerializers.dll
2008-10-06 19:21 1,245,456 ----a-w c:\program files\DriversHQ.DriverDetective.Client.exe
2008-10-06 19:12 90,112 ----a-w c:\program files\Microsoft.Practices.EnterpriseLibrary.Common.dll
2008-10-06 19:12 69,632 ----a-w c:\program files\Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.dll
2008-10-06 19:12 61,440 ----a-w c:\program files\Microsoft.ApplicationBlocks.Updater.ActivationProcessors.dll
2008-10-06 19:12 28,672 ----a-w c:\program files\Microsoft.ApplicationBlocks.Updater.Downloaders.dll
2008-10-06 19:12 118,784 ----a-w c:\program files\Microsoft.ApplicationBlocks.Updater.dll
2008-10-06 18:46 53,466 ----a-w c:\program files\DriverDetective.chm
2008-10-03 18:59 --------- d-----w c:\documents and settings\nicole\Application Data\alot
2008-10-03 14:36 --------- d-----w c:\program files\alot
2008-09-19 16:07 66,360 ----a-w c:\documents and settings\nicole\g2ax_customer_downloadhelper_win32_x86.exe
2008-09-16 15:22 46,592 ----a-w c:\program files\Microsoft.Practices.ObjectBuilder.dll
2008-08-29 13:23 25,872 ----a-w c:\program files\DriversHQ.DriverDetective.ExceptionLogging.dll
2008-08-25 12:41 33,040 ----a-w c:\program files\DriversHQ.DriverDetective.Client.DirectX.dll
2008-08-18 15:44 60,744 ----a-w c:\documents and settings\nicole\g2mdlhlpx.exe
2008-08-18 13:01 36,864 ----a-w c:\program files\Interop.WindowsInstaller.dll
2008-08-14 19:47 18,856 ----a-w c:\documents and settings\nicole\Application Data\GDIPFONTCACHEV1.DAT
2008-08-14 17:23 49,152 ----a-w c:\program files\XPBurnComponent.dll
2008-03-27 17:33 5,282 ----a-w c:\program files\DriversHQ.DriverDetective.Client.exe.config
2007-10-12 20:51 0 ----a-w c:\documents and settings\nicole\gosetup.exe
2007-10-12 20:35 722,176 ----a-w c:\documents and settings\nicole\gotomypc_428.exe
2007-09-04 16:57 724,984 ----a-w c:\documents and settings\nicole\gotomypc_437.exe
2007-08-11 18:14 914 ----a-w c:\documents and settings\nicole\SDM-2.3.1-1811W-c181x-advipservicesk9-mz.124-6.T7.bin
2007-08-11 18:14 914 ----a-w c:\documents and settings\Default User\SDM-2.3.1-1811W-c181x-advipservicesk9-mz.124-6.T7.bin
2007-08-11 18:14 914 ----a-w c:\documents and settings\Administrator\SDM-2.3.1-1811W-c181x-advipservicesk9-mz.124-6.T7.bin
2007-05-15 13:13 3,569 ----a-w c:\program files\DriversHQ.DriverDetective.Client.Updater.exe.config
.

((((((((((((((((((((((((((((( snapshot@2008-11-24_22.50.29.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-25 04:57:48 26,824 ----a-w c:\windows\system32\drivers\avgmfx86.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1D9452E-4408-4088-84B4-63DF06012A7F}]
c:\windows\system32\vusxvff.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="c:\program files\CCleaner\ccleaner.exe" [2007-07-13 598656]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-16 87584]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-16 1941784]
"OSSelectorReinstall"="c:\program files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2007-02-22 2209224]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-05-14 35328]
"GW Port Controller"="c:\program files\Samsung\SmarThru\PORTCTRL.EXE" [2004-02-09 163840]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-06-20 258856]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-20 53248]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2004-04-20 118784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2008-10-22 399504]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-24 1234712]
"Resume copy"="copyfstq.exe" [2007-05-03 c:\windows\copyfstq.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2007-08-30 221295]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-11-07 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2007-10-17 581632]
Shortcut to Printkey.lnk - c:\program files\Printkey4\Printkey.exe [2007-01-28 589824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-06-20 10:09 10536 c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\njhhrivh]
vusxvff.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.l3fhg"= mp3fhg.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 qylcutsd;qylcutsd;c:\windows\system32\drivers\qylcutsd.sys [2007-05-05 23424]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-24 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-24 231704]
R2 MBAMService;MBAMService;"c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe" [2008-11-19 170640]
R3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys [2008-11-19 15504]
S3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;c:\windows\system32\DRIVERS\EL556ND5.sys [2007-04-27 58951]
S3 KMW_SYS;Kensington MouseWorks Mouse filter driver;c:\windows\system32\DRIVERS\KMW_SYS.sys [2005-09-01 92032]
S3 KMW_USB;Kensington MouseWorks USB filter driver;c:\windows\system32\DRIVERS\KMW_USB.sys [2005-09-01 10496]
S3 S3GSavageMX;S3GSavageMX;c:\windows\system32\DRIVERS\s3gsavm.sys [2007-04-29 88576]
S3 WDHAALBA;WDHAALBAMiniPCI Winmodem;c:\windows\system32\DRIVERS\WDHAALBA.sys [2007-04-27 706192]
S4 EL556;3Com 10/100 Mini PCI Ethernet Adapter NDIS 5.0 Driver;c:\windows\system32\DRIVERS\EL556ND5.sys [2007-04-27 58951]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
pezlloyo

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
\Shell\AutoRun\command - M:\autorun.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12f6f150-aeec-11db-80b2-000bdbb8bae7}]
\Shell\AutoRun\command - moveXXCOPY-NSL-JUICE to USB-E-PBM.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d61bb43-3418-11dc-a8d7-0000864601d7}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{69b07ac0-ff33-11db-a8c3-0000864601d7}]
\Shell\AutoRun\command - explorer.exe /n,/e,\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6cd8fef0-ae62-11db-80ab-f2d517eaf397}]
\Shell\AutoRun\command - explorer.exe /n,/e,\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{705f8a10-fb76-11db-a8b3-0000864601d7}]
\Shell\AutoRun\command - moveXXCOPY-NSL-JUICE to USB-E-PBM.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{82195c1c-4d2a-11dc-8ce8-001aa0b15876}]
\Shell\AutoRun\command - explorer.exe /n,/e,\
.
Contents of the 'Scheduled Tasks' folder

2008-11-25 c:\windows\Tasks\At1.job
- c:\windows\system32\rundll32.exe [2008-04-14 05:42]

2008-11-24 c:\windows\Tasks\cloneDrive.job
- d:\backup\TrueImage\CLONE\scripts\cloneDrive.cmd [2008-04-16 19:59]

2008-11-24 c:\windows\Tasks\Malwarebytes' Scheduled Scan for nicole.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2008-10-22 16:10]

2008-11-24 c:\windows\Tasks\Malwarebytes' Scheduled Update for nicole.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2008-10-22 16:10]
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-26 16:31:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'lsass.exe'(892)
c:\windows\system32\relog_ap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\a-squared Free\a2service.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Raxco\PerfectDisk\PDAgent.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Raxco\PerfectDisk\PDEngine.exe
c:\program files\Logitech\SetPoint\KHALMNPR.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
.
**************************************************************************
.
Completion time: 2008-11-26 16:34:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-26 21:34:23
ComboFix2.txt 2008-11-25 04:48:04
ComboFix3.txt 2008-11-25 04:13:25
ComboFix4.txt 2008-11-25 03:50:55

Pre-Run: 223,050,473,472 bytes free
Post-Run: 223,037,812,736 bytes free

240 --- E O F --- 2008-11-20 14:20:11


HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:58 PM, on 11/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Printkey4\Printkey.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Documents and Settings\nicole\Desktop\deleteme\hijackthis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {C1D9452E-4408-4088-84B4-63DF06012A7F} - c:\windows\system32\vusxvff.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [AcronisTimounterMonitor] "C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] "C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [GW Port Controller] "C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE"
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [mmtask] "c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Shortcut to Printkey.lnk = C:\Program Files\Printkey4\Printkey.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.adobe.com
O15 - Trusted Zone: *.driveragent.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1169952232625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187471717281
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9365A8BD-997E-4BC5-B8D6-8FB105FAC887}: NameServer = 68.237.161.12,71.250.0.12
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: njhhrivh - C:\WINDOWS\SYSTEM32\vusxvff.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 9847 bytes

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:07:00 AM

Posted 25 November 2008 - 05:12 PM

Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\windows\system32\drivers\qylcutsd.sys
C:\WINDOWS\SYSTEM32\vusxvff.dll
Suspect::[8]
c:\windows\system32\drivers\_004773_.tmp.dll
c:\documents and settings\deleteme
c:\documents and settings\all
c:\windows\003122_.tmp
Folder::
C:\VundoFix Backups
Dirlook::
c:\documents and settings\nicole\Application Data\jfflvocx
Driver::
qylcutsd
NetSvc::
pezlloyo
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1D9452E-4408-4088-84B4-63DF06012A7F}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\njhhrivh]


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot]

This will start ComboFix again.
Then, please visit this site:
http://www.bleepingcomputer.com/submit-malware.php?channel=8
Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
Then click the "Send File" button below in order to upload it.

After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
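The CFScript above removes the same DLL from two places at once: the "(no name)" BHO under Browser Helper Objects and the Winlogon Notify entry "njhhrivh", both of which point at vusxvff.dll in the HijackThis log posted earlier. The following is an added example, not code from the thread or from the HijackThis/ComboFix projects: it parses HijackThis-style entry lines and reports any file that is hooked from more than one kind of load point, then checks a second log to confirm the entries are gone. The sample log lines are constructed from the entries posted in this thread (the SDHelper.dll line is included to show that an unnamed BHO alone is not flagged).

```python
"""Cross-reference load points in a HijackThis log (added example)."""
import re
from collections import defaultdict

# Constructed sample: representative lines copied from the "before" log
# posted earlier in the thread. SDHelper.dll (Spybot) is a legitimate
# "(no name)" BHO and shows why an unnamed BHO alone is not enough to flag.
BEFORE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {C1D9452E-4408-4088-84B4-63DF06012A7F} - c:\\windows\\system32\\vusxvff.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: njhhrivh - C:\\WINDOWS\\SYSTEM32\\vusxvff.dll
O23 - Service: MBAMService - Malwarebytes Corporation - C:\\Program Files\\Malwarebytes' Anti-Malware\\mbamservice.exe
"""

# Constructed sample: the same entries as they appear in the log posted
# after the CFScript run (the vusxvff.dll lines are gone).
AFTER_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: MBAMService - Malwarebytes Corporation - C:\\Program Files\\Malwarebytes' Anti-Malware\\mbamservice.exe
"""

# HijackThis entry lines start with a section code such as R1, O2, O20, O23.
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")


def parse_entries(log_text):
    """Yield (section, kind, label, target) for each HijackThis entry line.

    HijackThis separates fields with " - "; the last field is the file or
    URL the entry points at, and the first field is "<kind>: <label>".
    """
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, "Running processes", blank lines
        section, rest = m.groups()
        fields = rest.split(" - ")
        kind, _, label = fields[0].partition(":")
        label = label.strip()
        # Entries such as "O20 - AppInit_DLLs: avgrsstx.dll" carry the
        # target in the label itself rather than in a trailing field.
        target = fields[-1].strip() if len(fields) > 1 else label
        yield section, kind.strip(), label, target


def normalize(path):
    """Case-fold a path and reduce it to the file name, so that
    c:\\windows\\system32\\x.dll and C:\\WINDOWS\\SYSTEM32\\x.dll match
    (and a bare AppInit_DLLs name matches its full-path twin)."""
    return path.lower().rsplit("\\", 1)[-1]


def load_points(log_text):
    """Map each normalized file name to the set of (section, kind) loading it."""
    points = defaultdict(set)
    for section, kind, _label, target in parse_entries(log_text):
        if target.lower().endswith((".dll", ".exe", ".sys")):
            points[normalize(target)].add((section, kind))
    return points


def multi_hooked(log_text):
    """Return files hooked from two or more distinct load points.

    A DLL that is both a BHO (O2) and a Winlogon Notify handler (O20) has
    two independent ways to be loaded; the CFScript above removes both
    registry keys and the file itself for exactly that reason.
    """
    return sorted(
        name for name, kinds in load_points(log_text).items() if len(kinds) >= 2
    )


def still_present(before_log, after_log):
    """Which of the multi-hooked files from the first log survive in the second."""
    after = load_points(after_log)
    return [name for name in multi_hooked(before_log) if name in after]


if __name__ == "__main__":
    for name in multi_hooked(BEFORE_LOG):
        print("hooked from several load points:", name,
              sorted(load_points(BEFORE_LOG)[name]))
    print("left after the fix:", still_present(BEFORE_LOG, AFTER_LOG))
```

Matching on file name rather than full path is a deliberate simplification so that the bare names in AppInit_DLLs entries line up with full paths elsewhere; on a real log it is worth printing the full paths of anything flagged, since two different directories can hold a file of the same name.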

#9 jane doe

jane doe
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Local time:01:00 AM

Posted 26 November 2008 - 09:25 AM

Good morning, I did everything requested in your last note. Below you will find both logs. BTW, I was not prompted to reboot after doing all of that. Please let me know what's next ... THANK YOU! :thumbsup:

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:19:00 AM, on 11/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Printkey4\Printkey.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\nicole\Desktop\deleteme\hijackthis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [AcronisTimounterMonitor] "C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] "C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [GW Port Controller] "C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE"
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [mmtask] "c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Shortcut to Printkey.lnk = C:\Program Files\Printkey4\Printkey.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.adobe.com
O15 - Trusted Zone: *.driveragent.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1169952232625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187471717281
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9365A8BD-997E-4BC5-B8D6-8FB105FAC887}: NameServer = 68.237.161.12,71.250.0.12
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 9661 bytes

ComboFix Log:

ComboFix 08-11-26.03 - nicole 2008-11-27 9:04:56.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1470 [GMT -5:00]
Running from: c:\documents and settings\nicole\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\nicole\Desktop\deleteme\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\drivers\qylcutsd.sys
c:\windows\SYSTEM32\vusxvff.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
c:\windows\system32\drivers\qylcutsd.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_QYLCUTSD
-------\Service_qylcutsd


((((((((((((((((((((((((( Files Created from 2008-10-27 to 2008-11-27 )))))))))))))))))))))))))))))))
.

2008-11-25 14:22 . 2008-11-25 14:23 <DIR> d-------- C:\rsit
2008-11-25 00:10 . 2008-11-27 01:17 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-24 23:57 . 2008-11-27 08:49 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-24 23:57 . 2008-11-24 23:57 <DIR> d-------- c:\program files\AVG
2008-11-24 23:57 . 2008-11-24 23:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-24 23:57 . 2008-11-24 23:57 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-24 23:57 . 2008-11-24 23:57 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-24 23:56 . 2008-11-24 23:58 8,192 --a------ c:\documents and settings\deleteme
2008-11-24 23:56 . 2008-11-24 23:58 8,192 --a------ c:\documents and settings\all
2008-11-24 21:41 . 2008-11-24 21:41 <DIR> d-------- c:\program files\Eraser
2008-11-24 21:41 . 2008-11-24 21:41 <DIR> d--h----- c:\documents and settings\All Users\Application Data\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}
2008-11-24 21:21 . 2008-11-24 21:28 <DIR> d-------- c:\program files\a-squared Free
2008-11-21 13:12 . 2007-08-01 22:47 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-11-21 12:20 . 2008-11-21 12:27 <DIR> d-------- c:\windows\BDOSCAN8
2008-11-20 13:42 . 2008-11-20 13:42 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-20 13:42 . 2008-11-20 13:42 1,409 --a------ c:\windows\QTFont.for
2008-11-20 10:13 . 2008-04-14 05:42 4,274,816 --------- c:\windows\system32\nv4_disp.dll
2008-11-20 10:12 . 2008-11-20 10:14 <DIR> d-------- c:\windows\ServicePackFiles
2008-11-20 10:12 . 2008-04-14 05:42 294,912 -----c--- c:\windows\system32\dllcache\dlimport.exe
2008-11-20 10:09 . 2006-12-29 00:31 19,569 --a------ c:\windows\003122_.tmp
2008-11-20 09:21 . 2008-11-20 09:22 <DIR> d-------- C:\7ee4d6ea7f7cb03895217f9d8c160a
2008-11-19 21:44 . 2008-11-19 21:44 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-19 21:44 . 2008-11-19 21:44 <DIR> d-------- c:\documents and settings\nicole\Application Data\Malwarebytes
2008-11-19 21:44 . 2008-11-19 21:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-19 21:44 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-19 21:44 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-19 21:14 . 2008-11-19 21:14 <DIR> d-------- c:\documents and settings\nicole\Application Data\TrueCrypt
2008-11-19 11:20 . 2008-08-14 05:09 2,145,280 --a------ c:\windows\system32\ntoskrnl.exe
2008-11-19 10:16 . 2008-11-20 10:13 <DIR> d-------- c:\windows\system32\scripting
2008-11-19 10:16 . 2008-11-20 10:13 <DIR> d-------- c:\windows\system32\en
2008-11-19 10:16 . 2008-11-20 10:13 <DIR> d-------- c:\windows\system32\bits
2008-11-19 10:16 . 2008-11-20 10:13 <DIR> d-------- c:\windows\l2schemas
2008-11-19 09:58 . 2004-08-04 01:05 71,040 --------- c:\windows\system32\drivers\_004773_.tmp.dll
2008-11-12 00:19 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-28 18:38 . 2008-10-28 18:38 <DIR> d-------- c:\documents and settings\nicole\Application Data\jfflvocx
2008-10-28 08:53 . 2004-08-03 23:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-10-28 08:53 . 2001-08-17 21:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-10-28 08:34 . 2008-10-28 08:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-25 14:25 182 ----a-w c:\program files\iblsrcz.txt
2008-11-25 13:56 102 ----a-w c:\program files\limtmzb.txt
2008-11-25 04:18 --------- d-----w c:\program files\Symantec AntiVirus
2008-11-25 04:18 --------- d-----w c:\program files\Symantec
2008-11-25 04:18 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-25 04:18 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-10-28 13:46 2,012 ----a-w c:\program files\DriversHQ.DriverDetective.Client.InstallState
2008-10-28 13:35 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 16:40 --------- d-----w c:\documents and settings\NetworkService\Application Data\jfflvocx
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 15:06 --------- d-----w c:\program files\MSECache
2008-10-06 19:21 98,576 ----a-w c:\program files\DriversHQ.DriverDetective.Common.dll
2008-10-06 19:21 89,872 ----a-w c:\program files\DriversHQ.DriverDetective.Client.Communication.dll
2008-10-06 19:21 80,656 ----a-w c:\program files\DriversHQ.DriverDetective.Client.Updater.exe
2008-10-06 19:21 36,112 ----a-w c:\program files\DriversHQ.DriverDetective.Client.ExceptionLogging.dll
2008-10-06 19:21 20,240 ----a-w c:\program files\DriversHQ.DriverDetective.Client.ExceptionLogging.XmlSerializers.dll
2008-10-06 19:21 120,080 ----a-w c:\program files\DriversHQ.DriverDetective.Client.Communication.XmlSerializers.dll
2008-10-06 19:21 1,245,456 ----a-w c:\program files\DriversHQ.DriverDetective.Client.exe
2008-10-06 19:12 90,112 ----a-w c:\program files\Microsoft.Practices.EnterpriseLibrary.Common.dll
2008-10-06 19:12 69,632 ----a-w c:\program files\Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.dll
2008-10-06 19:12 61,440 ----a-w c:\program files\Microsoft.ApplicationBlocks.Updater.ActivationProcessors.dll
2008-10-06 19:12 28,672 ----a-w c:\program files\Microsoft.ApplicationBlocks.Updater.Downloaders.dll
2008-10-06 19:12 118,784 ----a-w c:\program files\Microsoft.ApplicationBlocks.Updater.dll
2008-10-06 18:46 53,466 ----a-w c:\program files\DriverDetective.chm
2008-10-03 18:59 --------- d-----w c:\documents and settings\nicole\Application Data\alot
2008-10-03 14:36 --------- d-----w c:\program files\alot
2008-09-19 16:07 66,360 ----a-w c:\documents and settings\nicole\g2ax_customer_downloadhelper_win32_x86.exe
2008-09-16 15:22 46,592 ----a-w c:\program files\Microsoft.Practices.ObjectBuilder.dll
2008-08-29 13:23 25,872 ----a-w c:\program files\DriversHQ.DriverDetective.ExceptionLogging.dll
2008-08-25 12:41 33,040 ----a-w c:\program files\DriversHQ.DriverDetective.Client.DirectX.dll
2008-08-18 15:44 60,744 ----a-w c:\documents and settings\nicole\g2mdlhlpx.exe
2008-08-18 13:01 36,864 ----a-w c:\program files\Interop.WindowsInstaller.dll
2008-08-14 19:47 18,856 ----a-w c:\documents and settings\nicole\Application Data\GDIPFONTCACHEV1.DAT
2008-08-14 17:23 49,152 ----a-w c:\program files\XPBurnComponent.dll
2008-03-27 17:33 5,282 ----a-w c:\program files\DriversHQ.DriverDetective.Client.exe.config
2007-10-12 20:51 0 ----a-w c:\documents and settings\nicole\gosetup.exe
2007-10-12 20:35 722,176 ----a-w c:\documents and settings\nicole\gotomypc_428.exe
2007-09-04 16:57 724,984 ----a-w c:\documents and settings\nicole\gotomypc_437.exe
2007-08-11 18:14 914 ----a-w c:\documents and settings\nicole\SDM-2.3.1-1811W-c181x-advipservicesk9-mz.124-6.T7.bin
2007-08-11 18:14 914 ----a-w c:\documents and settings\Default User\SDM-2.3.1-1811W-c181x-advipservicesk9-mz.124-6.T7.bin
2007-08-11 18:14 914 ----a-w c:\documents and settings\Administrator\SDM-2.3.1-1811W-c181x-advipservicesk9-mz.124-6.T7.bin
2007-05-15 13:13 3,569 ----a-w c:\program files\DriversHQ.DriverDetective.Client.Updater.exe.config
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\nicole\Application Data\jfflvocx ----

2008-11-19 16:19 65536 --a------ c:\documents and settings\nicole\Application Data\jfflvocx\Profiles\getihg1m.default\cert8.db
2008-11-19 16:19 536 --a------ c:\documents and settings\nicole\Application Data\jfflvocx\Profiles\getihg1m.default\prefs.js
2008-11-19 16:19 2048 --a------ c:\documents and settings\nicole\Application Data\jfflvocx\Profiles\getihg1m.default\cookies.sqlite
2008-11-19 16:19 16384 --a------ c:\documents and settings\nicole\Application Data\jfflvocx\Profiles\getihg1m.default\key3.db
2008-11-19 16:18 2048 --a------ c:\documents and settings\nicole\Application Data\jfflvocx\Profiles\getihg1m.default\webappsstore.sqlite
2008-11-19 16:17 4829 --a------ c:\documents and settings\nicole\Application Data\jfflvocx\Profiles\getihg1m.default\pluginreg.dat
2008-11-19 16:16 96173 --a------ c:\documents and settings\nicole\Application Data\jfflvocx\Profiles\getihg1m.default\xpti.dat
2008-11-19 16:16 207 --a------ c:\documents and settings\nicole\Application Data\jfflvocx\Profiles\getihg1m.default\compatibility.ini
2008-11-19 16:16 127885 --a------ c:\documents and settings\nicole\Application Data\jfflvocx\Profiles\getihg1m.default\compreg.dat
2008-10-30 11:12 569 --a------ c:\documents and settings\nicole\Application Data\jfflvocx\Profiles\getihg1m.default\localstore.rdf
2008-10-28 19:06 131072 --a------ c:\documents and settings\nicole\Application Data\jfflvocx\Profiles\getihg1m.default\places.sqlite
2008-10-28 18:38 4096 --a------ c:\documents and settings\nicole\Application Data\jfflvocx\Profiles\getihg1m.default\formhistory.sqlite
2008-10-28 18:38 2048 --a------ c:\documents and settings\nicole\Application Data\jfflvocx\Profiles\getihg1m.default\permissions.sqlite
2008-10-28 18:38 16384 --a------ c:\documents and settings\nicole\Application Data\jfflvocx\Profiles\getihg1m.default\secmod.db
2008-10-28 18:38 111 --a------ c:\documents and settings\nicole\Application Data\jfflvocx\profiles.ini


((((((((((((((((((((((((((((( snapshot@2008-11-24_22.50.29.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-25 04:57:48 26,824 ----a-w c:\windows\system32\drivers\avgmfx86.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="c:\program files\CCleaner\ccleaner.exe" [2007-07-13 598656]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-16 87584]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-16 1941784]
"OSSelectorReinstall"="c:\program files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2007-02-22 2209224]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-05-14 35328]
"GW Port Controller"="c:\program files\Samsung\SmarThru\PORTCTRL.EXE" [2004-02-09 163840]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-06-20 258856]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-20 53248]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2004-04-20 118784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2008-10-22 399504]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-24 1234712]
"Resume copy"="copyfstq.exe" [2007-05-03 c:\windows\copyfstq.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2007-08-30 221295]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-11-07 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2007-10-17 581632]
Shortcut to Printkey.lnk - c:\program files\Printkey4\Printkey.exe [2007-01-28 589824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-06-20 10:09 10536 c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.l3fhg"= mp3fhg.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-24 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-24 231704]
R2 MBAMService;MBAMService;"c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe" [2008-11-19 170640]
R3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys [2008-11-19 15504]
S3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;c:\windows\system32\DRIVERS\EL556ND5.sys [2007-04-27 58951]
S3 KMW_SYS;Kensington MouseWorks Mouse filter driver;c:\windows\system32\DRIVERS\KMW_SYS.sys [2005-09-01 92032]
S3 KMW_USB;Kensington MouseWorks USB filter driver;c:\windows\system32\DRIVERS\KMW_USB.sys [2005-09-01 10496]
S3 S3GSavageMX;S3GSavageMX;c:\windows\system32\DRIVERS\s3gsavm.sys [2007-04-29 88576]
S3 WDHAALBA;WDHAALBAMiniPCI Winmodem;c:\windows\system32\DRIVERS\WDHAALBA.sys [2007-04-27 706192]
S4 EL556;3Com 10/100 Mini PCI Ethernet Adapter NDIS 5.0 Driver;c:\windows\system32\DRIVERS\EL556ND5.sys [2007-04-27 58951]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
\Shell\AutoRun\command - M:\autorun.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12f6f150-aeec-11db-80b2-000bdbb8bae7}]
\Shell\AutoRun\command - moveXXCOPY-NSL-JUICE to USB-E-PBM.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d61bb43-3418-11dc-a8d7-0000864601d7}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{69b07ac0-ff33-11db-a8c3-0000864601d7}]
\Shell\AutoRun\command - explorer.exe /n,/e,\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6cd8fef0-ae62-11db-80ab-f2d517eaf397}]
\Shell\AutoRun\command - explorer.exe /n,/e,\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{705f8a10-fb76-11db-a8b3-0000864601d7}]
\Shell\AutoRun\command - moveXXCOPY-NSL-JUICE to USB-E-PBM.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{82195c1c-4d2a-11dc-8ce8-001aa0b15876}]
\Shell\AutoRun\command - explorer.exe /n,/e,\

*Newly Created Service* - QYLCUTSD
.
Contents of the 'Scheduled Tasks' folder

2008-11-25 c:\windows\Tasks\At1.job
- c:\windows\system32\rundll32.exe [2008-04-14 05:42]

2008-11-27 c:\windows\Tasks\cloneDrive.job
- d:\backup\TrueImage\CLONE\scripts\cloneDrive.cmd [2008-04-16 19:59]

2008-11-27 c:\windows\Tasks\Malwarebytes' Scheduled Scan for nicole.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2008-10-22 16:10]

2008-11-27 c:\windows\Tasks\Malwarebytes' Scheduled Update for nicole.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2008-10-22 16:10]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-27 09:10:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'lsass.exe'(892)
c:\windows\system32\relog_ap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\a-squared Free\a2service.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Raxco\PerfectDisk\PDAgent.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\windows\system32\wdfmgr.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Raxco\PerfectDisk\PDEngine.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\Logitech\SetPoint\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2008-11-27 9:12:53 - machine was rebooted [nicole]
ComboFix-quarantined-files.txt 2008-11-27 14:12:49
ComboFix2.txt 2008-11-26 21:34:28
ComboFix3.txt 2008-11-25 04:48:04
ComboFix4.txt 2008-11-25 04:13:25
ComboFix5.txt 2008-11-27 13:59:06

Pre-Run: 223,036,235,776 bytes free
Post-Run: 223,020,953,600 bytes free

259 --- E O F --- 2008-11-20 14:20:11
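
The "Reg Loading Points" and mountpoints2 sections of a ComboFix log like the one above are the lines a responder reads first: Run-key values and per-volume AutoRun commands. The following is an added example for this thread, not code from ComboFix or from anyone in the discussion. It parses a constructed sample laid out in that same format and applies two heuristics of its own: a Run value that is a bare file name rather than an absolute path, and a mountpoints2 AutoRun command that is anything other than Explorer's default folder-open. Neither flag is a verdict on an entry; they mark what to verify by hand.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (modelled on the log's layout, not copied from it):
# a [registry key] header, then "name"="command" [date size] value lines,
# and mountpoints2 keys whose \Shell\AutoRun\command line records what
# runs when that volume is opened.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-24 1234712]
"Resume copy"="copyfstq.exe" [2007-05-03 c:\windows\copyfstq.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{69b07ac0-ff33-11db-a8c3-0000864601d7}]
\Shell\AutoRun\command - explorer.exe /n,/e,\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
\Shell\AutoRun\command - M:\autorun.bat
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<cmd>[^"]*)"(?:\s+\[(?P<meta>[^\]]*)\])?$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$")
ABS_PATH_RE = re.compile(r"^[a-zA-Z]:\\")


def parse_loading_points(text: str) -> List[Dict[str, str]]:
    """Turn ComboFix-style loading-point lines into a list of entries.

    Each entry records the registry key it sits under, the value name
    ("AutoRun" for mountpoints2 command lines), the command string and the
    bracketed metadata printed after it, if any."""
    entries: List[Dict[str, str]] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue  # a value line before any key header is not attributable
        m = VALUE_RE.match(line)
        if m:
            entries.append({"key": key, "name": m.group("name"),
                            "command": m.group("cmd"),
                            "meta": m.group("meta") or "", "kind": "run"})
            continue
        m = AUTORUN_RE.match(line)
        if m:
            entries.append({"key": key, "name": "AutoRun",
                            "command": m.group("cmd"), "meta": "",
                            "kind": "autorun"})
    return entries


def triage(entries: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (name, command, reason) for entries worth a closer look.

    These rules are this example's own heuristics (assumptions), not a
    verdict: a Run value naming a bare file instead of an absolute path is
    resolved through the search path at logon, so the file that actually
    runs is not pinned; an AutoRun command on a mounted volume that is not
    Explorer's default folder-open runs content from that volume."""
    findings: List[Tuple[str, str, str]] = []
    for e in entries:
        cmd = e["command"]
        if e["kind"] == "run":
            if not ABS_PATH_RE.match(cmd) and not cmd.startswith("%"):
                findings.append((e["name"], cmd,
                                 "no absolute path; resolved via search path"))
        else:
            exe = cmd.split()[0].lower()
            if not exe.endswith("explorer.exe"):
                findings.append((e["name"], cmd,
                                 "non-default AutoRun command under " + e["key"]))
    return findings


if __name__ == "__main__":
    for name, cmd, reason in triage(parse_loading_points(SAMPLE_LOG)):
        print(f"{name!r}: {cmd}  <- {reason}")
```

Run against the constructed sample it reports the bare-name "Resume copy" value and the M: volume's AutoRun batch file, and stays silent on the full-path Run values and the Explorer folder-open entries. Feeding it the corresponding section of a real ComboFix log gives a short list to check against the machine's known software before deciding anything.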

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:07:00 AM

Posted 26 November 2008 - 09:37 AM

Hi,

As you have most probably already noticed, the infection is gone now. :thumbsup:

The files you submitted appear to be Ok as well.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Extra question: do you know what these txt files are?

c:\program files\iblsrcz.txt
c:\program files\limtmzb.txt

Did you create them? Just open them if you're not sure. If you (or someone else, such as your IT tech) didn't create them, you can safely delete them; they won't do anything anyway since they are only text files.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 jane doe

jane doe
  • Topic Starter

  • Members
  • 65 posts
  • Local time:01:00 AM

Posted 26 November 2008 - 10:52 AM

Hi again,

You are the best!!! :thumbsup: thank you SO much!

Here's what I found when I checked the files you inquired about... I have a call into my IT tech to see if he saved them and if it's ok to delete. I would imagine I'm ok to delete but just checking. I know that c:\windows\system32\vusxvff.dll had something to do with Trojan.Vundo.H. I ran a scan with my Malwarebytes and the files are gone!! First they were quarantined, so I removed them completely. This is a work computer and 3 other systems are networked with mine... my system is used as the backup. Is it possible the other computers have been infected?

Files to delete:
c:\windows\system32\vusxvff.dll


Files to delete:
c:\windows\system32\vusxvff.dll
C:\WINDOWS\system32\drivers\okrruj.sys

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:07:00 AM

Posted 26 November 2008 - 11:06 AM

Files to delete:
c:\windows\system32\vusxvff.dll


Files to delete:
c:\windows\system32\vusxvff.dll
C:\WINDOWS\system32\drivers\okrruj.sys

Is this what was present in the txtfiles? If so, then you probably also used The Avenger in order to remove the files previously.

This is a work computer and 3 other systems are networked with mine... my system is used as the backup. Is it possible the other computers have been infected?

Yes, that's possible - but this isn't always the case. Did you already scan with Malwarebytes there?

#13 jane doe

jane doe
  • Topic Starter

  • Members
  • 65 posts
  • Local time:01:00 AM

Posted 26 November 2008 - 11:39 AM

I haven't touched any of the other computers yet. My system was recently updated with protective software... the other systems are still running old software (ZoneAlarm, Symantec Anti-virus, SpySweeper etc...). I have Malwarebytes and AVG. Soon we will have all systems updated but in the meantime what should I use to scan the other systems with to be sure they are safe? Also, when I came in this morning Malwarebytes found a virus (Win32/Heur) -- I moved it to the vault. I don't know what this means and I haven't been able to reach my IT tech yet.

Yes that's what was present in the files. When I opened the txt files all it said was this...

Files to delete:
c:\windows\system32\vusxvff.dll


Files to delete:
c:\windows\system32\vusxvff.dll
C:\WINDOWS\system32\drivers\okrruj.sys

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:07:00 AM

Posted 26 November 2008 - 11:52 AM

Win/Heur isn't really something to worry about - after all, it's now deleted anyway.

For your other systems, I suggest you update all the older software first (can be done by the IT Tech at your company). Then let the scanner perform a full scan with the updated Antivirus.
As a matter of fact, it actually surprises me that computers used for work are still running older software, because you can't afford to have a compromised computer at work since all passwords may be known and other important data may be collected. This is a serious risk for your company.
It won't hurt to run Malwarebytes on those computers as well.

Once all computers are up to date, including scanners and other software, and if infected, then I suggest you start a new thread in this forum for it, to keep it separate from this computer.

Also,

Please read my Prevention page with lots of info and tips on how to prevent this in the future. Also let the others at the company read this, because it's still unclear how this infection was installed.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#15 jane doe

jane doe
  • Topic Starter

  • Members
  • 65 posts
  • Local time:01:00 AM

Posted 26 November 2008 - 12:05 PM

Ok, thank you SO much! BTW, your dog is beautiful... have a Happy Thanksgiving!



