
Win32.Agent.icb + Zlob.Downloader.vcd now clear?


17 replies to this topic

#1 NocturnalNewt

NocturnalNewt

  • Members
  • 10 posts
  • OFFLINE

Posted 03 January 2009 - 08:08 PM

Hello to everyone on the forum and thank you for any assistance you can provide.
AVG's Resident Shield gave me a warning about Worm/Generic.QEV. Later, when I thought I had dealt with it and was clean, a Malwarebytes scan in Safe Mode reported 240 Trojan.Agent entries in various files, processes, keys etc., and a Spybot Search and Destroy scan highlighted these nasties, Win32.Agent.icb and Zlob.Downloader.vcd, which is what I put in the title as the other things seemed too non-descript. I do not know if they are all related. In each case I deleted the entries flagged up as viruses/malware, and my latest anti-virus scans come up as clean; however, my computer now seems to be running slowly. I appreciate this could be because it is catching up with lots of updates, or because I have accidentally quarantined a file that was needed, but please could someone check my HJT log in case they are still there waiting to respawn or some other gremlin has gotten in undetected.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:23:36, on 1/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\Ati2evxx.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\Ati2evxx.exe
I:\WINDOWS\system32\ZoneLabs\vsmon.exe
I:\WINDOWS\system32\spoolsv.exe
I:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
I:\WINDOWS\system32\CTsvcCDA.exe
I:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
I:\PROGRA~1\AVG\AVG8\avgrsx.exe
I:\PROGRA~1\AVG\AVG8\avgemc.exe
I:\WINDOWS\Explorer.EXE
I:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
I:\WINDOWS\SOUNDMAN.EXE
I:\PROGRA~1\AVG\AVG8\avgtray.exe
I:\WINDOWS\ALCWZRD.EXE
I:\WINDOWS\ALCMTR.EXE
I:\WINDOWS\AGRSMMSG.exe
I:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - I:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - I:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - i:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - i:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - I:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ZoneAlarm Client] "I:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StartCCC] "I:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Portfolio] I:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [AVG8_TRAY] I:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MSConfig] I:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] I:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [ZC6mSOqiXa] I:\Documents and Settings\All Users\Application Data\tofwnwzi\zspgzwpg.exe
O4 - Global Startup: Microsoft Office.lnk = I:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www.king.com/ctl/kingcomie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182873638453
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - I:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - I:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - I:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - I:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - I:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - I:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - I:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5791 bytes


If there is anything else I can provide or do please let me know
Thank you again

Edited by NocturnalNewt, 03 January 2009 - 08:14 PM.
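Editor's added example (not part of any post above, and not HijackThis code): the O4 line in this log that a malware responder stops on is the HKLM\..\Policies\Explorer\Run entry, a value with a generated-looking name launching an executable from a random folder under All Users\Application Data. The Python script below parses the O4 lines of a HijackThis log and scores each entry on exactly those signals. The weights, the threshold and the "looks generated" heuristics are this example's own assumptions, not rules from the thread; the sample lines are copied from the log above.

```python
"""Triage the O4 (autostart) lines of a HijackThis log.

Added example for this thread; not HijackThis code and not code from any post.
Each O4 entry is scored on a few cheap signals and the suspicious ones are
printed. Weights, threshold and the randomness heuristics are assumptions.
"""
import re
import sys

# Constructed sample: O4 lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ZoneAlarm Client] "I:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] I:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Portfolio] I:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKCU\..\Run: [SpybotSD TeaTimer] I:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [ZC6mSOqiXa] I:\Documents and Settings\All Users\Application Data\tofwnwzi\zspgzwpg.exe
O4 - Global Startup: Microsoft Office.lnk = I:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

O4_REG = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
EXE_IN_CMD = re.compile(r'"?(?P<path>[^"]*?\.exe)\b', re.IGNORECASE)
# Value names like "ZC6mSOqiXa": mixed case plus digits, no separators (assumed heuristic).
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{8,}$")
# XP-era folders that legitimate autostarts rarely use but droppers favour (assumed list).
DROP_DIRS = ("all users\\application data", "\\application data\\", "local settings\\temp",
             "\\temp\\", "\\recycler\\")


def parse_o4(line):
    """Return (hive, key, value name, command) for an O4 line, or None otherwise."""
    m = O4_REG.match(line)
    if m:
        return m["hive"], m["key"], m["name"], m["cmd"]
    m = O4_STARTUP.match(line)
    if m:
        return "Startup", "Global Startup", m["name"], m["cmd"]
    return None


def exe_path(cmd):
    """First .exe path in the command, with surrounding quotes and arguments stripped."""
    m = EXE_IN_CMD.search(cmd)
    return m["path"] if m else cmd.strip('"')


def looks_random(stem):
    """Crude: a long run of letters with almost no vowels is unlikely to be a product name."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    return sum(c in "aeiouy" for c in letters) / len(letters) < 0.2


def score_entry(key, name, cmd):
    """Heuristic score and the reasons behind it; higher means more worth a second look."""
    path = exe_path(cmd)
    low = path.lower()
    stem = low.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    reasons = []
    if "policies\\explorer\\run" in key.lower():
        reasons.append(("Policies\\Explorer\\Run autostart", 3))
    if any(d in low for d in DROP_DIRS):
        reasons.append(("runs from a data/temp folder", 2))
    if looks_random(stem):
        reasons.append(("file name looks generated", 1))
    if RANDOM_NAME.match(name):
        reasons.append(("value name looks generated", 1))
    return sum(w for _, w in reasons), [r for r, _ in reasons]


def triage(log_text, threshold=3):
    """Return (score, value name, exe path, reasons) for O4 entries at or above threshold."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_o4(line.strip())
        if not parsed:
            continue
        _hive, key, name, cmd = parsed
        score, reasons = score_entry(key, name, cmd)
        if score >= threshold:
            hits.append((score, name, exe_path(cmd), reasons))
    return sorted(hits, reverse=True)


if __name__ == "__main__":
    # Pass a saved hijackthis.log as the first argument, or run on the embedded sample.
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for score, name, path, reasons in triage(text):
        print(f"[{score}] {name}: {path}\n      " + "; ".join(reasons))
```

On the sample, only the ZC6mSOqiXa entry crosses the threshold; the AVG, ZoneAlarm, Realtek, Works and Spybot entries score zero. The score is a prompt for a human to look, not a verdict: a legitimate installer can drop a program under Application Data, and a Policies\Explorer\Run value can be set by group policy.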


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas

Posted 15 January 2009 - 06:16 PM

Hello NocturnalNewt,


Sorry about the delay. :thumbsup: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 NocturnalNewt

NocturnalNewt
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE

Posted 15 January 2009 - 11:31 PM

Hi Tea
Thank you very much for your help :thumbsup:
Since my last post I have mostly kept my computer offline. A Panda ActiveScan said I have a W32/Patched.D virus, which I'm still looking into.
Here is a current HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:33:17, on 1/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\Ati2evxx.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\Ati2evxx.exe
I:\WINDOWS\system32\ZoneLabs\vsmon.exe
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
I:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
I:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
I:\WINDOWS\system32\CTsvcCDA.exe
I:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
I:\PROGRA~1\AVG\AVG8\avgrsx.exe
I:\PROGRA~1\AVG\AVG8\avgemc.exe
I:\WINDOWS\Explorer.EXE
I:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
I:\WINDOWS\SOUNDMAN.EXE
I:\PROGRA~1\AVG\AVG8\avgtray.exe
I:\WINDOWS\ALCWZRD.EXE
I:\WINDOWS\ALCMTR.EXE
I:\WINDOWS\AGRSMMSG.exe
I:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
I:\WINDOWS\system32\wuauclt.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - I:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - I:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - i:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - i:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - I:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ZoneAlarm Client] "I:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StartCCC] "I:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Portfolio] I:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [AVG8_TRAY] I:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MSConfig] I:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [avgnt] "I:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] I:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] I:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [ZC6mSOqiXa] I:\Documents and Settings\All Users\Application Data\tofwnwzi\zspgzwpg.exe
O4 - Global Startup: Microsoft Office.lnk = I:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www.king.com/ctl/kingcomie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182873638453
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - I:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - I:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - I:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - I:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - I:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - I:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - I:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - I:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - I:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6607 bytes

Like the line in your sig about Pop-Tarts, by the way :)
Let me know if I can provide any further info.

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas

Posted 16 January 2009 - 02:33 AM

Hello,

You're most welcome, and thanks! :thumbsup:

A couple of things before we clean........

First you should know that you're actually doing more harm than good by running two anti-virus programs (Avira and AVG). When you do this both programs compete for resources, and the end result is that neither does its best, and it can cause system instability. I recommend that you choose the one you want to keep, update it, disable or uninstall the other one, and use it as an on-demand-only scan occasionally.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with the fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can re-enable TeaTimer once your system is clean.

This tool is not a toy. If used the wrong way you could trash your computer. Please use it only under the direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

#5 NocturnalNewt

NocturnalNewt
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE

Posted 17 January 2009 - 01:29 AM

Hi
Thank you for all your help.
Sorry it has taken me a little while to get back to you. I had not used ComboFix before, and I'm easily distracted by new (and/or) shiny things, so I was reading the tutorials about it.
The Recovery Console did not install, so I will have to do that manually, but I think I have the logs we need, hopefully.

First the ComboFix Log


ComboFix 09-01-16.02 - gareth gates 2009-01-17 5:38:05.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.245 [GMT 0:00]
Running from: i:\documents and settings\gareth gates\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

i:\windows\Downloaded Program Files\setup.inf
i:\windows\Sysvxd.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-17 to 2009-01-17 )))))))))))))))))))))))))))))))
.

2009-01-06 20:24 . 2009-01-16 03:44 267,152 --a------ i:\program files\zaSetup_en.exe
2009-01-06 20:18 . 2008-06-19 17:24 28,544 --a------ i:\windows\system32\drivers\pavboot.sys
2009-01-04 18:38 . 2009-01-17 05:04 <DIR> d-------- i:\program files\Avira
2009-01-03 00:21 . 2009-01-03 00:21 <DIR> d-------- i:\program files\Trend Micro
2009-01-03 00:21 . 2009-01-03 00:21 812,344 --a------ i:\program files\HJTInstall.exe
2008-12-31 22:07 . 2009-01-04 18:35 <DIR> d-------- i:\program files\Spybot - Search & Destroy
2008-12-31 22:05 . 2008-12-31 22:06 15,083,520 --a------ i:\program files\spybotsd160.exe
2008-12-31 22:02 . 2009-01-16 02:44 <DIR> d-------- i:\program files\Malwarebytes' Anti-Malware
2008-12-31 22:02 . 2008-12-31 22:02 <DIR> d-------- i:\documents and settings\gareth gates\Application Data\Malwarebytes
2008-12-31 22:02 . 2008-12-31 22:02 <DIR> d-------- i:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-31 22:02 . 2009-01-14 16:11 38,496 --a------ i:\windows\system32\drivers\mbamswissarmy.sys
2008-12-31 22:02 . 2009-01-14 16:11 15,504 --a------ i:\windows\system32\drivers\mbam.sys
2008-12-31 22:01 . 2008-12-31 22:01 2,539,400 --a------ i:\program files\mbam-setup.exe
2008-12-31 17:40 . 2001-08-17 13:48 12,160 --a------ i:\windows\system32\drivers\mouhid.sys
2008-12-31 17:40 . 2001-08-17 13:48 12,160 --a--c--- i:\windows\system32\dllcache\mouhid.sys
2008-12-31 17:40 . 2008-04-13 19:45 10,368 --a------ i:\windows\system32\drivers\hidusb.sys
2008-12-31 17:40 . 2008-04-13 19:45 10,368 --a--c--- i:\windows\system32\dllcache\hidusb.sys
2008-12-22 23:18 . 2009-01-02 23:09 <DIR> d-------- i:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-17 03:08 2,266,624 ----a-w i:\windows\Internet Logs\xDB2A.tmp
2008-12-11 10:57 333,952 ----a-w i:\windows\system32\drivers\srv.sys
2008-12-04 02:30 2,247,168 ----a-w i:\windows\Internet Logs\xDB29.tmp
2008-12-02 00:34 578,560 ----a-w i:\windows\system32\user32.DLL
2008-11-14 09:48 2,222,080 ----a-w i:\windows\Internet Logs\xDB28.tmp
2008-11-13 19:39 10,318,683 ----a-w i:\windows\Internet Logs\tvDebug.zip
2008-11-03 10:11 2,186,752 ----a-w i:\windows\Internet Logs\xDB27.tmp
2008-10-23 18:24 10,520 ----a-w i:\windows\system32\avgrsstx.dll
2008-10-23 12:36 286,720 ----a-w i:\windows\system32\gdi32.dll
2008-07-30 00:55 7,680 --sha-w i:\program files\Thumbs.db
2008-07-11 19:13 46,829,456 ----a-w i:\program files\zlsSetup_70_483_000_en.exe
2008-05-05 02:34 16,500,592 ----a-w i:\program files\DivXInstaller.exe
2008-03-31 00:17 35,960 ----a-w i:\documents and settings\gareth gates\Application Data\GDIPFONTCACHEV1.DAT
2008-01-15 21:49 125,892,318 ----a-w i:\program files\OOo_2.3.1_Win32Intel_install_wJRE_en-US.exe
2008-01-14 21:21 7,878 ----a-w i:\documents and settings\gareth gates\Application Data\wklnhst.dat
2008-07-11 20:53 32,768 --sha-w i:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008071120080712\index.dat
.
i:\windows\system32\user32.dll ... is infected !!
577,024 2005-03-02 18:09:30 i:\windows\$hf_mig$\KB890859\SP2GDR\user32.dll
577,024 2005-03-02 18:19:56 i:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
578,048 2007-03-08 15:48:36 i:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
577,536 2007-03-08 15:36:28 i:\windows\$NtServicePackUninstall$\user32.dll
577,024 2004-08-04 07:56:46 i:\windows\$NtServicePackUninstall$\user32.dll.000
577,024 2004-08-04 07:56:46 i:\windows\$NtUninstallKB890859$\user32.dll
560,128 2003-03-31 12:00:00 i:\windows\$NtUninstallKB890859_0$\user32.dll
577,024 2005-03-02 18:09:30 i:\windows\$NtUninstallKB925902$\user32.dll
578,560 2008-04-14 00:12:08 i:\windows\ServicePackFiles\i386\user32.dll
578,560 2008-12-02 00:34:22 i:\windows\system32\user32.DLL
578,560 2008-12-02 00:34:22 i:\windows\system32\dllcache\user32.dll


------- Sigcheck -------

2005-03-02 18:09 577024 de2db164bbb35db061af0997e4499054 i:\windows\$hf_mig$\KB890859\SP2GDR\user32.dll
2005-03-02 18:19 577024 1800f293bccc8ede8a70e12b88d80036 i:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 15:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b i:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
2007-03-08 15:36 577536 b409909f6e2e8a7067076ed748abf1e7 i:\windows\$NtServicePackUninstall$\user32.dll
2004-08-04 07:56 577024 c72661f8552ace7c5c85e16a3cf505c4 i:\windows\$NtUninstallKB890859$\user32.dll
2003-03-31 12:00 560128 dd9269230c21ee8fb7fd3fccc3b1cfcb i:\windows\$NtUninstallKB890859_0$\user32.dll
2005-03-02 18:09 577024 de2db164bbb35db061af0997e4499054 i:\windows\$NtUninstallKB925902$\user32.dll
2008-04-14 00:12 578560 b26b135ff1b9f60c9388b4a7d16f600b i:\windows\ServicePackFiles\i386\user32.dll
2008-12-02 00:34 578560 b086fb49247b0da65d0fe18bd879e67c i:\windows\system32\user32.DLL
2008-12-02 00:34 578560 b086fb49247b0da65d0fe18bd879e67c i:\windows\system32\dllcache\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="i:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="i:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"StartCCC"="i:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Microsoft Works Portfolio"="i:\program files\Microsoft Works\WksSb.exe" [2004-06-24 729088]
"AVG8_TRAY"="i:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"MSConfig"="i:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 i:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-09-21 i:\windows\ALCWZRD.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 i:\windows\AGRSMMSG.exe]

i:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - i:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\I:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk.disabled]
path=i:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk.disabled
backup=i:\windows\pss\InterVideo WinCinema Manager.lnk.disabledCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 10:09 63712 i:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 00:12 1695232 i:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RasMan"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=i:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="i:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"TkBellExe"="i:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"i:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"i:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 pavboot;pavboot;i:\windows\system32\drivers\pavboot.sys [2009-01-06 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;i:\windows\system32\drivers\avgldx86.sys [2008-10-23 97928]
R4 avg8emc;AVG Free8 E-mail Scanner;i:\progra~1\AVG\AVG8\avgemc.exe [2008-10-23 875288]
R4 avg8wd;AVG Free8 WatchDog;i:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-23 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;i:\windows\system32\drivers\avgtdix.sys [2008-10-23 76040]
S3 SDTHOOK;SDTHOOK;i:\windows\system32\drivers\SDTHOOK.SYS [2008-01-20 44928]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Explorer_Run-ZC6mSOqiXa - i:\documents and settings\All Users\Application Data\tofwnwzi\zspgzwpg.exe
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com/

i:\windows\KingComIE.dll - O16 -: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1}
hxxp://www.king.com/ctl/kingcomie.cab
i:\windows\Downloaded Program Files\KingComIE.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 05:40:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(576)
i:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-17 5:43:02
ComboFix-quarantined-files.txt 2009-01-17 05:42:48

Pre-Run: 185,104,912,384 bytes free
Post-Run: 185,235,841,024 bytes free

157 --- E O F --- 2009-01-16 04:37:53

Now the HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:54:54, on 1/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\Ati2evxx.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\Ati2evxx.exe
I:\WINDOWS\system32\spoolsv.exe
I:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
I:\WINDOWS\system32\CTsvcCDA.exe
I:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
I:\PROGRA~1\AVG\AVG8\avgtray.exe
I:\WINDOWS\ALCWZRD.EXE
I:\WINDOWS\ALCMTR.EXE
I:\WINDOWS\AGRSMMSG.exe
I:\WINDOWS\system32\ctfmon.exe
I:\PROGRA~1\AVG\AVG8\avgrsx.exe
I:\PROGRA~1\AVG\AVG8\avgemc.exe
I:\WINDOWS\system32\wscntfy.exe
I:\WINDOWS\system32\notepad.exe
I:\WINDOWS\explorer.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - I:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - I:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - i:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - i:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - I:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ZoneAlarm Client] "I:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StartCCC] "I:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Portfolio] I:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [AVG8_TRAY] I:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MSConfig] I:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = I:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www.king.com/ctl/kingcomie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182873638453
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - I:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - I:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - I:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - I:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - I:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - I:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - I:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5521 bytes


" i:\windows\system32\user32.dll ... is infected !! " That doesn't sound good :)
Please advise on how to proceed, and thanks again for your advice. :thumbsup:

#6 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 17 January 2009 - 02:37 PM

Hi there,

........I'm easily distracted by new (and/or) shiny things.......

Well I'm guilty of that too, so I require no apology. :thumbsup:

We can take care of that a couple of ways......up to you. :) ComboFix *should* repair the file when you get the Recovery Console installed. Or, you can get a clean copy from i386 and replace the infected file, if you're confident enough to do so. If you have any apprehension at all, then please wait for the Recovery Console. You said you were going to do that manually, so let me know when you have. :)

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#7 NocturnalNewt

  • Topic Starter
  • Members
  • 10 posts

Posted 18 January 2009 - 12:31 PM

Hello Again :)
I had problems installing the Recovery Console manually as I have Service Pack 3. The only thing I could think to do is download ComboFix again, which I did, and it installed the Recovery Panel this time. It automatically set off running a scan and restarted my computer when it had finished (possibly to implement a fix?).
It looks like ComboFix has gotten that pesky user32.dll infection in a headlock and made it say Uncle :thumbsup:
Yeah ComboFix :) or am I celebrating too soon?? :)
Here are my current ComboFix and HJT logs.

ComboFix

ComboFix 09-01-17.04 - gareth gates 2009-01-18 16:34:49.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.266 [GMT 0:00]
Running from: i:\documents and settings\gareth gates\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
.

((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))
.

2009-01-06 20:24 . 2009-01-16 03:44 267,152 --a------ i:\program files\zaSetup_en.exe
2009-01-06 20:18 . 2008-06-19 17:24 28,544 --a------ i:\windows\system32\drivers\pavboot.sys
2009-01-04 18:38 . 2009-01-17 05:04 <DIR> d-------- i:\program files\Avira
2009-01-03 00:21 . 2009-01-03 00:21 <DIR> d-------- i:\program files\Trend Micro
2009-01-03 00:21 . 2009-01-03 00:21 812,344 --a------ i:\program files\HJTInstall.exe
2008-12-31 22:07 . 2009-01-04 18:35 <DIR> d-------- i:\program files\Spybot - Search & Destroy
2008-12-31 22:05 . 2008-12-31 22:06 15,083,520 --a------ i:\program files\spybotsd160.exe
2008-12-31 22:02 . 2009-01-16 02:44 <DIR> d-------- i:\program files\Malwarebytes' Anti-Malware
2008-12-31 22:02 . 2008-12-31 22:02 <DIR> d-------- i:\documents and settings\gareth gates\Application Data\Malwarebytes
2008-12-31 22:02 . 2008-12-31 22:02 <DIR> d-------- i:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-31 22:02 . 2009-01-14 16:11 38,496 --a------ i:\windows\system32\drivers\mbamswissarmy.sys
2008-12-31 22:02 . 2009-01-14 16:11 15,504 --a------ i:\windows\system32\drivers\mbam.sys
2008-12-31 22:01 . 2008-12-31 22:01 2,539,400 --a------ i:\program files\mbam-setup.exe
2008-12-31 17:40 . 2001-08-17 13:48 12,160 --a------ i:\windows\system32\drivers\mouhid.sys
2008-12-31 17:40 . 2001-08-17 13:48 12,160 --a--c--- i:\windows\system32\dllcache\mouhid.sys
2008-12-31 17:40 . 2008-04-13 19:45 10,368 --a------ i:\windows\system32\drivers\hidusb.sys
2008-12-31 17:40 . 2008-04-13 19:45 10,368 --a--c--- i:\windows\system32\dllcache\hidusb.sys
2008-12-22 23:18 . 2009-01-02 23:09 <DIR> d-------- i:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-17 03:08 2,266,624 ----a-w i:\windows\Internet Logs\xDB2A.tmp
2008-12-11 10:57 333,952 ----a-w i:\windows\system32\drivers\srv.sys
2008-12-04 02:30 2,247,168 ----a-w i:\windows\Internet Logs\xDB29.tmp
2008-12-02 00:34 578,560 ----a-w i:\windows\system32\user32.DLL
2008-11-14 09:48 2,222,080 ----a-w i:\windows\Internet Logs\xDB28.tmp
2008-11-13 19:39 10,318,683 ----a-w i:\windows\Internet Logs\tvDebug.zip
2008-11-03 10:11 2,186,752 ----a-w i:\windows\Internet Logs\xDB27.tmp
2008-10-23 18:24 10,520 ----a-w i:\windows\system32\avgrsstx.dll
2008-10-23 12:36 286,720 ----a-w i:\windows\system32\gdi32.dll
2008-07-30 00:55 7,680 --sha-w i:\program files\Thumbs.db
2008-07-11 19:13 46,829,456 ----a-w i:\program files\zlsSetup_70_483_000_en.exe
2008-05-05 02:34 16,500,592 ----a-w i:\program files\DivXInstaller.exe
2008-03-31 00:17 35,960 ----a-w i:\documents and settings\gareth gates\Application Data\GDIPFONTCACHEV1.DAT
2008-01-15 21:49 125,892,318 ----a-w i:\program files\OOo_2.3.1_Win32Intel_install_wJRE_en-US.exe
2008-01-14 21:21 7,878 ----a-w i:\documents and settings\gareth gates\Application Data\wklnhst.dat
2008-07-11 20:53 32,768 --sha-w i:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008071120080712\index.dat
2008-10-17 20:03 19,695,648 --sha-w i:\windows\system32\drivers\fidbox.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-17_ 5.41.30.82 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 20:02:28 163,328 ----a-w i:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="i:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="i:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"StartCCC"="i:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Microsoft Works Portfolio"="i:\program files\Microsoft Works\WksSb.exe" [2004-06-24 729088]
"AVG8_TRAY"="i:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"MSConfig"="i:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 i:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-09-21 i:\windows\ALCWZRD.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 i:\windows\AGRSMMSG.exe]

i:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - i:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKLM\~\startupfolder\I:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk.disabled]
path=i:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk.disabled
backup=i:\windows\pss\InterVideo WinCinema Manager.lnk.disabledCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 10:09 63712 i:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 00:12 1695232 i:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RasMan"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=i:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="i:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"TkBellExe"="i:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"i:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"i:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 pavboot;pavboot;i:\windows\system32\drivers\pavboot.sys [2009-01-06 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;i:\windows\system32\drivers\avgldx86.sys [2008-10-23 97928]
R4 AvgTdiX;AVG Free8 Network Redirector;i:\windows\system32\drivers\avgtdix.sys [2008-10-23 76040]
S3 SDTHOOK;SDTHOOK;i:\windows\system32\drivers\SDTHOOK.SYS [2008-01-20 44928]
S4 avg8emc;AVG Free8 E-mail Scanner;i:\progra~1\AVG\AVG8\avgemc.exe [2008-10-23 875288]
S4 avg8wd;AVG Free8 WatchDog;i:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-23 231704]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com/

i:\windows\KingComIE.dll - O16 -: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1}
hxxp://www.king.com/ctl/kingcomie.cab
i:\windows\Downloaded Program Files\KingComIE.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-18 16:36:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(580)
i:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-18 16:38:24
ComboFix-quarantined-files.txt 2009-01-18 16:38:10
ComboFix2.txt 2009-01-18 16:16:26
ComboFix3.txt 2009-01-17 05:43:03

Pre-Run: 185,071,435,776 bytes free
Post-Run: 185,058,951,168 bytes free

128 --- E O F --- 2009-01-16 04:37:53


Here is my HJT log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:43:58, on 1/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\Ati2evxx.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\Ati2evxx.exe
I:\WINDOWS\system32\spoolsv.exe
I:\WINDOWS\system32\CTsvcCDA.exe
I:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
I:\WINDOWS\system32\wscntfy.exe
I:\WINDOWS\ALCWZRD.EXE
I:\WINDOWS\AGRSMMSG.exe
I:\WINDOWS\system32\ctfmon.exe
I:\PROGRA~1\AVG\AVG8\avgrsx.exe
I:\WINDOWS\explorer.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - I:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - I:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - i:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - i:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - I:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ZoneAlarm Client] "I:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StartCCC] "I:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Portfolio] I:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [AVG8_TRAY] I:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MSConfig] I:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = I:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www.king.com/ctl/kingcomie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182873638453
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - I:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - I:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - I:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - I:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - I:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - I:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - I:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5329 bytes


Thank you again for your assistance. You are well on the way to earning yourself a chocolate mouse :)

#8 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 18 January 2009 - 08:06 PM

Hello,

You're welcome. :thumbsup: Uncle indeed! Looks like it did exactly what it was supposed to do. How is it running now?

tea

#9 NocturnalNewt

  • Topic Starter
  • Members
  • 10 posts

Posted 19 January 2009 - 12:30 AM

Hi Tea
It's my own fault, I jinxed us by using the Cheering Smiley too soon :thumbsup: (must learn to curb my enthusiasm)
I should have known it wouldn't be that simple. After downloading the Recovery Console and running ComboFix I appear to now have even more problems. When I run a Panda ActiveScan I get the following new entries:
Malware ID (01185375) Description (Application/Psexec.A) Type HackTools Location ( I:\System Volume Information\_restore{03DF27CF-F2F8-4823-B92F-BF827993E824}\RP4\A0002250.EXE
Malware ID (02885963) Description (Rootkit/Booto.C) Type Virus/Worm Location ( I:\System Volume Information\_restore{03DF27CF-F2F8-4823-B92F-BF827993E824}\RP4\A0002233.sys

What are they? They are not ComboFix entry misidentifications by Panda, are they?

Also, whilst Panda is noting that some of the infected user32.dll files are in ComboFix's quarantine Qoobox, it is still showing the following lines.

Malware ID (03491464) Description (W32/Patched.D) Type Virus Location (I:\WINDOWS\system32\dllcache\user32.dll)
Malware ID (03491464) Description (W32/Patched.D) Type Virus Location (I:\WINDOWS\system32\rgaeidlv)

In normal start up mode nearly all my services have the status of stopped and do not show up in the Windows tray, e.g. AVG, Windows Security Centre notification, ZoneAlarm, etc. Not sure why this is or how to change it.
Any thoughts on where to go from here?
Much appreciated NN

#10 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 19 January 2009 - 12:43 AM

No no! That's perfectly all right....those are stuck in System Restore and not a threat to you. We'll clear all that now:

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point, then click Next. Name it (something you'll remember) and click Create. When the confirmation screen shows the restore point has been created, click Close.

Next go to Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

Now run your scan again and let me know how you come out. :thumbsup:

tea

#11 NocturnalNewt

  • Topic Starter
  • Members
  • 10 posts

Posted 19 January 2009 - 08:03 PM

Hi Tea
I have done as you advised in your last message.
As of last night, i.e. even before carrying out the most recent advice, pretty much all of my services have been stopped, as shown in winconfig, except for a few Microsoft ones. AVG has disappeared from my tray and opens for a command-line scan on start up as if it was in safe mode. The whole environment is akin to a safe mode/diagnostic startup one, except I don't have a safe mode desktop background. My firewall, AVG, Microsoft Update and Security Centre messages have all been removed from start up or stopped, along with most of my other services. Checking or unchecking Enable All/Disable All in msconfig seems to make no difference; I can't start Windows Firewall through Security Centre, it says Windows cannot start the service. If I start some processes and see that they have gone into the Task Manager processes list, this is the only sign I have that it is running; I have nothing in the taskbar and no graphical interface, and one program reports that it cannot be run in Win32 mode.
Also Spybot S&D gives me loads of messages when TeaTimer is put back on, e.g. Disable Cmdline or Disable Registrytool value added.
Don't know how to bring the services back up, and the computer is completely naked without them in terms of going online, presuming I can still do so. Hopefully it's just me being a noob and there is some simple way to bring the services back, rather than e.g. it being a problem from the recent changes to the user32 files.
Any ideas on what has happened and how to fix it???

Thank you NN

#12 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 19 January 2009 - 08:19 PM

I'm kind of at a loss right now. :thumbsup:

Your last HijackThis log shows AVG running in the tray, and nothing looked amiss in the last ComboFix log. Can you please run a new HijackThis log? Did you do anything at all other than what I asked you to do? Not blaming you at all, but I need to know all I can about what was happening at the time. I can't see what you see, so I'm relying on you to tell me. :)

Thanks,
tea

#13 NocturnalNewt

  • Topic Starter
  • Members
  • 10 posts

Posted 21 January 2009 - 02:44 AM

Hi Tea
I see I have managed to confuse you. I have a talent for doing that to people. ;P Just think of the damage I could do to my computer if I was actually trying lol. Despite wrestling with it for the last few hours I cannot connect to the internet at all now from the afflicted computer. I will try to post the HJT log and give a fuller reply from a different point later on if possible.
Thank you for your patience

NN

Edited by NocturnalNewt, 21 January 2009 - 02:45 AM.


#14 NocturnalNewt

  • Topic Starter
  • Members
  • 10 posts

Posted 21 January 2009 - 10:01 PM

Please find attached a HJT log
The only things I can think of in terms of deviating from instructions are: I downloaded ComboFix again so I had the option of installing the Windows Recovery Console, and then after the fix, when I was hoping everything was clear, I checked with Panda ActiveScan. Upon seeing there were still a few problems I started in safe mode and ran a few scans. When I came to get rid of ComboFix I uninstalled it rather than just right-click deleting it. After that I tried a number of things, e.g. logging on as admin rather than the normal log-in with admin privileges, and later selecting TeaTimer just to see if anything was still working; from memory it was already struggling before either of these last things though. I can't swear that I didn't do anything else, but these are the things I remember.
Below is a current HJT log (TeaTimer does show in Task Manager at start up even though it is deselected in the SBSD tools resident area). I killed it through Task Manager so that it didn't interfere with the HJT scan, but it is one of the processes which starts up.
Please tell me the changes are indicative of Explorer being in some pared down protective mode that I am too noobish to realize, rather than of the user32 file being corrupted or of a virus disabling my programs and deleting them from startup.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:03:12, on 1/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\Explorer.EXE
I:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
I:\WINDOWS\SOUNDMAN.EXE
I:\WINDOWS\ALCWZRD.EXE
I:\WINDOWS\AGRSMMSG.exe
I:\WINDOWS\system32\taskmgr.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - I:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - I:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - i:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - i:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - I:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ZoneAlarm Client] "I:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StartCCC] "I:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Portfolio] I:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [AVG8_TRAY] I:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MSConfig] I:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: InterVideo WinCinema Manager.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = I:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www.king.com/ctl/kingcomie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182873638453
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - I:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - I:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - I:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - I:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - I:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - I:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - I:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5141 bytes


I have some ideas I can try if we are stumped or if the worst comes to the worst I can always format and reinstall.

Thank you for any assistance.

Edited by NocturnalNewt, 21 January 2009 - 10:05 PM.


#15 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 21 January 2009 - 10:40 PM

Hi there,

I see this : O4 - HKLM\..\Run: [MSConfig] I:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

Go back into msconfig and click on normal startup, reboot and see if that makes a difference. :) It may be slower with everything starting up, but you may also get your services back. :thumbsup:

tea
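The diagnosis in the reply above rests on reading two things out of the HijackThis log: the `[MSConfig] ... MSConfig.exe /auto` Run entry (msconfig registers itself under Run with `/auto` whenever it leaves the machine in Selective or Diagnostic startup, which holds back services and startup items), and the gap between the O23 services the log lists and the processes actually running. The script below is an added example, not something posted in this thread or part of HijackThis; it parses those sections of a log and reports both findings. The sample log is constructed from lines copied out of the logs posted above, with `Ati2evxx.exe` added to the running-process list so that one service shows as running.

```python
import ntpath
import re

# Constructed sample: lines copied from the HijackThis logs posted in this thread,
# trimmed to the sections the analysis needs. Ati2evxx.exe is added to the running
# processes (it appears in the earlier log, not the last one) so both branches show.
SAMPLE_HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\Ati2evxx.exe
I:\WINDOWS\Explorer.EXE
I:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
I:\WINDOWS\system32\taskmgr.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "I:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] I:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [MSConfig] I:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: InterVideo WinCinema Manager.lnk.disabled
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - I:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - I:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - I:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# O4 lines: "O4 - <location>: [<name>] <command>"; Global Startup lines have no [name].
O4_RE = re.compile(r'^O4 - (?P<loc>.+?): (?:\[(?P<name>[^\]]+)\] )?(?P<cmd>.*)$')
# O23 lines: "O23 - Service: <display> (<short>) - <vendor> - <path>"; (<short>) is optional.
O23_RE = re.compile(r'^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - (?P<vendor>.+?) - (?P<path>.+)$')
# First .exe in a command, quoted or not, with or without trailing arguments.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.exe)"?(?:\s+|$)', re.IGNORECASE)


def exe_name(command):
    """Lowercase base name of the executable in an O4 command, or None (e.g. a .lnk)."""
    command = command.strip()
    if ' = ' in command:                      # Global Startup: "<name>.lnk = <target>"
        command = command.split(' = ', 1)[1]
    m = EXE_RE.match(command)
    return ntpath.basename(m.group('path')).lower() if m else None


def parse_hjt_log(text):
    """Return (running process base names, O4 autostart entries, O23 services)."""
    running, autostarts, services = set(), [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == 'Running processes:':
            in_processes = True
            continue
        if in_processes:                      # the list ends at the first blank line
            if not line:
                in_processes = False
            else:
                running.add(ntpath.basename(line).lower())
            continue
        m = O4_RE.match(line)
        if m:
            autostarts.append({'location': m.group('loc'), 'name': m.group('name'),
                               'command': m.group('cmd'), 'exe': exe_name(m.group('cmd'))})
            continue
        m = O23_RE.match(line)
        if m:
            services.append({'display': m.group('display'), 'short': m.group('short'),
                             'vendor': m.group('vendor'),
                             'exe': ntpath.basename(m.group('path')).lower()})
    return running, autostarts, services


def analyse(text):
    """Flag selective startup and list registered services/autostarts that are not running."""
    running, autostarts, services = parse_hjt_log(text)
    # msconfig re-registers itself under Run with /auto whenever it leaves the machine in
    # Selective or Diagnostic startup, so this entry explains stopped services on its own.
    selective_startup = any(a['exe'] == 'msconfig.exe' and '/auto' in a['command'].lower()
                            for a in autostarts)
    services_not_running = sorted(s['display'] for s in services if s['exe'] not in running)
    autostarts_not_running = sorted((a['name'] or a['command']) for a in autostarts
                                    if a['exe'] and a['exe'] not in running)
    return {'selective_startup': selective_startup,
            'services_not_running': services_not_running,
            'autostarts_not_running': autostarts_not_running}


if __name__ == '__main__':
    result = analyse(SAMPLE_HJT_LOG)
    print('msconfig selective/diagnostic startup:', result['selective_startup'])
    print('services listed but not running:', result['services_not_running'])
    print('Run entries listed but not running:', result['autostarts_not_running'])
```

On the sample it reports selective startup as active, the AVG WatchDog and TrueVector services as not running, and `AVG8_TRAY` and `MSConfig` as Run entries without a matching process, which is the same picture the reply above drew by eye from the log. The comparison is by executable base name only, so it tolerates 8.3 paths such as `PROGRA~1` but cannot tell two different files with the same name apart.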
