
Spyware infection possibly virtmonde & others


  • This topic is locked
22 replies to this topic

#1 AllenG

AllenG

  • Members
  • 17 posts
  • OFFLINE
  • Local time:11:02 AM

Posted 26 March 2009 - 05:15 AM

Hi.

I have a virus and/or spyware infestation, and would like some help please. Something got hold of my Creditcard details. (card cancelled)

I have run and pasted a DDS log at the end of this post. I have tried to provide as much detail as may be relevant and have listed all the symptoms and steps I have tried so far below. There's a fair bit. I will refrain from any more until I get some assistance....


12/3/09.....
I have Windows XP Home SP3(was up to date), networked with a Linksys WAG54P2P ADSL Router with the Router Firewall enabled with default settings. (Wireless is disabled).
I had AVGfree, Spybot S&D with resident Teatimer up to date, and windows firewall enabled (or so I thought). I made a ghost 8 backup about a month ago after my creditcard was used online in Sweden. I made the Ghost with an out of date miniPE by Digiwiz boot CD.

While searching for information on fixes for some viruses that a friend has on his laptop I downloaded & installed Malwarebytes and downloaded an updated ISO of MiniPE-XT V2K5.09.03 from megaupload.com\minipe-iso-updated-to-05012009. This iso was in several Rar files. Around the time I was downloading this I got a popup asking if I wanted to save or run another file that I didn't request. I clicked cancel or the "x", can't remember which. Can't remember the filename either, maybe started with "SI"? I didn't think much of it at the time, but now it seems suspicious.

First Question:

MiniPE: I know it contains "dodgy" utilities, and some of the "tools" register as infections, but three files that worry me are:
1: M:\I386\system32\wzcsvc.dll is detected as Virtumonde by spybot. The same file on my C drive registers as Virtumonde as well.
2: M:\.....wordpad.exe is detected as Win32:Trojan-Gen {other} by Avast
3: X:\programs\winrar\winrar.exe is detected as win32:backdoor.ceckno
I haven't used wordpad or winrar, not sure about wzcsvc (wireless zero configuration service).

Is it likely that this iso is boobytrapped? What recovery CD do you recommend, and from which site?

Symptoms in chronological order:

1. For some time (possibly 2 years), MSpaint stopped working. My attempts to remove and reinstall it haven't helped. (may be unrelated to virus?)
2. about 50% of the time half of the icons on the system tray did not show. These include Winzip quick launch, my internet usage monitor, DYNDNS updater etc. Taskmanager shows that the processes seem to have started.
3. I had two fraudulent transactions on my Creditcard in January a few days after using my creditcard online.

On first reboot after the unexpected file download popup recently:

Spybot warned me of two attempted changes: Security Centre notification disabled, and Malwarebytes removed from startup. I denied both.
Windows Security centre shield on the systemtray warned that my firewall was disabled.
AVGfree warned that it was unable to connect to the update server.
system restore shows no restorepoints.

My attempts to restart windows firewall failed.

I have done the following to try and recover my system:

Powered off.
Booted with MiniPE.
Checked the integrity of the Ghost files.
Formatted C drive.
Restored from Ghost.
Refreshed the MBR on C
Scanned with Avast which found worms in my inbox. They were in spam emails whose links I'm sure I would not have opened.
The worms were Win32:netsky-c@UPX and win32:ZAFI-M. I removed them
The same worms were found in two locations in C:\Recycler\....
Adaware found 1 reg key & 2 reg values with win32:backdoor.ceckno, on the miniPE boot CD.

Win32.Backdoor.Ceckno Object Recognized!
Type : Regkey
Data : X:\Programs\WinRAR\WinRAR.exe
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WinRAR.exe

Win32.Backdoor.Ceckno Object Recognized!
Type : RegValue
Data : X:\Programs\WinRAR\WinRAR.exe
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WinRAR.exe
Value : Path

Win32.Backdoor.Ceckno Object Recognized!
Type : File
Data : winrar.exe
TAC Rating : 10
Category : Malware
Comment :
Object : x:\programs\winrar\

Spybot reports Virtumonde in c:\windows\system32\wzcsvc.exe. Spybot removed this.

Avira reported a JS/Dldr.Iframe.DK Javascript Virus in .....\temporary internet files\content.ie5\CIZZDM4R\Flashwrite_1_2[1].htm
I have deleted this.

Powered off/on
Security centre still popped up a notification that the firewall is disabled. Again, attempts to restart result in "windows cannot start windows firewall/internet security"
I ran "sfc/scannow".
Still can't start windows firewall.

2nd question:

I was not getting any firewall warnings a month ago when I created the ghost, what's up here? More evidence that my minipe CD is infected and reinfecting the HDD?

---------------------------------

On 16th march I posted this update.....

I have unplugged from the network and restarted Windows.
I have installed and run Malwarebytes, and it found nothing.
I have installed and run Superantispyware, and it found nothing.
I also tried both in safe mode, and found nothing. However Superantispyware screen behaves strangely during scanning of some files especially EXE files in safe mode. The digits for the number of modules, registry items, and files scanned and threats found flicker on screen as if they are being overwritten, but don't actually change? This doesn't happen for every file.

Since installing Malwarebytes, when I reboot spybot reports that something is trying to remove malwarebytes from startup.

Also, last time I started windows I connected it to the net for a short period and did a netstat. I got the following suspicious connection:
TCP 1082 xxxx.xxxxx.llnw.net (xxxx details omitted) Port 1082 is listed on virus sites as Winhole aka Backgate/Wingate.
The llnw.net is a domain of Limelight Networks Inc, Arizona, United States. Is this a legit ISP? It seems to be part of the Windows update network.

----------------------

26/3/09

I have now done the following.

Clean scan with Malwarebytes
Clean scan with Superantispyware
Clean scan with Blacklight
Ran Kaspersky online scanner, which required me to install a Java update: Clean
Installed Zonealarm security suite. 15 day trial. Installed OK.

Later that evening Windows security centre shows that Zonealarm firewall is off even though Zonealarm thinks it is enabled.
I removed the Zonealarm security suite, and installed just the firewall. This seems to still be running OK. It is prompting me for the things that I expect.

I removed two apps from my system. Tomtom Home GPS software, and DYNDNS updater.

Windows update reinstalled SP3, which had been lost when I restored the Ghost.

I am no longer getting spybot warnings for Malwarebytes startup, or Windows Security notification.

Trend Housecall fails to run. It gets to the screen Updating and starting, and nothing further happens.

ESET online scanner found nothing.

Bitdefender reported a software patch that I had downloaded as a Backdoor.Generic 136468
Also reported C:\windows\system32\tools\restart.exe as Virtool.18853. This file is listed in a readme in the same folder as part of the setup files for my second soundcard.

Strangely, all of my system tray icons have been present from about the time I loaded Zonealarm etc.

So far I don't think I have found the main infection.

DDS Log


DDS (Ver_09-03-16.01) - NTFSx86
Run by Allen Goodhue at 22:13:07.54 on Thu 26/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.64.1033.18.1535.859 [GMT 13:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\G-VGA.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Brownie\BrstsWnd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Brownie\brpjp04a.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Xnet Usage Monitor\XNetUsage.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
c:\program files\avira\antivir personaledition classic\avcenter.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\Allen Goodhue\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://home.nzcity.co.nz/tvnow/tvguide.asp?
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [VGAUtil] c:\windows\system32\G-VGA.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [WinampAgent] "c:\program files\winamp\Winampa.exe"
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [mmtask] "c:\program files\musicmatch\musicmatch jukebox\mmtask.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRunServices: [SchedulingAgent] c:\windows\system32\mstask.exe
mRunServicesOnce: [washindex] c:\program files\washer\washidx.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alleng~1\startm~1\programs\startup\xnetus~1.lnk - c:\program files\xnet usage monitor\XNetUsage.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autost~1.lnk - c:\program files\wintv\Ir.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\VIA RAID TOOL.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: bankdirect.co.nz\vault
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38146.8582638889
DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {F26AF275-AFE4-4373-91CA-5A2F06B2788B} = 58.28.4.2,58.28.6.2
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2004-6-9 77056]
R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-3-25 11840]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-29 325128]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-29 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-29 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-3-21 353680]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-7-6 574808]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-3-25 68865]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-3 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-3 298264]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 hcwPVRP2;Hauppauge WinTV-PVR PCI II (Encoder-16);c:\windows\system32\drivers\hcwPVRP2.sys [2004-7-1 796064]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S2 CX88XBAR;Conexant 2388x Crossbar;c:\windows\system32\drivers\cx88xbar.sys [2004-6-12 11625]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;c:\windows\system32\drivers\NSDriver.sys [2007-6-4 9344]
S3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-3-25 52032]
S3 dTVdrvNT;dTVdrvNT;\??\c:\program files\home media networks limited\showshifter\dtvdrvnt.sys --> c:\program files\home media networks limited\showshifter\dTVdrvNT.sys [?]
S4 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-3-25 151297]

=============== Created Last 30 ================

2009-03-25 23:21 <DIR> --d----- c:\program files\Avira
2009-03-25 23:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-03-22 18:56 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-03-21 02:53 <DIR> --d----- c:\windows\system32\scripting
2009-03-21 02:53 <DIR> --d----- c:\windows\system32\en
2009-03-21 02:53 <DIR> --d----- c:\windows\l2schemas
2009-03-21 01:46 1,221,008 a------- c:\windows\system32\zpeng25.dll
2009-03-21 01:46 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-03-21 01:46 348,371 a------- c:\windows\system32\vsconfig.xml
2009-03-20 23:25 0 a------- C:\rollback.ini
2009-03-19 21:11 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-19 21:11 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-15 23:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-15 23:49 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-15 23:49 <DIR> --d----- c:\docume~1\alleng~1\applic~1\SUPERAntiSpyware.com
2009-03-15 23:24 <DIR> --d----- c:\docume~1\alleng~1\applic~1\Malwarebytes
2009-03-15 23:24 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-15 23:24 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-15 23:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-15 23:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-13 23:14 397,502 ac------ c:\windows\system32\dllcache\vpctcom.sys
2009-03-13 23:13 24,660 ac------ c:\windows\system32\dllcache\spxupchk.dll
2009-03-13 23:12 3,840 ac------ c:\windows\system32\dllcache\rpfun.sys
2009-03-13 23:11 51,552 ac------ c:\windows\system32\dllcache\ntgrip.sys
2009-03-13 23:10 7,424 ac------ c:\windows\system32\dllcache\mammoth.sys
2009-03-13 23:09 154,496 ac------ c:\windows\system32\dllcache\icam4usb.sys
2009-03-13 23:08 22,090 ac------ c:\windows\system32\dllcache\fem556n5.sys
2009-03-13 23:07 86,016 ac------ c:\windows\system32\dllcache\dc240usd.dll
2009-03-13 23:06 66,082 ac------ c:\windows\system32\dllcache\c_10005.nls
2009-03-13 23:05 101,888 ac------ c:\windows\system32\dllcache\adpu160m.sys
2009-03-13 23:04 66,048 ac------ c:\windows\system32\dllcache\s3legacy.dll

==================== Find3M ====================

2009-03-26 22:13 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-03-21 02:56 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-19 07:24 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-19 07:24 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-19 07:24 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-02-10 00:13 1,846,784 a------- c:\windows\system32\win32k.sys
2004-06-09 17:45 32 a--sh--- c:\windows\{7E23EA2A-8247-4B4A-9754-8AF5B56D8A7B}.dat
2005-12-22 21:10 56 ---shr-- c:\windows\system32\7247105F1A.sys
2008-08-11 08:52 12,208 a--sh--- c:\windows\system32\KGyGaAvL.sys
2004-06-09 17:45 32 a--sh--- c:\windows\system32\{915EB416-7598-410A-A1ED-AA03B160AC68}.dat

============= FINISH: 22:13:43.64 ===============


I have the attach.txt if required. The file said not to attach it unless requested.

Regards, Allen

Edited by AllenG, 26 March 2009 - 05:21 AM.
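The "Find3M" and "Created Last 30" sections of the DDS log above list each file with a date, size, an eight-character attribute field and a path. One quick triage pass that helpers in threads like this do by eye is to pick out the files that carry both the system and hidden attribute bits, since those are invisible in a default Explorer view and deserve a manual look (a hidden+system file is not proof of anything by itself; several legitimate components use those bits too). The following is an added example, not code from the original post or from the DDS tool itself: a small parser for that line format, run over sample lines copied from the log above. The attribute-letter meanings (a, s, h, r, d, c) are assumed from the log's own entries.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the Find3M / Created Last 30 sections
# of the DDS log in the post above.
SAMPLE_DDS = r"""
2009-03-26 22:13 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-03-21 02:56 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-10 00:13 1,846,784 a------- c:\windows\system32\win32k.sys
2004-06-09 17:45 32 a--sh--- c:\windows\{7E23EA2A-8247-4B4A-9754-8AF5B56D8A7B}.dat
2005-12-22 21:10 56 ---shr-- c:\windows\system32\7247105F1A.sys
2008-08-11 08:52 12,208 a--sh--- c:\windows\system32\KGyGaAvL.sys
2004-06-09 17:45 32 a--sh--- c:\windows\system32\{915EB416-7598-410A-A1ED-AA03B160AC68}.dat
2009-03-25 23:21 <DIR> --d----- c:\program files\Avira
"""

# date time size attrs path; size is a comma-grouped number or the literal <DIR>.
# Assumption: the attribute field is always eight characters of letters/dashes.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+?)\s*$"
)


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]   # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.size is None or "d" in self.attrs

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs


def parse_line(line: str) -> Optional[Entry]:
    """Parse one DDS listing line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
    return Entry(m["date"], m["time"], size, m["attrs"], m["path"])


def parse_dds_listing(text: str) -> List[Entry]:
    """Parse every recognisable listing line, silently skipping headers and blanks."""
    entries = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def hidden_system_files(entries: List[Entry]) -> List[Entry]:
    """Files (not directories) with both the hidden and system attribute bits set."""
    return [e for e in entries if not e.is_dir and e.hidden and e.system]


def triage(text: str) -> List[str]:
    """Sorted paths of hidden+system files in a DDS listing, for manual review."""
    return sorted(e.path for e in hidden_system_files(parse_dds_listing(text)))


if __name__ == "__main__":
    for path in triage(SAMPLE_DDS):
        print("review:", path)
```

On the sample above the hidden-only `zllictbl.dat` is left alone, the directory entry is ignored, and the four hidden+system files (two GUID-named `.dat` files and two oddly named `.sys` files under `system32`) are listed for a human to check against known software on the machine.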



#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:02 PM

Posted 04 April 2009 - 06:31 PM

Hello Allen,


Sorry about the delay.:thumbup2: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 AllenG

AllenG
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:11:02 AM

Posted 04 April 2009 - 11:45 PM

Thanks for the reply "tea".

The only (obvious) symptoms that I still have are that Trend Housecall won't run. It gets to the "Updating & starting housecall" page and does nothing further. Also, I'm running Zonealarm because I couldn't get Windows firewall to run.

I think the only things I have done since last posting are download and scan with Spyware doctor.

I don't think I have found the infection that grabbed my creditcard number, unless the XP Servicepack 3 install has replaced the infected file(s). I would appreciate your expertise.

Also, I now have a multitude of malware checkers on my PC after this exercise, and would like advice on which ones play nicely together.
AVGfree 8,
Spybot incl Resident Teatimer
Zonealarm Free
Superantispyware,
Avira Antivir Personal
PCtools Spyware doctor (scanner enabled only)
Malwarebytes Anti malware.

I've also possibly still got old versions of Adaware & Window Washer installed.

Would like to use Threatfire, and maybe Sandboxie but I'm not sure if these will work with Spybot Teatimer.

Regards, Allen.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:25:07 p.m., on 5/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\G-VGA.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Brownie\BrstsWnd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Xnet Usage Monitor\XNetUsage.exe
C:\Program Files\Brownie\brpjp04a.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.nzcity.co.nz/tvnow/tvguide.asp?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VGAUtil] C:\WINDOWS\System32\G-VGA.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\System32\mstask.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Xnet Usage Monitor.lnk = C:\Program Files\Xnet Usage Monitor\XNetUsage.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: VIA RAID TOOL.lnk.disabled
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F26AF275-AFE4-4373-91CA-5A2F06B2788B}: NameServer = 58.28.4.2,58.28.6.2
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9604 bytes

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 05 April 2009 - 12:01 AM

Hi Allen,

Let's pare down first, then we'll see what might be left on your system. :)

The following is my opinion and my experience, except for the AntiVirus programs. You should only have one of those so as not to cause even more problems in the system.

AVGfree 8, <----not as light or friendly as Avira. I would uninstall it.
Spybot incl Resident Teatimer<-----great! Keep it.
Zonealarm Free<-----heavy firewall, but better than none at all, and infinitely better than Windows firewall.
Superantispyware,<-------not as good or friendly as MBAM, but can be kept as an on demand antimalware scanner.
Avira Antivir Personal<-----Excellent product. Keep it.
PCtools Spyware doctor (scanner enabled only) <----If you mean on demand scanning only, then fine. Otherwise uninstall it so as not to over do the antimalware programs on board.
Malwarebytes Anti malware.<----Definitely worth keeping.

I see entries for AdAware also. It isn't necessary, and I would uninstall it, if you haven't already.

As for Bit Defender not running.....well, that's actually pretty common and does not necessarily indicate a problem with your system.

Let me know if you have any problems getting those rearranged. :thumbup2:

I don't think I have found the infection that grabbed my creditcard number, unless the XP Servicepack 3 install has replaced the infected file(s)

It is possible that's what happened, but if nothing else is showing it, then let's use the big gun to see if anything is left. Only after you pare those down, do the following, please:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 AllenG

AllenG
  • Topic Starter

  • Members
  • 17 posts

Posted 06 April 2009 - 04:18 AM

Hi Tea,

I have uninstalled AVG Free, an old copy of Ad-Aware, and an old copy of Window Washer.

I have Zonealarm, Avira, Spybot incl Resident teatimer, Superantispyware (on demand scanner only), Spyware Doctor (on demand scanner only) & Malwarebytes Free (without protection module).

Should I enable Spyware Doctor Immunization or Intelligard, or SuperAntispyware realtime protection, or is this covered by Spybot Teatimer? I don't appear to have any email scanner now that I've removed AVG?

Also, would ThreatFire be useful, or would it conflict with Spybot TeaTimer?

I ran combofix, and it had two errors while running. Both of them were an error about IPconfig failing because of missing wzcsvc.dll. This file was detected as infected with Virtumonde and deleted by Spybot some weeks back. I'm not sure how I should restore this file (I thought system file checker would have restored it?). I believe it is the wireless zero configuration service. I'm not using wireless on this PC.

regards, Allen.

ComboFix 09-04-04.01 - Allen Goodhue 2009-04-06 20:42:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1075 [GMT 12:00]
Running from: c:\documents and settings\Allen Goodhue\My Documents\Downloads\Combofix\ComboFix.exe
FW: ZoneAlarm Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))
.

2009-04-05 16:24 . 2009-04-05 16:24 <DIR> d-------- c:\program files\Trend Micro
2009-03-31 21:56 . 2008-12-11 07:38 159,600 --a------ c:\windows\system32\drivers\pctgntdi.sys
2009-03-31 21:56 . 2009-03-06 15:45 130,424 --a------ c:\windows\system32\drivers\PCTCore.sys
2009-03-31 21:56 . 2008-12-18 11:16 73,840 --a------ c:\windows\system32\drivers\PCTAppEvent.sys
2009-03-31 21:55 . 2009-04-06 19:47 <DIR> d-------- c:\program files\Spyware Doctor
2009-03-31 21:55 . 2009-03-31 21:57 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-03-31 21:55 . 2009-03-31 21:55 <DIR> d-------- c:\documents and settings\Allen Goodhue\Application Data\PC Tools
2009-03-31 21:55 . 2009-04-06 20:45 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-31 21:55 . 2009-03-31 21:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-03-31 21:55 . 2008-12-10 11:36 64,392 --a------ c:\windows\system32\drivers\pctplsg.sys
2009-03-25 22:21 . 2009-03-25 22:21 <DIR> d-------- c:\program files\Avira
2009-03-25 22:21 . 2009-03-25 22:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-03-22 20:07 . 2009-03-22 23:49 <DIR> d-------- c:\windows\BDOSCAN8
2009-03-22 17:56 . 2009-03-22 19:33 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-03-21 01:53 . 2009-03-21 01:53 <DIR> d-------- c:\windows\system32\scripting
2009-03-21 01:53 . 2009-03-21 01:53 <DIR> d-------- c:\windows\system32\en
2009-03-21 01:53 . 2009-03-21 01:53 <DIR> d-------- c:\windows\l2schemas
2009-03-21 00:46 . 2009-03-21 00:47 <DIR> d-------- c:\windows\system32\ZoneLabs
2009-03-21 00:46 . 2008-11-13 14:18 1,221,008 --a------ c:\windows\system32\zpeng25.dll
2009-03-21 00:46 . 2009-04-06 20:22 348,371 --a------ c:\windows\system32\vsconfig.xml
2009-03-20 22:25 . 2009-03-20 22:25 0 --a------ C:\rollback.ini
2009-03-20 22:00 . 2009-03-20 22:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
2009-03-19 20:11 . 2009-03-19 20:11 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-19 20:11 . 2009-03-19 20:11 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-15 22:49 . 2009-03-28 20:55 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-15 22:49 . 2009-03-15 22:49 <DIR> d-------- c:\documents and settings\Allen Goodhue\Application Data\SUPERAntiSpyware.com
2009-03-15 22:49 . 2009-03-15 22:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-15 22:24 . 2009-04-04 20:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-15 22:24 . 2009-03-15 22:24 <DIR> d-------- c:\documents and settings\Allen Goodhue\Application Data\Malwarebytes
2009-03-15 22:24 . 2009-03-15 22:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-15 22:24 . 2009-03-26 15:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-15 22:24 . 2009-03-26 15:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-13 22:14 . 2001-08-17 12:28 794,654 --a--c--- c:\windows\system32\dllcache\usr1801.sys
2009-03-13 22:13 . 2001-08-17 21:36 495,616 --a--c--- c:\windows\system32\dllcache\sblfx.dll
2009-03-13 22:12 . 2001-08-17 12:28 899,146 --a--c--- c:\windows\system32\dllcache\r2mdkxga.sys
2009-03-13 22:11 . 2001-08-17 11:50 320,384 --a--c--- c:\windows\system32\dllcache\mgaum.sys
2009-03-13 22:10 . 2001-08-17 12:28 802,683 --a--c--- c:\windows\system32\dllcache\ltsm.sys
2009-03-13 22:09 . 2001-08-17 13:56 1,733,120 --a--c--- c:\windows\system32\dllcache\g400d.dll
2009-03-13 22:08 . 2001-08-17 11:14 952,007 --a--c--- c:\windows\system32\dllcache\diwan.sys
2009-03-13 22:07 . 2001-08-17 11:13 980,034 --a--c--- c:\windows\system32\dllcache\cicap.sys
2009-03-13 22:06 . 2001-08-17 12:28 871,388 --a--c--- c:\windows\system32\dllcache\bcmdm.sys
2009-03-13 22:05 . 2001-08-17 12:28 762,780 --a--c--- c:\windows\system32\dllcache\3cwmcru.sys
2009-03-13 22:04 . 2001-08-17 13:56 66,048 --a--c--- c:\windows\system32\dllcache\s3legacy.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-06 08:18 --------- d-----w c:\program files\Lavasoft
2009-04-06 08:18 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-27 05:38 --------- d-----w c:\documents and settings\Allen Goodhue\Application Data\HouseCall 6.6
2009-03-20 12:20 --------- d-----w c:\documents and settings\Allen Goodhue\Application Data\uTorrent
2009-03-20 10:06 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-19 08:10 --------- d-----w c:\program files\Java
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2004-06-09 04:45 32 --sha-w c:\windows\{7E23EA2A-8247-4B4A-9754-8AF5B56D8A7B}.dat
2005-12-22 08:10 56 --sh--r c:\windows\system32\7247105F1A.sys
2008-08-10 19:52 12,208 --sha-w c:\windows\system32\KGyGaAvL.sys
2004-06-09 04:45 32 --sha-w c:\windows\system32\{915EB416-7598-410A-A1ED-AA03B160AC68}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-28 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 335872]
"VGAUtil"="c:\windows\System32\G-VGA.exe" [2003-10-08 544768]
"WinampAgent"="c:\program files\Winamp\Winampa.exe" [2003-04-02 12288]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2006-01-17 53248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2008-01-08 864256]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-19 136600]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
"SoundMan"="SOUNDMAN.EXE" [2003-10-08 c:\windows\soundman.exe]
"C-Media Mixer"="Mixer.exe" [2002-10-15 c:\windows\mixer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Allen Goodhue\Start Menu\Programs\Startup\
Xnet Usage Monitor.lnk - c:\program files\Xnet Usage Monitor\XNetUsage.exe [2007-09-18 2241536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoStart IR.lnk - c:\program files\WinTV\Ir.exe [2004-07-01 102455]
VIA RAID TOOL.lnk.disabled [2004-06-09 763]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2004-06-12 106560]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 10:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg20.dll
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"VIDC.HFYU"= huffyuv.dll
"vidc.ffds"= c:\program files\ffdshow\ffdshow.ax
"vidc.3IV2"= 3ivxVfWCodec.dll
"vidc.SEDG"= SamsungVfWCodec.dll
"vidc.DX50"= DivXVfWCodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_04\bin\jusched.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"PowerS"=c:\windows\PowerS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
"c:\\Program Files\\DVICO\\TViXNetShare\\TViXNetShare.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-03-31 130424]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2004-06-09 77056]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-02-17 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-03-31 348752]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
S2 CX88XBAR;Conexant 2388x Crossbar;c:\windows\system32\drivers\cx88xbar.sys [2004-06-12 11625]
S3 dTVdrvNT;dTVdrvNT;\??\c:\program files\Home Media Networks Limited\ShowShifter\dTVdrvNT.sys --> c:\program files\Home Media Networks Limited\ShowShifter\dTVdrvNT.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-01-28 c:\windows\Tasks\Mythbusters.job
- c:\progra~1\WinTV\WinTV2K.EXE [2004-02-02 17:28]

2007-07-22 c:\windows\Tasks\shutdown.job
- c:\documents and settings\Allen Goodhue\My Documents\Shutdown.bat [2004-07-12 21:11]

2009-03-29 c:\windows\Tasks\Top Gear.job
- c:\progra~1\WinTV\WinTV2K.EXE [2004-02-02 17:28]

2009-04-04 c:\windows\Tasks\{863BDF41-FA99-4D2F-8981-DA93AB3CB1A9}_ALLEN_Allen Goodhue.job
- c:\windows\system32\mobsync.exe [2008-04-14 12:12]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-TomTomHOME.exe - c:\program files\TomTom HOME 2\HOMERunner.exe
HKLM-RunServicesOnce-washindex - c:\program files\Washer\washidx.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.nzcity.co.nz/tvnow/tvguide.asp?
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: bankdirect.co.nz\vault
TCP: {F26AF275-AFE4-4373-91CA-5A2F06B2788B} = 58.28.4.2,58.28.6.2
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-06 20:46:06
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(1584)
c:\program files\Spyware Doctor\pctgmhk.dll
.
Completion time: 2009-04-06 20:49:20
ComboFix-quarantined-files.txt 2009-04-06 08:48:51

Pre-Run: 84,496,650,240 bytes free
Post-Run: 84,584,390,656 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

192 --- E O F --- 2009-03-22 07:36:01


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:56:04 p.m., on 6/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\G-VGA.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Xnet Usage Monitor\XNetUsage.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.nzcity.co.nz/tvnow/tvguide.asp?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VGAUtil] C:\WINDOWS\System32\G-VGA.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Xnet Usage Monitor.lnk = C:\Program Files\Xnet Usage Monitor\XNetUsage.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: VIA RAID TOOL.lnk.disabled
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F26AF275-AFE4-4373-91CA-5A2F06B2788B}: NameServer = 58.28.4.2,58.28.6.2
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8372 bytes

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 06 April 2009 - 06:38 PM

Hi Allen,

Those both look good. Nothing malicious in them. :thumbup2: Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Should I enable Spyware Doctor Immunization or Intelligard, or SuperAntispyware realtime protection, or is this covered by Spybot Teatimer?

Tea Timer has it covered, so no need. I don't have any firsthand experience with ThreatFire, so I can't honestly advise you on that.

So you did run System File Checker? It didn't ask you for the disk to fix anything? Have a search for it with Windows and see if there's a copy somewhere, since it is a system file.

Don't worry about Trend's scan. Like I said, it's not uncommon for this to happen, and there is nothing else at all indicating there's anything bad still lurking. If you really want to do an online scan to check, just let me know and I'll give you a couple to choose from. Beyond that, I think we're done here. We can see about getting that file replaced, but other than the error it threw with ComboFix you aren't having any problems, correct?

tea

#7 AllenG

AllenG
  • Topic Starter

  • Members
  • 17 posts

Posted 07 April 2009 - 04:16 AM

Thanks for the help Teacup61,

So you did run System File Checker? It didn't ask you for the disk to fix anything? Have a search for it with Windows and see if there's a copy somewhere, since it is a system file.

System file checker did ask for the disk, but didn't replace wzcsvc.dll. Does it create a log? Should it not have used the service pack 3 files?

Don't worry about Trend's scan. Like I said, it's not uncommon for this to happen, and there is nothing else at all indicating there's anything bad still lurking. If you really want to do an online scan to check, just let me know and I'll give you a couple to choose from.

I have run the Trend HouseCall OK in the past. I successfully ran the Eset, Kaspersky & Bit Defender online scanners.

Beyond that, I think we're done here. We can see about getting that file replaced, but other than the error it threw with ComboFix you aren't having any problems, correct?

There are no symptoms, but I also had no symptoms at the time my credit card number was pinched. I didn't have any symptoms until I started browsing for information on viruses that I was trying to clean off a friend's laptop.

The remaining "damage" from the infection(s) is:

Missing file wzcsvc.dll, which I will have a hunt for on the XP CD,
[Edit: found the file in servicepackfiles/I386
Should I rerun Combofix with this file restored?]

Windows Firewall wouldn't start. I'm running ZoneAlarm now, so I guess that doesn't matter too much?
[Edit: I just tried enabling windows firewall, and it starts now. Disabled it again and left Zonealarm enabled]
Malwarebytes doesn't appear to have any resident module running. If I remember, one of the Spybot warnings during the cleanup process was trying to remove the startup entry for MBAM. I will try uninstalling and reinstalling it.
[Edit: removed and reinstalled, still nothing resident for MBAM, should there be?]

I no longer have an email scanner.

What is the entry in Combofix log for "catchme":
"detected NTDLL code modification:
ZwClose"

I guess the thing that concerns me the most is that whatever I got infected with got past windows firewall, AVGfree, and Spybot. I want to be sure that it doesn't happen again?

[Edit: This morning while editing this, I have had 15 or 20 popups (in groups of about 3) from ZoneAlarm for "Firewall has blocked Internet access to your computer [TCP Port 2869] from 192.168.1.1 [192.168.1.1][TCP Port 1058 [TCP Flags: S]" etc. The "From" port increases by one each time. 192.168.1.1 is my Linksys ADSL Router. I haven't had any popups like this before. Should I be concerned, or is this just ZoneAlarm doing its job, and should I just select "not to see this dialog again"?]
What recommendations do you have for securing IE (Should I switch to an alternative browser eg Firefox?), and for securing my Linksys WAG54GP2 Router firewall?

Regards, Allen.

Edited by AllenG, 07 April 2009 - 02:26 PM.


#8 AllenG

AllenG
  • Topic Starter

  • Members
  • 17 posts

Posted 08 April 2009 - 04:54 AM

Hi Teacup61

An update to my previous post re the ZoneAlarm TCP port 2869 messages. The UPnP framework uses UDP port 1900 and TCP port 2869. UPnP on my Linksys router looks like the source of the messages that ZoneAlarm is blocking. I have been unplugging the network cable from my PC while virus scanning etc., and I think these messages are occurring after I reconnect the network.

I have a single PC, a Topfield PVR, and a TViX media jukebox, all with fixed IP addresses. What are the consequences of blocking these UPnP messages from the router? I will have a look at the ZoneAlarm settings and see if there are exceptions for UPnP.

Regards, Allen.
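
The triage Allen describes in the two posts above (alerts from the LAN gateway 192.168.1.1, to TCP 2869 and UDP 1900, with the source port stepping up by one and SYN flags set) can be done mechanically. The following is an added example, not code from the thread or from ZoneAlarm: it parses alert text in the shape quoted in post #7, groups the alerts, and separates gateway UPnP traffic from anything arriving from outside the LAN. The sample alert lines are constructed for the example (203.0.113.7 is a documentation address), the gateway address and the two UPnP ports come from the posts, and the verdict labels are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample alerts. Only the format follows the ZoneAlarm text quoted
# in post #7; the lines themselves are made up for this example.
SAMPLE_ALERTS = [
    "Firewall has blocked Internet access to your computer [TCP Port 2869] from 192.168.1.1 [192.168.1.1][TCP Port 1058 [TCP Flags: S]",
    "Firewall has blocked Internet access to your computer [TCP Port 2869] from 192.168.1.1 [192.168.1.1][TCP Port 1059 [TCP Flags: S]",
    "Firewall has blocked Internet access to your computer [TCP Port 2869] from 192.168.1.1 [192.168.1.1][TCP Port 1060 [TCP Flags: S]",
    "Firewall has blocked Internet access to your computer [UDP Port 1900] from 192.168.1.1 [192.168.1.1][UDP Port 1900]",
    "Firewall has blocked Internet access to your computer [TCP Port 445] from 203.0.113.7 [203.0.113.7][TCP Port 40211 [TCP Flags: S]",
]

# Ports the thread identifies as the UPnP framework: SSDP discovery on UDP 1900,
# the UPnP device host on TCP 2869.
UPNP_PORTS = {
    ("UDP", 1900): "SSDP discovery",
    ("TCP", 2869): "UPnP device host",
}

# RFC 1918 ranges, checked explicitly so the verdict does not depend on
# ipaddress.is_private (which also covers documentation ranges).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the alert shape from the post, including its unbalanced brackets.
ALERT_RE = re.compile(
    r"blocked Internet access to your computer "
    r"\[(?P<proto>TCP|UDP) Port (?P<dport>\d+)\] "
    r"from (?P<host>\S+) \[(?P<src>[0-9.]+)\]"
    r"\[(?P<sproto>TCP|UDP) Port (?P<sport>\d+)"
    r"(?: \[TCP Flags: (?P<flags>[A-Z]+)\])?"
)


def parse_alert(line):
    """Return a dict of the alert's fields, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return {
        "proto": m.group("proto"),
        "dport": int(m.group("dport")),
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "flags": m.group("flags") or "",
    }


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def classify(alert, gateway="192.168.1.1"):
    """Label one alert: gateway UPnP chatter, other LAN host, or external source."""
    ip = ipaddress.ip_address(alert["src"])
    if (alert["proto"], alert["dport"]) in UPNP_PORTS and ip == ipaddress.ip_address(gateway):
        return "gateway-upnp"
    if is_rfc1918(ip):
        return "lan-other"
    return "external"


def summarize(lines, gateway="192.168.1.1"):
    """Group alerts by (source, protocol, destination port) and report each group.

    'sequential_source_ports' is True when the source ports step up by exactly
    one across the group, the pattern Allen saw: one host opening successive
    connections from consecutive ephemeral ports.
    """
    groups = defaultdict(list)
    for line in lines:
        alert = parse_alert(line)
        if alert is not None:
            groups[(alert["src"], alert["proto"], alert["dport"])].append(alert)

    report = []
    for (src, proto, dport), alerts in groups.items():
        sports = [a["sport"] for a in alerts]
        sequential = len(sports) > 1 and all(b - a == 1 for a, b in zip(sports, sports[1:]))
        report.append({
            "src": src,
            "proto": proto,
            "dport": dport,
            "count": len(alerts),
            "service": UPNP_PORTS.get((proto, dport), "unknown"),
            "sequential_source_ports": sequential,
            "verdict": classify(alerts[0], gateway),
        })
    return report


if __name__ == "__main__":
    for row in summarize(SAMPLE_ALERTS):
        print(row)
```

Run against the constructed lines, the three TCP 2869 alerts collapse into one group from the gateway with consecutive source ports and the verdict "gateway-upnp", the UDP 1900 alert gets the same verdict, and the 203.0.113.7 line is reported as "external", which is the group that deserves a closer look. Gateway UPnP traffic being blocked is the firewall doing its job, as teacup says; if no device on the LAN needs UPnP, turning it off on the router removes the noise at its source.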

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 08 April 2009 - 07:59 AM

Hello,

Try resetting your router, and if you didn't have a username and password on it before, then do set one now. Sounds to me like ZA is just doing its job. If things were messed up before, and now they're straight, then it has a lot of catching up to do as far as you "training" it. :thumbup2:

Let me know how you come out on the rest. :) Looks like you made quite a bit of progress.

tea

#10 AllenG

AllenG
  • Topic Starter

  • Members
  • 17 posts

Posted 08 April 2009 - 02:46 PM

Hi Tea, Did you have any thoughts on the other remaining questions?

Found the wzcsvc.dll file in servicepackfiles/I386
Should I rerun Combofix with this file restored?

Malwarebytes doesn't appear to have any resident module running. If I remember, one of the Spybot warnings during the cleanup process was trying to remove the startup entry for MBAM. I have tried uninstalling and reinstalling it, still nothing resident for MBAM, should there be?

I no longer have an email scanner. Is this an issue as long as I scan any attachments?

What is the entry in Combofix log for "catchme":
"detected NTDLL code modification:
ZwClose"

What recommendations do you have for securing IE (Should I switch to an alternative browser eg Firefox?), and for securing my Linksys WAG54GP2 Router firewall?


Regards, Allen.

#11 teacup61 (Malware Response Team, Wills Point, Texas)

Posted 08 April 2009 - 04:02 PM

Found the wzcsvc.dll file in servicepackfiles/I386
Should I rerun Combofix with this file restored?

I don't think that's necessary.

I no longer have an email scanner. is this an issue as long as I scan any attachments?

Nope.....you should always get the option to scan when you right click on any file, folder, or even drive. :thumbup2:

What is the entry in Combofix log for "catchme":
"detected NTDLL code modification:
ZwClose"

http://msdn.microsoft.com/en-us/library/ms804356.aspx

I have tried uninstalling and reinstalling it,

MBAM or Spybot?

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

It is very important to maintain your Firewall.
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

#12 AllenG (Topic Starter)

Posted 08 April 2009 - 08:27 PM

Hi Tea, I'm at work at present. Will check out the links later. Thanks.

RE: zwclose http://msdn.microsoft.com/en-us/library/ms804356.aspx

OK. Will check it out.
[Edit] I have checked out the link; it explains the dll, but not why the code would have been modified. This looks suspicious to me?

I have tried uninstalling and reinstalling it. MBAM or Spybot?

MBAM. I may post a query on the MBAM forums.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. .... You should also turn on the Windows automatic update feature.

Automatic update is on, why would I need to manually download updates as well?

It is very important to maintain your Firewall.
A tutorial on understanding and using firewalls may be found here.

Will check it out.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

Am using spybot already. How well does spywareblaster & spywareguard play with Spybot?

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic

Will do. I have used Firefox before.

Edited by AllenG, 09 April 2009 - 04:46 PM.


#13 teacup61 (Malware Response Team, Wills Point, Texas)

Posted 09 April 2009 - 05:52 PM

This looks suspicious to me?

It's perfectly fine......did we not make a lot of modifications while cleaning the computer? Changes made, even good ones, are going to be reported. :)

Automatic update is on, why would I need to manually download updates as well?

Sometimes people don't turn the auto updates on anyway, so making both suggestions is simply practical on our part. Besides.....sometimes good to doublecheck to be sure, right? MS is not infallible. :thumbup2:

Am using spybot already. How well does spywareblaster & spywareguard play with Spybot?

Actually those are just choices so you know you aren't stuck with just one program. You have good and free choices. These programs do play well with Spybot, if you choose to run one of them. Just don't overdo.....you already have enough protection.

#14 AllenG (Topic Starter)

Posted 09 April 2009 - 06:20 PM

Thanks for the help Tea. :thumbup2:

I have now disabled UPnP on my router (and changed the password). The Zonealarm messages about blocking incoming messages from my router to port 2869 seem to have stopped.

I am following up on the MBAM resident process query on the Malwarebytes forum.

Should I run a registry cleaner? What do you recommend, "CCleaner"?

I think you can close this thread.

If my machine is actually now clean, it was mostly by brute force and good luck. How does one learn how to analyze the Hijackthis and Combofix logs? I'd love to be able to help out others.

Best Regards, Allen.

Edited by AllenG, 09 April 2009 - 06:23 PM.


#15 teacup61 (Malware Response Team, Wills Point, Texas)

Posted 09 April 2009 - 06:24 PM

Hi Allen,

You can apply to the Classroom here, if you're serious. :) You'll have to deal with me some more though. :thumbup2: I think you'd be good at it, if you were to stick to it and graduate.

I'll close the thread in a few days. I like to give it time, just in case. :step4:

Regards,
tea
