Tech Support Forum

Logs/Reports, Please Help When Available! -details inside-

2K views 8 replies 2 participants last post by  tetonbob 
#1 · (Edited)
Having a TON of problems with popup ads here the last week or so.

Seems to be OuterInfo and SetTheTrend or something majorly.

Sometimes I'll get a Visual C++ buffer overrun error which shuts down my desktop (goes blank) and forces a reboot.

Getting this error on startup also, if it matters:
c:\windows\system32\ddayv.exe (errors with path/registry/etc)

Running Windows XP (w/ all updates) and AVG (paid edition).

Here are the logs:

[Panda Active SCAN]:

Incident Status Location
Spyware:spyware/virtumonde Not disinfected Windows Registry
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt
Spyware:Cookie/AdvancedCleaner Not disinfected C:\Documents and Settings\Owner\Cookies\owner@advancedcleaner[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Owner\Cookies\owner@apmebf[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Cookies\owner@com[1].txt
Adware:Adware/Adband Not disinfected C:\Documents and Settings\Owner\Desktop\vvqq.exe[ism.exe]
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\!update.exe
Adware:Adware/Adband Not disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8HSFQAHH\vvqq[1].exe[ism.exe]
Hacktool:Hacktool/AngryScan Not disinfected C:\Documents and Settings\Owner\My Documents\Control4\Misc\C4 Toolbox.zip[C4 Toolbox/ipscan.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner\My Documents\My Received Files\ComboFix.exe[ComboFixT\nircmd.exe]
Adware:Adware/Startpage.ACY Not disinfected C:\Program Files\Support.com\adelphia\scripts\IEconfig.vbs
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Adware:Adware/Yazzle Not disinfected C:\WINDOWS\system32\L9A21.tmp



[DSS SCAN]:

Deckard's System Scanner v20071014.68
Run by Owner on 2008-01-29 01:43:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-01-29 06:43:30 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:44:58 AM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\My Documents\??sks\n?lookup.exe
C:\Program Files\InterVideo\WinDVD4PR\SchSvr.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 217.195.246.83:8080
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddayv.exe
O2 - BHO: 0 - {0487D578-CA72-48B0-BBAD-60019A899D82} - C:\Program Files\MSN\laduxaruj.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15E4F930-6ED4-1B03-F248-19E34F96F29B} - C:\WINDOWS\system32\idluvd.dll (file missing)
O2 - BHO: (no name) - {4360C8B7-5905-71AA-5710-5300CCCD88ED} - C:\WINDOWS\system32\tekwovsz.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\rqrolkl.dll
O2 - BHO: (no name) - {A6D7CA41-BB21-4DF8-9357-527CA9553F89} - C:\WINDOWS\system32\ddayv.dll
O2 - BHO: (no name) - {B5B0B90A-A20E-495D-BDD2-C3D075B1AD6C} - C:\Program Files\Messenger\horefoq.dll (file missing)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Qjpluhws] C:\WINDOWS\?ecurity\?poolsv.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Aqg] "C:\Documents and Settings\Owner\My Documents\??sks\n?lookup.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Epson printer Registration.lnk = D:\E_reg\EPSONREG.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo Scheduler server.lnk = C:\Program Files\InterVideo\WinDVD4PR\SchSvr.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://camserver.cookcams.net/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://74.94.178.163/activex/AMC.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://control4.webex.com/client/T25L/training/ieatgpc.cab
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: rqrolkl - C:\WINDOWS\SYSTEM32\rqrolkl.dll
O20 - Winlogon Notify: urqqnmn - urqqnmn.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6710 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 VVBackd5 - c:\windows\system32\drivers\vvbackd5.sys
R1 papycpu2 - c:\windows\system32\drivers\papycpu2.sys
R1 papyjoy - c:\windows\system32\drivers\papyjoy.sys
R2 SIODRV - c:\windows\system32\drivers\siodrv.sys <Not Verified; Intel Corporation; Intel(R) Active Monitor>
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 SMBios (Intel (R) System Management BIOS Service) - c:\windows\system32\drivers\smbios.sys <Not Verified; Intel Corporation; Intel (R) System Management BIOS Driver>
R3 smbusp (Intel(R) SMBus 2.0 Driver) - c:\windows\system32\drivers\smb.sys <Not Verified; Intel Corporation; Intel(R) SMBus Controller>
R3 tap0801 (TAP-Win32 Adapter V8) - c:\windows\system32\drivers\tap0801.sys <Not Verified; The OpenVPN Project; TAP-Win32 Virtual Network Driver>

S3 EraserUtilRebootDrv - c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Diskeeper - c:\program files\executive software\diskeeperlite\dkservice.exe <Not Verified; Executive Software International, Inc.; Diskeeper (TM) Disk Defragmenter>
R2 imonNT (Intel(R) Active Monitor) - c:\program files\intel\intel(r) active monitor\imonnt.exe <Not Verified; Intel Corp.; Intel(R) Active Monitor>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\868686012B300
Manufacturer: Microsoft
Name: 1394 Net Adapter #2
PNP Device ID: V1394\NIC1394\868686012B300
Service: NIC1394


-- Files created between 2007-12-29 and 2008-01-29 -----------------------------

2008-01-29 01:44:48 0 d-------- C:\Program Files\Trend Micro
2008-01-29 00:14:03 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-01-29 00:10:02 0 d-------- C:\Program Files\SpywareBlaster
2008-01-29 00:03:12 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-29 00:03:09 0 d-------- C:\WINDOWS\LastGood
2008-01-28 17:25:10 3584 --a------ C:\WINDOWS\system32\ddayv.exe
2008-01-28 16:41:05 60928 --a------ C:\WINDOWS\system32\tekwovsz.dll
2008-01-27 17:24:15 472774 --ahs---- C:\WINDOWS\system32\vyadd.ini2
2008-01-27 17:24:11 327168 --a------ C:\WINDOWS\system32\ddayv.dll
2008-01-27 16:18:04 41984 --a------ C:\WINDOWS\system32\rqrolkl.dll
2008-01-27 16:17:27 0 d-------- C:\Program Files\Common Files\M?crosoft.NET
2008-01-23 15:46:32 0 d-------- C:\Program Files\ZOC5
2008-01-20 16:53:06 0 d-------- C:\Program Files\MioNet
2008-01-20 16:49:36 21504 --a------ C:\WINDOWS\jestertb.dll
2008-01-17 03:51:59 0 d-------- C:\Program Files\MediaMonkey
2008-01-17 03:44:36 0 d-------- C:\WINDOWS\system32\NtmsData
2008-01-17 00:59:07 0 d-------- C:\Program Files\Smartwizard Discovery
2008-01-17 00:51:20 0 d-------- C:\Documents and Settings\Owner\Application Data\InstallShield


-- Find3M Report ---------------------------------------------------------------

2008-01-28 23:05:48 0 d-------- C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-01-28 14:20:52 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-01-28 08:51:50 0 d-------- C:\Program Files\Steam
2008-01-28 08:51:50 0 d-------- C:\Program Files\PowerStrip
2008-01-27 17:24:16 0 d-------- C:\Program Files\Common Files\M?crosoft.NET
2008-01-27 16:50:50 0 d-------- C:\Program Files\Common Files
2008-01-17 00:51:43 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-16 23:46:24 0 d-------- C:\Program Files\mIRC


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0487D578-CA72-48B0-BBAD-60019A899D82}]
C:\Program Files\MSN\laduxaruj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15E4F930-6ED4-1B03-F248-19E34F96F29B}]
C:\WINDOWS\system32\idluvd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4360C8B7-5905-71AA-5710-5300CCCD88ED}]
01/28/2008 11:29 AM 60928 --a------ C:\WINDOWS\system32\tekwovsz.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
01/27/2008 04:18 PM 41984 --a------ C:\WINDOWS\system32\rqrolkl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6D7CA41-BB21-4DF8-9357-527CA9553F89}]
01/27/2008 05:24 PM 327168 --a------ C:\WINDOWS\system32\ddayv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5B0B90A-A20E-495D-BDD2-C3D075B1AD6C}]
C:\Program Files\Messenger\horefoq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"WMC_AutoUpdate"="" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" []
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"Aim6"="" []
"Qjpluhws"="C:\WINDOWS\?ecurity\?poolsv.exe" []
"Steam"="c:\program files\steam\steam.exe" []
"Aqg"="C:\Documents and Settings\Owner\My Documents\??sks\n?lookup.exe" [01/28/2008 11:29 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= C:\WINDOWS\system32\rqrolkl.dll [01/27/2008 04:18 PM 41984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 05/18/2007 10:56 PM 9216 C:\WINDOWS\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrolkl]
rqrolkl.dll 01/27/2008 04:18 PM 41984 C:\WINDOWS\system32\rqrolkl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqqnmn]
urqqnmn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddayv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3405494-412d-11dc-931f-0011111faa1e}]
AutoRun\command- .\Recycled\Driveinfo.exe
Open\Command- .\Recycled\Driveinfo.exe

*Newly Created Service* - RKPAVPROC
*Newly Created Service* - SDTHOOK
*Newly Created Service* - WVAWIUHCVHHW



-- End of Deckard's System Scanner: finished at 2008-01-29 01:45:50 ------------
 

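As an added example (not code from the original post, and not part of HijackThis, DSS or any other tool whose output appears above): a small Python triage script that runs over a handful of HijackThis lines copied from the log above and flags the entry types a helper would look at first: a configured IE proxy, a win.ini load= autostart, BHOs that are unnamed or whose DLL is missing, autorun paths containing characters the log could not render, and Winlogon Notify DLLs not on an allow-list. The allow-list KNOWN_GOOD_NOTIFY, the Finding class and the reason strings are assumptions of this example; the sample lines are a constructed subset of the posted log.

```python
import re
from dataclasses import dataclass

# Sample lines copied from the HijackThis log posted above (constructed subset for this example).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 217.195.246.83:8080
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddayv.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A6D7CA41-BB21-4DF8-9357-527CA9553F89} - C:\WINDOWS\system32\ddayv.dll
O2 - BHO: (no name) - {15E4F930-6ED4-1B03-F248-19E34F96F29B} - C:\WINDOWS\system32\idluvd.dll (file missing)
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Qjpluhws] C:\WINDOWS\?ecurity\?poolsv.exe
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: rqrolkl - C:\WINDOWS\SYSTEM32\rqrolkl.dll
"""

# Winlogon Notify DLL names this example treats as expected on the machine.
# This allow-list is an assumption of the example, not a HijackThis concept.
KNOWN_GOOD_NOTIFY = {"avgwlntf"}


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O2"
    reason: str   # why the line was flagged
    line: str     # the original log line


_NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - ")


def triage_line(line: str):
    """Return a Finding for one HijackThis line, or None if it looks routine."""
    line = line.rstrip()
    if " - " not in line:
        return None
    section = line.split(" - ", 1)[0]
    if section == "R1" and "ProxyServer" in line:
        return Finding(section, "IE proxy server configured", line)
    if section == "F3" and "load=" in line:
        return Finding(section, "win.ini load= autostart", line)
    if section == "O2":
        if "(file missing)" in line:
            return Finding(section, "BHO registered but its DLL is missing", line)
        if "(no name)" in line:
            return Finding(section, "BHO with no registered name", line)
    if section == "O4" and "?" in line:
        return Finding(section, "autorun path has characters the log could not render", line)
    if section == "O20":
        m = _NOTIFY_RE.match(line)
        if m and m.group(1).lower() not in KNOWN_GOOD_NOTIFY:
            return Finding(section, "Winlogon Notify DLL not on allow-list", line)
    return None


def triage(log_text: str):
    """Run triage_line over every line and collect the findings in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def summarize(findings):
    """Count findings per HijackThis section, e.g. {'O2': 2, 'O4': 1}."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

On the sample above this flags six lines and leaves the Adobe BHO, the Steam autorun and the AVG Notify DLL alone. The checks are triage prompts, not verdicts: "(no name)" also appears on some legitimate BHOs, and whether a look-alike directory name shows up as "?" depends on the code page the log was written with. Note also that the DSS registry dump above shows an LSA "Authentication Packages" value pointing at ddayv, a persistence point that these HijackThis lines do not cover, so a helper reads both logs rather than relying on one.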
#3 ·
Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

If you have any questions along the way, STOP and ask them before proceeding.
 
#4 · (Edited)
Already seems better since the reboot, no errors or popups so far...



ComboFix 08-02.02.4 - Owner 2008-02-02 0:36:44.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1579 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\rqrolkl.dll
C:\Documents and Settings\Owner\My Documents\SKS~1
C:\Documents and Settings\Owner\My Documents\SKS~1\n?lookup.exe
C:\Program Files\Common Files\mcroso~1.net
C:\Program Files\Common Files\mcroso~1.net\M?crosoft.NET\
C:\WINDOWS\Downloaded Program Files\Quarantine
C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\rqrolkl.dll
C:\WINDOWS\system32\tekwovsz.dll
C:\WINDOWS\system32\vyadd.ini
C:\WINDOWS\system32\vyadd.ini2
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-02-01 09:45 . 2008-02-01 09:45 3,584 --a------ C:\WINDOWS\system32\ddayv.exe
2008-01-31 00:50 . 2008-01-31 00:50 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-31 00:50 . 2008-01-31 00:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-31 00:48 . 2008-01-31 00:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-29 01:44 . 2008-01-29 01:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 01:41 . 2008-01-29 01:41 <DIR> d-------- C:\Deckard
2008-01-29 00:14 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-29 00:10 . 2008-01-30 23:50 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-29 00:03 . 2008-01-29 00:22 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-29 00:03 . 2008-01-29 00:03 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-27 16:17 . 2008-01-27 16:17 270,698 --a------ C:\WINDOWS\system32\L222.tmp
2008-01-27 16:17 . 2008-01-27 16:17 181,965 --a------ C:\WINDOWS\system32\L9A21.tmp
2008-01-26 08:40 . 2008-01-26 08:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-26 08:40 . 2008-01-26 08:40 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-23 15:46 . 2008-01-23 15:50 <DIR> d-------- C:\Program Files\ZOC5
2008-01-20 16:53 . 2008-01-21 17:04 <DIR> d-------- C:\Program Files\MioNet
2008-01-20 16:49 . 2008-01-20 16:49 21,504 --a------ C:\WINDOWS\jestertb.dll
2008-01-17 03:51 . 2008-01-31 00:35 <DIR> d-------- C:\Program Files\MediaMonkey
2008-01-17 03:44 . 2008-01-17 03:52 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-17 00:59 . 2008-01-17 00:59 <DIR> d-------- C:\Program Files\Smartwizard Discovery
2008-01-17 00:51 . 2008-01-17 00:51 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 06:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-02-01 05:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-01-31 13:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-31 05:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-01-31 05:34 --------- d-----w C:\Program Files\Axis Communications
2008-01-28 13:51 --------- d-----w C:\Program Files\Steam
2008-01-28 13:51 --------- d-----w C:\Program Files\PowerStrip
2008-01-17 05:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-17 04:46 --------- d-----w C:\Program Files\mIRC
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0487D578-CA72-48B0-BBAD-60019A899D82}]
C:\Program Files\MSN\laduxaruj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15E4F930-6ED4-1B03-F248-19E34F96F29B}]
C:\WINDOWS\system32\idluvd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5B0B90A-A20E-495D-BDD2-C3D075B1AD6C}]
C:\Program Files\Messenger\horefoq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"Aim6"="" []
"Qjpluhws"="C:\WINDOWS\?ecurity\?poolsv.exe" [ ]
"Steam"="c:\program files\steam\steam.exe" [ ]
"Aqg"="C:\Documents and Settings\Owner\My Documents\??sks\n?lookup.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"WMC_AutoUpdate"="" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-05-18 22:55 145920]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06 29696]
InterVideo Scheduler server.lnk - C:\Program Files\InterVideo\WinDVD4PR\SchSvr.exe [2004-08-27 14:17:54 135168]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2004-08-27 14:17:59 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-05-18 22:56 9216 C:\WINDOWS\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqqnmn]
urqqnmn.dll

R0 VVBackd5;VVBackd5;C:\WINDOWS\system32\drivers\VVBackd5.sys [2003-01-20 05:21]
R2 PStrip;PStrip;C:\WINDOWS\system32\drivers\pstrip.sys [2006-09-30 04:35]
R3 tap0801;TAP-Win32 Adapter V8;C:\WINDOWS\system32\DRIVERS\tap0801.sys [2007-10-30 00:54]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 00:58:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINDOWS\system32\Ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-02-02 1:00:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-02 06:00:38
ComboFix2.txt 2007-05-20 15:49:49
.
2008-01-09 04:50:39 --- E O F ---






Deckard's System Scanner v20071014.68
Run by Owner on 2008-02-02 01:08:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:54 AM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\InterVideo\WinDVD4PR\SchSvr.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 217.195.246.83:8080
O2 - BHO: 0 - {0487D578-CA72-48B0-BBAD-60019A899D82} - C:\Program Files\MSN\laduxaruj.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15E4F930-6ED4-1B03-F248-19E34F96F29B} - C:\WINDOWS\system32\idluvd.dll (file missing)
O2 - BHO: (no name) - {B5B0B90A-A20E-495D-BDD2-C3D075B1AD6C} - C:\Program Files\Messenger\horefoq.dll (file missing)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Qjpluhws] C:\WINDOWS\?ecurity\?poolsv.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Aqg] "C:\Documents and Settings\Owner\My Documents\??sks\n?lookup.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Epson printer Registration.lnk = D:\E_reg\EPSONREG.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo Scheduler server.lnk = C:\Program Files\InterVideo\WinDVD4PR\SchSvr.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://camserver.cookcams.net/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://74.94.178.163/activex/AMC.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://control4.webex.com/client/T25L/training/ieatgpc.cab
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: urqqnmn - urqqnmn.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6311 bytes

-- Files created between 2008-01-02 and 2008-02-02 -----------------------------

2008-02-02 00:34:01 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-02-02 00:34:01 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-02-02 00:34:01 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-02-02 00:34:01 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-02-01 09:45:25 3584 --a------ C:\WINDOWS\system32\ddayv.exe
2008-01-31 00:50:31 0 d-------- C:\Program Files\Lavasoft
2008-01-31 00:50:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-31 00:48:39 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-29 01:44:48 0 d-------- C:\Program Files\Trend Micro
2008-01-29 00:14:03 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-01-29 00:10:02 0 d-------- C:\Program Files\SpywareBlaster
2008-01-29 00:03:12 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-23 15:46:32 0 d-------- C:\Program Files\ZOC5
2008-01-20 16:53:06 0 d-------- C:\Program Files\MioNet
2008-01-20 16:49:36 21504 --a------ C:\WINDOWS\jestertb.dll
2008-01-17 03:51:59 0 d-------- C:\Program Files\MediaMonkey
2008-01-17 03:44:36 0 d-------- C:\WINDOWS\system32\NtmsData
2008-01-17 00:59:07 0 d-------- C:\Program Files\Smartwizard Discovery
2008-01-17 00:51:20 0 d-------- C:\Documents and Settings\Owner\Application Data\InstallShield


-- Find3M Report ---------------------------------------------------------------

2008-02-02 00:37:30 0 d-------- C:\Program Files\Common Files
2008-02-01 01:49:18 0 d-------- C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-02-01 00:41:24 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-01-31 00:41:17 0 d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-01-31 00:34:26 0 d-------- C:\Program Files\Axis Communications
2008-01-28 08:51:50 0 d-------- C:\Program Files\Steam
2008-01-28 08:51:50 0 d-------- C:\Program Files\PowerStrip
2008-01-17 00:51:43 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-16 23:46:24 0 d-------- C:\Program Files\mIRC


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0487D578-CA72-48B0-BBAD-60019A899D82}]
C:\Program Files\MSN\laduxaruj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15E4F930-6ED4-1B03-F248-19E34F96F29B}]
C:\WINDOWS\system32\idluvd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5B0B90A-A20E-495D-BDD2-C3D075B1AD6C}]
C:\Program Files\Messenger\horefoq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"WMC_AutoUpdate"="" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"Aim6"="" []
"Qjpluhws"="C:\WINDOWS\?ecurity\?poolsv.exe" []
"Steam"="c:\program files\steam\steam.exe" []
"Aqg"="C:\Documents and Settings\Owner\My Documents\??sks\n?lookup.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 05/18/2007 10:56 PM 9216 C:\WINDOWS\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqqnmn]
urqqnmn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

-- End of Deckard's System Scanner: finished at 2008-02-02 01:09:06 ------------
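The "Files created" section of the DSS log above is the part a helper reads first: a 3,584-byte ddayv.exe that appeared in system32 on 2008-02-01 with no publisher information is the same file the startup error in post #1 complains about. The script below is an added example, not part of the thread or of Deckard's System Scanner; it parses lines in that exact format (the sample is a trimmed copy of the entries above, with one non-ASCII character dropped), and shortlists executables, DLLs and drivers that landed inside the Windows tree, carry no publisher note or an unverified one, or are unusually small. The thresholds and the reasons are assumptions of this example, and the list is a starting point rather than a verdict: several of the flagged files were written in the same second and are command-line utilities a cleanup tool would carry with it, which a reviewer who knows which tools the user ran would discount.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, copied (and trimmed) from the "Files created" section of
# the DSS log above.  The trailing <...> note is the scanner's publisher check.
SAMPLE_CREATED = r"""
2008-02-02 00:34:01 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-02-02 00:34:01 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-02-01 09:45:25 3584 --a------ C:\WINDOWS\system32\ddayv.exe
2008-01-31 00:50:31 0 d-------- C:\Program Files\Lavasoft
2008-01-29 00:14:03 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda Antivirus>
2008-01-20 16:49:36 21504 --a------ C:\WINDOWS\jestertb.dll
2008-01-17 03:44:36 0 d-------- C:\WINDOWS\system32\NtmsData
"""

# date time size attrs path [<publisher note>]; the path may contain spaces
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (\S{9}) (.+?)(?: <(.*)>)?$"
)

def parse_created(text: str) -> List[Dict]:
    """Turn each DSS 'files created' line into a dict; skip anything unparsable."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        when, size, attrs, path, note = m.groups()
        entries.append({"when": when, "size": int(size), "attrs": attrs,
                        "path": path, "note": note})
    return entries

BINARY_EXT = ("exe", "dll", "sys")

def reasons_for(e: Dict) -> List[str]:
    """Heuristic flags; thresholds are assumptions of this example, not DSS output."""
    if e["attrs"].startswith("d"):
        return []                      # directory entry, nothing to verify
    ext = e["path"].rsplit(".", 1)[-1].lower()
    if ext not in BINARY_EXT:
        return []
    r = []
    if e["path"].lower().startswith("c:\\windows"):
        r.append("new binary inside the Windows tree")
    if e["note"] is None:
        r.append("no publisher information at all")
    elif e["note"].lower().startswith("not verified"):
        r.append("publisher claimed but not verified: " + e["note"])
    if e["size"] < 8192:
        r.append("unusually small binary (%d bytes)" % e["size"])
    return r

def triage_created(text: str) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for every flagged binary, most reasons first."""
    hits = [(e["path"], reasons_for(e)) for e in parse_created(text)]
    hits = [h for h in hits if h[1]]
    return sorted(hits, key=lambda h: -len(h[1]))

if __name__ == "__main__":
    for path, why in triage_created(SAMPLE_CREATED):
        print(path)
        for w in why:
            print("   -", w)
```

Run it against a saved DSS log by reading the file into the text argument; only the "Files created" lines match the pattern, so the rest of the log is ignored.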
 
#5 ·
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

This machine does not have the Windows XP Recovery Console installed. Did you encounter troubles with that part of the instructions?

The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

Please do this:

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

For you, it's Microsoft Windows XP Home Edition Service Pack 2

http://www.microsoft.com/downloads/...07-99F7-4A2D-983D-81C2137FF464&displaylang=en

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
 
#6 ·
This machine does not have the Windows XP Recovery Console installed. Did you encounter troubles with that part of the instructions?

When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
 
#7 · (Edited)
Good job. You can reboot as required.

It seems as though your machine has been infected with the latest version of the Vundo infection. It is a file infector, and replaces many legit exe files in startup. It's possible these applications will need to be reinstalled.

Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0487D578-CA72-48B0-BBAD-60019A899D82}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15E4F930-6ED4-1B03-F248-19E34F96F29B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5B0B90A-A20E-495D-BDD2-C3D075B1AD6C}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Qjpluhws"=-
"Aqg"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqqnmn]

Collect::
C:\WINDOWS\system32\ddayv.exe
C:\WINDOWS\system32\L222.tmp
C:\WINDOWS\system32\L9A21.tmp
C:\Documents and Settings\Owner\Desktop\vvqq.exe
Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

---------------------------------------------------------------------------------------------
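The CFScript above removes exactly the entries that stood out in the registry dump from post #4: three Browser Helper Objects whose DLL names are random strings, two Run values whose paths contain characters the scanner could only print as "?", and a Winlogon Notify package (urqqnmn) with no file behind it. The script below is an added example, not part of the thread or of ComboFix; it parses a dump in that format (the sample is constructed from the entries in post #4), applies those three checks, and prints the Registry:: block in the CFScript syntax the helper used, so the result can be compared with the helper's script by hand. Key paths are written back exactly as the dump prints them, "~" abbreviation included, because that is what the helper's script also did. The "random-looking name" rule (six or more lowercase letters and nothing else) is a crude assumption of this example, not a rule from any tool, and the script never touches the registry itself; it only produces text.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the autostart keys from the Deckard's System Scanner
# registry dump in post #4.  The '?' characters are how the scanner printed
# characters outside the console code page in two Run value paths.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0487D578-CA72-48B0-BBAD-60019A899D82}]
C:\Program Files\MSN\laduxaruj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15E4F930-6ED4-1B03-F248-19E34F96F29B}]
C:\WINDOWS\system32\idluvd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5B0B90A-A20E-495D-BDD2-C3D075B1AD6C}]
C:\Program Files\Messenger\horefoq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"Qjpluhws"="C:\WINDOWS\?ecurity\?poolsv.exe" []
"Steam"="c:\program files\steam\steam.exe" []
"Aqg"="C:\Documents and Settings\Owner\My Documents\??sks\n?lookup.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 05/18/2007 10:56 PM 9216 C:\WINDOWS\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqqnmn]
urqqnmn.dll
"""

RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]*)"')
LOWER_STEM = re.compile(r"^[a-z]{6,}$")   # assumption: crude "random name" test

def parse_dump(text: str) -> List[Tuple[str, List[str]]]:
    """Group the dump into (key, [value lines]) in the order they appear."""
    keys: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            keys.append((line[1:-1], []))
        elif keys:
            keys[-1][1].append(line)
    return keys

def random_looking(dll_path: str) -> bool:
    stem = dll_path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return bool(LOWER_STEM.match(stem))

def odd_path(path: str) -> bool:
    # '?' cannot appear in a Windows file name, so its presence means the scanner
    # substituted it for a look-alike character; real non-ASCII is treated the same
    return "?" in path or any(ord(c) > 126 for c in path)

def triage(dump: str) -> List[Tuple[str, str, str]]:
    """Return (kind, key, value-name-or-'') for entries worth removing."""
    findings = []
    for key, values in parse_dump(dump):
        low = key.lower()
        if "browser helper objects" in low:
            findings += [("bho", key, "") for v in values if random_looking(v)]
        elif low.endswith("\\currentversion\\run"):
            for v in values:
                m = RUN_VALUE.match(v)
                if m and odd_path(m.group(2)):
                    findings.append(("run", key, m.group(1)))
        elif "\\winlogon\\notify\\" in low:
            # a healthy entry resolves to date, size and full path; a bare DLL
            # name means the scanner found no file on disk behind the package
            findings += [("notify", key, "") for v in values if "\\" not in v]
    return findings

def build_cfscript(findings: List[Tuple[str, str, str]]) -> str:
    """Render findings in CFScript syntax: [-key] deletes a whole key,
    "name"=- deletes one value under the preceding [key] line."""
    lines = ["Registry::"]
    run_values: Dict[str, List[str]] = {}
    for kind, key, name in findings:
        if kind == "run":
            run_values.setdefault(key, []).append(name)
        else:
            lines.append(f"[-{key}]")
    for key, names in run_values.items():
        lines.append(f"[{key}]")
        lines += [f'"{n}"=-' for n in names]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_DUMP)), end="")
```

On the sample this yields the same six removals as the helper's script (the order differs: BHOs and the Notify key first, then the two Run values). Anything the heuristics miss, such as the Collect:: file list, still has to be added by a person reading the full log.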
 
#8 ·
When it came up asking me to submit the file for malware analysis, it didn't give me a file path below to copy to send. Do I just need to send a copy of this same file/log below?


ComboFix 08-02.02.4 - Owner 2008-02-05 20:30:59.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1539 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Desktop\vvqq.exe
C:\WINDOWS\system32\L222.tmp
C:\WINDOWS\system32\L9A21.tmp

.
((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.

2008-02-02 10:43 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-02-02 10:43 . 2006-08-19 19:46 211 --a------ C:\Boot.bak
2008-02-02 03:09 . 2008-02-02 03:09 <DIR> d-------- C:\WINDOWS\048298C9A4D3490B9FF9AB023A9238F3.TMP
2008-01-31 00:50 . 2008-01-31 00:50 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-31 00:50 . 2008-01-31 00:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-31 00:48 . 2008-01-31 00:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-29 01:44 . 2008-01-29 01:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 01:41 . 2008-01-29 01:41 <DIR> d-------- C:\Deckard
2008-01-29 00:14 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-29 00:10 . 2008-01-30 23:50 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-29 00:03 . 2008-01-29 00:22 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-29 00:03 . 2008-01-29 00:03 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-26 08:40 . 2008-01-26 08:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-26 08:40 . 2008-01-26 08:40 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-23 15:46 . 2008-01-23 15:50 <DIR> d-------- C:\Program Files\ZOC5
2008-01-20 16:53 . 2008-01-21 17:04 <DIR> d-------- C:\Program Files\MioNet
2008-01-20 16:49 . 2008-01-20 16:49 21,504 --a------ C:\WINDOWS\jestertb.dll
2008-01-17 03:51 . 2008-01-31 00:35 <DIR> d-------- C:\Program Files\MediaMonkey
2008-01-17 03:44 . 2008-01-17 03:52 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-17 00:59 . 2008-01-17 00:59 <DIR> d-------- C:\Program Files\Smartwizard Discovery
2008-01-17 00:51 . 2008-01-17 00:51 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 23:24 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-02-05 13:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-02 08:09 --------- d-----w C:\Program Files\Steam
2008-02-01 05:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-01-31 05:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-01-31 05:34 --------- d-----w C:\Program Files\Axis Communications
2008-01-28 13:51 --------- d-----w C:\Program Files\PowerStrip
2008-01-17 05:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-17 04:46 --------- d-----w C:\Program Files\mIRC
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0487D578-CA72-48B0-BBAD-60019A899D82}]
C:\Program Files\MSN\laduxaruj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15E4F930-6ED4-1B03-F248-19E34F96F29B}]
C:\WINDOWS\system32\idluvd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5B0B90A-A20E-495D-BDD2-C3D075B1AD6C}]
C:\Program Files\Messenger\horefoq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"Aim6"="" []
"Steam"="c:\program files\steam\steam.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"WMC_AutoUpdate"="" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-05-18 22:55 145920]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06 29696]
InterVideo Scheduler server.lnk - C:\Program Files\InterVideo\WinDVD4PR\SchSvr.exe [2004-08-27 14:17:54 135168]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2004-08-27 14:17:59 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-05-18 22:56 9216 C:\WINDOWS\system32\avgwlntf.dll

R0 VVBackd5;VVBackd5;C:\WINDOWS\system32\drivers\VVBackd5.sys [2003-01-20 05:21]
R2 PStrip;PStrip;C:\WINDOWS\system32\drivers\pstrip.sys [2006-09-30 04:35]
R3 tap0801;TAP-Win32 Adapter V8;C:\WINDOWS\system32\DRIVERS\tap0801.sys [2007-10-30 00:54]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 20:32:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-05 20:33:09
ComboFix-quarantined-files.txt 2008-02-06 01:33:01
ComboFix2.txt 2008-02-02 06:00:41
ComboFix3.txt 2007-05-20 15:49:49
.
2008-01-09 04:50:39 --- E O F ---
 
#9 · (Edited)
There should be on your desktop a file named similar to this:

[4]-Submit_2008-02-05@20:30.zip

There should also be a file, CF-Submit.htm; it will look like your default browser icon. If it's present, double-click on it, and follow the instructions on that page.

If it's not present, locate the zip file on your desktop, and submit it here:

http://www.bleepingcomputer.com/submit-malware.php?channel=4

Please include a link to this topic in your submission.

Also post a new HijackThis log.
 