Old 12-27-2008, 11:56 AM   #1 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 30
OS: WIN XP


Need help with malware on computer

Hello everyone. My daughter's computer is infected with a number of things that I cannot get rid of. I believe the cause to be her recent download and installation of the Limewire and DivX programs. Anyway, here is what I can identify as being running on her computer:

Virtumonde
prunnet.exe
gadcom.exe
winloggn.exe
mwsoemon.exe

There may be more but those are the ones I've been able to confirm are on there.

I've tried running AVG, Ad-aware and Spybot. The browser redirections seem to have stopped. One problem I have is that I cannot update any of these programs as access to their webpages is being blocked. Even from a browser I cannot get to Lavasoft, Grisoft or even Microsoft to install updates. IE and Firefox are affected, as is each account on the machine. The Windows Firewall and Auto Update services have been turned off (not by me). I've managed to turn the firewall back on, but cannot get the update service to run.

I've run DDS and the output is listed here. I've attached the Attach file as well as the Ark file. I had trouble running GMER and had to rename the file in order for it to run. I did get Rootkit activity warnings when it ran.

Hopefully the formatting of these is OK. I am having trouble getting files off of that computer. I am avoiding using thumb drives as I do not want the viruses to spread. In order to email the files I have to copy them into the email, as I am being blocked from attaching files to emails (even in Comcast's web mail), and then paste them back into a Notepad file.

Anyway, thanks for any help you can provide.

DDS log file:

DDS (Version 1.1.0) - NTFSx86
Run by Amanda at 12:57:29.59 on Sat 12/27/2008
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.959.414 [GMT -5:00]

AV: AVG 7.5.552 *On-access scanning enabled* (Outdated)

============== Running Processes ===============

H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
H:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Apple\Mobile Device
Support\bin\AppleMobileDeviceService.exe
H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
H:\PROGRA~1\Grisoft\AVG7\avgemc.exe
H:\WINDOWS\system32\HPZipm12.exe
H:\WINDOWS\system32\svchost.exe -k imgsvc
H:\Program Files\iPod\bin\iPodService.exe
H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
H:\WINDOWS\system32\wscntfy.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\Explorer.EXE
H:\PROGRA~1\Grisoft\AVG7\avgcc.exe
H:\WINDOWS\RTHDCPL.EXE
H:\Program Files\HP\HP Software Update\HPWuSchd2.exe
H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
H:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\WINDOWS\system32\rundll32.exe
H:\Program Files\AIM6\aim6.exe
H:\Program Files\Messenger\msmsgs.exe
H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
H:\Program Files\AIM6\aolsoftware.exe
H:\PROGRA~1\Grisoft\AVG7\avgw.exe
H:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
H:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
H:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
H:\WINDOWS\system32\HPZinw12.exe
H:\WINDOWS\system32\rundll32.exe
H:\Documents and Settings\Amanda\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - h:\program files\aol\aim toolbar 5.0\aoltb.dll
uURLSearchHooks: N/A: {00a6faf6-072e-44cf-8957-5838f569a31d} - h:\program files\mywebsearch\srchastt\1.bin\MWSSRCAS.DLL
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - h:\program files\aol\aim toolbar 5.0\aoltb.dll
mURLSearchHooks: N/A: {00a6faf6-072e-44cf-8957-5838f569a31d} - h:\program files\mywebsearch\srchastt\1.bin\MWSSRCAS.DLL
BHO: BHO Class: {15421b84-3488-49a7-ad18-cbf84a3efaf6} - h:\program files\webtools\webtools.dll
BHO: {3c51f30a-5627-464c-8045-7e71527ac20b} - h:\windows\system32\byXQIBtu.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - h:\program files\spybot - search & destroy\SDHelper.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - h:\windows\system32\vtUlKArR.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - h:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {5b7361a0-2ae2-ce9b-b114-91f2a5a17708}: {80771a5a-2f19-411b-b9ec-2ea20a1637b5} - h:\windows\system32\gisgrb.dll
BHO: {918642b4-b419-4870-8400-40217d7a7884} - h:\windows\system32\rqRKAtut.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - h:\program files\aol\aim toolbar 5.0\aoltb.dll
uRun: [Aim6] "h:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [MSMSGS] "h:\program files\messenger\msmsgs.exe" /background
uRun: [MyWebSearch Email Plugin] h:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
uRun: [prunnet] "h:\windows\system32\prunnet.exe"
uRun: [gadcom] "h:\documents and settings\amanda\application data\gadcom\gadcom.exe"
61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
uRun: [jsf8j34rgfght] h:\docume~1\amanda\locals~1\temp\winloggn.exe
uRun: [Jnskdfmf9eldfd] h:\docume~1\amanda\locals~1\temp\csrssc.exe
uRun: [Twain] h:\documents and settings\amanda\application data\twain\Twain.exe
mRun: [AVG7_CC] h:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [HP Software Update] h:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "h:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "h:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [QuickTime Task] "h:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "h:\program files\itunes\iTunesHelper.exe"
mRun: [000000af] rundll32.exe "h:\windows\system32\isimerly.dll",b
dRun: [AVG7_Run] h:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - h:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - h:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - h:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &AIM Search - h:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: &Search - http://edits.mywebsearch.com/toolbar...tml?p=ZKfox000
IE: E&xport to Microsoft Excel - h:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - h:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - h:\program files\aol\aim toolbar 5.0\aoltb.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - h:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: vtUlKArR - vtUlKArR.dll
AppInit_DLLs: gisgrb.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - h:\windows\system32\WPDShServiceObj.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - h:\windows\system32\vtUlKArR.dll
LSA: Authentication Packages = msv1_0 h:\windows\system32\byXQIBtu

================= FIREFOX ===================

FF - ProfilePath - h:\docume~1\amanda\applic~1\mozilla\firefox\profiles\fedl1srj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - component: h:\program files\mozilla firefox\components\srff.dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;h:\windows\system32\drivers\avg7core.sys [2007-11-12 821856]
R1 Avg7RsW;AVG7 Wrap Driver;h:\windows\system32\drivers\avg7rsw.sys [2007-11-12 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;h:\windows\system32\drivers\avg7rsxp.sys [2007-11-12 27776]
R1 AvgClean;AVG7 Clean Driver;h:\windows\system32\drivers\avgclean.sys [2007-11-12 10760]
R2 aawservice;Lavasoft Ad-Aware Service;"h:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 Avg7Alrt;AVG7 Alert Manager Server;h:\progra~1\grisoft\avg7\avgamsvr.exe [2007-11-12 418816]
R2 Avg7UpdSvc;AVG7 Update Service;h:\progra~1\grisoft\avg7\avgupsvc.exe [2007-11-12 49664]
R2 AVGEMS;AVG E-mail Scanner;h:\progra~1\grisoft\avg7\avgemc.exe [2007-11-12 406528]
R2 AvgTdi;AVG Network Redirector;h:\windows\system32\drivers\avgtdi.sys [2007-11-12 4960]
S2 MyWebSearchService;My Web Search Service;h:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe []
S2 Viewpoint Manager Service;Viewpoint Manager Service;"h:\program files\viewpoint\common\ViewpointService.exe" [2007-11-14 24652]

=============== Created Last 30 ================

2008-12-26 21:04 4,803 a--sh--- h:\windows\system32\utBIQXyb.ini2
2008-12-26 21:04 4,803 a--sh--- h:\windows\system32\utBIQXyb.ini
2008-12-26 21:04 293,376 a------- h:\windows\system32\byXQIBtu.dll
2008-12-26 20:59 45,056 a------- h:\windows\system32\khfDwXrS.dll
2008-12-26 17:49 <DIR> --d----- h:\program files\common files\Wise Installation Wizard
2008-12-25 19:14 <DIR> --d----- h:\docume~1\amanda\applic~1\SpeedRunner
2008-12-25 17:58 <DIR> --d----- h:\program files\Webtools
2008-12-24 18:04 1,745,930 a--sh--- h:\windows\system32\ylremisi.ini
2008-12-24 18:04 94,208 a------- h:\windows\system32\isimerly.dll
2008-12-24 18:02 15,000 a------- h:\windows\system32\tyshb36rfjdf.old
2008-12-24 18:02 58,368 a------- h:\windows\system32\hgGvwuvS.old
2008-12-24 18:01 136,192 a------- h:\windows\system32\gisgrb.old
2008-12-24 18:01 136,192 a------- h:\windows\system32\cvvelpys.old
2008-12-24 17:56 57,856 a------- h:\windows\system32\byXRjjkL.old
2008-12-24 17:52 1,219 a--sh--- h:\windows\system32\tutAKRqr.ini2
2008-12-24 17:52 1,219 a--sh--- h:\windows\system32\tutAKRqr.ini
2008-12-24 17:52 292,352 a------- h:\windows\system32\rqRKAtut.old
2008-12-24 17:47 58,880 a------- h:\windows\system32\vtUlKArR.dll
2008-12-24 17:47 70,656 a------- h:\windows\system32\prunnet.old.exe
2008-12-24 17:18 21,504 ac------ h:\windows\system32\dllcache\hidserv.dll
2008-12-24 17:18 21,504 a------- h:\windows\system32\hidserv.dll
2008-12-24 17:18 59,264 ac------ h:\windows\system32\dllcache\usbaudio.sys
2008-12-24 17:18 59,264 a------- h:\windows\system32\drivers\USBAUDIO.sys
2008-12-23 10:29 <DIR> --d----- h:\docume~1\amanda\applic~1\GameInvest

==================== Find3M ====================

2008-10-23 08:01 283,648 a------- h:\windows\system32\gdi32.dll
2008-10-16 05:37 659,456 a------- h:\windows\system32\wininet.dll
2008-10-03 05:15 247,326 a------- h:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- h:\windows\system32\msxml4.dll

============= FINISH: 13:00:58.76 ===============
Attached files: Attach.txt (14.0 KB), ark.txt (6.7 KB)
Ken_from_MD is offline  
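The DDS "Pseudo HJT Report" above is what the helpers read to separate the infection from the legitimate software on the box. As an added example (not from this thread, and not part of DDS or any tool the helpers use), here is a small Python triage script that applies a few of the persistence-location heuristics an analyst applies by hand when reading such a log: Run entries launched from temp or per-user profile directories, Winlogon Notify packages outside a small allowlist, any non-empty AppInit_DLLs value, an LSA authentication package other than msv1_0, policies that disable admin tools, and BHOs registered without a class name. The sample input is constructed from lines of this thread's own DDS log; the Notify allowlist, the path markers and the "high"/"medium" labels are my assumptions, not a DDS convention.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a handful of entries copied from the DDS "Pseudo HJT Report" in this thread.
SAMPLE_DDS = r"""
uRun: [Aim6] "h:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [prunnet] "h:\windows\system32\prunnet.exe"
uRun: [gadcom] "h:\documents and settings\amanda\application data\gadcom\gadcom.exe"
uRun: [jsf8j34rgfght] h:\docume~1\amanda\locals~1\temp\winloggn.exe
uRun: [Jnskdfmf9eldfd] h:\docume~1\amanda\locals~1\temp\csrssc.exe
mRun: [AVG7_CC] h:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [000000af] rundll32.exe "h:\windows\system32\isimerly.dll",b
Notify: AtiExtEvent - Ati2evxx.dll
Notify: vtUlKArR - vtUlKArR.dll
AppInit_DLLs: gisgrb.dll
LSA: Authentication Packages = msv1_0 h:\windows\system32\byXQIBtu
uPolicies-system: DisableRegistryTools = 1 (0x1)
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - h:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {3c51f30a-5627-464c-8045-7e71527ac20b} - h:\windows\system32\byXQIBtu.dll
"""


@dataclass
class Finding:
    severity: str   # "high" or "medium" (assumed labels, not a DDS concept)
    line: str       # the DDS entry that triggered the rule
    reason: str


# Assumed allowlist of Winlogon notification DLLs that are normal on an XP box with ATI drivers.
KNOWN_NOTIFY = {"ati2evxx.dll", "wlnotify.dll", "crypt32.dll", "cscdll.dll",
                "scecli.dll", "sclgntfy.dll", "wgalogon.dll"}
# Path fragments (DDS prints both 8.3 and long forms) meaning "runs out of a temp or profile dir".
PROFILE_MARKERS = ("\\temp\\", "locals~1\\temp", "\\application data\\", "\\applic~1\\")

RUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^Notify: (?P<name>\S+) - (?P<dll>\S+)$")
ANON_BHO_RE = re.compile(r"^BHO: \{[0-9a-fA-F-]{36}\} - ")


def triage_line(line: str) -> List[Finding]:
    """Apply the persistence-location heuristics to a single DDS entry."""
    findings: List[Finding] = []
    low = line.lower()
    m = RUN_RE.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd").lower()
        if any(marker in cmd for marker in PROFILE_MARKERS):
            findings.append(Finding("high", line,
                                    "autostart launched from a temp or per-user profile directory"))
        if re.fullmatch(r"[0-9a-f]{6,}", name.lower()):
            findings.append(Finding("medium", line, "autostart value name is a bare hex string"))
        if "rundll32" in cmd:
            findings.append(Finding("medium", line, "autostart loads a DLL through rundll32"))
        return findings
    m = NOTIFY_RE.match(line)
    if m:
        if m.group("dll").lower() not in KNOWN_NOTIFY:
            findings.append(Finding("high", line, "Winlogon notification package not in allowlist"))
    elif low.startswith("appinit_dlls:") and low.split(":", 1)[1].strip():
        findings.append(Finding("high", line,
                                "AppInit_DLLs loads this DLL into every process that loads user32"))
    elif low.startswith("lsa: authentication packages"):
        extra = [p for p in low.split("=", 1)[1].split() if p != "msv1_0"]
        if extra:
            findings.append(Finding("high", line,
                                    "LSA authentication package besides msv1_0: " + " ".join(extra)))
    elif "disableregistrytools = 1" in low or "nofolderoptions = 1" in low:
        findings.append(Finding("medium", line, "policy disables an administration tool"))
    elif ANON_BHO_RE.match(line):
        findings.append(Finding("medium", line, "BHO registered with no class name"))
    return findings


def triage(report: str) -> List[Finding]:
    """Run triage_line over every non-blank line of a DDS report."""
    return [f for raw in report.splitlines() if raw.strip() for f in triage_line(raw.strip())]


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(severity_counts(triage(SAMPLE_DDS)))
```

On this thread's sample the script flags the three temp/profile Run entries, the hex-named rundll32 entry, the unknown Notify DLL, the AppInit_DLLs value, the extra LSA package, the registry-tools policy and the anonymous BHO, while leaving the AIM, AVG, Java and ATI entries alone. The rules are deliberately about where and how something persists rather than about file names, because the file names in this infection (byXQIBtu, vtUlKArR, gisgrb) are random and change from machine to machine.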

Old 12-27-2008, 12:03 PM   #2 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,035
OS: WinXP and Vista


Re: Need help with malware on computer

Hello Ken_from_MD,

You are correct in your suspicions as to how this nasty infection got on your system. Uninstall Limewire and any other P2P programs. Show this link to your daughter.


It is safe to transfer via USB--the infection will not travel via that medium.

This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************

Download ComboFix.exe from here

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System

Download the file & save it as it's originally named, next to ComboFix.exe.

---------------------------------------------------------------------
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.

Please post the H:\ComboFix.txt for further review.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 12-27-2008, 02:18 PM   #3 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 30
OS: WIN XP


Re: Need help with malware on computer

I've downloaded the files as instructed and transferred them to the infected computer via USB drive. The Microsoft file is named WindowsXP-KB310994-SP2-Home-Bootdisk-ENU.exe

When I drag the Microsoft file over and drop it on the ComboFix icon, nothing happens.

Ken
Ken_from_MD is offline  
Old 12-27-2008, 02:22 PM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,035
OS: WinXP and Vista


Re: Need help with malware on computer

Make sure you don't let go until it is right on top of ComboFix.exe

If it still will not run, right click ComboFix.exe, rename it to combofxx.exe and try again.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 12-27-2008, 02:32 PM   #5 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 30
OS: WIN XP


Re: Need help with malware on computer

Still nothing, tried renaming as instructed.

I drag the MS file over until the name of the ComboFix icon is highlighted.

Ken
Ken_from_MD is offline  
Old 12-27-2008, 02:36 PM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,035
OS: WinXP and Vista


Re: Need help with malware on computer

Double click on combofxx and tell me if it begins to run. If it does, click NO at the disclaimer to exit combofix.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 12-27-2008, 02:44 PM   #7 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 30
OS: WIN XP


Re: Need help with malware on computer

Does not run on its own, original name or new.
Ken_from_MD is offline  
Old 12-27-2008, 02:46 PM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,035
OS: WinXP and Vista


Re: Need help with malware on computer

Boot into Safe Mode and try. Let me know if it runs in Safe Mode.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 12-27-2008, 03:06 PM   #9 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 30
OS: WIN XP


Re: Need help with malware on computer

When I boot into Safe mode all I get is a black screen with the words Safe Mode in each corner. There is no desktop or any icons visible.
Ken_from_MD is offline  
Old 12-27-2008, 03:10 PM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,035
OS: WinXP and Vista


Re: Need help with malware on computer

When you double clicked on ComboFix to run it in Normal Mode, did it do anything at all? Did you see a small box pop up that had a green progress bar?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 12-27-2008, 03:12 PM   #11 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 30
OS: WIN XP


Re: Need help with malware on computer

No, nothing happened. The hourglass appeared for about a second, then nothing.
Ken_from_MD is offline  
Old 12-27-2008, 03:24 PM   #12 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,035
OS: WinXP and Vista


Re: Need help with malware on computer

Alright, one more try, then we'll find other means.

Look on the H:\ drive and if there is a ComboFix folder, delete it.

Using another computer, download ComboFix again, but rename it before you save it. Rename it Ken.exe

Transfer to the desktop of the infected computer and try again.

----------------------------------------------

If it still will not run, then I'll need a more detailed log.

Download Rsit.exe and save it to your desktop.
  • Double click on RSIT.exe to run it.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post only the log.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 12-27-2008, 04:49 PM   #13 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 30
OS: WIN XP


Re: Need help with malware on computer

The combofix finally ran. I got several errors about not fully turning off AVG. The program rebooted the machine several times as it detected rootkit activity.

Here is the log file from Combofix:

ComboFix 08-12-26.03 - Amanda 2008-12-27 18:34:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.959.655 [GMT -5:00]
Running from: h:\documents and settings\Amanda\Desktop\ken.exe
Command switches used :: h:\documents and settings\Amanda\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: AVG 7.5.552 *On-access scanning enabled* (Outdated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

h:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
h:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
h:\documents and settings\Amanda\Application Data\FunWebProducts
h:\documents and settings\Amanda\Application Data\SpeedRunner
h:\documents and settings\Amanda\Application Data\SpeedRunner\config.cfg
h:\documents and settings\Amanda\Local Settings\Temporary Internet Files\bestwiner.stt
h:\documents and settings\Amanda\Local Settings\Temporary Internet Files\CPV.stt
h:\documents and settings\Amanda\Local Settings\Temporary Internet Files\fbk.sts
h:\documents and settings\Ken\Local Settings\Temporary Internet Files\CPV.stt
h:\windows\system32\byXQIBtu.dll
h:\windows\system32\drivers\TDSSpcuu.sys
h:\windows\system32\isimerly.dll
h:\windows\system32\TDSSktkl.dll
h:\windows\system32\TDSSlmjf.dll
h:\windows\system32\TDSSocum.dll
h:\windows\system32\TDSSqrwn.log
h:\windows\system32\TDSSurxb.dll
h:\windows\system32\TDSSweat.dat
h:\windows\system32\TDSSxehj.dll
h:\windows\system32\tutAKRqr.ini
h:\windows\system32\tutAKRqr.ini2
h:\windows\system32\utBIQXyb.ini
h:\windows\system32\utBIQXyb.ini2
h:\windows\system32\vtUlKArR.dll
h:\windows\system32\ylremisi.ini

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv.sys
-------\Legacy_TDSSserv.sys
-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2008-11-27 to 2008-12-27 )))))))))))))))))))))))))))))))
.

2008-12-26 20:59 . 2008-12-26 20:59 45,056 --a------ h:\windows\system32\khfDwXrS.dll
2008-12-26 17:50 . 2008-12-26 17:52 <DIR> d-------- h:\documents and settings\All Users\Application Data\Lavasoft
2008-12-26 17:49 . 2008-12-26 17:49 <DIR> d-------- h:\program files\Common Files\Wise Installation Wizard
2008-12-25 17:58 . 2008-12-25 17:58 <DIR> d-------- h:\program files\Webtools
2008-12-24 18:02 . 2008-12-24 18:02 58,368 --a------ h:\windows\system32\hgGvwuvS.old
2008-12-24 18:02 . 2008-12-24 18:02 15,000 --a------ h:\windows\system32\tyshb36rfjdf.old
2008-12-24 18:01 . 2008-12-24 18:01 136,192 --a------ h:\windows\system32\gisgrb.old
2008-12-24 18:01 . 2008-12-24 18:01 136,192 --a------ h:\windows\system32\cvvelpys.old
2008-12-24 17:56 . 2008-12-24 17:56 57,856 --a------ h:\windows\system32\byXRjjkL.old
2008-12-24 17:52 . 2008-12-24 17:52 292,352 --a------ h:\windows\system32\rqRKAtut.old
2008-12-24 17:47 . 2008-12-24 17:47 70,656 --a------ h:\windows\system32\prunnet.old.exe
2008-12-24 17:18 . 2004-08-03 23:07 59,264 --a------ h:\windows\system32\drivers\USBAUDIO.sys
2008-12-24 17:18 . 2004-08-03 23:07 59,264 --a--c--- h:\windows\system32\dllcache\usbaudio.sys
2008-12-24 17:18 . 2004-08-04 00:56 21,504 --a------ h:\windows\system32\hidserv.dll
2008-12-24 17:18 . 2004-08-04 00:56 21,504 --a--c--- h:\windows\system32\dllcache\hidserv.dll
2008-12-23 10:29 . 2008-12-23 10:29 <DIR> d-------- h:\documents and settings\Amanda\Application Data\GameInvest

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-27 22:39 --------- d-----w h:\documents and settings\Amanda\Application Data\U3
2008-12-27 22:29 --------- d-----w h:\documents and settings\Amanda\Application Data\AVG7
2008-12-27 01:59 --------- d-----w h:\documents and settings\Chris\Application Data\AVG7
2008-12-27 01:41 --------- d-----w h:\documents and settings\Ken\Application Data\AVG7
2008-12-26 22:50 --------- d-----w h:\program files\Lavasoft
2008-12-26 22:50 --------- d-----w h:\documents and settings\Ken\Application Data\Lavasoft
2008-12-23 15:29 --------- d-----w h:\program files\Yahoo! Games
2008-12-20 17:36 67,688 ----a-w h:\program files\mozilla firefox\components\jar50.dll
2008-12-20 17:36 54,368 ----a-w h:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 17:36 34,944 ----a-w h:\program files\mozilla firefox\components\myspell.dll
2008-12-20 17:36 46,712 ----a-w h:\program files\mozilla firefox\components\spellchk.dll
2008-12-26 00:14 73,728 ----a-w h:\program files\mozilla firefox\components\srff.dll
2008-12-20 17:36 172,136 ----a-w h:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EA756889-2338-43DB-8F07-D1CA6FB9C90D}"= "h:\program files\AOL\AIM Toolbar 5.0\aoltb.dll" [2008-03-07 1090912]

[HKEY_CLASSES_ROOT\clsid\{ea756889-2338-43db-8f07-d1ca6fb9c90d}]
[HKEY_CLASSES_ROOT\AOLTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{371A6A18-2D6A-4DF8-A4AA-61CA349B3C70}]
[HKEY_CLASSES_ROOT\AOLTB.AOLTBSearch]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}]
2008-12-25 17:58 90624 --a------ h:\program files\Webtools\webtools.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="h:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"MSMSGS"="h:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="h:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-21 590848]
"HP Software Update"="h:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"Adobe Reader Speed Launcher"="h:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="h:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="h:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="h:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 h:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="h:\progra~1\Grisoft\AVG7\avgw.exe" [2007-11-12 219136]

h:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - h:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
HP Photosmart Premier Fast Start.lnk - h:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]
Microsoft Office.lnk - h:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=gisgrb.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"h:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"h:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"h:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"h:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"h:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"h:\\WINDOWS\\system32\\spoolsv.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"h:\\Program Files\\AIM6\\aim6.exe"=
"h:\\Program Files\\iTunes\\iTunes.exe"=
"h:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Aware.exe"=
"h:\\Program Files\\Grisoft\\AVG7\\avgw.exe"=
"h:\\Program Files\\Grisoft\\AVG7\\avgvv.exe"=
"h:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"h:\program files\Viewpoint\Common\ViewpointService.exe" [2007-11-14 24652]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee3337f9-d3bf-11dd-8f3d-00192156bffa}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-20 h:\windows\Tasks\AppleSoftwareUpdate.job
- h:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-27 h:\windows\Tasks\fgzfpdmf.job
- h:\windows\system32\rundll32.exe [2006-02-28 07:00]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0D8E36A0-1E7A-4124-9744-C39E7F7B231E} - h:\windows\system32\byXQIBtu.dll
BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - h:\windows\system32\vtUlKArR.dll
BHO-{80771a5a-2f19-411b-b9ec-2ea20a1637b5} - h:\windows\system32\gisgrb.dll
BHO-{918642B4-B419-4870-8400-40217D7A7884} - h:\windows\system32\rqRKAtut.dll
HKCU-Run-prunnet - h:\windows\system32\prunnet.exe
ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - h:\windows\system32\vtUlKArR.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &AIM Search - h:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: &Search - http://edits.mywebsearch.com/toolbar...tml?p=ZKfox000
IE: E&xport to Microsoft Excel - h:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

h:\windows\Downloaded Program Files\popcaploader.dll - O16 -: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
hxxp://l.yimg.com/jh/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
h:\windows\Downloaded Program Files\popcaploader.inf
FF - ProfilePath - h:\documents and settings\Amanda\Application Data\Mozilla\Firefox\Profiles\fedl1srj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - component: h:\program files\Mozilla Firefox\components\srff.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-27 18:41:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(608)
h:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
h:\windows\system32\ati2evxx.exe
h:\program files\Lavasoft\Ad-Aware\aawservice.exe
h:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
h:\windows\system32\HPZipm12.exe
h:\windows\system32\wscntfy.exe
h:\windows\system32\ati2evxx.exe
h:\program files\iPod\bin\iPodService.exe
h:\program files\HP\Digital Imaging\bin\hpqimzone.exe
h:\program files\AIM6\aolsoftware.exe
h:\program files\HP\Digital Imaging\bin\hpqnrs08.exe
h:\program files\HP\Digital Imaging\bin\hpqste08.exe
h:\windows\system32\HPZinw12.exe
.
**************************************************************************
.
Completion time: 2008-12-27 18:42:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-27 23:42:56

Pre-Run: 307,698,532,352 bytes free
Post-Run: 307,808,620,544 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
h:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

216 --- E O F --- 2008-12-19 08:00:45
Ken_from_MD is offline  
Old 12-27-2008, 06:59 PM   #14 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,035
OS: WinXP and Vista


Re: Need help with malware on computer

Ready for round 2?

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/328362-need-help-malware-computer-post1881076.html#post1881076

Collect::
h:\windows\Tasks\fgzfpdmf.job
h:\windows\system32\khfDwXrS.dll
h:\windows\system32\tyshb36rfjdf.old
h:\windows\system32\gisgrb.old
h:\windows\system32\byXRjjkL.old
h:\windows\system32\rqRKAtut.old


File::
h:\windows\system32\cvvelpys.old
h:\windows\system32\prunnet.old.exe
h:\windows\system32\hgGvwuvS.old

Folder::
h:\program files\Webtools

DDS::
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search - http://edits.mywebsearch.com/toolbar...tml?p=ZKfox000

Firefox::
FF - component: h:\program files\Mozilla Firefox\components\srff.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
Save this as CFScript.txt





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.

Please return with the H:\ComboFix.txt and an update on system behavior.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
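As an added example (not the thread's own code and not ComboFix's), here is a small parser that turns a CFScript such as the one posted above into a list of actions for review before it is handed to the tool; the script above is used as the sample input. The meaning assigned to each directive is the commonly documented one and is an assumption of this example.

```python
"""Parse a ComboFix CFScript into a reviewable action plan.

Added example, not part of the thread and not ComboFix's own code.
It recognises the directive sections used in the script above
(Collect::, File::, Folder::, DDS::, Firefox::, Registry::) so the
requested actions can be reviewed before the script is run. The
per-directive semantics below are assumed, not taken from the tool.
"""
import re

# Sample input: the script posted in the thread above. ComboFix treats
# the leading thread URL as a comment; it is skipped here as well.
SAMPLE_SCRIPT = r"""
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/328362-need-help-malware-computer-post1881076.html#post1881076

Collect::
h:\windows\Tasks\fgzfpdmf.job
h:\windows\system32\khfDwXrS.dll
h:\windows\system32\tyshb36rfjdf.old
h:\windows\system32\gisgrb.old
h:\windows\system32\byXRjjkL.old
h:\windows\system32\rqRKAtut.old

File::
h:\windows\system32\cvvelpys.old
h:\windows\system32\prunnet.old.exe
h:\windows\system32\hgGvwuvS.old

Folder::
h:\program files\Webtools

DDS::
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search - http://edits.mywebsearch.com/toolbar...tml?p=ZKfox000

Firefox::
FF - component: h:\program files\Mozilla Firefox\components\srff.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')

# What each directive asks the tool to do (assumed semantics).
ACTIONS = {
    "Collect": "quarantine and package for upload",
    "File": "delete file",
    "Folder": "delete folder",
    "DDS": "remove matching DDS (IE settings) entry",
    "Firefox": "remove matching Firefox entry",
    "Registry": "apply registry edit",
}


def parse_cfscript(text):
    """Return {section: [entries]}; Registry entries are (key, name, value)."""
    sections, current, reg_key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            reg_key = None
            continue
        if current is None:
            continue  # comment/URL lines before the first directive
        if current != "Registry":
            sections[current].append(line)
            continue
        km = REG_KEY_RE.match(line)
        if km:
            reg_key = km.group(1)
            continue
        vm = REG_VALUE_RE.match(line)
        if not vm or reg_key is None:
            raise ValueError(f"unparsed Registry line: {line!r}")
        value = vm.group(2)  # a bare '-' would mean 'delete this value'
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        sections[current].append((reg_key, vm.group(1), value))
    return sections


def plan_actions(sections):
    """Flatten the parsed script into (action, target) pairs for review."""
    plan = []
    for name, entries in sections.items():
        action = ACTIONS.get(name, f"UNKNOWN directive {name}::")
        for entry in entries:
            if name == "Registry":
                key, vname, value = entry
                plan.append((action, f'{key} "{vname}"={value!r}'))
            else:
                plan.append((action, entry))
    return plan


def unknown_directives(sections):
    """Directive names the reviewer should not accept without looking up."""
    return sorted(n for n in sections if n not in ACTIONS)


if __name__ == "__main__":
    for action, target in plan_actions(parse_cfscript(SAMPLE_SCRIPT)):
        print(f"{action:40s} {target}")
```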
Old 12-27-2008, 08:22 PM   #15 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 30
OS: WIN XP


Re: Need help with malware on computer

The file from ComboFix has been sent as instructed.

Here are the contents of the Combofix log:

ComboFix 08-12-26.03 - Amanda 2008-12-27 22:16:09.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.959.552 [GMT -5:00]
Running from: h:\documents and settings\Amanda\Desktop\ken.exe
Command switches used :: h:\documents and settings\Amanda\Desktop\CFScript.txt
AV: AVG 7.5.552 *On-access scanning enabled* (Outdated)
* Created a new restore point

FILE ::
h:\windows\system32\cvvelpys.old
h:\windows\system32\hgGvwuvS.old
h:\windows\system32\prunnet.old.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

h:\program files\Webtools
h:\program files\Webtools\webtools.dll
h:\windows\system32\byXRjjkL.old
h:\windows\system32\cvvelpys.old
h:\windows\system32\gisgrb.old
h:\windows\system32\hgGvwuvS.old
h:\windows\system32\khfDwXrS.dll
h:\windows\system32\prunnet.old.exe
h:\windows\system32\rqRKAtut.old
h:\windows\system32\tyshb36rfjdf.old
h:\windows\Tasks\fgzfpdmf.job

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-28 )))))))))))))))))))))))))))))))
.

2008-12-26 17:50 . 2008-12-26 17:52 <DIR> d-------- h:\documents and settings\All Users\Application Data\Lavasoft
2008-12-26 17:49 . 2008-12-26 17:49 <DIR> d-------- h:\program files\Common Files\Wise Installation Wizard
2008-12-24 17:18 . 2004-08-03 23:07 59,264 --a------ h:\windows\system32\drivers\USBAUDIO.sys
2008-12-24 17:18 . 2004-08-03 23:07 59,264 --a--c--- h:\windows\system32\dllcache\usbaudio.sys
2008-12-24 17:18 . 2004-08-04 00:56 21,504 --a------ h:\windows\system32\hidserv.dll
2008-12-24 17:18 . 2004-08-04 00:56 21,504 --a--c--- h:\windows\system32\dllcache\hidserv.dll
2008-12-23 10:29 . 2008-12-23 10:29 <DIR> d-------- h:\documents and settings\Amanda\Application Data\GameInvest

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-27 22:39 --------- d-----w h:\documents and settings\Amanda\Application Data\U3
2008-12-27 22:29 --------- d-----w h:\documents and settings\Amanda\Application Data\AVG7
2008-12-27 01:59 --------- d-----w h:\documents and settings\Chris\Application Data\AVG7
2008-12-27 01:41 --------- d-----w h:\documents and settings\Ken\Application Data\AVG7
2008-12-26 22:50 --------- d-----w h:\program files\Lavasoft
2008-12-26 22:50 --------- d-----w h:\documents and settings\Ken\Application Data\Lavasoft
2008-12-23 15:29 --------- d-----w h:\program files\Yahoo! Games
2008-10-23 13:01 283,648 ----a-w h:\windows\system32\gdi32.dll
2008-10-16 19:13 202,776 ----a-w h:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w h:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w h:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w h:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w h:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w h:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w h:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w h:\windows\system32\wups.dll
2008-10-16 10:37 659,456 ----a-w h:\windows\system32\wininet.dll
2008-10-03 10:15 247,326 ----a-w h:\windows\system32\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w h:\windows\system32\msxml4.dll
2008-12-20 17:36 67,688 ----a-w h:\program files\mozilla firefox\components\jar50.dll
2008-12-20 17:36 54,368 ----a-w h:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 17:36 34,944 ----a-w h:\program files\mozilla firefox\components\myspell.dll
2008-12-20 17:36 46,712 ----a-w h:\program files\mozilla firefox\components\spellchk.dll
2008-12-26 00:14 73,728 ----a-w h:\program files\mozilla firefox\components\srff.dll
2008-12-20 17:36 172,136 ----a-w h:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-27_18.42.35.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-27 23:46:48 16,384 ----atw h:\windows\temp\Perflib_Perfdata_5a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="h:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"MSMSGS"="h:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="h:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-21 590848]
"HP Software Update"="h:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"Adobe Reader Speed Launcher"="h:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="h:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="h:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="h:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 h:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="h:\progra~1\Grisoft\AVG7\avgw.exe" [2007-11-12 219136]

h:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - h:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
HP Photosmart Premier Fast Start.lnk - h:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]
Microsoft Office.lnk - h:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"h:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"h:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"h:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"h:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"h:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"h:\\WINDOWS\\system32\\spoolsv.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"h:\\Program Files\\AIM6\\aim6.exe"=
"h:\\Program Files\\iTunes\\iTunes.exe"=
"h:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Aware.exe"=
"h:\\Program Files\\Grisoft\\AVG7\\avgw.exe"=
"h:\\Program Files\\Grisoft\\AVG7\\avgvv.exe"=
"h:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"h:\program files\Viewpoint\Common\ViewpointService.exe" [2007-11-14 24652]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e5b1f6f-214a-11dd-8f21-00192156bffa}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee3337f9-d3bf-11dd-8f3d-00192156bffa}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-20 h:\windows\Tasks\AppleSoftwareUpdate.job
- h:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: &AIM Search - h:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - h:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - h:\documents and settings\Amanda\Application Data\Mozilla\Firefox\Profiles\fedl1srj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - component: h:\program files\Mozilla Firefox\components\srff.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-27 22:17:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(608)
h:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-27 22:17:41
ComboFix-quarantined-files.txt 2008-12-28 03:17:37
ComboFix2.txt 2008-12-27 23:42:59

Pre-Run: 307,837,620,224 bytes free
Post-Run: 307,824,996,352 bytes free

161 --- E O F --- 2008-12-19 08:00:45
Ken_from_MD is offline  
Old 12-27-2008, 09:23 PM   #16 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,035
OS: WinXP and Vista


Re: Need help with malware on computer

Files received, thank you.

One more time, close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Quote:

DDS::
FF - component: h:\program files\Mozilla Firefox\components\srff.dll
Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at H:\ComboFix.txt

-------------------------------------------------

Next, it's important to run an online scan to search for remnants. It can take some time to complete, so be sure to let it run the full course.

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply along with the H:\ComboFix.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 12-28-2008, 01:16 PM   #17 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 30
OS: WIN XP


Re: Need help with malware on computer

Sorry about the delay, real life interferes.

I've run the script you sent and the kaspersky scan. Both reports are attached. The infected computer is still blocking access to certain web sites, including this one.

Combofix report:

ComboFix 08-12-26.03 - Amanda 2008-12-28 13:03:41.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.959.553 [GMT -5:00]
Running from: h:\documents and settings\Amanda\Desktop\ken.exe
Command switches used :: h:\documents and settings\Amanda\Desktop\CFScript.txt
AV: AVG 7.5.552 *On-access scanning enabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-28 )))))))))))))))))))))))))))))))
.

2008-12-26 17:50 . 2008-12-26 17:52 <DIR> d-------- h:\documents and settings\All Users\Application Data\Lavasoft
2008-12-26 17:49 . 2008-12-26 17:49 <DIR> d-------- h:\program files\Common Files\Wise Installation Wizard
2008-12-24 17:18 . 2004-08-03 23:07 59,264 --a------ h:\windows\system32\drivers\USBAUDIO.sys
2008-12-24 17:18 . 2004-08-03 23:07 59,264 --a--c--- h:\windows\system32\dllcache\usbaudio.sys
2008-12-24 17:18 . 2004-08-04 00:56 21,504 --a------ h:\windows\system32\hidserv.dll
2008-12-24 17:18 . 2004-08-04 00:56 21,504 --a--c--- h:\windows\system32\dllcache\hidserv.dll
2008-12-23 10:29 . 2008-12-23 10:29 <DIR> d-------- h:\documents and settings\Amanda\Application Data\GameInvest

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 18:02 --------- d-----w h:\documents and settings\Amanda\Application Data\AVG7
2008-12-27 22:39 --------- d-----w h:\documents and settings\Amanda\Application Data\U3
2008-12-27 01:59 --------- d-----w h:\documents and settings\Chris\Application Data\AVG7
2008-12-27 01:41 --------- d-----w h:\documents and settings\Ken\Application Data\AVG7
2008-12-26 22:50 --------- d-----w h:\program files\Lavasoft
2008-12-26 22:50 --------- d-----w h:\documents and settings\Ken\Application Data\Lavasoft
2008-12-23 15:29 --------- d-----w h:\program files\Yahoo! Games
2008-10-23 13:01 283,648 ----a-w h:\windows\system32\gdi32.dll
2008-10-16 19:13 202,776 ----a-w h:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w h:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w h:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w h:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w h:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w h:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w h:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w h:\windows\system32\wups.dll
2008-10-16 10:37 659,456 ----a-w h:\windows\system32\wininet.dll
2008-10-03 10:15 247,326 ----a-w h:\windows\system32\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w h:\windows\system32\msxml4.dll
2008-12-20 17:36 67,688 ----a-w h:\program files\mozilla firefox\components\jar50.dll
2008-12-20 17:36 54,368 ----a-w h:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 17:36 34,944 ----a-w h:\program files\mozilla firefox\components\myspell.dll
2008-12-20 17:36 46,712 ----a-w h:\program files\mozilla firefox\components\spellchk.dll
2008-12-26 00:14 73,728 ----a-w h:\program files\mozilla firefox\components\srff.dll
2008-12-20 17:36 172,136 ----a-w h:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-27_18.42.35.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-27 23:46:48 16,384 ----atw h:\windows\temp\Perflib_Perfdata_5a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="h:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"MSMSGS"="h:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="h:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-21 590848]
"HP Software Update"="h:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"Adobe Reader Speed Launcher"="h:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="h:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="h:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="h:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 h:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="h:\progra~1\Grisoft\AVG7\avgw.exe" [2007-11-12 219136]

h:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - h:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
HP Photosmart Premier Fast Start.lnk - h:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]
Microsoft Office.lnk - h:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"h:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"h:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"h:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"h:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"h:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"h:\\WINDOWS\\system32\\spoolsv.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"h:\\Program Files\\AIM6\\aim6.exe"=
"h:\\Program Files\\iTunes\\iTunes.exe"=
"h:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Aware.exe"=
"h:\\Program Files\\Grisoft\\AVG7\\avgw.exe"=
"h:\\Program Files\\Grisoft\\AVG7\\avgvv.exe"=
"h:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"h:\program files\Viewpoint\Common\ViewpointService.exe" [2007-11-14 24652]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee3337f9-d3bf-11dd-8f3d-00192156bffa}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-20 h:\windows\Tasks\AppleSoftwareUpdate.job
- h:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: &AIM Search - h:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - h:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - h:\documents and settings\Amanda\Application Data\Mozilla\Firefox\Profiles\fedl1srj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - component: h:\program files\Mozilla Firefox\components\srff.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 13:04:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(608)
h:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-28 13:05:08
ComboFix-quarantined-files.txt 2008-12-28 18:04:56
ComboFix2.txt 2008-12-28 03:17:42
ComboFix3.txt 2008-12-27 23:42:59

Pre-Run: 307,816,857,600 bytes free
Post-Run: 307,805,671,424 bytes free

142 --- E O F --- 2008-12-19 08:00:45


Kaspersky report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, December 28, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, December 28, 2008 15:58:18
Records in database: 1524935
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
G:\
H:\
I:\
J:\
Z:\

Scan statistics:
Files scanned: 40474
Threat name: 13
Infected objects: 14
Suspicious objects: 0
Duration of the scan: 0122


File name / Threat name / Threats count
H:\Documents and Settings\Amanda\My Documents\LimeWire\Incomplete\Preview-T-3515161-hello paramore - greatest hits.wma Infected: Trojan-Downloader.WMA.Wimad.n 1
H:\Documents and Settings\Amanda\My Documents\LimeWire\Incomplete\Preview-T-3877629-hello paramore.mp3 Infected: Trojan-Downloader.WMA.GetCodec.n 1
H:\Documents and Settings\Amanda\My Documents\LimeWire\Incomplete\T-3515161-hello paramore - greatest hits.wma Infected: Trojan-Downloader.WMA.Wimad.n 1
H:\Documents and Settings\Amanda\My Documents\LimeWire\Incomplete\T-460090-6 months hey monday sexy girl has shaking orgasm during sex.mp3 Infected: Trojan-Downloader.WMA.Wimad.o 1
H:\Qoobox\Quarantine\H\WINDOWS\system32\drivers\__.zip Infected: Backdoor.Win32.TDSS.bkw 1
H:\Qoobox\Quarantine\H\WINDOWS\system32\hgGvwuvS.old.vir Infected: Trojan.Win32.Monderb.aake 1
H:\Qoobox\Quarantine\H\WINDOWS\system32\isimerly.dll.vir Infected: Trojan.Win32.Monder.afjq 1
H:\Qoobox\Quarantine\H\WINDOWS\system32\prunnet.old.exe.vir Infected: Trojan-Clicker.Win32.VB.cqq 1
H:\Qoobox\Quarantine\H\WINDOWS\system32\TDSSktkl.dll.vir Infected: Backdoor.Win32.TDSS.blh 1
H:\Qoobox\Quarantine\H\WINDOWS\system32\TDSSlmjf.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
H:\Qoobox\Quarantine\H\WINDOWS\system32\TDSSocum.dll.vir Infected: Trojan.Win32.Agent.arvz 1
H:\Qoobox\Quarantine\H\WINDOWS\system32\TDSSurxb.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
H:\Qoobox\Quarantine\H\WINDOWS\system32\vtUlKArR.dll.vir Infected: Trojan.Win32.Monder.afdk 1
H:\Qoobox\Quarantine\[4]-Submit_2008-12-27@22.16.zip Infected: Trojan.Win32.Monderb.aaiq 1

The selected area was scanned.
Ken_from_MD is offline  
Old 12-28-2008, 01:34 PM   #18 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,035
OS: WinXP and Vista


Re: Need help with malware on computer

Hi Ken. No worries about the delay.

Download HostsXpert.
  • Unzip HostsXpert to its own folder.
  • Run HostsXpert.exe
  • Click 'Read Only' to toggle it to show "Make Writable?" in the upper left corner.
  • Click "Restore MS Hosts file" and then click OK.
  • Close HostsXpert.
  • Note: If a custom Hosts file was in place, you'll have to edit those entries back in.
==================================

Click Start>My Computer

Navigate to, and delete the following file:

h:\program files\mozilla firefox\components\srff.dll


Now navigate to the following folder and delete any files within it:

H:\Documents and Settings\Amanda\My Documents\LimeWire\Incomplete <delete contents of this folder.

*If Limewire has been uninstalled, you may simply delete the entire LimeWire folder

** Again, I highly recommend uninstalling LimeWire if you haven't already. Review the Kaspersky report and you will see the culprit of the serious rootkitted infection this system has undergone.

=======================

Reboot the system and let me know if you are now able to access all sites from this computer.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
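As an added example (not the thread's own code and not HostsXpert's) of the hosts-file check behind the restore step above: it flags entries that blackhole or redirect vendor and update sites like the ones the poster could not reach, and it clears the read-only attribute that produces a "Cannot create ...hosts" error before writing the stock file back. The vendor list, the sample hosts file and the path helper are assumptions of this example.

```python
"""Audit a Windows hosts file for hijacked entries and restore the stock file.

Added example, not part of the thread and not HostsXpert's code. A stock
XP hosts file maps only localhost; anything else is worth a look, and
entries pointing security-vendor or update hostnames at loopback explain
the "cannot reach Lavasoft/Grisoft/Microsoft" symptom from the thread.
"""
import os
import stat

# Content of the stock Microsoft hosts file (XP): localhost only.
STOCK_HOSTS = "127.0.0.1       localhost\n"

# Vendor/update domains to watch (assumed list, based on the sites named
# in the thread plus the scanners used in it).
WATCHED_SUFFIXES = ("lavasoft.com", "grisoft.com", "avg.com", "microsoft.com",
                    "windowsupdate.com", "safer-networking.org", "kaspersky.com")

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample resembling a hijacked hosts file (not from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.lavasoft.com
127.0.0.1       www.grisoft.com
127.0.0.1       update.microsoft.com windowsupdate.microsoft.com
0.0.0.0         www.kaspersky.com
192.0.2.10      www.google.com   # redirect rather than block
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, ignoring comments."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        for host in parts[1:]:
            yield parts[0], host.lower(), n


def audit_hosts(text):
    """Return suspicious entries as (line_no, ip, host, reason).

    Everything except localhost -> loopback is reported; watched vendor
    domains get a more specific reason so they stand out in the output."""
    findings = []
    for ip, host, n in parse_hosts(text):
        if host in ("localhost", "localhost.localdomain") and ip in LOOPBACK:
            continue
        if host.endswith(WATCHED_SUFFIXES):
            reason = "security vendor / update site blocked or redirected"
        elif ip in LOOPBACK or ip == "0.0.0.0":
            reason = "host blackholed"
        else:
            reason = "host redirected to " + ip
        findings.append((n, ip, host, reason))
    return findings


def hosts_path():
    """Location of the hosts file; %SystemRoot% is used when it is set."""
    root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    return os.path.join(root, "system32", "drivers", "etc", "hosts")


def is_read_only(path):
    """True if the owner-write bit is clear (the Windows read-only attribute).

    This is the state in which a restore fails with 'Cannot create ...hosts';
    HostsXpert's 'Make Writable' toggle clears it."""
    return not (os.stat(path).st_mode & stat.S_IWRITE)


def restore_stock_hosts(path):
    """Clear the read-only attribute if set, then write the stock content."""
    if os.path.exists(path) and is_read_only(path):
        os.chmod(path, stat.S_IWRITE | stat.S_IREAD)
    with open(path, "w", newline="\r\n") as f:
        f.write(STOCK_HOSTS)
    return STOCK_HOSTS


if __name__ == "__main__":
    for n, ip, host, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {n}: {ip:15s} {host:32s} {reason}")
```

Run `restore_stock_hosts(hosts_path())` from an elevated prompt only after reviewing the audit output, since any custom entries are overwritten, as the post above notes.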
Old 12-28-2008, 01:47 PM   #19 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 30
OS: WIN XP


Re: Need help with malware on computer

When I run the HostsXpert program I get an error when I click on the "Restore MS Hosts file" and then click OK. The error is:

Cannot create H:\WINDOWS\system32\DRIVERS\ETC\hosts
Ken_from_MD is offline  
Old 12-28-2008, 02:03 PM   #20 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,035
OS: WinXP and Vista


Re: Need help with malware on computer

My apologies, it looks as though my instructions were a bit 'backwards'. Click 'Make Writeable' button--so it toggles to Read Only.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Copyright 2001 - 2009, Tech Support Forum