MalwareRemoval.com
A fresh new hell


Post by DrPostman » December 11th, 2007, 4:59 am

I didn't do it this time, my GF's 16 year old son did, in spite of me telling him not to download any exe files, EVER. He thought he was downloading a game. The file is Street_Legal_Racing_Redline-dm.exe and I cannot delete it, nor remove it. Here is my HijackThis log:

---------startlog-----------
Logfile of HijackThis v1.99.1
Scan saved at 2:56:42 AM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Tiger Technologies\Holiday Lights\Holiday Lights.exe
C:\PROGRAM FILES\GOOGLE\GMAIL NOTIFIER\GNOTIFY.EXE
C:\PROGRAM FILES\WINDOWS DEFENDER\MSASCUI.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\JAVA\JRE1.6.0_03\BIN\JUSCHED.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trendmicro.com/hc_intro/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {2B3CF38E-7433-46B3-9C04-DEA9E0EFD98A} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: Holiday Lights.lnk = C:\Program Files\Tiger Technologies\Holiday Lights\Holiday Lights.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.memphiszoo.org
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} -
O20 - Winlogon Notify: awtrstt - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ssttr - C:\WINDOWS\
O20 - Winlogon Notify: tuvwvwt - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
------------endlog---------------------

You guys helped me about a month ago and I really hate bugging you again but I can't figure out how to get rid of this crap. I have plenty of patience so take your time on this, and I will await your suggestions.

Thanks,
Jamie
DrPostman
Regular Member
 
Posts: 41
Joined: November 10th, 2007, 7:01 am
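The part of the log above that a helper would look at first is the O20 block: three Winlogon Notify entries (awtrstt, ssttr, tuvwvwt) whose names look machine-generated and whose value is the bare directory C:\WINDOWS\ rather than a DLL, plus an O2 BHO registered with "(no file)" behind its CLSID. The script below is an added example of turning those observations into a repeatable check over HijackThis-format lines; it is not part of the original thread, not a HijackThis feature, and the KNOWN_NOTIFY allowlist, the vowel-ratio threshold and the sample lines are assumptions constructed for the example.

```python
import re

# Constructed sample in HijackThis 1.99 log format. The O2 and O20 lines
# mirror the shape of the entries posted in the thread; they are embedded
# here so the script runs offline without a real log file.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {2B3CF38E-7433-46B3-9C04-DEA9E0EFD98A} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O20 - Winlogon Notify: awtrstt - C:\\WINDOWS\\
O20 - Winlogon Notify: igfxcui - C:\\WINDOWS\\SYSTEM32\\igfxsrvc.dll
O20 - Winlogon Notify: ssttr - C:\\WINDOWS\\
O20 - Winlogon Notify: tuvwvwt - C:\\WINDOWS\\
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
"""

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")

VOWELS = set("aeiou")

# Assumed allowlist of Winlogon Notify names expected on this particular
# XP box (Intel graphics helper and Windows Genuine Advantage). Build your
# own baseline from a known-clean machine; this is only an illustration.
KNOWN_NOTIFY = {"igfxcui", "wgalogon"}


def vowel_ratio(name):
    """Fraction of alphabetic characters that are vowels (0.0 for no letters)."""
    letters = [c for c in name.lower() if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in VOWELS for c in letters) / len(letters)


def assess_notify(name, path):
    """Return the reasons an O20 entry looks suspicious (empty list if none)."""
    reasons = []
    if path.endswith("\\"):
        # A DllName that resolves to a directory means no file name was
        # registered; a legitimate notify package always names a DLL.
        reasons.append("DllName resolves to a directory, not a file")
    elif not path.lower().endswith(".dll"):
        reasons.append("DllName is not a .dll path")
    # Crude lexical heuristic (assumed threshold): an all-lowercase name that
    # is nearly vowel-free and not in the baseline looks generated.
    if name.lower() not in KNOWN_NOTIFY and name.islower() and vowel_ratio(name) < 0.2:
        reasons.append("random-looking lowercase name")
    return reasons


def assess_bho(path):
    """Return the reasons an O2 entry looks suspicious (empty list if none)."""
    reasons = []
    if path.strip().lower() == "(no file)":
        reasons.append("BHO CLSID registered but its file is missing")
    return reasons


def triage(log_text):
    """Scan HijackThis-format lines and collect O2/O20 findings in log order."""
    findings = []
    for line in log_text.splitlines():
        m = O20_RE.match(line)
        if m:
            reasons = assess_notify(m["name"], m["path"])
            if reasons:
                findings.append({"section": "O20", "id": m["name"], "reasons": reasons})
            continue
        m = O2_RE.match(line)
        if m:
            reasons = assess_bho(m["path"])
            if reasons:
                findings.append({"section": "O2", "id": m["clsid"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:>3} {f['id']}: {'; '.join(f['reasons'])}")
```

Run against the sample it reports the three consonant-heavy O20 names (each on two counts: bare directory and generated-looking name) and the orphaned BHO, and stays quiet on igfxcui and WgaLogon. The lexical test is deliberately weak on its own; the directory-instead-of-DLL condition is the stronger signal, and the two are meant to be read together with the ComboFix output, which lists the same three notify keys with nothing under them.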

Re: A fresh new hell

Post by ndmmxiaomayi » December 11th, 2007, 10:59 am

Hi Jamie,

It's me again. :)

Have you run any fixes by yourself?

If so, please list out what you've done.

I also don't see your antivirus running, although it's listed in the log. Have you disabled it? If so, please re-enable it. Unless I've told you to, never disable the antivirus program.

Please also do the following:

Step 1

Please disable WinPatrol temporarily as it can interfere with the fixes. You can re-enable it after your system is clean.

  1. Right click on the Scotty Dog near the clock and select Options.... A window will open.
  2. Select the Options tab.
  3. Uncheck (untick) this box: Automatically run Winpatrol when computer starts.
  4. Close the Winpatrol window.
  5. Right click on the Scotty Dog again and select Exit Program.

Step 2

If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

Please download Combofix from Bleeping Computer. Save it to your desktop.

If you can't download it, please try these 2 alternative sites:

Forospyware
Geeks to Go

Double click to run it. Follow the prompts. Once done, it will reboot and a log will be produced. Please post that log and a new HijackThis log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

Step 3

  1. Open HijackThis.
  2. Click on the Open the Misc Tools section button.
  3. Look under System tools.
  4. Click on the Open Uninstall Manager... button.
  5. Click on the Save list... button.
  6. It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  7. Notepad will open. Please post this log in your next reply.

In your next reply, please post:

  1. Combofix log (C:\Combofix.txt)
  2. A new HijackThis log
  3. The Uninstall list
  4. A summary of what you've done to remove the infections
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: A fresh new hell

Post by DrPostman » December 12th, 2007, 5:09 am

Well, I THOUGHT that AVG had run, but it didn't do its scheduled test today (because of the malware?). Other than that I have simply followed your new instructions.

ComboFix log:

ComboFix 07-12-12.3 - Jamie 2007-12-13 2:42:44.5 - NTFSx86
Running from: C:\Documents and Settings\Jamie\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 )))))))))))))))))))))))))))))))
.

2007-12-13 02:19 . 2007-12-13 02:22 1,393 --a------ C:\WINDOWS\imsins.BAK
2007-12-11 00:48 . 2007-12-11 00:57 <DIR> d-------- C:\Downloads
2007-12-10 06:51 . 1999-10-28 11:26 37,888 --a------ C:\WINDOWS\system32\Holiday Lights.scr
2007-12-10 06:50 . 2007-12-10 06:50 <DIR> d-------- C:\Program Files\Tiger Technologies
2007-12-08 17:42 . 2007-12-08 17:42 <DIR> d-------- C:\Program Files\Better File Series
2007-12-08 17:39 . 2007-12-08 17:39 <DIR> d-------- C:\doublekiller
2007-12-07 22:24 . 2007-12-10 03:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-07 22:24 . 2007-12-07 22:24 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-04 22:03 . 2007-12-04 22:03 <DIR> d-------- C:\Program Files\Rockstar Games
2007-12-04 20:29 . 2007-12-04 20:30 <DIR> d-------- C:\Program Files\GameTap
2007-12-04 20:29 . 2007-12-04 20:29 <DIR> d-------- C:\Documents and Settings\Jamie\Application Data\InstallShield
2007-12-04 20:29 . 2007-12-04 20:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GameTap
2007-12-02 02:53 . 2007-12-02 02:53 <DIR> d-------- C:\Program Files\Free Audio Pack
2007-12-02 02:53 . 1998-06-17 00:00 516,173 --a------ C:\WINDOWS\system32\MSVCP60D.DLL
2007-12-02 02:53 . 1998-06-17 00:00 385,100 --a------ C:\WINDOWS\system32\MSVCRTD.DLL
2007-12-02 02:53 . 1998-07-13 00:00 141,312 --a------ C:\WINDOWS\system32\MSCMCFR.DLL
2007-12-02 02:53 . 2000-10-01 20:00 119,568 --a------ C:\WINDOWS\system32\VB6FR.DLL
2007-12-02 02:53 . 1999-03-25 20:00 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2007-12-02 02:53 . 1998-07-13 00:00 59,904 --a------ C:\WINDOWS\system32\Mscc2fr.dll
2007-12-02 02:53 . 1998-07-12 20:00 32,768 --a------ C:\WINDOWS\system32\CMDLGFR.DLL
2007-12-02 02:53 . 1998-07-13 00:00 21,504 --a------ C:\WINDOWS\system32\TABCTFR.DLL
2007-12-02 02:53 . 1998-07-13 00:00 15,360 --a------ C:\WINDOWS\system32\inetfr.DLL
2007-11-30 22:54 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-11-26 19:58 . 2007-11-26 19:58 2,564 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2007-11-18 07:10 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-18 07:09 . 2007-11-18 07:10 <DIR> d-------- C:\Program Files\Java
2007-11-18 07:09 . 2007-11-18 07:09 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-17 18:38 . 2007-11-17 18:38 <DIR> d-------- C:\Documents and Settings\Jamie\Application Data\Lexmark Productivity Studio
2007-11-17 10:06 . 2007-11-17 10:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-17 10:06 . 2007-11-17 10:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-17 01:07 . 2007-11-17 01:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-11-17 00:51 . 2007-11-17 00:51 <DIR> d-------- C:\Documents and Settings\Jamie\Application Data\Grisoft
2007-11-17 00:51 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-17 00:19 . 2007-12-10 03:03 <DIR> d-------- C:\Program Files\Lx_cats
2007-11-17 00:08 . 2007-11-17 00:08 <DIR> d-------- C:\Program Files\Lexmark Toolbar
2007-11-17 00:08 . 2007-11-17 18:28 <DIR> d-------- C:\Program Files\Lexmark 1300 Series
2007-11-17 00:08 . 2007-05-17 07:54 323,584 --a------ C:\WINDOWS\system32\LXDChcp.dll
2007-11-17 00:08 . 2007-05-17 08:09 286,720 --a------ C:\WINDOWS\system32\LXDCinst.dll
2007-11-17 00:08 . 2006-12-05 22:19 44 --a------ C:\WINDOWS\system32\lxdcrwrd.ini
2007-11-17 00:07 . 2007-11-17 00:07 <DIR> d-------- C:\logs
2007-11-17 00:07 . 2007-11-17 18:29 132,066 --a------ C:\WINDOWS\system32\LexFiles.ulf
2007-11-17 00:06 . 2007-03-28 07:16 344,064 -ra------ C:\WINDOWS\system32\lxdccoin.dll
2007-11-17 00:06 . 2007-03-18 19:45 77,906 -ra------ C:\WINDOWS\system32\lxdccfg.dll
2007-11-17 00:06 . 2007-05-25 03:19 1,827 -ra------ C:\WINDOWS\system32\lxdc.loc
2007-11-17 00:02 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-11-17 00:02 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2007-11-15 07:21 . 2007-11-15 07:21 <DIR> d-------- C:\Program Files\NCH Software
2007-11-14 02:51 . 2005-09-20 17:27 10,368 --------- C:\WINDOWS\system32\drivers\iviaspi.sys
2007-11-14 02:50 . 2005-09-20 17:27 10,368 --a------ C:\WINDOWS\system32\iviaspi.sys
2007-11-14 02:49 . 2007-11-14 02:49 <DIR> d-------- C:\Program Files\Sandisk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-13 08:35 --------- d-----w C:\Documents and Settings\Jamie\Application Data\AVG7
2007-12-13 08:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-13 07:43 --------- d-----w C:\Documents and Settings\Jamie\Application Data\SiteAdvisor
2007-12-12 22:42 26,657,763 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-11 22:03 --------- d-----w C:\Documents and Settings\Jamie\Application Data\uTorrent
2007-12-09 13:13 --------- d-----w C:\Documents and Settings\Jamie\Application Data\dvdcss
2007-12-09 09:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-08 20:32 --------- d-----w C:\Program Files\PeerGuardian2
2007-12-07 07:40 --------- d-----w C:\Program Files\ICE
2007-12-06 02:31 --------- d-----w C:\Program Files\Camfrog
2007-12-05 04:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-02 05:42 --------- d-----w C:\Documents and Settings\Jamie\Application Data\NCH Swift Sound
2007-12-02 05:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-12-02 05:33 --------- d-----w C:\Program Files\NCH Swift Sound
2007-11-28 02:04 --------- d-----w C:\Program Files\SuperWebcam
2007-11-26 08:43 148,752 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_11_24_16_18_42_small.dmp.zip
2007-11-19 10:36 --------- d-----w C:\Documents and Settings\Jamie\Application Data\Registry Booster
2007-11-17 06:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-16 00:26 --------- d-----w C:\Program Files\Kermit
2007-11-14 07:26 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-13 00:52 --------- d-----w C:\Program Files\Virtual Laguna Beach
2007-11-10 12:47 --------- d-----w C:\Documents and Settings\Jamie\Application Data\TrojanHunter
2007-11-10 11:14 --------- d-----w C:\Program Files\TrojanHunter 5.0
2007-11-09 07:02 208,996 ----a-w C:\WINDOWS\system32\MuteHook.dll
2007-11-09 07:00 208,997 ----a-w C:\WINDOWS\system32\MyCfHook.dll
2007-11-07 05:17 --------- d-----w C:\Program Files\VirtualDJ
2007-11-06 12:29 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-30 10:16 3,058,688 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 04:36 127,116 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_27_21_01_57_small.dmp.zip
2007-10-30 04:36 120,410 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_27_11_17_08_small.dmp.zip
2007-10-30 04:29 --------- d-----w C:\Program Files\Google
2007-10-30 04:27 --------- d-----w C:\Program Files\RealArcade
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-29 22:10 --------- d-----w C:\Documents and Settings\Jamie\Application Data\Camfrog
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-27 01:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-10-27 01:44 --------- d-----w C:\Program Files\WebcamMax
2007-10-27 01:38 --------- d-----w C:\Program Files\RSSoft
2007-10-26 03:36 8,454,656 ------w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-23 06:44 134,176 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_22_01_57_14_small.dmp.zip
2007-10-23 06:30 --------- d-----w C:\Program Files\Crocodile 2.0
2007-10-22 05:23 --------- d-----w C:\Program Files\Camfrog DJ
2007-10-20 19:39 118,557 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_20_08_08_12_small.dmp.zip
2007-10-20 11:29 120,222 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_20_06_25_35_small.dmp.zip
2007-10-20 00:54 126,792 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_18_08_09_50_small.dmp.zip
2007-10-18 06:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom
2007-10-15 11:10 117,884 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_13_21_27_00_small.dmp.zip
2007-10-15 11:09 23,125,614 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_13_18_49_11_full.dmp.zip
2007-10-12 09:44 120,421 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_11_14_12_45_small.dmp.zip
2007-10-11 06:13 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-10-11 06:13 659,456 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-11 06:13 615,424 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-11 06:13 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-11 06:13 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-11 06:13 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-10-11 06:13 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-11 06:13 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-10-11 06:13 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-10-11 06:13 251,392 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-10-11 06:13 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-11 06:13 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-11 06:13 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-10-11 06:13 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-11 06:13 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-10-11 06:13 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-10-11 06:13 1,023,488 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-10-10 11:16 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
.

((((((((((((((((((((((((((((( snapshot@2007-12-12_16.24.46.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-29 22:35:13 1,287,680 ----a-w C:\WINDOWS\$hf_mig$\KB941568\SP2QFE\quartz.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB941568\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB941568\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\updspapi.dll
+ 2007-10-11 05:57:29 1,024,000 ----a-w C:\WINDOWS\$hf_mig$\KB942615\SP2QFE\browseui.dll
+ 2007-10-11 05:57:29 151,040 ----a-w C:\WINDOWS\$hf_mig$\KB942615\SP2QFE\cdfview.dll
+ 2007-10-11 05:57:30 1,054,208 ----a-w C:\WINDOWS\$hf_mig$\KB942615\SP2QFE\danim.dll
+ 2007-10-11 05:57:30 357,888 ----a-w C:\WINDOWS\$hf_mig$\KB942615\SP2QFE\dxtmsft.dll
+ 2007-10-11 05:57:30 205,824 ----a-w C:\WINDOWS\$hf_mig$\KB942615\SP2QFE\dxtrans.dll
+ 2007-10-11 05:57:30 55,808 ----a-w C:\WINDOWS\$hf_mig$\KB942615\SP2QFE\extmgr.dll
+ 2007-10-10 10:48:23 18,432 ----a-w C:\WINDOWS\$hf_mig$\KB942615\SP2QFE\iedw.exe
+ 2007-10-11 05:57:31 251,904 ----a-w C:\WINDOWS\$hf_mig$\KB942615\SP2QFE\iepeers.dll
+ 2007-10-11 05:57:31 96,256 ----a-w C:\WINDOWS\$hf_mig$\KB942615\SP2QFE\inseng.dll
+ 2007-10-11 05:57:31 16,384 ----a-w C:\WINDOWS\$hf_mig$\KB942615\SP2QFE\jsproxy.dll
+ 2007-10-30 09:55:21 3,065,856 ----a-w C:\WINDOWS\$hf_mig$\KB942615\SP2QFE\mshtml.dll
+ 2007-10-11 05:57:36 449,024 ----a-w C:\WINDOWS\$hf_mig$\KB942615\SP2QFE\mshtmled.dll
+ 2007-10-11 05:57:36 146,432 ----a-w C:\WINDOWS\$hf_mig$\KB942615\SP2QFE\msrating.dll
+ 2007-10-11 05:57:37 532,480 ----a-w C:\WINDOWS\$hf_mig$\KB942615\SP2QFE\mstime.dll
+ 2007-10-11 05:57:37 39,424 ----a-w C:\WINDOWS\$hf_mig$\KB942615\SP2QFE\pngfilt.dll
+ 2007-10-11 05:57:39 1,498,112 ----a-w C:\WINDOWS\$hf_mig$\KB942615\SP2QFE\shdocvw.dll
+ 2007-10-11 05:57:40 474,112 ----a-w C:\WINDOWS\$hf_mig$\KB942615\SP2QFE\shlwapi.dll
+ 2007-10-11 05:57:40 617,984 ----a-w C:\WINDOWS\$hf_mig$\KB942615\SP2QFE\urlmon.dll
+ 2007-10-11 05:57:41 666,112 ----a-w C:\WINDOWS\$hf_mig$\KB942615\SP2QFE\wininet.dll
+ 2007-10-10 10:34:35 350,720 ----a-w C:\WINDOWS\$hf_mig$\KB942615\SP2QFE\xpsp3res.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB942615\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB942615\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB942615\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB942615\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB942615\update\updspapi.dll
+ 2007-11-13 11:02:46 60,416 ----a-w C:\WINDOWS\$hf_mig$\KB942763\SP2QFE\tzchange.exe
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB942763\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB942763\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB942763\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB942763\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB942763\update\updspapi.dll
+ 2007-11-14 07:18:03 450,560 ----a-w C:\WINDOWS\$hf_mig$\KB942840\SP2QFE\jscript.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB942840\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB942840\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB942840\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB942840\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB942840\update\updspapi.dll
+ 2007-11-13 08:47:45 20,480 ----a-w C:\WINDOWS\$hf_mig$\KB944653\SP2QFE\secdrv.sys
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB944653\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB944653\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB944653\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB944653\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB944653\update\updspapi.dll
- 2007-08-22 13:12:15 1,022,976 ----a-w C:\WINDOWS\system32\browseui.dll
+ 2007-10-11 06:13:44 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
- 2007-08-22 13:12:15 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
+ 2007-10-11 06:13:44 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
- 2007-08-22 13:12:16 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
+ 2007-10-11 06:13:44 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
- 2007-08-22 13:12:16 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2007-10-11 06:13:44 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2007-08-22 13:12:16 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2007-10-11 06:13:44 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-08-22 13:12:16 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2007-10-11 06:13:44 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2007-08-22 13:12:16 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2007-10-11 06:13:44 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2007-08-22 13:12:16 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2007-10-11 06:13:44 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
- 2006-05-18 05:24:25 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2007-11-14 07:26:56 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
- 2007-08-22 13:12:16 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2007-10-11 06:13:44 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2007-11-02 07:12:57 18,238,072 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-12-02 23:00:06 18,684,536 ----a-w C:\WINDOWS\system32\MRT.exe
- 2007-08-22 13:12:17 3,058,176 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2007-10-30 10:16:33 3,058,688 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-08-22 13:12:17 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2007-10-11 06:13:45 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-08-22 13:12:17 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2007-10-11 06:13:45 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-08-22 13:12:17 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2007-10-11 06:13:45 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
- 2007-08-22 13:12:17 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2007-10-11 06:13:45 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2007-08-22 13:12:18 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2007-10-11 06:13:45 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
- 2007-08-22 13:12:18 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2007-10-11 06:13:45 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
- 2007-07-18 12:42:22 60,416 ----a-w C:\WINDOWS\system32\tzchange.exe
+ 2007-11-13 11:31:11 60,416 ----a-w C:\WINDOWS\system32\tzchange.exe
- 2007-08-22 13:12:18 615,424 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2007-10-11 06:13:45 615,424 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2007-08-22 13:12:18 658,944 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2007-10-11 06:13:45 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
- 2007-12-11 08:45:14 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
+ 2007-12-13 08:33:06 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 19:12]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 16:34]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 16:34]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-11-30 22:38]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 06:05]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 18:04]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NaturalColorLoad.lnk - C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe [2006-02-22 22:15:49]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrstt]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssttr]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvwvwt]

R2 lxdc_device;lxdc_device;C:\WINDOWS\system32\lxdccoms.exe -service
R2 X4HSX32;X4HSX32;\??\C:\Program Files\GameTap\bin\Release\X4HSX32.Sys
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\WINDOWS\system32\DRIVERS\ManyCam.sys
R3 PAC207;PC Camer@;C:\WINDOWS\system32\DRIVERS\PFC027.SYS
R3 SUPERWEBCAM;SuperWebcam, WDM Virtual Video Capture Device;C:\WINDOWS\system32\DRIVERS\superwebcam.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
S3 gkmixern;gkmixern;\??\C:\DOCUME~1\Jamie\LOCALS~1\Temp\gkmixern.sys
S4 lxdcCATSCustConnectService;lxdcCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdcserv.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-13 08:33:21 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 02:51:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-13 2:54:17
C:\ComboFix2.txt ... 2007-12-12 16:29
C:\ComboFix3.txt ... 2007-11-14 16:04
.
2007-12-13 08:27:22 --- E O F ---


HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:06:05 AM, on 12/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trendmicro.com/hc_intro/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.memphiszoo.org
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} -
O20 - Winlogon Notify: awtrstt - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ssttr - C:\WINDOWS\
O20 - Winlogon Notify: tuvwvwt - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Uninstall list:

Sansa Media Converter
µTorrent
ACDSee 7.0 PowerPack
Aces High II
Ad-Aware SE Personal
Adobe Stock Photos 1.0
Age of Sail II
AVG 7.5
AVG Anti-Spyware 7.5
Bazooka Scanner
Bejeweled 2 Deluxe
Belarc Advisor 7.0
BellSouth FastAccess DSL Help Center
Better File Series 5.1
Broadcom Management Programs
Camfrog DJ
CCleaner (remove only)
CO2 Saver
Crocodile 2.0
DAEMON Tools
DawnOfWar
Dell Driver Reset Tool
Dell Media Experience
Dell Picture Studio v3.0
Dell Support 3.1
Demolition Racer
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Dragons Abode
EA downloader
EA SPORTS online 2007
Express Burn Uninstall
Express Rip Uninstall
Fire Ice Scopes OpenGL Plug-in (remove only)
Foxit Reader
Free Mp3 Wma Converter V 1.6.3
GameTap
Google Earth
Google Gmail Notifier
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Video Player
GT Interactive - Driver
GTA2
HijackThis 1.99.1
Holiday Lights 5.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
HPS Campaign Waterloo
HPS Tsushima
Ice Camfrog Extension
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Extreme Graphics Driver
Internet Explorer Default Page
IrisAPE 1.0
IsoBuster 1.9.1
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Jasc Paint Shop Pro Studio.01 , Dell Edition 1.0.1.1 Patch
Java(TM) 6 Update 3
Kaspersky Online Scanner
Kermit
Learn2 Player (Uninstall Only)
Lexmark 1300 Series
Lizardtech DjVu Control
Lottso! de Luxe
Macromedia Flash Player
Macromedia Flash Player 8
Macromedia Shockwave Player
Madden NFL 07
ManyCam 2.1 (remove only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Combat Flight Simulator 2
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Midnight Club II Demo
Miss Piggy
Modem Event Monitor
Monopoly 3
Monopoly by Parker Brothers
Mozilla Firefox (2.0.0.11)
MrRobot 1.05
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MTV's Virtual Worlds (remove only)
Multilingual Speaking Clock 2.5
Musicmatch® Jukebox
MySpaceIM
Natural Color
Nero 7 Ultra Edition
neroxml
Neverwinter Nights Platinum Edition
Opera 9.23
PC CIF Camer@
PeerGuardian 2.0
PGIII Scorched Earth
PhoTags Express
Photo Click
PowerDVD 5.5
QuickTime
RarZilla Free Unrar 1.00
RealArcade
RealPlayer
RecordPad Sound Recorder Uninstall
Red Ace Squadron
Rhapsody Player Engine
SBNews: News Robot v 10.2
Security Task Manager 1.7e
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
Serious Sam: The First Encounter
Serious Sam: The Second Encounter
Spybot - Search & Destroy 1.4
Starscape V1.5c
Steel Panthers World At War v8.20
Super Webcam
Switch
The Operational Art of War III
The Operational Art of War: Century of Warfare
TrojanHunter 5.0
Uniblue Registry Booster
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
VideoLAN VLC media player 0.8.5
Viewpoint Media Player
Virtual DJ - Atomix Productions
Vongo
War Plan Orange
WD Diagnostics
WebCyberCoach 3.2 Dell
WinAce Archiver
Winamp (remove only)
WinAVI Video Converter
Windows Defender
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
WinPatrol
WinPatrol 2007 Restore/Remove First
WinPatrol 2007 Step 2
WinRAR archiver
WinSPMBT
WinSPWW2 Ver 1.1B Upgrade
WinSPWW2v1 DL Edition
WinZip
Yahtzee Download Edition
ZoneAlarm Pro

That's it for now. Thanks again for your assistance, and sorry I
didn't get this done until now. The holidays have me busy as
hell.

Thanks,
Jamie
DrPostman
Regular Member
 
Posts: 41
Joined: November 10th, 2007, 7:01 am

Re: A fresh new hell

Unread postby ndmmxiaomayi » December 12th, 2007, 7:11 am

Hi Jamie,

uTorrent is installed on your computer and I see that it's running. While uTorrent is a clean P2P program, there's no guarantee that the files downloaded are. Please refrain from using it while cleaning your computer to prevent getting more infections.

A list of clean and infected P2P programs can be found at Malware Removal and Spyware Info.

The risks of using a P2P program are stated in this Sourceforge website and Information Week article.

Please also read Malware Removal's Guide on P2P Programs.

Step 1

  1. Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.
  2. Click on Mode > Advanced Mode. When it prompts you, click Yes.
  3. On the left hand side, click on Tools.
  4. Check (tick) this box if it is not yet ticked: Resident.
  5. You will notice that Resident is now added under Tools. Click on Resident.
  6. Uncheck (untick) this box: Resident "TeaTimer" (Protection of over-all system settings) active.
  7. Exit Spybot Search & Destroy.
  8. Restart your computer for the changes to take effect.

Step 2

Please open Notepad and copy and paste the following in the Code box into Notepad:

Code:
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrstt]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssttr]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvwvwt]

DirLook:
C:\logs


Warning: The above script is only for DrPostman. If you are not DrPostman, do not use this script as it may damage the workings of your system.

Click on File > Save As....

In the File Name field, copy and paste in CFScript.txt. Do not change the file name.

Click Save.

Referring to the image below, drag CFScript.txt into Combofix.

Image

Combofix will start running. When done, a log will be produced. Please post this log in your next reply.

In your next reply, please post:

  1. Combofix log (C:\Combofix.txt)
  2. A new HijackThis log
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: A fresh new hell

Unread postby DrPostman » December 12th, 2007, 12:40 pm

ComboFix log:

ComboFix 07-12-12.3 - Jamie 2007-12-13 10:23:37.6 - NTFSx86
Running from: C:\Documents and Settings\Jamie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jamie\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 )))))))))))))))))))))))))))))))
.

2007-12-13 02:19 . 2007-12-13 02:22 1,393 --a------ C:\WINDOWS\imsins.BAK
2007-12-11 00:48 . 2007-12-11 00:57 <DIR> d-------- C:\Downloads
2007-12-10 06:51 . 1999-10-28 11:26 37,888 --a------ C:\WINDOWS\system32\Holiday Lights.scr
2007-12-10 06:50 . 2007-12-10 06:50 <DIR> d-------- C:\Program Files\Tiger Technologies
2007-12-08 17:42 . 2007-12-08 17:42 <DIR> d-------- C:\Program Files\Better File Series
2007-12-08 17:39 . 2007-12-08 17:39 <DIR> d-------- C:\doublekiller
2007-12-07 22:24 . 2007-12-10 03:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-07 22:24 . 2007-12-07 22:24 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-04 22:03 . 2007-12-04 22:03 <DIR> d-------- C:\Program Files\Rockstar Games
2007-12-02 02:53 . 2007-12-02 02:53 <DIR> d-------- C:\Program Files\Free Audio Pack
2007-12-02 02:53 . 1998-06-17 00:00 516,173 --a------ C:\WINDOWS\system32\MSVCP60D.DLL
2007-12-02 02:53 . 1998-06-17 00:00 385,100 --a------ C:\WINDOWS\system32\MSVCRTD.DLL
2007-12-02 02:53 . 1998-07-13 00:00 141,312 --a------ C:\WINDOWS\system32\MSCMCFR.DLL
2007-12-02 02:53 . 2000-10-01 20:00 119,568 --a------ C:\WINDOWS\system32\VB6FR.DLL
2007-12-02 02:53 . 1999-03-25 20:00 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2007-12-02 02:53 . 1998-07-13 00:00 59,904 --a------ C:\WINDOWS\system32\Mscc2fr.dll
2007-12-02 02:53 . 1998-07-12 20:00 32,768 --a------ C:\WINDOWS\system32\CMDLGFR.DLL
2007-12-02 02:53 . 1998-07-13 00:00 21,504 --a------ C:\WINDOWS\system32\TABCTFR.DLL
2007-12-02 02:53 . 1998-07-13 00:00 15,360 --a------ C:\WINDOWS\system32\inetfr.DLL
2007-11-30 22:54 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-11-26 19:58 . 2007-11-26 19:58 2,564 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2007-11-18 07:10 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-18 07:09 . 2007-11-18 07:10 <DIR> d-------- C:\Program Files\Java
2007-11-18 07:09 . 2007-11-18 07:09 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-17 18:38 . 2007-11-17 18:38 <DIR> d-------- C:\Documents and Settings\Jamie\Application Data\Lexmark Productivity Studio
2007-11-17 10:06 . 2007-11-17 10:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-17 10:06 . 2007-11-17 10:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-17 01:07 . 2007-11-17 01:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-11-17 00:51 . 2007-11-17 00:51 <DIR> d-------- C:\Documents and Settings\Jamie\Application Data\Grisoft
2007-11-17 00:51 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-17 00:19 . 2007-12-10 03:03 <DIR> d-------- C:\Program Files\Lx_cats
2007-11-17 00:08 . 2007-11-17 00:08 <DIR> d-------- C:\Program Files\Lexmark Toolbar
2007-11-17 00:08 . 2007-11-17 18:28 <DIR> d-------- C:\Program Files\Lexmark 1300 Series
2007-11-17 00:08 . 2007-05-17 07:54 323,584 --a------ C:\WINDOWS\system32\LXDChcp.dll
2007-11-17 00:08 . 2007-05-17 08:09 286,720 --a------ C:\WINDOWS\system32\LXDCinst.dll
2007-11-17 00:08 . 2006-12-05 22:19 44 --a------ C:\WINDOWS\system32\lxdcrwrd.ini
2007-11-17 00:07 . 2007-11-17 00:07 <DIR> d-------- C:\logs
2007-11-17 00:07 . 2007-11-17 18:29 132,066 --a------ C:\WINDOWS\system32\LexFiles.ulf
2007-11-17 00:06 . 2007-03-28 07:16 344,064 -ra------ C:\WINDOWS\system32\lxdccoin.dll
2007-11-17 00:06 . 2007-03-18 19:45 77,906 -ra------ C:\WINDOWS\system32\lxdccfg.dll
2007-11-17 00:06 . 2007-05-25 03:19 1,827 -ra------ C:\WINDOWS\system32\lxdc.loc
2007-11-17 00:02 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-11-17 00:02 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2007-11-15 07:21 . 2007-11-15 07:21 <DIR> d-------- C:\Program Files\NCH Software
2007-11-14 02:51 . 2005-09-20 17:27 10,368 --------- C:\WINDOWS\system32\drivers\iviaspi.sys
2007-11-14 02:50 . 2005-09-20 17:27 10,368 --a------ C:\WINDOWS\system32\iviaspi.sys
2007-11-14 02:49 . 2007-11-14 02:49 <DIR> d-------- C:\Program Files\Sandisk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-13 16:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-13 16:08 --------- d-----w C:\Documents and Settings\Jamie\Application Data\uTorrent
2007-12-13 16:02 --------- d-----w C:\Documents and Settings\Jamie\Application Data\SiteAdvisor
2007-12-13 15:39 --------- d-----w C:\Documents and Settings\Jamie\Application Data\AVG7
2007-12-13 09:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-12 22:42 26,657,763 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-09 13:13 --------- d-----w C:\Documents and Settings\Jamie\Application Data\dvdcss
2007-12-09 09:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-08 20:32 --------- d-----w C:\Program Files\PeerGuardian2
2007-12-07 07:40 --------- d-----w C:\Program Files\ICE
2007-12-06 02:31 --------- d-----w C:\Program Files\Camfrog
2007-12-02 05:42 --------- d-----w C:\Documents and Settings\Jamie\Application Data\NCH Swift Sound
2007-12-02 05:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-12-02 05:33 --------- d-----w C:\Program Files\NCH Swift Sound
2007-11-28 02:04 --------- d-----w C:\Program Files\SuperWebcam
2007-11-26 08:43 148,752 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_11_24_16_18_42_small.dmp.zip
2007-11-19 10:36 --------- d-----w C:\Documents and Settings\Jamie\Application Data\Registry Booster
2007-11-17 06:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-16 00:26 --------- d-----w C:\Program Files\Kermit
2007-11-14 07:26 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-13 00:52 --------- d-----w C:\Program Files\Virtual Laguna Beach
2007-11-10 12:47 --------- d-----w C:\Documents and Settings\Jamie\Application Data\TrojanHunter
2007-11-10 11:14 --------- d-----w C:\Program Files\TrojanHunter 5.0
2007-11-09 07:02 208,996 ----a-w C:\WINDOWS\system32\MuteHook.dll
2007-11-09 07:00 208,997 ----a-w C:\WINDOWS\system32\MyCfHook.dll
2007-11-07 05:17 --------- d-----w C:\Program Files\VirtualDJ
2007-11-06 12:29 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-30 10:16 3,058,688 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 04:36 127,116 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_27_21_01_57_small.dmp.zip
2007-10-30 04:36 120,410 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_27_11_17_08_small.dmp.zip
2007-10-30 04:29 --------- d-----w C:\Program Files\Google
2007-10-30 04:27 --------- d-----w C:\Program Files\RealArcade
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-29 22:10 --------- d-----w C:\Documents and Settings\Jamie\Application Data\Camfrog
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-27 01:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-10-27 01:44 --------- d-----w C:\Program Files\WebcamMax
2007-10-27 01:38 --------- d-----w C:\Program Files\RSSoft
2007-10-26 03:36 8,454,656 ------w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-23 06:44 134,176 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_22_01_57_14_small.dmp.zip
2007-10-23 06:30 --------- d-----w C:\Program Files\Crocodile 2.0
2007-10-22 05:23 --------- d-----w C:\Program Files\Camfrog DJ
2007-10-20 19:39 118,557 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_20_08_08_12_small.dmp.zip
2007-10-20 11:29 120,222 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_20_06_25_35_small.dmp.zip
2007-10-20 00:54 126,792 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_18_08_09_50_small.dmp.zip
2007-10-18 06:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom
2007-10-15 11:10 117,884 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_13_21_27_00_small.dmp.zip
2007-10-15 11:09 23,125,614 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_13_18_49_11_full.dmp.zip
2007-10-12 09:44 120,421 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_11_14_12_45_small.dmp.zip
2007-10-11 06:13 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-10-11 06:13 659,456 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-11 06:13 615,424 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-11 06:13 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-11 06:13 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-11 06:13 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-10-11 06:13 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-11 06:13 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-10-11 06:13 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-10-11 06:13 251,392 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-10-11 06:13 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-11 06:13 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-11 06:13 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-10-11 06:13 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-11 06:13 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-10-11 06:13 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-10-11 06:13 1,023,488 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-10-10 11:16 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
.

((((((((((((((((((((((((((((( snapshot_2007-12-13_ 2.51.51.34 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-13 08:33:06 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
+ 2007-12-13 16:16:15 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
- 2007-12-11 15:01:38 7,118,972 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2007-12-13 16:01:49 7,134,578 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 19:12]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 16:34]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 16:34]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-11-30 22:38]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 06:05]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 18:04]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NaturalColorLoad.lnk - C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe [2006-02-22 22:15:49]

R2 lxdc_device;lxdc_device;C:\WINDOWS\system32\lxdccoms.exe -service
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\WINDOWS\system32\DRIVERS\ManyCam.sys
R3 PAC207;PC Camer@;C:\WINDOWS\system32\DRIVERS\PFC027.SYS
R3 SUPERWEBCAM;SuperWebcam, WDM Virtual Video Capture Device;C:\WINDOWS\system32\DRIVERS\superwebcam.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
S3 gkmixern;gkmixern;\??\C:\DOCUME~1\Jamie\LOCALS~1\Temp\gkmixern.sys
S4 lxdcCATSCustConnectService;lxdcCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdcserv.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-13 16:18:06 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 10:32:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-13 10:35:43
C:\ComboFix2.txt ... 2007-12-13 02:54
C:\ComboFix3.txt ... 2007-12-12 16:29
.
2007-12-13 08:27:22 --- E O F ---

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:37:49 AM, on 12/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trendmicro.com/hc_intro/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: NaturalColorLoad.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.memphiszoo.org
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

BTW, when I ran ComboFix it didn't restart the computer. I hope that's not a
problem. It showed the log and that was it after running.

Thanks,
Jamie
DrPostman
Regular Member
 
Posts: 41
Joined: November 10th, 2007, 7:01 am

Re: A fresh new hell

Unread postby DrPostman » December 12th, 2007, 12:51 pm

BTW, I just noticed that AVG didn't start when I rebooted
my computer after making the Spybot changes. That's
a bit troubling since I have never had that problem before.

Jamie
DrPostman
Regular Member
 
Posts: 41
Joined: November 10th, 2007, 7:01 am

Re: A fresh new hell

Unread postby ndmmxiaomayi » December 12th, 2007, 12:57 pm

Hi Jamie,

I noticed that when you first posted the log: AVG Antivirus wasn't loaded at startup. We'll try fixing this when your computer is clean.

Please open Notepad and copy and paste the following in the Code box into Notepad:

Code: Select all
dir /s C:\logs > C:\dirlook.txt
start notepad C:\dirlook.txt


Click on File > Save As....

In the File Name box, copy and paste in dir.bat

In the Save As Type box, select All Files from the drop-down list.

Click Save.

Double click on dir.bat to run it. Command Prompt will open and close quickly; this is normal. Notepad will open shortly afterwards. Please post the contents of this Notepad file in your next reply.

Please post back the contents of this Notepad file in your next reply (C:\dirlook.txt).
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: A fresh new hell

Unread postby DrPostman » December 12th, 2007, 1:12 pm

done:

Volume in drive C has no label.
Volume Serial Number is B0A5-9936

Directory of C:\logs

11/17/2007 12:07 AM <DIR> .
11/17/2007 12:07 AM <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 7,531,089,920 bytes free



Thanks,
Jamie
DrPostman
Regular Member
 
Posts: 41
Joined: November 10th, 2007, 7:01 am

Re: A fresh new hell

Unread postby ndmmxiaomayi » December 12th, 2007, 2:01 pm

Hi Jamie,

Step 1

  1. Start AVG Anti-Spyware by going to Start > All Programs > AVG Anti-Spyware 7.5 > AVG Anti-Spyware.
  2. In the main screen, you should see Your Computer's Security.
    • Next to Resident Shield, click on Change state. It should now be Inactive.
    • Next to Automatic Updates, click on Change state. It should now be Inactive.
    • Next to Last Update, click on Update now. If your firewall prompts you, tell your firewall to allow it. Should you be unable to update it, download the updates from here. Save it to your desktop. Double click to run the installation and the updates will be installed. Make sure AVG Anti-Spyware is closed during the installation.
    • Right-click the AVG Anti-Spyware icon near the clock and uncheck (untick) Start with Windows. Confirm by clicking Yes.
  3. Now click on the Scanner button at the top.
  4. Select the Settings tab.
  5. Under How to act?, click on Recommended actions and select Quarantine.
  6. Under How to scan?, check (tick) all the boxes.
  7. Under Possibly unwanted software:, check (tick) all the boxes.
  8. Under Reports:, uncheck (untick) the Only if threats were found box and select Do not automatically generate report.
  9. Under What to scan?, select Scan every file.

Do not run a scan yet. You will run a scan later.

Step 2

Please download ATF Cleaner by Atribune.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All.
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Step 3

Please print out or save this set of instructions as you will not have internet access during the fix.

Reboot into Safe Mode by following the instructions below:

  • When you see BIOS screen, start pressing F8.
  • A boot menu will appear shortly.
  • Using the up down arrows, select Safe Mode and press the Enter key.
  • Windows will now load.
  • Log in to your usual account.

Step 4

  1. Start AVG Anti-Spyware by going to Start > All Programs > AVG Anti-Spyware 7.5 > AVG Anti-Spyware.
  2. Click on the Scanner button at the top.
  3. Select the Scan tab.
  4. Click on Complete System Scan to start the scan.
  5. When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the Save Scan Report button before you have clicked the Apply all Actions button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  6. When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  7. Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Restart your computer in Normal Mode.

Step 5

Please open HijackThis and select Do a system scan only. Put a check (tick) next to these lines:

    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
    O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} -

Click Fix checked. Close HijackThis.

In your next reply, please post:

  1. AVG Antispyware scan report
  2. A new HijackThis log
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: A fresh new hell

Unread postby DrPostman » December 13th, 2007, 4:23 am

Bear with me please. My printer has run out of ink and it will
be about 15 hours before I get a new cartridge.

Thanks again for the assistance.

Jamie
DrPostman
Regular Member
 
Posts: 41
Joined: November 10th, 2007, 7:01 am

Re: A fresh new hell

Unread postby ndmmxiaomayi » December 13th, 2007, 6:13 am

No problems. :)
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: A fresh new hell

Unread postby DrPostman » December 14th, 2007, 4:08 am

I finally got the time to follow the most recent set of
instructions. I'm afraid it didn't seem to go well, as
AVG Anti-virus gave me an error after it finished its
2 hour run of scanning. It couldn't delete all the
tracking cookies it found. Here is the report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:41:54 AM 12/15/2007

+ Scan result:



:mozilla.179:C:\Program Files\Support.com\backup\co\cookies.txt\20591_588b50be3_/cookies.txt -> TrackingCookie.Adjuggler : Error during cleaning.
:mozilla.190:C:\Program Files\Support.com\backup\co\cookies.txt\20591_588b50be3_/cookies.txt -> TrackingCookie.Adtech : Error during cleaning.
:mozilla.191:C:\Program Files\Support.com\backup\co\cookies.txt\20591_588b50be3_/cookies.txt -> TrackingCookie.Adtech : Error during cleaning.
:mozilla.13:C:\Program Files\Support.com\backup\co\cookies.txt\3124_5bdf5deee_/cookies.txt -> TrackingCookie.Bluestreak : Error during cleaning.
:mozilla.224:C:\Program Files\Support.com\backup\co\cookies.txt\20591_588b50be3_/cookies.txt -> TrackingCookie.Bridgetrack : Error during cleaning.
:mozilla.225:C:\Program Files\Support.com\backup\co\cookies.txt\20591_588b50be3_/cookies.txt -> TrackingCookie.Bridgetrack : Error during cleaning.
:mozilla.86:C:\Program Files\Support.com\backup\co\cookies.txt\20591_588b50be3_/cookies.txt -> TrackingCookie.Doubleclick : Error during cleaning.
:mozilla.34:C:\Program Files\Support.com\backup\co\cookies.txt\3046_57fb375e6_/cookies.txt -> TrackingCookie.Fastclick : Error during cleaning.
:mozilla.35:C:\Program Files\Support.com\backup\co\cookies.txt\3046_57fb375e6_/cookies.txt -> TrackingCookie.Fastclick : Error during cleaning.
:mozilla.35:C:\Program Files\Support.com\backup\co\cookies.txt\3124_5bdf5deee_/cookies.txt -> TrackingCookie.Fastclick : Error during cleaning.
:mozilla.36:C:\Program Files\Support.com\backup\co\cookies.txt\3124_5bdf5deee_/cookies.txt -> TrackingCookie.Fastclick : Error during cleaning.
:mozilla.37:C:\Program Files\Support.com\backup\co\cookies.txt\3124_5bdf5deee_/cookies.txt -> TrackingCookie.Fastclick : Error during cleaning.
:mozilla.91:C:\Program Files\Support.com\backup\co\cookies.txt\20591_588b50be3_/cookies.txt -> TrackingCookie.Fastclick : Error during cleaning.
:mozilla.114:C:\Program Files\Support.com\backup\co\cookies.txt\20591_588b50be3_/cookies.txt -> TrackingCookie.Qksrv : Error during cleaning.
:mozilla.115:C:\Program Files\Support.com\backup\co\cookies.txt\20591_588b50be3_/cookies.txt -> TrackingCookie.Qksrv : Error during cleaning.
:mozilla.218:C:\Program Files\Support.com\backup\co\cookies.txt\20591_588b50be3_/cookies.txt -> TrackingCookie.Real : Error during cleaning.
:mozilla.31:C:\Program Files\Support.com\backup\co\cookies.txt\3046_57fb375e6_/cookies.txt -> TrackingCookie.Realmedia : Error during cleaning.
:mozilla.32:C:\Program Files\Support.com\backup\co\cookies.txt\3124_5bdf5deee_/cookies.txt -> TrackingCookie.Realmedia : Error during cleaning.
:mozilla.33:C:\Program Files\Support.com\backup\co\cookies.txt\3124_5bdf5deee_/cookies.txt -> TrackingCookie.Realmedia : Error during cleaning.
:mozilla.33:C:\Program Files\Support.com\backup\co\cookies.txt\3046_57fb375e6_/cookies.txt -> TrackingCookie.Tribalfusion : Error during cleaning.
:mozilla.17:C:\Program Files\Support.com\backup\co\cookies.txt\3046_57fb375e6_/cookies.txt -> TrackingCookie.Valueclick : Error during cleaning.
:mozilla.18:C:\Program Files\Support.com\backup\co\cookies.txt\3046_57fb375e6_/cookies.txt -> TrackingCookie.Valueclick : Error during cleaning.


::Report end



And my most recent HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:55:29 AM, on 12/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trendmicro.com/hc_intro/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: NaturalColorLoad.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.memphiszoo.org
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O20 - Winlogon Notify: awtrstt - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ssttr - C:\WINDOWS\
O20 - Winlogon Notify: tuvwvwt - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks again,
Jamie
DrPostman
Regular Member
 
Posts: 41
Joined: November 10th, 2007, 7:01 am

Re: A fresh new hell

Unread postby ndmmxiaomayi » December 14th, 2007, 5:02 am

Hi Jamie,

No worries about the cookies. They can be cleared with a temp file cleaner. :)

Open HijackThis and select Do a system scan only. Put a check (tick) next to these lines:

    O20 - Winlogon Notify: awtrstt - C:\WINDOWS\
    O20 - Winlogon Notify: ssttr - C:\WINDOWS\
    O20 - Winlogon Notify: tuvwvwt - C:\WINDOWS\

Click Fix checked. Close HijackThis.

Download AVG Antivirus and save it to your desktop.

Uninstall your AVG Antivirus and restart your computer.

After restarting, run the AVG Antivirus installation file that you've downloaded earlier, then restart your computer again.

Please post back a new HijackThis log after reinstalling AVG Antivirus.
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am
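The two "Fix checked" lists in this thread (the orphaned O2/O16 entries in the earlier post, and the three O20 Winlogon Notify entries just above) all follow one rule: an entry whose registry key points at nothing on disk, or at a bare directory instead of a DLL, has no legitimate reason to exist, and a Winlogon Notify DLL that is not one the machine is known to ship with deserves a look, because anything registered there is loaded into winlogon.exe at every logon. The Python script below is an added example, not code from this thread or from HijackThis; it parses O2, O16 and O20 lines and applies that rule. The sample lines are copied from the logs posted in this thread, and the KNOWN_NOTIFY allowlist is an assumption for this particular Windows XP machine (Intel graphics driver plus WGA), not a general whitelist.

```python
"""Flag orphaned or suspicious HijackThis entries (O2 BHO, O16 DPF, O20 Winlogon Notify).

Added example for this thread. Sample lines are copied from the logs
posted above; the allowlist is an assumption for this specific machine.
"""
import re
from typing import List, Optional, Tuple

# Assumption: Winlogon Notify packages this particular XP SP2 box is known to
# carry (Intel graphics helper and Windows Genuine Advantage). Anything else
# registered under Winlogon\Notify gets loaded into winlogon.exe and should
# be verified by hand.
KNOWN_NOTIFY = {"igfxcui", "wgalogon"}

RE_O2 = re.compile(r"^O2 - BHO: .*? - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$")
RE_O16 = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? -\s*(?P<url>.*)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


def classify(line: str) -> Optional[str]:
    """Return a reason string when the entry is a candidate for 'Fix checked',
    or None when the entry looks healthy (or is a line type we don't inspect)."""
    line = line.strip()

    m = RE_O2.match(line)
    if m:
        # A BHO whose CLSID is registered but whose DLL is gone is dead weight.
        if m.group("target").lower() == "(no file)":
            return "orphaned BHO: CLSID registered but no DLL on disk"
        return None

    m = RE_O16.match(line)
    if m:
        # Downloaded Program Files entry with no codebase URL: leftover from an
        # uninstalled ActiveX control (here, old Java plug-in versions).
        if not m.group("url"):
            return "orphaned DPF entry: no download URL"
        return None

    m = RE_O20.match(line)
    if m:
        name, path = m.group("name"), m.group("path")
        # HijackThis prints only the directory when it cannot resolve a DLL
        # behind the Notify key; a real package always names a .dll file.
        if path.endswith("\\") or not path.lower().endswith(".dll"):
            return "Winlogon Notify key with no DLL file behind it"
        if name.lower() not in KNOWN_NOTIFY:
            return "Winlogon Notify DLL not on this machine's allowlist; verify the file"
        return None

    return None


def scan(log_text: str) -> List[Tuple[str, str]]:
    """Run classify() over every line of a HijackThis log; return (line, reason) hits."""
    hits = []
    for raw in log_text.splitlines():
        reason = classify(raw)
        if reason:
            hits.append((raw.strip(), reason))
    return hits


# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG_LINES = [
    "O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)",
    "O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll",
    "O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -",
    "O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab",
    "O20 - Winlogon Notify: awtrstt - C:\\WINDOWS\\",
    "O20 - Winlogon Notify: igfxcui - C:\\WINDOWS\\SYSTEM32\\igfxsrvc.dll",
    "O20 - Winlogon Notify: ssttr - C:\\WINDOWS\\",
    "O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll",
]

if __name__ == "__main__":
    for entry, why in scan("\n".join(SAMPLE_LOG_LINES)):
        print(f"[FIX?] {entry}\n       {why}")
```

Running the script on the sample prints the four entries the helper asked to fix (the BHO with no file, the DPF with no URL, and the two directory-only Winlogon Notify keys) and stays quiet on SDHelper.dll, the Zenturi control, igfxcui and WgaLogon. Note that "Fix checked" on an O20 line only deletes the registry key; if a DLL with the pseudo-random name still exists in C:\WINDOWS\, it has to be found and removed separately, which is what the helper's follow-up scans are for.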

Re: A fresh new hell

Unread postby DrPostman » December 14th, 2007, 6:01 am

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:59:39 AM, on 12/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trendmicro.com/hc_intro/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Global Startup: NaturalColorLoad.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.memphiszoo.org
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

BTW, that exe file that I mention at the start of this thread
is still undeletable. The bastard tasks me ;)

Thanks,
Jamie
DrPostman
Regular Member
 
Posts: 41
Joined: November 10th, 2007, 7:01 am

Re: A fresh new hell

Unread postby ndmmxiaomayi » December 14th, 2007, 6:40 am

May I know where this file is located? I could try some tools to remove it.
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am