Need Help with Virus Please!!

sugarfree

New Member
My computer just got infected. I think it might be have to do with xpantivirus. Pop-ups say "spyware.iemonster.b". I think it is similar to a recent thread. Please Help. I will be back on at 9:00pm my time. Thanks!!
 
Last edited:
Post a HijackThis log:
Please download the HijackThis installer from http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe.

Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click Do a system scan and save a logfile

When the Notepad window opens choose Edit -> Select All to select the entire log, and copy and paste the log into a reply post.
Most of what it lists will be harmless or even essential, don't fix anything yet.
 
Trendsecure log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:32 PM, on 2/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=presario&pf=desktop
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvkid.dll,startup
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvmox.dll,startup
O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\SpyGuardPro\bm.exe" dm=http://spyguardpro.com ad=http://spyguardpro.com sd=http://ykeeper.spyguardpro.com
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [142ee2a1] rundll32.exe "C:\WINDOWS\system32\idbhnpoe.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Startup: Compaq Organize.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149182346828
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe
O24 - Desktop Component 0: (no name) - http://www.ac.wwu.edu/webmail/src/download.php?passed_id=578&mailbox=INBOX&ent_id=2&absolute_dl=true

--
End of file - 7215 bytes
 
Looks like you have a Vundo infection, among other things.

1. Please download this file - ComboFix to your desktop
2. Double click ComboFix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply together with a new HijackThis log.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall
 
New hijack this log and combofix log....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:30 AM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=presario&pf=desktop
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvkid.dll,startup
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvmox.dll,startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Compaq Organize.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149182346828
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe
O24 - Desktop Component 0: (no name) - http://www.ac.wwu.edu/webmail/src/download.php?passed_id=578&mailbox=INBOX&ent_id=2&absolute_dl=true

--
End of file - 6919 bytes

--------------------------------------------------------------------------

.
2008-02-09 19:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-09 19:21 4,004 ----a-w C:\WINDOWS\viassary-hp.reg
2008-02-08 01:57 --------- d-----w C:\Program Files\QuickTime
2008-01-27 00:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-31 01:35 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Sony Corporation
2007-12-31 00:50 --------- d-----w C:\Program Files\Sony
2007-12-31 00:49 --------- d-----w C:\Program Files\Common Files\InstallShield
2005-12-05 02:36 20,480 ----a-w C:\Documents and Settings\Compaq_Owner\zzz.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 02:48 36975]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 15:04 52736]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 19:02 61440]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-04-21 17:28 286720]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 19:43 233472]
"VTTimer"="VTTimer.exe" [2004-10-22 10:53 53248 C:\WINDOWS\system32\VTTimer.exe]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-06 00:05 2550272 C:\WINDOWS\ALCWZRD.EXE]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-12-12 13:37 71328]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 16:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 19:13 98304]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 12:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 17:49 49152]
"D-Link Air USB Utility"="C:\Program Files\D-Link\Air USB Utility\AirCFG.exe" [2003-07-23 08:21 2695168]
"MSDrive"="C:\WINDOWS\system32\drvkid.dll" [2008-02-05 18:54 103936]
"MSDisp32"="C:\WINDOWS\system32\drvmox.dll" [2008-02-05 18:54 15872]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25 6731312]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

R2 NIOC;NIOC Service;C:\WINDOWS\system32\NIOC.SYS [2002-09-27 18:21]
R2 WZCBDLService;WZCBDL Service;"C:\Program Files\WZCBDL Service\WZCBDLS.exe" [2002-03-19 12:15]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-03-31 17:58]
R3 PRISM_USB;D-Link Air DWL-122 Wireless USB Adapter Driver;C:\WINDOWS\system32\DRIVERS\PRISMUSB.sys [2003-04-10 02:43]

.
Contents of the 'Scheduled Tasks' folder
"2007-09-03 22:16:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-09 19:38:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 11:37:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\drvmox.dll
-> C:\WINDOWS\system32\drvkid.dll
.
------------------------ Other Running Processes ------------------------
.
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-09 11:41:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-09 19:41:26
.
2008-01-10 00:25:31 --- E O F ---
 
I'm afraid there's still more to go, but your ComboFix log is cut off. Please post the entire log, which should be located at C:\ComboFix.txt. If it's too large to post here, please go to http://savefile.com and upload the file there. There is no need to register, just click the UPLOAD MY FILE button. After you upload the file, please post the link to the file. That way, anyone on the board can see the log almost as easily as if it were posted here.
 
Combo Fix Log

ComboFix 08-02.05.3 - Compaq_Owner 2008-02-09 11:28:42.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.105 [GMT -8:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\jkkll.dll
C:\WINDOWS\system32\khfcaxv.dll
C:\WINDOWS\system32\teqcdaxx.dll
C:\Program Files\Common Files\download
C:\Program Files\msupdate
C:\SpyGuardPro
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\dldnlxmk.dll
C:\WINDOWS\system32\drvkidr.dll
C:\WINDOWS\system32\eopnhbdi.ini
C:\WINDOWS\system32\hhejvwuu.ini
C:\WINDOWS\system32\idbhnpoe.dll
C:\WINDOWS\system32\jkkll.dll
C:\WINDOWS\system32\jyuevwst.dll
C:\WINDOWS\system32\khfcaxv.dll
C:\WINDOWS\system32\llkkj.ini
C:\WINDOWS\system32\llkkj.ini2
C:\WINDOWS\system32\ntload.sys
C:\WINDOWS\system32\pmnmnlj.dll
C:\WINDOWS\system32\rjncqhgb.dll
C:\WINDOWS\system32\scvrmddc.dll
C:\WINDOWS\system32\ssqpqpm.dll
C:\WINDOWS\system32\teqcdaxx.dll
C:\WINDOWS\system32\teqcdaxx.dllbox
C:\WINDOWS\system32\twfacyfl.ini
C:\WINDOWS\system32\winjjq32.dll
C:\WINDOWS\system32\winupdate.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NTLOAD
-------\ntload


((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-08 21:51 . 2008-02-08 21:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-07 19:13 . 2008-02-05 20:09 <DIR> d-------- C:\SDFix
2008-02-07 18:46 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-07 18:16 . 2008-02-07 18:16 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-07 17:59 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\vtuyrmkqdnbp.sys
2008-02-07 17:55 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\RkPavProc.sys
2008-02-07 16:54 . 2008-02-07 18:07 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-07 16:54 . 2008-02-07 17:53 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-07 16:54 . 2008-02-07 17:53 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-07 16:54 . 2008-02-07 17:53 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-06 23:15 . 2008-02-06 23:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-06 23:14 . 2008-02-07 16:39 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-06 23:14 . 2008-02-07 16:45 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2008-02-06 20:59 . 2004-08-11 19:40 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-02-06 20:59 . 2004-08-12 03:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-02-06 20:59 . 2004-08-11 20:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-02-06 20:59 . 2004-08-11 19:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-02-06 19:51 . 2008-02-06 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-05 21:58 . 2008-02-05 21:58 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Grisoft
2008-02-05 21:58 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-05 19:16 . 2008-02-05 19:16 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-02-05 19:11 . 2004-10-07 13:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-02-05 19:11 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-02-05 18:58 . 2008-02-05 18:58 0 --a------ C:\WINDOWS\system32\wscmp.dll.tmp
2008-02-05 18:58 . 2008-02-05 18:58 0 --a------ C:\WINDOWS\system32\update32.exe.tmp
2008-02-05 18:56 . 2008-02-05 18:56 0 --a------ C:\WINDOWS\system32\sex2.ico.tmp
2008-02-05 18:55 . 2008-02-05 18:55 0 --a------ C:\WINDOWS\system32\sex1.ico.tmp
2008-02-05 18:54 . 2008-02-05 18:54 103,936 --a------ C:\WINDOWS\system32\drvkid.dll
2008-02-05 18:54 . 2008-02-05 18:54 15,872 --a------ C:\WINDOWS\system32\drvmox.dll
2008-02-03 10:12 . 2008-02-03 10:12 23,552 --a------ C:\WINDOWS\system32\winbug32.dll
2008-02-03 10:11 . 2008-02-03 10:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-03 10:11 . 2008-02-03 10:11 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-26 16:25 . 2008-01-26 16:25 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-01-26 16:25 . 2008-01-26 16:30 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Intuit
2008-01-26 16:24 . 2008-01-26 16:24 <DIR> d-------- C:\Program Files\Common Files\Intuit
2008-01-26 16:24 . 2008-01-26 16:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit
2008-01-26 16:24 . 2007-10-22 18:58 1,721,712 --a------ C:\WINDOWS\system32\InetClnt.dll
2008-01-26 16:18 . 2008-01-26 16:18 <DIR> d-------- C:\Program Files\TurboTax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 19:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-09 19:21 4,004 ----a-w C:\WINDOWS\viassary-hp.reg
2008-02-08 01:57 --------- d-----w C:\Program Files\QuickTime
2008-01-27 00:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-31 01:35 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Sony Corporation
2007-12-31 00:50 --------- d-----w C:\Program Files\Sony
2007-12-31 00:49 --------- d-----w C:\Program Files\Common Files\InstallShield
2005-12-05 02:36 20,480 ----a-w C:\Documents and Settings\Compaq_Owner\zzz.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 02:48 36975]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 15:04 52736]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 19:02 61440]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-04-21 17:28 286720]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 19:43 233472]
"VTTimer"="VTTimer.exe" [2004-10-22 10:53 53248 C:\WINDOWS\system32\VTTimer.exe]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-06 00:05 2550272 C:\WINDOWS\ALCWZRD.EXE]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-12-12 13:37 71328]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 16:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 19:13 98304]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 12:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 17:49 49152]
"D-Link Air USB Utility"="C:\Program Files\D-Link\Air USB Utility\AirCFG.exe" [2003-07-23 08:21 2695168]
"MSDrive"="C:\WINDOWS\system32\drvkid.dll" [2008-02-05 18:54 103936]
"MSDisp32"="C:\WINDOWS\system32\drvmox.dll" [2008-02-05 18:54 15872]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25 6731312]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

R2 NIOC;NIOC Service;C:\WINDOWS\system32\NIOC.SYS [2002-09-27 18:21]
R2 WZCBDLService;WZCBDL Service;"C:\Program Files\WZCBDL Service\WZCBDLS.exe" [2002-03-19 12:15]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-03-31 17:58]
R3 PRISM_USB;D-Link Air DWL-122 Wireless USB Adapter Driver;C:\WINDOWS\system32\DRIVERS\PRISMUSB.sys [2003-04-10 02:43]

.
Contents of the 'Scheduled Tasks' folder
"2007-09-03 22:16:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-09 19:38:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 11:37:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\drvmox.dll
-> C:\WINDOWS\system32\drvkid.dll
.
------------------------ Other Running Processes ------------------------
.
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-09 11:41:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-09 19:41:26
.
2008-01-10 00:25:31 --- E O F ---
 
  • Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\WINDOWS\system32\pavas.ico
    C:\WINDOWS\system32\Uninstall.ico
    C:\WINDOWS\system32\Help.ico
    C:\WINDOWS\system32\wscmp.dll.tmp
    C:\WINDOWS\system32\update32.exe.tmp
    C:\WINDOWS\system32\sex2.ico.tmp
    C:\WINDOWS\system32\sex1.ico.tmp
    C:\WINDOWS\system32\drvkid.dll
    C:\WINDOWS\system32\drvmox.dll
    C:\WINDOWS\system32\winbug32.dll
    C:\WINDOWS\viassary-hp.reg
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSDrive"=-
    "MSDisp32"=-
    "AlcxMonitor"=-
  • Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.


    CFScript.gif



  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log.
CAUTION:
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.

Please go to http://www.virustotal.com/, click on Browse, and upload the following file for analysis:

C:\Documents and Settings\Compaq_Owner\zzz.exe

Then click Send File. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If that scanner is busy, please use this one: http://virusscan.jotti.org.

Please post
  • The ComboFix log
  • A new HijackThis log
  • The VirusTotal or Jotti results
  • An update on how your system is running
 
New Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:57:30 PM, on 2/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=presario&pf=desktop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Compaq Organize.lnk = ?
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149182346828
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe
O24 - Desktop Component 0: (no name) - http://www.ac.wwu.edu/webmail/src/download.php?passed_id=578&mailbox=INBOX&ent_id=2&absolute_dl=true

--
End of file - 8162 bytes
 
Combo Fix Log

ComboFix 08-02.05.3 - Compaq_Owner 2008-02-11 15:47:25.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.119 [GMT -8:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Owner\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\drvkid.dll
C:\WINDOWS\system32\drvmox.dll
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\sex1.ico.tmp
C:\WINDOWS\system32\sex2.ico.tmp
C:\WINDOWS\system32\Uninstall.ico
C:\WINDOWS\system32\update32.exe.tmp
C:\WINDOWS\system32\winbug32.dll
C:\WINDOWS\system32\wscmp.dll.tmp
C:\WINDOWS\viassary-hp.reg
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drvkid.dll
C:\WINDOWS\system32\drvmox.dll
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\sex1.ico.tmp
C:\WINDOWS\system32\sex2.ico.tmp
C:\WINDOWS\system32\Uninstall.ico
C:\WINDOWS\system32\update32.exe.tmp
C:\WINDOWS\system32\winbug32.dll
C:\WINDOWS\system32\wscmp.dll.tmp
C:\WINDOWS\viassary-hp.reg

.
((((((((((((((((((((((((( Files Created from 2008-01-11 to 2008-02-11 )))))))))))))))))))))))))))))))
.

2008-02-09 14:16 . 2008-02-09 14:35 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-09 14:16 . 2008-02-09 14:16 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\PC Tools
2008-02-09 14:16 . 2008-02-11 15:35 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-09 14:16 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-09 14:16 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-09 14:16 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-09 14:16 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-09 13:50 . 2008-02-09 13:50 <DIR> d-------- C:\Program Files\Picasa2
2008-02-09 13:32 . 2008-02-09 13:32 <DIR> d-------- C:\WINDOWS\system32\runtime
2008-02-09 13:27 . 2008-02-09 13:27 <DIR> d-------- C:\Program Files\Norton Security Scan
2008-02-09 13:06 . 2008-02-10 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-02-09 11:25 . 2004-08-04 04:00 388,608 --a------ C:\kmd.exe
2008-02-08 21:51 . 2008-02-08 21:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-07 18:46 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-07 18:16 . 2008-02-07 18:16 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-07 17:59 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\vtuyrmkqdnbp.sys
2008-02-07 17:55 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\RkPavProc.sys
2008-02-07 16:54 . 2008-02-07 18:07 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-06 23:15 . 2008-02-06 23:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-06 23:14 . 2008-02-07 16:39 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-06 23:14 . 2008-02-07 16:45 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2008-02-06 20:59 . 2004-08-11 19:40 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-02-06 20:59 . 2004-08-12 03:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-02-06 20:59 . 2004-08-11 20:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-02-06 20:59 . 2004-08-11 19:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-02-06 19:51 . 2008-02-06 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-05 21:58 . 2008-02-05 21:58 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Grisoft
2008-02-05 21:58 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-05 19:16 . 2008-02-05 19:16 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-02-05 19:11 . 2004-10-07 13:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-02-05 19:11 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-02-03 10:11 . 2008-02-03 10:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-03 10:11 . 2008-02-03 10:11 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-26 16:25 . 2008-01-26 16:25 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-01-26 16:25 . 2008-01-26 16:30 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Intuit
2008-01-26 16:24 . 2008-01-26 16:24 <DIR> d-------- C:\Program Files\Common Files\Intuit
2008-01-26 16:24 . 2008-01-26 16:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit
2008-01-26 16:24 . 2007-10-22 18:58 1,721,712 --a------ C:\WINDOWS\system32\InetClnt.dll
2008-01-26 16:18 . 2008-01-26 16:18 <DIR> d-------- C:\Program Files\TurboTax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 22:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-09 22:32 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-09 22:05 --------- d-----w C:\Program Files\Google
2008-02-08 01:57 --------- d-----w C:\Program Files\QuickTime
2008-01-27 00:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-31 01:35 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Sony Corporation
2007-12-31 00:50 --------- d-----w C:\Program Files\Sony
2007-12-31 00:49 --------- d-----w C:\Program Files\Common Files\InstallShield
2005-12-05 02:36 20,480 ----a-w C:\Documents and Settings\Compaq_Owner\zzz.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 02:48 36975]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 15:04 52736]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 19:02 61440]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-04-21 17:28 286720]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 19:43 233472]
"VTTimer"="VTTimer.exe" [2004-10-22 10:53 53248 C:\WINDOWS\system32\VTTimer.exe]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-06 00:05 2550272 C:\WINDOWS\ALCWZRD.EXE]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-12-12 13:37 71328]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 16:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 19:13 98304]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 17:49 49152]
"D-Link Air USB Utility"="C:\Program Files\D-Link\Air USB Utility\AirCFG.exe" [2003-07-23 08:21 2695168]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53 1103752]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe [2004-08-11 19:51:38 16423]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-02-09 13:06:24 125624]

R2 NIOC;NIOC Service;C:\WINDOWS\system32\NIOC.SYS [2002-09-27 18:21]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-03-31 17:58]
S3 PRISM_USB;D-Link Air DWL-122 Wireless USB Adapter Driver;C:\WINDOWS\system32\DRIVERS\PRISMUSB.sys [2003-04-10 02:43]
Start Pending2 WZCBDLService;WZCBDL Service;"C:\Program Files\WZCBDL Service\WZCBDLS.exe" [2002-03-19 12:15]

.
Contents of the 'Scheduled Tasks' folder
"2007-09-03 22:16:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-09 21:27:26 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2008-02-11 23:48:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 15:50:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-11 15:52:05
ComboFix-quarantined-files.txt 2008-02-11 23:51:54
ComboFix2.txt 2008-02-09 19:41:37
.
2008-01-10 00:25:31 --- E O F ---
 
Excellent, your logfile appears to be clean. Please tell me if the popups reappear.

Your Java Runtime Environment is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update:
Updating Java:
  • Go to Start > Control Panel double-click on the Software icon > Add or Remove Programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
    It should have next icon next to it:
    javaicon.gif

    Select it and click Remove.
  • Then Download and install the newest version from here:

Below I have included some ideas on how to prevent future infections.

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please navigate to http://windowsupdate.microsoft.com and download all the Critical Updates for Windows. These will patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

I notice you are running AVG Antispyware, which is good. You might want to consider installing and running some of the following programs; they are either free or have free versions of commercial programs, and will work alongside AVG Antispyware to protect you:

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's
Immunize and TeaTimer features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad which provides protections against malicious websites.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure are looking for anti-spyware programs, you can find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScripts, can make it even more secure. Opera is another good option.
If you are interested, Firefox may be downloaded from here
Opera is available here: http://www.opera.com/download/

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)
 
Ceewi1! Ceewi1! Ceewi1! Thanks for all the help and easy to follow instructions. You saved me so much time. My computer is running like normal again. Thank you
 
Back
Top