
shiftergreen (join:2008-05-28)
[Trojan] trojan + vitrumonde
For the past 36 hours I have been experiencing slow booting & loading, a weird variety of popups (many advertising 'fixers' or anti spyware) and difficulty in using the internet, especially to sites like this.
My resident AVG v7.5 has identified multiple invasions of "TrojanVNA", always 2.5Kb and with the identity or address of kb713501{1}. Have run AdAware and SpyBot multiple times in safe and normal modes. Double Click, Hit Box and Right Media were identified and cleaned and never returned. AdAware did come up with "access violation at address 00565100 in module Ad-aware.exe". SpyBot found Vitrumonde and Vitrumonde.dll (up to 8 instances / scan) several times. These were cleaned successfully and subsequent scans were OK ("congratulations!!") but only until I got online, and then the Vitrumondes returned along with the popups and other symptoms. Vundo, run several times in safe and normal, failed to find anything. Windows Defender came up with "error code 0x80070422" and nothing more. Also, SpyBot has been intercepting a slew of attempted changes such as key changes in "RUNDll32.exeC:\windows\system....etc." I have denied these.
Thanking you in advance,
shiftergreen
The HJT File follows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:41:29 PM, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Documents and Settings\Craig\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »my.myway.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5151A2EB-5137-4E7F-A3A9-4DA55AE5EDF6} - C:\WINDOWS\system32\vtUkjKBT.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5A2898A3-C4D3-4763-8691-7776DA4E6EFF} - C:\WINDOWS\system32\nnnMGyYQ.dll (file missing)
O2 - BHO: (no name) - {71837F80-0C9D-47C3-9C48-908879BE2535} - C:\WINDOWS\system32\iiffGAPj.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {B1A64443-6FCA-41CE-8D51-5F8991257555} - C:\WINDOWS\system32\vtUkjGXp.dll
O2 - BHO: (no name) - {B7B62A95-2022-4E6C-8F9A-F0A07D47ACA0} - C:\WINDOWS\system32\qoMffCsq.dll (file missing)
O2 - BHO: (no name) - {BFF194FD-F382-4E15-B97B-090177D92682} - C:\WINDOWS\system32\jkkIXNeF.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MaxBackSchedule] C:\Program Files\Maxtor\Maxtor Quick Start\maxbackservice.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [mssSort] C:\Program Files\Maxtor\Maxtor Quick Start\msssort.exe
O4 - HKLM\..\Run: [SupportAnyPC] "C:\DOCUME~1\Craig\LOCALS~1\Temp\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [1c4b3d6c] rundll32.exe "C:\WINDOWS\system32\aydiebww.dll",b
O4 - HKLM\..\Run: [BM1f780ef0] Rundll32.exe "C:\WINDOWS\system32\uopovura.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA8607] command /c del "C:\WINDOWS\SYSTEM32\xxyWpQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4597] cmd /c del "C:\WINDOWS\SYSTEM32\xxyWpQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2936] command /c del "C:\WINDOWS\SYSTEM32\vtUkjKBT.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4418] cmd /c del "C:\WINDOWS\SYSTEM32\vtUkjKBT.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9254] command /c del "C:\WINDOWS\SYSTEM32\vtUkjKBT.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4766] cmd /c del "C:\WINDOWS\SYSTEM32\vtUkjKBT.dll_old"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB5733] command /c del "C:\WINDOWS\SYSTEM32\xxyWpQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1318] cmd /c del "C:\WINDOWS\SYSTEM32\xxyWpQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4028] command /c del "C:\WINDOWS\SYSTEM32\vtUkjKBT.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2604] cmd /c del "C:\WINDOWS\SYSTEM32\vtUkjKBT.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3684] command /c del "C:\WINDOWS\SYSTEM32\vtUkjKBT.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8395] cmd /c del "C:\WINDOWS\SYSTEM32\vtUkjKBT.dll_old"
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kaiser VPN Client.lnk.disabled
O4 - Global Startup: NkvMon.exe.lnk = D:\Program Files\Nikon\View6\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/OnlineScanner.cab
O20 - Winlogon Notify: vtUkjGXp - C:\WINDOWS\SYSTEM32\vtUkjGXp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Web-Link Service (HAICommSrv) - Home Automation, Inc. - C:\Program Files\HAI\Web-Link\HAICOMMSRV.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
-- End of file - 9070 bytes

bcastner (Premium, VIP, MVM; join:2002-09-25; Chevy Chase, MD)
After the HijackThis step below, please use Normal and not Safe Mode.
First Steps :!: The following instructions are only for this Forum member. Please do not use these instructions on another computer system. You can seriously damage your system by following the instructions below without guided assistance. You assuredly will make a cleanup of your system more difficult.
TeaTimer is an excellent tool for the prevention of spyware but it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
• Open Spybot Search & Destroy.
• In the Mode menu click "Advanced mode" if not already selected.
• Choose Yes at the Warning prompt.
• Expand the Tools menu.
• Click Resident.
• Uncheck the Resident "TeaTimer" (Protection of overall system settings) active. box.
• In the File menu click Exit to exit Spybot Search & Destroy.
• Download and Unzip to your Desktop: »www.techsupportforum.com/sectool···imer.zip
• Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.
Please download ATF Cleaner. It does not require any installation. It is set up to clean Windows TEMP folders, as well as IE, FireFox and Opera, Temporary Internet Files and Cookies.
• Double-click ATF-Cleaner.exe to run the program.
First Step:
• Under Main choose: Select All
• Click the Empty Selected button.
Next, if you use Firefox (and some Mozilla-based browsers):
• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
Next, if you use the Opera browser:
• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
:!: Click Exit on the Main menu to close the program.
Reconfigure Windows XP to show hidden files:
To enable the viewing of Hidden files follow these steps:
• Close all programs so that you are at your desktop.
• Double-click on the My Computer icon.
• Select the Tools menu and click Folder Options.
• After the new window appears select the View tab.
• Put a checkmark in the checkbox labeled Display the contents of system folders.
• Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
• Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
• Remove the checkmark from the checkbox labeled Hide protected operating system files.
• Press the Apply button and then the OK button and exit My Computer.
• Now your computer is configured to show all hidden files.
Malware Removal Steps
1. Open HijackThis again, System scan only. Checkmark these items:
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: (no name) - {5151A2EB-5137-4E7F-A3A9-4DA55AE5EDF6} - C:\WINDOWS\system32\vtUkjKBT.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5A2898A3-C4D3-4763-8691-7776DA4E6EFF} - C:\WINDOWS\system32\nnnMGyYQ.dll (file missing)
O2 - BHO: (no name) - {71837F80-0C9D-47C3-9C48-908879BE2535} - C:\WINDOWS\system32\iiffGAPj.dll (file missing)
O2 - BHO: (no name) - {B1A64443-6FCA-41CE-8D51-5F8991257555} - C:\WINDOWS\system32\vtUkjGXp.dll
O2 - BHO: (no name) - {B7B62A95-2022-4E6C-8F9A-F0A07D47ACA0} - C:\WINDOWS\system32\qoMffCsq.dll (file missing)
O2 - BHO: (no name) - {BFF194FD-F382-4E15-B97B-090177D92682} - C:\WINDOWS\system32\jkkIXNeF.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [1c4b3d6c] rundll32.exe "C:\WINDOWS\system32\aydiebww.dll",b
O4 - HKLM\..\Run: [BM1f780ef0] Rundll32.exe "C:\WINDOWS\system32\uopovura.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA8607] command /c del "C:\WINDOWS\SYSTEM32\xxyWpQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4597] cmd /c del "C:\WINDOWS\SYSTEM32\xxyWpQkL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2936] command /c del "C:\WINDOWS\SYSTEM32\vtUkjKBT.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4418] cmd /c del "C:\WINDOWS\SYSTEM32\vtUkjKBT.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9254] command /c del "C:\WINDOWS\SYSTEM32\vtUkjKBT.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4766] cmd /c del "C:\WINDOWS\SYSTEM32\vtUkjKBT.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5733] command /c del "C:\WINDOWS\SYSTEM32\xxyWpQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1318] cmd /c del "C:\WINDOWS\SYSTEM32\xxyWpQkL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4028] command /c del "C:\WINDOWS\SYSTEM32\vtUkjKBT.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2604] cmd /c del "C:\WINDOWS\SYSTEM32\vtUkjKBT.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3684] command /c del "C:\WINDOWS\SYSTEM32\vtUkjKBT.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8395] cmd /c del "C:\WINDOWS\SYSTEM32\vtUkjKBT.dll_old"
O20 - Winlogon Notify: vtUkjGXp - C:\WINDOWS\SYSTEM32\vtUkjGXp.dll
Click "Fix checked" and when the log panel clears exit HijackThis.
2. Please download MalwareBytes Anti-malware (MBAM) from one of the following links:
Once downloaded, close all programs and Windows on your computer (including this one.)
Double-click on the icon on your desktop named Download_mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program.
On the Scanner tab, make sure the Perform quick scan option is selected and then click on the Scan button to start scanning your computer.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan.
When the scan is finished a message box will appear that it has completed scanning successfully. Click OK. Now click Show Results. Make sure all entries have a checkmark at their far left. You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window. Remember where you saved the log file, as we will want to see it later.
3. Download -- but do not yet run -- ComboFix©
Download this file -- to your Desktop -- from any of these sources:
Right-click on the header of the Code box below, where on the right side it says: "Copy to clipboard":
Open a new Notepad session - (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .
• Disconnect from the Internet.
• Disable your Antivirus. If the Antivirus software you use has any Script Blocking features, be certain to disable these as well.
Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window will open with a warning. Accept any Disclaimers to start the fix.
Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown in this little picture:
When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.
•!• A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
4. Run HijackThis again, and save the log file.
Submit to the Forum:
• Your MBAM results;
• The contents of C:\Combofix.txt;
• The new HijackThis log.
-- MS-MVP 2004-2008, ASAP Member, Users Helping Users
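The items bcastner picked out in step 1 share one pattern: unnamed BHOs (O2), rundll32 autorun entries (O4), Spybot's leftover RunOnce deletions (O4) and the Winlogon Notify hook (O20) all point at eight-letter pseudo-random DLLs under system32. The script below is an added example, not code from this thread or from HijackThis; it infers those rules from the fix list and applies them to a few entries copied from the posted log (the names `triage`, `classify`, `Finding`, `SAMPLE_LOG` and `suspicious_dll_names` are chosen here).

```python
"""Triage helper for a HijackThis v2 log (added example, not part of the
thread or of HijackThis). The rules mirror the step 1 fix list: entries that
reference an eight-letter DLL directly under system32, unnamed BHOs that
point at missing files, and Spybot's leftover RunOnce deletion entries."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entries copied from the log posted in this thread, mixed
# with legitimate ones (Adobe, Spybot, AVG, ctfmon) that must not be flagged.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5151A2EB-5137-4E7F-A3A9-4DA55AE5EDF6} - C:\WINDOWS\system32\vtUkjKBT.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B1A64443-6FCA-41CE-8D51-5F8991257555} - C:\WINDOWS\system32\vtUkjGXp.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [1c4b3d6c] rundll32.exe "C:\WINDOWS\system32\aydiebww.dll",b
O4 - HKLM\..\Run: [BM1f780ef0] Rundll32.exe "C:\WINDOWS\system32\uopovura.dll",s
O4 - HKLM\..\RunOnce: [SpybotDeletingC4597] cmd /c del "C:\WINDOWS\SYSTEM32\xxyWpQkL.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: vtUkjGXp - C:\WINDOWS\SYSTEM32\vtUkjGXp.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""

# "R3 - ..." / "O4 - ..." entry lines; headers and the process list do not match.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Exactly eight letters, directly under system32: the naming seen in this thread's log.
RANDOM_DLL_RE = re.compile(r"(?i)[a-z]:\\windows\\system32\\(?P<name>[a-z]{8})\.dll")


@dataclass
class Finding:
    section: str
    entry: str
    reason: str
    dll: Optional[str]  # eight-letter system32 DLL involved, if any


def random_system32_dll(body: str) -> Optional[str]:
    """Return the eight-letter DLL name if the entry references one under system32."""
    m = RANDOM_DLL_RE.search(body)
    return m.group("name") if m else None


def classify(section: str, body: str) -> Optional[str]:
    """Apply the fix-list rules to one entry; return the reason to fix it, or None."""
    dll = random_system32_dll(body)
    missing = "(no file)" in body or "(file missing)" in body
    if section == "R3" and missing:
        return "URLSearchHook pointing at a file that no longer exists"
    if section == "O2" and body.startswith("BHO: (no name)") and (dll or missing):
        return "unnamed BHO loading a random-named system32 DLL or a missing file"
    if section == "O4" and "rundll32" in body.lower() and dll:
        return "autorun entry using rundll32 to load a random-named system32 DLL"
    if section == "O4" and "SpybotDeleting" in body:
        return "leftover Spybot RunOnce deletion entry"
    if section == "O20" and dll:
        return "Winlogon Notify hook implemented by a random-named system32 DLL"
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the entries that match the fix-list rules."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        entry = raw.strip()
        m = ENTRY_RE.match(entry)
        if not m:
            continue  # header line, process list or blank line
        section, body = m.group("section"), m.group("body")
        reason = classify(section, body)
        if reason:
            findings.append(Finding(section, entry, reason, random_system32_dll(body)))
    return findings


def suspicious_dll_names(findings: List[Finding]) -> List[str]:
    """Distinct DLL names behind the findings, for cross-checking against AV or MBAM
    output. The names differ between the two logs in this thread, so match on the
    naming pattern rather than on a fixed list of file names."""
    return sorted({f.dll for f in findings if f.dll})


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.section}] {f.reason}\n    {f.entry}")
    print("DLLs to cross-check:", ", ".join(suspicious_dll_names(found)))
```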
shiftergreen (join:2008-05-28)
| OK...apologies if this is the second copy of my reply...thought I sent it earlier but it seems not to have arrived.
Have completed the instructions. All seemed to go well except when we redid the HJT scan only, only one of the items you iterated ("R3 URLSearchHook....") was present. MBAM identified a lot of threats but was unable to clear them all until it had automatically rebooted the system.
As I rebooted my computer just now to (re)post this message, the AVG popped up and announced it had identified VUNDO in C:\windows\system32\mlJBULCU.dll
LOGS FOLLOW:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:11 AM, on 5/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\HAI\Web-Link\HAICOMMSRV.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Maxtor\Maxtor Quick Start\maxbackservice.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Maxtor\Maxtor Quick Start\msssort.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
D:\Program Files\Nikon\View6\NkvMon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Craig\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »my.myway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5151A2EB-5137-4E7F-A3A9-4DA55AE5EDF6} - C:\WINDOWS\system32\vtUkjKBT.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A2898A3-C4D3-4763-8691-7776DA4E6EFF} - C:\WINDOWS\system32\nnnMGyYQ.dll (file missing)
O2 - BHO: (no name) - {71837F80-0C9D-47C3-9C48-908879BE2535} - C:\WINDOWS\system32\iiffGAPj.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7DEF7CDF-064A-44D4-A187-CEA285CC6A5E} - C:\WINDOWS\system32\pmnmnlJB.dll (file missing)
O2 - BHO: (no name) - {B1A64443-6FCA-41CE-8D51-5F8991257555} - C:\WINDOWS\system32\vtUkjGXp.dll
O2 - BHO: (no name) - {B7B62A95-2022-4E6C-8F9A-F0A07D47ACA0} - C:\WINDOWS\system32\qoMffCsq.dll (file missing)
O2 - BHO: (no name) - {BFF194FD-F382-4E15-B97B-090177D92682} - C:\WINDOWS\system32\jkkIXNeF.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MaxBackSchedule] C:\Program Files\Maxtor\Maxtor Quick Start\maxbackservice.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [mssSort] C:\Program Files\Maxtor\Maxtor Quick Start\msssort.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kaiser VPN Client.lnk.disabled
O4 - Global Startup: NkvMon.exe.lnk = D:\Program Files\Nikon\View6\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/OnlineScanner.cab
O20 - Winlogon Notify: vtUkjGXp - C:\WINDOWS\SYSTEM32\vtUkjGXp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Web-Link Service (HAICommSrv) - Home Automation, Inc. - C:\Program Files\HAI\Web-Link\HAICOMMSRV.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
-- End of file - 9296 bytes
Malwarebytes' Anti-Malware 1.12
Database version: 799

Scan type: Quick Scan
Objects scanned: 37038
Time elapsed: 2 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 12
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 20
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\SYSTEM32\coygcydw.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\pmnmkiiH.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3485999e-7535-4839-a23d-27d4f7b3d226} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{3485999e-7535-4839-a23d-27d4f7b3d226} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecurity1.209.4 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Purchased Products (Rogue.Multiple) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\SystemErrorFixerDownloader (Rogue.SystemErrorFixer) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1c4b3d6c (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM1f780ef0 (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\pmnmkiih -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\pmnmkiih -> No action taken.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\systemerrorfixer (Rogue.SystemErrorFixer) -> No action taken.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data (Rogue.SystemErrorFixer) -> No action taken.

Files Infected:
C:\WINDOWS\SYSTEM32\bkithhta.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\athhtikb.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\coygcydw.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\wdycgyoc.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\dhatdmin.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\nimdtahd.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\pmnmkiiH.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\Hiikmnmp.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\Hiikmnmp.ini2 (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\wkqufxdk.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\kdxfuqkw.ini (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\ac (Rogue.SystemErrorFixer) -> No action taken.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\ActivationDomain (Rogue.SystemErrorFixer) -> No action taken.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\em (Rogue.SystemErrorFixer) -> No action taken.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\oid (Rogue.SystemErrorFixer) -> No action taken.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\user (Rogue.SystemErrorFixer) -> No action taken.
C:\WINDOWS\cookies.ini (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\mxbvwwqw.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\SYSTEM32\pac.txt (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\khfoyxwo.dll (Trojan.Vundo) -> No action taken.
ComboFix 08-05-29.1 - Craig 2008-05-29 11:04:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1602 [GMT -7:00]
Running from: C:\Documents and Settings\Craig\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Craig\Desktop\CFscript.txt
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BM1f780ef0.xml
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aaxwydvu.dll
C:\WINDOWS\SYSTEM32\AbLorqss.ini
C:\WINDOWS\SYSTEM32\AbLorqss.ini2
C:\WINDOWS\system32\aknwhhxa.dll
C:\WINDOWS\system32\bfxhfyux.dll
C:\WINDOWS\SYSTEM32\BJlnmnmp.ini
C:\WINDOWS\SYSTEM32\BJlnmnmp.ini2
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\cfghndfs.dll
C:\WINDOWS\SYSTEM32\cKllRXbc.ini
C:\WINDOWS\SYSTEM32\cKllRXbc.ini2
C:\WINDOWS\system32\coygcydw.dll
C:\WINDOWS\system32\cqxhdlys.dll
C:\WINDOWS\system32\djimofra.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\dwrdhqsm.dll
C:\WINDOWS\system32\eakmgsud.ini
C:\WINDOWS\system32\ecbotgbu.dll
C:\WINDOWS\SYSTEM32\FeNXIkkj.ini
C:\WINDOWS\SYSTEM32\FeNXIkkj.ini2
C:\WINDOWS\system32\gbaadgsw.dll
C:\WINDOWS\system32\gpguleso.dll
C:\WINDOWS\system32\hepaqtlk.dll
C:\WINDOWS\SYSTEM32\hNpVwyxx.ini
C:\WINDOWS\SYSTEM32\hNpVwyxx.ini2
C:\WINDOWS\SYSTEM32\ibkjyixx.ini
C:\WINDOWS\system32\IRAbaJjl.ini
C:\WINDOWS\SYSTEM32\IRAbaJjl.ini2
C:\WINDOWS\system32\ixydnvbe.dll
C:\WINDOWS\system32\jlochhqm.dll
C:\WINDOWS\SYSTEM32\jPAGffii.ini
C:\WINDOWS\SYSTEM32\jPAGffii.ini2
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\mxbvwwqw.dll
C:\WINDOWS\system32\qcyrjvwg.dll
C:\WINDOWS\SYSTEM32\qsCffMoq.ini
C:\WINDOWS\SYSTEM32\qsCffMoq.ini2
C:\WINDOWS\system32\qxkstruc.dll
C:\WINDOWS\SYSTEM32\QYyGMnnn.ini
C:\WINDOWS\SYSTEM32\QYyGMnnn.ini2
C:\WINDOWS\system32\rbwuvqrj.dll
C:\WINDOWS\system32\rooioasy.dll
C:\WINDOWS\system32\srhqpeye.dll
C:\WINDOWS\system32\sthiqbil.ini
C:\WINDOWS\system32\swtqsxwb.ini
C:\WINDOWS\SYSTEM32\TBKjkUtv.ini
C:\WINDOWS\SYSTEM32\TBKjkUtv.ini2
C:\WINDOWS\system32\tmsunpgv.dll
C:\WINDOWS\SYSTEM32\ufavjfys.ini
C:\WINDOWS\system32\uopovura.dll
C:\WINDOWS\system32\wicqbxks.dll
C:\WINDOWS\SYSTEM32\wuffjios.ini
C:\WINDOWS\SYSTEM32\wwbeidya.ini
C:\WINDOWS\system32\wxvbljss.ini
C:\WINDOWS\system32\ynmqpljl.dll
C:\WINDOWS\SYSTEM32\yrqqxwig.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MSSECURITY1.209.4

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.
2008-05-29 10:35 . 2008-05-29 10:35 d-------- C:\Documents and Settings\Craig\Application Data\Malwarebytes
2008-05-29 10:35 . 2008-05-29 10:35 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-29 10:35 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-05-29 10:35 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-05-28 15:57 . 2008-05-28 15:51 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-28 15:57 . 2008-05-28 15:57 2,543 --a------ C:\WINDOWS\unins000.dat
2008-05-27 23:41 . 2008-05-29 09:19 dr-h----- C:\$VAULT$.AVG
2008-05-27 19:35 . 2008-05-27 19:45 d-------- C:\Program Files\EsetOnlineScanner
2008-05-27 19:22 . 2008-05-27 19:22 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-27 17:33 . 2008-05-27 17:33 d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-27 16:22 . 2008-05-27 16:22 d-------- C:\VundoFix Backups
2008-05-27 16:12 . 2008-05-27 16:12 d-------- C:\Documents and Settings\Craig\Application Data\Talkback
2008-05-27 15:54 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-05-27 15:53 . 2008-05-27 15:54 d-------- C:\Program Files\Java
2008-05-27 15:53 . 2008-05-27 15:53 d-------- C:\Program Files\Common Files\Java
2008-05-27 10:14 . 2008-05-27 18:18 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-27 10:08 . 2008-05-27 19:23 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-26 08:04 . 2004-10-07 14:39 89,088 --a------ C:\WINDOWS\SYSTEM32\atl71.dll
2008-05-24 22:25 . 2008-05-25 09:11 d-------- C:\WINDOWS\SYSTEM32\vntiho06
2008-05-24 22:25 . 2008-05-27 11:21 d-------- C:\Temp
2008-05-24 22:25 . 2008-05-24 22:25 26,384 --a------ C:\WINDOWS\SYSTEM32\vtUkjGXp.dll
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\SYSTEM32\lsdelete.exe
2008-04-29 11:20 . 2008-04-29 11:20 15,648 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\NSDriver.sys
2008-04-29 11:19 . 2008-04-29 11:19 15,648 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Awrtrd.sys
2008-04-29 11:19 . 2008-04-29 11:19 12,960 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Awrtpd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 16:09 --------- d-----w C:\Documents and Settings\Craig\Application Data\AVG7
2008-05-27 23:35 --------- d-----w C:\Program Files\Google
2008-05-27 22:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-27 22:24 --------- d-----w C:\Program Files\Kaiser
2008-05-27 15:13 --------- d-----w C:\Program Files\Brother
2008-05-27 15:12 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5151A2EB-5137-4E7F-A3A9-4DA55AE5EDF6}] C:\WINDOWS\system32\vtUkjKBT.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A2898A3-C4D3-4763-8691-7776DA4E6EFF}] C:\WINDOWS\system32\nnnMGyYQ.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{71837F80-0C9D-47C3-9C48-908879BE2535}] C:\WINDOWS\system32\iiffGAPj.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7DEF7CDF-064A-44D4-A187-CEA285CC6A5E}] C:\WINDOWS\system32\pmnmnlJB.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1A64443-6FCA-41CE-8D51-5F8991257555}] 2008-05-24 22:25 26384 --a------ C:\WINDOWS\system32\vtUkjGXp.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7B62A95-2022-4E6C-8F9A-F0A07D47ACA0}] C:\WINDOWS\system32\qoMffCsq.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFF194FD-F382-4E15-B97B-090177D92682}] C:\WINDOWS\system32\jkkIXNeF.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MSSOverlay] @={b75ab0c8-03d5-4592-9821-a48d54d66b14}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-08-21 17:04 155648]
"bacstray"="BacsTray.exe" [2003-05-14 17:37 98304 C:\WINDOWS\SYSTEM32\BacsTray.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 20:00 335872]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 10:43 53248]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2004-10-07 18:44 610304]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 00:01 86016]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 00:01 110592]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 00:05 122939]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-01-11 11:51 26112]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 19:05 323584]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-10-08 09:49 53248]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2004-06-04 13:38 286720]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-23 19:53 98304]
"MaxBackSchedule"="C:\Program Files\Maxtor\Maxtor Quick Start\maxbackservice.exe" [2005-10-06 11:22 172032]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-06 10:22 57344]
"mssSort"="C:\Program Files\Maxtor\Maxtor Quick Start\msssort.exe" [2005-07-15 15:29 1335296]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-19 11:22 579584]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 11:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 15:25 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 15:45 40960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 09:56 219136]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-07-30 01:52:00 217195]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-01-23 10:54:28 113664]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-01-11 11:31:51 24576]
Kaiser VPN Client.lnk.disabled [2005-02-04 12:45:11 1798]
NkvMon.exe.lnk - D:\Program Files\Nikon\View6\NkvMon.exe [2005-01-22 14:58:05 233472]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{B1A64443-6FCA-41CE-8D51-5F8991257555}"= C:\WINDOWS\system32\vtUkjGXp.dll [2008-05-24 22:25 26384]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUkjGXp] vtUkjGXp.dll 2008-05-24 22:25 26384 C:\WINDOWS\SYSTEM32\vtUkjGXp.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.NTN1"= nuvision.ax
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SystemErrorFixer"=C:\Program Files\SystemErrorFixer\SysRep.exe
"cwriter"=C:\Program Files\SystemErrorFixer\ucookw.exe
"BM1f780ef0"=Rundll32.exe "C:\WINDOWS\system32\dwrdhqsm.dll",s
"SBI"=C:\Documents and Settings\Craig\Local Settings\Temporary Internet Files\Content.IE5\0LKRO7SZ\setup_sbd_en[1].exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"D:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Dell Inc\\Dell Picture Studio v3.0\\launch.exe"=
"C:\\WINDOWS\\SYSTEM32\\MMC.EXE"=
"C:\\Program Files\\Microsoft Money\\System\\msmoney.exe"=
"C:\\Program Files\\Maxtor\\Maxtor Quick Start\\mssManager.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=

R2 HAICommSrv;Web-Link Service;C:\Program Files\HAI\Web-Link\HAICOMMSRV.EXE [2007-03-12 21:50]
S3 NuVision;Hauppauge WinTV USB Pro (NTSC);C:\WINDOWS\system32\DRIVERS\NUVision.sys [2003-04-30 12:59]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f8ef208-76e7-11d9-81c9-0011436598d9}] \Shell\AutoRun\command - F:\JDSecure\Windows\JDSecure20.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-05-29 18:12:19 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - D:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-05-29 11:11:14
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
-> C:\WINDOWS\system32\vtUkjGXp.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\SYSTEM32\brss01a.exe
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\SYSTEM32\INETSRV\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Apoint\ApntEx.exe
D:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SYSTEM32\WBEM\WMIAPSRV.EXE
.
**************************************************************************
.
Completion time: 2008-05-29 11:16:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-29 18:16:03
Pre-Run: 15,264,276,480 bytes free
Post-Run: 15,149,305,856 bytes free
243 --- E O F --- 2008-05-16 14:27:57

bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD
reply to shiftergreen

Let's clear up some confusion.
Both MBAM and Combofix will do a lot of work through a reboot process. Most of these infections can only be truly deleted when they are not active. The way to do this is to instruct XP to delete the files on restart.
Next, you have at least one prominent rootkit. We were able to remove one of its protections -- a malware service -- that was protecting it. In the steps below we will make the registry changes to expose it fully for deletion.
Further confusion that is important: in my instructions for MBAM I stated that you had to checkmark every entry found prior to asking it to remove the problems. Your log results state that no checkmarks were made, and therefore MBAM was told to do nothing about the many issues it found.
So, let's proceed:
1. Run MBAM again, this time checkmark every item found.
2. Right-click on the header of the Code box below, where on the right side it says: "Copy to clipboard":
Open a new Notepad session - (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .
• Disconnect from the Internet.
• Disable your Antivirus. If the Antivirus software you use has any Script Blocking features, be certain to disable these as well. Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window will open with a warning. Accept any Disclaimers to start the fix. Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown in this little picture:

When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.
•!• A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
3. Run HijackThis again, and save the log file.
Submit to the Forum:
• Your new MBAM log results;
• The contents of C:\Combofix.txt;
• The new HijackThis log.

-- MS-MVP 2004-2008, ASAP Member, Users Helping Users
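The persistence points bcastner is describing (orphaned BHO CLSIDs that Vundo re-creates under new names, the Winlogon Notify hook that drags vtUkjGXp.dll into winlogon.exe, the extra LSA Authentication Package MBAM flagged, and the delete-on-restart mechanism that MBAM and ComboFix rely on) can be pulled out of the posted logs mechanically. What follows is an added example written for this edit; it is not code from the post or from HijackThis, MBAM or ComboFix. The sample lines are copied from the HJT log in this thread, the eight-letter-name rule and the scoring are the editor's own heuristics, and nothing here touches a live registry.

```python
"""Triage of Vundo-style persistence entries in HijackThis / ComboFix output.

Added example for this thread; not code from bcastner's post or from
HijackThis, MBAM or ComboFix. Sample lines are copied from the logs posted
above; the scoring rules are this editor's own heuristics.
"""
import re
from dataclasses import dataclass

# Constructed sample: entries taken verbatim from the HJT log in this thread.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5151A2EB-5137-4E7F-A3A9-4DA55AE5EDF6} - C:\WINDOWS\system32\vtUkjKBT.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B1A64443-6FCA-41CE-8D51-5F8991257555} - C:\WINDOWS\system32\vtUkjGXp.dll
O20 - Winlogon Notify: vtUkjGXp - C:\WINDOWS\SYSTEM32\vtUkjGXp.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
"""

# HJT line shape: "<Onn> - <type>: <description> - <drive:\path>[ (file missing)]"
ENTRY_RE = re.compile(
    r"^(?P<kind>O\d+) - (?P<type>[^:]+): (?P<desc>.*?) - "
    r"(?P<path>[A-Za-z]:\\.*?)(?: \((?P<missing>file missing)\))?\s*$"
)


@dataclass(frozen=True)
class Finding:
    kind: str
    path: str
    reasons: tuple

    @property
    def score(self) -> int:
        return len(self.reasons)


def looks_random(stem: str) -> bool:
    """Vundo's generated names (vtUkjGXp, nnnMGyYQ, qoMffCsq, ...) are exactly
    eight letters with a capital following a lower-case letter inside the word.
    Vendor names such as SDHelper or AcroIEHelper fail one of the two tests,
    so the rule is deliberately narrow rather than clever."""
    return (len(stem) == 8 and stem.isalpha()
            and re.search(r"[a-z][A-Z]", stem) is not None)


def triage(hjt_text: str) -> list:
    """Return a Finding for every parsable entry that trips at least one rule,
    highest score first."""
    findings = []
    for line in hjt_text.strip().splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        path = m["path"]
        stem = path.rsplit("\\", 1)[-1].split(".")[0]
        in_system32 = "\\system32\\" in path.lower()
        reasons = []
        if m["missing"]:
            # CLSID still registered but the DLL is gone: Vundo drops a fresh
            # DLL under a new name each time and leaves these orphans behind.
            reasons.append("registration points at a file that no longer exists")
        if m["type"] == "BHO" and m["desc"].startswith("(no name)"):
            reasons.append("BHO registered without a name")
        if in_system32 and looks_random(stem):
            reasons.append("random-looking 8-letter module name in system32")
        if m["type"] == "Winlogon Notify" and in_system32 and looks_random(stem):
            # A Winlogon Notify package is loaded into winlogon.exe before any
            # user logs on, which is why the DLL cannot be deleted while
            # Windows is running (compare ComboFix's 'DLLs Loaded' section).
            reasons.append("Winlogon Notify hook loads the module into winlogon.exe")
        if reasons:
            findings.append(Finding(m["kind"], path, tuple(reasons)))
    return sorted(findings, key=lambda f: -f.score)


def rogue_auth_packages(values: list) -> list:
    r"""LSA 'Authentication Packages' on XP normally lists only msv1_0. Any
    extra entry (MBAM reported c:\windows\system32\pmnmkiih above) is loaded
    into lsass.exe at boot."""
    return [v for v in values if v.lower() != "msv1_0"]


def pending_delete_entries(paths: list) -> list:
    r"""Build the REG_MULTI_SZ content for
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations.
    Entries come in pairs (NT-style source path, destination); an empty
    destination means 'delete at next boot'. MoveFileEx with
    MOVEFILE_DELAY_UNTIL_REBOOT writes exactly this, and it is how a DLL that
    is locked while Windows runs gets removed on restart."""
    out = []
    for p in paths:
        out.append("\\??\\" + p)
        out.append("")
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f.score}  {f.kind:<4} {f.path}")
        for r in f.reasons:
            print("      -", r)
    print(rogue_auth_packages(["msv1_0", r"c:\windows\system32\pmnmkiih"]))
    print(pending_delete_entries([r"C:\WINDOWS\system32\vtUkjGXp.dll"]))
```

Run as a script it prints the ranked list with the reasons for each hit. The PendingFileRenameOperations pairs it builds are what a "delete on restart" request looks like in the registry, so after a cleanup run you can check that the value really names the DLL you asked to remove; Session Manager clears it once the deletion has been carried out at boot.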
shiftergreen join:2008-05-28

I am just about positive that all the boxes on MBAM were checked...there were 40, I believe. Have run MBAM again. No infected files / threats were identified. It is possible that somehow I sent the wrong log. I have stopped at this point so you can see the new MBAM log in case that may alter the next steps. Will await further direction.
Thanks!
Most recent MBAM log follows:
Malwarebytes' Anti-Malware 1.12
Database version: 799

Scan type: Quick Scan
Objects scanned: 36624
Time elapsed: 3 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: (No malicious items detected)
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: (No malicious items detected)
Folders Infected: (No malicious items detected)
Files Infected: (No malicious items detected)

bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD
reply to shiftergreen

Please keep going with the Combofix step. This is critical because Vundo can quickly rebuild itself. We need to remove the rootkit elements of this infection ASAP.
Post back the contents of C:\Combofix.txt

shiftergreen join:2008-05-28

Roger! Have completed the second ComboFix run.
Logs follow:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:31:12 PM, on 5/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Maxtor\Maxtor Quick Start\maxbackservice.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Maxtor\Maxtor Quick Start\msssort.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\HAI\Web-Link\HAICOMMSRV.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Digital Line Detect\DLG.exe
D:\Program Files\Nikon\View6\NkvMon.exe
D:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Craig\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »my.myway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5151A2EB-5137-4E7F-A3A9-4DA55AE5EDF6} - C:\WINDOWS\system32\vtUkjKBT.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A2898A3-C4D3-4763-8691-7776DA4E6EFF} - C:\WINDOWS\system32\nnnMGyYQ.dll (file missing)
O2 - BHO: (no name) - {71837F80-0C9D-47C3-9C48-908879BE2535} - C:\WINDOWS\system32\iiffGAPj.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7DEF7CDF-064A-44D4-A187-CEA285CC6A5E} - C:\WINDOWS\system32\pmnmnlJB.dll (file missing)
O2 - BHO: (no name) - {B1A64443-6FCA-41CE-8D51-5F8991257555} - C:\WINDOWS\system32\vtUkjGXp.dll
O2 - BHO: (no name) - {B7B62A95-2022-4E6C-8F9A-F0A07D47ACA0} - C:\WINDOWS\system32\qoMffCsq.dll (file missing)
O2 - BHO: (no name) - {BFF194FD-F382-4E15-B97B-090177D92682} - C:\WINDOWS\system32\jkkIXNeF.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MaxBackSchedule] C:\Program Files\Maxtor\Maxtor Quick Start\maxbackservice.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [mssSort] C:\Program Files\Maxtor\Maxtor Quick Start\msssort.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kaiser VPN Client.lnk.disabled
O4 - Global Startup: NkvMon.exe.lnk = D:\Program Files\Nikon\View6\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/OnlineScanner.cab
O20 - Winlogon Notify: vtUkjGXp - C:\WINDOWS\SYSTEM32\vtUkjGXp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Web-Link Service (HAICommSrv) - Home Automation, Inc. - C:\Program Files\HAI\Web-Link\HAICOMMSRV.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
-- End of file - 9137 bytes
ComboFix 08-05-29.1 - Craig 2008-05-29 21:17:28.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1646 [GMT -7:00]
Running from: C:\Documents and Settings\Craig\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Craig\Desktop\CFscript.txt
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.
2008-05-29 10:35 . 2008-05-29 10:35 d-------- C:\Documents and Settings\Craig\Application Data\Malwarebytes
2008-05-29 10:35 . 2008-05-29 10:35 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-29 10:35 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-05-29 10:35 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-05-28 15:57 . 2008-05-28 15:51 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-28 15:57 . 2008-05-28 15:57 2,543 --a------ C:\WINDOWS\unins000.dat
2008-05-27 23:41 . 2008-05-29 21:10 dr-h----- C:\$VAULT$.AVG
2008-05-27 19:35 . 2008-05-27 19:45 d-------- C:\Program Files\EsetOnlineScanner
2008-05-27 19:22 . 2008-05-27 19:22 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-27 17:33 . 2008-05-27 17:33 d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-27 16:22 . 2008-05-27 16:22 d-------- C:\VundoFix Backups
2008-05-27 16:12 . 2008-05-27 16:12 d-------- C:\Documents and Settings\Craig\Application Data\Talkback
2008-05-27 15:54 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-05-27 15:53 . 2008-05-27 15:54 d-------- C:\Program Files\Java
2008-05-27 15:53 . 2008-05-27 15:53 d-------- C:\Program Files\Common Files\Java
2008-05-27 10:14 . 2008-05-27 18:18 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-27 10:08 . 2008-05-27 19:23 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-26 08:04 . 2004-10-07 14:39 89,088 --a------ C:\WINDOWS\SYSTEM32\atl71.dll
2008-05-24 22:25 . 2008-05-25 09:11 d-------- C:\WINDOWS\SYSTEM32\vntiho06
2008-05-24 22:25 . 2008-05-27 11:21 d-------- C:\Temp
2008-05-24 22:25 . 2008-05-24 22:25 26,384 --a------ C:\WINDOWS\SYSTEM32\vtUkjGXp.dll
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\SYSTEM32\lsdelete.exe
2008-04-29 11:20 . 2008-04-29 11:20 15,648 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\NSDriver.sys
2008-04-29 11:19 . 2008-04-29 11:19 15,648 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Awrtrd.sys
2008-04-29 11:19 . 2008-04-29 11:19 12,960 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Awrtpd.sys
2008-04-14 12:33 . 2008-04-14 12:33 568 --a------ C:\WINDOWS\HCWPNP.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 19:49 --------- d-----w C:\Documents and Settings\Craig\Application Data\AVG7
2008-05-27 23:35 --------- d-----w C:\Program Files\Google
2008-05-27 22:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-27 22:24 --------- d-----w C:\Program Files\Kaiser
2008-05-27 15:13 --------- d-----w C:\Program Files\Brother
2008-05-27 15:12 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-02-16 22:29 3,059,712 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-02-15 09:23 18,432 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
.

((((((((((((((((((((((((((((( snapshot@2008-05-29_11.15.29.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-29 18:08:51 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-05-30 04:21:50 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
- 2008-05-29 18:12:38 214,474 ----a-w C:\WINDOWS\SYSTEM32\INETSRV\MetaBase.bin
+ 2008-05-30 04:20:44 214,476 ----a-w C:\WINDOWS\SYSTEM32\INETSRV\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5151A2EB-5137-4E7F-A3A9-4DA55AE5EDF6}] C:\WINDOWS\system32\vtUkjKBT.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A2898A3-C4D3-4763-8691-7776DA4E6EFF}] C:\WINDOWS\system32\nnnMGyYQ.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{71837F80-0C9D-47C3-9C48-908879BE2535}] C:\WINDOWS\system32\iiffGAPj.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7DEF7CDF-064A-44D4-A187-CEA285CC6A5E}] C:\WINDOWS\system32\pmnmnlJB.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1A64443-6FCA-41CE-8D51-5F8991257555}] 2008-05-24 22:25 26384 --a------ C:\WINDOWS\system32\vtUkjGXp.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7B62A95-2022-4E6C-8F9A-F0A07D47ACA0}] C:\WINDOWS\system32\qoMffCsq.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFF194FD-F382-4E15-B97B-090177D92682}] C:\WINDOWS\system32\jkkIXNeF.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MSSOverlay] @={b75ab0c8-03d5-4592-9821-a48d54d66b14}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-08-21 17:04 155648] "bacstray"="BacsTray.exe" [2003-05-14 17:37 98304 C:\WINDOWS\SYSTEM32\BacsTray.exe] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 20:00 335872] "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 10:43 53248] "DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 00:01 86016] "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 00:01 110592] "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 00:05 122939] "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-01-11 11:51 26112] "DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 19:05 323584] "mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-10-08 09:49 53248] "iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2004-06-04 13:38 286720] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-23 19:53 98304] "MaxBackSchedule"="C:\Program Files\Maxtor\Maxtor Quick Start\maxbackservice.exe" [2005-10-06 11:22 172032] "mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-06 10:22 57344] "mssSort"="C:\Program Files\Maxtor\Maxtor Quick Start\msssort.exe" [2005-07-15 15:29 1335296] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-19 11:22 579584] "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 11:22 155648] "PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 15:25 57393] "IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 15:45 40960] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 09:56 219136]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-07-30 01:52:00 217195] Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-01-23 10:54:28 113664] Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-01-11 11:31:51 24576] Kaiser VPN Client.lnk.disabled [2005-02-04 12:45:11 1798] NkvMon.exe.lnk - D:\Program Files\Nikon\View6\NkvMon.exe [2005-01-22 14:58:05 233472]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{B1A64443-6FCA-41CE-8D51-5F8991257555}"= C:\WINDOWS\system32\vtUkjGXp.dll [2008-05-24 22:25 26384]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUkjGXp] vtUkjGXp.dll 2008-05-24 22:25 26384 C:\WINDOWS\SYSTEM32\vtUkjGXp.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.NTN1"= nuvision.ax
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SystemErrorFixer"=C:\Program Files\SystemErrorFixer\SysRep.exe
"cwriter"=C:\Program Files\SystemErrorFixer\ucookw.exe
"BM1f780ef0"=Rundll32.exe "C:\WINDOWS\system32\dwrdhqsm.dll",s
"SBI"=C:\Documents and Settings\Craig\Local Settings\Temporary Internet Files\Content.IE5\0LKRO7SZ\setup_sbd_en[1].exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"= "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"= "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"= "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"= "D:\\Program Files\\iTunes\\iTunes.exe"= "C:\\Program Files\\Dell Inc\\Dell Picture Studio v3.0\\launch.exe"= "C:\\WINDOWS\\SYSTEM32\\MMC.EXE"= "C:\\Program Files\\Microsoft Money\\System\\msmoney.exe"= "C:\\Program Files\\Maxtor\\Maxtor Quick Start\\mssManager.exe"= "C:\\WINDOWS\\system32\\sessmgr.exe"= "C:\\Program Files\\Messenger\\MSMSGS.EXE"=
R2 HAICommSrv;Web-Link Service;C:\Program Files\HAI\Web-Link\HAICOMMSRV.EXE [2007-03-12 21:50] S3 NuVision;Hauppauge WinTV USB Pro (NTSC);C:\WINDOWS\system32\DRIVERS\NUVision.sys [2003-04-30 12:59]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f8ef208-76e7-11d9-81c9-0011436598d9}] \Shell\AutoRun\command - F:\JDSecure\Windows\JDSecure20.exe
. Contents of the 'Scheduled Tasks' folder "2008-05-30 04:25:14 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - D:\Program Files\Windows Defender\MpCmdRun.exe . **************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net Rootkit scan 2008-05-29 21:24:48 Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\TEMP\TMP000000292D7EBA7187DEABB9 524288 bytes executable
scan completed successfully hidden files: 1
************************************************************************** . --------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
-> C:\WINDOWS\system32\vtUkjGXp.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\SYSTEM32\brss01a.exe
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\SYSTEM32\INETSRV\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
D:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SYSTEM32\WBEM\WMIAPSRV.EXE
.
**************************************************************************
.
Completion time: 2008-05-29 21:28:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-30 04:28:45
ComboFix2.txt 2008-05-29 18:16:15
Pre-Run: 15,133,818,880 bytes free Post-Run: 15,119,089,664 bytes free
192 --- E O F --- 2008-05-16 14:27:57
For what it is worth, AVG continues to warn of Vundo threats
THANKS!

bcastner

1. Combofix is reporting that your CFScript.txt file was empty of any entries.
Please try to create it again. Using your mouse, highlight and then Right-click | Copy the bolded text below:
KILLALL::
File::
C:\WINDOWS\SYSTEM32\vtUkjGXp.dll
C:\WINDOWS\system32\dwrdhqsm.dll

RootKit::
C:\WINDOWS\SYSTEM32\vtUkjGXp.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5151A2EB-5137-4E7F-A3A9-4DA55AE5EDF6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A2898A3-C4D3-4763-8691-7776DA4E6EFF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{71837F80-0C9D-47C3-9C48-908879BE2535}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7DEF7CDF-064A-44D4-A187-CEA285CC6A5E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1A64443-6FCA-41CE-8D51-5F8991257555}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7B62A95-2022-4E6C-8F9A-F0A07D47ACA0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFF194FD-F382-4E15-B97B-090177D92682}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MSSOverlay]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B1A64443-6FCA-41CE-8D51-5F8991257555}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUkjGXp]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SystemErrorFixer"=-
"cwriter"=-
"BM1f780ef0"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
As before, open a new Notepad document and do a Right-click, Paste. The Notepad document should now match the bolded text above. Save as "CFScript.txt" and then do the drag and drop like the earlier picture showed.
2. Now, let's do a double check. Hopefully, Avenger will have nothing to do, as the issues should have been dealt with by now.
Download The Avenger by Swandog46 from
• Unzip/extract it to a folder on your desktop.
• Double click on Avenger.exe.
• Click OK.
• Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
• Using your mouse, copy all of the bolded text by highlighting it and then pressing Ctrl+C.
Files to delete:
C:\WINDOWS\SYSTEM32\vtUkjGXp.dll
C:\WINDOWS\system32\dwrdhqsm.dll

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{5151A2EB-5137-4E7F-A3A9-4DA55AE5EDF6}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{5A2898A3-C4D3-4763-8691-7776DA4E6EFF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{71837F80-0C9D-47C3-9C48-908879BE2535}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{7DEF7CDF-064A-44D4-A187-CEA285CC6A5E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{B1A64443-6FCA-41CE-8D51-5F8991257555}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{B7B62A95-2022-4E6C-8F9A-F0A07D47ACA0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{BFF194FD-F382-4E15-B97B-090177D92682}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MSSOverlay
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUkjGXp

Registry values to delete:
hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks|{B1A64443-6FCA-41CE-8D51-5F8991257555}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-|SystemErrorFixer
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-|cwriter
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-|BM1f780ef0
• In the Avenger window, click the Paste Script from Clipboard button.
• Click the Execute button.
• You will be asked Are you sure you want to execute the current script?
• Click Yes.
• You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?
• Click Yes.
• Your PC will now be rebooted.
• After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at C:\avenger.txt.
• Please post this log, along with the contents of C:\Combofix.txt, and a new HijackThis log in your next reply.
-- ============ MS-MVP 2004 - -2008, ASAP Member Users Helping Users
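The two scripts above are written by hand from the ComboFix "Reg Loading Points" section: the helper reads each bracketed key, notes which DLL it loads, and decides from the pattern (the same eight-letter DLL registered as a BHO, as a ShellExecuteHook and under Winlogon\Notify, plus orphaned BHO registrations whose file is already gone) what goes into File::, RootKit:: and Registry::. The script below is an added example of that triage, not part of this thread and not a ComboFix or Avenger component. It parses ComboFix's key / "name"=value lines, groups them by the DLL each one loads, scores every DLL on the indicators visible in this log, and renders CFScript.txt directives for the flagged ones. The sample log is constructed from lines posted in this thread (the Java entry's size is made up); the four indicators, the "eight random letters in system32" heuristic and the threshold of two are this example's own assumptions, not ComboFix rules.

```python
"""Added example: triage ComboFix 'Reg Loading Points' output for Vundo-style
persistence and render CFScript.txt directives.  Not ComboFix's own code; the
scoring rule and the 'eight random letters' heuristic are assumptions."""
import re
from collections import defaultdict

# Constructed sample in ComboFix's format, modelled on the log in this thread.
# ComboFix prints 'date time size' only for files it could stat, so an entry
# without that prefix is a registration whose DLL is no longer on disk.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5151A2EB-5137-4E7F-A3A9-4DA55AE5EDF6}] C:\WINDOWS\system32\vtUkjKBT.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}] 2008-03-25 04:28 509328 --a------ C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1A64443-6FCA-41CE-8D51-5F8991257555}] 2008-05-24 22:25 26384 --a------ C:\WINDOWS\system32\vtUkjGXp.dll
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B1A64443-6FCA-41CE-8D51-5F8991257555}"= C:\WINDOWS\system32\vtUkjGXp.dll [2008-05-24 22:25 26384]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUkjGXp] vtUkjGXp.dll 2008-05-24 22:25 26384 C:\WINDOWS\SYSTEM32\vtUkjGXp.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BM1f780ef0"=Rundll32.exe "C:\WINDOWS\system32\dwrdhqsm.dll",s
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*(?P<rest>.*)$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<rest>.*)$')
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]\r\n]+?\.dll', re.IGNORECASE)
STAMP_RE = re.compile(r'\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+')
RANDOM_DLL = re.compile(r'^[a-z]{8}\.dll$', re.IGNORECASE)   # heuristic, not a rule
GLOBAL_HOOKS = ('shellexecutehooks', 'winlogon_notify')


def classify(key):
    """Map a registry key to the autostart mechanism behind it."""
    k = key.lower()
    if 'browser helper objects' in k:
        return 'bho'                 # loaded into every Internet Explorer process
    if 'shellexecutehooks' in k:
        return 'shellexecutehooks'   # loaded into explorer.exe and any ShellExecute caller
    if 'winlogon\\notify' in k:
        return 'winlogon_notify'     # loaded into winlogon.exe as SYSTEM, before logon
    if 'currentversion\\run' in k:
        return 'run'                 # Run / Run- (msconfig-disabled) startup value
    return 'other'


def parse_loading_points(text):
    """One record per registry entry that references a DLL."""
    entries, key = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key, rest = m.group('key'), m.group('rest')
        elif line and key is not None:
            rest = line                      # a "name"=value line under the current key
        else:
            continue
        name = None
        v = VALUE_RE.match(rest)
        if v:
            name, rest = v.group('name'), v.group('rest')
        for path in PATH_RE.findall(rest):
            entries.append({'key': key, 'category': classify(key), 'value': name,
                            'dll': path, 'file_seen': bool(STAMP_RE.search(rest))})
    return entries


def looks_random(path):
    folder, _, name = path.lower().rpartition('\\')
    return folder.endswith('\\system32') and RANDOM_DLL.match(name) is not None


def triage(text):
    """Score each DLL; every indicator below recurs in the thread's own log."""
    by_dll = defaultdict(list)
    for e in parse_loading_points(text):
        by_dll[e['dll'].lower()].append(e)
    verdicts = {}
    for dll, hits in by_dll.items():
        reasons = []
        if looks_random(dll):
            reasons.append('eight-letter random name in system32')
        if len(hits) > 1:
            reasons.append('registered at %d loading points' % len(hits))
        if any(h['category'] in GLOBAL_HOOKS for h in hits):
            reasons.append('global hook into explorer.exe / winlogon.exe')
        if not any(h['file_seen'] for h in hits):
            reasons.append('orphaned: registered, but no file on disk')
        verdicts[dll] = {'score': len(reasons), 'reasons': reasons, 'hits': hits}
    return verdicts


def build_cfscript(verdicts, threshold=2):
    """Render the CFScript.txt directives used in this thread for flagged DLLs."""
    files, rootkit, keys, values = [], [], [], {}

    def add(lst, item):
        if item not in lst:
            lst.append(item)

    for v in verdicts.values():
        if v['score'] < threshold:
            continue
        for h in v['hits']:
            if h['file_seen']:     # a DLL mapped into winlogon.exe needs the kernel-mode delete
                add(rootkit if h['category'] == 'winlogon_notify' else files, h['dll'])
            if h['category'] in ('bho', 'winlogon_notify'):
                add(keys, '[-%s]' % h['key'])
            elif h['value'] is not None:
                add(values.setdefault(h['key'], []), h['value'])
    registry = list(keys)
    for key, names in values.items():
        registry += ['[%s]' % key] + ['"%s"=-' % n for n in names]
    out = ['KILLALL::', '']
    for heading, items in (('File::', files), ('RootKit::', rootkit), ('Registry::', registry)):
        if items:
            out += [heading] + items + ['']
    return '\n'.join(out)


if __name__ == '__main__':
    verdicts = triage(SAMPLE_LOG)
    for dll, v in verdicts.items():
        print('%d  %s  %s' % (v['score'], dll, '; '.join(v['reasons'])))
    print(build_cfscript(verdicts))
```

On the sample, vtUkjGXp.dll scores three (random name, three loading points, global hook) and lands in File::, RootKit:: and Registry::, exactly as the helper wrote it; the orphaned vtUkjKBT.dll and the msconfig-disabled dwrdhqsm.dll get their keys and values removed but no File:: line, since there is nothing on disk to delete; the Java ssv.dll BHO scores zero and is left alone. That last point is why the scoring leans on loading-point behaviour rather than on unfamiliar names, and a real run still wants the helper to read the output before any of it goes into CFScript.txt.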
shiftergreen
| This seemed to go smoothly. Logs follow:
Logfile of The Avenger Version 2.0, (c) by Swandog46 »swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully. Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active. No rootkits found!
Error: file "C:\WINDOWS\SYSTEM32\vtUkjGXp.dll" not found! Deletion of file "C:\WINDOWS\SYSTEM32\vtUkjGXp.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "C:\WINDOWS\system32\dwrdhqsm.dll" not found! Deletion of file "C:\WINDOWS\system32\dwrdhqsm.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{5151A2EB-5137-4E7F-A3A9-4DA55AE5EDF6}]" not found! Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{5151A2EB-5137-4E7F-A3A9-4DA55AE5EDF6}]" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{5A2898A3-C4D3-4763-8691-7776DA4E6EFF}]" not found! Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{5A2898A3-C4D3-4763-8691-7776DA4E6EFF}]" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{71837F80-0C9D-47C3-9C48-908879BE2535}]" not found! Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{71837F80-0C9D-47C3-9C48-908879BE2535}]" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{7DEF7CDF-064A-44D4-A187-CEA285CC6A5E}]" not found! Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{7DEF7CDF-064A-44D4-A187-CEA285CC6A5E}]" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{B1A64443-6FCA-41CE-8D51-5F8991257555}]" not found! Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{B1A64443-6FCA-41CE-8D51-5F8991257555}]" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{B7B62A95-2022-4E6C-8F9A-F0A07D47ACA0}]" not found! Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{B7B62A95-2022-4E6C-8F9A-F0A07D47ACA0}]" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{BFF194FD-F382-4E15-B97B-090177D92682}]" not found! Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{BFF194FD-F382-4E15-B97B-090177D92682}]" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MSSOverlay" not found! Deletion of registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MSSOverlay" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUkjGXp" not found! Deletion of registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUkjGXp" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: could not delete registry value "hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks|{B1A64443-6FCA-41CE-8D51-5F8991257555}" Deletion of registry value "hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks|{B1A64443-6FCA-41CE-8D51-5F8991257555}" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: could not delete registry value "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-|SystemErrorFixer" Deletion of registry value "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-|SystemErrorFixer" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: could not delete registry value "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-|cwriter" Deletion of registry value "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-|cwriter" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: could not delete registry value "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-|BM1f780ef0" Deletion of registry value "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-|BM1f780ef0" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Completed script processing.
ComboFix 08-05-29.1 - Craig 2008-05-30 10:30:51.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1602 [GMT -7:00]
Running from: C:\Documents and Settings\Craig\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Craig\Desktop\CFscript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\dwrdhqsm.dll
C:\WINDOWS\SYSTEM32\vtUkjGXp.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\SYSTEM32\vtUkjGXp.dll
. ((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 ))))))))))))))))))))))))))))))) .
2008-05-29 10:35 . 2008-05-29 10:35 d-------- C:\Documents and Settings\Craig\Application Data\Malwarebytes
2008-05-29 10:35 . 2008-05-29 10:35 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-29 10:35 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-05-29 10:35 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-05-28 15:57 . 2008-05-28 15:51 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-28 15:57 . 2008-05-28 15:57 2,543 --a------ C:\WINDOWS\unins000.dat
2008-05-27 23:41 . 2008-05-30 10:14 dr-h----- C:\$VAULT$.AVG
2008-05-27 19:35 . 2008-05-27 19:45 d-------- C:\Program Files\EsetOnlineScanner
2008-05-27 19:22 . 2008-05-27 19:22 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-27 17:33 . 2008-05-27 17:33 d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-27 16:22 . 2008-05-27 16:22 d-------- C:\VundoFix Backups
2008-05-27 16:12 . 2008-05-27 16:12 d-------- C:\Documents and Settings\Craig\Application Data\Talkback
2008-05-27 15:54 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-05-27 15:53 . 2008-05-27 15:54 d-------- C:\Program Files\Java
2008-05-27 15:53 . 2008-05-27 15:53 d-------- C:\Program Files\Common Files\Java
2008-05-27 10:14 . 2008-05-27 18:18 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-27 10:08 . 2008-05-27 19:23 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-26 08:04 . 2004-10-07 14:39 89,088 --a------ C:\WINDOWS\SYSTEM32\atl71.dll
2008-05-24 22:25 . 2008-05-25 09:11 d-------- C:\WINDOWS\SYSTEM32\vntiho06
2008-05-24 22:25 . 2008-05-27 11:21 d-------- C:\Temp
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\SYSTEM32\lsdelete.exe
2008-04-29 11:20 . 2008-04-29 11:20 15,648 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\NSDriver.sys
2008-04-29 11:19 . 2008-04-29 11:19 15,648 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Awrtrd.sys
2008-04-29 11:19 . 2008-04-29 11:19 12,960 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Awrtpd.sys
2008-04-14 12:33 . 2008-04-14 12:33 568 --a------ C:\WINDOWS\HCWPNP.INI
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 17:09 --------- d-----w C:\Documents and Settings\Craig\Application Data\AVG7
2008-05-27 23:35 --------- d-----w C:\Program Files\Google
2008-05-27 22:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-27 22:24 --------- d-----w C:\Program Files\Kaiser
2008-05-27 15:13 --------- d-----w C:\Program Files\Brother
2008-05-27 15:12 --------- d-----w C:\Program Files\Common Files\InstallShield
.
((((((((((((((((((((((((((((( snapshot@2008-05-29_11.15.29.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-29 18:08:51 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-05-30 17:36:00 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
- 2008-05-29 18:12:38 214,474 ----a-w C:\WINDOWS\SYSTEM32\INETSRV\MetaBase.bin
+ 2008-05-30 17:36:13 214,477 ----a-w C:\WINDOWS\SYSTEM32\INETSRV\MetaBase.bin
+ 2008-05-30 17:36:11 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_1d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-08-21 17:04 155648] "bacstray"="BacsTray.exe" [2003-05-14 17:37 98304 C:\WINDOWS\SYSTEM32\BacsTray.exe] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 20:00 335872] "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 10:43 53248] "DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 00:01 86016] "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 00:01 110592] "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 00:05 122939] "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-01-11 11:51 26112] "DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 19:05 323584] "mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-10-08 09:49 53248] "iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2004-06-04 13:38 286720] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-23 19:53 98304] "MaxBackSchedule"="C:\Program Files\Maxtor\Maxtor Quick Start\maxbackservice.exe" [2005-10-06 11:22 172032] "mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-06 10:22 57344] "mssSort"="C:\Program Files\Maxtor\Maxtor Quick Start\msssort.exe" [2005-07-15 15:29 1335296] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-19 11:22 579584] "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 11:22 155648] "PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 15:25 57393] "IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 15:45 40960] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 09:56 219136]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-07-30 01:52:00 217195] Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-01-23 10:54:28 113664] Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-01-11 11:31:51 24576] Kaiser VPN Client.lnk.disabled [2005-02-04 12:45:11 1798] NkvMon.exe.lnk - D:\Program Files\Nikon\View6\NkvMon.exe [2005-01-22 14:58:05 233472]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.NTN1"= nuvision.ax
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SBI"=C:\Documents and Settings\Craig\Local Settings\Temporary Internet Files\Content.IE5\0LKRO7SZ\setup_sbd_en[1].exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"= "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"= "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"= "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"= "D:\\Program Files\\iTunes\\iTunes.exe"= "C:\\Program Files\\Dell Inc\\Dell Picture Studio v3.0\\launch.exe"= "C:\\WINDOWS\\SYSTEM32\\MMC.EXE"= "C:\\Program Files\\Microsoft Money\\System\\msmoney.exe"= "C:\\Program Files\\Maxtor\\Maxtor Quick Start\\mssManager.exe"= "C:\\WINDOWS\\system32\\sessmgr.exe"= "C:\\Program Files\\Messenger\\MSMSGS.EXE"=
R2 HAICommSrv;Web-Link Service;C:\Program Files\HAI\Web-Link\HAICOMMSRV.EXE [2007-03-12 21:50] S3 NuVision;Hauppauge WinTV USB Pro (NTSC);C:\WINDOWS\system32\DRIVERS\NUVision.sys [2003-04-30 12:59]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f8ef208-76e7-11d9-81c9-0011436598d9}] \Shell\AutoRun\command - F:\JDSecure\Windows\JDSecure20.exe
. Contents of the 'Scheduled Tasks' folder "2008-05-30 17:39:11 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - D:\Program Files\Windows Defender\MpCmdRun.exe . **************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net Rootkit scan 2008-05-30 10:36:36 Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully hidden files: 0
************************************************************************** . --------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\SYSTEM32\brss01a.exe
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\SYSTEM32\INETSRV\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Apoint\ApntEx.exe
D:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SYSTEM32\WBEM\WMIAPSRV.EXE
.
**************************************************************************
.
Completion time: 2008-05-30 10:40:37 - machine was rebooted [Craig]
ComboFix-quarantined-files.txt 2008-05-30 17:40:35
ComboFix2.txt 2008-05-30 04:28:56
ComboFix3.txt 2008-05-29 18:16:15
Pre-Run: 15,056,883,712 bytes free Post-Run: 15,041,032,192 bytes free
163 --- E O F --- 2008-05-30 14:16:16
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:04 AM, on 5/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\HAI\Web-Link\HAICOMMSRV.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Maxtor\Maxtor Quick Start\maxbackservice.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Maxtor\Maxtor Quick Start\msssort.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
D:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
D:\Program Files\Nikon\View6\NkvMon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Craig\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »my.myway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MaxBackSchedule] C:\Program Files\Maxtor\Maxtor Quick Start\maxbackservice.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [mssSort] C:\Program Files\Maxtor\Maxtor Quick Start\msssort.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kaiser VPN Client.lnk.disabled
O4 - Global Startup: NkvMon.exe.lnk = D:\Program Files\Nikon\View6\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/OnlineScanner.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Web-Link Service (HAICommSrv) - Home Automation, Inc. - C:\Program Files\HAI\Web-Link\HAICOMMSRV.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
-- End of file - 8432 bytes
Will await additional instructions...THANKS!
| |
bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD
| reply to shiftergreen
Once we had Combofix remove the protecting driver service, that last infector was fairly easily removed.
We are finished.
Open Acrobat if you have the Full Version installed. Click Help and run the Upgrade applet found there. If no update is offered: use the Preferences, Internet submenu of Acrobat and uncheck to integrate with your Browser. Close Acrobat. Whether you had the Full Version of Acrobat or not, download and install Adobe Reader 8.1.1 and use this as the integrated PDF Reader inside your browser: »www.adobe.com/products/acrobat/r···ep2.html
Clean-up & Prevention:
• Right click "My Computer", Properties, and then click the System Restore tab. Checkmark the box at the top to stop System Restore on all drives. Click the "Apply" button. Agree to the deletion of old Restore Points. Then uncheck the box at the top and again click the "Apply" button. Finally, click the "OK" button. This will create a new Restore Point reflecting your clean system state.
• Click Start, then click Run. Enter into the command box that opens: combofix /u and then click OK. (If we have renamed this file, please use the current name for the program in this instruction.) 
• Please download OTMoveIt2 by OldTimer to your Desktop (only):
• Please double-click OTMoveIt.exe to run it.
• Click on the green CleanUp! button. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
• After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select "Yes".
• This step removes the files, folders, and shortcuts created by the tools I had you download and run.
• Run ATF Cleaner , and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish.
• Use Control Panel, Add or Remove Programs, and Uninstall any entry related to an On-Line scanner we may have used. If you find any files or folders created during this cleanup operation remaining, please feel free to delete them.
• Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.
• If I asked you to Disable something like TeaTimer or another malware blocker, please go ahead and re-enable them if you wish.
• Download and Install Windows Defender by Microsoft (free):
• Download and install Comodo BOClean (free):
• Download, install, and keep updated Spyware Blaster (free):
• Refer to my first set of instructions above, and reconfigure Hidden Files and Folders to your choosing.
Best wishes. Bill Castner
-- ============ MS-MVP 2004 - -2008, ASAP Member Users Helping Users
| |  shiftergreen
join:2008-05-28
| THANK YOU for your help and patience. Am in progress of completing the above recommendations. I feel as if I have just exited a doctor's office having been cured of an unpleasant, arcane malady. I am curious to know what "I had" and, possibly, how I got it. Why didn't AVG identify it and why, when AVG was telling me I had a Vundo infestation did Vundo Scanner come up clean multiple times? I am sure you could write a book...several books. It has been an interesting and educational experience. Thanks again for guiding me through (very) unfamiliar territory.
Sadder but Wiser.
| |
bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD
| You had several Vundo forms, the hardest to remove was a variant usually called "SPYADS". It uses some rootkit techniques to make its removal more troublesome than regular Vundo.
Vundo morphs all the time. That is why general purpose Vundo scanners often miss quite a bit of it. And, Vundo if you just delete files, just rebuilds itself aggressively; the case with your infection.
Vundo comes from many sources. Viewing Flash videos and banner ads on web pages is one of the more common ways.
Best wishes, Bill Castner -- ============ MS-MVP 2004 - -2008, ASAP Member Users Helping Users
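Added example, not from the thread or from HijackThis, Combofix or Spybot: a small Python triage for the "O2 - BHO:" lines of a HijackThis log. It flags the pattern Bill describes, an unnamed BHO whose DLL is eight letters of jumbled case sitting in system32, and notes when HJT reports the file missing (either an AV already deleted the DLL and left the CLSID registered, or a rootkit component is hiding it, which is why the protecting driver had to go first). It also diffs two logs, so a CLSID that reappears after a "clean" scan shows up as Vundo rebuilding itself. The two legitimate entries in the sample are copied from the log above; the three Vundo-like CLSIDs and DLL names, and the log text as a whole, are constructed for this example.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Added example, not code from the thread or from HijackThis/Combofix/Spybot.
# Parses the "O2 - BHO:" lines of a HijackThis log and flags the Vundo pattern.
# The Vundo-like CLSIDs, DLL names and log text below are constructed.


class Bho(NamedTuple):
    name: str
    clsid: str
    path: str
    status: Optional[str]  # "file missing", "no file", or None when HJT found the file


# O2 - BHO: <name> - {CLSID} - <path> [(file missing)]   or   ... - (no file)
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)\s*(?:\((?P<status>file missing|no file)\))?\s*$"
)
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\", re.IGNORECASE)


def parse_bhos(log: str) -> List[Bho]:
    """Every O2 entry in the log, in order; all other HJT sections are ignored."""
    entries = []
    for line in log.splitlines():
        m = BHO_RE.match(line.strip())
        if m:
            entries.append(Bho(m["name"], m["clsid"].upper(), m["path"], m["status"]))
    return entries


def _case_transitions(s: str) -> int:
    return sum(1 for a, b in zip(s, s[1:]) if a.isupper() != b.isupper())


def looks_random(path: str) -> bool:
    """Vundo-style file name: eight letters in jumbled case, living in system32."""
    if not SYSTEM32_RE.match(path):
        return False
    base, _, ext = path.rsplit("\\", 1)[-1].rpartition(".")
    return (ext.lower() == "dll" and len(base) == 8 and base.isalpha()
            and _case_transitions(base) >= 3)


def triage_bho(b: Bho) -> List[str]:
    """Reasons to remove this BHO; an empty list means nothing looked wrong."""
    reasons = []
    if b.name == "(no name)":
        reasons.append("no display name")
    if b.status is not None:
        # Caveat: "file missing" only means HJT could not see the DLL. Either an AV
        # already deleted it and left the CLSID registered, or a rootkit component
        # is hiding it; the registration has to go either way.
        reasons.append("registered file missing")
    if looks_random(b.path):
        reasons.append("random eight-letter DLL name in system32")
    return reasons


def triage(log: str) -> Dict[str, List[str]]:
    """CLSID -> reasons, for every BHO that trips at least one heuristic."""
    findings = {}
    for b in parse_bhos(log):
        reasons = triage_bho(b)
        if reasons:
            findings[b.clsid] = reasons
    return findings


def compare_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """(CLSIDs gone since `before`, CLSIDs new in `after`). Anything in the second
    list right after a clean scan is the rebuild behaviour described above."""
    old = [b.clsid for b in parse_bhos(before)]
    new = [b.clsid for b in parse_bhos(after)]
    return [c for c in old if c not in new], [c for c in new if c not in old]


# Constructed sample logs: two legitimate BHOs plus three Vundo-like entries.
INFECTED_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\system32\qwLpMxKz.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {66666666-7777-8888-9999-AAAAAAAAAAAA} - C:\WINDOWS\system32\hgFdSaPo.dll (file missing)
O2 - BHO: (no name) - {BBBBBBBB-CCCC-DDDD-EEEE-FFFFFFFFFFFF} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

CLEAN_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
"""

if __name__ == "__main__":
    for clsid, reasons in triage(INFECTED_LOG).items():
        print(clsid, "->", "; ".join(reasons))
    removed, returned = compare_logs(INFECTED_LOG, CLEAN_LOG)
    print("removed:", removed, "new:", returned)
```

Run it against the "after" log from a second scan as well as the "before" one: an empty `triage()` result plus an empty second list from `compare_logs()` is the point where the thread above stopped, while a fresh random-named CLSID in that second list is the reinfection shiftergreen kept seeing before the driver was removed. The name heuristic is deliberately narrow (eight alphabetic characters with at least three case changes, under system32), so a legitimately named helper such as SDHelper.dll or Shdocvw.dll does not trip it.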
| |  shiftergreen
join:2008-05-28
| All of your recommendations have been implemented and it seems that my machine is back to normal. There have been no further signs of extant malware over the past 24 hours. I know that you folks that staff this website do so on a volunteer basis and you should know how much your presence and service is appreciated by someone like me. Without your guidance I would never have threaded my way through the steps required to clean my system. More aware and better protected, I hope that I will not require your help again but it is reassuring to know that you are available.
Again, a MOST SINCERE THANK YOU!