Tweaks.com Forum / Windows & System Security / HiJack This Logs / Firefox Hangs & Various Programs Will Not Update (Trojan Infection) / Latest Posts

RE: Firefox Hangs & Various Programs Will Not Update (Trojan Infection)

RichieUK — Mon, 07 Jul 2008 15:21:25 GMT

Your log is clean:)
You should now take the time to read and follow the information found in the links below,to help you prevent any possible future infections and stay safe and secure while online:

[b][color="blue"]Simple and easy ways to keep your computer safe and secure on the Internet[/color][/b]:
[url]http://www.bleepingcomputer.com/tutorials/tutorial82.html[/url]

[b][color="blue"]How to prevent Malware[/color][/b]:
[url]http://users.telenet.be/bluepatchy/miekiemoes/prevention.html[/url]

[B][color="blue"]So how did I get infected in the first place[/color][/B]:
[URL]http://forums.spybot.info/showthread.php?t=279[/URL]

[B][color="blue"]Malware Cleanup Programs and Preventative Procedures[/color][/B]:
[URL]http://russelltexas.com/malware/allclear.htm[/URL]

[B][color="blue"]How to Set Security Options in the Firefox Browser[/color][/B]:
[URL]http://websearch.about.com/od/firefox/ss/firefoxoptions.htm[/URL]

[B][color="blue"]Internet Explorer 7 Desktop Security Guide[/color][/B]:
[URL]http://www.microsoft.com/downloads/details.aspx?FamilyID=6aa4c1da-6021-468e-a8cf-af4afe4c84b2&DisplayLang=en[/URL]

[B][color="blue"]Working with Internet Explorer 6 Security Settings[/color][/B]:
[URL]http://www.microsoft.com/windows/ie/ie6/using/howto/security/settings.mspx[/URL]

[b][color="blue"]Hardening Windows Security - Part 1[/color][/b]:
[url]http://www.malwarehelp.org/Malware-Prevention-Hardening-Windows-Security1.html[/url]

[b][color="blue"]Hardening Windows Security - Part 2[/color][/b]:
[url]http://www.malwarehelp.org/malware-prevention-hardening-windows-security2.html[/url]

RE: Firefox Hangs & Various Programs Will Not Update (Trojan Infection)

knight1fox3 — Mon, 07 Jul 2008 13:35:58 GMT

The Autoplay Repair Wizard fixed the autoplay issues I was having. Thank you for all your help once again RichieUK.

RE: Firefox Hangs & Various Programs Will Not Update (Trojan Infection)

RichieUK — Thu, 03 Jul 2008 02:40:51 GMT

Download and run the [b]Autoplay Repair Wizard[/b].
The Microsoft AutoPlay Repair Wizard scans your computer devices to find defective AutoPlay settings, and attempts to fix those it finds.
[url]http://www.microsoft.com/downloads/details.aspx?FamilyID=c680a7b6-e8fa-45c4-a171-1b389cfacdad&displaylang=en[/url]

If the above didn't help,double click on the registry backup file you created earlier when running CCleaner and agree to merge the imformation into the registry.
[b]Restart your pc[/b].
Now see if Autoplay now works correctly as it did before running these programs.
Now you [b]must[/b] run Malwarebytes Anti-Malware again with you restoring the registry.

Let me know how you get on.

RE: Firefox Hangs & Various Programs Will Not Update (Trojan Infection)

knight1fox3 — Wed, 02 Jul 2008 23:07:47 GMT

[b]MBAM Log:[/b]

Malwarebytes' Anti-Malware 1.19
Database version: 916
Windows 5.1.2600 Service Pack 2

7:43:25 PM 7/2/2008
mbam-log-7-2-2008 (19-43-25).txt

Scan type: Quick Scan
Objects scanned: 37914
Time elapsed: 4 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultUrl (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\824223 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beau Venne\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beau Venne\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beau Venne\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.

[b]New Hijackthis Log:[/b]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:34 PM, on 7/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (14.0)) - file:///D:/LTOCX14N.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 3794 bytes

Computer and Firefox is running great. The websites I couldn't access before I now can. Program updates are working as well. The only minor thing I noticed is that when I pop a CD in or a flash drive, I don't get the "What would you like to do prompt" for the Autoplay. I've checked the Autoplay properties and the "always prompt" is checked. This is very minor though. I'm just glad I am able to access the websites I couldn't before. Thanks for all your help RichieUK.

RE: Firefox Hangs & Various Programs Will Not Update (Trojan Infection)

RichieUK — Wed, 02 Jul 2008 03:11:45 GMT

Click on Start/Run,copy and paste [b]ComboFix /u[/b] into the '[u]O[/u]pen:' space,then press OK [see image below]
This will uninstall Combofix,delete its related folders and files,reset your clock settings,hide file extensions,hide the system/hidden files and resets System Restore.

[IMG]http://img.photobucket.com/albums/v624/29wood/comu.gif[/IMG]

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
[b]R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
O8 - Extra context menu item: &Search - ?p=ZKfox000[/b]

Find and delete:
C:\WINDOWS\system32\[b]247880[/b]

Download and scan with [b][color="red"]CCleaner[/color][/b]:
[url]http://www.ccleaner.com/download/builds[/url]
1. Starting with v1.27.260, CCleaner started installing the [b]Yahoo Toolbar[/b] as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free 'Slim' version instead of the Standard Build.

2. Before first use, select Options > Advanced and UNCHECK [b]"Only delete files in Windows Temp folder older than 48 hours"[/b]

3. Then select the items you wish to clean up.

[b]In the Windows Tab:[/b]
* Clean all entries in the "Internet Explorer" section except Cookies.
* Clean all the entries in the "Windows Explorer" section.
* Clean all entries in the "System" section.
* Clean all entries in the "Advanced" section.
* Clean any others that you choose.

[b]In the Applications Tab:[/b]
* Clean all except cookies in the Firefox/Mozilla section if you use it.
* Clean all in the Opera section if you use it.
* Clean Sun Java in the Internet Section.
* Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.

* Now click on the '[b]Registry[/b]' tab/button on the left.
* Then click on the 'Scan for issues' button at the bottom.
* If CCleaner displays any issues,click on 'Fix selected issues'.
* You'll then be asked 'Do you want to backup changes to the registry',you [b]must[/b] click '[b]YES[/b]'.
* Save the backup somewhere safe,your desktop is a good a place as any.
* Then click 'Fix Issues',then click 'Close'.
* Exit CCleaner.

Please download [b][color="red"]Malwarebytes Anti-Malware[/color][/b]:
[url]http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html[/url]
[url]http://www.besttechie.net/tools/mbam-setup.exe[/url]

Double Click mbam-setup.exe to install the application.
(If using Windows Vista,be sure to [b][url=http://windowshelp.microsoft.com/Windows/en-US/Help/fb464905-31d5-4427-89a2-ed5322327fc21033.mspx][color="blue"]"Run As Administrator"[/color][/url][/b]).

* Make sure a checkmark is placed next to [b]Update Malwarebytes' Anti-Malware[/b] and [b]Launch Malwarebytes' Anti-Malware[/b], then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* [b]Copy and paste the entire report into your next reply[/b].

Extra Note:
[b][color="green"]If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.[/color][/b]

[b]Also post a new Hijackthis log,let me know how your pc is running now.[/b]

RE: Firefox Hangs & Various Programs Will Not Update (Trojan Infection)

knight1fox3 — Tue, 01 Jul 2008 21:56:08 GMT

Here you go and thanks again for the assistance:

[b]New ComboFix Log:[/b]

ComboFix 08-06-30.2 - ********** 2008-07-01 21:38:22.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1089 [GMT -5:00]
Running from: C:\Documents and Settings\**********\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\**********\Desktop\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\WINDOWS\bcmwltrytmp.reg
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM9b97b920.txt
C:\WINDOWS\system32\atikvmag.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.

2008-06-27 22:29 . 2008-06-27 22:29d--------C:\Program Files\SUPERAntiSpyware
2008-06-27 22:29 . 2008-06-27 22:29d--------C:\Documents and Settings\**********\Application Data\SUPERAntiSpyware.com
2008-06-27 22:29 . 2008-06-27 22:29d--------C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-27 21:59 . 2008-06-27 21:59d--------C:\Program Files\Trend Micro
2008-06-25 20:24 . 2008-06-25 21:59d--------C:\Program Files\XoftSpySE
2008-06-24 22:17 . 2008-06-24 22:17230--a------C:\WINDOWS\system32\spupdsvc.inf
2008-06-24 22:15 . 2008-06-25 18:321,374--a------C:\WINDOWS\imsins.BAK
2008-06-24 21:34 . 2008-07-01 21:43847,904--ahs----C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-24 21:34 . 2008-07-01 21:4010,916--ahs----C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-24 21:27 . 2008-06-24 21:27d--------C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-06-24 21:27 . 2008-06-24 21:294,212---h-----C:\WINDOWS\system32\zllictbl.dat
2008-06-24 21:26 . 2008-04-02 20:0775,248--a------C:\WINDOWS\zllsputility.exe
2008-06-24 21:26 . 2004-04-27 04:4011,264--a------C:\WINDOWS\system32\SpOrder.dll
2008-06-24 21:25 . 2008-06-24 21:26d--------C:\WINDOWS\system32\ZoneLabs
2008-06-24 21:25 . 2008-06-24 21:25d--------C:\Program Files\Zone Labs
2008-06-24 21:25 . 2008-04-02 20:071,086,952--a------C:\WINDOWS\system32\zpeng24.dll
2008-06-24 21:25 . 2008-07-01 21:43352,918--a------C:\WINDOWS\system32\vsconfig.xml
2008-06-24 21:22 . 2008-07-01 21:43d--------C:\WINDOWS\Internet Logs
2008-06-22 11:24 . 2008-06-24 20:59d--------C:\Program Files\Piolet
2008-06-22 11:24 . 2008-06-22 11:24662,288--a------C:\WINDOWS\system32\MSCOMCT2.OCX
2008-06-22 11:24 . 2008-06-22 11:24416,528--a------C:\WINDOWS\system32\COMCT332.OCX
2008-06-22 11:24 . 2008-06-22 11:24152,848--a------C:\WINDOWS\system32\COMDLG32.OCX
2008-06-22 11:24 . 2008-06-22 11:24132,880--a------C:\WINDOWS\system32\MSINET.OCX
2008-06-22 11:24 . 2008-06-22 11:24124,688--a------C:\WINDOWS\system32\MSWINSCK.OCX
2008-06-22 10:42 . 2008-06-22 13:35d--------C:\Program Files\Spybot - Search & Destroy
2008-06-22 10:36 . 2008-06-28 13:06d--h-----C:\$AVG8.VAULT$
2008-06-22 10:14 . 2008-06-24 19:24d--------C:\WINDOWS\system32\drivers\Avg
2008-06-22 10:14 . 2008-06-22 10:1496,520--a------C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-22 10:14 . 2008-06-22 10:1475,272--a------C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-22 10:14 . 2008-06-22 10:1410,520--a------C:\WINDOWS\system32\avgrsstx.dll
2008-06-22 10:13 . 2008-06-22 13:35d--------C:\Program Files\AVG
2008-06-22 10:13 . 2008-06-22 13:35d--------C:\Documents and Settings\All Users\Application Data\avg8
2008-06-19 03:02 . 2008-06-19 03:02118--a------C:\WINDOWS\system32\MRT.INI
2008-06-18 03:52 . 2008-06-13 08:10272,128---------C:\WINDOWS\system32\drivers\bthport.sys
2008-06-18 03:52 . 2008-06-13 08:10272,128-----c---C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-08 09:20 . 2008-06-22 13:35d--------C:\WINDOWS\system32\247880

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-28 03:29---------d-----wC:\Program Files\Common Files\Wise Installation Wizard
2008-06-25 03:15---------d-----wC:\Program Files\Google
2008-06-25 02:59---------d-----wC:\Documents and Settings\**********\Application Data\Apple Computer
2008-06-25 01:54---------d-----wC:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-22 16:241,376,528----a-wC:\WINDOWS\system32\msvbvm60.dll
2008-05-29 09:000----a-wC:\Program Files\uninstall.dat
2008-05-08 12:28202,752----a-wC:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:181,287,680----a-wC:\WINDOWS\system32\quartz.dll
2008-04-21 07:04659,456----a-wC:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-06-30_20.34.21.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-01 01:31:272,048--s-a-wC:\WINDOWS\bootstat.dat
+ 2008-07-02 02:41:442,048--s-a-wC:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-22 10:14 1177368]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-28 22:05 344064]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
-ra------ 2000-10-16 10:37 32768 C:\WINDOWS\system32\rmctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2005-03-01 16:52 1695744 C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-05-28 10:33 1506544 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 18:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
--a------ 2008-04-02 20:07 919016 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\Piolet\\piolet.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-22 10:14]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-22 10:14]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-22 10:13]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-22 10:14]

.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Broadcom Wireless Manager UI - C:\WINDOWS\system32\WLTRAY
MSConfigStartUp-swg - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 21:42:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\WLTRAY.EXE
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-07-01 21:45:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-02 02:45:29
ComboFix2.txt 2008-07-01 01:34:52

Pre-Run: 43,476,889,600 bytes free
Post-Run: 43,453,673,472 bytes free

156--- E O F ---2008-06-25 23:33:08

[b]New Hijackthis Log:[/b]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:43 PM, on 7/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - ?p=ZKfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (14.0)) - file:///D:/LTOCX14N.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 4008 bytes

RE: Firefox Hangs & Various Programs Will Not Update (Trojan Infection)

RichieUK — Tue, 01 Jul 2008 01:51:05 GMT

[url=http://www.webmasternow.com/copyandpaste.html][color="blue"]Copy and paste[/color][/url] ALL the following text in the code box below into [b]Notepad[/b].
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: [b]CFScript[/b] to your desktop.

[quote]KILLALL::

File::
C:\WINDOWS\bcmwltrytmp.reg

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46069f17-adcc-4ebf-95e7-a3fd42c155bc}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkHWQKb]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\98a48abc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM9b97b920]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor][/quote]
Now drag then drop the [b]CFScript[/b] file onto [b]ComboFix.exe[/b] as seen in the image below.

[img]http://img.photobucket.com/albums/v624/29wood/CFScript.gif[/img]

This will start ComboFix again.
After reboot, (in case it asks to reboot), [b]post the contents of Combofix.txt in your next reply along with a new HijackThis log.[/b]

RE: Firefox Hangs & Various Programs Will Not Update (Trojan Infection)

knight1fox3 — Mon, 30 Jun 2008 21:35:35 GMT

Thanks for the help RichieUK. Here is what you requested:

ComboFix 08-06-20.4 - ********** 2008-06-30 20:21:03.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1084 [GMT -5:00]
Running from: C:\Documents and Settings\**********\desktop\combofix.exe
Command switches used :: /killall

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM9b97b920.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cdeddfhk.ini
C:\WINDOWS\system32\cdeddfhk.ini2
C:\WINDOWS\system32\dmjfibcq.dll
C:\WINDOWS\system32\evdfyjjw.dll
C:\WINDOWS\system32\hivotuon.dll
C:\WINDOWS\system32\jfistyia.ini
C:\WINDOWS\system32\mosbkdcs.dll
C:\WINDOWS\system32\noutovih.ini
C:\WINDOWS\system32\xlusgall.ini
.
---- Previous Run -------
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\mcrh.tmp

.
((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.

2008-06-30 20:33 . 1,893C:\WINDOWS\bcmwltrytmp.reg
2008-06-27 22:29 . 2008-06-27 22:29d--------C:\Program Files\SUPERAntiSpyware
2008-06-27 22:29 . 2008-06-27 22:29d--------C:\Documents and Settings\**********\Application Data\SUPERAntiSpyware.com
2008-06-27 22:29 . 2008-06-27 22:29d--------C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-27 21:59 . 2008-06-27 21:59d--------C:\Program Files\Trend Micro
2008-06-25 20:24 . 2008-06-25 21:59d--------C:\Program Files\XoftSpySE
2008-06-24 22:17 . 2008-06-24 22:17230--a------C:\WINDOWS\system32\spupdsvc.inf
2008-06-24 22:15 . 2008-06-25 18:321,374--a------C:\WINDOWS\imsins.BAK
2008-06-24 21:34 . 2008-06-30 20:33794,656--ahs----C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-24 21:34 . 2008-06-30 20:3010,244--ahs----C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-24 21:27 . 2008-06-24 21:27d--------C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-06-24 21:27 . 2008-06-24 21:294,212---h-----C:\WINDOWS\system32\zllictbl.dat
2008-06-24 21:26 . 2008-04-02 20:0775,248--a------C:\WINDOWS\zllsputility.exe
2008-06-24 21:26 . 2004-04-27 04:4011,264--a------C:\WINDOWS\system32\SpOrder.dll
2008-06-24 21:25 . 2008-06-24 21:26d--------C:\WINDOWS\system32\ZoneLabs
2008-06-24 21:25 . 2008-06-24 21:25d--------C:\Program Files\Zone Labs
2008-06-24 21:25 . 2008-04-02 20:071,086,952--a------C:\WINDOWS\system32\zpeng24.dll
2008-06-24 21:25 . 2008-06-30 20:33352,918--a------C:\WINDOWS\system32\vsconfig.xml
2008-06-24 21:22 . 2008-06-30 20:33d--------C:\WINDOWS\Internet Logs
2008-06-22 11:24 . 2008-06-24 20:59d--------C:\Program Files\Piolet
2008-06-22 11:24 . 2008-06-22 11:24662,288--a------C:\WINDOWS\system32\MSCOMCT2.OCX
2008-06-22 11:24 . 2008-06-22 11:24416,528--a------C:\WINDOWS\system32\COMCT332.OCX
2008-06-22 11:24 . 2008-06-22 11:24152,848--a------C:\WINDOWS\system32\COMDLG32.OCX
2008-06-22 11:24 . 2008-06-22 11:24132,880--a------C:\WINDOWS\system32\MSINET.OCX
2008-06-22 11:24 . 2008-06-22 11:24124,688--a------C:\WINDOWS\system32\MSWINSCK.OCX
2008-06-22 10:42 . 2008-06-22 13:35d--------C:\Program Files\Spybot - Search & Destroy
2008-06-22 10:36 . 2008-06-28 13:06d--h-----C:\$AVG8.VAULT$
2008-06-22 10:14 . 2008-06-24 19:24d--------C:\WINDOWS\system32\drivers\Avg
2008-06-22 10:14 . 2008-06-22 10:1496,520--a------C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-22 10:14 . 2008-06-22 10:1475,272--a------C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-22 10:14 . 2008-06-22 10:1410,520--a------C:\WINDOWS\system32\avgrsstx.dll
2008-06-22 10:13 . 2008-06-22 13:35d--------C:\Program Files\AVG
2008-06-22 10:13 . 2008-06-22 13:35d--------C:\Documents and Settings\All Users\Application Data\avg8
2008-06-19 03:02 . 2008-06-19 03:02118--a------C:\WINDOWS\system32\MRT.INI
2008-06-18 03:52 . 2008-06-13 08:10272,128---------C:\WINDOWS\system32\drivers\bthport.sys
2008-06-18 03:52 . 2008-06-13 08:10272,128-----c---C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-08 09:20 . 2008-06-22 13:35d--------C:\WINDOWS\system32\247880

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-28 03:29---------d-----wC:\Program Files\Common Files\Wise Installation Wizard
2008-06-25 03:15---------d-----wC:\Program Files\Google
2008-06-25 02:59---------d-----wC:\Documents and Settings\**********\Application Data\Apple Computer
2008-06-25 01:54---------d-----wC:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-22 16:241,376,528----a-wC:\WINDOWS\system32\msvbvm60.dll
2008-05-29 09:000----a-wC:\Program Files\uninstall.dat
2008-05-08 12:28202,752----a-wC:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:181,287,680----a-wC:\WINDOWS\system32\quartz.dll
2008-04-21 07:04659,456----a-wC:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46069f17-adcc-4ebf-95e7-a3fd42c155bc}]
C:\WINDOWS\system32\naaenjcx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-22 10:14 1177368]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-28 22:05 344064]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkHWQKb]
jkkHWQKb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\98a48abc]
C:\WINDOWS\system32\hivotuon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM9b97b920]
C:\WINDOWS\system32\dmjfibcq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
-ra------ 2000-10-16 10:37 32768 C:\WINDOWS\system32\rmctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2005-03-01 16:52 1695744 C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-05-28 10:33 1506544 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 18:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
--a------ 2008-04-02 20:07 919016 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\Piolet\\piolet.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-22 10:14]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-22 10:14]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-22 10:13]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-22 10:14]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 20:32:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\WLTRAY.EXE
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-06-30 20:34:51 - machine was rebooted [**********]
ComboFix-quarantined-files.txt 2008-07-01 01:34:44

Pre-Run: 43,329,499,136 bytes free
Post-Run: 43,491,581,952 bytes free

173--- E O F ---2008-06-25 23:33:08

[b]New Hijackthis Log:[/b]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:45:44 PM, on 6/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: {cb551c24-df3a-7e59-fbe4-ccda71f96064} - {46069f17-adcc-4ebf-95e7-a3fd42c155bc} - C:\WINDOWS\system32\naaenjcx.dll (file missing)
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - ?p=ZKfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (14.0)) - file:///D:/LTOCX14N.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: jkkHWQKb - jkkHWQKb.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 4328 bytes

RE: Firefox Hangs & Various Programs Will Not Update (Trojan Infection)

RichieUK — Sun, 29 Jun 2008 11:25:11 GMT

Welcome:)

Download [b][url=http://download.bleepingcomputer.com/sUBs/ComboFix.exe][color="blue"]Combofix[/color][/url][/b] by [b]sUBs[/b] and save to your desktop.
Alternative Combofix download link [b][url=http://subs.geekstogo.com/ComboFix.exe][color="blue"]HERE[/color][/url][/b].
[color="red"][b][u]Note[/u][/b]
It is important that it is saved directly to your desktop[/color]
Close any open browsers.
Click on Start/Run,[url=http://www.webmasternow.com/copyandpaste.html][color="blue"]copy and paste[/color][/url] the following bold text into the '[u]O[/u]pen:' space,then press OK [See image below]:
[b]"%userprofile%\desktop\combofix.exe" /killall[/b]

[IMG]http://img.photobucket.com/albums/v624/29wood/ka.png[/IMG]

Combofix.exe will start,please follow the prompts.
When it's finished it will produce a log.
[b]Post the entire contents of C:\ComboFix.txt into your next reply[/b].
[color="red"][b][u]Note[/u][/b]:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang. [/color]
Do NOT post the ComboFix-quarantined-files.txt unless I ask.
[b]*Note*[/b]
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

[b]Also post a new Hijackthis log please[/b].

Firefox Hangs & Various Programs Will Not Update (Trojan Infection)

knight1fox3 — Sun, 29 Jun 2008 10:41:19 GMT

Greetings,

First off, thank you for the recommendations in the post "READ BEFORE POSTING HIJACK THIS LOGS". I followed the steps and I am still having problems. When launching Firefox, most times the program will hang and never actually go to the requested website. AVG will also not update along with SUPERAntispyware and windows XP update. I am running SP2 and I have done the other updates manually. In an attempt to correct this problem, below is my Hijackthis log. If all else fails, wiping the drive and a fresh install of XP is an option, but I would like to try and fix the problem if possible. I appreciate any help and/or suggestions in advance. Thank you. Also, let me know if you need any additional information from me.

Hijackthis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:46 AM, on 6/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
O2 - BHO: (no name) - {1BD73B94-7614-48AA-BAAD-2D6C2B3ECD82} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: {cb551c24-df3a-7e59-fbe4-ccda71f96064} - {46069f17-adcc-4ebf-95e7-a3fd42c155bc} - C:\WINDOWS\system32\naaenjcx.dll (file missing)
O2 - BHO: (no name) - {922FBD52-7432-4839-BD54-FAF61639020E} - (no file)
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BM9b97b920] Rundll32.exe "C:\WINDOWS\system32\dmjfibcq.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - ?p=ZKfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (14.0)) - file:///D:/LTOCX14N.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: jkkHWQKb - jkkHWQKb.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 4378 bytes