I have a real bad Trojan problem. [F]

WasTech

My computer is running real slow. The Trojan disabled my AVG, and every time I try to scan it seems like they just run forever, not going anywhere. Well, at least I'm able to use the internet and Outlook Express, albeit slowly. Spybot S&D, Ad-Aware 2008 and AVG won't even run at all. Tried ewido.com's free online scan; it just spun its wheels. Then I found Sergiwa.com and downloaded this CaSIR v2.2. It took it about a minute to find this. So if I can trust this website I have a Trojan.Win32.Small.cv. Great, huh? Almost forgot: don't ask me to go into Safe Mode, it won't let me. I get a Blue Screen error and it freezes.

Can I trust this site? It says for $14.95 it will remove the Trojan. Does this malware keep itself in Windows, or did it infect my 2nd partition? I have a C: and D: on the same HD. I'm just wondering, if I reinstall XP Pro, just reformatting C:, whether it will affect my files on D:? Because I can't really back up my files to DVD right now, as slow as it is. But I can back important files up from C: to the D: drive. How can I get rid of this darn thing?

RKM - Disabled Show System/Folders Restriction.

RKM - Same Thing again.

RKM - Disabled File Extension Names Restriction.

RKD - Default Startup Folder Infection.

SFL - Trojan.Win32.Small.cv

RKA - Security Center Corrupted Settings.

My HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:32:24 PM, on 6/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\Program Files\AVG\AVG8\avgrsx.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Analog Devices\Core\smax4pnp.exe
E:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
E:\WINDOWS\system32\hphmon04.exe
E:\WINDOWS\system32\CTSvcCDA.EXE
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
E:\WINDOWS\system32\MsPMSPSv.exe
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
E:\Program Files\Messenger\msmsgs.exe
E:\WINDOWS\system32\ctfmon.exe
E:\WINDOWS\system32\fxssvc.exe
E:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Program Files\MSWorks\Calendar\WKCALREM.EXE
E:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
E:\Program Files\Internet Explorer\iexplore.exe
E:\WINDOWS\system32\dwwin.exe
E:\PROGRA~1\WINZIP\winzip32.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Dogpile Web Search Home Page
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - E:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - E:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - E:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - E:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ZoneAlarm Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] E:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] E:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "E:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MicroSys-CheckAjour] F:\Program Files\Micro-Sys Software\Ajour\ChkAjour.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = E:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1209528704281
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - E:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Pml Driver HPH11 - HP - E:\WINDOWS\system32\HPHipm11.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6209 bytes
 
Re: I have a real bad Trojan problem.

Hello WasTech,

Download ComboFix from Here or Here to your Desktop.
Read first: "How to download and use ComboFix"
If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
  • Be sure to re-enable your anti-virus and other security programs, after ComboFix finished.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections, and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist. Please read ComboFix's Disclaimer.

Logs needed in next post:

ComboFix

Regards,
Mak213
 
Re: I have a real bad Trojan problem.

Hi,

OK, please tell me what you see here that was my problem. Thanks.

I see it deleted one file. E:\WINDOWS\system32\_000103_.tmp.dll

Here is the ComboFix log.

ComboFix 08-06-19.2 - Ed 2008-06-20 0:52:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1729 [GMT -4:00]
Running from: E:\Documents and Settings\Ed\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\WINDOWS\system32\_000103_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))
.

2008-06-20 00:32 . 2008-06-20 00:44 <DIR> d-a------ E:\Documents and Settings\All Users\Application Data\TEMP
2008-06-19 23:17 . 2008-06-19 23:51 1,242 --a------ E:\WINDOWS\system32\tmp.reg
2008-06-19 23:15 . 2007-09-06 00:22 289,144 --a------ E:\WINDOWS\system32\VCCLSID.exe
2008-06-19 23:15 . 2006-04-27 17:49 288,417 --a------ E:\WINDOWS\system32\SrchSTS.exe
2008-06-19 23:15 . 2008-05-29 09:35 86,528 --a------ E:\WINDOWS\system32\VACFix.exe
2008-06-19 23:15 . 2008-05-18 21:40 82,944 --a------ E:\WINDOWS\system32\IEDFix.exe
2008-06-19 23:15 . 2008-06-15 15:28 81,920 --a------ E:\WINDOWS\system32\IEDFix.C.exe
2008-06-19 23:15 . 2008-05-23 18:21 81,920 --a------ E:\WINDOWS\system32\404Fix.exe
2008-06-19 23:15 . 2003-06-05 21:13 53,248 --a------ E:\WINDOWS\system32\Process.exe
2008-06-19 23:15 . 2004-07-31 18:50 51,200 --a------ E:\WINDOWS\system32\dumphive.exe
2008-06-19 23:15 . 2007-10-04 00:36 25,600 --a------ E:\WINDOWS\system32\WS2Fix.exe.vir
2008-06-19 22:44 . 2008-06-19 23:01 <DIR> d-------- E:\Program Files\Trojan Remover
2008-06-19 22:44 . 2008-06-19 22:44 <DIR> d-------- E:\Documents and Settings\Ed\Application Data\Simply Super Software
2008-06-19 22:44 . 2008-06-19 22:44 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-06-19 22:44 . 2006-05-25 15:52 162,304 --a------ E:\WINDOWS\system32\ztvunrar36.dll
2008-06-19 22:44 . 2003-02-02 20:06 153,088 --a------ E:\WINDOWS\system32\UNRAR3.dll
2008-06-19 22:44 . 2005-08-26 01:50 77,312 --a------ E:\WINDOWS\system32\ztvunace26.dll
2008-06-19 22:44 . 2002-03-06 01:00 75,264 --a------ E:\WINDOWS\system32\unacev2.dll
2008-06-19 22:44 . 2006-06-19 13:01 69,632 --a------ E:\WINDOWS\system32\ztvcabinet.dll
2008-06-19 22:42 . 2008-06-19 22:42 <DIR> d-------- E:\Program Files\MSConfig CleanUp
2008-06-19 22:41 . 2008-06-19 22:41 <DIR> d-------- E:\Program Files\CleanUp!
2008-06-19 22:39 . 2008-06-19 22:39 <DIR> d-------- E:\Program Files\CCleaner
2008-06-19 22:30 . 2008-06-19 22:30 <DIR> d-------- E:\VundoFix Backups
2008-06-19 20:47 . 2008-06-19 20:47 <DIR> d-------- E:\WINDOWS\McAfee.com
2008-06-19 18:49 . 2008-06-20 00:41 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\McAfee
2008-06-19 18:08 . 2008-06-19 20:48 <DIR> d-------- E:\Program Files\XoftSpySE
2008-06-19 17:50 . 2008-06-19 17:50 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Zenturi
2008-06-19 16:26 . 2008-06-19 16:26 <DIR> d-------- E:\Program Files\Trend Micro
2008-06-14 12:58 . 2005-03-11 18:28 151,552 --------- E:\WINDOWS\system32\pxwma.dll
2008-06-14 12:58 . 2005-03-11 18:48 109,568 --------- E:\WINDOWS\system32\pxinsi64.exe
2008-06-14 12:58 . 2005-03-11 18:48 108,544 --------- E:\WINDOWS\system32\pxcpyi64.exe
2008-06-14 02:54 . 2008-06-14 12:59 1,065 --a------ E:\WINDOWS\winamp.ini
2008-06-11 01:36 . 2008-04-14 07:01 272,128 -----c--- E:\WINDOWS\system32\dllcache\bthport.sys
2008-06-03 17:05 . 2008-06-03 17:05 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\LogiShrd
2008-06-02 19:56 . 2008-06-02 19:56 <DIR> d-------- E:\Program Files\Common Files\Logishrd
2008-06-02 19:56 . 2008-06-02 19:56 <DIR> d-------- E:\Documents and Settings\Ed\Application Data\InstallShield
2008-06-02 19:56 . 2008-06-02 19:56 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Logitech
2008-06-02 19:56 . 2008-05-02 02:38 301,656 --a------ E:\WINDOWS\system32\BtCoreIf.dll
2008-05-30 12:44 . 1997-04-22 10:16 6,272 --a------ E:\WINDOWS\system32\drivers\ASLM75.SYS
2008-05-30 12:38 . 1996-11-05 16:13 299,008 --a------ E:\WINDOWS\uninst.exe
2008-05-30 12:36 . 2004-01-28 04:21 5,824 --a------ E:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-05-30 12:36 . 2008-05-30 12:36 2,914 --a------ E:\WINDOWS\Ascd_tmp.ini
2008-05-22 17:07 . 2008-05-22 17:07 <DIR> d-------- E:\Program Files\Lavasoft
2008-05-22 17:07 . 2008-05-22 17:07 <DIR> d-------- E:\Program Files\Common Files\Wise Installation Wizard
2008-05-22 17:07 . 2008-05-22 17:09 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-22 15:40 . 2008-06-10 01:35 69 --a------ E:\WINDOWS\NeroDigital.ini
2008-05-22 03:15 . 2008-05-22 12:50 <DIR> d-------- E:\Program Files\Enigma Software Group
2008-05-22 02:47 . 2008-05-22 02:47 <DIR> d-------- E:\Program Files\Unlocker
2008-05-21 23:11 . 2008-05-21 23:11 30 --a------ E:\WINDOWS\Iedit.INI
2008-05-20 03:17 . 2008-05-20 03:17 <DIR> d-------- E:\WINDOWS\system32\Viewers
2008-05-20 03:17 . 2008-05-20 03:17 <DIR> d-------- E:\Program Files\MSWorks
2008-05-20 03:17 . 2008-05-20 03:17 1,409 --a------ E:\WINDOWS\system\arnari.FOT
2008-05-20 03:17 . 2008-05-20 03:17 1,409 --a------ E:\WINDOWS\system\arnar.FOT
2008-05-20 03:15 . 2008-05-20 03:15 <DIR> d-------- E:\Program Files\Microsoft Works 4.5
2008-05-20 00:01 . 2001-08-17 13:50 144,896 --a------ E:\WINDOWS\system32\drivers\epcfw2k.sys
2008-05-20 00:01 . 2001-08-17 13:50 144,896 --a--c--- E:\WINDOWS\system32\dllcache\epcfw2k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 03:09 --------- d-----w E:\Program Files\Spybot - Search & Destroy
2008-06-20 03:02 --------- d-----w E:\Documents and Settings\All Users\Application Data\avg8
2008-06-19 23:08 --------- d-----w E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-02 23:56 --------- d--h--w E:\Program Files\InstallShield Installation Information
2008-06-02 23:56 --------- d-----w E:\Program Files\Common Files\Logitech
2008-05-27 21:55 --------- d-----w E:\Program Files\Common Files\Adobe
2008-05-27 21:55 --------- d-----w E:\Documents and Settings\Ed\Application Data\AdobeUM
2008-05-19 04:27 --------- d-----w E:\Documents and Settings\Ed\Application Data\Microsoft Web Folders
2008-05-19 04:26 --------- d-----w E:\Program Files\microsoft frontpage
2008-05-18 17:38 --------- d-----w E:\Program Files\Ahead
2008-05-18 17:36 --------- d-----w E:\Program Files\Common Files\Nero
2008-05-18 17:34 --------- d-----w E:\Program Files\Common Files\Ahead
2008-05-18 17:34 --------- d-----w E:\Documents and Settings\All Users\Application Data\Ahead
2008-05-18 16:33 --------- d-----w E:\Program Files\Hewlett-Packard
2008-05-18 16:33 --------- d-----w E:\Documents and Settings\Ed\Application Data\Share-to-Web Upload Folder
2008-05-18 16:30 --------- d-----w E:\Program Files\HP Photosmart 11
2008-05-17 18:09 --------- d-----w E:\Documents and Settings\Ed\Application Data\Creative
2008-05-17 15:14 --------- d-----w E:\Documents and Settings\All Users\Application Data\winamp
2008-05-17 14:34 --------- d-----w E:\Program Files\Creative
2008-05-17 06:03 --------- d-----w E:\Documents and Settings\All Users\Application Data\Creative
2008-05-16 15:58 12,632 ----a-w E:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w E:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w E:\WINDOWS\system32\quartz.dll
2008-05-04 06:08 --------- d-----w E:\Program Files\Eraser
2008-05-03 04:16 30,544 ----a-w E:\WINDOWS\dirdib.drv
2008-05-03 04:16 179,958 ----a-w E:\WINDOWS\macromix.dll
2008-05-03 03:04 --------- d-----w E:\Program Files\scar5
2008-05-03 03:04 --------- d-----w E:\Documents and Settings\All Users\Application Data\scar5
2008-05-02 23:48 691,545 ----a-w E:\WINDOWS\unins000.exe
2008-05-02 23:33 --------- d-----w E:\Program Files\Logitech
2008-05-02 23:33 --------- d-----w E:\Documents and Settings\Ed\Application Data\Logitech
2008-05-02 23:16 --------- d-----w E:\Program Files\Java
2008-05-02 23:15 --------- d-----w E:\Program Files\Common Files\Java
2008-05-02 06:40 84,496 ----a-w E:\WINDOWS\system32\KemXML.dll
2008-05-02 06:40 117,264 ----a-w E:\WINDOWS\system32\KemWnd.dll
2008-05-02 06:39 170,512 ----a-w E:\WINDOWS\system32\kemutb.dll
2008-05-02 06:39 145,936 ----a-w E:\WINDOWS\system32\KemUtil.dll
2008-05-02 06:10 --------- d--h--w E:\Documents and Settings\All Users\Application Data\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}
2008-05-02 06:03 308,856 ----a-w E:\Program Files\rpbrowserrecordplugin.dll
2008-05-02 06:03 --------- d-----w E:\Program Files\DataCache
2008-05-02 06:02 499,712 ----a-w E:\WINDOWS\system32\msvcp71.dll
2008-05-02 06:02 348,160 ----a-w E:\WINDOWS\system32\msvcr71.dll
2008-05-02 02:24 --------- d-----w E:\Program Files\Ulead Systems
2008-05-02 02:24 --------- d-----w E:\Program Files\Common Files\InstallShield
2008-05-01 19:27 --------- d-----w E:\Documents and Settings\Ed\Application Data\AVGTOOLBAR
2008-05-01 19:25 --------- d-----w E:\Program Files\AVG
2008-04-30 04:18 --------- d-----w E:\Documents and Settings\Ed\Application Data\vlc
2008-04-29 18:53 --------- d-----w E:\Program Files\Common Files\Shuttle Technology
2008-04-29 18:09 --------- d-----w E:\Program Files\Analog Devices
2008-04-29 18:04 --------- d-----w E:\Program Files\VIA
2008-04-29 15:20 15,648 ----a-w E:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w E:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w E:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-28 22:25 --------- d-----w E:\Program Files\ZoneAlarmSB
2008-04-28 22:24 --------- d-----w E:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-21 07:04 659,456 ----a-w E:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w E:\WINDOWS\system32\msjint40.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "E:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-04-28 18:25 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= E:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-04-28 18:25 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
e:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2008-05-02 02:42 72208 e:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"F:\\Program Files\\LimeWire\\LimeWire.exe"=

R1 stltrack;stltrack;E:\WINDOWS\system32\drivers\stltrack.sys [1998-09-14 17:08]
R3 epcfw2k;SCM Parallel Port CF Driver;E:\WINDOWS\system32\DRIVERS\epcfw2k.sys [2001-08-17 13:50]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-20 04:47:55 E:\WINDOWS\Tasks\HP Usg Daily.job"
- E:\Program Files\hp photosmart 11\printer\Hphusg04.exe
"2008-06-20 04:47:56 E:\WINDOWS\Tasks\HP Usg Login.job"
- E:\Program Files\hp photosmart 11\printer\Hphusg04.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-20 00:52:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-20 0:53:01
ComboFix-quarantined-files.txt 2008-06-20 04:52:58

Pre-Run: 120,113,143,808 bytes free
Post-Run: 120,099,262,464 bytes free

172 --- E O F --- 2008-06-11 05:39:48
 
Re: I have a real bad Trojan problem.

OK, is the **** thing gone now or what? :) Was it, or is it, the Trojan.Win32.Small.wv?

HijackThis log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:01:05, on 6/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\CTSvcCDA.EXE
E:\WINDOWS\system32\MsPMSPSv.exe
E:\Program Files\Messenger\msmsgs.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\notepad.exe
E:\WINDOWS\explorer.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Dogpile Web Search Home Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - E:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - E:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1209528704281
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5321/mcfscan.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - E:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Pml Driver HPH11 - HP - E:\WINDOWS\system32\HPHipm11.exe

--
End of file - 3451 bytes
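As an added example (not code from HijackThis, ComboFix or anyone in this thread), here is a small Python script that parses the entry lines of a HijackThis log, diffs two scans of the same machine so a helper can see exactly which BHO, Run, AppInit_DLLs and service entries disappeared between the 6/19 and 6/20 logs above, and flags autostart entries whose target sits on a drive other than the Windows drive (the second-partition question from the first post). The sample logs are constructed excerpts of the two logs posted above; the drive-letter check assumes smss.exe appears under "Running processes:", as it does in both.

```python
"""Parse HijackThis (HJT) log entries and compare two scans of one machine.

Added example for this thread; not code from HijackThis, ComboFix or the forum.
An HJT log is a list of "Rn - ..." / "On - ..." entry lines (BHOs, Run keys,
AppInit_DLLs, services) between a "Running processes:" block and an
"End of file" footer, which makes it easy to diff two scans mechanically.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One HJT entry: section tag (R0..R3, O1..O24), " - ", then the entry body.
ENTRY_RE = re.compile(r"^([RO]\d{1,2}) - (.*)$")
# A drive-rooted Windows path inside an entry body; only the letter is kept.
PATH_RE = re.compile(r'([A-Za-z]):\\[^"\r\n]*')
# smss.exe in the "Running processes:" block reveals the Windows system drive.
SMSS_RE = re.compile(r"^([A-Za-z]):\\WINDOWS\\System32\\smss\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str             # e.g. "O4"
    body: str                # remainder of the line, whitespace collapsed
    drives: Tuple[str, ...]  # drive letters referenced by the body


def parse_entries(log_text: str) -> List[Entry]:
    """Return the HJT entries in a log, in file order; other lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = " ".join(m.group(2).split())
        drives = tuple(sorted({d.upper() for d in PATH_RE.findall(body)}))
        entries.append(Entry(m.group(1), body, drives))
    return entries


def system_drive(log_text: str) -> Optional[str]:
    """Drive letter Windows booted from, taken from the smss.exe process line."""
    for raw in log_text.splitlines():
        m = SMSS_RE.match(raw.strip())
        if m:
            return m.group(1).upper()
    return None


def diff_logs(before: str, after: str):
    """(removed, added): entries only in `before`, and entries only in `after`."""
    b = {(e.section, e.body) for e in parse_entries(before)}
    a = {(e.section, e.body) for e in parse_entries(after)}
    return sorted(b - a), sorted(a - b)


def off_system_drive(log_text: str, sections=("O4",)) -> List[Tuple[str, str]]:
    """Autostart entries whose target is on a drive other than the system drive."""
    sysdrv = system_drive(log_text)
    return [(e.section, e.body) for e in parse_entries(log_text)
            if e.section in sections and any(d != sysdrv for d in e.drives)]


# Constructed excerpts of the two logs posted in this thread (6/19 and 6/20).
BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
E:\WINDOWS\System32\smss.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - E:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ZoneAlarm Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
--
End of file - 6209 bytes
"""

AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
E:\WINDOWS\System32\smss.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5321/mcfscan.cab
--
End of file - 3451 bytes
"""


def report(before: str, after: str) -> str:
    """Human-readable summary a helper could paste back into the thread."""
    removed, added = diff_logs(before, after)
    out = [f"Windows drive: {system_drive(after)}"]
    out += [f"- {s} {b}" for s, b in removed]
    out += [f"+ {s} {b}" for s, b in added]
    out += [f"! autostart on another drive: {s} {b}" for s, b in off_system_drive(before)]
    return "\n".join(out)


if __name__ == "__main__":
    print(report(BEFORE, AFTER))
```

Paste the full logs in place of the excerpts to compare a real pair of scans; entries that vanish without a matching uninstall (here the AVG BHO, tray entry, AppInit_DLLs hook and watchdog service all go at once) are exactly what a helper would ask about next.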
 
Re: I have a real bad Trojan problem.

No, you are not clean. I will develop your fix ASAP and get it to you. There is an infection on the PC still. Please just bear with me. Thank you.
 
Re: I have a real bad Trojan problem.

Hello WasTech,

1. Please open Notepad
  • Click Start, then Run
  • Type "notepad.exe" in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
KillAll::
E:\WINDOWS\system32\WS2Fix.exe.vir
File::
E:\WINDOWS\unins000.exe
E:\WINDOWS\system32\tmp.reg
E:\WINDOWS\system32\dumphive.exe
E:\WINDOWS\system32\pxwma.dll
E:\Documents and Settings\All Users\Application Data\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}
3. Then in the text file go to FILE => SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif


6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:

Logs needed in next post:

ComboFix

Regards,
Mak
 
Re: I have a real bad Trojan problem.

Hey Mak,

When I started my comp today it was faster. Then I downloaded Microsoft updates, restarted, and it was slow again. I rebooted and did what you said to do. It was running faster again. When I ran ComboFix I got errors. Here they are below. I figured that it might be the worms sending out false reports, so I didn't hit OK on them right away, but then it didn't look like CF was running so I hit OK. Oh, my clock is on military time and doesn't show AM or PM now. When I try to change it, it shows it right but not on the toolbar.

1st - Findstr.cfexe - App Error

App Failed initialation pro (0xc0000096)

2nd - CF24193.exe - Corrupt File

3rd - Windows - Registry Recovery

1 File containing system Reg data had to be recovered by use of a log or alt copy. Recovery was Successful.

CF went through 43 stages, some A&B, to complete. Is that right?

Is it clean now?

ComboFix log:

ComboFix 08-06-19.2 - Ed 2008-06-20 16:41:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1732 [GMT -4:00]
Running from: E:\Documents and Settings\Ed\Desktop\Trojans suck\ComboFix.exe
Command switches used :: E:\Documents and Settings\Ed\Desktop\Trojans suck\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
E:\Documents and Settings\All Users\Application Data\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}
E:\WINDOWS\system32\dumphive.exe
E:\WINDOWS\system32\pxwma.dll
E:\WINDOWS\system32\tmp.reg
E:\WINDOWS\unins000.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\WINDOWS\system32\dumphive.exe
E:\WINDOWS\system32\pxwma.dll
E:\WINDOWS\system32\tmp.reg
E:\WINDOWS\unins000.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))
.

2008-06-20 12:30 . 2008-06-20 12:30 <DIR> d--h----- E:\WINDOWS\$hf_mig$
2008-06-20 12:26 . 2008-06-20 17:25 716,832 --ahs---- E:\WINDOWS\system32\drivers\fidbox.dat
2008-06-20 12:26 . 2008-06-20 17:22 10,424 --ahs---- E:\WINDOWS\system32\drivers\fidbox.idx
2008-06-20 02:37 . 2008-06-20 02:37 <DIR> d-------- E:\Program Files\Zone Labs
2008-06-20 02:36 . 2008-06-20 17:25 352,918 --a------ E:\WINDOWS\system32\vsconfig.xml
2008-06-20 02:32 . 2008-06-20 13:31 <DIR> d--h----- E:\$AVG8.VAULT$
2008-06-20 01:58 . 2008-06-20 12:29 <DIR> d-------- E:\WINDOWS\system32\drivers\Avg
2008-06-20 01:58 . 2008-06-20 01:58 96,520 --a------ E:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-20 01:58 . 2008-06-20 01:58 75,272 --a------ E:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-20 01:58 . 2008-06-20 01:58 10,520 --a------ E:\WINDOWS\system32\avgrsstx.dll
2008-06-20 00:32 . 2008-06-20 00:44 <DIR> d-a------ E:\Documents and Settings\All Users\Application Data\TEMP
2008-06-19 23:15 . 2007-09-06 00:22 289,144 --a------ E:\WINDOWS\system32\VCCLSID.exe
2008-06-19 23:15 . 2006-04-27 17:49 288,417 --a------ E:\WINDOWS\system32\SrchSTS.exe
2008-06-19 23:15 . 2008-05-29 09:35 86,528 --a------ E:\WINDOWS\system32\VACFix.exe
2008-06-19 23:15 . 2008-05-18 21:40 82,944 --a------ E:\WINDOWS\system32\IEDFix.exe
2008-06-19 23:15 . 2008-06-15 15:28 81,920 --a------ E:\WINDOWS\system32\IEDFix.C.exe
2008-06-19 23:15 . 2008-05-23 18:21 81,920 --a------ E:\WINDOWS\system32\404Fix.exe
2008-06-19 23:15 . 2003-06-05 21:13 53,248 --a------ E:\WINDOWS\system32\Process.exe
2008-06-19 23:15 . 2007-10-04 00:36 25,600 --a------ E:\WINDOWS\system32\WS2Fix.exe.vir
2008-06-19 22:44 . 2008-06-19 23:01 <DIR> d-------- E:\Program Files\Trojan Remover
2008-06-19 22:44 . 2008-06-19 22:44 <DIR> d-------- E:\Documents and Settings\Ed\Application Data\Simply Super Software
2008-06-19 22:44 . 2008-06-19 22:44 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-06-19 22:44 . 2006-05-25 15:52 162,304 --a------ E:\WINDOWS\system32\ztvunrar36.dll
2008-06-19 22:44 . 2003-02-02 20:06 153,088 --a------ E:\WINDOWS\system32\UNRAR3.dll
2008-06-19 22:44 . 2005-08-26 01:50 77,312 --a------ E:\WINDOWS\system32\ztvunace26.dll
2008-06-19 22:44 . 2002-03-06 01:00 75,264 --a------ E:\WINDOWS\system32\unacev2.dll
2008-06-19 22:44 . 2006-06-19 13:01 69,632 --a------ E:\WINDOWS\system32\ztvcabinet.dll
2008-06-19 22:42 . 2008-06-19 22:42 <DIR> d-------- E:\Program Files\MSConfig CleanUp
2008-06-19 22:41 . 2008-06-19 22:41 <DIR> d-------- E:\Program Files\CleanUp!
2008-06-19 22:39 . 2008-06-19 22:39 <DIR> d-------- E:\Program Files\CCleaner
2008-06-19 22:30 . 2008-06-19 22:30 <DIR> d-------- E:\VundoFix Backups
2008-06-19 20:47 . 2008-06-19 20:47 <DIR> d-------- E:\WINDOWS\McAfee.com
2008-06-19 18:49 . 2008-06-20 00:41 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\McAfee
2008-06-19 18:08 . 2008-06-19 20:48 <DIR> d-------- E:\Program Files\XoftSpySE
2008-06-19 17:50 . 2008-06-19 17:50 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Zenturi
2008-06-19 16:26 . 2008-06-19 16:26 <DIR> d-------- E:\Program Files\Trend Micro
2008-06-14 12:58 . 2005-03-11 18:48 109,568 --------- E:\WINDOWS\system32\pxinsi64.exe
2008-06-14 12:58 . 2005-03-11 18:48 108,544 --------- E:\WINDOWS\system32\pxcpyi64.exe
2008-06-14 02:54 . 2008-06-14 12:59 1,065 --a------ E:\WINDOWS\winamp.ini
2008-06-11 01:36 . 2008-06-13 09:10 272,128 -----c--- E:\WINDOWS\system32\dllcache\bthport.sys
2008-06-03 17:05 . 2008-06-03 17:05 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\LogiShrd
2008-06-02 19:56 . 2008-06-02 19:56 <DIR> d-------- E:\Program Files\Common Files\Logishrd
2008-06-02 19:56 . 2008-06-02 19:56 <DIR> d-------- E:\Documents and Settings\Ed\Application Data\InstallShield
2008-06-02 19:56 . 2008-06-02 19:56 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Logitech
2008-06-02 19:56 . 2008-05-02 02:38 301,656 --a------ E:\WINDOWS\system32\BtCoreIf.dll
2008-05-30 12:44 . 1997-04-22 10:16 6,272 --a------ E:\WINDOWS\system32\drivers\ASLM75.SYS
2008-05-30 12:38 . 1996-11-05 16:13 299,008 --a------ E:\WINDOWS\uninst.exe
2008-05-30 12:36 . 2004-01-28 04:21 5,824 --a------ E:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-05-30 12:36 . 2008-05-30 12:36 2,914 --a------ E:\WINDOWS\Ascd_tmp.ini
2008-05-22 17:07 . 2008-05-22 17:07 <DIR> d-------- E:\Program Files\Lavasoft
2008-05-22 17:07 . 2008-05-22 17:07 <DIR> d-------- E:\Program Files\Common Files\Wise Installation Wizard
2008-05-22 17:07 . 2008-05-22 17:09 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-22 15:40 . 2008-06-10 01:35 69 --a------ E:\WINDOWS\NeroDigital.ini
2008-05-22 03:15 . 2008-05-22 12:50 <DIR> d-------- E:\Program Files\Enigma Software Group
2008-05-22 02:47 . 2008-05-22 02:47 <DIR> d-------- E:\Program Files\Unlocker
2008-05-21 23:11 . 2008-05-21 23:11 30 --a------ E:\WINDOWS\Iedit.INI
2008-05-20 03:17 . 2008-05-20 03:17 <DIR> d-------- E:\WINDOWS\system32\Viewers
2008-05-20 03:17 . 2008-05-20 03:17 <DIR> d-------- E:\Program Files\MSWorks
2008-05-20 03:17 . 2008-05-20 03:17 1,409 --a------ E:\WINDOWS\system\arnari.FOT
2008-05-20 03:17 . 2008-05-20 03:17 1,409 --a------ E:\WINDOWS\system\arnar.FOT
2008-05-20 03:15 . 2008-05-20 03:15 <DIR> d-------- E:\Program Files\Microsoft Works 4.5
2008-05-20 00:01 . 2001-08-17 13:50 144,896 --a------ E:\WINDOWS\system32\drivers\epcfw2k.sys
2008-05-20 00:01 . 2001-08-17 13:50 144,896 --a--c--- E:\WINDOWS\system32\dllcache\epcfw2k.sys

.
 
Re: I have a real bad Trojan problem.

Continued log:


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 06:12 --------- d-----w E:\Documents and Settings\Ed\Application Data\AVGTOOLBAR
2008-06-20 05:58 --------- d-----w E:\Documents and Settings\All Users\Application Data\avg8
2008-06-20 03:09 --------- d-----w E:\Program Files\Spybot - Search & Destroy
2008-06-19 23:08 --------- d-----w E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-13 13:10 272,128 ------w E:\WINDOWS\system32\drivers\bthport.sys
2008-06-02 23:56 --------- d--h--w E:\Program Files\InstallShield Installation Information
2008-06-02 23:56 --------- d-----w E:\Program Files\Common Files\Logitech
2008-05-27 21:55 --------- d-----w E:\Program Files\Common Files\Adobe
2008-05-27 21:55 --------- d-----w E:\Documents and Settings\Ed\Application Data\AdobeUM
2008-05-19 04:27 --------- d-----w E:\Documents and Settings\Ed\Application Data\Microsoft Web Folders
2008-05-19 04:26 --------- d-----w E:\Program Files\microsoft frontpage
2008-05-18 17:38 --------- d-----w E:\Program Files\Ahead
2008-05-18 17:36 --------- d-----w E:\Program Files\Common Files\Nero
2008-05-18 17:34 --------- d-----w E:\Program Files\Common Files\Ahead
2008-05-18 17:34 --------- d-----w E:\Documents and Settings\All Users\Application Data\Ahead
2008-05-18 16:33 --------- d-----w E:\Program Files\Hewlett-Packard
2008-05-18 16:33 --------- d-----w E:\Documents and Settings\Ed\Application Data\Share-to-Web Upload Folder
2008-05-18 16:30 --------- d-----w E:\Program Files\HP Photosmart 11
2008-05-17 18:09 --------- d-----w E:\Documents and Settings\Ed\Application Data\Creative
2008-05-17 15:14 --------- d-----w E:\Documents and Settings\All Users\Application Data\winamp
2008-05-17 14:34 --------- d-----w E:\Program Files\Creative
2008-05-17 06:03 --------- d-----w E:\Documents and Settings\All Users\Application Data\Creative
2008-05-16 15:58 12,632 ----a-w E:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w E:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w E:\WINDOWS\system32\quartz.dll
2008-05-04 06:08 --------- d-----w E:\Program Files\Eraser
2008-05-03 04:16 30,544 ----a-w E:\WINDOWS\dirdib.drv
2008-05-03 04:16 179,958 ----a-w E:\WINDOWS\macromix.dll
2008-05-03 03:04 --------- d-----w E:\Program Files\scar5
2008-05-03 03:04 --------- d-----w E:\Documents and Settings\All Users\Application Data\scar5
2008-05-02 23:33 --------- d-----w E:\Program Files\Logitech
2008-05-02 23:33 --------- d-----w E:\Documents and Settings\Ed\Application Data\Logitech
2008-05-02 23:16 --------- d-----w E:\Program Files\Java
2008-05-02 23:15 --------- d-----w E:\Program Files\Common Files\Java
2008-05-02 06:40 84,496 ----a-w E:\WINDOWS\system32\KemXML.dll
2008-05-02 06:40 117,264 ----a-w E:\WINDOWS\system32\KemWnd.dll
2008-05-02 06:39 170,512 ----a-w E:\WINDOWS\system32\kemutb.dll
2008-05-02 06:39 145,936 ----a-w E:\WINDOWS\system32\KemUtil.dll
2008-05-02 06:10 --------- d--h--w E:\Documents and Settings\All Users\Application Data\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}
2008-05-02 06:03 308,856 ----a-w E:\Program Files\rpbrowserrecordplugin.dll
2008-05-02 06:03 --------- d-----w E:\Program Files\DataCache
2008-05-02 06:02 499,712 ----a-w E:\WINDOWS\system32\msvcp71.dll
2008-05-02 06:02 348,160 ----a-w E:\WINDOWS\system32\msvcr71.dll
2008-05-02 02:24 --------- d-----w E:\Program Files\Ulead Systems
2008-05-02 02:24 --------- d-----w E:\Program Files\Common Files\InstallShield
2008-05-01 19:25 --------- d-----w E:\Program Files\AVG
2008-04-30 04:18 --------- d-----w E:\Documents and Settings\Ed\Application Data\vlc
2008-04-29 18:53 --------- d-----w E:\Program Files\Common Files\Shuttle Technology
2008-04-29 18:09 --------- d-----w E:\Program Files\Analog Devices
2008-04-29 18:04 --------- d-----w E:\Program Files\VIA
2008-04-29 15:20 15,648 ----a-w E:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w E:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w E:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-28 22:25 --------- d-----w E:\Program Files\ZoneAlarmSB
2008-04-28 22:24 --------- d-----w E:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-21 07:04 659,456 ----a-w E:\WINDOWS\system32\wininet.dll
2008-04-03 01:07 75,248 ----a-w E:\WINDOWS\zllsputility.exe
2008-04-03 01:07 1,086,952 ----a-w E:\WINDOWS\system32\zpeng24.dll
2008-03-27 08:12 151,583 ----a-w E:\WINDOWS\system32\msjint40.dll
.

((((((((((((((((((((((((((((( snapshot@2008-06-20_ 0.52.53.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-20 04:47:44 2,048 --s-a-w E:\WINDOWS\bootstat.dat
+ 2008-06-20 21:25:15 2,048 --s-a-w E:\WINDOWS\bootstat.dat
- 2008-04-14 11:01:02 272,128 ------w E:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2008-06-13 13:10:50 272,128 ------w E:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2008-06-20 05:58:06 26,184 ----a-w E:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2007-07-19 20:10:28 127,768 ----a-w E:\WINDOWS\system32\drivers\klif.sys
+ 2008-04-03 01:07:36 796,048 ----a-w E:\WINDOWS\system32\libeay32_0.9.6l.dll
+ 2008-04-03 01:07:40 83,432 ----a-w E:\WINDOWS\system32\vsdata.dll
+ 2008-04-03 01:08:00 394,952 ----a-w E:\WINDOWS\system32\vsdatant.sys
+ 2008-04-03 01:07:40 157,160 ----a-w E:\WINDOWS\system32\vsinit.dll
+ 2008-04-03 01:07:40 103,912 ----a-w E:\WINDOWS\system32\vsmonapi.dll
+ 2008-04-03 01:07:40 275,944 ----a-w E:\WINDOWS\system32\vspubapi.dll
+ 2008-04-03 01:07:42 71,144 ----a-w E:\WINDOWS\system32\vsregexp.dll
+ 2008-04-03 01:07:42 472,552 ----a-w E:\WINDOWS\system32\vsutil.dll
+ 2008-04-03 01:07:42 46,568 ----a-w E:\WINDOWS\system32\vswmi.dll
+ 2008-04-03 01:07:42 99,816 ----a-w E:\WINDOWS\system32\vsxml.dll
+ 2008-04-03 01:07:44 83,432 ----a-w E:\WINDOWS\system32\zlcomm.dll
+ 2008-04-03 01:07:44 71,144 ----a-w E:\WINDOWS\system32\zlcommdb.dll
- 2008-04-28 22:25:59 4,212 ---h--w E:\WINDOWS\system32\zllictbl.dat
+ 2008-06-20 06:39:15 4,212 ---h--w E:\WINDOWS\system32\zllictbl.dat
+ 2008-04-03 01:07:32 370,208 ----a-w E:\WINDOWS\system32\ZoneLabs\av.dll
+ 2007-05-31 05:03:30 65,248 ----a-w E:\WINDOWS\system32\ZoneLabs\avsys\bases\aphish.dat
+ 2006-06-30 19:47:36 21,568 ----a-w E:\WINDOWS\system32\ZoneLabs\avsys\bases\avcmhk4.dll
+ 2007-05-31 05:03:30 1,628 ----a-w E:\WINDOWS\system32\ZoneLabs\avsys\bases\pdmkl.dat
+ 2007-05-31 05:03:16 77,824 ----a-w E:\WINDOWS\system32\ZoneLabs\avsys\CKAHComm.dll
+ 2007-05-31 05:03:16 110,592 ----a-w E:\WINDOWS\system32\ZoneLabs\avsys\CKAHrule.dll
+ 2007-05-31 05:03:16 331,776 ----a-w E:\WINDOWS\system32\ZoneLabs\avsys\CKAHUM.dll
+ 2007-05-31 05:03:16 38,400 ----a-w E:\WINDOWS\system32\ZoneLabs\avsys\FSSync.dll
+ 2006-09-20 04:12:14 208,960 ----a-w E:\WINDOWS\system32\ZoneLabs\avsys\inv.dll
+ 2007-12-03 19:53:58 282,624 ----a-w E:\WINDOWS\system32\ZoneLabs\avsys\kave.dll
+ 2006-12-19 23:13:52 1,093,632 ----a-w E:\WINDOWS\system32\ZoneLabs\avsys\libeay32.dll
+ 2007-05-31 05:03:20 548,864 ----a-w E:\WINDOWS\system32\ZoneLabs\avsys\msvcp80.dll
+ 2007-05-31 05:03:20 626,688 ----a-w E:\WINDOWS\system32\ZoneLabs\avsys\msvcr80.dll
+ 2007-05-31 05:03:18 184,320 ----a-w E:\WINDOWS\system32\ZoneLabs\avsys\prloader.dll
+ 2007-05-31 05:03:22 90,112 ----a-w E:\WINDOWS\system32\ZoneLabs\avsys\prremote.dll
+ 2007-12-03 19:53:58 139,264 ----a-w E:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
+ 2006-12-19 23:13:52 200,704 ----a-w E:\WINDOWS\system32\ZoneLabs\avsys\ssleay32.dll
+ 2008-04-03 01:07:32 99,816 ----a-w E:\WINDOWS\system32\ZoneLabs\camupd.dll
+ 2004-01-30 17:35:08 813,568 ----a-w E:\WINDOWS\system32\ZoneLabs\dbghelp.dll
+ 2008-04-03 01:07:34 128,480 ----a-w E:\WINDOWS\system32\ZoneLabs\fbl.dll
+ 2008-04-03 01:07:34 38,376 ----a-w E:\WINDOWS\system32\ZoneLabs\featuremap.dll
+ 2008-04-03 01:07:34 321,016 ----a-w E:\WINDOWS\system32\ZoneLabs\imsecure.dll
+ 2008-04-03 01:08:02 288,144 ----a-w E:\WINDOWS\system32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2008-06-20 16:44:08 152,976 ----a-w E:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll
+ 2008-04-03 01:08:02 26,000 ----a-w E:\WINDOWS\system32\ZoneLabs\lib\zlsvc.zip.dll
+ 2008-04-03 01:08:02 1,361,296 ----a-w E:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
+ 2008-04-03 01:08:02 71,056 ----a-w E:\WINDOWS\system32\ZoneLabs\lib\zui.zip.dll
+ 2008-04-03 01:09:10 30,184 ----a-w E:\WINDOWS\system32\ZoneLabs\plugins\rpc_server\rpc_server.dll
+ 2008-04-03 01:09:12 30,216 ----a-w E:\WINDOWS\system32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll
+ 2008-02-27 08:10:26 714,208 ----a-w E:\WINDOWS\system32\ZoneLabs\qrbase.dll
+ 2008-02-27 08:10:28 792,032 ----a-w E:\WINDOWS\system32\ZoneLabs\qrsrecl.dll
+ 2008-04-03 01:07:38 173,544 ----a-w E:\WINDOWS\system32\ZoneLabs\scheduler.dll
+ 2008-01-21 13:34:36 7,603,688 ----a-w E:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2008-02-27 08:10:32 1,504,736 ----a-w E:\WINDOWS\system32\ZoneLabs\srescan.dll
+ 2008-02-27 08:10:44 51,176 ----a-w E:\WINDOWS\system32\ZoneLabs\srescan.sys
+ 2008-04-03 01:07:38 456,168 ----a-w E:\WINDOWS\system32\ZoneLabs\ssleay32.dll
+ 2008-04-03 01:09:12 214,528 ----a-w E:\WINDOWS\system32\ZoneLabs\streamapi\httpblocker\httpblocker.dll
+ 2008-04-03 01:09:14 3,266,040 ----a-w E:\WINDOWS\system32\ZoneLabs\streamapi\imslsp\imslsp.dll
+ 2006-09-05 01:59:14 503,875 ----a-w E:\WINDOWS\system32\ZoneLabs\upd_core.dll
+ 2007-10-11 21:50:32 832,984 ----a-w E:\WINDOWS\system32\ZoneLabs\updating.dll
+ 2008-04-03 01:07:54 144,936 ----a-w E:\WINDOWS\system32\ZoneLabs\updclient.exe
+ 2007-01-11 22:31:06 286,787 ----a-w E:\WINDOWS\system32\ZoneLabs\updtrsdk.dll
+ 2008-04-03 01:07:40 108,008 ----a-w E:\WINDOWS\system32\ZoneLabs\vsavpro.dll
+ 2008-04-03 01:07:40 83,432 ----a-w E:\WINDOWS\system32\ZoneLabs\vsdb.dll
+ 2008-04-03 01:07:54 75,304 ----a-w E:\WINDOWS\system32\ZoneLabs\vsmon.exe
+ 2008-04-03 01:07:40 2,029,032 ----a-w E:\WINDOWS\system32\ZoneLabs\vsmondll.dll
+ 2008-04-03 01:07:42 1,361,384 ----a-w E:\WINDOWS\system32\ZoneLabs\vsruledb.dll
+ 2008-04-03 01:07:42 239,080 ----a-w E:\WINDOWS\system32\ZoneLabs\vsvault.dll
+ 2008-01-21 13:34:36 7,603,688 ----a-w E:\WINDOWS\system32\ZoneLabs\zlasdbup.dat
+ 2008-04-03 01:07:44 177,640 ----a-w E:\WINDOWS\system32\ZoneLabs\zlparser.dll
+ 2008-04-03 01:07:44 79,344 ----a-w E:\WINDOWS\system32\ZoneLabs\zlquarantine.dll
+ 2008-04-03 01:07:46 382,440 ----a-w E:\WINDOWS\system32\ZoneLabs\zlsre.dll
+ 2008-04-03 01:07:46 120,296 ----a-w E:\WINDOWS\system32\ZoneLabs\zlupdate.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "E:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-04-28 18:25 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= E:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-04-28 18:25 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="E:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-20 01:58 1177368]
"ZoneAlarm Client"="E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
e:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2008-05-02 02:42 72208 e:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"F:\\Program Files\\LimeWire\\LimeWire.exe"=
"E:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"E:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"E:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;E:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-20 01:58]
R1 stltrack;stltrack;E:\WINDOWS\system32\drivers\stltrack.sys [1998-09-14 17:08]
R2 avg8emc;AVG8 E-mail Scanner;E:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-20 01:58]
R2 avg8wd;AVG8 WatchDog;E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-20 01:58]
R2 AvgTdiX;AVG8 Network Redirector;E:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-20 01:58]
R3 epcfw2k;SCM Parallel Port CF Driver;E:\WINDOWS\system32\DRIVERS\epcfw2k.sys [2001-08-17 13:50]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-20 21:26:20 E:\WINDOWS\Tasks\HP Usg Daily.job"
- E:\Program Files\hp photosmart 11\printer\Hphusg04.exe
"2008-06-20 21:26:21 E:\WINDOWS\Tasks\HP Usg Login.job"
- E:\Program Files\hp photosmart 11\printer\Hphusg04.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-20 17:25:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\WINDOWS\system32\CTSVCCDA.EXE
E:\WINDOWS\system32\wdfmgr.exe
E:\WINDOWS\system32\MsPMSPSv.exe
E:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-06-20 17:27:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-20 21:27:01
ComboFix2.txt 2008-06-20 04:53:02

Pre-Run: 119,579,156,480 bytes free
Post-Run: 119,678,885,888 bytes free

293 --- E O F --- 2008-06-20 16:30:05
 
Re: I have a real bad Trojan problem.

After all you told me to do, including the logs above, it seems I still had something. It started running real slow again. So I got mad and reformatted C:, which is what it is now instead of E:. So now I have it all up and running again, although I do have some errors going on here and there. I hope that Trojan or its buddies weren't hiding in my other partition, which was F: and is now D:. So what do you think, is it clean or do I have to do something else yet? Thanks
 
Re: I have a real bad Trojan problem.

Well, if you have formatted it should be clean. The infections were on the E:\ drive where you had Windows installed. If that is the drive you formatted, then it is gone.
 