
Pc Security Lab --> Please Help (desperate)


  • This topic is locked
16 replies to this topic

#1 deeb

Posted 03 November 2007 - 12:15 PM

My old college friend's desktop and laptop are both infected. His wife is 5 months pregnant, he just lost his job, he's broke, and he can't use his PC to job hunt. He's in a pretty desperate situation. I offered to see if I could help fix his PC but I've never fixed anything this complex before. It has the typical symptoms that everyone else is describing. We ran Norton and a few other software programs (see below) but it appears that the fix for PC Security Lab varies from PC to PC. I created an account to see if you can help. Here is the info. We really appreciate your help.


Here is the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:30 AM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE
C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6AB27F2C-4AAC-4E26-B310-F871411F7646} - C:\Program Files\MSN Gaming Zone\hoqexC:\DOCUME~1\HP_Owner\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: aivskurq.msdn_hlp - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - C:\WINDOWS\system32\aivskurq.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Slide - {F25D0054-4CA2-49D5-A8B0-D79B7829D14E} - C:\Program Files\Slide\SlideBar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P35 "EPSON Stylus CX4600 Series (Copy 1)" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [{99-9D-DA-A2-ZN}] c:\windows\system32\kodsrngn.exe CHD001
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe (User 'Default user')
O4 - S-1-5-18 Startup: Slide.exe.lnk = C:\Program Files\Slide\Slide.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Slide.exe.lnk = C:\Program Files\Slide\Slide.exe (User 'Default user')
O4 - Startup: Slide.exe.lnk = C:\Program Files\Slide\Slide.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {82B56B47-90DC-4F58-9A7D-D27BA46D3C0F} (MyPhotoAlbum Easy Upload Tool Combo Control) - http://dkbehler.myphotoalbum.com/ImageUploader4.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/cgi/plugin.pl
O16 - DPF: {A94A916C-51A1-4B68-8FB0-7BD25EAED3B3} (CRecorder Object) - http://bix.yahoo.com/install/bix.cab
O16 - DPF: {F143DC71-450A-4A24-B6E7-4B3CC79D691D} (Bix.Yahoo Media Player) - http://bix.yahoo.com/install/bixmedia.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Software Jukebox v2.0 Service - Unknown owner - C:\Program Files\Common Files\MSJB NA01D Shared\Service\Software Jukebox v2.0 Service File.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: (no name) - https://webmail.pas.earthlink.net/wam/image...nk/logo_eln.gif

--
End of file - 14802 bytes

and here is the combofix log:

ComboFix 07-11-02.3 - HP_Owner 2007-11-03 9:09:59.2 - NTFSx86
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\3721
C:\Program Files\Accoona
C:\Program Files\akl
C:\Program Files\amsys
C:\Program Files\e-zshopper
C:\Program Files\p2pnetworks
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
.

2007-11-03 09:09 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-03 09:06 <DIR> d-------- C:\WINDOWS\LastGood
2007-11-03 09:06 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-02 19:27 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-01 00:36 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-11-01 00:36 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-10-31 20:12 <DIR> d-------- C:\Program Files\Windows Sidebar
2007-10-31 20:12 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-10-31 20:11 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-31 20:11 60,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-31 19:16 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-10-31 19:16 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-10-31 12:07 13,568 --a------ C:\WINDOWS\system32\ace16win.dll
2007-10-31 11:27 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-31 11:26 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-31 10:30 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-10-31 10:23 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\InterMute
2007-10-31 10:16 <DIR> d-------- C:\Program Files\interMute
2007-10-31 08:40 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-10-31 08:16 12 --a------ C:\WINDOWS\system32\dpqaqlqx.bin
2007-10-31 08:15 123,908 --a------ C:\WINDOWS\system32\vvgeowbv.exe
2007-10-31 08:15 21,504 --a------ C:\WINDOWS\system32\aivskurq.dll
2007-10-31 08:12 <DIR> d-------- C:\WINDOWS\system32\Mz08r
2007-10-31 08:12 <DIR> d-------- C:\temp\mZOr
2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-03 02:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-01 05:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-01 05:23 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Lavasoft
2007-11-01 03:51 806 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-01 03:51 10,652 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-01 03:51 --------- d-----w C:\Program Files\Symantec
2007-11-01 03:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-31 13:33 --------- d-----w C:\Program Files\MSN Messenger
2007-10-28 17:59 40,508 ----a-w C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2007-10-27 17:16 --------- d--h--w C:\Documents and Settings\HP_Owner\Application Data\Move Networks
2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 21:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 21:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 21:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 21:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 21:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 21:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 21:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-08-29 21:18 577,928 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-08-23 23:57 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-03-21 19:58 69,792 ----a-w C:\Documents and Settings\HP_Owner\Application Data\GDIPFONTCACHEV1.DAT
2006-09-17 15:24 29,784 ----a-w C:\Program Files\popcorn Terms.html
2004-12-18 20:50:47 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2007-07-01 16:21:28 6,369 --sha-w C:\WINDOWS\system32\pqtwa.bak1
2007-07-02 04:21:37 1,825,424 --sha-w C:\WINDOWS\system32\pqtwa.bak2
.

((((((((((((((((((((((((((((( snapshot@2007-11-03_ 8.43.59.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-25 17:26:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll
+ 2007-10-25 17:26:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll
+ 2007-10-25 17:26:48 118,784 ----a-w C:\WINDOWS\Downloaded Program Files\bdupd.dll
+ 2007-10-25 17:26:48 53,248 ----a-w C:\WINDOWS\Downloaded Program Files\ipsupd.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6AB27F2C-4AAC-4E26-B310-F871411F7646}]
C:\Program Files\MSN Gaming Zone\hoqexC:\DOCUME~1\HP_Owner\LOCALS~1\Temp\CEMG555077.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-10-31 20:16 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6E432B4-D4C2-43B3-BF55-C364F8F7362A}]
2007-10-31 08:15 21504 --a------ C:\WINDOWS\system32\aivskurq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-08-11 19:36]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 18:53]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 18:42]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 20:02]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 20:43]
"VTTimer"="VTTimer.exe" [2004-10-22 12:53 C:\WINDOWS\system32\VTTimer.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 16:57]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 11:29]
"EPSON Stylus CX4600 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.exe" []
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 C:\WINDOWS\ALCXMNTR.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
"CTDVDDET"="C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE" [2003-06-18 02:00]
"CTSysVol"="C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe" [2003-07-09 15:36]
"SbUsb AudCtrl"="sbusbdll.dll" [2003-11-24 01:26 C:\WINDOWS\system32\sbusbdll.dll]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
"ServiceLayer"="C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe" [2002-10-16 08:43]
"Nokia Tray Application"="C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe" [2002-10-22 08:52]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 C:\WINDOWS\system32\bthprops.cpl]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 10:21]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"{99-9D-DA-A2-ZN}"="c:\windows\system32\kodsrngn.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-08-24 22:07]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-24 21:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"RemoteCenter"="C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-11-21 15:08]
"Sonic RecordNow!"="" []
"MtdAcq"="C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe" [2002-10-16 19:13]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
Slide.exe.lnk - C:\Program Files\Slide\Slide.exe [2007-03-26 14:11:29]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-15 00:11:40]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 13:11 233472]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys
S3 COH_Mon;COH_Mon;\??\C:\WINDOWS\system32\Drivers\COH_Mon.sys
S3 P1120VID;Creative WebCam NX Ultra;C:\WINDOWS\system32\DRIVERS\P1120Vid.sys
S3 sbusb;Sound Blaster USB Audio Driver;C:\WINDOWS\system32\DRIVERS\sbusb.sys
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-27 15:23:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-11-01 05:35:54 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - HP_Owner.job"
- C:\Program Files\Norton AntiVirus\Navw32.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-03 09:14:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-03 9:15:44
C:\ComboFix2.txt ... 2007-11-03 08:46
.
--- E O F ---
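The two logs above carry the persistence entries the rest of this thread removes: Browser Helper Object registrations whose DLL no longer exists, a BHO and a Run value pointing at eight-letter names in system32 (aivskurq.dll, kodsrngn.exe), an Active Desktop web item (the O24 line) and, in the ComboFix output, an HKCU Userinit value that runs vvgeowbv.exe before the real userinit.exe. The script below is an added example, not part of the original post and not a BleepingComputer, HijackThis or ComboFix tool: it parses the HijackThis O2/O4/O24 line formats and the ComboFix Userinit line and flags those entries with explicit rules. The sample input is constructed from lines copied from the logs above; the eight-lowercase-letter filename rule and the small allowlist of Windows binaries are heuristics I chose for illustration, not a published detection rule.

```python
"""Triage the autostart entries in a HijackThis 2.0.2 log (O2/O4/O24 lines)
and the Winlogon Userinit value as ComboFix prints it.

Added example for this thread; not a BleepingComputer or HijackThis tool.
"""
import re
from typing import List, Tuple

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6AB27F2C-4AAC-4E26-B310-F871411F7646} - C:\Program Files\MSN Gaming Zone\hoqexC:\DOCUME~1\HP_Owner\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: aivskurq.msdn_hlp - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - C:\WINDOWS\system32\aivskurq.dll
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [{99-9D-DA-A2-ZN}] c:\windows\system32\kodsrngn.exe CHD001
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O24 - Desktop Component 0: (no name) - https://webmail.pas.earthlink.net/wam/image...nk/logo_eln.gif
"""

# Constructed sample: the HKCU Winlogon value as it appears in the ComboFix
# log above (ComboFix prints registry strings with doubled backslashes).
SAMPLE_USERINIT = r'"Userinit"="C:\\WINDOWS\\system32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"'

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
O24_RE = re.compile(r"^O24 - Desktop Component \d+: ")

# Heuristic (my assumption, not a published rule): an image under system32
# whose name is eight lowercase letters and is not a well-known Windows binary.
RANDOM_STEM = re.compile(r"^[a-z]{8}$")
KNOWN_SYSTEM32_STEMS = {"winlogon", "services", "userinit"}  # illustrative allowlist


def image_stem(path: str) -> str:
    """Lower-case file name without extension, splitting on either slash."""
    name = re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()
    return name.rsplit(".", 1)[0]


def first_token(cmd: str) -> str:
    """The executable part of a Run value: a quoted path or the first word."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd.strip())
    return (m.group(1) or m.group(2)) if m else cmd


def looks_random_system32(path: str) -> bool:
    """Apply the eight-letter-name heuristic to an image under system32."""
    p = path.lower()
    if "\\system32\\" not in p:
        return False
    stem = image_stem(p)
    return bool(RANDOM_STEM.match(stem)) and stem not in KNOWN_SYSTEM32_STEMS


def triage_hjt(log: str) -> List[Tuple[str, str]]:
    """Return (finding, identifier) pairs for the lines worth fixing.

    orphaned-bho       CLSID still registered but its DLL is gone: dead
                       weight that HijackThis can fix safely.
    suspicious-bho     BHO DLL in system32 with a random-looking name.
    suspicious-run     Run value named like a fake GUID in braces, or whose
                       image has a random-looking name in system32.
    desktop-component  Active Desktop web item; removed via Display
                       Properties rather than by HijackThis.
    """
    findings: List[Tuple[str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            path = m.group("path")
            if path == "(no file)" or path.endswith("(file missing)"):
                findings.append(("orphaned-bho", m.group("clsid")))
            elif looks_random_system32(path):
                findings.append(("suspicious-bho", m.group("clsid")))
            continue
        m = O4_RE.match(line)
        if m:
            key, image = m.group("key"), first_token(m.group("cmd"))
            if key.startswith("{") or looks_random_system32(image):
                findings.append(("suspicious-run", key))
            continue
        if O24_RE.match(line):
            findings.append(("desktop-component", line))
    return findings


def userinit_extras(reg_line: str) -> List[str]:
    """Images in a Userinit value other than userinit.exe itself.

    The only legitimate content is the real userinit.exe; anything chained
    in front of it runs at every interactive logon with the user's rights.
    """
    value = reg_line.split("=", 1)[1].strip().strip('"').replace("\\\\", "\\")
    images = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in images if image_stem(p) != "userinit"]


if __name__ == "__main__":
    for finding, ident in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{finding:<18} {ident}")
    for extra in userinit_extras(SAMPLE_USERINIT):
        print(f"userinit-hijack    {extra}")
```

Run against the sample it reports the two orphaned BHO CLSIDs, the aivskurq.dll BHO, the `{99-9D-DA-A2-ZN}` Run value, the O24 desktop component and the vvgeowbv.exe image chained into Userinit, while leaving the Adobe, Symantec, HP and ccApp entries alone; that is the same set teacup61 selects in the reply that follows, with the Userinit value being the one item neither HijackThis list covers.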


#2 teacup61

  • Malware Response Team

Posted 06 November 2007 - 04:58 PM

Hello deeb,

Welcome to Bleeping Computer!

Go to start -> control panel -> Display properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page").

Also remove the checkmark from the Lock Desktop Items box if it is checked.
Apply.
Apply and Exit Display properties.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:


O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6AB27F2C-4AAC-4E26-B310-F871411F7646} - C:\Program Files\MSN Gaming Zone\hoqexC:\DOCUME~1\HP_Owner\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: aivskurq.msdn_hlp - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - C:\WINDOWS\system32\aivskurq.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [{99-9D-DA-A2-ZN}] c:\windows\system32\kodsrngn.exe CHD001
O24 - Desktop Component 0: (no name) - https://webmail.pas.earthlink.net/wam/image...nk/logo_eln.gif


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, the Advanced Options Menu should appear.
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
  • Press any key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.

Now please run ComboFix again and post its report also. How is it running?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?
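The fix list above is made up of O2 (BHO), O4 (Run key) and O24 (Active Desktop) lines, and every one of them can be picked out from the text of the line itself. As an added example (not a tool from this thread, from the helper, or from the HijackThis project), the following Python parses those three HijackThis line formats and reproduces the selection using only those visible indicators; the heuristics are this example's own, and the sample lines are copied from the log posted in the thread, with three legitimate entries added that must be left alone.

```python
"""Triage helper for HijackThis v2.0 log lines (added example, not from this
thread). Parses O2 (BHO), O4 (Run key) and O24 (Desktop Component) lines and
flags the patterns the helper's fix list relies on. Heuristics are this
example's own; sample lines are copied from the log posted in the thread."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: five of the entries the helper told the poster to
# "fix checked", plus three legitimate entries that must be left alone.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6AB27F2C-4AAC-4E26-B310-F871411F7646} - C:\Program Files\MSN Gaming Zone\hoqexC:\DOCUME~1\HP_Owner\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: aivskurq.msdn_hlp - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - C:\WINDOWS\system32\aivskurq.dll
O4 - HKLM\..\Run: [{99-9D-DA-A2-ZN}] c:\windows\system32\kodsrngn.exe CHD001
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O24 - Desktop Component 0: (no name) - https://webmail.pas.earthlink.net/wam/image...nk/logo_eln.gif
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*) - (?P<key>\{[^}]+\}) - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
O24_RE = re.compile(r"^O24 - Desktop Component (?P<idx>\d+): (?P<name>.*) - (?P<target>\S+)$")


@dataclass
class Entry:
    section: str   # "O2", "O4" or "O24"
    name: str      # BHO display name, Run value name or component name
    key: str       # CLSID for O2, registry hive path for O4, index for O24
    target: str    # DLL path, command line or URL
    raw: str
    reasons: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[Entry]:
    """Parse the O2/O4/O24 lines of a HijackThis log; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            entries.append(Entry("O2", m["name"], m["key"], m["target"], line))
        elif m := O4_RE.match(line):
            entries.append(Entry("O4", m["name"], m["hive"], m["target"], line))
        elif m := O24_RE.match(line):
            entries.append(Entry("O24", m["name"], m["idx"], m["target"], line))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach a reason to every entry matching one of the fix-list patterns."""
    for e in entries:
        # A hook whose DLL no longer exists is dead registry residue; HijackThis
        # marks these "(no file)" or "(file missing)". Removing it loses nothing.
        if e.target == "(no file)" or e.target.endswith("(file missing)"):
            e.reasons.append("orphaned: registered object has no file on disk")
        # Two drive roots in one path (...Zone\hoqexC:\DOCUME~1...) is a corrupted
        # or deliberately mangled registration, never a real installer's work.
        if len(re.findall(r"[A-Za-z]:\\", e.target)) > 1:
            e.reasons.append("malformed path: more than one drive root")
        if e.section == "O2":
            stem = e.target.rsplit("\\", 1)[-1].split(".")[0].lower()
            # Weak signal: a BHO "named" after its own DLL stem living in system32
            # (aivskurq.msdn_hlp -> aivskurq.dll) has no product behind the name.
            if stem and e.name.split(".")[0].lower() == stem and "\\system32\\" in e.target.lower():
                e.reasons.append("BHO name mirrors a random DLL stem in system32")
        if e.section == "O4" and e.name.startswith("{") and not GUID_RE.fullmatch(e.name):
            # A Run value name that imitates a GUID but is not one ({99-9D-DA-A2-ZN}).
            e.reasons.append("Run value name is a pseudo-GUID")
        if e.section == "O24" and e.name == "(no name)" and e.target.lower().startswith("http"):
            e.reasons.append("unnamed Active Desktop component loading remote content")
    return entries


def fix_list(text: str) -> List[Entry]:
    """Entries that should be 'fix checked' in HijackThis, each with its reasons."""
    return [e for e in triage(parse_hjt(text)) if e.reasons]


if __name__ == "__main__":
    for e in fix_list(SAMPLE_LOG):
        print(e.raw)
        for r in e.reasons:
            print("    ->", r)
```

The O2 rules only say which registrations are dead or mangled; confirming that a BHO or Run entry with an existing file is malicious still needs the file itself looked at, which is why the helper asks for a fresh log after every step.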

#3 deeb (Topic Starter)

Posted 07 November 2007 - 12:09 PM

Hi Tea,

Thanks SO much for your help. Your instructions are so clear, they are really easy to follow.

Here is the SDFix report:


SDFix: Version 1.113

Run by HP_Owner on Wed 11/07/2007 at 08:21 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\ATHPRX~1.DLL - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1253 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 08:29:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000ea10497ec]
"0060574e1432"=hex:1d,54,48,33,e5,db,10,17,a7,47,fa,55,49,34,1d,de
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000ea10497ec]
"0060574e1432"=hex:1d,54,48,33,e5,db,10,17,a7,47,fa,55,49,34,1d,de

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Thu 2 Dec 2004 213 A.SHR --- "C:\BOOT.BAK"
Thu 2 Dec 2004 196 A.SHR --- "C:\BOOTNXX.BAK"
Sat 18 Dec 2004 0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
Sun 1 Jul 2007 6,369 A.SH. --- "C:\WINDOWS\system32\pqtwa.bak1"
Sun 1 Jul 2007 1,825,424 A.SH. --- "C:\WINDOWS\system32\pqtwa.bak2"
Thu 2 Dec 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 2 Dec 2004 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv12.bak"
Sat 2 Sep 2006 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv19.bak"
Thu 5 Aug 2004 1,949,696 ...HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\LAUNCHER.EXE"
Wed 28 Jul 2004 53,760 ...HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\MNYINSTA.DLL"
Sat 12 Jun 2004 94,208 ...HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\RMVSUITE.EXE"
Fri 2 Jul 2004 35,328 ...HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\SETUPLNG.DLL"
Fri 21 Nov 2003 20,480 ...HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\UNREGWTR.EXE"
Wed 6 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 8 Aug 2007 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Wed 8 Aug 2007 403 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"
Fri 5 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\573b8bee2d25ffedabde94732ae6dbae\BIT3.tmp"
Thu 2 Dec 2004 4,348 A..H. --- "C:\Documents and Settings\HP_Owner\My Documents\My Music\License Backup\drmv1key.bak"
Fri 7 Apr 2006 401 A..H. --- "C:\Documents and Settings\HP_Owner\My Documents\My Music\License Backup\drmv1lic.bak"
Sat 18 Dec 2004 400 A..H. --- "C:\Documents and Settings\HP_Owner\My Documents\My Music\License Backup\drmv2key.bak"
Fri 7 Apr 2006 190,464 A..H. --- "C:\Documents and Settings\HP_Owner\My Documents\My Music\License Backup\drmv2lic.bak"

Finished!

-----------------
And here is the Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:58:38 AM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE
C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Slide - {F25D0054-4CA2-49D5-A8B0-D79B7829D14E} - C:\Program Files\Slide\SlideBar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P35 "EPSON Stylus CX4600 Series (Copy 1)" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe (User 'Default user')
O4 - S-1-5-18 Startup: Slide.exe.lnk = C:\Program Files\Slide\Slide.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Slide.exe.lnk = C:\Program Files\Slide\Slide.exe (User 'Default user')
O4 - Startup: Slide.exe.lnk = C:\Program Files\Slide\Slide.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {82B56B47-90DC-4F58-9A7D-D27BA46D3C0F} (MyPhotoAlbum Easy Upload Tool Combo Control) - http://dkbehler.myphotoalbum.com/ImageUploader4.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/cgi/plugin.pl
O16 - DPF: {A94A916C-51A1-4B68-8FB0-7BD25EAED3B3} (CRecorder Object) - http://bix.yahoo.com/install/bix.cab
O16 - DPF: {F143DC71-450A-4A24-B6E7-4B3CC79D691D} (Bix.Yahoo Media Player) - http://bix.yahoo.com/install/bixmedia.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Software Jukebox v2.0 Service - Unknown owner - C:\Program Files\Common Files\MSJB NA01D Shared\Service\Software Jukebox v2.0 Service File.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 12602 bytes




and finally the ComboFix log:

ComboFix 07-11-02.3 - HP_Owner 2007-11-07 8:59:42.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.87 [GMT -8:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07 )))))))))))))))))))))))))))))))
.

2007-11-07 08:14 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-03 08:46 <DIR> d-------- C:\HijackThis
2007-11-03 08:09 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-03 08:06 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-02 18:27 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-31 23:36 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-10-31 23:36 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-10-31 19:12 <DIR> d-------- C:\Program Files\Windows Sidebar
2007-10-31 19:12 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-10-31 19:11 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-31 19:11 60,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-31 18:16 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-10-31 18:16 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-10-31 11:07 13,568 --a------ C:\WINDOWS\system32\ace16win.dll
2007-10-31 10:27 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-31 10:26 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-31 09:30 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-10-31 09:23 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\InterMute
2007-10-31 09:16 <DIR> d-------- C:\Program Files\interMute
2007-10-31 07:40 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-10-31 07:16 12 --a------ C:\WINDOWS\system32\dpqaqlqx.bin
2007-10-31 07:15 123,908 --a------ C:\WINDOWS\system32\vvgeowbv.exe
2007-10-31 07:12 <DIR> d-------- C:\WINDOWS\system32\Mz08r
2007-10-31 07:12 <DIR> d-------- C:\temp\mZOr
2007-10-25 09:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-03 02:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-01 05:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-01 05:23 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Lavasoft
2007-11-01 03:51 806 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-01 03:51 10,652 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-01 03:51 --------- d-----w C:\Program Files\Symantec
2007-11-01 03:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-31 13:33 --------- d-----w C:\Program Files\MSN Messenger
2007-10-28 17:59 40,508 ----a-w C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2007-10-27 17:16 --------- d--h--w C:\Documents and Settings\HP_Owner\Application Data\Move Networks
2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 21:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 21:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 21:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 21:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 21:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 21:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 21:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-08-29 21:18 577,928 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-08-23 23:57 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-03-21 19:58 69,792 ----a-w C:\Documents and Settings\HP_Owner\Application Data\GDIPFONTCACHEV1.DAT
2006-09-17 15:24 29,784 ----a-w C:\Program Files\popcorn Terms.html
2004-12-18 20:50:47 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2007-07-01 16:21:28 6,369 --sha-w C:\WINDOWS\system32\pqtwa.bak1
2007-07-02 04:21:37 1,825,424 --sha-w C:\WINDOWS\system32\pqtwa.bak2
.

((((((((((((((((((((((((((((( snapshot@2007-11-03_ 8.43.59.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-25 17:26:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll
+ 2007-10-25 17:26:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll
- 2007-10-30 01:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-30 02:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-25 17:26:48 118,784 ----a-w C:\WINDOWS\Downloaded Program Files\bdupd.dll
+ 2007-10-25 17:26:48 53,248 ----a-w C:\WINDOWS\Downloaded Program Files\ipsupd.dll
+ 2007-11-03 06:37:01 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-11-07 16:14:51 7,372,800 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2007-11-07 16:14:51 262,144 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-11-03 06:37:01 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-11-07 16:14:41 7,372,800 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2007-11-07 16:14:41 262,144 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2004-03-19 07:52:00 51,088 ----a-w C:\WINDOWS\system32\drivers\hpzid412.sys
+ 2004-03-19 07:52:00 16,496 ----a-w C:\WINDOWS\system32\drivers\HPZipr12.sys
+ 2004-03-19 07:51:00 21,744 ----a-w C:\WINDOWS\system32\drivers\HPZius12.sys
- 2003-11-05 21:04:16 274,432 ----a-r C:\WINDOWS\system32\hpgwiamd.dll
+ 2004-03-14 17:32:06 278,528 ----a-w C:\WINDOWS\system32\hpgwiamd.dll
+ 2004-04-13 15:10:24 581,632 ----a-w C:\WINDOWS\system32\hpotscl.dll
+ 2004-04-13 15:10:16 90,112 ----a-w C:\WINDOWS\system32\hpovst08.dll
+ 2004-03-19 09:36:00 270,336 ----a-w C:\WINDOWS\system32\HPZc3212.dll
+ 2004-04-07 21:34:26 196,608 ----a-w C:\WINDOWS\system32\hpzcoi10.dll
+ 2004-04-07 21:33:20 344,064 ----a-w C:\WINDOWS\system32\hpzcon10.dll
+ 2004-03-14 17:43:30 180,315 ----a-w C:\WINDOWS\system32\hpzsnt10.dll
- 2007-10-31 18:28:47 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-07 15:26:47 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-10-31 18:28:47 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-07 15:26:47 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2004-04-08 16:16:58 154,397 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpop8310.dat
+ 2004-03-14 17:43:28 196,608 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpz2ku10.dll
+ 2004-03-24 14:04:48 286,720 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzcfg10.exe
+ 2004-04-07 21:34:26 196,608 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzcoi10.dll
+ 2004-04-07 21:33:20 344,064 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzcon10.dll
+ 2004-03-24 14:04:54 647,168 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzeng10.exe
+ 2004-03-24 14:04:58 69,632 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzflt10.dll
+ 2004-03-24 14:05:00 1,589,248 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzimc10.dll
+ 2004-03-24 14:05:04 352,256 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzime10.dll
+ 2004-03-24 14:05:08 1,671,168 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzims10.dll
+ 2004-03-24 14:05:14 200,704 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzjui10.dll
+ 2004-03-14 17:43:30 135,249 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzlnt10.dll
+ 2004-03-24 14:05:18 143,360 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzpcl10.dll
+ 2004-03-14 17:43:30 487,424 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzpm310.dll
+ 2004-03-24 14:05:22 331,776 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzpre10.exe
+ 2004-03-14 17:44:34 3,182,592 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzr3210.dll
+ 2004-03-24 14:05:26 368,640 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzres10.dll
+ 2004-03-14 17:44:36 1,695,744 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzrm310.dll
+ 2004-03-24 14:05:28 679,936 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzslk10.dll
+ 2004-03-14 17:43:30 180,315 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzsnt10.dll
+ 2004-03-24 14:05:32 385,024 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzstc10.exe
+ 2004-03-24 14:05:36 163,840 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzstw10.exe
+ 2004-03-24 14:05:38 61,440 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztbi10.dll
+ 2004-03-24 14:05:42 172,032 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztbu10.exe
+ 2004-04-10 02:51:56 7,331,840 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztbx10.exe
+ 2004-03-24 14:05:52 155,708 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzvip10.dll
+ 2004-04-08 16:16:58 154,397 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1310_series_1300\hpop8310.dat
+ 2004-03-14 17:43:28 196,608 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1310_series_1300\hpz2ku10.dll
+ 2004-03-24 14:04:48 286,720 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1310_series_1300\hpzcfg10.exe
+ 2004-04-07 21:34:26 196,608 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1310_series_1300\hpzcoi10.dll
+ 2004-04-07 21:33:20 344,064 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1310_series_1300\hpzcon10.dll
+ 2004-03-24 14:04:54 647,168 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1310_series_1300\hpzeng10.exe
+ 2004-03-24 14:04:58 69,632 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1310_series_1300\hpzflt10.dll
+ 2004-03-24 14:05:00 1,589,248 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1310_series_1300\hpzimc10.dll
+ 2004-03-24 14:05:04 352,256 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1310_series_1300\hpzime10.dll
+ 2004-03-24 14:05:08 1,671,168 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1310_series_1300\hpzims10.dll
+ 2004-03-24 14:05:14 200,704 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1310_series_1300\hpzjui10.dll
+ 2004-03-14 17:43:30 135,249 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1310_series_1300\hpzlnt10.dll
+ 2004-03-24 14:05:18 143,360 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1310_series_1300\hpzpcl10.dll
+ 2004-03-14 17:43:30 487,424 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1310_series_1300\hpzpm310.dll
+ 2004-03-24 14:05:22 331,776 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1310_series_1300\hpzpre10.exe
+ 2004-03-14 17:44:34 3,182,592 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1310_series_1300\hpzr3210.dll
+ 2004-03-24 14:05:26 368,640 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1310_series_1300\hpzres10.dll
+ 2004-03-14 17:44:36 1,695,744 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1310_series_1300\hpzrm310.dll
+ 2004-03-24 14:05:28 679,936 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1310_series_1300\hpzslk10.dll
+ 2004-03-14 17:43:30 180,315 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1310_series_1300\hpzsnt10.dll
+ 2004-03-24 14:05:32 385,024 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1310_series_1300\hpzstc10.exe
+ 2004-03-24 14:05:36 163,840 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1310_series_1300\hpzstw10.exe
+ 2004-03-24 14:05:38 61,440 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1310_series_1300\hpztbi10.dll
+ 2004-03-24 14:05:42 172,032 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1310_series_1300\hpztbu10.exe
+ 2004-04-10 02:51:56 7,331,840 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1310_series_1300\hpztbx10.exe
+ 2004-03-24 14:05:52 155,708 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1310_series_1300\hpzvip10.dll
- 2007-07-23 01:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-07-23 02:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-10-31 19:16 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-08-11 18:36]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 15:04]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 17:53]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 17:42]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 19:02]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 19:43]
"VTTimer"="VTTimer.exe" [2004-10-22 11:53 C:\WINDOWS\system32\VTTimer.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 15:57]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 10:29]
"EPSON Stylus CX4600 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.exe" []
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
"CTDVDDET"="C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE" [2003-06-18 01:00]
"CTSysVol"="C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe" [2003-07-09 14:36]
"SbUsb AudCtrl"="sbusbdll.dll" [2003-11-24 00:26 C:\WINDOWS\system32\sbusbdll.dll]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"ServiceLayer"="C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe" [2002-10-16 07:43]
"Nokia Tray Application"="C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe" [2002-10-22 07:52]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 C:\WINDOWS\system32\bthprops.cpl]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 18:05]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 09:21]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-08-24 21:07]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-24 20:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"RemoteCenter"="C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-11-21 14:08]
"Sonic RecordNow!"="" []
"MtdAcq"="C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe" [2002-10-16 18:13]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 21:49]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
Slide.exe.lnk - C:\Program Files\Slide\Slide.exe [2007-03-26 13:11:29]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-14 23:11:40]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 12:11 233472]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys
S3 COH_Mon;COH_Mon;\??\C:\WINDOWS\system32\Drivers\COH_Mon.sys
S3 P1120VID;Creative WebCam NX Ultra;C:\WINDOWS\system32\DRIVERS\P1120Vid.sys
S3 sbusb;Sound Blaster USB Audio Driver;C:\WINDOWS\system32\DRIVERS\sbusb.sys
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-27 15:23:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-11-01 05:35:54 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - HP_Owner.job"
- C:\Program Files\Norton AntiVirus\Navw32.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 09:04:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-07 9:05:41
C:\ComboFix2.txt ... 2007-11-03 08:15
C:\ComboFix3.txt ... 2007-11-03 07:46
.
--- E O F ---




It seems to be running faster. IE opened much faster than usual. We still have that image on the desktop wallpaper - maybe that's still expected at this stage.

My friend and I both thank you SO much!


deeb

#4 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 07 November 2007 - 12:44 PM

Hello,

You're welcome. :blink:

Navigate to this file and delete it, if present : C:\WINDOWS\system32\vvgeowbv.exe

Reboot if you find it and delete it.

Can you tell me if Norton is up to date, please? There really aren't enough running processes for it to be running and protecting. I see the services, but not the running processes.

Your Java is way out of date, which leaves your computer vulnerable.

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6u3.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
I need another download, please:

Please print these instructions or copy them to Notepad (or another word processor), and save them for easier reference. This is because we will be in Safe Mode during the fix and you won't be able to access the Internet to view these instructions.

Please download AVG Anti-Spyware Free Edition and save that file to your desktop.

This is a 30-day trial of the program -- This means that after 30 days the "background guard" protection will be de-activated. However, this version can continue to be manually updated and used as an on-demand scanner forever.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the top of the main screen select the "Update" icon, then under the "Manual update" section click the "Start update" button.
  • The update will start and a progress bar will show the updates being installed.
  • Once the update has completed (the progress bar will display "Update successful!") select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the "Settings" screen:
    • Click on "Recommended actions" -> select "Quarantine".
    • Under "Reports:" -> select "Do not automatically generate reports".
  • Close AVG Anti-Spyware. Please do NOT run a scan yet!
Next, please reboot your computer into Safe Mode by doing the following:
  • Reboot your computer.
  • After hearing your computer beep once during startup, but just before the Windows icon appears, begin tapping the F8 key on your keyboard. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, reboot the computer and try again.
  • Instead of Windows loading as normal, a menu should appear.
  • Using the arrow keys on the keyboard, scroll to and select the "Safe Mode" menu item, and then press "Enter".
Then please run a scan with AVG Anti-Spyware:

IMPORTANT: Do NOT open any other windows or programs while AVG Anti-Spyware is scanning; doing so may interfere with the scanning process.
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab. Click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process; be patient, this may take a little time.
  • Once the scan is complete do the following:
    • If you have any infections you will be prompted; then select the "Apply all actions" button, and AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
    • Next select the "Save Report" button at the bottom.
    • Then select the "Save report as" button in the lower left hand corner of the screen and save it as a text file on your system (make sure to remember where you saved that file, this is important!).
  • Close AVG Anti-Spyware and reboot your system normally into Windows. Please post the contents of the AVG Anti-Spyware report in your next reply, along with a new HijackThis log.
Be sure and let me know how it's running. It helps me to know, since I can't see what you see. :thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
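The file tea asks to delete, vvgeowbv.exe, is the one the ComboFix log shows prepended to the Winlogon "Userinit" value: Windows runs whatever is listed there at every logon, so an extra program in that list is a persistence point, not a stray file. The following is an added example (not part of the thread or of any of the tools named in it) that parses a ComboFix-style registry dump and reports every Userinit value that launches anything other than userinit.exe. The sample dump is constructed: the HKEY_CURRENT_USER line is the one from the log above, while the HKEY_LOCAL_MACHINE line is an assumed copy of the normal Windows XP default. Windows keeps its own Userinit value under HKEY_LOCAL_MACHINE, so a per-user copy is worth a look in its own right.

```python
import re
from typing import List, Tuple

# Constructed sample of the Winlogon section of a ComboFix-style registry dump.
# The HKEY_CURRENT_USER line is the one that appears in the log posted in this
# thread; the HKEY_LOCAL_MACHINE line is an assumed example of the Windows XP default.
SAMPLE_REGISTRY_DUMP = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"
'''

# The only program Windows itself lists in Userinit.
EXPECTED_USERINIT = "userinit.exe"

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')


def parse_userinit_values(dump: str) -> List[Tuple[str, str]]:
    """Return (registry key, Userinit data) for every Winlogon Userinit value in the dump."""
    found = []
    current_key = None
    for line in dump.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group('key')
            continue
        value_match = VALUE_RE.match(line)
        if (value_match and current_key
                and current_key.lower().endswith('\\winlogon')
                and value_match.group('name').lower() == 'userinit'):
            # .reg-style dumps double every backslash; undo that for path comparison.
            found.append((current_key, value_match.group('data').replace('\\\\', '\\')))
    return found


def unexpected_userinit_entries(data: str) -> List[str]:
    """Split the comma-separated Userinit list and keep everything that is not userinit.exe."""
    entries = [e.strip() for e in data.split(',') if e.strip()]
    return [e for e in entries if e.rsplit('\\', 1)[-1].lower() != EXPECTED_USERINIT]


def audit(dump: str) -> List[Tuple[str, List[str]]]:
    """Return (key, extra programs) for each Userinit value that launches more than userinit.exe."""
    flagged = []
    for key, data in parse_userinit_values(dump):
        extras = unexpected_userinit_entries(data)
        if extras:
            flagged.append((key, extras))
    return flagged


if __name__ == '__main__':
    for key, extras in audit(SAMPLE_REGISTRY_DUMP):
        print(f"{key}: Userinit also launches {', '.join(extras)}")
```

Run against the sample, the HKLM value passes and the HKCU value is flagged for vvgeowbv.exe. Deleting the file alone leaves the registry value pointing at a missing program; the value itself should be restored to the default as well, which is why a follow-up log is normally requested.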

#5 deeb
  • Topic Starter

  • Members
  • 8 posts

Posted 10 November 2007 - 05:03 PM

Hi Tea,

Thanks so much. It seems to be running faster, but it still appears a little slow to me. Maybe it's just because this is not my computer and my friend has a ton of SW installed.

You were right, Norton was not running. I'm not sure why, since I ran a full update and scan just before I posted my first thread on this forum. I installed the updates and ran a scan; it's running now.

I guess now the only evidence of all the trouble (besides the slowness) is that annoying red and black "Warning!" desktop wallpaper background which is still there ... was that supposed to be gone by now?

Here are the two logs you requested. Thanks so much for your help!


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:50:38 PM 11/10/2007

+ Scan result:



HKU\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{944864A5-3916-46E2-96A9-A2E84F3F1208} -> Adware.Accoona : Cleaned with backup (quarantined).
HKU\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1ADBCCE8-CF84-441E-9B38-AFC7A19C06A4} -> Adware.ActivShopper : Cleaned with backup (quarantined).
HKU\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5AF2622-8C75-4DFB-9693-23AB7686A456} -> Adware.Generic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP589\A0066951.exe -> Downloader.VB.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP589\A0066952.exe -> Downloader.VB.bkw : Cleaned with backup (quarantined).
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071107-080631-457.dll -> Downloader.VB.bpt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP591\A0067313.dll -> Downloader.VB.bpt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP591\A0067121.exe -> Dropper.VB.tg : Cleaned with backup (quarantined).
C:\qoobox\Quarantine\C\WINDOWS\system32\.exe.vir -> Dropper.VB.tg : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1825813201-1758208904-3384277756-1009\Dc7.exe -> Not-A-Virus.Hoax.Win32.Renos.kj : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@2.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@3.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@goclick[2].txt -> TrackingCookie.Goclick : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@intelli-direct[1].txt -> TrackingCookie.Intelli-direct : Cleaned.
C:\Documents and Settings\HP_Owner\Application Data\Earthlink\6.0\mitchfabito@earthlink.net\Cookies\hp_owner@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\HP_Owner\Application Data\Earthlink\6.0\mitchfabito@earthlink.net\Cookies\hp_owner@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\HP_Owner\Application Data\Earthlink\6.0\mitchfabito@earthlink.net\Cookies\hp_owner@guide.real[2].txt -> TrackingCookie.Real : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP587\A0066551.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP589\A0066941.exe -> Trojan.Small : Cleaned with backup (quarantined).


::Report end


----------
And now Hijack This:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:37 PM, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Slide - {F25D0054-4CA2-49D5-A8B0-D79B7829D14E} - C:\Program Files\Slide\SlideBar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P35 "EPSON Stylus CX4600 Series (Copy 1)" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: Slide.exe.lnk = C:\Program Files\Slide\Slide.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {82B56B47-90DC-4F58-9A7D-D27BA46D3C0F} (MyPhotoAlbum Easy Upload Tool Combo Control) - http://dkbehler.myphotoalbum.com/ImageUploader4.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/cgi/plugin.pl
O16 - DPF: {A94A916C-51A1-4B68-8FB0-7BD25EAED3B3} (CRecorder Object) - http://bix.yahoo.com/install/bix.cab
O16 - DPF: {F143DC71-450A-4A24-B6E7-4B3CC79D691D} (Bix.Yahoo Media Player) - http://bix.yahoo.com/install/bixmedia.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Software Jukebox v2.0 Service - Unknown owner - C:\Program Files\Common Files\MSJB NA01D Shared\Service\Software Jukebox v2.0 Service File.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 11211 bytes




Awaiting further instructions. We thank you!


Deeb

#6 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 10 November 2007 - 09:36 PM

Hi Deeb,

I'd like to know how the scan with Norton came out, please. If it found anything, please tell me. Most everything AVG found was in System Restore, and we'll take care of that after we know for sure the malware is gone. :thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
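Tea's point that "most everything AVG found was in System Restore" is a triage step worth making mechanical: a scan report mixes dormant copies (restore points, the quarantine folders of earlier tools, the Recycle Bin) with anything still live on the system, and only the latter tells you whether the infection is active. The following is an added example (not from the thread or from AVG) that parses report lines in the format posted above and buckets each detection by where it sat. The sample report is constructed from a shortened selection of the lines in deeb's post.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in the format of the AVG Anti-Spyware report posted above:
# a shortened selection of the lines from that report.
SAMPLE_REPORT = r'''
+ Scan result:

HKU\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{944864A5-3916-46E2-96A9-A2E84F3F1208} -> Adware.Accoona : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP589\A0066951.exe -> Downloader.VB.awj : Cleaned with backup (quarantined).
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071107-080631-457.dll -> Downloader.VB.bpt : Cleaned with backup (quarantined).
C:\qoobox\Quarantine\C\WINDOWS\system32\.exe.vir -> Dropper.VB.tg : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1825813201-1758208904-3384277756-1009\Dc7.exe -> Not-A-Virus.Hoax.Win32.Renos.kj : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP587\A0066551.exe -> Trojan.Small : Cleaned with backup (quarantined).

::Report end
'''

# One detection per line: "<location> -> <detection name> : <action>."
DETECTION_RE = re.compile(r'^(?P<location>.+?) -> (?P<name>[^:]+?) : (?P<action>.+?)\.?\s*$')

Detection = Tuple[str, str, str]


def parse_report(text: str) -> List[Detection]:
    """Return (location, detection name, action) for each detection line in the report."""
    detections = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            detections.append((m.group('location'), m.group('name').strip(), m.group('action')))
    return detections


def classify(location: str) -> str:
    """Bucket a detection by where it sat, from least to most urgent."""
    loc = location.lower()
    if loc.startswith(('hku\\', 'hkcu\\', 'hklm\\', 'hkey_')):
        return 'registry'
    if '\\system volume information\\_restore' in loc:
        return 'system restore point'      # dormant copies kept by System Restore
    if '\\qoobox\\quarantine\\' in loc or '\\hijackthis\\backups\\' in loc:
        return 'tool quarantine/backup'    # already neutralised by an earlier tool
    if '\\recycler\\' in loc:
        return 'recycle bin'
    if '\\cookies\\' in loc:
        return 'tracking cookie'
    return 'live file'                      # still in place: the ones that need attention


def summarize(text: str) -> Dict[str, int]:
    """Count detections per bucket."""
    return dict(Counter(classify(loc) for loc, _, _ in parse_report(text)))


def live_detections(text: str) -> List[Detection]:
    """Detections that were neither dormant, quarantined, nor cookies."""
    return [d for d in parse_report(text) if classify(d[0]) == 'live file']


if __name__ == '__main__':
    for bucket, count in sorted(summarize(SAMPLE_REPORT).items()):
        print(f"{count:3d}  {bucket}")
    print("live detections:", live_detections(SAMPLE_REPORT) or "none")
```

On the sample there are no live-file detections, which is the reading behind waiting to purge System Restore until the active infection is confirmed gone: flushing the restore points removes the dormant copies, and doing it earlier would also discard the only rollback available if the cleanup goes wrong.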

#7 deeb
  • Topic Starter

  • Members
  • 8 posts

Posted 11 November 2007 - 11:37 AM

Hi Tea,

I'm not sure where to find what you need. This is the activity log. I also ran a "Quick Scan" - it says "no viruses, spyware, or other risks found".


Category: Security risks
Date Time,Feature,Risk Name,Result,Item Type,Virus Definition Version,Product Version,User Name,Computer Name,Details
11/10/2007 11:55:42 AM,Virus scanner,Tracking Cookie,Fully removed,File,2007.11.10.007,15.0.0.58,SYSTEM,MICHELLEVFABITO,Risk category: Cookie;Overall Risk Impact: Low;Performance: Low;Privacy: Low;Removal: Low;Stealth: Low;Action taken: Fully removed;Affected Areas;Network & Browser Items;Cookie:hp_owner@statse.webtrendslive.com/;Cookie:hp_owner@itxt.vibrantmedia.com/;Cookie:hp_owner@bleepingcomputer.us.intellitxt.com/;Cookie:hp_owner@techguy.us.intellitxt.com/
11/2/2007 6:44:23 PM,Auto-Protect,Trojan Horse,Blocked,File,2007.11.02.016,15.0.0.58,SYSTEM,MICHELLEVFABITO,Risk category: Virus;Overall Risk Impact: High;Performance: High;Privacy: High;Removal: High;Stealth: High;Action taken: Blocked;Affected Areasc:\windows\fkwggshm.exe
11/2/2007 6:43:36 PM,Auto-Protect,Trojan.Vundo,Blocked,File,2007.11.02.016,15.0.0.58,SYSTEM,MICHELLEVFABITO,Risk category: Virus;Overall Risk Impact: High;Performance: High;Privacy: High;Removal: High;Stealth: High;Action taken: Blocked;Affected Areasc:\windows\system32\awvvw.dll.vir
11/2/2007 6:39:35 PM,Auto-Protect,Trojan.Vundo,Process Termination Required,File,2007.11.02.016,15.0.0.58,SYSTEM,MICHELLEVFABITO,Risk category: Virus;Overall Risk Impact: High;Performance: High;Privacy: High;Removal: High;Stealth: High;Action taken: Process Termination Required;Affected Areas;Files & Directories;c:\windows\system32\awvvw.dll;Registry Entries;HKEY_CLASSES_ROOT\CLSID\{0612F71E-934B-4D92-B8E8-2E29EA78EB03};HKEY_CLASSES_ROOT\CLSID\{2353FCBC-012D-487B-8BF3-865C0929FBEB};HKEY_CLASSES_ROOT\CLSID\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A};HKEY_CLASSES_ROOT\CLSID\{83A5F7B7-DC75-44CE-9195-264F41709FA9};HKEY_CLASSES_ROOT\CLSID\{CE70731D-F28D-4D81-9D61-C8EE60378401};HKEY_CLASSES_ROOT\CLSID\{FC148228-87E1-4D00-AC06-58DCAA52A4D1};HKEY_CLASSES_ROOT\CLSID\{79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A};HKEY_CLASSES_ROOT\CLSID\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1};HKEY_CLASSES_ROOT\CLSID\{DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60};HKEY_CLASSES_ROOT\CLSID\{18898424-E3AB-4BA9-8E8D-5434B1CECA75};HKEY_CLASSES_ROOT\CLSID\{BAD263C7-B253-43D9-A1F7-25A1010E24E2};HKEY_CLASSES_ROOT\MSEvents.MSEvents;HKEY_CLASSES_ROOT\MSEvents.MSEvents.1;HKEY_CLASSES_ROOT\IEpl.IEpl;HKEY_CLASSES_ROOT\IEpl.IEPl.1;HKEY_CLASSES_ROOT\DPCUpdater.DPCUpdater;HKEY_CLASSES_ROOT\DPCUpdater.DPCUpdater.1;HKEY_CLASSES_ROOT\ATLDistrib.ATLDistrib;HKEY_CLASSES_ROOT\ATLDistrib.ATLDistrib.1;HKEY_CLASSES_ROOT\RawExecAction.RawExecAction;HKEY_CLASSES_ROOT\RawExecAction.RawExecAction.1;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0612F71E-934B-4D92-B8E8-2E29EA78EB03};HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE70731D-F28D-4D81-9D61-C8EE60378401};HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC148228-87E1-4D00-AC06-58DCAA52A4D1};HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper 
Objects\{79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A};HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18898424-E3AB-4BA9-8E8D-5434B1CECA75};HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2353FCBC-012D-487B-8BF3-865C0929FBEB};HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A};HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83A5F7B7-DC75-44CE-9195-264F41709FA9};HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1};HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60};HKEY_CLASSES_ROOT\CLSID\{827DC836-DD9F-A602-5812EB50A834};HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{827DC836-DD9F-A602-5812EB50A834};HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper 
Objects\{BAD263C7-B253-43D9-A1F7-25A1010E24E2};HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks->{BAD263C7-B253-43D9-A1F7-25A1010E24E2};HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03};HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1010\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03};HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03};HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB};HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1010\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB};HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB};HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A};HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1010\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A};HKEY_USERS\.DEFAULT\Software\Microsoft\Wind
ows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A};HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834};HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1010\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834};HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834};HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401};HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1010\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401};HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401};HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1};HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1010\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1};HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1};HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ex
t\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1};HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1010\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1};HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1};HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75};HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1010\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75};HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75};HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd;HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd;HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd;HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd;HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd;HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1010\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd;HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd;HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd;HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd;HKEY_USERS\S
-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd;HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1010\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd;HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd;HKEY_USERS\S-1-5-19\Software\Microsoft\WindowsUpd;HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\WindowsUpd;HKEY_USERS\S-1-5-20\Software\Microsoft\WindowsUpd;HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1010\Software\Microsoft\WindowsUpd;HKEY_USERS\.DEFAULT\Software\Microsoft\WindowsUpd;HKEY_USERS\S-1-5-19\Software\Microsoft\SysUpd;HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\SysUpd;HKEY_USERS\S-1-5-20\Software\Microsoft\SysUpd;HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1010\Software\Microsoft\SysUpd;HKEY_USERS\.DEFAULT\Software\Microsoft\SysUpd;HKEY_CLASSES_ROOT\CLSID\{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152};HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152};HKEY_CLASSES_ROOT\CLSID\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9};HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9};HKEY_CLASSES_ROOT\CLSID\{B1580291-AD74-45A0-B092-80D8F4CC2FED};HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B1580291-AD74-45A0-B092-80D8F4CC2FED};Processes & Start-Up Items;C:\Program Files\Internet Explorer\iexplore.exe;Network & Browser Items;Browser Cache
11/2/2007 6:06:14 PM,Auto-Protect,Trojan Horse,Blocked,File,2007.10.31.016,15.0.0.58,SYSTEM,MICHELLEVFABITO,Risk category: Virus;Overall Risk Impact: High;Performance: High;Privacy: High;Removal: High;Stealth: High;Action taken: Blocked;Affected Areasc:\windows\fkwggshm.exe
11/1/2007 5:27:23 AM,Virus scanner,Adware.Mirar,Fully removed,File,2007.10.31.016,15.0.0.58,SYSTEM,MICHELLEVFABITO,Risk category: Adware;Overall Risk Impact: Low;Performance: Medium;Privacy: Low;Removal: Low;Stealth: Low;Action taken: Fully removed;Affected Areas;Files & Directories;c:\documents and settings\hp_owner\local settings\temp\mit251.tmp;C:\Documents and Settings\HP_Owner\Local Settings\Temp\mit251.tmp.cab;c:\documents and settings\hp_owner\local settings\temp\mit26c.tmp;c:\documents and settings\hp_owner\local settings\temp\mit271.tmp;c:\documents and settings\hp_owner\local settings\temp\mit272.tmp;c:\documents and settings\hp_owner\local settings\temp\mit273.tmp;c:\documents and settings\hp_owner\local settings\temp\mit274.tmp;c:\documents and settings\hp_owner\local settings\temp\mit275.tmp;C:\Documents and Settings\HP_Owner\Local Settings\Temp\ICD1.tmp;Network & Browser Items;Browser Cache
11/1/2007 5:27:22 AM,Virus scanner,Tracking Cookie,Fully removed,File,2007.10.31.016,15.0.0.58,SYSTEM,MICHELLEVFABITO,Risk category: Cookie;Overall Risk Impact: Low;Performance: Low;Privacy: Low;Removal: Low;Stealth: Low;Action taken: Fully removed;Affected Areas;Network & Browser Items;Cookie:hp_owner@sales.liveperson.net/;Cookie:hp_owner@adopt.specificclick.net/;Cookie:hp_owner@ads.monster.com/;Cookie:hp_owner@adv.webmd.com/;Cookie:hp_owner@finance.yahoo.com/;Cookie:hp_owner@image.masterstats.com/;Cookie:hp_owner@server.iad.liveperson.net/hc/68511475;Cookie:hp_owner@audit.median.hu/;Cookie:hp_owner@server.iad.liveperson.net/hc/83842527;Cookie:hp_owner@sales.liveperson.net/hc/39119317;Cookie:hp_owner@business.msnbc.us.intellitxt.com/;Cookie:hp_owner@ads.as4x.tmcs.net/;Cookie:hp_owner@visit.theglobeandmail.com/;Cookie:hp_owner@bn.uol.com.br/;Cookie:hp_owner@redorbit.us.intellitxt.com/;Cookie:hp_owner@as.webmd.com/;Cookie:hp_owner@sales.liveperson.net/hc/48770159;Cookie:hp_owner@coxtv.us.intellitxt.com/;Cookie:hp_owner@server.iad.liveperson.net/hc/17283262;Cookie:hp_owner@fc.webmasterpro.de/;Cookie:hp_owner@mycommute.maptuit.com/;Cookie:hp_owner@artistdirect.us.intellitxt.com/;Cookie:hp_owner@body-philosophy.us.intellitxt.com/;Cookie:hp_owner@server.iad.liveperson.net/hc/LPcort;Cookie:hp_owner@consumersearch.us.intellitxt.com/;Cookie:hp_owner@hollywoodbackwash.us.intellitxt.com/;Cookie:hp_owner@videocodezone.us.intellitxt.com/;Cookie:hp_owner@sales.liveperson.net/hc/28856772;Cookie:hp_owner@blabbermouth.us.intellitxt.com/;Cookie:hp_owner@ads.traderonline.com/;Cookie:hp_owner@tvgasm.us.intellitxt.com/;Cookie:hp_owner@ehow.us.intellitxt.com/;Cookie:hp_owner@atlas.fixionmedia.net/
11/1/2007 5:27:22 AM,Virus scanner,Trackware.7FaSStSearch,Fully removed,File,2007.10.31.016,15.0.0.58,SYSTEM,MICHELLEVFABITO,Risk category: Trackware;Overall Risk Impact: Low;Performance: Low;Privacy: Low;Removal: Low;Stealth: Low;Action taken: Fully removed;Affected Areas;Registry Entries;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06DFEDAA-6196-11D5-BFC8-00508B4A487D};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{06DFEDAA-6196-11D5-BFC8-00508B4A487D}
10/31/2007 10:14:21 PM,Auto-Protect,Trojan Horse,Blocked,File,2007.10.31.016,15.0.0.58,SYSTEM,MICHELLEVFABITO,Risk category: Virus;Overall Risk Impact: High;Performance: High;Privacy: High;Removal: High;Stealth: High;Action taken: Blocked;Affected Areasc:\windows\fkwggshm.exe
10/31/2007 9:44:19 PM,Virus scanner,Tracking Cookie,Ignored,File,2007.10.31.016,15.0.0.58,SYSTEM,MICHELLEVFABITO,Risk category: Cookie;Overall Risk Impact: Low;Performance: Low;Privacy: Low;Removal: Low;Stealth: Low;Action taken: Ignored;Affected Areas;Network & Browser Items;Cookie:hp_owner@sales.liveperson.net/;Cookie:hp_owner@adopt.specificclick.net/;Cookie:hp_owner@ads.monster.com/;Cookie:hp_owner@adv.webmd.com/;Cookie:hp_owner@finance.yahoo.com/;Cookie:hp_owner@image.masterstats.com/;Cookie:hp_owner@server.iad.liveperson.net/hc/68511475;Cookie:hp_owner@audit.median.hu/;Cookie:hp_owner@server.iad.liveperson.net/hc/83842527;Cookie:hp_owner@sales.liveperson.net/hc/39119317;Cookie:hp_owner@business.msnbc.us.intellitxt.com/;Cookie:hp_owner@ads.as4x.tmcs.net/;Cookie:hp_owner@visit.theglobeandmail.com/;Cookie:hp_owner@bn.uol.com.br/;Cookie:hp_owner@redorbit.us.intellitxt.com/;Cookie:hp_owner@as.webmd.com/;Cookie:hp_owner@sales.liveperson.net/hc/48770159;Cookie:hp_owner@coxtv.us.intellitxt.com/;Cookie:hp_owner@server.iad.liveperson.net/hc/17283262;Cookie:hp_owner@fc.webmasterpro.de/;Cookie:hp_owner@mycommute.maptuit.com/;Cookie:hp_owner@artistdirect.us.intellitxt.com/;Cookie:hp_owner@body-philosophy.us.intellitxt.com/;Cookie:hp_owner@server.iad.liveperson.net/hc/LPcort;Cookie:hp_owner@consumersearch.us.intellitxt.com/;Cookie:hp_owner@hollywoodbackwash.us.intellitxt.com/;Cookie:hp_owner@videocodezone.us.intellitxt.com/;Cookie:hp_owner@sales.liveperson.net/hc/28856772;Cookie:hp_owner@blabbermouth.us.intellitxt.com/;Cookie:hp_owner@ads.traderonline.com/;Cookie:hp_owner@tvgasm.us.intellitxt.com/;Cookie:hp_owner@ehow.us.intellitxt.com/;Cookie:hp_owner@atlas.fixionmedia.net/
10/31/2007 9:44:19 PM,Virus scanner,Trackware.7FaSStSearch,Ignored,File,2007.10.31.016,15.0.0.58,SYSTEM,MICHELLEVFABITO,Risk category: Trackware;Overall Risk Impact: Low;Performance: Low;Privacy: Low;Removal: Low;Stealth: Low;Action taken: Ignored;Affected Areas;Registry Entries;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06DFEDAA-6196-11D5-BFC8-00508B4A487D};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{06DFEDAA-6196-11D5-BFC8-00508B4A487D}
10/31/2007 9:43:53 PM,Auto-Protect,Trojan Horse,Blocked,File,2007.10.31.016,15.0.0.58,SYSTEM,MICHELLEVFABITO,Risk category: Virus;Overall Risk Impact: High;Performance: High;Privacy: High;Removal: High;Stealth: High;Action taken: Blocked;Affected Areasc:\windows\fkwggshm.exe
10/31/2007 9:32:56 PM,Auto-Protect,Downloader,Blocked,File,2007.10.31.016,15.0.0.58,SYSTEM,MICHELLEVFABITO,Risk category: Virus;Overall Risk Impact: High;Performance: High;Privacy: High;Removal: High;Stealth: High;Action taken: Blocked;Affected Areasc:\documents and settings\hp_owner\local settings\temporary internet files\content.ie5\1fzvthge\vasya[1]
10/31/2007 9:32:55 PM,Auto-Protect,Trojan.Vundo,Blocked,File,2007.10.31.016,15.0.0.58,SYSTEM,MICHELLEVFABITO,Risk category: Virus;Overall Risk Impact: High;Performance: High;Privacy: High;Removal: High;Stealth: High;Action taken: Blocked;Affected Areasc:\documents and settings\hp_owner\local settings\temporary internet files\content.ie5\gw9j5udk\upd32_v13[1]
10/31/2007 9:32:55 PM,Auto-Protect,Trojan.Vundo,Blocked,File,2007.10.31.016,15.0.0.58,SYSTEM,MICHELLEVFABITO,Risk category: Virus;Overall Risk Impact: High;Performance: High;Privacy: High;Removal: High;Stealth: High;Action taken: Blocked;Affected Areasc:\documents and settings\hp_owner\local settings\temp\liicdqad.dll
10/31/2007 9:25:01 PM,Auto-Protect,Trojan Horse,Blocked,File,2007.10.31.016,15.0.0.58,SYSTEM,MICHELLEVFABITO,Risk category: Virus;Overall Risk Impact: High;Performance: High;Privacy: High;Removal: High;Stealth: High;Action taken: Blocked;Affected Areasc:\windows\fkwggshm.exe
10/31/2007 8:59:24 PM,Auto-Protect,Trojan.Vundo,Fully removed,File,2007.10.31.016,15.0.0.58,SYSTEM,MICHELLEVFABITO,Risk category: Virus;Overall Risk Impact: High;Performance: High;Privacy: High;Removal: High;Stealth: High;Action taken: Fully removed;Affected Areas;Files & Directories;c:\windows\system32\pmnlkll.dll;Registry Entries;HKEY_CLASSES_ROOT\CLSID\{0612F71E-934B-4D92-B8E8-2E29EA78EB03};HKEY_CLASSES_ROOT\CLSID\{2353FCBC-012D-487B-8BF3-865C0929FBEB};HKEY_CLASSES_ROOT\CLSID\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A};HKEY_CLASSES_ROOT\CLSID\{83A5F7B7-DC75-44CE-9195-264F41709FA9};HKEY_CLASSES_ROOT\CLSID\{CE70731D-F28D-4D81-9D61-C8EE60378401};HKEY_CLASSES_ROOT\CLSID\{FC148228-87E1-4D00-AC06-58DCAA52A4D1};HKEY_CLASSES_ROOT\CLSID\{79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A};HKEY_CLASSES_ROOT\CLSID\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1};HKEY_CLASSES_ROOT\CLSID\{DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60};HKEY_CLASSES_ROOT\CLSID\{18898424-E3AB-4BA9-8E8D-5434B1CECA75};HKEY_CLASSES_ROOT\CLSID\{BAD263C7-B253-43D9-A1F7-25A1010E24E2};HKEY_CLASSES_ROOT\MSEvents.MSEvents;HKEY_CLASSES_ROOT\MSEvents.MSEvents.1;HKEY_CLASSES_ROOT\IEpl.IEpl;HKEY_CLASSES_ROOT\IEpl.IEPl.1;HKEY_CLASSES_ROOT\DPCUpdater.DPCUpdater;HKEY_CLASSES_ROOT\DPCUpdater.DPCUpdater.1;HKEY_CLASSES_ROOT\ATLDistrib.ATLDistrib;HKEY_CLASSES_ROOT\ATLDistrib.ATLDistrib.1;HKEY_CLASSES_ROOT\RawExecAction.RawExecAction;HKEY_CLASSES_ROOT\RawExecAction.RawExecAction.1;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0612F71E-934B-4D92-B8E8-2E29EA78EB03};HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE70731D-F28D-4D81-9D61-C8EE60378401};HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC148228-87E1-4D00-AC06-58DCAA52A4D1};HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper 
Objects\{79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A};HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18898424-E3AB-4BA9-8E8D-5434B1CECA75};HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2353FCBC-012D-487B-8BF3-865C0929FBEB};HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A};HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83A5F7B7-DC75-44CE-9195-264F41709FA9};HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1};HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60};HKEY_CLASSES_ROOT\CLSID\{827DC836-DD9F-A602-5812EB50A834};HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{827DC836-DD9F-A602-5812EB50A834};HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper 
Objects\{BAD263C7-B253-43D9-A1F7-25A1010E24E2};HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks->{BAD263C7-B253-43D9-A1F7-25A1010E24E2};HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03};HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1010\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03};HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03};HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB};HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1010\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB};HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB};HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A};HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1010\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A};HKEY_USERS\.DEFAULT\Software\Microsoft\Wind
ows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A};HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834};HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1010\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834};HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834};HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401};HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1010\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401};HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401};HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1};HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1010\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1};HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1};HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ex
t\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1};HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1010\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1};HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1};HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75};HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75};HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1010\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75};HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75};HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd;HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd;HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd;HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd;HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd;HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1010\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd;HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd;HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd;HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd;HKEY_USERS\S
-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd;HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1010\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd;HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd;HKEY_USERS\S-1-5-19\Software\Microsoft\WindowsUpd;HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\WindowsUpd;HKEY_USERS\S-1-5-20\Software\Microsoft\WindowsUpd;HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1010\Software\Microsoft\WindowsUpd;HKEY_USERS\.DEFAULT\Software\Microsoft\WindowsUpd;HKEY_USERS\S-1-5-19\Software\Microsoft\SysUpd;HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1009\Software\Microsoft\SysUpd;HKEY_USERS\S-1-5-20\Software\Microsoft\SysUpd;HKEY_USERS\S-1-5-21-1825813201-1758208904-3384277756-1010\Software\Microsoft\SysUpd;HKEY_USERS\.DEFAULT\Software\Microsoft\SysUpd;HKEY_CLASSES_ROOT\CLSID\{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152};HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152};HKEY_CLASSES_ROOT\CLSID\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9};HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9};Network & Browser Items;Browser Cache
10/31/2007 8:58:36 PM,Auto-Protect,Downloader,Fully removed,File,2007.10.31.016,15.0.0.58,SYSTEM,MICHELLEVFABITO,Risk category: Virus;Overall Risk Impact: High;Performance: High;Privacy: High;Removal: High;Stealth: High;Action taken: Fully removed;Affected Areas;Files & Directories;c:\windows\system32\mz08r\mz08r1099.exe;Network & Browser Items;Browser Cache
10/31/2007 8:58:06 PM,Auto-Protect,Downloader,Fully removed,File,2007.10.31.016,15.0.0.58,SYSTEM,MICHELLEVFABITO,Risk category: Virus;Overall Risk Impact: High;Performance: High;Privacy: High;Removal: High;Stealth: High;Action taken: Fully removed;Affected Areas;Files & Directories;c:\windows\system32\f02wtr\f02wtr1065.exe;Network & Browser Items;Browser Cache
10/31/2007 8:37:08 PM,Auto-Protect,Trojan Horse,Blocked,File,2007.10.31.016,15.0.0.58,SYSTEM,MICHELLEVFABITO,Risk category: Virus;Overall Risk Impact: High;Performance: High;Privacy: High;Removal: High;Stealth: High;Action taken: Blocked;Affected Areasc:\windows\fkwggshm.exe
10/31/2007 8:05:10 PM,Auto-Protect,Downloader,Fully removed,File,2007.10.31.016,15.0.0.58,SYSTEM,MICHELLEVFABITO,Risk category: Virus;Overall Risk Impact: High;Performance: High;Privacy: High;Removal: High;Stealth: High;Action taken: Fully removed;Affected Areas;Files & Directories;c:\documents and settings\darren\local settings\temporary internet files\content.ie5\8p0dl0nm\114382.myshoutbox[1].htm;Network & Browser Items;Browser Cache
10/31/2007 7:39:57 PM,Auto-Protect,Trojan Horse,Blocked,File,2007.10.31.016,15.0.0.58,SYSTEM,MICHELLEVFABITO,Risk category: Virus;Overall Risk Impact: High;Performance: High;Privacy: High;Removal: High;Stealth: High;Action taken: Blocked;Affected Areasc:\windows\fkwggshm.exe
10/31/2007 7:23:38 PM,Auto-Protect,Trojan Horse,Fully removed,File,2007.10.31.016,15.0.0.58,SYSTEM,MICHELLEVFABITO,Risk category: Virus;Overall Risk Impact: High;Performance: High;Privacy: High;Removal: High;Stealth: High;Action taken: Fully removed;Affected Areas;Files & Directories;c:\windows\fkwggshm.exe;Network & Browser Items;Browser Cache
10/31/2007 7:21:01 PM,Auto-Protect,Trojan Horse,Blocked,File,2007.10.31.016,15.0.0.58,SYSTEM,MICHELLEVFABITO,Risk category: Virus;Overall Risk Impact: High;Performance: High;Privacy: High;Removal: High;Stealth: High;Action taken: Blocked;Affected Areasc:\windows\fkwggshm.exe


Thanks!
deeb

Edited by deeb, 11 November 2007 - 11:39 AM.


#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:59 AM

Posted 11 November 2007 - 12:44 PM

Hello,

Please run ComboFix for me again, and post the report.

Can you please post a new HijackThis log made in normal mode? The last one was made in safe mode, and I can't see everything that way. Thanks :thumbsup:


tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#9 deeb

deeb
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:59 AM

Posted 11 November 2007 - 02:19 PM

Ah sorry, didn't even occur to me! Here you go:


ComboFix:


ComboFix 07-11-02.3 - HP_Owner 2007-11-11 9:46:28.4 - NTFSx86
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
.

2007-11-10 12:19 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Grisoft
2007-11-10 12:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-10 12:19 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-10 12:14 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-07 08:14 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-03 08:46 <DIR> d-------- C:\HijackThis
2007-11-03 08:09 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-03 08:06 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-02 18:27 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-31 23:36 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-10-31 23:36 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-10-31 19:12 <DIR> d-------- C:\Program Files\Windows Sidebar
2007-10-31 19:12 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-10-31 19:11 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-31 19:11 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-31 18:16 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-10-31 18:16 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-10-31 11:07 13,568 --a------ C:\WINDOWS\system32\ace16win.dll
2007-10-31 10:27 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-31 10:26 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-31 09:30 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-10-31 09:23 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\InterMute
2007-10-31 09:16 <DIR> d-------- C:\Program Files\interMute
2007-10-31 07:40 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-10-31 07:16 12 --a------ C:\WINDOWS\system32\dpqaqlqx.bin
2007-10-31 07:12 <DIR> d-------- C:\WINDOWS\system32\Mz08r
2007-10-31 07:12 <DIR> d-------- C:\temp\mZOr
2007-10-25 09:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-10 20:16 --------- d-----w C:\Program Files\Java
2007-11-07 17:15 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-07 17:11 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-07 17:11 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-07 17:11 --------- d-----w C:\Program Files\Symantec
2007-11-01 05:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-01 05:23 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Lavasoft
2007-11-01 03:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-31 13:33 --------- d-----w C:\Program Files\MSN Messenger
2007-10-28 17:59 40,508 ----a-w C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2007-10-27 17:16 --------- d--h--w C:\Documents and Settings\HP_Owner\Application Data\Move Networks
2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 21:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 21:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 21:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 21:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 21:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 21:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 21:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-08-29 21:18 577,928 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-08-23 23:57 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-03-21 19:58 69,792 ----a-w C:\Documents and Settings\HP_Owner\Application Data\GDIPFONTCACHEV1.DAT
2006-09-17 15:24 29,784 ----a-w C:\Program Files\popcorn Terms.html
2004-12-18 20:50:47 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2007-07-01 16:21:28 6,369 --sha-w C:\WINDOWS\system32\pqtwa.bak1
2007-07-02 04:21:37 1,825,424 --sha-w C:\WINDOWS\system32\pqtwa.bak2
.

((((((((((((((((((((((((((((( snapshot_2007-11-07_ 9.04.25.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-12 02:36:12 24,681 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 06:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2004-08-12 02:36:12 28,779 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 06:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 07:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-10-31 19:16 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 15:04]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 17:53]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 17:42]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 19:02]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 19:43]
"VTTimer"="VTTimer.exe" [2004-10-22 11:53 C:\WINDOWS\system32\VTTimer.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 15:57]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 10:29]
"EPSON Stylus CX4600 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.exe" []
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
"CTDVDDET"="C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE" [2003-06-18 01:00]
"CTSysVol"="C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe" [2003-07-09 14:36]
"SbUsb AudCtrl"="sbusbdll.dll" [2003-11-24 00:26 C:\WINDOWS\system32\sbusbdll.dll]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"ServiceLayer"="C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe" [2002-10-16 07:43]
"Nokia Tray Application"="C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe" [2002-10-22 07:52]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 C:\WINDOWS\system32\bthprops.cpl]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 18:05]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 09:21]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-10-23 16:18]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-24 20:53]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"RemoteCenter"="C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-11-21 14:08]
"Sonic RecordNow!"="" []
"MtdAcq"="C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe" [2002-10-16 18:13]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 21:49]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
Slide.exe.lnk - C:\Program Files\Slide\Slide.exe [2007-03-26 13:11:29]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-14 23:11:40]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 12:11 233472]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys
S3 COH_Mon;COH_Mon;\??\C:\WINDOWS\system32\Drivers\COH_Mon.sys
S3 P1120VID;Creative WebCam NX Ultra;C:\WINDOWS\system32\DRIVERS\P1120Vid.sys
S3 sbusb;Sound Blaster USB Audio Driver;C:\WINDOWS\system32\DRIVERS\sbusb.sys
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-27 15:23:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-11-01 05:35:54 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - HP_Owner.job"
- C:\Program Files\Norton AntiVirus\Navw32.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 09:51:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-11 9:53:21
C:\ComboFix2.txt ... 2007-11-07 09:05
C:\ComboFix3.txt ... 2007-11-03 08:15
.
--- E O F ---

------------------------
HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:28 AM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE
C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Slide - {F25D0054-4CA2-49D5-A8B0-D79B7829D14E} - C:\Program Files\Slide\SlideBar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P35 "EPSON Stylus CX4600 Series (Copy 1)" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe (User 'Default user')
O4 - S-1-5-18 Startup: Slide.exe.lnk = C:\Program Files\Slide\Slide.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Slide.exe.lnk = C:\Program Files\Slide\Slide.exe (User 'Default user')
O4 - Startup: Slide.exe.lnk = C:\Program Files\Slide\Slide.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {82B56B47-90DC-4F58-9A7D-D27BA46D3C0F} (MyPhotoAlbum Easy Upload Tool Combo Control) - http://dkbehler.myphotoalbum.com/ImageUploader4.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/cgi/plugin.pl
O16 - DPF: {A94A916C-51A1-4B68-8FB0-7BD25EAED3B3} (CRecorder Object) - http://bix.yahoo.com/install/bix.cab
O16 - DPF: {F143DC71-450A-4A24-B6E7-4B3CC79D691D} (Bix.Yahoo Media Player) - http://bix.yahoo.com/install/bixmedia.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Software Jukebox v2.0 Service - Unknown owner - C:\Program Files\Common Files\MSJB NA01D Shared\Service\Software Jukebox v2.0 Service File.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 12943 bytes

#10 teacup61 (Malware Response Team)

Posted 11 November 2007 - 02:28 PM

No worries :thumbsup:

This is being stubborn. :blink:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\system32\vvgeowbv.exe


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

How is it running?

Thanks,
tea

Edited by teacup61, 11 November 2007 - 02:29 PM.

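As an added example (not the thread's or ComboFix's own code), here is a Python check that does what tea is doing by eye: parse the "Reg Loading Points" section of a ComboFix log, flag a Winlogon Userinit value that is anything other than the stock userinit.exe, and, after a CFScript run, confirm whether each File:: target is still referenced by a loading point. The sample log and script lines are taken from this thread; the only assumption is the log layout ComboFix prints above.

```python
"""Check a ComboFix log for a Userinit hijack and for leftovers of a CFScript run.

Added example, not part of the thread or of ComboFix. On Windows XP the
Winlogon Userinit value should be exactly C:\\WINDOWS\\system32\\userinit.exe;
any program prepended to it is started at every logon, which is why a stray
entry there keeps an infection alive across cleanups.
"""
import re

EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample: the relevant lines copied from the thread's ComboFix output.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 15:04]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"
"""

# Constructed sample: the CFScript tea asked for.
SAMPLE_SCRIPT = r"""File::
C:\WINDOWS\system32\vvgeowbv.exe
"""

REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')


def parse_reg_loading_points(log_text):
    """Return {registry_key: {value_name: raw_value}} from the Reg Loading Points section."""
    keys, current, in_section = {}, None, False
    for line in log_text.splitlines():
        if "Reg Loading Points" in line:
            in_section = True
            continue
        if not in_section:
            continue
        m = REG_KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        m = REG_VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name").lower()] = m.group("value").strip()
    return keys


def userinit_paths(raw_value):
    """Split a Userinit value into its comma-separated program paths.

    ComboFix prints the value with doubled backslashes, so they are folded back
    to single ones before comparison.
    """
    value = raw_value.strip().strip('"').replace("\\\\", "\\")
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def find_userinit_hijack(log_text):
    """Return (key, [unexpected paths]) for every Userinit value that is not just userinit.exe."""
    findings = []
    for key, values in parse_reg_loading_points(log_text).items():
        if not key.endswith("winlogon") or "userinit" not in values:
            continue
        extra = [p for p in userinit_paths(values["userinit"]) if p != EXPECTED_USERINIT]
        if extra:
            findings.append((key, extra))
    return findings


def cfscript_file_targets(script_text):
    """Return the paths listed under the File:: directive of a CFScript."""
    targets, active = [], False
    for line in script_text.splitlines():
        stripped = line.strip()
        if re.fullmatch(r"[A-Za-z]+::", stripped):   # a directive header such as File::
            active = stripped.lower() == "file::"
            continue
        if active and stripped:
            targets.append(stripped.lower())
    return targets


def still_referenced(log_text, path):
    """True if a loading point in the log still names the given file (case-insensitive)."""
    parts = log_text.lower().split("reg loading points", 1)
    if len(parts) < 2:
        return False
    section = parts[1].replace("\\\\", "\\")
    return path.lower().replace("\\\\", "\\") in section


def verify_cfscript(log_text, script_text):
    """Map each File:: target to whether the post-run log still references it."""
    return {p: still_referenced(log_text, p) for p in cfscript_file_targets(script_text)}


if __name__ == "__main__":
    for key, extra in find_userinit_hijack(SAMPLE_LOG):
        print("Userinit hijack under", key, "->", extra)
    for path, present in verify_cfscript(SAMPLE_LOG, SAMPLE_SCRIPT).items():
        print(path, "still referenced" if present else "gone")
```

Run against the first post-CFScript log in the thread this reports the Userinit entry as still present, which is the "stubborn" behaviour tea refers to.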

#11 deeb (Topic Starter)

Posted 11 November 2007 - 03:07 PM

Hi Tea,

Ok, I ran ComboFix twice. The first time I ran it, it got to process 7 before I realized that IE was still open. So here it is with IE open for the first 7 processes, and again with IE closed:


1st time:

ComboFix 07-11-02.3 - HP_Owner 2007-11-11 11:53:46.5 - NTFSx86
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\vvgeowbv.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
.

2007-11-10 12:19 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Grisoft
2007-11-10 12:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-10 12:19 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-10 12:14 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-07 08:14 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-03 08:46 <DIR> d-------- C:\HijackThis
2007-11-03 08:09 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-03 08:06 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-02 18:27 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-31 23:36 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-10-31 23:36 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-10-31 19:12 <DIR> d-------- C:\Program Files\Windows Sidebar
2007-10-31 19:12 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-10-31 19:11 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-31 19:11 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-31 18:16 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-10-31 18:16 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-10-31 11:07 13,568 --a------ C:\WINDOWS\system32\ace16win.dll
2007-10-31 10:27 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-31 10:26 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-31 09:30 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-10-31 09:23 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\InterMute
2007-10-31 09:16 <DIR> d-------- C:\Program Files\interMute
2007-10-31 07:40 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-10-31 07:16 12 --a------ C:\WINDOWS\system32\dpqaqlqx.bin
2007-10-31 07:12 <DIR> d-------- C:\WINDOWS\system32\Mz08r
2007-10-31 07:12 <DIR> d-------- C:\temp\mZOr
2007-10-25 09:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-10 20:16 --------- d-----w C:\Program Files\Java
2007-11-07 17:15 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-07 17:11 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-07 17:11 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-07 17:11 --------- d-----w C:\Program Files\Symantec
2007-11-01 05:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-01 05:23 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Lavasoft
2007-11-01 03:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-31 13:33 --------- d-----w C:\Program Files\MSN Messenger
2007-10-28 17:59 40,508 ----a-w C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2007-10-27 17:16 --------- d--h--w C:\Documents and Settings\HP_Owner\Application Data\Move Networks
2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 21:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 21:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 21:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 21:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 21:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 21:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 21:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-08-29 21:18 577,928 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-08-23 23:57 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-03-21 19:58 69,792 ----a-w C:\Documents and Settings\HP_Owner\Application Data\GDIPFONTCACHEV1.DAT
2006-09-17 15:24 29,784 ----a-w C:\Program Files\popcorn Terms.html
2004-12-18 20:50:47 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2007-07-01 16:21:28 6,369 --sha-w C:\WINDOWS\system32\pqtwa.bak1
2007-07-02 04:21:37 1,825,424 --sha-w C:\WINDOWS\system32\pqtwa.bak2
.

((((((((((((((((((((((((((((( snapshot_2007-11-07_ 9.04.25.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-12 02:36:12 24,681 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 06:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2004-08-12 02:36:12 28,779 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 06:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 07:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-10-31 19:16 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 15:04]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 17:53]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 17:42]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 19:02]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 19:43]
"VTTimer"="VTTimer.exe" [2004-10-22 11:53 C:\WINDOWS\system32\VTTimer.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 15:57]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 10:29]
"EPSON Stylus CX4600 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.exe" []
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
"CTDVDDET"="C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE" [2003-06-18 01:00]
"CTSysVol"="C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe" [2003-07-09 14:36]
"SbUsb AudCtrl"="sbusbdll.dll" [2003-11-24 00:26 C:\WINDOWS\system32\sbusbdll.dll]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"ServiceLayer"="C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe" [2002-10-16 07:43]
"Nokia Tray Application"="C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe" [2002-10-22 07:52]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 C:\WINDOWS\system32\bthprops.cpl]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 18:05]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 09:21]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-10-23 16:18]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-24 20:53]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"RemoteCenter"="C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-11-21 14:08]
"Sonic RecordNow!"="" []
"MtdAcq"="C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe" [2002-10-16 18:13]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 21:49]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
Slide.exe.lnk - C:\Program Files\Slide\Slide.exe [2007-03-26 13:11:29]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-14 23:11:40]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 12:11 233472]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys
S3 COH_Mon;COH_Mon;\??\C:\WINDOWS\system32\Drivers\COH_Mon.sys
S3 P1120VID;Creative WebCam NX Ultra;C:\WINDOWS\system32\DRIVERS\P1120Vid.sys
S3 sbusb;Sound Blaster USB Audio Driver;C:\WINDOWS\system32\DRIVERS\sbusb.sys
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-27 15:23:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-11-01 05:35:54 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - HP_Owner.job"
- C:\Program Files\Norton AntiVirus\Navw32.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 11:57:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-11 11:59:35
C:\ComboFix2.txt ... 2007-11-11 09:53
C:\ComboFix3.txt ... 2007-11-07 09:05
.
--- E O F ---

2nd time:

ComboFix 07-11-02.3 - HP_Owner 2007-11-11 12:00:48.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.115 [GMT -8:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
.

2007-11-10 12:19 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Grisoft
2007-11-10 12:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-10 12:19 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-10 12:14 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-07 08:14 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-03 08:46 <DIR> d-------- C:\HijackThis
2007-11-03 08:09 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-03 08:06 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-02 18:27 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-31 23:36 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-10-31 23:36 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-10-31 19:12 <DIR> d-------- C:\Program Files\Windows Sidebar
2007-10-31 19:12 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-10-31 19:11 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-31 19:11 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-31 18:16 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-10-31 18:16 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-10-31 11:07 13,568 --a------ C:\WINDOWS\system32\ace16win.dll
2007-10-31 10:27 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-31 10:26 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-31 09:30 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-10-31 09:23 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\InterMute
2007-10-31 09:16 <DIR> d-------- C:\Program Files\interMute
2007-10-31 07:40 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-10-31 07:16 12 --a------ C:\WINDOWS\system32\dpqaqlqx.bin
2007-10-31 07:12 <DIR> d-------- C:\WINDOWS\system32\Mz08r
2007-10-31 07:12 <DIR> d-------- C:\temp\mZOr
2007-10-25 09:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-10 20:16 --------- d-----w C:\Program Files\Java
2007-11-07 17:15 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-07 17:11 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-07 17:11 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-07 17:11 --------- d-----w C:\Program Files\Symantec
2007-11-01 05:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-01 05:23 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Lavasoft
2007-11-01 03:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-31 13:33 --------- d-----w C:\Program Files\MSN Messenger
2007-10-28 17:59 40,508 ----a-w C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2007-10-27 17:16 --------- d--h--w C:\Documents and Settings\HP_Owner\Application Data\Move Networks
2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 21:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 21:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 21:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 21:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 21:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 21:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 21:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-08-29 21:18 577,928 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-08-23 23:57 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-03-21 19:58 69,792 ----a-w C:\Documents and Settings\HP_Owner\Application Data\GDIPFONTCACHEV1.DAT
2006-09-17 15:24 29,784 ----a-w C:\Program Files\popcorn Terms.html
2004-12-18 20:50:47 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2007-07-01 16:21:28 6,369 --sha-w C:\WINDOWS\system32\pqtwa.bak1
2007-07-02 04:21:37 1,825,424 --sha-w C:\WINDOWS\system32\pqtwa.bak2
.

((((((((((((((((((((((((((((( snapshot_2007-11-07_ 9.04.25.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-12 02:36:12 24,681 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 06:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2004-08-12 02:36:12 28,779 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 06:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 07:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-10-31 19:16 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 15:04]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 17:53]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 17:42]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 19:02]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 19:43]
"VTTimer"="VTTimer.exe" [2004-10-22 11:53 C:\WINDOWS\system32\VTTimer.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 15:57]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 10:29]
"EPSON Stylus CX4600 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.exe" []
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
"CTDVDDET"="C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE" [2003-06-18 01:00]
"CTSysVol"="C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe" [2003-07-09 14:36]
"SbUsb AudCtrl"="sbusbdll.dll" [2003-11-24 00:26 C:\WINDOWS\system32\sbusbdll.dll]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"ServiceLayer"="C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe" [2002-10-16 07:43]
"Nokia Tray Application"="C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe" [2002-10-22 07:52]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 C:\WINDOWS\system32\bthprops.cpl]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 18:05]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 09:21]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-10-23 16:18]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-24 20:53]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"RemoteCenter"="C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-11-21 14:08]
"Sonic RecordNow!"="" []
"MtdAcq"="C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe" [2002-10-16 18:13]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 21:49]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
Slide.exe.lnk - C:\Program Files\Slide\Slide.exe [2007-03-26 13:11:29]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-14 23:11:40]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 12:11 233472]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys
S3 COH_Mon;COH_Mon;\??\C:\WINDOWS\system32\Drivers\COH_Mon.sys
S3 P1120VID;Creative WebCam NX Ultra;C:\WINDOWS\system32\DRIVERS\P1120Vid.sys
S3 sbusb;Sound Blaster USB Audio Driver;C:\WINDOWS\system32\DRIVERS\sbusb.sys
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-27 15:23:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-11-01 05:35:54 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - HP_Owner.job"
- C:\Program Files\Norton AntiVirus\Navw32.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 12:04:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-11 12:05:47
C:\ComboFix2.txt ... 2007-11-11 11:59
C:\ComboFix3.txt ... 2007-11-11 09:53
.
--- E O F ---



It is running really nicely. Everything is smooth. If it wasn't for the wallpaper you wouldn't know anything had happened. :thumbsup:

deeb

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 11 November 2007 - 04:06 PM

Stubborn thing :blink:

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\vvgeowbv.exe


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply. Let me know about the wallpaper. :thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#13 deeb

deeb
  • Topic Starter

  • Members
  • 8 posts

Posted 11 November 2007 - 07:42 PM

Hi Tea,

I ran the script, but the process stops midway with an error message:

The system cannot find the file specified.
Could Not Find C:\avenger\*.reg
C:\avenger\backup.zip
1 file(s) copied.
zip warning: C:/backup.zip not found or empty
adding: avenger/avenger.txt (188 bytes security) (deflated 66%)
adding: avenger/backup.reg (188 bytes security) (stored 0%)




And then there is a Windows popup error message:

Windows - No Disk

Exception Processing Message c0000013 Parameters 75b6bf9c 4 75b6bf9c 75b6bf9c




If I click "Try Again" or "Continue" I get the same error message again, so I have to click "Cancel".

When I click "Cancel", the wallpaper changes back to that annoying red/black one, and the avenger log file comes up. I will copy it below. I tried this twice with the same results.


When I go to C:\WINDOWS\system32 I do not see that file, vvgeowbv.exe.


-------------------
Here is the avenger log file:


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\anoqrgce

*******************

Script file located at: \??\C:\WINDOWS\ocsnwgld.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\vvgeowbv.exe not found!
Deletion of file C:\WINDOWS\system32\vvgeowbv.exe failed!

Could not process line:
C:\WINDOWS\system32\vvgeowbv.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.





------------------
Thought you might need a ComboFix log again:


ComboFix 07-11-02.3 - HP_Owner 2007-11-11 16:49:02.7 - NTFSx86
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))
.

2007-11-11 16:13 60,416 --a------ C:\WINDOWS\system32\drivers\ipabgblg.sys
2007-11-11 16:13 1,080 --a------ C:\tdjxewxu.bat
2007-11-10 12:19 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Grisoft
2007-11-10 12:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-10 12:19 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-10 12:14 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-07 08:14 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-03 08:46 <DIR> d-------- C:\HijackThis
2007-11-03 08:09 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-03 08:06 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-02 18:27 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-31 23:36 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-10-31 23:36 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-10-31 19:12 <DIR> d-------- C:\Program Files\Windows Sidebar
2007-10-31 19:12 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-10-31 19:11 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-31 19:11 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-31 18:16 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-10-31 18:16 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-10-31 11:07 13,568 --a------ C:\WINDOWS\system32\ace16win.dll
2007-10-31 10:27 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-31 10:26 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-31 09:30 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-10-31 09:23 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\InterMute
2007-10-31 09:16 <DIR> d-------- C:\Program Files\interMute
2007-10-31 07:40 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-10-31 07:16 12 --a------ C:\WINDOWS\system32\dpqaqlqx.bin
2007-10-31 07:12 <DIR> d-------- C:\WINDOWS\system32\Mz08r
2007-10-31 07:12 <DIR> d-------- C:\temp\mZOr
2007-10-25 09:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-10 20:16 --------- d-----w C:\Program Files\Java
2007-11-07 17:15 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-07 17:11 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-07 17:11 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-07 17:11 --------- d-----w C:\Program Files\Symantec
2007-11-01 05:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-01 05:23 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Lavasoft
2007-11-01 03:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-31 13:33 --------- d-----w C:\Program Files\MSN Messenger
2007-10-28 17:59 40,508 ----a-w C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2007-10-27 17:16 --------- d--h--w C:\Documents and Settings\HP_Owner\Application Data\Move Networks
2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 21:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 21:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 21:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 21:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 21:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 21:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 21:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-08-29 21:18 577,928 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-08-23 23:57 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-03-21 19:58 69,792 ----a-w C:\Documents and Settings\HP_Owner\Application Data\GDIPFONTCACHEV1.DAT
2006-09-17 15:24 29,784 ----a-w C:\Program Files\popcorn Terms.html
2004-12-18 20:50:47 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2007-07-01 16:21:28 6,369 --sha-w C:\WINDOWS\system32\pqtwa.bak1
2007-07-02 04:21:37 1,825,424 --sha-w C:\WINDOWS\system32\pqtwa.bak2
.

((((((((((((((((((((((((((((( snapshot_2007-11-07_ 9.04.25.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-12 02:36:12 24,681 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 06:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2004-08-12 02:36:12 28,779 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 06:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 07:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-10-31 19:16 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 15:04]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 17:53]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 17:42]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 19:02]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 19:43]
"VTTimer"="VTTimer.exe" [2004-10-22 11:53 C:\WINDOWS\system32\VTTimer.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 15:57]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 10:29]
"EPSON Stylus CX4600 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.exe" []
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
"CTDVDDET"="C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE" [2003-06-18 01:00]
"CTSysVol"="C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe" [2003-07-09 14:36]
"SbUsb AudCtrl"="sbusbdll.dll" [2003-11-24 00:26 C:\WINDOWS\system32\sbusbdll.dll]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"ServiceLayer"="C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe" [2002-10-16 07:43]
"Nokia Tray Application"="C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe" [2002-10-22 07:52]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 C:\WINDOWS\system32\bthprops.cpl]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 18:05]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 09:21]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-10-23 16:18]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-24 20:53]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"RemoteCenter"="C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-11-21 14:08]
"Sonic RecordNow!"="" []
"MtdAcq"="C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe" [2002-10-16 18:13]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 21:49]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
Slide.exe.lnk - C:\Program Files\Slide\Slide.exe [2007-03-26 13:11:29]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-14 23:11:40]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 12:11 233472]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys
S3 COH_Mon;COH_Mon;\??\C:\WINDOWS\system32\Drivers\COH_Mon.sys
S3 P1120VID;Creative WebCam NX Ultra;C:\WINDOWS\system32\DRIVERS\P1120Vid.sys
S3 sbusb;Sound Blaster USB Audio Driver;C:\WINDOWS\system32\DRIVERS\sbusb.sys
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-27 15:23:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-11-01 05:35:54 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - HP_Owner.job"
- C:\Program Files\Norton AntiVirus\Navw32.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 16:56:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-11 16:58:13
C:\ComboFix2.txt ... 2007-11-11 12:05
C:\ComboFix3.txt ... 2007-11-11 11:59
.
--- E O F ---




-----------------
And a HijackThis log for good measure :thumbsup: :


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:47:25 PM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE
C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Slide - {F25D0054-4CA2-49D5-A8B0-D79B7829D14E} - C:\Program Files\Slide\SlideBar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P35 "EPSON Stylus CX4600 Series (Copy 1)" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: Slide.exe.lnk = C:\Program Files\Slide\Slide.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {82B56B47-90DC-4F58-9A7D-D27BA46D3C0F} (MyPhotoAlbum Easy Upload Tool Combo Control) - http://dkbehler.myphotoalbum.com/ImageUploader4.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/cgi/plugin.pl
O16 - DPF: {A94A916C-51A1-4B68-8FB0-7BD25EAED3B3} (CRecorder Object) - http://bix.yahoo.com/install/bix.cab
O16 - DPF: {F143DC71-450A-4A24-B6E7-4B3CC79D691D} (Bix.Yahoo Media Player) - http://bix.yahoo.com/install/bixmedia.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Software Jukebox v2.0 Service - Unknown owner - C:\Program Files\Common Files\MSJB NA01D Shared\Service\Software Jukebox v2.0 Service File.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 12818 bytes





Thanks,
deeb

Edited by deeb, 11 November 2007 - 08:00 PM.
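The persistence point in the logs above is the Winlogon Userinit value, which lists a second executable ahead of the real userinit.exe; that entry survives even after the file itself is gone, which is why the Avenger run reported "not found" while the wallpaper kept coming back. As an added example (not code from the thread, ComboFix or The Avenger), this Python script parses the Reg Loading Points excerpt copied from the log above, flags every Userinit entry that is not the expected userinit.exe, and reports whether the referenced file still exists; `fake_file_exists` is a stand-in for `os.path.exists` so the example runs offline.

```python
import re
from typing import Callable, Dict, List

# Constructed excerpt of the ComboFix "Reg Loading Points" section, copied from
# the thread above: the Winlogon Userinit value lists a second executable ahead
# of the real userinit.exe, so it is referenced at every logon even when the
# file on disk has already been removed.
COMBOFIX_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-10-31 19:16 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"
"""

# The only program that belongs in the Userinit chain on a stock Windows XP box.
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')


def parse_userinit_values(log_text: str) -> Dict[str, List[str]]:
    """Return {registry key: [Userinit chain entries]} for every Winlogon
    Userinit value found in a ComboFix 'Reg Loading Points' section."""
    results: Dict[str, List[str]] = {}
    current_key = None
    for line in log_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if not m or current_key is None:
            continue
        if m.group("name").lower() != "userinit":
            continue
        if not current_key.lower().endswith("\\winlogon"):
            continue
        # ComboFix doubles the backslashes inside quoted REG_SZ data.
        data = m.group("data").replace("\\\\", "\\")
        entries = [e.strip() for e in data.split(",") if e.strip()]
        results[current_key] = entries
    return results


def audit_userinit(log_text: str, file_exists: Callable[[str], bool]) -> List[dict]:
    """Flag every Userinit entry that is not the expected userinit.exe and
    record whether the referenced file is still on disk. A missing file with a
    surviving registry reference is the 'dangling' case from the thread: the
    Avenger script could not delete it, but the logon chain still names it."""
    findings = []
    for key, entries in parse_userinit_values(log_text).items():
        for entry in entries:
            if entry.lower() == EXPECTED_USERINIT.lower():
                continue
            findings.append({
                "key": key,
                "path": entry,
                "present_on_disk": file_exists(entry),
            })
    return findings


def fake_file_exists(path: str) -> bool:
    """Hypothetical stand-in for os.path.exists so the example runs offline;
    mirrors the thread, where only the real userinit.exe is present."""
    return path.lower() == EXPECTED_USERINIT.lower()


if __name__ == "__main__":
    for f in audit_userinit(COMBOFIX_EXCERPT, fake_file_exists):
        state = "present" if f["present_on_disk"] else "MISSING (dangling reference)"
        print(f"{f['key']}\n  Userinit -> {f['path']}: {state}")
```

On a live machine, pass `os.path.exists` instead of the stand-in; a dangling entry means the registry value, not a file, is what still needs cleaning.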


#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 13 November 2007 - 12:14 PM

Hello,

Well, if it's not there, then it's not there, huh? :thumbsup: How is it running today?

#15 deeb

deeb
  • Topic Starter

  • Members
  • 8 posts

Posted 15 November 2007 - 11:20 AM

Hmm, I tried IE and Word, everything seems ok. Didn't seem slow this time either. Good progress!
I don't see this file present: C:\WINDOWS\system32\vvgeowbv.exe, although the wallpaper is still on the desktop. What do we do next?

Thanks :thumbsup:

deeb



