
Virtumonde, Virtumonde.generic


This topic is locked
18 replies to this topic

#1 jajacks

  • Members
  • 32 posts

Posted 16 November 2007 - 06:47 PM

Hello all.
I'm putting up the Bat Signal in desperation. I somehow (probably by clicking on a bad link) amassed a few bad programs on my computer. I first noticed it when two icons appeared on my desktop, one saying "Online Security Guide" and the other labeled "Live Safety Center". Both are shortcuts to a website kukkakreck.com and cannot be permanently removed. Also, I get an IE popup randomly, saying "Virus Detected" from savetheinformation.com. Also, I can't open up my McAfee Security Center. I downloaded Spybot S&D and found that I had Virtumonde and Virtumonde.generic, among others. I completed the scan and proceeded with the fix, but Spybot S&D hasn't corrected the problem. I now get a constant and steady flow of "Registry Change Denied" boxes from Spybot. I've run VundoFix and still have the problem. Does anyone have any advice they can give? Thank you for reading, and I hope to hear back from you soon.

-Jesse

Here's the Hijack log. Thanks again for reading.
- - - - - -
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:25:45 PM, on 11/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\b.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jesse\Desktop\stinger.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Jesse\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [PCLEUSBTip] C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [984853ac] rundll32.exe "C:\WINDOWS\system32\xqmfossa.dll",b
O4 - HKCU\..\Run: [Steam] "c:\progra~1\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157659659252
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: M-Audio Fast Track Installer (FastTrackInstallerService) - Avid Technology, Inc. - C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 13516 bytes

Edited by jajacks, 16 November 2007 - 06:57 PM.



#2 rookie147

  • Members
  • 5,321 posts

Posted 17 November 2007 - 01:19 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Using My Computer, navigate to where you have HijackThis saved.
Right-click on the HijackThis.exe file.
Select "Rename", call it fluffybunny and press enter.
Use fluffybunny.exe from now on.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove.
VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please include VundoFix.txt and a new HijackThis log in your next reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 jajacks
  • Topic Starter

  • Members
  • 32 posts

Posted 19 November 2007 - 06:11 PM

I've done everything you've asked. I renamed and ran HijackThis, and I ran VundoFix. However, VundoFix couldn't find a problem, although McAfee constantly gives me boxes saying that it's blocked "Vundo".
I'm now getting two error messages on startup saying:

RUNDLL (in the title bar)
Error loading C:\WINDOWS\system32\xqmfossa.dll The specified module could not be found.

and

C:\WINDOWS\17PHolmes1188.exe (in the title bar)
Window cannot find 'C:\WINDOWS\17PHolmes1188.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search


In any case, here are the logs. Thanks again for your help on this matter.
- - - - - - -
HijackThis Log
- - - - - - -
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:52:45 PM, on 11/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\b.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jesse\Desktop\fluffybunny.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {27989C6F-98FF-4C41-9F8F-E7D3AC632C2E} - (no file)
O2 - BHO: (no name) - {42C63C50-012E-4A70-8663-C029C92A2597} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6C56999D-96DA-4827-A51C-6A752E696641} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\wvuusqr.dll
O2 - BHO: (no name) - {DD83396B-1EE0-4795-914F-C8DFAD0F35A1} - C:\WINDOWS\system32\jkkji.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [PCLEUSBTip] C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [984853ac] rundll32.exe "C:\WINDOWS\system32\xqmfossa.dll",b
O4 - HKCU\..\Run: [Steam] "c:\progra~1\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157659659252
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: artqifav - artqifav.dll (file missing)
O20 - Winlogon Notify: wvuusqr - C:\WINDOWS\SYSTEM32\wvuusqr.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: M-Audio Fast Track Installer (FastTrackInstallerService) - Avid Technology, Inc. - C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 14583 bytes
- - - - - -
VundoFix Log
- - - - - -
VundoFix V6.6.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 2:53:41 PM 11/16/2007

Listing files found while scanning....

C:\windows\SYSTEM32\hbaylsep.dll
C:\WINDOWS\system32\mmhbbkpi.dll
C:\windows\SYSTEM32\ymprypqa.dll

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\hbaylsep.dll
C:\windows\SYSTEM32\hbaylsep.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mmhbbkpi.dll
C:\WINDOWS\system32\mmhbbkpi.dll Could not be deleted.

Attempting to delete C:\windows\SYSTEM32\ymprypqa.dll
C:\windows\SYSTEM32\ymprypqa.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mmhbbkpi.dll
C:\WINDOWS\system32\mmhbbkpi.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 1:28:56 PM 11/18/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.6.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 4:53:00 PM 11/19/2007

Listing files found while scanning....

No infected files were found.

- - - - - - -

#4 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:07:26 PM

Posted 20 November 2007 - 02:52 AM

Hello again,
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click "Scan for Vundo" button.
Once the scan is complete, right click inside the listbox (white box) and click "Add More Files"
Copy and paste the entries below into the top boxes:

C:\WINDOWS\system32\wvuusqr.dll

Click "Add Files" and click "Close Window".
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your Desktop will go blank as it starts removing Vundo - this is normal.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.

Make a list of all the programs installed on your computer:
Open HijackThis
Click the Config... button, then go to the Misc Tools section.
Press Open Uninstall Manager. You'll see a list of programs.
Select Save List... - save it to your Desktop.
The file "uninstall_list.txt" will be created.
Copy and paste the contents of this file to your next reply.

Please include VundoFix.txt and a new HijackThis log in your next reply along with the uninstall list.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#5 jajacks

jajacks
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:01:26 PM

Posted 25 November 2007 - 05:01 PM

Hey, sorry for the delay (out of town for Thanksgiving). Speaking of which, I hope you had a nice holiday.
Anyway, I did what you asked. VundoFix was unable to remove the program after a reboot. It asked to reboot again, and when it did, the specified file wasn't listed in the box. I clicked "Scan for Vundo" and it couldn't find it. I'm still getting pop-ups and the same errors, unfortunately.

Here are the logs you asked for. Thanks again.
- - - - -
VundoFix Log
- - - - -
VundoFix V6.6.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 2:53:41 PM 11/16/2007

Listing files found while scanning....

C:\windows\SYSTEM32\hbaylsep.dll
C:\WINDOWS\system32\mmhbbkpi.dll
C:\windows\SYSTEM32\ymprypqa.dll

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\hbaylsep.dll
C:\windows\SYSTEM32\hbaylsep.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mmhbbkpi.dll
C:\WINDOWS\system32\mmhbbkpi.dll Could not be deleted.

Attempting to delete C:\windows\SYSTEM32\ymprypqa.dll
C:\windows\SYSTEM32\ymprypqa.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mmhbbkpi.dll
C:\WINDOWS\system32\mmhbbkpi.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 1:28:56 PM 11/18/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.6.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 4:53:00 PM 11/19/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.6.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 12:57:37 PM 11/25/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\system32\wvuusqr.dll
C:\WINDOWS\system32\wvuusqr.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\wvuusqr.dll
C:\WINDOWS\system32\wvuusqr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\wvuusqr.dll
C:\WINDOWS\system32\wvuusqr.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\wvuusqr.dll
C:\WINDOWS\system32\wvuusqr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.6.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 3:31:12 PM 11/25/2007

Listing files found while scanning....

No infected files were found.

- - - - -
Uninstall Log
- - - - -
Ad-Aware 2007
Adobe Acrobat 5.0
Adobe Acrobat 7.0.7 Professional
Adobe Common File Installer
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Premiere 6.0
Adobe Premiere Pro
Adobe Reader 7.0.8
Adobe Stock Photos 1.0
Advanced RealMedia Export Plug-in for Premiere 6.0
AGEIA PhysX v2.6.0
Apple Mobile Device Support
Apple Software Update
Banctec Service Agreement
BitTorrent 4.0.4
Broadcom Advanced Control Suite 2
Cakewalk Guitar Tracks 2.0
Cakewalk VST Adapter 4
CivCity
Cleaner 5 EZ
Creative MediaSource
Dell Driver Reset Tool
Dell Picture Studio v3.0
DellSupport
Diablo II
DiscAPI (Studio 10)
DivX Web Player
Drag and Drop Drummer Lite
Drivers Install For Linksys Easylink Advisor
DSound GT Player Express
DVD Solution
exPressit S.E. 2.2
Fast Track USB
Flock 1.0
GdiplusUpgrade
Guitar Tracks Pro 3
Half-Life
Half-Life: Blue Shift
Half-Life: Counter-Strike
Half-Life: Opposing Force
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB926239)
HP Image Zone 5.3
HP Imaging Device Functions 5.3
HP Photosmart 330,380,420,470,7800,8000,8200 Series
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HP Update
Intel Application Accelerator
Internet Explorer Default Page
iPod for Windows 2005-03-23
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Jasc Paint Shop Pro Studio, Dell Editon
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 3
Java™ SE Runtime Environment 6 Update 1
LG ODD Auto Firmware Update
Linksys EasyLink Advisor 1.6 (0032)
Logitech Desktop Messenger
Logitech SetPoint
Macromedia Shockwave Player
MAX DS Video Converter
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2000 Premium
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Publisher 2002
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.9)
MSN Messenger 7.5
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Multimedia Launcher
Musicmatch for Windows Media Player
Musicmatch® Jukebox
Nero OEM
Network Magic
Nintendo Wi-Fi USB Connector Registration Tool
NVIDIA Drivers
Panda ActiveScan
Pinnacle Instant DVD Recorder
Power Tab Editor 1.7
PowerDVD 5.3
PowerProducer
proDAD Heroglyph 2.5
QuarkXPress 6.5
QuickTime
RAPID (Studio 10)
RGSS-RTP Standard
RPGXP
SAMSUNG Mobile USB Modem 1.0 Software
Samsung PC Studio
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB943460)
Session
Shareaza version 2.2.5.0
Sid Meier's Civilization 4
Sierra Utilities
SimCity 4 Deluxe
SlowBlast!
SmartSound Quicktracks Plugin
Sonic DLA
Sonic RecordNow! Deluxe
Sonic Update Manager
Sound Blaster Audigy 2 ZS
SpeechRedist
Spybot - Search & Destroy
Steam
StillLife
Studio 10
Studio 10 Bonus DVD
Super DVD Ripper v1.90
System Requirements Lab
TeamSpeak 2 RC2
TeLL me More CJ
The Lord of the Rings Online™: Shadows of Angmar™ v07.12.30.54
The Sims 2
The Sims 2 Family Fun Stuff
The Sims 2 Nightlife
The Sims 2 Open For Business
The Sims 2 University
The Sims™ 2 Seasons
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Ventrilo Client
Video Edit Magic 3.36
WD Diagnostics
Windows Driver Package - Pure Networks, Inc. Network Magic Device Discovery Driver (02/08/2007 4.1.7039.0)
Windows Driver Package - Pure Networks, Inc. Network Magic Wireless Driver (02/08/2007 4.1.7039.0)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB884020
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinISO 5.3
WinRAR archiver
WONswap
WordPerfect Office 12
World of Warcraft
Xfire (remove only)
Yahoo! Messenger
Zuma Deluxe RA

- - - - -
HijackThis Log
- - - - -
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:01:37 PM, on 11/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\b.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Jesse\Desktop\fluffybunny.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {27989C6F-98FF-4C41-9F8F-E7D3AC632C2E} - (no file)
O2 - BHO: (no name) - {42C63C50-012E-4A70-8663-C029C92A2597} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6C56999D-96DA-4827-A51C-6A752E696641} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B8552F9A-0F6D-4AA7-9B22-EF6C3B4A224E} - C:\WINDOWS\system32\jkkji.dll
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\wvuusqr.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [PCLEUSBTip] C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [984853ac] rundll32.exe "C:\WINDOWS\system32\xqmfossa.dll",b
O4 - HKCU\..\Run: [Steam] "c:\progra~1\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157659659252
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: artqifav - artqifav.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: M-Audio Fast Track Installer (FastTrackInstallerService) - Avid Technology, Inc. - C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 14695 bytes

Edited by jajacks, 25 November 2007 - 05:03 PM.


#6 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:07:26 PM

Posted 26 November 2007 - 11:45 AM

We've still got quite a bit of malware there that needs dealing with, so we will run a scanner called Combofix, which should hopefully clear things up again before we start to target things specifically.
Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Post that in your next reply.

I'd like the Combofix log along with a brand new HijackThis log in your next reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#7 jajacks (Topic Starter)

Posted 29 November 2007 - 12:28 PM

Ok. Sorry for the delay; my cousin is now a new mother :-P
Here are the logs.

-Jesse

- - - - -
ComboFix
- - - - -
ComboFix 07-11-19.4 - Jesse 2007-11-26 17:25:55.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1429 [GMT -6:00]
Running from: C:\Documents and Settings\Jesse\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Jesse\Favorites\Online Security Guide.lnk
C:\Program Files\myglobalsearch
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\SYSTEM32\ijkkj.ini
C:\WINDOWS\SYSTEM32\ijkkj.ini2
C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\mmhbbkpi.dllbox
C:\WINDOWS\system32\pac.txt
H:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SFSYNC02
-------\sfsync02


((((((((((((((((((((((((( Files Created from 2007-10-26 to 2007-11-26 )))))))))))))))))))))))))))))))
.

2007-11-26 17:22 36,864 --a------ C:\WINDOWS\SYSTEM32\vtutrqp.dll
2007-11-25 15:27 24,576 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
2007-11-24 21:53 775,832 --ahs---- C:\WINDOWS\SYSTEM32\semnqseo.ini
2007-11-24 21:53 85,056 --a------ C:\WINDOWS\SYSTEM32\oesqnmes.dll
2007-11-24 10:09 260 --a------ C:\6254.bat
2007-11-23 22:50 <DIR> d-------- C:\Program Files\Shareaza
2007-11-23 22:50 <DIR> d-------- C:\Documents and Settings\Jesse\Application Data\Shareaza
2007-11-23 22:09 <DIR> d-------- C:\Program Files\BearShare
2007-11-23 21:47 775,832 --ahs---- C:\WINDOWS\SYSTEM32\mxiahigy.ini
2007-11-23 21:47 85,056 --a------ C:\WINDOWS\SYSTEM32\ygihaixm.dll
2007-11-19 16:49 685,703 --ahs---- C:\WINDOWS\SYSTEM32\klbyunsa.ini
2007-11-19 16:48 85,056 --a------ C:\WINDOWS\SYSTEM32\asnuyblk.dll
2007-11-19 16:44 37,376 --a------ C:\WINDOWS\SYSTEM32\urqpnop.dll
2007-11-18 14:50 677,920 --ahs---- C:\WINDOWS\SYSTEM32\ptpqhquu.ini
2007-11-18 14:50 85,056 --a------ C:\WINDOWS\SYSTEM32\uuqhqptp.dll
2007-11-18 12:04 36,352 --a------ C:\WINDOWS\SYSTEM32\vtuvuvs.dll
2007-11-17 14:57 677,920 --ahs---- C:\WINDOWS\SYSTEM32\naooorii.ini
2007-11-17 14:57 85,056 --a------ C:\WINDOWS\SYSTEM32\iiroooan.dll
2007-11-17 11:52 36,352 --a------ C:\WINDOWS\SYSTEM32\nnnopqq.dll
2007-11-16 15:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-11-16 15:29 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2007-11-16 15:29 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2007-11-16 15:13 36,352 --a------ C:\WINDOWS\SYSTEM32\opnklji.dll
2007-11-16 15:13 260 --a------ C:\6615.bat
2007-11-16 15:04 <DIR> d-------- C:\Documents and Settings\Jesse\.housecall6.6
2007-11-16 14:58 678,280 --ahs---- C:\WINDOWS\SYSTEM32\tylwiskc.ini
2007-11-16 14:58 85,056 --a------ C:\WINDOWS\SYSTEM32\cksiwlyt.dll
2007-11-16 14:53 <DIR> d-------- C:\VundoFix Backups
2007-11-15 14:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-15 14:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-15 13:57 669,731 --ahs---- C:\WINDOWS\SYSTEM32\assofmqx.ini
2007-11-15 13:49 36,352 --a------ C:\WINDOWS\SYSTEM32\wvutsrp.dll
2007-11-14 17:00 <DIR> d-------- C:\WINDOWS\SYSTEM32\rMa18yy
2007-11-14 17:00 <DIR> d-------- C:\Temp\abW9
2007-11-14 17:00 36,352 --a------ C:\WINDOWS\SYSTEM32\wvuusqr.dll
2007-11-14 17:00 36,352 --a------ C:\WINDOWS\SYSTEM32\mljgggh.dll
2007-11-13 10:38 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-11-13 10:35 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
2007-11-09 18:06 147,456 --a------ C:\WINDOWS\SYSTEM32\vbzip10.dll
2007-11-09 18:01 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-08 14:50 <DIR> d-------- C:\Documents and Settings\Jesse\Application Data\Flock
2007-11-08 14:49 <DIR> d-------- C:\Program Files\Flock
2007-10-29 17:27 <DIR> d-------- C:\WINDOWS\SYSTEM32\Cleaner Support
2007-10-29 17:27 <DIR> d-------- C:\Program Files\Cleaner 5 EZ
2007-10-29 17:27 86,016 --a------ C:\WINDOWS\unvise32.exe
2007-10-29 11:11 65,536 -ra------ C:\WINDOWS\SYSTEM32\PfcNTReg.dll
2007-10-29 11:11 14,604 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pfc.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-26 23:20 --------- d-----w C:\Program Files\lg_fwupdate
2007-11-24 17:25 --------- d-----w C:\Documents and Settings\Jesse\Application Data\U3
2007-11-15 22:26 --------- d-----w C:\Program Files\VVSN
2007-11-15 20:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-15 20:07 --------- d-----w C:\Program Files\World of Warcraft
2007-11-14 22:58 --------- d-----w C:\Program Files\McAfee
2007-11-13 22:36 --------- d-----w C:\Program Files\Common Files\McAfee
2007-11-12 22:22 --------- d-----w C:\Documents and Settings\Jesse\Application Data\nView_Wallpaper
2007-10-29 17:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-27 01:17 --------- d-----w C:\Program Files\EA GAMES
2007-10-25 16:05 --------- d-----w C:\Program Files\NCSoft
2007-10-25 15:56 --------- d-----w C:\Program Files\support.com
2007-10-25 12:02 --------- d-----w C:\Program Files\BroadJump
2007-10-25 12:00 --------- d-----w C:\Program Files\Common Files\SupportSoft
2007-10-21 17:28 --------- d-----w C:\Program Files\iTunes
2007-10-21 17:28 --------- d-----w C:\Program Files\iPod
2007-10-21 17:26 --------- d-----w C:\Program Files\Apple Software Update
2007-10-18 21:43 --------- d-----w C:\Program Files\Java
2007-10-18 02:51 --------- d-----w C:\Program Files\Microsoft Silverlight
2007-10-12 22:07 --------- d-----w C:\Program Files\Lavasoft
2007-10-12 21:55 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Talkback
2004-10-01 21:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2002-07-26 22:02 153,088 ----a-w C:\Program Files\UNWISE.EXE
2007-01-10 18:15 290,817 --sh--w C:\WINDOWS\Fonts\svchost.exe
2005-11-11 19:52 56 --sh--r C:\WINDOWS\SYSTEM32\1359CA5704.sys
2006-04-08 22:45 734,043 -csha-w C:\WINDOWS\SYSTEM32\jlnmp.bak1
2006-04-17 18:50 770,854 -csha-w C:\WINDOWS\SYSTEM32\jlnmp.bak2
2006-04-17 18:50 771,115 -csha-w C:\WINDOWS\SYSTEM32\jlnmp.ini2
2005-11-11 19:52 1,682 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE}]
2007-11-26 17:22 36864 --a------ C:\WINDOWS\system32\vtutrqp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27989C6F-98FF-4C41-9F8F-E7D3AC632C2E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{42C63C50-012E-4A70-8663-C029C92A2597}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C56999D-96DA-4827-A51C-6A752E696641}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]
2007-11-14 17:00 36352 --a------ C:\WINDOWS\system32\wvuusqr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\progra~1\valve\steam\steam.exe" [2007-11-14 16:58]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-15 12:25]
"PowerBar"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 17:16]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 12:16]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00]
"CTHelper"="CTHELPER.EXE" [2004-03-11 09:50 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 16:54]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 08:50]
"HPHUPD08"="C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 10:35]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 05:00 C:\WINDOWS\SYSTEM32\RUNDLL32.EXE]
"nwiz"="nwiz.exe" [2006-03-09 14:29 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 05:00 C:\WINDOWS\SYSTEM32\RUNDLL32.EXE]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-10 00:04]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 00:01]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52]
"PCLEUSBTip"="C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2006-01-23 15:42]
"USB2Check"="RUNDLL32.exe" [2004-08-04 05:00 C:\WINDOWS\SYSTEM32\RUNDLL32.EXE]
"USBToolTip"="C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" [2006-01-23 15:42]
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [2003-11-10 16:06]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-04-04 23:33]
"M-Audio Taskbar Icon"="C:\WINDOWS\System32\M-AudioTaskBarIcon.exe" [2006-04-04 13:42]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2006-10-31 23:04]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" [2007-01-10 12:15]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-01-05 15:21]
"984853ac"="C:\WINDOWS\system32\xqmfossa.dll" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-11-12 11:38:16]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 00:49:24]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-02-15 12:25:55]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-04-25 16:32:48]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - C:\Program Files\WiFiConnector\NintendoWFCReg.exe [2005-11-17 22:31:16]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"= C:\WINDOWS\system32\wvuusqr.dll [2007-11-14 17:00 36352]
"{1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE}"= C:\WINDOWS\system32\vtutrqp.dll [2007-11-26 17:22 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\artqifav]
artqifav.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtutrqp]
vtutrqp.dll 2007-11-26 17:22 36864 C:\WINDOWS\SYSTEM32\vtutrqp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkji.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R2 elagopro;GoProto Protocol Driver for LELA;C:\WINDOWS\system32\DRIVERS\elagopro.sys
R2 elaunidr;UniDriver for LELA;C:\WINDOWS\system32\DRIVERS\elaunidr.sys
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\LNE100V5.sys
R3 MAUSBFT;Service for M-Audio Fast Track USB (WDM);C:\WINDOWS\system32\DRIVERS\mausbft.sys
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 o1394bul;o1394bul;\??\C:\DOCUME~1\Jesse\LOCALS~1\Temp\o1394bul.sys
S3 ss_bus;Samsung Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-07 04:07:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-15 06:25:09 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-08-01 06:00:21 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-26 17:52:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ????????????l?@?l?@?D?????A~??????????????A~l?@?l?@????? ???????????W?D~??A~??????A~K?A~x???????[?A~???????? ??????????????|x???0????????????n????A~?????????????????:'?F???P???????l?@?l?@?????Q?B~????t?@?????l?@?8?@?l?@?3??s????????????????????8?@?_??s8?@?8?@

scanning hidden files ...

C:\WINDOWS\system32\rMa05yy

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2007-11-26 17:55:41 - machine was rebooted
.
--- E O F ---
- - - - -
HijackThis
- - - - -
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:43 AM, on 11/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Jesse\Desktop\fluffybunny.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE} - C:\WINDOWS\system32\vtutrqp.dll
O2 - BHO: (no name) - {27989C6F-98FF-4C41-9F8F-E7D3AC632C2E} - (no file)
O2 - BHO: (no name) - {42C63C50-012E-4A70-8663-C029C92A2597} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6C56999D-96DA-4827-A51C-6A752E696641} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B00CD660-567F-4A54-9130-CC7EFE261ADE} - C:\WINDOWS\system32\pmnlk.dll
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\wvuusqr.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [PCLEUSBTip] C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [984853ac] rundll32.exe "C:\WINDOWS\system32\xqmfossa.dll",b
O4 - HKCU\..\Run: [Steam] "c:\progra~1\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157659659252
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: artqifav - artqifav.dll (file missing)
O20 - Winlogon Notify: vtutrqp - C:\WINDOWS\SYSTEM32\vtutrqp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: M-Audio Fast Track Installer (FastTrackInstallerService) - Avid Technology, Inc. - C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 14757 bytes

#8 rookie147

Posted 30 November 2007 - 03:55 PM

Hello again,
Congratulations to your cousin and her baby :thumbsup:

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O2 - BHO: (no name) - {1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE} - C:\WINDOWS\system32\vtutrqp.dll
O2 - BHO: (no name) - {27989C6F-98FF-4C41-9F8F-E7D3AC632C2E} - (no file)
O2 - BHO: (no name) - {42C63C50-012E-4A70-8663-C029C92A2597} - (no file)
O2 - BHO: (no name) - {6C56999D-96DA-4827-A51C-6A752E696641} - (no file)
O2 - BHO: (no name) - {B00CD660-567F-4A54-9130-CC7EFE261ADE} - C:\WINDOWS\system32\pmnlk.dll
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\wvuusqr.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [984853ac] rundll32.exe "C:\WINDOWS\system32\xqmfossa.dll",b
O20 - Winlogon Notify: artqifav - artqifav.dll (file missing)
O20 - Winlogon Notify: vtutrqp - C:\WINDOWS\SYSTEM32\vtutrqp.dll


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

Open Notepad - don't use any other text editor or the script will fail.
Copy and paste the text in the quote box below into the document:

File::
C:\WINDOWS\SYSTEM32\klbyunsa.ini
C:\WINDOWS\SYSTEM32\asnuyblk.dll
C:\WINDOWS\SYSTEM32\urqpnop.dll
C:\WINDOWS\SYSTEM32\ptpqhquu.ini
C:\WINDOWS\SYSTEM32\uuqhqptp.dll
C:\WINDOWS\SYSTEM32\vtuvuvs.dll
C:\WINDOWS\SYSTEM32\naooorii.ini
C:\WINDOWS\SYSTEM32\iiroooan.dll
C:\WINDOWS\SYSTEM32\nnnopqq.dll
C:\WINDOWS\SYSTEM32\opnklji.dll
C:\6615.bat
C:\WINDOWS\SYSTEM32\tylwiskc.ini
C:\WINDOWS\SYSTEM32\cksiwlyt.dll
C:\WINDOWS\SYSTEM32\assofmqx.ini
C:\WINDOWS\SYSTEM32\wvutsrp.dll
C:\WINDOWS\SYSTEM32\wvuusqr.dll
C:\WINDOWS\SYSTEM32\mljgggh.dll
C:\WINDOWS\unvise32.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\SYSTEM32\1359CA5704.sys
C:\WINDOWS\SYSTEM32\jlnmp.bak1
C:\WINDOWS\SYSTEM32\jlnmp.bak2
C:\WINDOWS\SYSTEM32\jlnmp.ini2


Save this as a text file named CFScript.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below:

[screenshot not reproduced: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
A new log will be created, which I would like to see in your reply, along with a new HijackThis log.
Thanks,
Charles

Edited by rookie147, 30 November 2007 - 03:56 PM.

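The helper's fix list in post #8 and the File:: block he wrote out were assembled by reading the two logs in post #7 by eye. The patterns he is keying on are visible in those logs: BHOs and a toolbar with "(no name)", a rundll32 Run entry that loads a system32 DLL through a one-letter export ("...\xqmfossa.dll",b), an svchost.exe living in C:\WINDOWS\Fonts instead of System32, Winlogon Notify entries that are missing or carry a generated-looking name, and hidden+system .ini files in system32 whose name is a .dll name spelled backwards (semnqseo.ini next to oesqnmes.dll, klbyunsa.ini next to asnuyblk.dll, assofmqx.ini pairing with the xqmfossa.dll that the Run key loads). The Python below is an added example by the editor of this page, not a tool from BleepingComputer, HijackThis or ComboFix; it runs those checks over constructed sample lines copied from the thread's logs and prints the candidate paths in the File:: form the helper used. The rules, in particular the "alphabet-walk" name heuristic in looks_generated, are the editor's assumptions drawn from the names in this thread, not a signature, so every hit is something for a human to confirm.

```python
"""Triage helper for HijackThis and ComboFix logs of the kind posted in this thread.

Added example, not a BleepingComputer, HijackThis or ComboFix tool. The rules are
assumptions drawn from the file names visible in the thread (Vundo-style names),
not a signature database, so every hit is a candidate for a human to confirm.
"""
import re

# Constructed sample input, modelled on lines that appear in the thread's logs.
HJT_SAMPLE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE} - C:\WINDOWS\system32\vtutrqp.dll
O2 - BHO: (no name) - {27989C6F-98FF-4C41-9F8F-E7D3AC632C2E} - (no file)
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [984853ac] rundll32.exe "C:\WINDOWS\system32\xqmfossa.dll",b
O20 - Winlogon Notify: artqifav - artqifav.dll (file missing)
O20 - Winlogon Notify: vtutrqp - C:\WINDOWS\SYSTEM32\vtutrqp.dll
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""
COMBOFIX_SAMPLE = r"""
2007-11-24 21:53 775,832 --ahs---- C:\WINDOWS\SYSTEM32\semnqseo.ini
2007-11-24 21:53 85,056 --a------ C:\WINDOWS\SYSTEM32\oesqnmes.dll
2007-11-19 16:44 37,376 --a------ C:\WINDOWS\SYSTEM32\urqpnop.dll
2007-11-16 15:29 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2007-11-15 13:57 669,731 --ahs---- C:\WINDOWS\SYSTEM32\assofmqx.ini
2007-11-09 18:06 147,456 --a------ C:\WINDOWS\SYSTEM32\vbzip10.dll
"""
# date time size-or-<DIR> nine-char attribute field path  (ComboFix "Files Created" style)
CF_LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+(?:[\d,]+|<DIR>)\s+(\S{9})\s+(.+)$")


def stem_ext(path):
    """Split the file name off a Windows path into ('semnqseo', 'ini'), lower-cased."""
    name = path.rsplit("\\", 1)[-1].lower()
    stem, _, ext = name.rpartition(".")
    return (stem or name), ext


def looks_generated(stem):
    """Heuristic (assumption): 5-8 lowercase letters that walk the alphabet in small
    steps, like vtutrqp, wvuusqr, nnnopqq or opnklji in this thread."""
    if not re.fullmatch(r"[a-z]{5,8}", stem):
        return False
    steps = [abs(ord(a) - ord(b)) for a, b in zip(stem, stem[1:])]
    return sum(steps) / len(steps) <= 2.0


def triage_hijackthis(text):
    """Return (reason, path_or_None, line) for entries matching the thread's patterns."""
    hits = []
    for line in text.strip().splitlines():
        kind, _, rest = line.partition(" - ")
        target = rest.rsplit(" - ", 1)[-1]          # last field is the file, if any
        if kind in ("O2", "O3") and "(no name)" in rest:
            hits.append(("unnamed BHO/toolbar", None if target == "(no file)" else target, line))
        elif kind == "O4":
            m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?,(\w+)', rest, re.I)
            if m and len(m.group(2)) == 1:          # e.g. "...\xqmfossa.dll",b
                hits.append(("rundll32 with one-letter export", m.group(1), line))
            elif re.search(r"\\svchost\.exe$", rest, re.I) and "system32" not in rest.lower():
                hits.append(("svchost.exe outside System32", rest.split("] ", 1)[-1], line))
        elif kind == "O20" and rest.startswith("Winlogon Notify"):
            dll = target.split(" (")[0]
            if "(file missing)" in target or looks_generated(stem_ext(dll)[0]):
                hits.append(("Winlogon Notify DLL missing or generated-looking", dll, line))
    return hits


def triage_combofix(text, known_dll_stems=()):
    """Flag hidden+system .ini files whose stem is a .dll stem spelled backwards (the
    .dll may be in the listing or in known_dll_stems) and generated-looking .dll names."""
    entries = [(m.group(1), m.group(2), *stem_ext(m.group(2)))
               for m in map(CF_LINE.match, text.strip().splitlines()) if m]
    dll_stems = {s for _, _, s, e in entries if e == "dll"} | set(known_dll_stems)
    hits = []
    for attrs, path, stem, ext in entries:
        if ext == "ini" and "h" in attrs and "s" in attrs and stem[::-1] in dll_stems:
            hits.append(("hidden .ini paired with " + stem[::-1] + ".dll", path))
        elif ext == "dll" and looks_generated(stem):
            hits.append(("generated-looking DLL name", path))
    return hits


def build_cfscript(hjt_hits, cf_hits):
    """Render the absolute paths as the File:: block ComboFix reads from a CFScript."""
    paths = {}
    for p in [p for _, p, _ in hjt_hits if p and ":\\" in p] + [p for _, p in cf_hits]:
        paths.setdefault(p.lower(), p)              # dedupe case-insensitively
    return "File::\n" + "\n".join(paths[k] for k in sorted(paths)) + "\n"


def candidate_paths(hjt_text=HJT_SAMPLE, cf_text=COMBOFIX_SAMPLE):
    """Run both triages; DLL stems found by HijackThis help pair orphaned .ini files."""
    hjt = triage_hijackthis(hjt_text)
    cf = triage_combofix(cf_text, [stem_ext(p)[0] for _, p, _ in hjt if p])
    return build_cfscript(hjt, cf)


if __name__ == "__main__":
    print("\n".join(f"[{r}] {l}" for r, _, l in triage_hijackthis(HJT_SAMPLE)))
    print(candidate_paths())
```

Two things to keep in mind when reading the output. First, the script only prints; it deletes nothing. A File:: block is a deletion list once ComboFix consumes it, as the "FILE" and "Other Deletions" sections of the log in post #9 show, so the printed list is a draft for a helper to vet, not something to drag onto ComboFix unreviewed. Second, the reversed-name pairing is the most reliable of the rules because it needs two artefacts to agree; the name-shape heuristic on its own will eventually hit a legitimate file, which is why the thread's helper also cross-checks every name against the load points (BHO, Winlogon Notify, Run, ShellExecuteHooks, LSA Authentication Packages) in the ComboFix "Reg Loading Points" section before listing it.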


#9 jajacks (Topic Starter)

Posted 30 November 2007 - 08:38 PM

Those last instructions must've freaked out the malware, because when I clicked "fix" HijackThis went non-responsive and Spybot was noting changes (registry deletes). I'm getting warning pop-ups and browser ad pop-ups again, unfortunately. So, I had to reboot and re-run Hijack. I deleted the entries that were very, very similar (I know this specific trojan changes its file name). However, the icons are back on my desktop. Nonetheless, I followed the instructions concerning ComboFix, and I'm in the same predicament. This bug is vicious.

Thanks for your help, and here are the logs.
- - - - - -
ComboFix
- - - - - -
ComboFix 07-11-19.4 - Jesse 2007-11-30 19:11:31.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1410 [GMT -6:00]
Running from: C:\Documents and Settings\Jesse\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jesse\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\6615.bat
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\SYSTEM32\1359CA5704.sys
C:\WINDOWS\SYSTEM32\asnuyblk.dll
C:\WINDOWS\SYSTEM32\assofmqx.ini
C:\WINDOWS\SYSTEM32\cksiwlyt.dll
C:\WINDOWS\SYSTEM32\iiroooan.dll
C:\WINDOWS\SYSTEM32\jlnmp.bak1
C:\WINDOWS\SYSTEM32\jlnmp.bak2
C:\WINDOWS\SYSTEM32\jlnmp.ini2
C:\WINDOWS\SYSTEM32\klbyunsa.ini
C:\WINDOWS\SYSTEM32\mljgggh.dll
C:\WINDOWS\SYSTEM32\naooorii.ini
C:\WINDOWS\SYSTEM32\nnnopqq.dll
C:\WINDOWS\SYSTEM32\opnklji.dll
C:\WINDOWS\SYSTEM32\ptpqhquu.ini
C:\WINDOWS\SYSTEM32\tylwiskc.ini
C:\WINDOWS\SYSTEM32\urqpnop.dll
C:\WINDOWS\SYSTEM32\uuqhqptp.dll
C:\WINDOWS\SYSTEM32\vtuvuvs.dll
C:\WINDOWS\SYSTEM32\wvutsrp.dll
C:\WINDOWS\SYSTEM32\wvuusqr.dll
C:\WINDOWS\unvise32.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\6615.bat
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Jesse\Favorites\Online Security Guide.lnk
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\SYSTEM32\1359CA5704.sys
C:\WINDOWS\SYSTEM32\asnuyblk.dll
C:\WINDOWS\SYSTEM32\assofmqx.ini
C:\WINDOWS\SYSTEM32\cksiwlyt.dll
C:\WINDOWS\SYSTEM32\iiroooan.dll
C:\WINDOWS\SYSTEM32\jlnmp.bak1
C:\WINDOWS\SYSTEM32\jlnmp.bak2
C:\WINDOWS\SYSTEM32\jlnmp.ini2
C:\WINDOWS\SYSTEM32\klbyunsa.ini
C:\WINDOWS\SYSTEM32\klnmp.ini
C:\WINDOWS\SYSTEM32\klnmp.ini2
C:\WINDOWS\SYSTEM32\mljgggh.dll
C:\WINDOWS\SYSTEM32\naooorii.ini
C:\WINDOWS\SYSTEM32\nnnopqq.dll
C:\WINDOWS\SYSTEM32\opnklji.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmnlk.dll
C:\WINDOWS\SYSTEM32\ptpqhquu.ini
C:\WINDOWS\SYSTEM32\tylwiskc.ini
C:\WINDOWS\system32\ublzdgnn.dllbox
C:\WINDOWS\SYSTEM32\urqpnop.dll
C:\WINDOWS\SYSTEM32\uuqhqptp.dll
C:\WINDOWS\SYSTEM32\vtuvuvs.dll
C:\WINDOWS\SYSTEM32\wvutsrp.dll
C:\WINDOWS\SYSTEM32\wvuusqr.dll
C:\WINDOWS\unvise32.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-01 to 2007-12-01 )))))))))))))))))))))))))))))))
.

2007-11-30 19:18 20,608 ---hs---- C:\WINDOWS\SYSTEM32\ublzdgnn.dllbox
2007-11-30 19:06 37,376 --a------ C:\WINDOWS\SYSTEM32\fccdawv.dll
2007-11-30 19:00 145,984 --a------ C:\WINDOWS\SYSTEM32\ublzdgnn.dll
2007-11-30 19:00 145,984 --a------ C:\WINDOWS\SYSTEM32\lpdcrhyq.dll
2007-11-30 14:35 <DIR> d-------- C:\Program Files\Musicnotes
2007-11-30 14:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Musicnotes
2007-11-30 11:18 793,664 --ahs---- C:\WINDOWS\SYSTEM32\lsodomkx.ini
2007-11-30 11:15 78,912 --a------ C:\WINDOWS\SYSTEM32\shvortla.dll
2007-11-29 11:19 77,888 --a------ C:\WINDOWS\SYSTEM32\btudomqk.dll
2007-11-29 11:16 789,659 --ahs---- C:\WINDOWS\SYSTEM32\kvohgsqn.ini
2007-11-29 11:16 85,056 --a------ C:\WINDOWS\SYSTEM32\nqsghovk.dll
2007-11-29 11:11 37,376 --a------ C:\WINDOWS\SYSTEM32\cbxwutt.dll
2007-11-27 18:07 85,056 --a------ C:\WINDOWS\SYSTEM32\stvutvqo.dll
2007-11-27 18:07 294 --ahs---- C:\WINDOWS\SYSTEM32\oqvtuvts.ini
2007-11-26 17:54 36,864 --a------ C:\WINDOWS\SYSTEM32\nnnljif.dll
2007-11-26 17:54 260 --a------ C:\8110.bat
2007-11-24 21:53 775,832 --ahs---- C:\WINDOWS\SYSTEM32\semnqseo.ini
2007-11-24 21:53 85,056 --a------ C:\WINDOWS\SYSTEM32\oesqnmes.dll
2007-11-24 10:09 260 --a------ C:\6254.bat
2007-11-23 22:50 <DIR> d-------- C:\Program Files\Shareaza
2007-11-23 22:50 <DIR> d-------- C:\Documents and Settings\Jesse\Application Data\Shareaza
2007-11-23 22:09 <DIR> d-------- C:\Program Files\BearShare
2007-11-23 21:47 775,832 --ahs---- C:\WINDOWS\SYSTEM32\mxiahigy.ini
2007-11-16 15:29 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2007-11-16 15:29 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2007-11-16 15:04 <DIR> d-------- C:\Documents and Settings\Jesse\.housecall6.6
2007-11-16 14:53 <DIR> d-------- C:\VundoFix Backups
2007-11-15 14:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-15 14:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-14 17:00 <DIR> d-------- C:\Temp\abW9
2007-11-13 10:38 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-11-13 10:35 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
2007-11-09 18:06 147,456 --a------ C:\WINDOWS\SYSTEM32\vbzip10.dll
2007-11-09 18:01 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-08 14:50 <DIR> d-------- C:\Documents and Settings\Jesse\Application Data\Flock
2007-11-08 14:49 <DIR> d-------- C:\Program Files\Flock

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-01 01:04 --------- d-----w C:\Program Files\lg_fwupdate
2007-11-24 17:25 --------- d-----w C:\Documents and Settings\Jesse\Application Data\U3
2007-11-15 22:26 --------- d-----w C:\Program Files\VVSN
2007-11-15 20:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-15 20:07 --------- d-----w C:\Program Files\World of Warcraft
2007-11-14 22:58 --------- d-----w C:\Program Files\McAfee
2007-11-13 22:36 --------- d-----w C:\Program Files\Common Files\McAfee
2007-11-12 22:22 --------- d-----w C:\Documents and Settings\Jesse\Application Data\nView_Wallpaper
2007-10-29 23:27 --------- d-----w C:\Program Files\Cleaner 5 EZ
2007-10-29 17:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-27 01:17 --------- d-----w C:\Program Files\EA GAMES
2007-10-25 16:05 --------- d-----w C:\Program Files\NCSoft
2007-10-25 15:56 --------- d-----w C:\Program Files\support.com
2007-10-25 12:02 --------- d-----w C:\Program Files\BroadJump
2007-10-25 12:00 --------- d-----w C:\Program Files\Common Files\SupportSoft
2007-10-21 17:28 --------- d-----w C:\Program Files\iTunes
2007-10-21 17:28 --------- d-----w C:\Program Files\iPod
2007-10-21 17:26 --------- d-----w C:\Program Files\Apple Software Update
2007-10-18 21:43 --------- d-----w C:\Program Files\Java
2007-10-18 02:51 --------- d-----w C:\Program Files\Microsoft Silverlight
2007-10-12 22:07 --------- d-----w C:\Program Files\Lavasoft
2007-10-12 21:55 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Talkback
2007-01-10 18:15 839,688 ----a-w C:\WINDOWS\Fonts\Crack.exe
2007-01-10 18:15 290,818 ----a-w C:\WINDOWS\Fonts\Setup.exe
2005-05-12 05:36 12,288 -c--a-w C:\WINDOWS\Fonts\RandFont.dll
2004-10-01 21:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2002-07-26 22:02 153,088 ----a-w C:\Program Files\UNWISE.EXE
2005-11-11 19:52 1,682 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2007-11-26_17.54.36.18 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 04:08:00 60,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\drmk.sys
+ 2004-08-04 05:08:00 60,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\drmk.sys
- 2004-08-04 04:15:22 140,928 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ks.sys
+ 2004-08-04 05:15:22 140,928 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ks.sys
- 2004-08-04 04:15:50 145,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\portcls.sys
+ 2004-08-04 05:15:50 145,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\portcls.sys
- 2004-08-04 04:08:04 48,640 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\stream.sys
+ 2004-08-04 05:08:04 48,640 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\stream.sys
- 2004-08-04 04:08:00 60,288 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\drmk.sys
+ 2004-08-04 05:08:00 60,288 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\drmk.sys
- 2004-08-04 04:15:22 140,928 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\ks.sys
+ 2004-08-04 05:15:22 140,928 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\ks.sys
- 2004-08-04 04:15:50 145,792 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\portcls.sys
+ 2004-08-04 05:15:50 145,792 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\portcls.sys
- 2004-08-04 04:08:04 48,640 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\stream.sys
+ 2004-08-04 05:08:04 48,640 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\stream.sys
- 2007-11-26 23:36:07 63,016 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2007-12-01 01:22:25 63,016 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2007-11-26 23:36:07 402,406 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2007-12-01 01:22:25 402,406 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2004-08-04 04:08:00 60,288 ----a-w C:\WINDOWS\SYSTEM32\ReinstallBackups\0026\DriverFiles\i386\drmk.sys
+ 2004-08-04 04:15:22 140,928 ----a-w C:\WINDOWS\SYSTEM32\ReinstallBackups\0026\DriverFiles\i386\ks.sys
+ 2004-08-04 06:56:44 4,096 ----a-w C:\WINDOWS\SYSTEM32\ReinstallBackups\0026\DriverFiles\i386\ksuser.dll
+ 2004-08-04 04:15:50 145,792 ----a-w C:\WINDOWS\SYSTEM32\ReinstallBackups\0026\DriverFiles\i386\portcls.sys
+ 2004-08-04 04:08:04 48,640 ----a-w C:\WINDOWS\SYSTEM32\ReinstallBackups\0026\DriverFiles\i386\stream.sys
+ 2006-04-04 20:45:18 2,400,648 ----a-w C:\WINDOWS\SYSTEM32\ReinstallBackups\0026\DriverFiles\madiousb.dll
+ 2006-04-04 19:42:38 19,456 ----a-w C:\WINDOWS\SYSTEM32\ReinstallBackups\0026\DriverFiles\mausbasio.dll
+ 2006-04-04 19:42:34 106,112 ----a-w C:\WINDOWS\SYSTEM32\ReinstallBackups\0026\DriverFiles\mausbft.sys
+ 2007-11-30 17:18:21 85,056 ----a-w C:\WINDOWS\SYSTEM32\xkmodosl.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE}]
2007-11-26 17:22 36864 --a------ C:\WINDOWS\system32\vtutrqp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{725B80C7-6FA6-4188-813D-9F737C5C79E4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{749076E3-5635-44E5-8B8D-7791878A8041}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-30 19:00 145984 --a------ C:\WINDOWS\system32\ublzdgnn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\ublzdgnn.dll [2007-11-30 19:00 145984]

[HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\ublzdgnn.dll [2007-11-30 19:00 145984]

[HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\progra~1\valve\steam\steam.exe" [2007-11-29 17:15]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-15 12:25]
"PowerBar"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 17:16]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 12:16]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00]
"CTHelper"="CTHELPER.EXE" [2004-03-11 09:50 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 16:54]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 08:50]
"HPHUPD08"="C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 10:35]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 05:00 C:\WINDOWS\SYSTEM32\RUNDLL32.EXE]
"nwiz"="nwiz.exe" [2006-03-09 14:29 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 05:00 C:\WINDOWS\SYSTEM32\RUNDLL32.EXE]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-10 00:04]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 00:01]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52]
"PCLEUSBTip"="C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2006-01-23 15:42]
"USB2Check"="RUNDLL32.exe" [2004-08-04 05:00 C:\WINDOWS\SYSTEM32\RUNDLL32.EXE]
"USBToolTip"="C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" [2006-01-23 15:42]
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [2003-11-10 16:06]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-04-04 23:33]
"M-Audio Taskbar Icon"="C:\WINDOWS\System32\M-AudioTaskBarIcon.exe" [2006-04-04 13:42]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2006-10-31 23:04]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" []
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-01-05 15:21]
"984853ac"="C:\WINDOWS\system32\xqmfossa.dll" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-11-12 11:38:16]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 00:49:24]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-02-15 12:25:55]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-04-25 16:32:48]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - C:\Program Files\WiFiConnector\NintendoWFCReg.exe [2005-11-17 22:31:16]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE}"= C:\WINDOWS\system32\vtutrqp.dll [2007-11-26 17:22 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ublzdgnn]
ublzdgnn.dll 2007-11-30 19:00 145984 C:\WINDOWS\SYSTEM32\ublzdgnn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtutrqp]
vtutrqp.dll 2007-11-26 17:22 36864 C:\WINDOWS\SYSTEM32\vtutrqp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnlk.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R2 elagopro;GoProto Protocol Driver for LELA;C:\WINDOWS\system32\DRIVERS\elagopro.sys
R2 elaunidr;UniDriver for LELA;C:\WINDOWS\system32\DRIVERS\elaunidr.sys
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\LNE100V5.sys
R3 MAUSBFT;Service for M-Audio Fast Track USB (WDM);C:\WINDOWS\system32\DRIVERS\mausbft.sys
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 o1394bul;o1394bul;\??\C:\DOCUME~1\Jesse\LOCALS~1\Temp\o1394bul.sys
S3 ss_bus;Samsung Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-28 04:07:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-15 06:25:09 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2007-08-01 06:00:21 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-30 19:18:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ????????????l?@?l?@?D?????A~??????????????A~l?@?l?@????? ???????????W?D~??A~??????A~K?A~x???????[?A~???????? ??????????????|x???0????????????n????A~?????????????????:'?F???P???????l?@?l?@?????Q?B~????t?@?????l?@?8?@?l?@?3??s????????????????????8?@?_??s8?@?8?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-30 19:24:13 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-26 17:55
.
--- E O F ---
- - - - - -
HijackThis
- - - - - -
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:07 PM, on 11/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jesse\Desktop\fluffybunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE} - C:\WINDOWS\system32\vtutrqp.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {725B80C7-6FA6-4188-813D-9F737C5C79E4} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\ublzdgnn.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\ublzdgnn.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [PCLEUSBTip] C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [984853ac] rundll32.exe "C:\WINDOWS\system32\xqmfossa.dll",b
O4 - HKCU\..\Run: [Steam] "c:\progra~1\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157659659252
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: ublzdgnn - C:\WINDOWS\SYSTEM32\ublzdgnn.dll
O20 - Winlogon Notify: vtutrqp - C:\WINDOWS\SYSTEM32\vtutrqp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: M-Audio Fast Track Installer (FastTrackInstallerService) - Avid Technology, Inc. - C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 14356 bytes

#10 rookie147

rookie147

Posted 01 December 2007 - 04:22 PM

Double-click VundoFix.exe to run it.
When VundoFix re-opens, click "Scan for Vundo" button.
Once the scan is complete, right click inside the listbox (white box) and click "Add More Files".
Copy and paste the entries below into the top boxes:

C:\WINDOWS\system32\ublzdgnn.dll
C:\WINDOWS\system32\vtutrqp.dll


Click "Add Files" and click "Close Window".
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your Desktop will go blank as it starts removing Vundo - this is normal.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.

Download GMER from here:
http://www.gmer.net/files.php
Unzip it to the Desktop.
Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run, click Copy and paste the results (if any) into this thread.

Please include VundoFix.txt and a new HijackThis log in your next reply, along with the gmer log.
Thanks,
Charles

Edited by rookie147, 01 December 2007 - 04:22 PM.

If you are pleased with the service I have offered, you may like to consider making a donation.


#11 jajacks

jajacks
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:01:26 PM

Posted 02 December 2007 - 02:08 AM

I ran VundoFix and it found two additional files. I added the ones you asked for and clicked remove. The program stated that it had to be rebooted to delete a certain file "vtutrqp.dll". I rebooted it and followed instructions. After the reboot, the program stated again that the file couldn't be deleted and the computer must be rebooted. I complied and allowed a reboot. Upon loading back up (before explorer loaded), VundoFix showed no more files. I then clicked on Scan for Vundo (maybe I shouldn't have) and VundoFix went non-responsive. I shut the process down and explorer pulled up immediately.

I then ran GMER. During the first scan, GMER went non-responsive. I closed it and re-ran the scan. The scan finished anti-climactically, with no bells, whistles, or reports. I clicked on Copy nonetheless, and will list the report here.

Thank you again for your time. Here are the logs you requested.

-Jesse

P.S. - I glanced at the VundoFix log and it seems incomplete. I imagine that's due to the program stalling. But nonetheless, I wanted to let you know that the log is pasted exactly word-for-word. And a side note, the pop-up ads and desktop icons seem to be gone again (YAY!) :-) Also, I think I should tell you (in case I haven't already) that every once in a while, Spybot will catch a browser toolbar trying to install itself. I'll block it, of course. However, it comes back up again, and I'll check the "remember this action" box and re-block it. Spybot will then run an endless loop of block reports from my system tray. This thing is nasty.

- - - - - -
GMER
- - - - - -
GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-12-02 00:36:07
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateProcessEx
Code \SystemRoot\system32\drivers\mfehidk.sys ZwMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys ZwProtectVirtualMemory
Code \SystemRoot\system32\drivers\mfehidk.sys ZwSetContextThread
Code \SystemRoot\system32\drivers\mfehidk.sys ZwSetInformationProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwTerminateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwUnmapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwYieldExecution
Code \SystemRoot\system32\drivers\mfehidk.sys NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys NtSetInformationProcess

---- Kernel code sections - GMER 1.0.13 ----

.text ntoskrnl.exe!ZwYieldExecution 80509014 7 Bytes JMP B25A09A8 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!NtOpenProcess 8057908C 5 Bytes JMP B25A0904 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 805793A1 7 Bytes JMP B25A0992 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!NtCreateFile 8057D3C4 5 Bytes JMP B25A097E \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8057E2A3 5 Bytes JMP B25A09D4 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!NtMapViewOfSection 8057E71B 7 Bytes JMP B25A09BE \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!NtSetInformationProcess 80581B2D 5 Bytes JMP B25A0956 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwCreateProcessEx 8058AB10 7 Bytes JMP B25A0940 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwTerminateProcess 8058C399 5 Bytes JMP B25A09ED \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!NtOpenThread 805B132C 5 Bytes JMP B25A0918 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwCreateProcess 805C0BF0 5 Bytes JMP B25A092C \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwSetContextThread 80633D53 5 Bytes JMP B25A096A \SystemRoot\system32\drivers\mfehidk.sys

---- User code sections - GMER 1.0.13 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[268] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[268] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 008A0FEF
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 008A0F33
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 008A0F4E
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 008A0F6B
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 008A0F7C
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 008A0FA8
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008A0060
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008A004F
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008A008C
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008A007B
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 008A00B1
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 008A0F8D
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 008A0FDE
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 008A0F18
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 008A0FB9
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 008A000A
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 008A0EFD
.text C:\WINDOWS\system32\svchost.exe[600] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00890040
.text C:\WINDOWS\system32\svchost.exe[600] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00890FB9
.text C:\WINDOWS\system32\svchost.exe[600] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00890FE5
.text C:\WINDOWS\system32\svchost.exe[600] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00890025
.text C:\WINDOWS\system32\svchost.exe[600] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00890076
.text C:\WINDOWS\system32\svchost.exe[600] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00890FCA
.text C:\WINDOWS\system32\svchost.exe[600] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0089000A
.text C:\WINDOWS\system32\svchost.exe[600] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00890051
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00070086
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0007006B
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00070F91
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 0007004E
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00070FB6
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00070F62
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 000700A8
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!CreateProcessW 7C802332 1 Byte [ E9 ]
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!CreateProcessW + 2 7C802334 3 Bytes [ EB, 86, 83 ]
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00070F47
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 000700EA
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 0007003D
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00070097
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00070022
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00070011
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 000700C5
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 0006001B
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00060F9B
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00060FCA
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00060FDB
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00060058
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 0006003D
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 0006002C
.text C:\WINDOWS\system32\services.exe[840] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0004000A
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00FD0F77
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00FD006C
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00FD0F92
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00FD0FAF
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00FD002C
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00FD0F4B
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00FD0093
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00FD00B8
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00FD0F1F
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00FD0EFA
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00FD0051
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00FD0011
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00FD0F66
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00FD0FCA
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00FD0FDB
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00FD0F30
.text C:\WINDOWS\system32\lsass.exe[852] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00F4002F
.text C:\WINDOWS\system32\lsass.exe[852] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00F40FA1
.text C:\WINDOWS\system32\lsass.exe[852] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00F40FDE
.text C:\WINDOWS\system32\lsass.exe[852] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\system32\lsass.exe[852] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00F40FB2
.text C:\WINDOWS\system32\lsass.exe[852] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00F4004A
.text C:\WINDOWS\system32\lsass.exe[852] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00F4000A
.text C:\WINDOWS\system32\lsass.exe[852] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00F40FC3
.text C:\WINDOWS\system32\lsass.exe[852] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00F1000A
.text C:\WINDOWS\system32\lsass.exe[852] WININET.dll!InternetOpenW 771BAF2D 5 Bytes JMP 00F2000A
.text C:\WINDOWS\system32\lsass.exe[852] WININET.dll!InternetOpenA 771C58DA 5 Bytes JMP 00F20FE5
.text C:\WINDOWS\system32\lsass.exe[852] WININET.dll!InternetOpenUrlA 771C5BA6 5 Bytes JMP 00F2001B
.text C:\WINDOWS\system32\lsass.exe[852] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00F20FC8
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0085000A
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0085007D
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0085006C
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0085005B
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00850F9E
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00850025
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00850F37
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00850F52
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 0085009A
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00850F01
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 008500AB
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00850040
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00850FE5
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00850F6D
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00850FB9
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00850FCA
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00850F1C
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00840025
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00840F97
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00840000
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00840FCA
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00840FA8
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 0084004A
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00840FEF
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00840FB9
.text C:\WINDOWS\system32\svchost.exe[1072] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00820FEF
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A10000
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A10059
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A10F6E
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A10F7F
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A10F90
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A10FB2
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A10096
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A10085
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A10F33
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A100CC
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00A100E7
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00A10FA1
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00A10FEF
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00A1006A
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00A10FC3
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00A10FD4
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00A100B1
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00A00FDB
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00A00062
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00A0002C
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00A00011
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00A00FA5
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00A00051
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00A00000
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00A00FCA
.text C:\WINDOWS\system32\svchost.exe[1120] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 009E0FEF
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0399000A
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 03990F92
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 03990FA3
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0399007D
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 03990FCA
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 03990051
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 039900AE
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 03990F5C
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 03990F1F
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 03990F3A
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 03990F0E
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 03990062
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 0399001B
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 03990F77
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 03990FE5
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 03990036
.text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 03990F4B
.text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 03980040
.text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 03980091
.text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 03980025
.text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 03980014
.text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 03980FD4
.text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 03980076
.text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 03980FEF
.text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 03980051
.text C:\WINDOWS\System32\svchost.exe[1212] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 037C0000
.text C:\WINDOWS\System32\svchost.exe[1212] WININET.dll!InternetOpenW 771BAF2D 5 Bytes JMP 03920FE5
.text C:\WINDOWS\System32\svchost.exe[1212] WININET.dll!InternetOpenA 771C58DA 5 Bytes JMP 03920000
.text C:\WINDOWS\System32\svchost.exe[1212] WININET.dll!InternetOpenUrlA 771C5BA6 5 Bytes JMP 03920FCA
.text C:\WINDOWS\System32\svchost.exe[1212] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 03920FB9
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 007F0FEF
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 007F0F50
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 007F0045
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 007F0F61
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 007F0F7C
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 007F0FB2
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 007F007D
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 007F0F35
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 007F0EEE
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 007F0F09
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 007F0EDD
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 007F0F97
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 007F0FDE
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 007F0060
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 007F0FC3
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 007F0014
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 007F0F1A
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 007E0FDB
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 007E0F9E
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 007E002C
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 007E0011
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 007E005B
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 007E0FAF
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 007E0000
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 007E0FC0
.text C:\WINDOWS\system32\svchost.exe[1288] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 007C0FEF
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00CA0000
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00CA005D
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00CA0F72
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00CA0F83
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00CA0F94
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00CA0FCA
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00CA0F4B
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00CA0093
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00CA00C9
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00CA00B8
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00CA0F1F
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00CA0FB9
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00CA0011
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00CA0082
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00CA0FDB
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00CA002C
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00CA0F3A
.text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 0097001B
.text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00970F8A
.text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00970FCA
.text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00970FDB
.text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00970F9B
.text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 0097003D
.text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00970000
.text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 0097002C
.text C:\WINDOWS\system32\svchost.exe[1532] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00940FEF
.text C:\WINDOWS\system32\svchost.exe[1532] WININET.dll!InternetOpenW 771BAF2D 5 Bytes JMP 00950FEF
.text C:\WINDOWS\system32\svchost.exe[1532] WININET.dll!InternetOpenA 771C58DA 5 Bytes JMP 00950000
.text C:\WINDOWS\system32\svchost.exe[1532] WININET.dll!InternetOpenUrlA 771C5BA6 5 Bytes JMP 00950025
.text C:\WINDOWS\system32\svchost.exe[1532] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00950FC8
.text C:\WINDOWS\System32\svchost.exe[3452] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001A0000
.text C:\WINDOWS\System32\svchost.exe[3452] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001A0F66
.text C:\WINDOWS\System32\svchost.exe[3452] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001A0F81
.text C:\WINDOWS\System32\svchost.exe[3452] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001A005B
.text C:\WINDOWS\System32\svchost.exe[3452] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001A004A
.text C:\WINDOWS\System32\svchost.exe[3452] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001A0FB9
.text C:\WINDOWS\System32\svchost.exe[3452] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001A0080
.text C:\WINDOWS\System32\svchost.exe[3452] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001A0F38
.text C:\WINDOWS\System32\svchost.exe[3452] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001A00C7
.text C:\WINDOWS\System32\svchost.exe[3452] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001A00AC
.text C:\WINDOWS\System32\svchost.exe[3452] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 001A0F13
.text C:\WINDOWS\System32\svchost.exe[3452] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 001A0FA8
.text C:\WINDOWS\System32\svchost.exe[3452] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 001A001B
.text C:\WINDOWS\System32\svchost.exe[3452] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 001A0F55
.text C:\WINDOWS\System32\svchost.exe[3452] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 001A0FCA
.text C:\WINDOWS\System32\svchost.exe[3452] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\System32\svchost.exe[3452] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 001A0091
.text C:\WINDOWS\System32\svchost.exe[3452] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00280FB9
.text C:\WINDOWS\System32\svchost.exe[3452] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00280051
.text C:\WINDOWS\System32\svchost.exe[3452] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00280FCA
.text C:\WINDOWS\System32\svchost.exe[3452] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00280000
.text C:\WINDOWS\System32\svchost.exe[3452] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00280040
.text C:\WINDOWS\System32\svchost.exe[3452] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00280025
.text C:\WINDOWS\System32\svchost.exe[3452] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00280FEF
.text C:\WINDOWS\System32\svchost.exe[3452] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00280F9E
.text C:\WINDOWS\System32\svchost.exe[3452] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 006D0000
.text C:\Program Files\Mozilla Firefox\firefox.exe[3864] kernel32.dll!MultiByteToWideChar 7C809BF8 5 Bytes JMP 1000CC82 C:\WINDOWS\system32\sstts.dll

---- User IAT/EAT - GMER 1.0.13 ----

IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [024973CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [02497376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [02497376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [024973CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [024973CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [02497376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [02497376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [024973CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [024973CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [02497376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [02497376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [024973CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [024973CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [02497376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [024973CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [02497376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [024973CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [02497376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [02497376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [024973CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [024973CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [02497376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [02497376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [024973CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [02497376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!SetUnhandledExceptionFilter] [024973CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\SAMLIB.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [024973CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [024973CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] [02497376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [024973CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [02497376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [02497376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3864] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [024973CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [B25A32C7] mfehidk.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_READ [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_POWER [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_READ [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [B343810E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [B343810E] Mpfp.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [B25A32C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [B25A32C7] mfehidk.sys

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [A991440B] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [A991440B] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [A991440B] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [A991440B] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [A991440B] tfsnifs.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [A991458F] tfsnifs.sys

---- Registry - GMER 1.0.13 ----

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0x2E 0xE8 0xE1 0x00 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...
Reg \Registry\USER\S-1-5-21-2906200601-267674079-856787748-1006\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY@?? 0x25 0xF0 0xF1 0x8D ...
Reg \Registry\USER\S-1-5-21-2906200601-267674079-856787748-1006\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY@?? 0x01 0x46 0xDC 0x17 ...

---- EOF - GMER 1.0.13 ----

- - - - - -
VundoFix
- - - - - -
VundoFix V6.6.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 2:53:41 PM 11/16/2007

Listing files found while scanning....

C:\windows\SYSTEM32\hbaylsep.dll
C:\WINDOWS\system32\mmhbbkpi.dll
C:\windows\SYSTEM32\ymprypqa.dll

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\hbaylsep.dll
C:\windows\SYSTEM32\hbaylsep.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mmhbbkpi.dll
C:\WINDOWS\system32\mmhbbkpi.dll Could not be deleted.

Attempting to delete C:\windows\SYSTEM32\ymprypqa.dll
C:\windows\SYSTEM32\ymprypqa.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mmhbbkpi.dll
C:\WINDOWS\system32\mmhbbkpi.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 1:28:56 PM 11/18/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.6.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 4:53:00 PM 11/19/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.6.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 12:57:37 PM 11/25/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\system32\wvuusqr.dll
C:\WINDOWS\system32\wvuusqr.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\wvuusqr.dll
C:\WINDOWS\system32\wvuusqr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\wvuusqr.dll
C:\WINDOWS\system32\wvuusqr.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\wvuusqr.dll
C:\WINDOWS\system32\wvuusqr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.6.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 3:31:12 PM 11/25/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.6.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 10:14:27 PM 12/1/2007

Listing files found while scanning....


VundoFix V6.6.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 10:19:24 PM 12/1/2007

Listing files found while scanning....


VundoFix V6.6.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 10:52:17 PM 12/1/2007

Listing files found while scanning....

C:\windows\SYSTEM32\lpdcrhyq.dll
C:\WINDOWS\system32\ublzdgnn.dll

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\lpdcrhyq.dll
C:\windows\SYSTEM32\lpdcrhyq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ublzdgnn.dll
C:\WINDOWS\system32\ublzdgnn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtutrqp.dll
C:\WINDOWS\system32\vtutrqp.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\vtutrqp.dll
C:\WINDOWS\system32\vtutrqp.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.6.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 11:59:28 PM 12/1/2007

Listing files found while scanning....

- - - - -
HijackThis
- - - - -
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:20 AM, on 12/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Jesse\Desktop\gmer\gmer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\Jesse\Desktop\fluffybunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE} - C:\WINDOWS\system32\vtutrqp.dll
O2 - BHO: (no name) - {3C18B21A-1424-46EB-8300-3EB7ABA3EAB0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {725B80C7-6FA6-4188-813D-9F737C5C79E4} - (no file)
O2 - BHO: (no name) - {726DA195-1EED-4DAB-B4C3-1A18E74C37F4} - C:\WINDOWS\system32\sstts.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [PCLEUSBTip] C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [984853ac] rundll32.exe "C:\WINDOWS\system32\xqmfossa.dll",b
O4 - HKCU\..\Run: [Steam] "c:\progra~1\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157659659252
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: M-Audio Fast Track Installer (FastTrackInstallerService) - Avid Technology, Inc. - C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 14289 bytes

#12 rookie147

  • Members
  • 5,321 posts

Posted 02 December 2007 - 04:29 PM

Hello again Jesse,
It looks like things are starting to get a little better, but we still have quite a large number of infected files that need deleting. I think the main reason behind your Spybot alerts was the Vundo infection which specifically installs browser toolbars that point to infected files. Therefore, the more we remove of this malware, the fewer of these alerts should be caused, but please let me know if this persists and we will try to prevent it.

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O2 - BHO: (no name) - {1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE} - C:\WINDOWS\system32\vtutrqp.dll
O2 - BHO: (no name) - {3C18B21A-1424-46EB-8300-3EB7ABA3EAB0} - (no file)
O2 - BHO: (no name) - {725B80C7-6FA6-4188-813D-9F737C5C79E4} - (no file)
O2 - BHO: (no name) - {726DA195-1EED-4DAB-B4C3-1A18E74C37F4} - C:\WINDOWS\system32\sstts.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [984853ac] rundll32.exe "C:\WINDOWS\system32\xqmfossa.dll",b


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!),which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\system32\vtutrqp.dll
C:\WINDOWS\SYSTEM32\ublzdgnn.dllbox
C:\WINDOWS\SYSTEM32\fccdawv.dll
C:\WINDOWS\SYSTEM32\ublzdgnn.dll
C:\WINDOWS\SYSTEM32\lpdcrhyq.dll
C:\WINDOWS\SYSTEM32\lsodomkx.ini
C:\WINDOWS\SYSTEM32\shvortla.dll
C:\WINDOWS\SYSTEM32\btudomqk.dll
C:\WINDOWS\SYSTEM32\kvohgsqn.ini
C:\WINDOWS\SYSTEM32\nqsghovk.dll
C:\WINDOWS\SYSTEM32\cbxwutt.dll
C:\WINDOWS\SYSTEM32\stvutvqo.dll
C:\WINDOWS\SYSTEM32\oqvtuvts.ini
C:\WINDOWS\SYSTEM32\nnnljif.dll
C:\WINDOWS\SYSTEM32\semnqseo.ini
C:\WINDOWS\SYSTEM32\oesqnmes.dll
C:\WINDOWS\SYSTEM32\mxiahigy.ini
C:\WINDOWS\system32\sstts.dll
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\xqmfossa.dll


Open 'file' in the killbox menu on top and choose Paste from clipboard
You must use the file menu--pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to reboot now, click "yes".
Click OK at any Pending File Rename Operations prompts, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Then please scan once more with Combofix and post the log in your reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.
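One way to triage entries like the ones Charles picked out above, as an added example that is not part of this thread and not code from HijackThis, Killbox or ComboFix: the script below parses the O2/O3/O4 lines of a HijackThis log and flags the patterns that stand out in Jesse's log, namely unnamed BHOs and toolbars loading a random-looking DLL from system32, orphaned CLSIDs whose file is gone, rundll32 loading such a DLL through a one-letter export, and a core Windows binary name such as svchost.exe running from a folder other than system32. The 7-8 lowercase-letter name rule, the set of core binary names and the hex-digit value-name check are my own heuristics, not a signature database; the sample lines are copied from the HijackThis log posted above.

```python
"""Heuristic triage of O2/O3/O4 entries from a HijackThis log.

Added example for this thread; it is not HijackThis, Killbox or ComboFix code.
The name and location rules below are my own heuristics, not a signature database.
"""
import re
from pathlib import PureWindowsPath

ENTRY_RE = re.compile(r"^(O[234]) - (.*)$")
# O2/O3 body: "BHO: <name> - {CLSID} - <file>"  or  "Toolbar: <name> - {CLSID} - <file>"
BHO_RE = re.compile(r"^(?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
# Vundo-style names seen in the log (vtutrqp.dll, xqmfossa.dll): 7-8 lowercase letters (assumption)
RANDOM_NAME_RE = re.compile(r"[a-z]{7,8}\.dll")
SYSTEM32 = "c:\\windows\\system32"
# Core binaries that belong only in system32; a copy elsewhere (C:\WINDOWS\Fonts\svchost.exe) is a masquerade
CORE_BINARIES = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe", "csrss.exe", "smss.exe"}


def _looks_random_system32_dll(path):
    p = PureWindowsPath(path)
    return str(p.parent).lower() == SYSTEM32 and RANDOM_NAME_RE.fullmatch(p.name) is not None


def _rundll32_target(cmd):
    """(dll_path, export) if the command is a rundll32 invocation, else None."""
    m = re.match(r'(?i)rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*(\S+)', cmd.strip())
    return (m.group(1), m.group(2)) if m else None


def _first_path(cmd):
    """The executable path at the start of an O4 command, quoted or bare."""
    m = re.search(r'"([A-Za-z]:\\[^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.search(r"[A-Za-z]:\\.*?(?=\s+[-/]\S|$)", cmd)
    return m.group(0) if m else ""


def _o4_command(body):
    # "HKLM\..\Run: [Name] command"  or  "Global Startup: foo.lnk = C:\path\file.exe"
    if "] " in body:
        return body.split("] ", 1)[1]
    if " = " in body:
        return body.split(" = ", 1)[1]
    return ""


def triage_entry(line):
    """Return (verdict, reason) for one O2/O3/O4 line, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    if kind in ("O2", "O3"):
        b = BHO_RE.match(body)
        if not b:
            return None
        name, _clsid, target = b.groups()
        if target == "(no file)":
            return ("orphan", "CLSID still registered but its DLL is gone; a fix only removes the dead entry")
        if name == "(no name)" and _looks_random_system32_dll(target):
            return ("suspicious", "unnamed BHO/toolbar loading a random-looking DLL from system32")
        return None
    # O4 autostart entry (Run key or Startup folder)
    cmd = _o4_command(body)
    dll = _rundll32_target(cmd)
    if dll and _looks_random_system32_dll(dll[0]) and len(dll[1]) <= 2:
        return ("suspicious", "rundll32 loading a random-looking system32 DLL through a one-letter export")
    exe = _first_path(cmd)
    if exe:
        p = PureWindowsPath(exe)
        if p.name.lower() in CORE_BINARIES and str(p.parent).lower() != SYSTEM32:
            return ("masquerade", f"{p.name} runs from {p.parent}, not from system32")
    value = re.search(r"\[(.*?)\]", body)
    if value and re.fullmatch(r"[0-9a-f]{8}", value.group(1)):
        return ("suspicious", "Run value named with 8 hex digits instead of a product name")
    return None


def triage(log_text):
    """All findings in a log, as (verdict, reason, line) tuples in log order."""
    findings = []
    for line in log_text.splitlines():
        verdict = triage_entry(line)
        if verdict:
            findings.append((verdict[0], verdict[1], line.strip()))
    return findings


# Sample lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE} - C:\WINDOWS\system32\vtutrqp.dll
O2 - BHO: (no name) - {3C18B21A-1424-46EB-8300-3EB7ABA3EAB0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [984853ac] rundll32.exe "C:\WINDOWS\system32\xqmfossa.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for verdict, reason, line in triage(SAMPLE_LOG):
        print(f"[{verdict:10}] {line}\n             {reason}")
```

Run against the sample, the script flags the two Vundo loaders (vtutrqp.dll and xqmfossa.dll), the two orphaned CLSIDs and the svchost.exe copy under C:\WINDOWS\Fonts, and passes the Adobe, Java, NVIDIA and ctfmon entries. Note that a short name such as sstts.dll is not caught by the length rule, which is why a human still reads the full log; the script only narrows what to look at first.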


#13 jajacks
  • Topic Starter

  • Members
  • 32 posts

Posted 06 December 2007 - 01:14 PM

I did what you asked. HijackThis went ok, but Killbox acted a little funny. During the fix, I received an error message saying "Pending File Rename Operations Registry Data has been removed by External Process". I ran the program again and saw the same message, so I don't think it completed. So I ran Combofix, and it went non-responsive on reboot. This little bugger is annoying. I believe it changed its name again and has re-activated - I've got the pop-ups and desktop icons again.

Here are the Hijack and Combofix logs.
- - - - - - -
ComboFix
- - - - - - -
ComboFix 07-11-19.4 - Jesse 2007-12-04 16:10:19.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1362 [GMT -6:00]
Running from: C:\Documents and Settings\Jesse\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Jesse\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Melanie\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Melanie\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Melanie\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\kpazypzm.dllbox
C:\WINDOWS\system32\ublzdgnn.dllbox

.
((((((((((((((((((((((((( Files Created from 2007-11-05 to 2007-12-05 )))))))))))))))))))))))))))))))
.

2007-12-04 20:46 20,810 ---hs---- C:\WINDOWS\SYSTEM32\kpazypzm.dllbox
2007-12-04 16:04 145,984 --a------ C:\WINDOWS\SYSTEM32\kpazypzm.dll
2007-12-04 16:04 145,984 --a------ C:\WINDOWS\SYSTEM32\dghgchyy.dll
2007-12-04 15:19 79,424 --a------ C:\WINDOWS\SYSTEM32\qlfoibap.dll
2007-12-04 15:16 805,441 ---hs---- C:\WINDOWS\SYSTEM32\tyqyrnwu.ini
2007-12-04 15:16 85,568 --a------ C:\WINDOWS\SYSTEM32\uwnryqyt.dll
2007-12-03 10:45 73,280 --a------ C:\WINDOWS\SYSTEM32\dnugvkyd.dll
2007-12-03 10:42 805,381 ---hs---- C:\WINDOWS\SYSTEM32\levuxvek.ini
2007-12-03 10:42 85,056 --------- C:\WINDOWS\SYSTEM32\kevxuvel.dll
2007-12-02 22:26 76,864 --a------ C:\WINDOWS\SYSTEM32\jdeommgv.dll
2007-12-02 22:20 85,056 --a------ C:\WINDOWS\SYSTEM32\ccordfyw.dll
2007-12-01 22:12 457,299 --ahs---- C:\WINDOWS\SYSTEM32\sttss.ini2
2007-12-01 22:12 457,299 --ahs---- C:\WINDOWS\SYSTEM32\sttss.ini
2007-12-01 22:12 324,192 --------- C:\WINDOWS\SYSTEM32\sstts.dll
2007-11-30 19:06 37,376 --------- C:\WINDOWS\SYSTEM32\fccdawv.dll
2007-11-30 14:35 <DIR> d-------- C:\Program Files\Musicnotes
2007-11-30 14:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Musicnotes
2007-11-30 11:18 793,664 --------- C:\WINDOWS\SYSTEM32\lsodomkx.ini
2007-11-30 11:15 78,912 --------- C:\WINDOWS\SYSTEM32\shvortla.dll
2007-11-29 11:19 77,888 --------- C:\WINDOWS\SYSTEM32\btudomqk.dll
2007-11-29 11:16 789,659 --------- C:\WINDOWS\SYSTEM32\kvohgsqn.ini
2007-11-29 11:16 85,056 --------- C:\WINDOWS\SYSTEM32\nqsghovk.dll
2007-11-29 11:11 37,376 --------- C:\WINDOWS\SYSTEM32\cbxwutt.dll
2007-11-27 18:07 85,056 --------- C:\WINDOWS\SYSTEM32\stvutvqo.dll
2007-11-27 18:07 294 --------- C:\WINDOWS\SYSTEM32\oqvtuvts.ini
2007-11-26 17:54 36,864 --------- C:\WINDOWS\SYSTEM32\nnnljif.dll
2007-11-26 17:54 260 --a------ C:\8110.bat
2007-11-24 21:53 775,832 --------- C:\WINDOWS\SYSTEM32\semnqseo.ini
2007-11-24 21:53 85,056 --------- C:\WINDOWS\SYSTEM32\oesqnmes.dll
2007-11-24 10:09 260 --a------ C:\6254.bat
2007-11-23 22:50 <DIR> d-------- C:\Program Files\Shareaza
2007-11-23 22:50 <DIR> d-------- C:\Documents and Settings\Jesse\Application Data\Shareaza
2007-11-23 22:09 <DIR> d-------- C:\Program Files\BearShare
2007-11-23 21:47 775,832 --------- C:\WINDOWS\SYSTEM32\mxiahigy.ini
2007-11-16 15:29 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2007-11-16 15:29 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2007-11-16 15:04 <DIR> d-------- C:\Documents and Settings\Jesse\.housecall6.6
2007-11-16 14:53 <DIR> d-------- C:\VundoFix Backups
2007-11-15 14:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-15 14:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-14 17:00 <DIR> d-------- C:\Temp\abW9
2007-11-13 10:38 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-11-13 10:35 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
2007-11-09 18:06 147,456 --a------ C:\WINDOWS\SYSTEM32\vbzip10.dll
2007-11-09 18:01 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-08 14:50 <DIR> d-------- C:\Documents and Settings\Jesse\Application Data\Flock
2007-11-08 14:49 <DIR> d-------- C:\Program Files\Flock

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 21:10 --------- d-----w C:\Program Files\lg_fwupdate
2007-11-24 17:25 --------- d-----w C:\Documents and Settings\Jesse\Application Data\U3
2007-11-15 22:26 --------- d-----w C:\Program Files\VVSN
2007-11-15 20:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-15 20:07 --------- d-----w C:\Program Files\World of Warcraft
2007-11-14 22:58 --------- d-----w C:\Program Files\McAfee
2007-11-13 22:36 --------- d-----w C:\Program Files\Common Files\McAfee
2007-11-12 22:22 --------- d-----w C:\Documents and Settings\Jesse\Application Data\nView_Wallpaper
2007-10-29 23:27 --------- d-----w C:\Program Files\Cleaner 5 EZ
2007-10-29 17:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-27 01:17 --------- d-----w C:\Program Files\EA GAMES
2007-10-25 16:05 --------- d-----w C:\Program Files\NCSoft
2007-10-25 15:56 --------- d-----w C:\Program Files\support.com
2007-10-25 12:02 --------- d-----w C:\Program Files\BroadJump
2007-10-25 12:00 --------- d-----w C:\Program Files\Common Files\SupportSoft
2007-10-21 17:28 --------- d-----w C:\Program Files\iTunes
2007-10-21 17:28 --------- d-----w C:\Program Files\iPod
2007-10-21 17:26 --------- d-----w C:\Program Files\Apple Software Update
2007-10-18 21:43 --------- d-----w C:\Program Files\Java
2007-10-18 02:51 --------- d-----w C:\Program Files\Microsoft Silverlight
2007-10-12 22:07 --------- d-----w C:\Program Files\Lavasoft
2007-10-12 21:55 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Talkback
2007-01-10 18:15 839,688 ----a-w C:\WINDOWS\Fonts\Crack.exe
2007-01-10 18:15 290,818 ----a-w C:\WINDOWS\Fonts\Setup.exe
2005-05-12 05:36 12,288 -c--a-w C:\WINDOWS\Fonts\RandFont.dll
2004-10-01 21:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2002-07-26 22:02 153,088 ----a-w C:\Program Files\UNWISE.EXE
2005-11-11 19:52 1,682 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2007-11-26_17.54.36.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-02 06:18:33 585,791 ----a-w C:\WINDOWS\gmer.dll
+ 2007-06-29 15:38:18 581,632 ----a-w C:\WINDOWS\gmer.exe
- 2004-08-04 04:08:00 60,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\drmk.sys
+ 2004-08-04 05:08:00 60,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\drmk.sys
- 2004-08-04 04:15:22 140,928 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ks.sys
+ 2004-08-04 05:15:22 140,928 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ks.sys
- 2004-08-04 04:15:50 145,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\portcls.sys
+ 2004-08-04 05:15:50 145,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\portcls.sys
- 2004-08-04 04:08:04 48,640 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\stream.sys
+ 2004-08-04 05:08:04 48,640 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\stream.sys
- 2004-08-04 04:08:00 60,288 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\drmk.sys
+ 2004-08-04 05:08:00 60,288 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\drmk.sys
+ 2007-12-02 06:18:33 70,001 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\gmer.sys
- 2004-08-04 04:15:22 140,928 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\ks.sys
+ 2004-08-04 05:15:22 140,928 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\ks.sys
- 2004-08-04 04:15:50 145,792 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\portcls.sys
+ 2004-08-04 05:15:50 145,792 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\portcls.sys
- 2004-08-04 04:08:04 48,640 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\stream.sys
+ 2004-08-04 05:08:04 48,640 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\stream.sys
- 2007-11-26 23:36:07 63,016 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2007-12-04 22:41:11 63,016 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2007-11-26 23:36:07 402,406 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2007-12-04 22:41:11 402,406 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2004-08-04 04:08:00 60,288 ----a-w C:\WINDOWS\SYSTEM32\ReinstallBackups\0026\DriverFiles\i386\drmk.sys
+ 2004-08-04 04:15:22 140,928 ----a-w C:\WINDOWS\SYSTEM32\ReinstallBackups\0026\DriverFiles\i386\ks.sys
+ 2004-08-04 06:56:44 4,096 ----a-w C:\WINDOWS\SYSTEM32\ReinstallBackups\0026\DriverFiles\i386\ksuser.dll
+ 2004-08-04 04:15:50 145,792 ----a-w C:\WINDOWS\SYSTEM32\ReinstallBackups\0026\DriverFiles\i386\portcls.sys
+ 2004-08-04 04:08:04 48,640 ----a-w C:\WINDOWS\SYSTEM32\ReinstallBackups\0026\DriverFiles\i386\stream.sys
+ 2006-04-04 20:45:18 2,400,648 ----a-w C:\WINDOWS\SYSTEM32\ReinstallBackups\0026\DriverFiles\madiousb.dll
+ 2006-04-04 19:42:38 19,456 ----a-w C:\WINDOWS\SYSTEM32\ReinstallBackups\0026\DriverFiles\mausbasio.dll
+ 2006-04-04 19:42:34 106,112 ----a-w C:\WINDOWS\SYSTEM32\ReinstallBackups\0026\DriverFiles\mausbft.sys
- 2007-11-25 21:27:24 24,576 ----a-w C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
+ 2007-12-02 05:54:57 24,576 ----a-w C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
+ 2007-11-30 17:18:21 85,056 ----a-w C:\WINDOWS\SYSTEM32\xkmodosl.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C18B21A-1424-46EB-8300-3EB7ABA3EAB0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{725B80C7-6FA6-4188-813D-9F737C5C79E4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E4E05D7-2E76-4BF9-9B81-283027FB4B88}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-12-04 16:04 145984 --a------ C:\WINDOWS\system32\kpazypzm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F191E51C-644D-48CD-BC0F-5B6D47784549}]
2007-12-01 22:12 324192 --------- C:\WINDOWS\system32\sstts.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\kpazypzm.dll [2007-12-04 16:04 145984]

[HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\kpazypzm.dll [2007-12-04 16:04 145984]

[HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\progra~1\valve\steam\steam.exe" [2007-11-29 17:15]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-15 12:25]
"PowerBar"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 17:16]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 12:16]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00]
"CTHelper"="CTHELPER.EXE" [2004-03-11 09:50 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 16:54]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 08:50]
"HPHUPD08"="C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 10:35]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 05:00 C:\WINDOWS\SYSTEM32\RUNDLL32.EXE]
"nwiz"="nwiz.exe" [2006-03-09 14:29 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 05:00 C:\WINDOWS\SYSTEM32\RUNDLL32.EXE]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-10 00:04]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 00:01]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52]
"PCLEUSBTip"="C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2006-01-23 15:42]
"USB2Check"="RUNDLL32.exe" [2004-08-04 05:00 C:\WINDOWS\SYSTEM32\RUNDLL32.EXE]
"USBToolTip"="C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" [2006-01-23 15:42]
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [2003-11-10 16:06]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-04-04 23:33]
"M-Audio Taskbar Icon"="C:\WINDOWS\System32\M-AudioTaskBarIcon.exe" [2006-04-04 13:42]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2006-10-31 23:04]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-01-05 15:21]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-11-12 11:38:16]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 00:49:24]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-02-15 12:25:55]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-04-25 16:32:48]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - C:\Program Files\WiFiConnector\NintendoWFCReg.exe [2005-11-17 22:31:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kpazypzm]
kpazypzm.dll 2007-12-04 16:04 145984 C:\WINDOWS\SYSTEM32\kpazypzm.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\sstts.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R2 elagopro;GoProto Protocol Driver for LELA;C:\WINDOWS\system32\DRIVERS\elagopro.sys
R2 elaunidr;UniDriver for LELA;C:\WINDOWS\system32\DRIVERS\elaunidr.sys
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\LNE100V5.sys
R3 MAUSBFT;Service for M-Audio Fast Track USB (WDM);C:\WINDOWS\system32\DRIVERS\mausbft.sys
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 o1394bul;o1394bul;\??\C:\DOCUME~1\Jesse\LOCALS~1\Temp\o1394bul.sys
S3 ss_bus;Samsung Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-28 04:07:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-15 06:25:09 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2007-08-01 06:00:21 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 20:47:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-04 20:52:03 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-30 19:24
C:\ComboFix3.txt ... 2007-11-26 17:55
.
--- E O F ---
- - - - - - - -
HijackThis
- - - - - - - -
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:03 PM, on 12/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jesse\Desktop\fluffybunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE} - (no file)
O2 - BHO: (no name) - {3C18B21A-1424-46EB-8300-3EB7ABA3EAB0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: (no name) - {725B80C7-6FA6-4188-813D-9F737C5C79E4} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {8E4E05D7-2E76-4BF9-9B81-283027FB4B88} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\kpazypzm.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {E214F8C4-091E-48D1-B96E-EB8A67EB8D34} - C:\WINDOWS\system32\sstts.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\kpazypzm.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [PCLEUSBTip] C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [984853ac] rundll32.exe "C:\WINDOWS\system32\xqmfossa.dll",b
O4 - HKCU\..\Run: [Steam] "c:\progra~1\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157659659252
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: kpazypzm - C:\WINDOWS\SYSTEM32\kpazypzm.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: M-Audio Fast Track Installer (FastTrackInstallerService) - Avid Technology, Inc. - C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 14469 bytes

#14 rookie147

  • Members
  • 5,321 posts

Posted 06 December 2007 - 04:41 PM

Could you try running the KillBox deletion in Safe Mode for me, please?

If you are pleased with the service I have offered, you may like to consider making a donation.


#15 rookie147

  • Members
  • 5,321 posts

Posted 16 December 2007 - 12:24 PM

Due to lack of feedback, this topic is now closed.
If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter. Everyone else please begin a New Topic.
