
Infected With Trojan.vundo, Adware.ezula And Trojan.metajuan


16 replies to this topic

#1 n012

  • Members
  • 9 posts

Posted 20 November 2007 - 10:42 PM

Hello everyone!

MY COMPUTER:
Windows SP2 fully updated
HP Pavilion a1330n
AMD athlon 64 3800+
addons: ATi Radeon x1600Pro
Creative Soundblaster SB X-Fi

MY PROBLEM: I have been infected with Trojan.Vundo, Adware.Ezula, and Trojan.Metajuan sometime in the last two weeks. I am not sure how this happened, and there are other people here in my house who use this computer, so I don't know the exact date of infection. For starters, here is an overview of the symptoms: whenever I open up IE an additional unwanted window appears with whatever advertising garbage; sometimes when I haven't opened a new window an unwanted popup will appear; and other times when I am working in an IE window something "deselects" it and tries to pop up a new unwanted window (for instance, I will be writing something online and my keystrokes will stop appearing on the screen because something selects another window). I am only relating all of this because of the chance that I have some other trojan etc. than what I stated above. Another thing to note is that my system processes have risen from before the infection to after. Also, the startup manager utility list in my TuneUp Utilities 2007 has doubled for some reason; I'm not sure why.

WHAT I HAVE TRIED: I have turned off my System Restore. I have both Norton Internet Security and Norton AntiBot, and I have scanned multiple times with NIS using the updated definitions. The strange thing is that Norton is detecting and blocking these infections but not eradicating them or even giving the option of doing something about them (quarantine, delete, etc.), except that two days ago I was able to remove the files through Norton, but they sprang back up about three hours later. I also went to Symantec's website to get the separate Trojan.Vundo and Adware.Ezula fixes they have available for download, but when I run the program it says that I am not infected with them. After finding this forum and joining, I performed all of the steps outlined here http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/.
I followed these instructions fully and now I am at the last step which is posting my log.

For anybody who takes the time to help let me thank you in advance!
Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:47 PM, on 11/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe
C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABAgent.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Symantec\Norton AntiBot\agent\bin\NABMonitor.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://ercproxy.cscc.edu/ercsearch.pac
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NortonAntiBot] "C:\Program Files\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Norton Protection Center UI Stub] C:\Program Files\Common Files\Symantec Shared\NPC\uiStub.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - (no file)
O9 - Extra 'Tools' menuitem: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1140300949656
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A9DD5FE2-5567-4983-971F-C792375025A6} (PhoenixBody Class) - http://software.musicnow.com/musicnow/phoe...34/MusicNow.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymantecAntiBotAgent - Symantec - C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABAgent.exe
O23 - Service: SymantecAntiBotWatcher - Symantec - C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10416 bytes

Edited by n012, 21 November 2007 - 12:48 AM.



#2 CalamityJane

CalamityJane

  • Security Colleague
  • 107 posts

Posted 27 November 2007 - 08:06 PM

Hi,

Start first with this free tool:
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt
.................

Next, run also this free tool and post the log it makes as well please.
Download ComboFix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.

2. Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Microsoft MVP Windows-Security 2003-2008

#3 n012

n012
  • Topic Starter


Posted 28 November 2007 - 01:40 PM

Thank you for responding! I am at school today and I will not get home until about 8:30 EST. When I get home I will get started on your instructions. Thanks again.

#4 CalamityJane

CalamityJane


Posted 28 November 2007 - 02:09 PM

Hi,

Glad you are still with us :thumbsup:

I'm now subscribed to this topic so I will get an email notice from the board each time you reply, and can be here much more quickly than it took for us to get to your new topic here.

Thanks for being so patient.

#5 n012

n012
  • Topic Starter


Posted 28 November 2007 - 09:46 PM

Here are the new scans for you Calamity!


VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Scan started at 8:47:58 PM 11/28/2007

Listing files found while scanning....

C:\windows\system32\dcothsxp.dllbox

Beginning removal...

Attempting to delete C:\windows\system32\dcothsxp.dllbox
C:\windows\system32\dcothsxp.dllbox Has been deleted!

Performing Repairs to the registry.
Done!

------------------------------------------------------------------------------------------


ComboFix 07-11-19.4C - HP_Administrator 2007-11-28 21:15:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.539 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\ddeeg.bak1
C:\WINDOWS\system32\ddeeg.bak2
C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.ini2
C:\WINDOWS\system32\ddeeg.tmp
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\system\
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.

2007-11-28 21:16 81,984 --a------ C:\WINDOWS\system32\jhrrievi.dll
2007-11-28 20:49 81,984 --a------ C:\WINDOWS\system32\ceeicfwe.dll
2007-11-28 20:47 <DIR> d-------- C:\VundoFix Backups
2007-11-28 20:43 73,917 --a------ C:\WINDOWS\system32\fsjntsyd.dll
2007-11-28 09:48 82,629 --a------ C:\WINDOWS\system32\nktkieus.dll
2007-11-28 09:45 81,984 --a------ C:\WINDOWS\system32\qucqbqej.dll
2007-11-27 23:07 82,629 --a------ C:\WINDOWS\system32\jneuqlqv.dll
2007-11-27 20:03 82,629 --a------ C:\WINDOWS\system32\snyxbwfh.dll
2007-11-27 19:43 82,629 --a------ C:\WINDOWS\system32\eheddxti.dll
2007-11-27 19:00 82,629 --a------ C:\WINDOWS\system32\usgdxllj.dll
2007-11-27 13:36 78,273 --a------ C:\WINDOWS\system32\xcbmbfhe.dll
2007-11-27 13:16 82,629 --a------ C:\WINDOWS\system32\tugopmmh.dll
2007-11-27 12:50 82,629 --a------ C:\WINDOWS\system32\xwpofcna.dll
2007-11-27 11:41 84,081 --a------ C:\WINDOWS\system32\qduridmx.dll
2007-11-26 10:31 81,177 --a------ C:\WINDOWS\system32\gvbkqubs.dll
2007-11-25 18:33 78,273 --a------ C:\WINDOWS\system32\fmwrhpxu.dll
2007-11-25 18:30 79,936 --a------ C:\WINDOWS\system32\hxyduvgm.dll
2007-11-25 16:55 79,936 --a------ C:\WINDOWS\system32\qqosohkp.dll
2007-11-25 16:49 82,629 --a------ C:\WINDOWS\system32\yjhstodo.dll
2007-11-24 21:52 81,472 --a------ C:\WINDOWS\system32\annhsqtg.dll
2007-11-24 21:49 82,629 --a------ C:\WINDOWS\system32\iovwpnec.dll
2007-11-24 08:59 82,629 --a------ C:\WINDOWS\system32\nrlumvcm.dll
2007-11-24 08:56 81,472 --a------ C:\WINDOWS\system32\rexybgas.dll
2007-11-24 08:49 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-24 08:11 82,629 --a------ C:\WINDOWS\system32\kedwafmu.dll
2007-11-24 08:08 81,472 --a------ C:\WINDOWS\system32\bmoadbse.dll
2007-11-23 22:11 82,629 --a------ C:\WINDOWS\system32\qfwsygvq.dll
2007-11-23 22:05 83,520 --a------ C:\WINDOWS\system32\aqjehwha.dll
2007-11-23 10:37 82,629 --a------ C:\WINDOWS\system32\bphfsuox.dll
2007-11-23 10:34 83,520 --a------ C:\WINDOWS\system32\kmfxyrfr.dll
2007-11-22 08:01 82,629 --a------ C:\WINDOWS\system32\gwahekqg.dll
2007-11-22 07:58 79,936 --a------ C:\WINDOWS\system32\vsrcagjw.dll
2007-11-21 12:12 80,960 --a------ C:\WINDOWS\system32\bgihytxd.dll
2007-11-21 12:09 82,629 --a------ C:\WINDOWS\system32\faraqqrq.dll
2007-11-20 22:18 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-20 18:04 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-20 18:04 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-11-20 18:04 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-20 18:04 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-20 15:50 84,544 --a------ C:\WINDOWS\system32\eeuksxfj.dll
2007-11-20 15:41 82,629 --a------ C:\WINDOWS\system32\cjiwticu.dll
2007-11-20 00:49 82,629 --a------ C:\WINDOWS\system32\hcwakjef.dll
2007-11-20 00:46 84,544 --a------ C:\WINDOWS\system32\fpngkded.dll
2007-11-20 00:12 <DIR> d-------- C:\Documents and Settings\HP_Administrator\.housecall6.6
2007-11-19 22:32 82,629 --a------ C:\WINDOWS\system32\mopwwgpg.dll
2007-11-19 20:20 84,081 --a------ C:\WINDOWS\system32\taohgetv.dll
2007-11-18 22:00 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-18 22:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-18 21:59 82,629 --a------ C:\WINDOWS\system32\ttnufpsg.dll
2007-11-18 21:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-18 20:30 82,629 --a------ C:\WINDOWS\system32\rkyoujlr.dll
2007-11-17 16:51 82,629 --a------ C:\WINDOWS\system32\dsteeipk.dll
2007-11-16 23:11 82,629 --a------ C:\WINDOWS\system32\owoxewbh.dll
2007-11-16 13:19 676,549 ---hs---- C:\WINDOWS\system32\txnaqxwy.ini
2007-11-16 11:14 675,519 ---hs---- C:\WINDOWS\system32\xxvnjhyb.ini
2007-11-15 14:35 669,500 ---hs---- C:\WINDOWS\system32\etxlfcxx.ini
2007-11-15 14:29 79,936 --a------ C:\WINDOWS\system32\dkxrmpvc.dll
2007-11-15 13:31 669,230 ---hs---- C:\WINDOWS\system32\rljrdkxu.ini
2007-11-15 13:25 79,936 --a------ C:\WINDOWS\system32\ixhsrrvi.dll
2007-11-15 01:11 79,936 --a------ C:\WINDOWS\system32\vhahngpj.dll
2007-11-15 01:05 671,154 ---hs---- C:\WINDOWS\system32\vnvuiruj.ini
2007-11-15 00:29 671,446 ---hs---- C:\WINDOWS\system32\ubqqivdb.ini
2007-11-15 00:26 79,936 --a------ C:\WINDOWS\system32\imjnpcvf.dll
2007-11-14 23:50 79,424 --a------ C:\WINDOWS\system32\eearqxcr.dll
2007-11-14 23:47 671,265 --ahs---- C:\WINDOWS\system32\aqlxhjpn.ini
2007-11-14 22:45 79,424 --a------ C:\WINDOWS\system32\ukldlwmp.dll
2007-11-14 22:42 672,850 ---hs---- C:\WINDOWS\system32\lhpcmfnl.ini
2007-11-14 22:20 79,424 --a------ C:\WINDOWS\system32\wvyoguby.dll
2007-11-14 22:14 671,127 ---hs---- C:\WINDOWS\system32\waxwicrl.ini
2007-11-14 15:07 79,424 --a------ C:\WINDOWS\system32\lwgkyyyo.dll
2007-11-14 15:04 671,214 ---hs---- C:\WINDOWS\system32\yecevjcc.ini
2007-11-13 15:01 671,127 ---hs---- C:\WINDOWS\system32\lfeewrff.ini
2007-11-13 11:37 669,191 ---hs---- C:\WINDOWS\system32\vktwrrwv.ini
2007-11-12 18:25 590,914 ---hs---- C:\WINDOWS\system32\uwvrphpq.ini
2007-11-11 18:31 584,632 ---hs---- C:\WINDOWS\system32\pgtajkuq.ini
2007-11-09 12:54 584,305 ---hs---- C:\WINDOWS\system32\ovgysgxc.ini
2007-11-08 11:33 584,133 ---hs---- C:\WINDOWS\system32\mgllglrk.ini
2007-11-08 11:22 556,663 ---hs---- C:\WINDOWS\system32\sbogwxom.ini
2007-11-08 11:05 556,603 ---hs---- C:\WINDOWS\system32\kwiuowfh.ini
2007-11-07 16:17 556,784 ---hs---- C:\WINDOWS\system32\oxntkfsm.ini
2007-11-06 13:23 556,664 ---hs---- C:\WINDOWS\system32\hprdmfhr.ini
2007-11-06 13:19 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2007-11-06 13:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-11-06 13:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-11-06 13:19 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-11-06 13:10 571,293 ---hs---- C:\WINDOWS\system32\pvcalfeh.ini
2007-11-05 20:33 564,903 ---hs---- C:\WINDOWS\system32\ojiiugoj.ini
2007-11-05 11:35 576,724 ---hs---- C:\WINDOWS\system32\fiollrto.ini
2007-11-04 11:29 576,604 ---hs---- C:\WINDOWS\system32\xtxygwvn.ini
2007-11-04 11:26 78,912 --a------ C:\WINDOWS\system32\ekfsibcg.dll
2007-11-04 11:01 576,845 ---hs---- C:\WINDOWS\system32\fbuhabjy.ini
2007-11-03 19:52 <DIR> d-------- C:\Program Files\CCleaner
2007-11-03 18:57 576,905 ---hs---- C:\WINDOWS\system32\skbikvue.ini
2007-11-03 18:57 87,616 --a------ C:\WINDOWS\system32\euvkibks.dll
2007-11-03 15:48 576,845 --ahs---- C:\WINDOWS\system32\cwuprcdb.ini
2007-11-02 07:37 72 --a------ C:\WINDOWS\system32\SYSTEM
2007-10-30 19:55 625,032 --a------ C:\WINDOWS\system32\SymNeti.dll
2007-10-30 19:55 242,056 --a------ C:\WINDOWS\system32\SymRedir.dll
2007-10-30 19:55 191,536 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-30 19:55 145,968 --a------ C:\WINDOWS\system32\drivers\symfw.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-29 02:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-28 18:15 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-28 15:05 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\U3
2007-11-20 23:50 --------- d-----w C:\Program Files\Norton Internet Security
2007-11-20 23:47 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-11-20 23:47 --------- d-----w C:\Program Files\iTunes
2007-11-20 23:39 --------- d---a-w C:\Program Files\Common Files\LightScribe
2007-11-19 02:03 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-16 16:06 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\ATI
2007-11-13 16:33 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2007-10-31 14:02 --------- d-----w C:\Program Files\NoodleNet
2007-10-27 01:17 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\AdobeUM
2007-10-22 21:38 --------- d-----w C:\Program Files\iColorFolder
2007-10-21 03:38 --------- d-----w C:\Program Files\iPod
2007-10-04 22:52 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-04 22:52 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-04 22:52 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-04 22:52 --------- d-----w C:\Program Files\Symantec
2007-09-29 05:46 47,376 ----a-w C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-09-29 03:05 2,456,064 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-09-29 02:19 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2006-08-29 15:04 176 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4AAA2DD4-0E07-4953-8E30-902947B411B6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{58D59E72-A545-44AB-B762-39EE8464A74B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5DBF0DD8-0CED-4DA2-BADC-FB12B65467FD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{80AAC286-66CF-47E9-AA6F-53AB71736CA6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F7BB305-A92D-4F69-83E3-E163D3EC0CC7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{93578D0C-AA15-4D84-99A9-3CA1E629DB0F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E412907-1D3E-46F5-8C65-777406AB7BEF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE3087B8-9B6F-4B82-939A-D2D41F6D8429}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC7F8050-21BB-41D5-A0B4-7CFF21F20C53}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5a5689e-fab5-4517-890d-b5df7830e30a}]
2007-11-28 21:16 81984 --a------ C:\WINDOWS\system32\jhrrievi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D42112DD-B60C-4917-B74A-0BAEBD2000A6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E39D017A-5934-4841-972F-C4E87A6D0C5C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E954A517-178C-4E66-8E22-5783088B97D0}

2007-11-06 13:19 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-11-06 13:10 571,293 ---hs---- C:\WINDOWS\system32\pvcalfeh.ini
2007-11-05 20:33 564,903 ---hs---- C:\WINDOWS\system32\ojiiugoj.ini
2007-11-05 11:35 576,724 ---hs---- C:\WINDOWS\system32\fiollrto.ini
2007-11-04 11:29 576,604 ---hs---- C:\WINDOWS\system32\xtxygwvn.ini
2007-11-04 11:26 78,912 --a------ C:\WINDOWS\system32\ekfsibcg.dll
2007-11-04 11:01 576,845 ---hs---- C:\WINDOWS\system32\fbuhabjy.ini
2007-11-03 19:52 <DIR> d-------- C:\Program Files\CCleaner
2007-11-03 18:57 576,905 ---hs---- C:\WINDOWS\system32\skbikvue.ini
2007-11-03 18:57 87,616 --a------ C:\WINDOWS\system32\euvkibks.dll
2007-11-03 15:48 576,845 --ahs---- C:\WINDOWS\system32\cwuprcdb.ini
2007-11-02 07:37 72 --a------ C:\WINDOWS\system32\SYSTEM
2007-10-30 19:55 625,032 --a------ C:\WINDOWS\system32\SymNeti.dll
2007-10-30 19:55 242,056 --a------ C:\WINDOWS\system32\SymRedir.dll
2007-10-30 19:55 191,536 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-30 19:55 145,968 --a------ C:\WINDOWS\system32\drivers\symfw.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-29 02:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-28 18:15 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-28 15:05 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\U3
2007-11-20 23:50 --------- d-----w C:\Program Files\Norton Internet Security
2007-11-20 23:47 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-11-20 23:47 --------- d-----w C:\Program Files\iTunes
2007-11-20 23:39 --------- d---a-w C:\Program Files\Common Files\LightScribe
2007-11-19 02:03 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-16 16:06 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\ATI
2007-11-13 16:33 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2007-10-31 14:02 --------- d-----w C:\Program Files\NoodleNet
2007-10-27 01:17 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\AdobeUM
2007-10-22 21:38 --------- d-----w C:\Program Files\iColorFolder
2007-10-21 03:38 --------- d-----w C:\Program Files\iPod
2007-10-04 22:52 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-04 22:52 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-04 22:52 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-04 22:52 --------- d-----w C:\Program Files\Symantec
2007-09-29 05:46 47,376 ----a-w C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-09-29 03:05 2,456,064 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-09-29 02:19 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2006-08-29 15:04 176 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4AAA2DD4-0E07-4953-8E30-902947B411B6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{58D59E72-A545-44AB-B762-39EE8464A74B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5DBF0DD8-0CED-4DA2-BADC-FB12B65467FD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{80AAC286-66CF-47E9-AA6F-53AB71736CA6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F7BB305-A92D-4F69-83E3-E163D3EC0CC7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{93578D0C-AA15-4D84-99A9-3CA1E629DB0F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E412907-1D3E-46F5-8C65-777406AB7BEF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE3087B8-9B6F-4B82-939A-D2D41F6D8429}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC7F8050-21BB-41D5-A0B4-7CFF21F20C53}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5a5689e-fab5-4517-890d-b5df7830e30a}]
2007-11-28 21:16 81984 --a------ C:\WINDOWS\system32\jhrrievi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D42112DD-B60C-4917-B74A-0BAEBD2000A6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E39D017A-5934-4841-972F-C4E87A6D0C5C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E954A517-178C-4E66-8E22-5783088B97D0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA7C5ABA-2349-4FA1-8516-5370B4A9210C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EBA6705E-C130-4CC6-AE21-9F6B64C202E6}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]
"Norton Protection Center UI Stub"="C:\Program Files\Common Files\Symantec Shared\NPC\uiStub.exe" [2007-07-06 13:24]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2006-08-17 10:32 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-17 10:32 C:\WINDOWS\system32\CTXFIHLP.EXE]
"NortonAntiBot"="C:\Program Files\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe" [2007-06-29 19:40]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-06-04 21:05]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-06-26 00:00]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 16:39]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 12:41]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 02:19 C:\WINDOWS\arpwrmsg.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-26 14:56]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
LaunchU3.exe.lnk - C:\WINDOWS\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2006-10-06 21:16:52]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcddeb]
ddcddeb.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geedd.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Steam"=C:\Program Files\Valve\Steam\\Steam.exe -silent
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"UpdReg"=C:\WINDOWS\UpdReg.EXE
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"HPHUPD08"=c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
"KBD"=C:\HP\KBD\KBD.EXE
"ehTray"=C:\WINDOWS\ehome\ehtray.exe

R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys
R2 SymantecAntiBotAgent;SymantecAntiBotAgent;"C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABAgent.exe" SymantecAntiBotAgent
R2 SymantecAntiBotWatcher;SymantecAntiBotWatcher;C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys
R3 SymantecAntiBotDriver;SymantecAntiBotDriver;\??\C:\Program Files\Symantec\Norton AntiBot\agent\driver\platform_XP\AntiBotDriver.sys
R3 SymantecAntiBotFilter;SymantecAntiBotFilter;\??\C:\Program Files\Symantec\Norton AntiBot\agent\driver\platform_XP\AntiBotFilter.sys
R3 SymantecAntiBotShim;SymantecAntiBotShim;\??\C:\Program Files\Symantec\Norton AntiBot\agent\driver\platform_XP\AntiBotShim.sys
S3 Fadpu16E;Fadpu16E;\??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\Fadpu16E.sys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-11-24 02:37:47 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2007-11-24 19:05:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-25 02:41:19 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - HP_Administrator.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 21:31:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-28 21:34:09 - machine was rebooted
.
--- E O F ---



----------------------------------------------------------------------------------------------------------




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:26 PM, on 11/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe
C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABAgent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\Norton AntiBot\agent\bin\NABMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://ercproxy.cscc.edu/ercsearch.pac
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: (no name) - {4AAA2DD4-0E07-4953-8E30-902947B411B6} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {58D59E72-A545-44AB-B762-39EE8464A74B} - (no file)
O2 - BHO: (no name) - {5DBF0DD8-0CED-4DA2-BADC-FB12B65467FD} - (no file)
O2 - BHO: (no name) - {80AAC286-66CF-47E9-AA6F-53AB71736CA6} - (no file)
O2 - BHO: (no name) - {8F7BB305-A92D-4F69-83E3-E163D3EC0CC7} - (no file)
O2 - BHO: (no name) - {93578D0C-AA15-4D84-99A9-3CA1E629DB0F} - (no file)
O2 - BHO: (no name) - {9E412907-1D3E-46F5-8C65-777406AB7BEF} - (no file)
O2 - BHO: (no name) - {AE3087B8-9B6F-4B82-939A-D2D41F6D8429} - (no file)
O2 - BHO: (no name) - {BC7F8050-21BB-41D5-A0B4-7CFF21F20C53} - (no file)
O2 - BHO: {a03e0387-fd5b-d098-7154-5bafe9865a5c} - {c5a5689e-fab5-4517-890d-b5df7830e30a} - C:\WINDOWS\system32\jhrrievi.dll
O2 - BHO: (no name) - {D42112DD-B60C-4917-B74A-0BAEBD2000A6} - (no file)
O2 - BHO: (no name) - {E39D017A-5934-4841-972F-C4E87A6D0C5C} - (no file)
O2 - BHO: (no name) - {E954A517-178C-4E66-8E22-5783088B97D0} - (no file)
O2 - BHO: (no name) - {EA7C5ABA-2349-4FA1-8516-5370B4A9210C} - (no file)
O2 - BHO: (no name) - {EBA6705E-C130-4CC6-AE21-9F6B64C202E6} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NortonAntiBot] "C:\Program Files\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Norton Protection Center UI Stub] C:\Program Files\Common Files\Symantec Shared\NPC\uiStub.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - (no file)
O9 - Extra 'Tools' menuitem: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1140300949656
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A9DD5FE2-5567-4983-971F-C792375025A6} (PhoenixBody Class) - http://software.musicnow.com/musicnow/phoe...34/MusicNow.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O20 - Winlogon Notify: ddcddeb - ddcddeb.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymantecAntiBotAgent - Symantec - C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABAgent.exe
O23 - Service: SymantecAntiBotWatcher - Symantec - C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 11677 bytes



There you go I hope it helps you out!

#6 n012

n012
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:51 AM

Posted 28 November 2007 - 09:53 PM

I forgot to mention that while I was running VundoFix Norton detected a new Trojan that I have not seen yet. It was called Trojan.Duntek. I don't know if that helps or not but I am just trying to record everything that I am observing. Happy Hunting!

#7 CalamityJane

CalamityJane

  • Security Colleague
  • 107 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:51 AM

Posted 29 November 2007 - 11:49 AM

Wow, this is really a mess. Each time Vundo has been only partially fixed, it has respawned itself creating numerous infected files. Is someone running Morpheus on this PC? I suspect that a file downloaded from a P2P network is what brought on this mess unless you know something else that did. Most often we are seeing this infection coming down via P2P. It might be a good time to re-think using P2P and Morpheus in particular, and I would recommend you uninstall it and avoid other P2P sharing programs and networks.

Ok, cleanup is going to involve a number of tools (all free) but the steps are going to be numerous for a reason in that this machine needs a lot of cleanup and probably all infections are not showing on these logs. Please temporarily turn OFF your Norton AV and Spybot's teatimer as both are going to squeal at the removal process and may interfere with the fixes. You can turn them back on after we have this cleaned up.

Make a copy of this instruction to have handy as these next steps need to be done with all browsers and any open windows closed.

1. Close any open browsers.

2. Open notepad and copy/paste the text you see in the whitespace of the quotebox below into it (but not the word: quote)

File::
C:\WINDOWS\system32\jhrrievi.dll
C:\WINDOWS\system32\ceeicfwe.dll
C:\WINDOWS\system32\fsjntsyd.dll
C:\WINDOWS\system32\nktkieus.dll
C:\WINDOWS\system32\qucqbqej.dll
C:\WINDOWS\system32\jneuqlqv.dll
C:\WINDOWS\system32\snyxbwfh.dll
C:\WINDOWS\system32\eheddxti.dll
C:\WINDOWS\system32\usgdxllj.dll
C:\WINDOWS\system32\xcbmbfhe.dll
C:\WINDOWS\system32\tugopmmh.dll
C:\WINDOWS\system32\xwpofcna.dll
C:\WINDOWS\system32\qduridmx.dll
C:\WINDOWS\system32\gvbkqubs.dll
C:\WINDOWS\system32\fmwrhpxu.dll
C:\WINDOWS\system32\hxyduvgm.dll
C:\WINDOWS\system32\qqosohkp.dll
C:\WINDOWS\system32\yjhstodo.dll
C:\WINDOWS\system32\annhsqtg.dll
C:\WINDOWS\system32\iovwpnec.dll
C:\WINDOWS\system32\nrlumvcm.dll
C:\WINDOWS\system32\rexybgas.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\kedwafmu.dll
C:\WINDOWS\system32\bmoadbse.dll
C:\WINDOWS\system32\qfwsygvq.dll
C:\WINDOWS\system32\aqjehwha.dll
C:\WINDOWS\system32\bphfsuox.dll
C:\WINDOWS\system32\kmfxyrfr.dll
C:\WINDOWS\system32\gwahekqg.dll
C:\WINDOWS\system32\vsrcagjw.dll
C:\WINDOWS\system32\bgihytxd.dll
C:\WINDOWS\system32\faraqqrq.dll
C:\WINDOWS\system32\eeuksxfj.dll
C:\WINDOWS\system32\cjiwticu.dll
C:\WINDOWS\system32\hcwakjef.dll
C:\WINDOWS\system32\fpngkded.dll
C:\WINDOWS\system32\mopwwgpg.dll
C:\WINDOWS\system32\taohgetv.dll
C:\WINDOWS\system32\ttnufpsg.dll
C:\WINDOWS\system32\rkyoujlr.dll
C:\WINDOWS\system32\dsteeipk.dll
C:\WINDOWS\system32\owoxewbh.dll
C:\WINDOWS\system32\txnaqxwy.ini
C:\WINDOWS\system32\xxvnjhyb.ini
C:\WINDOWS\system32\etxlfcxx.ini
C:\WINDOWS\system32\dkxrmpvc.dll
C:\WINDOWS\system32\rljrdkxu.ini
C:\WINDOWS\system32\ixhsrrvi.dll
C:\WINDOWS\system32\vhahngpj.dll
C:\WINDOWS\system32\vnvuiruj.ini
C:\WINDOWS\system32\ubqqivdb.ini
C:\WINDOWS\system32\imjnpcvf.dll
C:\WINDOWS\system32\eearqxcr.dll
C:\WINDOWS\system32\aqlxhjpn.ini
C:\WINDOWS\system32\ukldlwmp.dll
C:\WINDOWS\system32\lhpcmfnl.ini
C:\WINDOWS\system32\wvyoguby.dll
C:\WINDOWS\system32\waxwicrl.ini
C:\WINDOWS\system32\lwgkyyyo.dll
C:\WINDOWS\system32\yecevjcc.ini
C:\WINDOWS\system32\lfeewrff.ini
C:\WINDOWS\system32\vktwrrwv.ini
C:\WINDOWS\system32\uwvrphpq.ini
C:\WINDOWS\system32\pgtajkuq.ini
C:\WINDOWS\system32\ovgysgxc.ini
C:\WINDOWS\system32\mgllglrk.ini
C:\WINDOWS\system32\sbogwxom.ini
C:\WINDOWS\system32\kwiuowfh.ini
C:\WINDOWS\system32\oxntkfsm.ini
C:\WINDOWS\system32\hprdmfhr.ini
C:\WINDOWS\system32\pvcalfeh.ini
C:\WINDOWS\system32\ojiiugoj.ini
C:\WINDOWS\system32\fiollrto.ini
C:\WINDOWS\system32\xtxygwvn.ini
C:\WINDOWS\system32\ekfsibcg.dll
C:\WINDOWS\system32\fbuhabjy.ini
C:\WINDOWS\system32\skbikvue.ini
C:\WINDOWS\system32\euvkibks.dll
C:\WINDOWS\system32\cwuprcdb.ini
C:\WINDOWS\system32\jhrrievi.dll


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt". Please post that log back here

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

.......................
Next, Open HijackThis and do a *system scan only*
When it finishes, checkmark these entries in the list, then press the *fix checked* button

O2 - BHO: (no name) - {4AAA2DD4-0E07-4953-8E30-902947B411B6} - (no file)

O2 - BHO: (no name) - {58D59E72-A545-44AB-B762-39EE8464A74B} - (no file)

O2 - BHO: (no name) - {5DBF0DD8-0CED-4DA2-BADC-FB12B65467FD} - (no file)

O2 - BHO: (no name) - {80AAC286-66CF-47E9-AA6F-53AB71736CA6} - (no file)

O2 - BHO: (no name) - {8F7BB305-A92D-4F69-83E3-E163D3EC0CC7} - (no file)

O2 - BHO: (no name) - {93578D0C-AA15-4D84-99A9-3CA1E629DB0F} - (no file)

O2 - BHO: (no name) - {9E412907-1D3E-46F5-8C65-777406AB7BEF} - (no file)

O2 - BHO: (no name) - {AE3087B8-9B6F-4B82-939A-D2D41F6D8429} - (no file)

O2 - BHO: (no name) - {BC7F8050-21BB-41D5-A0B4-7CFF21F20C53} - (no file)

O2 - BHO: {a03e0387-fd5b-d098-7154-5bafe9865a5c} - {c5a5689e-fab5-4517-890d-b5df7830e30a} - C:\WINDOWS\system32\jhrrievi.dll

O2 - BHO: (no name) - {D42112DD-B60C-4917-B74A-0BAEBD2000A6} - (no file)

O2 - BHO: (no name) - {E39D017A-5934-4841-972F-C4E87A6D0C5C} - (no file)

O2 - BHO: (no name) - {E954A517-178C-4E66-8E22-5783088B97D0} - (no file)

O2 - BHO: (no name) - {EA7C5ABA-2349-4FA1-8516-5370B4A9210C} - (no file)

O2 - BHO: (no name) - {EBA6705E-C130-4CC6-AE21-9F6B64C202E6} - (no file)
O20 - Winlogon Notify: ddcddeb - ddcddeb.dll (file missing)

....................
Next, please run this free tool which will look for a remote access (backdoor) trojan as this infection is sometimes seen with a backdoor trojan and rootkit. If found, it will remove it.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum here.
.........................
Next: There are likely other infected files I can't see in the prior logs, so let's get a full system scan with an online AV known to target this infection.

* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems

Microsoft MVP Windows-Security 2003-2008
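The logs above show the pattern the helper is working from: freshly dropped 8-letter DLL and hidden+system .ini files in system32, BHO registrations with "(no file)" or a GUID for a name, and a Winlogon Notify entry whose DLL is missing. As an added example that is not part of this thread or of ComboFix, the Python below runs those heuristics over constructed sample lines in the ComboFix and HijackThis formats quoted here and assembles the de-duplicated "File::" block of the kind the helper wrote by hand; the 8-lowercase-letter name rule is an assumption modelled on these logs, so treat its output as a review list, not an automatic delete list.

```python
import re
from typing import List, Tuple

# Constructed sample, modelled on the ComboFix and HijackThis lines quoted in this thread.
SAMPLE_LOG = """\
2007-11-24 08:08 81,472 --a------ C:\\WINDOWS\\system32\\bmoadbse.dll
2007-11-16 13:19 676,549 ---hs---- C:\\WINDOWS\\system32\\txnaqxwy.ini
2007-11-06 13:19 34,136 --a------ C:\\WINDOWS\\system32\\wucltui.dll.mui
2007-10-30 19:55 625,032 --a------ C:\\WINDOWS\\system32\\SymNeti.dll
2007-11-20 18:04 <DIR> d-------- C:\\WINDOWS\\system32\\ActiveScan
O2 - BHO: (no name) - {4AAA2DD4-0E07-4953-8E30-902947B411B6} - (no file)
O2 - BHO: {a03e0387-fd5b-d098-7154-5bafe9865a5c} - {c5a5689e-fab5-4517-890d-b5df7830e30a} - C:\\WINDOWS\\system32\\jhrrievi.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O20 - Winlogon Notify: ddcddeb - ddcddeb.dll (file missing)
"""

# ComboFix "new files" line: date time size attributes path
COMBOFIX_FILE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>[\d,]+|<DIR>)\s+"
    r"(?P<attr>[-a-z]{9})\s+(?P<path>.+?)\s*$"
)
# HijackThis O2 (browser helper object) and O20 (Winlogon Notify) lines
HJT_BHO = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+?)\s*$"
)
HJT_WINLOGON = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>\S+)(?P<missing> \(file missing\))?\s*$"
)
GUID = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
# Heuristic (assumption): the drops in this thread are 8 random lowercase letters plus .dll/.ini
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(dll|ini)$")
SYSTEM32 = "\\windows\\system32\\"


def looks_random_system32(path: str) -> bool:
    """True for an 8-lowercase-letter .dll/.ini directly under system32."""
    if SYSTEM32 not in path.lower():
        return False
    return bool(RANDOM_NAME.match(path.rsplit("\\", 1)[-1]))


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, evidence) findings for the suspicious patterns seen in this thread."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = COMBOFIX_FILE.match(line)
        if m:
            if m.group("size") == "<DIR>":
                continue
            path, attr = m.group("path"), m.group("attr")
            low = path.lower()
            # Hidden+system .ini files in system32 accompany each dropped DLL in the log
            if low.endswith(".ini") and SYSTEM32 in low and "h" in attr and "s" in attr:
                findings.append(("hidden+system .ini in system32", path))
            if looks_random_system32(path):
                findings.append(("random-named file in system32", path))
            continue
        m = HJT_BHO.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if path == "(no file)":
                findings.append(("BHO registration with no file", m.group("clsid")))
            elif GUID.match(name) or looks_random_system32(path):
                findings.append(("BHO with GUID-only name or random DLL", path))
            continue
        m = HJT_WINLOGON.match(line)
        if m and m.group("missing"):
            findings.append(("Winlogon Notify entry pointing at missing DLL", m.group("dll")))
    return findings


def build_cfscript(findings: List[Tuple[str, str]]) -> str:
    """Assemble a de-duplicated ComboFix 'File::' block from the flagged file paths."""
    paths: List[str] = []
    for _reason, evidence in findings:
        if "\\" in evidence and evidence not in paths:
            paths.append(evidence)
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    for reason, evidence in triage(SAMPLE_LOG):
        print(f"{reason}: {evidence}")
    print(build_cfscript(triage(SAMPLE_LOG)))
```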

#8 CalamityJane

CalamityJane

  • Security Colleague
  • 107 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:51 AM

Posted 29 November 2007 - 12:08 PM

When you are done with all that and logs requested posted, could you please use ComboFix to give me a specific log for a suspect directory I want to take a peek at.

Open notepad and copy/paste the text you see in the whitespace of the quotebox below into it (but not the word: quote)

DirLook::
C:\WINDOWS\system32\SYSTEM


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Please post that extra log back here for review :thumbsup:
Microsoft MVP Windows-Security 2003-2008

#9 n012

n012
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:51 AM

Posted 29 November 2007 - 05:14 PM

Well, so far so good: I have not had any pop-ups in the small amount of web surfing I have done since completing all of the steps you outlined. Two good signs have occurred for me: one, the lack of pop-ups (which would have undoubtedly popped up in the past as soon as I opened IE), and two, I was even able to access safe mode. I had forgotten to mention in my original post that the whole reason I had come to this site was because I had tried to access safe mode to do AV scans there and safe mode was unstable and essentially rebooting. Now it doesn't do that. So thanks so far! I don't use P2P networks, but I do have two kids who use this PC, and so I think they may have been monkeying around on here and clicked on a link somewhere on the net that allowed the proper files for Vundo to be installed. As an aside, I am performing the second ComboFix scan you requested right after I post this and I will post that as soon as it is done. So without further ado, here are the logs!

ComboFix 07-11-19.4C - HP_Administrator 2007-11-29 14:56:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.487 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\annhsqtg.dll
C:\WINDOWS\system32\aqjehwha.dll
C:\WINDOWS\system32\aqlxhjpn.ini
C:\WINDOWS\system32\bgihytxd.dll
C:\WINDOWS\system32\bmoadbse.dll
C:\WINDOWS\system32\bphfsuox.dll
C:\WINDOWS\system32\ceeicfwe.dll
C:\WINDOWS\system32\cjiwticu.dll
C:\WINDOWS\system32\cwuprcdb.ini
C:\WINDOWS\system32\dkxrmpvc.dll
C:\WINDOWS\system32\dsteeipk.dll
C:\WINDOWS\system32\eearqxcr.dll
C:\WINDOWS\system32\eeuksxfj.dll
C:\WINDOWS\system32\eheddxti.dll
C:\WINDOWS\system32\ekfsibcg.dll
C:\WINDOWS\system32\etxlfcxx.ini
C:\WINDOWS\system32\euvkibks.dll
C:\WINDOWS\system32\faraqqrq.dll
C:\WINDOWS\system32\fbuhabjy.ini
C:\WINDOWS\system32\fiollrto.ini
C:\WINDOWS\system32\fmwrhpxu.dll
C:\WINDOWS\system32\fpngkded.dll
C:\WINDOWS\system32\fsjntsyd.dll
C:\WINDOWS\system32\gvbkqubs.dll
C:\WINDOWS\system32\gwahekqg.dll
C:\WINDOWS\system32\hcwakjef.dll
C:\WINDOWS\system32\hprdmfhr.ini
C:\WINDOWS\system32\hxyduvgm.dll
C:\WINDOWS\system32\imjnpcvf.dll
C:\WINDOWS\system32\iovwpnec.dll
C:\WINDOWS\system32\ixhsrrvi.dll
C:\WINDOWS\system32\jhrrievi.dll
C:\WINDOWS\system32\jneuqlqv.dll
C:\WINDOWS\system32\kedwafmu.dll
C:\WINDOWS\system32\kmfxyrfr.dll
C:\WINDOWS\system32\kwiuowfh.ini
C:\WINDOWS\system32\lfeewrff.ini
C:\WINDOWS\system32\lhpcmfnl.ini
C:\WINDOWS\system32\lwgkyyyo.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mgllglrk.ini
C:\WINDOWS\system32\mopwwgpg.dll
C:\WINDOWS\system32\nktkieus.dll
C:\WINDOWS\system32\nrlumvcm.dll
C:\WINDOWS\system32\ojiiugoj.ini
C:\WINDOWS\system32\ovgysgxc.ini
C:\WINDOWS\system32\owoxewbh.dll
C:\WINDOWS\system32\oxntkfsm.ini
C:\WINDOWS\system32\pgtajkuq.ini
C:\WINDOWS\system32\pvcalfeh.ini
C:\WINDOWS\system32\qduridmx.dll
C:\WINDOWS\system32\qfwsygvq.dll
C:\WINDOWS\system32\qqosohkp.dll
C:\WINDOWS\system32\qucqbqej.dll
C:\WINDOWS\system32\rexybgas.dll
C:\WINDOWS\system32\rkyoujlr.dll
C:\WINDOWS\system32\rljrdkxu.ini
C:\WINDOWS\system32\sbogwxom.ini
C:\WINDOWS\system32\skbikvue.ini
C:\WINDOWS\system32\snyxbwfh.dll
C:\WINDOWS\system32\taohgetv.dll
C:\WINDOWS\system32\ttnufpsg.dll
C:\WINDOWS\system32\tugopmmh.dll
C:\WINDOWS\system32\txnaqxwy.ini
C:\WINDOWS\system32\ubqqivdb.ini
C:\WINDOWS\system32\ukldlwmp.dll
C:\WINDOWS\system32\usgdxllj.dll
C:\WINDOWS\system32\uwvrphpq.ini
C:\WINDOWS\system32\vhahngpj.dll
C:\WINDOWS\system32\vktwrrwv.ini
C:\WINDOWS\system32\vnvuiruj.ini
C:\WINDOWS\system32\vsrcagjw.dll
C:\WINDOWS\system32\waxwicrl.ini
C:\WINDOWS\system32\wvyoguby.dll
C:\WINDOWS\system32\xcbmbfhe.dll
C:\WINDOWS\system32\xtxygwvn.ini
C:\WINDOWS\system32\xwpofcna.dll
C:\WINDOWS\system32\xxvnjhyb.ini
C:\WINDOWS\system32\yecevjcc.ini
C:\WINDOWS\system32\yjhstodo.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\annhsqtg.dll
C:\WINDOWS\system32\aqjehwha.dll
C:\WINDOWS\system32\aqlxhjpn.ini
C:\WINDOWS\system32\bgihytxd.dll
C:\WINDOWS\system32\bmoadbse.dll
C:\WINDOWS\system32\bphfsuox.dll
C:\WINDOWS\system32\ceeicfwe.dll
C:\WINDOWS\system32\cjiwticu.dll
C:\WINDOWS\system32\cwuprcdb.ini
C:\WINDOWS\system32\dkxrmpvc.dll
C:\WINDOWS\system32\dsteeipk.dll
C:\WINDOWS\system32\eearqxcr.dll
C:\WINDOWS\system32\eeuksxfj.dll
C:\WINDOWS\system32\eheddxti.dll
C:\WINDOWS\system32\ekfsibcg.dll
C:\WINDOWS\system32\etxlfcxx.ini
C:\WINDOWS\system32\euvkibks.dll
C:\WINDOWS\system32\faraqqrq.dll
C:\WINDOWS\system32\fbuhabjy.ini
C:\WINDOWS\system32\fiollrto.ini
C:\WINDOWS\system32\fmwrhpxu.dll
C:\WINDOWS\system32\fpngkded.dll
C:\WINDOWS\system32\fsjntsyd.dll
C:\WINDOWS\system32\gvbkqubs.dll
C:\WINDOWS\system32\gwahekqg.dll
C:\WINDOWS\system32\hcwakjef.dll
C:\WINDOWS\system32\hprdmfhr.ini
C:\WINDOWS\system32\hxyduvgm.dll
C:\WINDOWS\system32\imjnpcvf.dll
C:\WINDOWS\system32\iovwpnec.dll
C:\WINDOWS\system32\ixhsrrvi.dll
C:\WINDOWS\system32\jhrrievi.dll
C:\WINDOWS\system32\jneuqlqv.dll
C:\WINDOWS\system32\kedwafmu.dll
C:\WINDOWS\system32\kmfxyrfr.dll
C:\WINDOWS\system32\kwiuowfh.ini
C:\WINDOWS\system32\lfeewrff.ini
C:\WINDOWS\system32\lhpcmfnl.ini
C:\WINDOWS\system32\lwgkyyyo.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mgllglrk.ini
C:\WINDOWS\system32\mopwwgpg.dll
C:\WINDOWS\system32\nktkieus.dll
C:\WINDOWS\system32\nrlumvcm.dll
C:\WINDOWS\system32\ojiiugoj.ini
C:\WINDOWS\system32\ovgysgxc.ini
C:\WINDOWS\system32\owoxewbh.dll
C:\WINDOWS\system32\oxntkfsm.ini
C:\WINDOWS\system32\pgtajkuq.ini
C:\WINDOWS\system32\pvcalfeh.ini
C:\WINDOWS\system32\qduridmx.dll
C:\WINDOWS\system32\qfwsygvq.dll
C:\WINDOWS\system32\qqosohkp.dll
C:\WINDOWS\system32\qucqbqej.dll
C:\WINDOWS\system32\rexybgas.dll
C:\WINDOWS\system32\rkyoujlr.dll
C:\WINDOWS\system32\rljrdkxu.ini
C:\WINDOWS\system32\sbogwxom.ini
C:\WINDOWS\system32\skbikvue.ini
C:\WINDOWS\system32\snyxbwfh.dll
C:\WINDOWS\system32\system\
C:\WINDOWS\system32\taohgetv.dll
C:\WINDOWS\system32\ttnufpsg.dll
C:\WINDOWS\system32\tugopmmh.dll
C:\WINDOWS\system32\txnaqxwy.ini
C:\WINDOWS\system32\ubqqivdb.ini
C:\WINDOWS\system32\ukldlwmp.dll
C:\WINDOWS\system32\usgdxllj.dll
C:\WINDOWS\system32\uwvrphpq.ini
C:\WINDOWS\system32\vhahngpj.dll
C:\WINDOWS\system32\vktwrrwv.ini
C:\WINDOWS\system32\vnvuiruj.ini
C:\WINDOWS\system32\vsrcagjw.dll
C:\WINDOWS\system32\waxwicrl.ini
C:\WINDOWS\system32\wvyoguby.dll
C:\WINDOWS\system32\xcbmbfhe.dll
C:\WINDOWS\system32\xtxygwvn.ini
C:\WINDOWS\system32\xwpofcna.dll
C:\WINDOWS\system32\xxvnjhyb.ini
C:\WINDOWS\system32\yecevjcc.ini
C:\WINDOWS\system32\yjhstodo.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.

2007-11-28 20:47 <DIR> d-------- C:\VundoFix Backups
2007-11-20 22:18 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-20 18:04 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-20 18:04 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-11-20 18:04 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-20 18:04 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-20 00:12 <DIR> d-------- C:\Documents and Settings\HP_Administrator\.housecall6.6
2007-11-18 22:00 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-18 22:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-18 21:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-06 13:19 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2007-11-06 13:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-11-06 13:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-11-06 13:19 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-11-03 19:52 <DIR> d-------- C:\Program Files\CCleaner
2007-11-02 07:37 72 --a------ C:\WINDOWS\system32\SYSTEM
2007-10-30 19:55 625,032 --a------ C:\WINDOWS\system32\SymNeti.dll
2007-10-30 19:55 242,056 --a------ C:\WINDOWS\system32\SymRedir.dll
2007-10-30 19:55 191,536 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-30 19:55 145,968 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2007-10-30 19:55 39,856 --a------ C:\WINDOWS\system32\drivers\symids.sys
2007-10-30 19:55 37,936 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2007-10-30 19:55 35,120 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2007-10-30 19:55 27,696 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-30 19:55 12,848 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2007-10-30 19:24 12,963 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-30 19:24 1,358 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-29 18:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-29 16:35 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-28 15:05 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\U3
2007-11-20 23:50 --------- d-----w C:\Program Files\Norton Internet Security
2007-11-20 23:47 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-11-20 23:47 --------- d-----w C:\Program Files\iTunes
2007-11-20 23:39 --------- d---a-w C:\Program Files\Common Files\LightScribe
2007-11-19 02:03 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-16 16:06 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\ATI
2007-11-13 16:33 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2007-10-31 14:02 --------- d-----w C:\Program Files\NoodleNet
2007-10-27 01:17 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\AdobeUM
2007-10-22 21:38 --------- d-----w C:\Program Files\iColorFolder
2007-10-21 03:38 --------- d-----w C:\Program Files\iPod
2007-10-04 22:52 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-04 22:52 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-04 22:52 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-04 22:52 --------- d-----w C:\Program Files\Symantec
2007-09-29 05:46 47,376 ----a-w C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-09-29 03:05 2,456,064 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-09-29 02:19 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2006-08-29 15:04 176 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4AAA2DD4-0E07-4953-8E30-902947B411B6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{58D59E72-A545-44AB-B762-39EE8464A74B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5DBF0DD8-0CED-4DA2-BADC-FB12B65467FD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{80AAC286-66CF-47E9-AA6F-53AB71736CA6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F7BB305-A92D-4F69-83E3-E163D3EC0CC7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{93578D0C-AA15-4D84-99A9-3CA1E629DB0F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E412907-1D3E-46F5-8C65-777406AB7BEF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE3087B8-9B6F-4B82-939A-D2D41F6D8429}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC7F8050-21BB-41D5-A0B4-7CFF21F20C53}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5a5689e-fab5-4517-890d-b5df7830e30a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D42112DD-B60C-4917-B74A-0BAEBD2000A6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E39D017A-5934-4841-972F-C4E87A6D0C5C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E954A517-178C-4E66-8E22-5783088B97D0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA7C5ABA-2349-4FA1-8516-5370B4A9210C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EBA6705E-C130-4CC6-AE21-9F6B64C202E6}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]
"Norton Protection Center UI Stub"="C:\Program Files\Common Files\Symantec Shared\NPC\uiStub.exe" [2007-07-06 13:24]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2006-08-17 10:32 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-17 10:32 C:\WINDOWS\system32\CTXFIHLP.EXE]
"NortonAntiBot"="C:\Program Files\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe" [2007-06-29 19:40]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-06-04 21:05]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-06-26 00:00]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 16:39]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 12:41]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 02:19 C:\WINDOWS\arpwrmsg.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-26 14:56]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
LaunchU3.exe.lnk - C:\WINDOWS\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2006-10-06 21:16:52]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcddeb]
ddcddeb.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Steam"=C:\Program Files\Valve\Steam\\Steam.exe -silent
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"UpdReg"=C:\WINDOWS\UpdReg.EXE
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"HPHUPD08"=c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
"KBD"=C:\HP\KBD\KBD.EXE
"ehTray"=C:\WINDOWS\ehome\ehtray.exe

R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys
R2 SymantecAntiBotAgent;SymantecAntiBotAgent;"C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABAgent.exe" SymantecAntiBotAgent
R2 SymantecAntiBotWatcher;SymantecAntiBotWatcher;C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys
R3 SymantecAntiBotDriver;SymantecAntiBotDriver;\??\C:\Program Files\Symantec\Norton AntiBot\agent\driver\platform_XP\AntiBotDriver.sys
R3 SymantecAntiBotFilter;SymantecAntiBotFilter;\??\C:\Program Files\Symantec\Norton AntiBot\agent\driver\platform_XP\AntiBotFilter.sys
R3 SymantecAntiBotShim;SymantecAntiBotShim;\??\C:\Program Files\Symantec\Norton AntiBot\agent\driver\platform_XP\AntiBotShim.sys
S3 Fadpu16E;Fadpu16E;\??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\Fadpu16E.sys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-11-24 02:37:47 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2007-11-24 19:05:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-25 02:41:19 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - HP_Administrator.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 15:02:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-29 15:04:49 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-28 21:34
.
--- E O F ---

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


SDFix: Version 1.116

Run by HP_Administrator on Thu 11/29/2007 at 03:28 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found





Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 15:36:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

Sat 25 Mar 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 29 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sat 25 Mar 2006 4,348 A.SH. --- "C:\Documents and Settings\HP_Administrator\My Documents\My Music\License Backup\drmv1key.bak"
Mon 22 May 2006 11,116 A.SH. --- "C:\Documents and Settings\HP_Administrator\My Documents\My Music\License Backup\drmv2key.bak"
Thu 25 Oct 2007 26,624 A..H. --- "C:\Documents and Settings\HP_Administrator\Desktop\School\Terms\2007\AU07\HUM\ArtPaper\~WRL0584.tmp"
Thu 25 Oct 2007 26,112 A..H. --- "C:\Documents and Settings\HP_Administrator\Desktop\School\Terms\2007\AU07\HUM\ArtPaper\~WRL2983.tmp"

Finished!




--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------



# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2693 (20071129)
# vers_arch_module=1.059 (20071108)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=b2ef55625a703a49bac9e075c22ad6e4
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2007-11-29 09:42:50
# local_time=2007-11-29 04:42:50 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=515672
# found=43
# scan_time=3469
# nod_component=NOD32MOD_WINNT_ENGLISH_ADMIN Build:0x0 ()
# nod_component=NOD32MOD_WINNT_ENGLISH_BASE Build:0x0 ()
# nod_component=NOD32MOD_WINNT_ENGLISH_INET Build:0x0 ()
# nod_component=NOD32MOD_WINNT_ENGLISH_STANDARD Build:0x0 ()
C:\qoobox\Quarantine\C\WINDOWS\system32\aqjehwha.dll.vir Win32/BHO.G trojan 2B7DF84A927DAF3ED8BCCC4D2B10C7B4
C:\qoobox\Quarantine\C\WINDOWS\system32\bgihytxd.dll.vir Win32/BHO.G trojan 3311D83F18C4042CB259711E1F9E5650
C:\qoobox\Quarantine\C\WINDOWS\system32\bphfsuox.dll.vir Win32/Adware.Virtumonde application 877C23CFFFF9D69AD3FABF6015084E16
C:\qoobox\Quarantine\C\WINDOWS\system32\ceeicfwe.dll.vir Win32/BHO.G trojan 0CE19F284131BA6FD931F149C2081E70
C:\qoobox\Quarantine\C\WINDOWS\system32\cjiwticu.dll.vir Win32/Adware.Virtumonde application 877C23CFFFF9D69AD3FABF6015084E16
C:\qoobox\Quarantine\C\WINDOWS\system32\dsteeipk.dll.vir Win32/Adware.Virtumonde application 877C23CFFFF9D69AD3FABF6015084E16
C:\qoobox\Quarantine\C\WINDOWS\system32\eearqxcr.dll.vir Win32/BHO.G trojan E3230FAC2898EA4A984789C2894F3A6D
C:\qoobox\Quarantine\C\WINDOWS\system32\eeuksxfj.dll.vir Win32/BHO.G trojan 173D48C9B09BEE7C57175229AC2522E6
C:\qoobox\Quarantine\C\WINDOWS\system32\eheddxti.dll.vir Win32/Adware.Virtumonde application 877C23CFFFF9D69AD3FABF6015084E16
C:\qoobox\Quarantine\C\WINDOWS\system32\faraqqrq.dll.vir Win32/Adware.Virtumonde application 877C23CFFFF9D69AD3FABF6015084E16
C:\qoobox\Quarantine\C\WINDOWS\system32\fmwrhpxu.dll.vir Win32/Adware.Virtumonde application 7CF1BD56D8C39683AD6B7EF49FE0DC0A
C:\qoobox\Quarantine\C\WINDOWS\system32\fpngkded.dll.vir Win32/BHO.G trojan 173D48C9B09BEE7C57175229AC2522E6
C:\qoobox\Quarantine\C\WINDOWS\system32\fsjntsyd.dll.vir Win32/Adware.Virtumonde application FA2E08EA9FF0102E00668D54553C8C10
C:\qoobox\Quarantine\C\WINDOWS\system32\gvbkqubs.dll.vir Win32/Adware.Virtumonde application 02C3FB3F5A3C55A950357AC7C67CFC03
C:\qoobox\Quarantine\C\WINDOWS\system32\gwahekqg.dll.vir Win32/Adware.Virtumonde application 877C23CFFFF9D69AD3FABF6015084E16
C:\qoobox\Quarantine\C\WINDOWS\system32\hcwakjef.dll.vir Win32/Adware.Virtumonde application 877C23CFFFF9D69AD3FABF6015084E16
C:\qoobox\Quarantine\C\WINDOWS\system32\hxyduvgm.dll.vir Win32/BHO.G trojan B6FC185D2EE547AE12DB8C301C790F3F
C:\qoobox\Quarantine\C\WINDOWS\system32\iovwpnec.dll.vir Win32/Adware.Virtumonde application 877C23CFFFF9D69AD3FABF6015084E16
C:\qoobox\Quarantine\C\WINDOWS\system32\jhrrievi.dll.vir Win32/BHO.G trojan 0CE19F284131BA6FD931F149C2081E70
C:\qoobox\Quarantine\C\WINDOWS\system32\jneuqlqv.dll.vir Win32/Adware.Virtumonde application 877C23CFFFF9D69AD3FABF6015084E16
C:\qoobox\Quarantine\C\WINDOWS\system32\kedwafmu.dll.vir Win32/Adware.Virtumonde application 877C23CFFFF9D69AD3FABF6015084E16
C:\qoobox\Quarantine\C\WINDOWS\system32\kmfxyrfr.dll.vir Win32/BHO.G trojan 2B7DF84A927DAF3ED8BCCC4D2B10C7B4
C:\qoobox\Quarantine\C\WINDOWS\system32\lwgkyyyo.dll.vir Win32/BHO.G trojan E3230FAC2898EA4A984789C2894F3A6D
C:\qoobox\Quarantine\C\WINDOWS\system32\mopwwgpg.dll.vir Win32/Adware.Virtumonde application 877C23CFFFF9D69AD3FABF6015084E16
C:\qoobox\Quarantine\C\WINDOWS\system32\nktkieus.dll.vir Win32/Adware.Virtumonde application 877C23CFFFF9D69AD3FABF6015084E16
C:\qoobox\Quarantine\C\WINDOWS\system32\nrlumvcm.dll.vir Win32/Adware.Virtumonde application 877C23CFFFF9D69AD3FABF6015084E16
C:\qoobox\Quarantine\C\WINDOWS\system32\owoxewbh.dll.vir Win32/Adware.Virtumonde application 877C23CFFFF9D69AD3FABF6015084E16
C:\qoobox\Quarantine\C\WINDOWS\system32\qduridmx.dll.vir Win32/Adware.Virtumonde application FE2D877DD639ABF22DC64C437ECA15D5
C:\qoobox\Quarantine\C\WINDOWS\system32\qfwsygvq.dll.vir Win32/Adware.Virtumonde application 877C23CFFFF9D69AD3FABF6015084E16
C:\qoobox\Quarantine\C\WINDOWS\system32\qqosohkp.dll.vir Win32/BHO.G trojan B6FC185D2EE547AE12DB8C301C790F3F
C:\qoobox\Quarantine\C\WINDOWS\system32\qucqbqej.dll.vir Win32/BHO.G trojan 0CE19F284131BA6FD931F149C2081E70
C:\qoobox\Quarantine\C\WINDOWS\system32\rkyoujlr.dll.vir Win32/Adware.Virtumonde application 877C23CFFFF9D69AD3FABF6015084E16
C:\qoobox\Quarantine\C\WINDOWS\system32\snyxbwfh.dll.vir Win32/Adware.Virtumonde application 877C23CFFFF9D69AD3FABF6015084E16
C:\qoobox\Quarantine\C\WINDOWS\system32\taohgetv.dll.vir Win32/Adware.Virtumonde application FE2D877DD639ABF22DC64C437ECA15D5
C:\qoobox\Quarantine\C\WINDOWS\system32\ttnufpsg.dll.vir Win32/Adware.Virtumonde application 877C23CFFFF9D69AD3FABF6015084E16
C:\qoobox\Quarantine\C\WINDOWS\system32\tugopmmh.dll.vir Win32/Adware.Virtumonde application 877C23CFFFF9D69AD3FABF6015084E16
C:\qoobox\Quarantine\C\WINDOWS\system32\ukldlwmp.dll.vir Win32/BHO.G trojan E3230FAC2898EA4A984789C2894F3A6D
C:\qoobox\Quarantine\C\WINDOWS\system32\usgdxllj.dll.vir Win32/Adware.Virtumonde application 877C23CFFFF9D69AD3FABF6015084E16
C:\qoobox\Quarantine\C\WINDOWS\system32\vsrcagjw.dll.vir Win32/BHO.G trojan A1FBC70F16F774D17C4316BEC997CC33
C:\qoobox\Quarantine\C\WINDOWS\system32\wvyoguby.dll.vir Win32/BHO.G trojan E3230FAC2898EA4A984789C2894F3A6D
C:\qoobox\Quarantine\C\WINDOWS\system32\xcbmbfhe.dll.vir Win32/Adware.Virtumonde application 7CF1BD56D8C39683AD6B7EF49FE0DC0A
C:\qoobox\Quarantine\C\WINDOWS\system32\xwpofcna.dll.vir Win32/Adware.Virtumonde application 877C23CFFFF9D69AD3FABF6015084E16
C:\qoobox\Quarantine\C\WINDOWS\system32\yjhstodo.dll.vir Win32/Adware.Virtumonde application 877C23CFFFF9D69AD3FABF6015084E16
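
The ESET Online Scanner log pasted above has a simple shape: `# key=value` header lines, then one line per detection giving the file path, the detection name, the category (trojan / application) and the file's MD5. The script below is an added example for this thread, not ESET's tooling and not code from any poster; the function names are mine. It parses such a log, checks the scanner's own `# found=` count against the number of detection lines actually present (a truncated paste is a common forum problem), and groups detections by MD5. That grouping makes visible what the raw list hides: many of the randomly named DLLs that ComboFix removed are byte-identical copies of the same Virtumonde component, which is why the names look random while the hashes repeat. The embedded sample log is a constructed subset of the lines posted above, with `# found=` adjusted to match.

```python
"""Parse an ESET Online Scanner log.txt and summarise what it found.

Added example for this thread; not ESET's code. Function names are mine.
Log shape as seen in the thread: '# key=value' header lines, then one
line per detection:  <path> <detection name> <category> <MD5>
"""
import re
from collections import Counter, defaultdict

MD5_RE = re.compile(r"^[0-9A-Fa-f]{32}$")

# Constructed sample: a subset of the detection lines posted in the thread,
# with the '# found=' header set to the number of lines kept here.
SAMPLE_LOG = r"""
# version=4
# end=finished
# remove_checked=false
# unwanted_checked=true
# scanned=515672
# found=6
# nod_component=NOD32MOD_WINNT_ENGLISH_ADMIN Build:0x0 ()
C:\qoobox\Quarantine\C\WINDOWS\system32\aqjehwha.dll.vir Win32/BHO.G trojan 2B7DF84A927DAF3ED8BCCC4D2B10C7B4
C:\qoobox\Quarantine\C\WINDOWS\system32\bphfsuox.dll.vir Win32/Adware.Virtumonde application 877C23CFFFF9D69AD3FABF6015084E16
C:\qoobox\Quarantine\C\WINDOWS\system32\cjiwticu.dll.vir Win32/Adware.Virtumonde application 877C23CFFFF9D69AD3FABF6015084E16
C:\qoobox\Quarantine\C\WINDOWS\system32\dsteeipk.dll.vir Win32/Adware.Virtumonde application 877C23CFFFF9D69AD3FABF6015084E16
C:\qoobox\Quarantine\C\WINDOWS\system32\kmfxyrfr.dll.vir Win32/BHO.G trojan 2B7DF84A927DAF3ED8BCCC4D2B10C7B4
C:\qoobox\Quarantine\C\WINDOWS\system32\fmwrhpxu.dll.vir Win32/Adware.Virtumonde application 7CF1BD56D8C39683AD6B7EF49FE0DC0A
"""


def parse_eset_log(text):
    """Return (header, detections).

    header:     dict of the '# key=value' lines (first value wins for repeats
                such as nod_component)
    detections: list of dicts with path, name, kind and md5 (upper-cased)
    """
    header = {}
    detections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, sep, value = line[1:].strip().partition("=")
            if sep:
                header.setdefault(key.strip(), value.strip())
            continue
        # Split from the right so a path containing spaces stays intact.
        parts = line.rsplit(None, 3)
        if len(parts) != 4 or not MD5_RE.match(parts[3]):
            continue  # not a detection line; ignore it
        path, name, kind, md5 = parts
        detections.append({"path": path, "name": name, "kind": kind, "md5": md5.upper()})
    return header, detections


def found_count_matches(header, detections):
    """True if the scanner's '# found=N' agrees with the detection lines present."""
    try:
        return int(header.get("found", "")) == len(detections)
    except ValueError:
        return False


def group_by_hash(detections):
    """MD5 -> sorted list of paths. Files sharing a hash are byte-identical copies."""
    groups = defaultdict(list)
    for d in detections:
        groups[d["md5"]].append(d["path"])
    return {h: sorted(paths) for h, paths in groups.items()}


def count_by_name(detections):
    """Detection name -> number of files carrying it."""
    return dict(Counter(d["name"] for d in detections))


if __name__ == "__main__":
    header, dets = parse_eset_log(SAMPLE_LOG)
    print(f"scanned={header.get('scanned')} found={header.get('found')} "
          f"lines={len(dets)} consistent={found_count_matches(header, dets)}")
    for name, n in sorted(count_by_name(dets).items()):
        print(f"{n:3d}  {name}")
    print("distinct payloads by MD5:")
    for md5, paths in sorted(group_by_hash(dets).items(), key=lambda kv: -len(kv[1])):
        print(f"  {md5}  x{len(paths)}")
        for p in paths:
            print(f"      {p}")
```

Run against the full log above (saved as `log.txt` and read into `parse_eset_log`), the 43 detection lines collapse to a handful of distinct hashes; when triaging a Vundo-style infection it is the hash count, not the file count, that tells you how many different components were actually on the machine.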

#10 n012

n012
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:51 AM

Posted 29 November 2007 - 05:24 PM

Here is the second ComboFix scan of the SYSTEM file and once again, happy hunting!

ComboFix 07-11-19.4C - HP_Administrator 2007-11-29 17:17:26.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.517 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\system\

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.

2007-11-29 15:43 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-11-29 15:26 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-28 20:47 <DIR> d-------- C:\VundoFix Backups
2007-11-20 22:18 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-20 18:04 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-20 18:04 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-11-20 18:04 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-20 18:04 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-20 00:12 <DIR> d-------- C:\Documents and Settings\HP_Administrator\.housecall6.6
2007-11-18 22:00 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-18 22:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-18 21:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-06 13:19 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2007-11-06 13:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-11-06 13:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-11-06 13:19 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-11-03 19:52 <DIR> d-------- C:\Program Files\CCleaner
2007-11-02 07:37 72 --a------ C:\WINDOWS\system32\SYSTEM
2007-10-30 19:55 625,032 --a------ C:\WINDOWS\system32\SymNeti.dll
2007-10-30 19:55 242,056 --a------ C:\WINDOWS\system32\SymRedir.dll
2007-10-30 19:55 191,536 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-30 19:55 145,968 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2007-10-30 19:55 39,856 --a------ C:\WINDOWS\system32\drivers\symids.sys
2007-10-30 19:55 37,936 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2007-10-30 19:55 35,120 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2007-10-30 19:55 27,696 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-30 19:55 12,848 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2007-10-30 19:24 12,963 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-30 19:24 1,358 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-29 22:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-29 16:35 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-28 15:05 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\U3
2007-11-20 23:50 --------- d-----w C:\Program Files\Norton Internet Security
2007-11-20 23:47 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-11-20 23:47 --------- d-----w C:\Program Files\iTunes
2007-11-20 23:39 --------- d---a-w C:\Program Files\Common Files\LightScribe
2007-11-19 02:03 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-16 16:06 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\ATI
2007-11-13 16:33 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2007-10-31 14:02 --------- d-----w C:\Program Files\NoodleNet
2007-10-27 01:17 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\AdobeUM
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-22 21:38 --------- d-----w C:\Program Files\iColorFolder
2007-10-21 03:38 --------- d-----w C:\Program Files\iPod
2007-10-04 22:52 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-04 22:52 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-04 22:52 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-04 22:52 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-04 22:52 --------- d-----w C:\Program Files\Symantec
2007-09-29 05:46 47,376 ----a-w C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-09-29 03:21 9,854,976 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-09-29 03:07 356,352 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-09-29 03:06 268,800 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-09-29 03:05 2,456,064 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-09-29 03:05 2,456,064 ----a-w C:\WINDOWS\system32\dllcache\ati2mtag.sys
2007-09-29 02:58 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-09-29 02:58 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-09-29 02:58 143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-09-29 02:58 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-09-29 02:57 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-09-29 02:56 483,328 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-09-29 02:55 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-09-29 02:49 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-09-29 02:47 3,130,720 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-09-29 02:47 172,032 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-09-29 02:36 1,593,600 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-09-29 02:23 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-09-29 02:22 376,832 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-09-29 02:20 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-09-29 02:19 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2007-09-29 02:14 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-09-29 01:05 593,920 ----a-w C:\WINDOWS\system32\ati2sgag.exe
2006-08-29 15:04 176 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2005-05-12 14:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\system32\SYSTEM ----

C:\WINDOWS\system32\SYSTEM\


((((((((((((((((((((((((((((( snapshot@2007-11-28_21.33.06.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-28 23:53:00 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-11-29 20:27:57 6,508,544 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-11-29 20:27:57 266,240 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-11-28 23:53:00 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-11-29 20:27:19 6,508,544 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2007-11-29 20:27:19 266,240 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2007-07-27 20:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 20:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-06 01:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 18:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
+ 2007-08-02 23:11:28 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
+ 2007-08-02 23:11:14 241,664 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
+ 2007-08-08 21:30:12 19,456 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
+ 2007-06-13 16:10:34 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4AAA2DD4-0E07-4953-8E30-902947B411B6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{58D59E72-A545-44AB-B762-39EE8464A74B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5DBF0DD8-0CED-4DA2-BADC-FB12B65467FD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{80AAC286-66CF-47E9-AA6F-53AB71736CA6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F7BB305-A92D-4F69-83E3-E163D3EC0CC7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{93578D0C-AA15-4D84-99A9-3CA1E629DB0F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E412907-1D3E-46F5-8C65-777406AB7BEF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE3087B8-9B6F-4B82-939A-D2D41F6D8429}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC7F8050-21BB-41D5-A0B4-7CFF21F20C53}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5a5689e-fab5-4517-890d-b5df7830e30a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D42112DD-B60C-4917-B74A-0BAEBD2000A6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E39D017A-5934-4841-972F-C4E87A6D0C5C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E954A517-178C-4E66-8E22-5783088B97D0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA7C5ABA-2349-4FA1-8516-5370B4A9210C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EBA6705E-C130-4CC6-AE21-9F6B64C202E6}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]
"Norton Protection Center UI Stub"="C:\Program Files\Common Files\Symantec Shared\NPC\uiStub.exe" [2007-07-06 13:24]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2006-08-17 10:32 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-17 10:32 C:\WINDOWS\system32\CTXFIHLP.EXE]
"NortonAntiBot"="C:\Program Files\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe" [2007-06-29 19:40]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-06-04 21:05]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-06-26 00:00]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 16:39]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 12:41]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 02:19 C:\WINDOWS\arpwrmsg.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-26 14:56]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
LaunchU3.exe.lnk - C:\WINDOWS\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2006-10-06 21:16:52]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcddeb]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Steam"=C:\Program Files\Valve\Steam\\Steam.exe -silent
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"UpdReg"=C:\WINDOWS\UpdReg.EXE
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"HPHUPD08"=c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
"KBD"=C:\HP\KBD\KBD.EXE
"ehTray"=C:\WINDOWS\ehome\ehtray.exe

R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys
R2 SymantecAntiBotWatcher;SymantecAntiBotWatcher;C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys
R3 SymantecAntiBotDriver;SymantecAntiBotDriver;\??\C:\Program Files\Symantec\Norton AntiBot\agent\driver\platform_XP\AntiBotDriver.sys
R3 SymantecAntiBotFilter;SymantecAntiBotFilter;\??\C:\Program Files\Symantec\Norton AntiBot\agent\driver\platform_XP\AntiBotFilter.sys
R3 SymantecAntiBotShim;SymantecAntiBotShim;\??\C:\Program Files\Symantec\Norton AntiBot\agent\driver\platform_XP\AntiBotShim.sys
S2 SymantecAntiBotAgent;SymantecAntiBotAgent;"C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABAgent.exe" SymantecAntiBotAgent
S3 Fadpu16E;Fadpu16E;\??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\Fadpu16E.sys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-11-24 02:37:47 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2007-11-24 19:05:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-25 02:41:19 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - HP_Administrator.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 17:20:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-29 17:20:48
C:\ComboFix2.txt ... 2007-11-29 15:04
C:\ComboFix3.txt ... 2007-11-28 21:34
.
--- E O F ---

#11 CalamityJane

CalamityJane

  • Security Colleague
  • 107 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:51 AM

Posted 29 November 2007 - 06:30 PM

Very good :blink: All looking pretty good so far.

One more tool I'd like to see a log from please and then there might be some minor cleanup. But you're almost there :thumbsup:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized, and extra.txt <- this one will be minimized
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your reply.

Microsoft MVP Windows-Security 2003-2008

#12 n012

n012
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:51 AM

Posted 29 November 2007 - 09:17 PM

Here we go Round Number 3! And just in case I have not said it enough, thank you so much for your help!

main.txt:

Deckard's System Scanner v20071014.68
Run by HP_Administrator on 2007-11-29 21:09:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
5: 2007-11-30 02:10:00 UTC - RP5 - Deckard's System Scanner Restore Point
4: 2007-11-29 22:17:16 UTC - RP4 - ComboFix created restore point
3: 2007-11-29 19:56:05 UTC - RP3 - ComboFix created restore point
2: 2007-11-29 02:14:11 UTC - RP2 - ComboFix created restore point
1: 2007-11-29 02:13:35 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as HP_Administrator.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:11:34 PM, on 11/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\HP_Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HP_Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://ercproxy.cscc.edu/ercsearch.pac
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: (no name) - {4AAA2DD4-0E07-4953-8E30-902947B411B6} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {58D59E72-A545-44AB-B762-39EE8464A74B} - (no file)
O2 - BHO: (no name) - {5DBF0DD8-0CED-4DA2-BADC-FB12B65467FD} - (no file)
O2 - BHO: (no name) - {80AAC286-66CF-47E9-AA6F-53AB71736CA6} - (no file)
O2 - BHO: (no name) - {8F7BB305-A92D-4F69-83E3-E163D3EC0CC7} - (no file)
O2 - BHO: (no name) - {93578D0C-AA15-4D84-99A9-3CA1E629DB0F} - (no file)
O2 - BHO: (no name) - {9E412907-1D3E-46F5-8C65-777406AB7BEF} - (no file)
O2 - BHO: (no name) - {AE3087B8-9B6F-4B82-939A-D2D41F6D8429} - (no file)
O2 - BHO: (no name) - {BC7F8050-21BB-41D5-A0B4-7CFF21F20C53} - (no file)
O2 - BHO: (no name) - {c5a5689e-fab5-4517-890d-b5df7830e30a} - (no file)
O2 - BHO: (no name) - {D42112DD-B60C-4917-B74A-0BAEBD2000A6} - (no file)
O2 - BHO: (no name) - {E39D017A-5934-4841-972F-C4E87A6D0C5C} - (no file)
O2 - BHO: (no name) - {E954A517-178C-4E66-8E22-5783088B97D0} - (no file)
O2 - BHO: (no name) - {EA7C5ABA-2349-4FA1-8516-5370B4A9210C} - (no file)
O2 - BHO: (no name) - {EBA6705E-C130-4CC6-AE21-9F6B64C202E6} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NortonAntiBot] "C:\Program Files\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Norton Protection Center UI Stub] C:\Program Files\Common Files\Symantec Shared\NPC\uiStub.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - (no file)
O9 - Extra 'Tools' menuitem: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1140300949656
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A9DD5FE2-5567-4983-971F-C792375025A6} (PhoenixBody Class) - http://software.musicnow.com/musicnow/phoe...34/MusicNow.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O20 - Winlogon Notify: ddcddeb - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymantecAntiBotAgent - Symantec - C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABAgent.exe
O23 - Service: SymantecAntiBotWatcher - Symantec - C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 11605 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20071129-151402-237 O2 - BHO: (no name) - {EBA6705E-C130-4CC6-AE21-9F6B64C202E6} - (no file)
backup-20071129-151402-306 O2 - BHO: (no name) - {E39D017A-5934-4841-972F-C4E87A6D0C5C} - (no file)
backup-20071129-151402-453 O2 - BHO: (no name) - {5DBF0DD8-0CED-4DA2-BADC-FB12B65467FD} - (no file)
backup-20071129-151402-485 O2 - BHO: (no name) - {93578D0C-AA15-4D84-99A9-3CA1E629DB0F} - (no file)
backup-20071129-151402-513 O20 - Winlogon Notify: ddcddeb - ddcddeb.dll (file missing)
backup-20071129-151402-551 O2 - BHO: (no name) - {D42112DD-B60C-4917-B74A-0BAEBD2000A6} - (no file)
backup-20071129-151402-558 O2 - BHO: (no name) - {BC7F8050-21BB-41D5-A0B4-7CFF21F20C53} - (no file)
backup-20071129-151402-566 O2 - BHO: (no name) - {E954A517-178C-4E66-8E22-5783088B97D0} - (no file)
backup-20071129-151402-663 O2 - BHO: (no name) - {8F7BB305-A92D-4F69-83E3-E163D3EC0CC7} - (no file)
backup-20071129-151402-674 O2 - BHO: (no name) - {58D59E72-A545-44AB-B762-39EE8464A74B} - (no file)
backup-20071129-151402-752 O2 - BHO: (no name) - {9E412907-1D3E-46F5-8C65-777406AB7BEF} - (no file)
backup-20071129-151402-756 O2 - BHO: (no name) - {4AAA2DD4-0E07-4953-8E30-902947B411B6} - (no file)
backup-20071129-151402-849 O2 - BHO: (no name) - {80AAC286-66CF-47E9-AA6F-53AB71736CA6} - (no file)
backup-20071129-151402-889 O2 - BHO: (no name) - {AE3087B8-9B6F-4B82-939A-D2D41F6D8429} - (no file)
backup-20071129-151402-996 O2 - BHO: (no name) - {EA7C5ABA-2349-4FA1-8516-5370B4A9210C} - (no file)

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\WINDOWS\Icons\NewSilverSystem[1]\NewSilverSystem.icl,52
.inf - inffile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,69
.ini - inifile - DefaultIcon - C:\WINDOWS\Icons\NewSilverSystem[1]\NewSilverSystem.icl,49
.txt - txtfile - DefaultIcon - C:\WINDOWS\Icons\NewSilverSystem[1]\NewSilverSystem.icl,46


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 Asapi - c:\windows\system32\drivers\asapi.sys <Not Verified; VOB Computersysteme GmbH; asapi>
R1 SbcpHid - c:\windows\system32\drivers\sbcphid.sys
R3 catchme - c:\docume~1\hp_adm~1\locals~1\temp\catchme.sys (file missing)

S1 intelppm (Intel Processor Driver) - c:\windows\system32\drivers\intelppm.sys (file missing)
S2 AMON - c:\windows\system32\drivers\amon.sys <Not Verified; Eset; NOD32 Antivirus System>
S3 Fadpu16E - c:\docume~1\hp_adm~1\locals~1\temp\fadpu16e.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S2 NOD32krn (NOD32 Kernel Service) - "c:\program files\eset\nod32krn.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-11-24 21:41:19 644 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - HP_Administrator.job
2007-11-24 14:05:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-11-23 21:37:47 412 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job


-- Files created between 2007-10-29 and 2007-11-29 -----------------------------

2007-11-29 15:43:41 0 d-------- C:\Program Files\EsetOnlineScanner
2007-11-29 15:26:40 0 d-------- C:\WINDOWS\ERUNT
2007-11-28 20:47:58 0 d-------- C:\VundoFix Backups
2007-11-27 15:50:00 0 d--hs---- C:\Documents and Settings\HP_Administrator\Recent
2007-11-20 22:18:23 0 d-------- C:\Program Files\Trend Micro
2007-11-20 18:04:30 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-11-20 12:07:53 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2007-11-20 00:12:23 0 d-------- C:\Documents and Settings\HP_Administrator\.housecall6.6
2007-11-18 22:00:52 0 d-------- C:\Program Files\Lavasoft
2007-11-18 22:00:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-18 21:03:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-03 19:52:00 0 d-------- C:\Program Files\CCleaner
2007-11-02 07:37:20 72 --a------ C:\WINDOWS\system32\SYSTEM


-- Find3M Report ---------------------------------------------------------------

2007-11-29 11:35:53 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-28 10:05:11 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\U3
2007-11-20 19:16:47 0 d-------- C:\Program Files\Common Files
2007-11-20 18:50:08 0 d-------- C:\Program Files\Norton Internet Security
2007-11-20 18:47:50 0 d-------- C:\Program Files\Microsoft IntelliPoint
2007-11-20 18:47:19 0 d-------- C:\Program Files\iTunes
2007-11-20 18:39:50 0 d-a------ C:\Program Files\Common Files\LightScribe
2007-11-18 21:03:59 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-16 11:06:18 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\ATI
2007-11-13 21:39:40 196 --a------ C:\Documents and Settings\HP_Administrator\Application Data\G-Force Prefs (WindowsMediaPlayer).txt
2007-11-13 11:33:42 0 d-------- C:\Program Files\TuneUp Utilities 2007
2007-10-31 09:02:29 0 d-------- C:\Program Files\NoodleNet
2007-10-26 20:17:25 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\AdobeUM
2007-10-22 16:38:53 0 d-------- C:\Program Files\iColorFolder
2007-10-22 16:24:26 0 --a------ C:\WINDOWS\ativpsrm.bin
2007-10-22 16:07:54 0 d-------- C:\Program Files\Movie Maker
2007-10-20 22:38:11 0 d-------- C:\Program Files\iPod
2007-10-04 17:52:02 0 d-------- C:\Program Files\Symantec
2007-09-28 20:05:00 593920 --a------ C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4AAA2DD4-0E07-4953-8E30-902947B411B6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{58D59E72-A545-44AB-B762-39EE8464A74B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5DBF0DD8-0CED-4DA2-BADC-FB12B65467FD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{80AAC286-66CF-47E9-AA6F-53AB71736CA6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F7BB305-A92D-4F69-83E3-E163D3EC0CC7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{93578D0C-AA15-4D84-99A9-3CA1E629DB0F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E412907-1D3E-46F5-8C65-777406AB7BEF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE3087B8-9B6F-4B82-939A-D2D41F6D8429}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC7F8050-21BB-41D5-A0B4-7CFF21F20C53}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5a5689e-fab5-4517-890d-b5df7830e30a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D42112DD-B60C-4917-B74A-0BAEBD2000A6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E39D017A-5934-4841-972F-C4E87A6D0C5C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E954A517-178C-4E66-8E22-5783088B97D0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA7C5ABA-2349-4FA1-8516-5370B4A9210C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EBA6705E-C130-4CC6-AE21-9F6B64C202E6}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [08/17/2006 10:32 AM C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [08/17/2006 10:32 AM C:\WINDOWS\system32\CTXFIHLP.EXE]
"NortonAntiBot"="C:\Program Files\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe" [06/29/2007 07:40 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [06/04/2007 09:05 PM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [06/26/2007 12:00 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [09/26/2007 01:42 PM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [12/04/2005 04:39 PM]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [09/21/2005 12:41 PM]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [01/02/2006 04:41 PM]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [08/03/2005 02:19 AM C:\WINDOWS\arpwrmsg.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06/26/2007 02:56 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 05:24 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 07:00 AM]
"Norton Protection Center UI Stub"="C:\Program Files\Common Files\Symantec Shared\NPC\uiStub.exe" [07/06/2007 01:24 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/2007 04:46 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
LaunchU3.exe.lnk - C:\WINDOWS\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [10/6/2006 9:16:52 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcddeb]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Steam"=C:\Program Files\Valve\Steam\\Steam.exe -silent
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"UpdReg"=C:\WINDOWS\UpdReg.EXE
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"HPHUPD08"=c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
"KBD"=C:\HP\KBD\KBD.EXE
"ehTray"=C:\WINDOWS\ehome\ehtray.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2007-11-29 21:12:36 ------------



extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3800+
Percentage of Memory in Use: 49%
Physical Memory (total/avail): 1022.48 MiB / 514.47 MiB
Pagefile Memory (total/avail): 2362.95 MiB / 1933.34 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1917.87 MiB

C: is Fixed (NTFS) - 224.37 GiB total, 176.81 GiB free.
D: is Fixed (FAT32) - 8.5 GiB total, 1.13 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)

\\.\PHYSICALDRIVE0 - ST3250823AS - 232.88 GiB - 2 partitions
\PARTITION0 - Unknown - 8.51 GiB - D:
\PARTITION1 (bootable) - Installable File System - 224.37 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Norton Internet Security v2007 (Symantec Corporation)
AV: Norton Internet Security v2007 (Symantec Corporation) Disabled
AV: Eset NOD32 antivirus system 0.0 v0.0 (Eset) Disabled Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\HP_Administrator\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-4DACD0EA75
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\HP_Administrator
LOGONSERVER=\\YOUR-4DACD0EA75
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Program Files\ATI Technologies\ATI.ACE\;C:\Program Files\QuickTime\QTSystem\;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 47 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SonicCentral=c:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp
USERDOMAIN=YOUR-4DACD0EA75
USERNAME=HP_Administrator
USERPROFILE=C:\Documents and Settings\HP_Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

HP_Administrator (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\Sound Blaster X-Fi\Program\SETUP.EXE" /S /U /W
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {F80239D8-7811-4D5E-B033-0D0BBFE32920}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17E96A7F-AFE3-4171-87B1-583E376319E8}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{84F573D3-0F71-4768-978A-D35310E3FBA6}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{84F573D3-0F71-4768-978A-D35310E3FBA6}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{888347B3-AEC5-4BB5-8BAB-781D72A57C73}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{888347B3-AEC5-4BB5-8BAB-781D72A57C73}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88B1984E-36F0-47B8-B8DC-728966807A9C}\SETUP.EXE" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FBFF2411-D066-4D24-BCE0-893086009E1B}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FBFF2411-D066-4D24-BCE0-893086009E1B}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Reader Japanese Fonts --> MsiExec.exe /I{AC76BA86-7AD7-5760-0000-705000000001}
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Mobile Device Support --> MsiExec.exe /I{3EBD3749-304E-4A4C-9575-C00E5F015217}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ASAPI Update --> C:\PROGRA~1\VOB\ASAPIU~1\IWUNIN~1.EXE -uninstall C:\WINDOWS\ISUNINST.EXE -fC:\PROGRA~1\VOB\ASAPIU~1\ASAPI.isu
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{34566374-6C4D-419F-A9E0-8B21CA905FD8}
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HYDRAVISION --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{083F79E4-6FE9-46FB-A6C6-4F8862742947}\setup.exe"
ATI Problem Report Wizard --> MsiExec.exe /X{5DA6F06A-B389-407B-BF8C-1548767914D8}
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
Call of Duty® 2 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{D0A05794-48C2-4424-A15A-9F20FCFDD374} /l1033
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Creative Audio Console --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17E96A7F-AFE3-4171-87B1-583E376319E8}\setup.exe" -l0x9 /remove
Creative Software AutoUpdate --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88B1984E-36F0-47B8-B8DC-728966807A9C}\SETUP.EXE" -l0x9 /remove
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Customer Experience Enhancement --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{23012310-3E05-46A5-88A9-C6CBCABCAC79} /l1033
Data Fax SoftModem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1\HXFSETUP.EXE -U -IAsu200Ck.inf
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Enhanced Multimedia Keyboard Solution --> C:\HP\KBD\Install.exe /u
ESET Online Scanner --> C:\WINDOWS\system32\OnlineScannerUninstaller.exe
FL Studio 5 --> C:\Program Files\Image-Line\FLStudio5\uninstall.exe
GdiplusUpgrade --> MsiExec.exe /I{5421155F-B033-49DB-9B33-8F80F233D4D5}
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Boot Optimizer --> C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe /uninstall
HP Deskjet 6500 --> msiexec /x{3D50E33F-0DB8-4E3B-B75C-2B872A33D87B}
HP Deskjet Printer Preload --> MsiExec.exe /I{2C5D07FB-31A2-4F2D-9FDA-0B24ACD42BD0}
HP DigitalMedia Archive --> MsiExec.exe /I{F80239D8-7811-4D5E-B033-0D0BBFE32920}
HP Document Viewer 5.3 --> C:\Program Files\HP\Digital Imaging\DocumentViewer\hpzscr01.exe -datfile hpqbud04.dat
HP Game Console and games --> C:\Program Files\WildTangent\Apps\hpuninstall.exe
HP Image Zone 5.3 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Image Zone for Media Center PC --> c:\Program Files\HP\Digital Imaging\bin\mcpc\setupmcl.exe /u
HP Imaging Device Functions 5.3 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart 330,380,420,470,7800,8000,8200 Series --> C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\setup\hpzscr01.exe -d MsiRollbackUninstaller -datfile hphscr08.dat
HP Photosmart Cameras 5.0 --> C:\Program Files\HP\Digital Imaging\{C83A12B9-B31B-461A-BBD4-CE9B988094F1}\setup\hpzscr01.exe -datfile hpiscr01.dat
HP PSC & OfficeJet 5.3.A --> "C:\Program Files\HP\Digital Imaging\{3E386744-10FA-44b2-98C9-DF7A270DECB3}\setup\hpzscr01.exe" -datfile hposcr06.dat
HP PSC & OfficeJet 5.3.B --> "C:\Program Files\HP\Digital Imaging\{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}\setup\hpzscr01.exe" -datfile hposcr07.dat
HP Software Update --> MsiExec.exe /X{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}
HP Solution Center & Imaging Support Tools 5.3 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
iColorFolder --> C:\Program Files\iColorFolder\uninstall.exe
iDump Build: 24 --> C:\Program Files\iDump\uninst.exe
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
iPod for Windows 2006-01-10 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{3D047C15-C859-45F7-81CE-F2681778069B} /l1033
iPod for Windows 2006-03-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2070F79D-46BC-4EEA-8F02-9B4DCABAE7CB} /l1033
iTunes --> MsiExec.exe /I{B045B608-4A47-4C77-9EAD-06C394503306}
J2SE Runtime Environment 5.0 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150050}
LiveUpdate 3.0 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Magic 3D Coloring Book Amazing Animals --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM and Crayola\Amazing Animals\Uninst.isu"
Mah Jong Quest from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\538B9061-0C77-4FB2-903F-EC42A1FF5DD8\Uninstall.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Word Viewer 2003 --> MsiExec.exe /I{90850409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
MSRedist --> MsiExec.exe /I{B7C61755-DB48-4003-948F-3D34DB8EAF69}
MSXML4 Parser --> MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
NoodleNet --> "C:\WINDOWS\NoodleNet\uninstall.exe" "/U:C:\Program Files\NoodleNet\Uninstall\uninstall.xml"
Norton AntiBot --> MsiExec.exe /X{CBBEDD57-6E66-4497-9564-1ACA84054F1A}
Norton AntiVirus --> MsiExec.exe /X{830D8CBD-C668-49E2-A969-C2C2106332E0}
Norton Confidential Browser Component --> MsiExec.exe /I{4843B611-8FCB-4428-8C23-31D0A5EAE164}
Norton Confidential Web Protection Component --> MsiExec.exe /I{D353CC51-430D-4C6F-9B7E-52003DA1E05A}
Norton Internet Security --> MsiExec.exe /I{3672B097-EA69-4BFE-B92F-29AE6D9D2B34}
Norton Internet Security --> MsiExec.exe /I{48185814-A224-447A-81DA-71BD20580E1B}
Norton Internet Security --> MsiExec.exe /I{5AA2CD16-706F-41F3-87C5-2B5A031F2B3B}
Norton Internet Security --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Internet Security --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton Internet Security (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{5AA2CD16-706F-41F3-87C5-2B5A031F2B3B}_10_4_0_13\{5AA2CD16-706F-41F3-87C5-2B5A031F2B3B}.exe" /X
Norton Protection Center --> MsiExec.exe /I{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shooting Stars Pool from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\B2AA88B1-4920-462B-9F7C-019782B3C4DB\Uninstall.exe"
Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic MyDVD Plus --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Sound Blaster X-Fi --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{18F11181-EA1A-42AE-AF89-4867C7F7A6FA}\SETUP.EXE" -l0x9 /remove
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Steam™ --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Symantec Technical Support Web Controls --> MsiExec.exe /X{DDC63227-BA06-4855-B002-BDB49E9F677E}
Team Fortress 2 --> "C:\Program Files\Valve\Steam\steam.exe" steam://uninstall/440
Team Fortress 2 Dedicated Server --> "C:\Program Files\Valve\Steam\steam.exe" steam://uninstall/310
TuneUp Utilities 2007 --> MsiExec.exe /I{C8BB4912-12D9-42AE-B571-E580D8CD1B5B}
U3Launcher --> MsiExec.exe /I{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}
Updates from HP (remove only) --> C:\WINDOWS\HPCPCUninstall-9972322\HPBWSetup.exe -appid 9972322 -uninstall
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB925766 --> "C:\WINDOWS\$NtUninstallKB925766$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type20029 / Error
Event Submitted/Written: 11/29/2007 09:12:16 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type20028 / Error
Event Submitted/Written: 11/29/2007 09:12:16 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type20027 / Error
Event Submitted/Written: 11/29/2007 09:12:16 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type20026 / Error
Event Submitted/Written: 11/29/2007 09:12:16 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type20025 / Error
Event Submitted/Written: 11/29/2007 09:12:16 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2710 / Error
Event Submitted/Written: 11/29/2007 08:38:51 PM
Event ID/Source: 9 / atapi
Event Description:
The device, \Device\Ide\IdePort3, did not respond within the timeout period.

Event Record #/Type2665 / Error
Event Submitted/Written: 11/29/2007 03:36:25 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The NOD32 Kernel Service service failed to start due to the following error:
%%2

Event Record #/Type2664 / Error
Event Submitted/Written: 11/29/2007 03:36:25 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Media Center Extender Service service depends on the SSDP Discovery Service service which failed to start because of the following error:
%%1058

Event Record #/Type2663 / Error
Event Submitted/Written: 11/29/2007 03:36:25 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The AMON service failed to start due to the following error:
%%2

Event Record #/Type2659 / Error
Event Submitted/Written: 11/29/2007 03:25:49 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
AmdK8
eeCtrl
Fips
IPSec
MRxSmb
NetBIOS
NetBT
nod32drv
RasAcd
Rdbss
SbcpHid
SRTSP
SRTSPX
SYMTDI
Tcpip
WS2IFSL



-- End of Deckard's System Scanner: finished at 2007-11-29 21:12:36 ------------

#13 CalamityJane

CalamityJane

  • Security Colleague
  • 107 posts
  • Gender:Male
  • Local time:08:51 AM

Posted 29 November 2007 - 10:34 PM

You're doing really well. Problem is I think that the Spybot teatimer is still blocking some of the fixes we are trying to make here.

The active infections appear to be resolved and I'll go over this last log more in depth tomorrow when I'm more fresh (right now I've been staring at logs for something like 15 hours straight).

Let's see if we can get the more obvious entries fixed that remain.

1) Open Spybot-S&D
2) Go to the Mode menu and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.
...............
After the restart, open HijackThis and do a *system scan only*

When it finishes, checkmark these entries, then press the *fix checked* button:

O2 - BHO: (no name) - {4AAA2DD4-0E07-4953-8E30-902947B411B6} - (no file)

O2 - BHO: (no name) - {58D59E72-A545-44AB-B762-39EE8464A74B} - (no file)

O2 - BHO: (no name) - {5DBF0DD8-0CED-4DA2-BADC-FB12B65467FD} - (no file)

O2 - BHO: (no name) - {80AAC286-66CF-47E9-AA6F-53AB71736CA6} - (no file)

O2 - BHO: (no name) - {8F7BB305-A92D-4F69-83E3-E163D3EC0CC7} - (no file)

O2 - BHO: (no name) - {93578D0C-AA15-4D84-99A9-3CA1E629DB0F} - (no file)

O2 - BHO: (no name) - {9E412907-1D3E-46F5-8C65-777406AB7BEF} - (no file)

O2 - BHO: (no name) - {AE3087B8-9B6F-4B82-939A-D2D41F6D8429} - (no file)

O2 - BHO: (no name) - {BC7F8050-21BB-41D5-A0B4-7CFF21F20C53} - (no file)

O2 - BHO: (no name) - {c5a5689e-fab5-4517-890d-b5df7830e30a} - (no file)

O2 - BHO: (no name) - {D42112DD-B60C-4917-B74A-0BAEBD2000A6} - (no file)

O2 - BHO: (no name) - {E39D017A-5934-4841-972F-C4E87A6D0C5C} - (no file)

O2 - BHO: (no name) - {E954A517-178C-4E66-8E22-5783088B97D0} - (no file)

O2 - BHO: (no name) - {EA7C5ABA-2349-4FA1-8516-5370B4A9210C} - (no file)

O2 - BHO: (no name) - {EBA6705E-C130-4CC6-AE21-9F6B64C202E6} - (no file)

O20 - Winlogon Notify: ddcddeb - C:\WINDOWS\


After checkmarking those make sure you have pressed the *fix checked* button. If any of your security programs squeal or alert about changes to the registry during this procedure, please choose *allow* because these are changes we are making for the good :thumbsup:

When done, scan with HijackThis to make a log please. Post the new log back here.
Microsoft MVP Windows-Security 2003-2008
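As an added illustration of the triage behind the HijackThis fix list above (this is not code from the post, and not part of HijackThis itself), the Python below parses O2 BHO and O20 Winlogon Notify lines and flags the dead leftovers: a BHO whose target is "(no file)", or a Notify package whose target is a directory rather than a DLL. The sample lines are constructed; the first CLSID and the ddcddeb entry come from the post, while the second CLSID and the ExampleNotify entry are placeholders.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the HijackThis lines quoted in the post above.
# The first CLSID and the ddcddeb entry are copied from the post; the other
# CLSID and the ExampleNotify entry are placeholders, not values from a real machine.
SAMPLE_LOG = "\n".join([
    "O2 - BHO: (no name) - {4AAA2DD4-0E07-4953-8E30-902947B411B6} - (no file)",
    "O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll",
    "O20 - Winlogon Notify: ddcddeb - C:\\WINDOWS\\",
    "O20 - Winlogon Notify: ExampleNotify - C:\\WINDOWS\\system32\\examplenotify.dll",
    "O4 - HKLM\\..\\Run: [KBD] C:\\HP\\KBD\\KBD.EXE",
])

# O2 lines look like: "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)
# O20 lines look like: "O20 - Winlogon Notify: <subkey> - <dll path>"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")


@dataclass
class Entry:
    line: str
    section: str   # "O2" or "O20"
    name: str
    target: str
    verdict: str   # "orphan": DLL is gone; "no-dll": target is not a DLL; "review": needs a human


def classify(line: str) -> Optional[Entry]:
    """Classify one HijackThis line; returns None for sections this triage ignores."""
    m = O2_RE.match(line)
    if m:
        target = m.group("target").strip()
        # A BHO CLSID that is still registered but whose DLL is gone loads nothing;
        # it is a leftover of a component that has already been removed.
        verdict = "orphan" if target.lower() == "(no file)" else "review"
        return Entry(line, "O2", m.group("name"), target, verdict)
    m = O20_RE.match(line)
    if m:
        target = m.group("target").strip()
        # Winlogon loads a Notify package by DLL name; a bare directory (as with the
        # ddcddeb entry) names no loadable module. Heuristic, not a HijackThis rule.
        filename = ntpath.basename(target)
        verdict = "no-dll" if not filename.lower().endswith(".dll") else "review"
        return Entry(line, "O20", m.group("name"), target, verdict)
    return None


def triage(log_text: str) -> List[Entry]:
    """Parse every O2/O20 line of a HijackThis log into an Entry."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            entry = classify(line)
            if entry is not None:
                entries.append(entry)
    return entries


def fix_candidates(log_text: str) -> List[str]:
    """Lines the triage marks as dead leftovers, i.e. what you would 'fix checked'."""
    return [e.line for e in triage(log_text) if e.verdict in ("orphan", "no-dll")]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:<4} {e.verdict:<7} {e.name} -> {e.target}")
```

Entries marked "review" still need a human to confirm the DLL is legitimate; the script only separates the clearly dead entries from the rest.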

#14 n012

n012
  • Topic Starter

  • Members
  • 9 posts
  • Local time:08:51 AM

Posted 30 November 2007 - 02:18 AM

Sounds like you need a break before your eyeballs melt! I have been studying all night (finals next week) so I have not been able to do the new steps you outlined, but I will be able to complete them sometime in the early afternoon tomorrow after I get out of school! Have a good night/morning/day!

#15 CalamityJane

CalamityJane

  • Security Colleague
  • 107 posts
  • Gender:Male
  • Local time:08:51 AM

Posted 30 November 2007 - 10:06 AM

Ok, eyeballs rested and seeing much better now :thumbsup:

After reviewing the full log - go ahead with the *fix* using HijackThis. That will delete a number of now harmless but leftover entries in the registry.

Then you also need to do the following

(Re-enable your Norton Antivirus and Spybot teatimer if you are using that)

Also: Remove from Add/remove programs in the Control Panel this program:
J2SE Runtime Environment 5.0 Update 5 -
That is an outdated version and a security vulnerability

Your Sun Java is very out of date and a security vulnerability!

Old versions left on your pc, even after updating can be vulnerable to malware exploit. Go to Start / Control Panel and look in Add/Remove programs. Remove all old versions of Sun Java.
They will appear in the "J's" something similar to:

j2re1.4.2_05 or

JAVA 2 RUNTIME ENVIRONMENT SE V1.4.2_03

JAVA 2 RUNTIME ENVIRONMENT SE V.14.2_06

(or similar, and there may be more than one. Remove them all)

Then go get the latest up to date version here:
http://www.java.com/en/download/manual.jsp

Here's why removing old versions of Sun Java is important:
Potential Vulnerability with Sun Java auto update
http://www.dslreports.com/forum/remark,14738046

This is a vulnerability in that Sun Java new updated versions do not remove prior vulnerable versions. You will have to remember to do that manually whenever you update your Sun Java.
..............
Also - regarding this statement:

do have two kids who use this PC and so I think they may have been monkeying around

You really need to set up user accounts (Limited User) for the kids to use and not the Admin account. This will minimize your risk, because there are some serious nasties out there, and anyone running as Admin can jeopardize the entire system (and all your data) if a "mistake" is made.

I know you are tied up with your studying for finals, but bookmark this topic to refer back to; there are some things you need to do to better secure your computer.

See these links for additional information:
Teach Kids to be safe online visit:
http://www.bewebaware.ca/english/default.aspx

Microsoft Security At Home: Protect your family
Child safety
http://www.microsoft.com/canada/athome/sec...en/default.mspx

A parent's guide to online safety: Ages and stages
http://www.microsoft.com/canada/athome/sec...rentsguide.mspx

And this link will help you set up proper and safe user accounts for the kids to use:
A word about shared computers and networks.
Share Your PC
http://www.microsoft.com/windowsxp/using/s...hare/intro.mspx
Not all users need to have Admin Accounts. It is much safer to have most of your users on a shared system running as Limited User accounts. That way, if there is "an accident", it will only affect one user's account and not the entire system.
Microsoft MVP Windows-Security 2003-2008