
Infected With Trojan.vundo.dtj And Due.


  • This topic is locked
28 replies to this topic

#1 flatdeck


Posted 30 December 2007 - 03:46 AM

Hello,

At start-up two error messages appear: one is "cannot run C:\WINDOWS\system32\vtsqq.exe", the other is "error loading C:\WINDOWS\system32\qkailcxn.dll. Access is denied." Then HP Product Assistant tries installing and won't stop until the install disc is put in the DVD drive and run. The Spysweeper shortcut went 'nowhere'; Spysweeper no longer runs. QuickTime Player also doesn't respond. IE has many pop-ups.
I followed all the steps in the Preparation Guide, wow what an eye opener, cleaned everything best I could.

Thank you very much in advance.

Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:26 AM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\FreezeScreenSaver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weatheroffice.ec.gc.ca/city/pag...1_metric_e.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: load=C:\WINDOWS\system32\vtsqq.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Sunkist2k] "C:\Program Files\Multimedia Card Reader\shwicon2k.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [dcd7745d] rundll32.exe "C:\WINDOWS\system32\qkailcxn.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SfKg6wIPu] "C:\Documents and Settings\WILLIE\Application Data\Microsoft\Windows\nukkoa.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by128fd.bay128.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135745435500
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://merlin.telus.net/wizlet/Qualifier/s...flowActiveX.CAB
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Unknown owner - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe (file missing)

--
End of file - 9287 bytes


#2 RichieUK

  • Malware Response Team

Posted 05 January 2008 - 09:10 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, flatdeck.
My name is Richie and I'll be helping you to fix your problems.

Apologies for the late response; as I'm sure you can appreciate, we are snowed under with logs.

If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could render your system/PC inoperable.

Now download ComboFix and save it to your desktop:
Note
It is important that it is saved directly to your desktop.

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your antivirus or any other real-time scanner is displaying an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
Some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.

Now go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on HijackThis.exe and select 'Rename'; rename it to abc.bat.
Double click on abc.bat (which is still HijackThis.exe) and post that log into your next reply please.

#3 flatdeck

  • Topic Starter

Posted 05 January 2008 - 11:43 AM

Hi Richie, thank you for your help.
Here are the logs you requested; I hope I did the HJT log correctly.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:08 AM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\FreezeScreenSaver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weatheroffice.ec.gc.ca/city/pag...1_metric_e.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A083F893-542F-44C0-B843-68DD131945AB} - C:\WINDOWS\system32\vtsqq.dll (file missing)
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Sunkist2k] "C:\Program Files\Multimedia Card Reader\shwicon2k.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [dcd7745d] rundll32.exe "C:\WINDOWS\system32\qkailcxn.dll",b
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SfKg6wIPu] "C:\Documents and Settings\WILLIE\Application Data\Microsoft\Windows\nukkoa.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by128fd.bay128.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135745435500
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://merlin.telus.net/wizlet/Qualifier/s...flowActiveX.CAB
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Unknown owner - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe (file missing)

--
End of file - 9331 bytes


ComboFix 08-01-05.8 - WILLIE 2008-01-05 8:22:57.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.643 [GMT -8:00]
Running from: C:\Documents and Settings\WILLIE\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\bhhcyava.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-05 08:05 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-03 19:41 . 2008-01-03 21:43 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-01-02 21:07 . 2008-01-02 21:07 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-12-30 16:17 . 2008-01-02 21:07 <DIR> d-------- C:\VundoFix Backups
2007-12-30 00:16 . 2007-12-30 00:16 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-29 21:03 . 2007-12-29 21:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-29 17:57 . 2007-12-29 17:57 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-29 17:57 . 2007-12-29 17:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-29 17:56 . 2007-12-29 17:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-28 21:15 . 2007-12-31 22:39 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-12-28 20:46 . 2007-12-28 20:46 <DIR> d-------- C:\Program Files\Java
2007-12-28 20:46 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-28 20:45 . 2007-12-28 20:45 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-28 19:39 . 2008-01-04 20:02 <DIR> d-------- C:\Documents and Settings\WILLIE\Application Data\U3
2007-12-26 17:04 . 2007-12-26 17:06 71,181 --a------ C:\WINDOWS\hpqins06.dat
2007-12-26 16:48 . 2007-12-26 16:48 <DIR> d-------- C:\Program Files\Common Files\HP
2007-12-26 16:13 . 2007-12-26 16:13 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-12-26 16:13 . 2007-12-26 16:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-12-26 16:13 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-12-26 16:13 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-12-26 16:13 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-12-26 16:13 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-12-26 16:13 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-12-26 16:07 . 2007-12-26 16:07 <DIR> d-------- C:\Program Files\Webroot
2007-12-26 16:07 . 2007-12-26 16:07 <DIR> d-------- C:\Documents and Settings\WILLIE\Application Data\Webroot
2007-12-26 14:48 . 2007-12-26 14:48 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-12-26 14:24 . 2007-12-26 14:45 112,885 --a------ C:\WINDOWS\hpoins07.dat
2007-12-26 14:24 . 2005-05-23 22:52 21,124 --------- C:\WINDOWS\hpomdl07.dat
2007-12-25 19:39 . 2007-12-26 13:07 <DIR> d-------- C:\Program Files\Best_Security_Tips
2007-12-25 19:38 . 2007-12-25 19:38 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-12-25 18:03 . 2008-01-03 21:38 <DIR> d-------- C:\Documents and Settings\WILLIE\Application Data\WinButler

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 05:48 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-04 05:38 --------- d-----w C:\Program Files\Freeze.com
2008-01-03 03:38 --------- d-----w C:\Documents and Settings\WILLIE\Application Data\MSN6
2007-12-27 00:48 --------- d-----w C:\Program Files\HP
2007-12-27 00:12 164 ----a-w C:\install.dat
2007-12-26 22:05 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-12-26 03:42 --------- d-----w C:\Program Files\Winamp
2007-12-26 03:42 --------- d-----w C:\Program Files\QuickTime
2007-12-26 03:42 --------- d-----w C:\Program Files\Multimedia Card Reader
2007-12-03 01:55 --------- d-----w C:\Documents and Settings\WILLIE\Application Data\Roxio
2007-11-30 04:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-30 04:20 --------- d-----w C:\Program Files\Norton AntiVirus
2007-11-30 04:18 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-30 04:18 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-11-30 04:18 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-30 04:18 --------- d-----w C:\Program Files\Symantec
2007-11-29 05:34 --------- d-----w C:\Documents and Settings\WILLIE\Application Data\AdobeUM
2007-11-19 03:10 --------- d--h--r C:\Documents and Settings\WILLIE\Application Data\SecuROM
2007-11-19 02:40 --------- d-----w C:\Program Files\Electronic Arts
2007-11-19 02:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-19 02:29 --------- d-----w C:\Program Files\Call of Duty
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 04:14 --------- d-----w C:\Program Files\Activision
2007-11-05 03:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-10-25 18:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-01-22 20:44 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2005-01-30 04:18 162 ----a-w C:\Documents and Settings\WILLIE\Application Data\tvmdmns.dll
2005-01-28 04:43 28 ----a-w C:\Documents and Settings\CHILDREN\Application Data\tvmcwrd.dll
2005-01-28 04:43 176 ----a-w C:\Documents and Settings\CHILDREN\Application Data\tvmdmns.dll
2004-12-26 04:37 457 -c--a-w C:\Program Files\INSTALL.LOG
2002-09-11 14:26 63,730 -c--a-w C:\Program Files\viewsonicinstruct_xp.pdf
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A083F893-542F-44C0-B843-68DD131945AB}]
C:\WINDOWS\system32\vtsqq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"SfKg6wIPu"="C:\Documents and Settings\WILLIE\Application Data\Microsoft\Windows\nukkoa.exe" [ ]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CHotkey"="zHotkey.exe" [2003-06-03 11:01 496640 C:\WINDOWS\zHotkey.exe]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [ ]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [ ]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-10-04 17:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-13 23:11 771704]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-03 23:56 33280 C:\WINDOWS\system32\rundll32.exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [ ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"dcd7745d"="C:\WINDOWS\system32\qkailcxn.dll" [ ]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe


.
Contents of the 'Scheduled Tasks' folder
"2008-01-01 05:16:34 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - WILLIE.job"
- C:\Program Files\Norton AntiVirus\Navw32.exe
"2007-12-26 22:45:51 C:\WINDOWS\Tasks\WebReg psc 1500 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 08:28:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-05 8:31:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-05 16:30:29
ComboFix2.txt 2008-01-05 16:17:54
.
2007-12-21 05:01:16 --- E O F ---


I had to re-run ComboFix, as Norton would display an alert the first time I ran it.

#4 RichieUK

  • Malware Response Team

Posted 05 January 2008 - 11:53 AM

Temporarily disable SpySweeper or it will interfere:

* Open Spy Sweeper and click on Options > Program Options and uncheck "load at windows startup".
* On the left click "shields" and then uncheck everything there.
* Uncheck "home page shield".
* Uncheck "automatically restore default without notification".
* Exit the program.
* (When we are done, you can re-enable it using the same steps but this time reverse them.)


Please download OTMoveIt by OldTimer and save it to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\VundoFixSVC.exe
C:\VundoFix Backups
C:\Documents and Settings\WILLIE\Application Data\WinButler
C:\Program Files\Freeze.com


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.
Do not run it just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {A083F893-542F-44C0-B843-68DD131945AB} - C:\WINDOWS\system32\vtsqq.dll (file missing)
O4 - HKLM\..\Run: [dcd7745d] rundll32.exe "C:\WINDOWS\system32\qkailcxn.dll",b
O4 - HKCU\..\Run: [SfKg6wIPu] "C:\Documents and Settings\WILLIE\Application Data\Microsoft\Windows\nukkoa.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://merlin.telus.net/wizlet/Qualifier/s...flowActiveX.CAB
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe

Exit Hijackthis.

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer, when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log, let me know how your pc is running now.

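As an added example, not code from this thread, from HijackThis or from any tool the helper used: the triage a helper does by eye on the fix list above, written as a small Python script. It parses the O2/O4/O23 lines quoted in this thread and flags what the helper keyed on: stale "(file missing)" references, the rundll32 loader for a system32 DLL with a one-letter export, random-looking Run-key names, and an autostart living under the user's Application Data. The sample log is constructed from lines in this thread, with two legitimate entries (NvCplDaemon, ccApp) added to show the heuristics stay quiet; the flag names and the thresholds in `looks_random` are my own assumptions, and a hit is a reason to look closer at the file, not a verdict.

```python
"""Triage of HijackThis-style log entries (added example, not from the thread).

Reads O2/O4/O23 lines as a forum helper would and flags the patterns this
thread turns on: stale "(file missing)" references, a rundll32 loader for a
system32 DLL with a stub export (the Vundo pattern in the fix list),
random-looking Run-key names, and autostarts living under the user profile.
Heuristics only; each hit is a reason to inspect the file before removal.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: entries quoted from the logs in this thread plus two
# legitimate lines (NvCplDaemon, ccApp) to show the heuristics stay quiet.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {A083F893-542F-44C0-B843-68DD131945AB} - C:\WINDOWS\system32\vtsqq.dll (file missing)
O4 - HKLM\..\Run: [dcd7745d] rundll32.exe "C:\WINDOWS\system32\qkailcxn.dll",b
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SfKg6wIPu] "C:\Documents and Settings\WILLIE\Application Data\Microsoft\Windows\nukkoa.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Unknown owner - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe (file missing)
"""

ENTRY_RE = re.compile(r"^([OR]\d+)\s+-\s+(.*)$")
# HKLM\..\Run: [name] command
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run:\s*\[([^\]]*)\]\s*(.*)$")
# rundll32.exe "path\to\x.dll",Export   (quotes optional, export optional)
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)"?\s*(?:,\s*(\S*))?', re.I)


@dataclass
class Finding:
    section: str
    body: str
    flags: list = field(default_factory=list)


def parse_entries(text):
    """Yield (section, body) for every HJT entry line; other lines are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def looks_random(name):
    """Heuristic (assumed thresholds): an 8-char hex blob, or a digit plus many case flips."""
    if re.fullmatch(r"[0-9a-f]{8}", name):
        return True
    if not any(c.isdigit() for c in name):
        return False
    flips = sum(
        1 for a, b in zip(name, name[1:])
        if a.isalpha() and b.isalpha() and a.isupper() != b.isupper()
    )
    return flips >= 3


def in_user_profile(command):
    """Autostart target sits under a profile's Application Data / Local Settings."""
    low = command.lower()
    return "\\documents and settings\\" in low and (
        "\\application data\\" in low or "\\local settings\\" in low
    )


def triage(text):
    """Return a Finding for every entry that trips at least one heuristic."""
    findings = []
    for section, body in parse_entries(text):
        flags = []
        if body.lower().endswith("(file missing)"):
            flags.append("file-missing")
        if section == "O4":
            m = RUN_RE.match(body)
            if m:
                _hive, name, command = m.groups()
                if looks_random(name):
                    flags.append("random-run-name")
                r = RUNDLL_RE.match(command)
                # Vundo-style loader: system32 DLL called through a stub export (",b")
                if r and "\\system32\\" in r.group(1).lower() and len(r.group(2) or "") <= 2:
                    flags.append("rundll32-system32-stub-export")
                if in_user_profile(command):
                    flags.append("autostart-in-user-profile")
        if flags:
            findings.append(Finding(section, body, flags))
    return findings


def flags_for(findings, needle):
    """Flags of the first finding whose body contains needle, or None."""
    for f in findings:
        if needle in f.body:
            return f.flags
    return None


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {', '.join(f.flags)}\n    {f.body}")
```

Run against the constructed sample it reports four entries (the missing vtsqq.dll BHO, the dcd7745d rundll32 loader, the SfKg6wIPu autostart in Application Data, and the missing Spy Sweeper service binary) and says nothing about the NVIDIA and Symantec lines; the export-length check is what separates the `,b` loader from the legitimate `NvCpl.dll,NvStartup` entry on the same log.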

#5 flatdeck

flatdeck
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:56 AM

Posted 05 January 2008 - 03:53 PM

Here's the OTMoveIt report. I couldn't disable Spysweeper as I can't run/access the program, there's no icon on the desktop and no way to run it from Program Files.

[Manual Searches]
< C:\WINDOWS\system32\VundoFixSVC.exe >
File/Folder C:\WINDOWS\system32\VundoFixSVC.exe not found.
< C:\VundoFix Backups >
File/Folder C:\VundoFix Backups not found.
< C:\Documents and Settings\WILLIE\Application Data\WinButler >
File/Folder C:\Documents and Settings\WILLIE\Application Data\WinButler not found.
< C:\Program Files\Freeze.com >
File/Folder C:\Program Files\Freeze.com not found.

OTMoveIt2 v1.0.5 log created on 01052008_124743

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:05:56 PM

Posted 05 January 2008 - 04:05 PM

Carry on with the remaining steps please.

#7 flatdeck

flatdeck
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:56 AM

Posted 05 January 2008 - 05:18 PM

So after all that there are no more error messages on start up, but Spysweeper is still inoperable and QuickTime player doesn't work. Maybe it will take an uninstall and reinstall? While checking things out Norton AV had an error 'Auto Protect experienced an unexpected error. 0x000003EE'. I followed the link to Symantec and followed the instructions for an Auto Fix tool, rebooted and Norton appears OK at this time.

Anyway, here are the logs you requested.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:11:21 PM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weatheroffice.ec.gc.ca/city/pag...1_metric_e.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Sunkist2k] "C:\Program Files\Multimedia Card Reader\shwicon2k.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by128fd.bay128.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135745435500
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Unknown owner - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe (file missing)

--
End of file - 8860 bytes


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/05/2008 at 01:48 PM

Application Version : 3.9.1008

Core Rules Database Version : 3374
Trace Rules Database Version: 1369

Scan type : Complete Scan
Total Scan Time : 00:41:20

Memory items scanned : 444
Memory threats detected : 0
Registry items scanned : 7278
Registry threats detected : 4
File items scanned : 37097
File threats detected : 260

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{530631D6-670F-4186-9361-D6B640A8869C}
HKCR\CLSID\{530631D6-670F-4186-9361-D6B640A8869C}
HKCR\CLSID\{530631D6-670F-4186-9361-D6B640A8869C}\InprocServer32
HKCR\CLSID\{530631D6-670F-4186-9361-D6B640A8869C}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\AWTQO.DLL

Adware.Tracking Cookie
C:\Documents and Settings\CORREANA\Cookies\correana@1.affiliateclicks[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@3.adbrite[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@ad.103092804[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@ad.zanox[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@adbrite[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@adcentriconline[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@adinterax[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@adopt.specificclick[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@ads.addesktop[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@ads.bridgetrack[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@ads.cnn[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@ads.monster[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@ads.mytelus[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@ads.pr[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@ads.ratingz[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@ads.uknetguide.co[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@ads1.bigrradio[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@ads1.rodale[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@adserver.petpeoplesplace[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@adultcheck[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@adult[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@adv.medscape[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@adv.webmd[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@advertising[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@advertising[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@aj.petfinder[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@apmebf[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@atdmt[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@atdmt[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@banner.monacogoldcasino[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@banner.reciperewards[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@brightcove.112.2o7[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@casalemedia[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@cbcnewmedia.112.2o7[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@chokertraffic[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@citi.bridgetrack[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@clickaider[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@clickwatchwin[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@coreg.azoogleads[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@counter.cnw[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@cpvfeed[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@date.ventivmedia[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@doubleclick[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@doubleclick[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@ecnext.advertserve[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@ehg-aarp.hitbox[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@ehg-aha.hitbox[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@ehg-chrysler.hitbox[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@ehg-financialaid.hitbox[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@ehg-foxsports.hitbox[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@ehg-hillspet.hitbox[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@ehg-meandaur.hitbox[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@ehg-mybc.hitbox[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@ehg-nestlepurinapetcare.hitbox[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@ehg-rodale.hitbox[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@ehg-thomsonhealthcareinc.hitbox[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@enhance[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@fastclick[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@femaleadvantage[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@findaperson.canada-411[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@findaperson.canada411[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@findghostpicture[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@findlinks.addresses[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@focalex[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@hitbox[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@hurricanedigitalmedia[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@interclick[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@kanoodle[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@keywordmax[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@linksynergy[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@lynxtrack[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@m1.webstats4u[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@medhelpinternational.112.2o7[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@msnaccountservices.112.2o7[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@msnportal.112.2o7[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@oddcast[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@pacificpoker[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@partner2profit[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@phg.hitbox[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@regalinteractive[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@register.screensaver[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@richmedia.yahoo[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@sales.liveperson[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@server2.mediatakeout[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@socialmedia[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@specificclick[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@stats.channel4[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@tacoda[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@track.searchignite[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@tracking.mos[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@v7.stats.load[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@valueclick[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@vhost.oddcast[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@www.adtrak[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@www.bigfreepornmovies[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@www.burstbeacon[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@www.burstnet[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@www.clickmanage[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@www.clickxchange[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@www.destinationadult[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@www.fatpenguinmedia[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@www.gmbtrack[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@www.bleepbot[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@www.popundersupply[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@www.sexy-photos[1].txt
C:\Documents and Settings\CORREANA\Cookies\correana@www.twilightsex[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@www.windowsmedia[2].txt
C:\Documents and Settings\CORREANA\Cookies\correana@ylwbook.findlinks.addresses[1].txt

EC.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E10.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E11.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E12.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E125.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E127.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E13.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E14.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E15.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E16.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E17.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E18.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E19.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E1A.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E1B.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E1C.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E1D.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E1E.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E1F.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E2.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E20.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E21.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E22.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E23.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E24.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E25.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E26.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E27.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E28.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E29.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E2A.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E2B.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E2C.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E2D.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E2E.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E2F.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E3.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E30.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E31.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E32.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E33.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E34.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E35.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E36.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E37.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E38.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E39.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E3A.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E3B.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E3C.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E3D.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E3E.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E3F.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E4.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E40.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E41.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E42.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E43.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E44.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E45.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E46.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E47.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E48.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E49.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E4A.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E4B.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E4C.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E4D.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E4E.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E4F.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E5.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E50.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E51.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E52.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E53.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E54.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E55.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E56.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E6.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E65.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E66.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E6D.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E6E.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E7.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E72.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E73.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E74.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E75.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E76.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E77.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E78.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E79.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E7B.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E7C.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E7D.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E7E.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E7F.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E8.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E80.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E81.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E82.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E83.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E84.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E85.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E86.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E87.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E9.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E94.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E95.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E96.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E97.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E98.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E99.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E9A.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\E9B.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\EA.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\EA0.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\EA1.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\EA2.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\EA3.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\EA4.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\EA6.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\EA7.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\EA8.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\EAB.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\EB.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\EB3.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\EC.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\EC3.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\EC9.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\ECD.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\ECE.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\ED.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\ED3.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\ED4.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\ED8.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\ED9.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\EDA.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\EDB.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\EDC.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\EDF.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\EE.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\EE0.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\EE1.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\EE2.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\EE5.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\EE9.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\EF.TMP
C:\DOCUMENTS AND SETTINGS\CORREANA\LOCAL SETTINGS\TEMP\EFD.TMP

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{14E389F5-500C-4C8F-BE9D-3036669180B8}\RP3\A0000007.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{14E389F5-500C-4C8F-BE9D-3036669180B8}\RP3\A0000009.DLL

Adware.Vundo-Variant/Small
C:\SYSTEM VOLUME INFORMATION\_RESTORE{14E389F5-500C-4C8F-BE9D-3036669180B8}\RP3\A0000008.DLL

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:56 PM

Posted 05 January 2008 - 07:05 PM

Download RenV.exe to your desktop, double click to run it:
http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe
When it's finished it will produce a Log.
Please post the contents of that Log into your next reply.

#9 flatdeck

flatdeck
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:56 AM

Posted 05 January 2008 - 09:06 PM

Here you go.

Ran on Sat 01/05/2008 - 18:02:50.34

 Entries:				0  (0)
 Directories:			0  Files:			 0
 Bytes:				  0  Blocks:			0


#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:56 PM

Posted 05 January 2008 - 09:17 PM

Spysweeper is still inoperable


Try downloading and reinstalling the program over the present install:
http://www.webroot.com/shoppingcart/tryme....&vcode=DT14

Quick time player doesn't work.

Again try downloading and reinstalling the program over the present install:
http://www.apple.com/quicktime/download/

Do the following first:

Your log is clean:

Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press Ok.

Please double-click OTMoveIt.exe again to run it.
Click on the 'Cleanup' button.
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
Restart your pc when prompted.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

You should take the time to read and follow the information found in the links below, to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm

Edited by RichieUK, 05 January 2008 - 09:19 PM.


#11 flatdeck

flatdeck
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:56 AM

Posted 05 January 2008 - 09:38 PM

Richie, that's great news that the log is clean. But I logged onto my wife's and kids' accounts and the error windows appear!! I thought that when a scan is performed it scans the whole machine! What should I do next? I have NOT performed any of the actions from your last post...yet.

I did the QuickTime player download and it works fine and dandy now. :thumbsup:

I also noticed that Windows Messenger doesn't work, same with my wife's hotmail account, and she says WordPerfect acts very strange (haven't verified proper operation, or not, yet).

Sorry about all the late info, I'm definitely a newbie.

Edited by flatdeck, 05 January 2008 - 10:43 PM.


#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:56 PM

Posted 06 January 2008 - 05:17 AM

I have NOT performed any of the actions from your last post...yet.

I suggest you do that now.

But I logged onto my wife and kids accounts and the error windows appear!!
I thought that when a scan is performed it scans the whole machine !

You are the system administrator aren't you, you were logged on as administrator when running SuperAntiSpyware!!

Make sure you're logged on as administrator, then do the following:

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.

Now run AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

1) Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

2) Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you've done, then restart your pc.

#13 flatdeck

flatdeck
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:56 AM

Posted 06 January 2008 - 03:56 PM

My account (and the wife's) are administrator accounts and all actions were performed from my account. I will follow all of your instructions and post the info in my next reply.

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:56 PM

Posted 06 January 2008 - 06:17 PM

Ok, thanks for the update.

#15 flatdeck

flatdeck
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:56 AM

Posted 06 January 2008 - 09:05 PM

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:00:22 PM 1/6/2008

+ Scan result:



:mozilla.6:C:\Documents and Settings\WILLIE\Application Data\Mozilla\Profiles\default\v2gsbt0u.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.7:C:\Documents and Settings\WILLIE\Application Data\Mozilla\Profiles\default\v2gsbt0u.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\WILLIE\Cookies\willie@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.


::Report end


Here you go.
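The detections quoted in this thread fall into a few distinct places on disk: the SUPERAntiSpyware log earlier lists Vundo DLLs archived inside System Volume Information restore points (which is why the advice above is to create a fresh restore point and then purge the old ones) and files in a per-user Temp folder, while the AVG Anti-Spyware report here lists only tracking cookies under a different user profile. The following Python is an added example, not part of the thread and not code from BleepingComputer or any vendor tool; it parses both log shapes seen in this topic and groups the hits by location and by user profile, so the matching clean-up step for each group is clear. The function names, the bucket labels and the "Example.Placeholder-Category" heading in the constructed sample are my own assumptions; the paths themselves are the ones quoted in the thread.

```python
"""Triage scan-log detections by where they live on disk.

Added example (not part of the thread or of any vendor tool). It parses the two
log shapes quoted in this topic:
  * SUPERAntiSpyware style: a detection-name line followed by one path per line
  * AVG Anti-Spyware style:  "<path> -> <Detection> : <Action>."
and groups hits by location so the remediation step that matches each group
(purge old restore points, clear per-user temp, delete cookies) is obvious.
"""
import re
from collections import defaultdict

# Constructed sample in the SUPERAntiSpyware shape. Paths are copied from this
# thread; the last category name is a constructed placeholder, not a real label.
SAS_SAMPLE = """\
Adware.Vundo-Variant
C:\\SYSTEM VOLUME INFORMATION\\_RESTORE{14E389F5-500C-4C8F-BE9D-3036669180B8}\\RP3\\A0000007.DLL
C:\\SYSTEM VOLUME INFORMATION\\_RESTORE{14E389F5-500C-4C8F-BE9D-3036669180B8}\\RP3\\A0000009.DLL

Adware.Vundo-Variant/Small
C:\\SYSTEM VOLUME INFORMATION\\_RESTORE{14E389F5-500C-4C8F-BE9D-3036669180B8}\\RP3\\A0000008.DLL

Example.Placeholder-Category
C:\\DOCUMENTS AND SETTINGS\\CORREANA\\LOCAL SETTINGS\\TEMP\\EA1.TMP
C:\\DOCUMENTS AND SETTINGS\\CORREANA\\LOCAL SETTINGS\\TEMP\\EA2.TMP
"""

# Constructed sample in the AVG Anti-Spyware report shape (lines from this thread).
AVG_SAMPLE = """\
:mozilla.6:C:\\Documents and Settings\\WILLIE\\Application Data\\Mozilla\\Profiles\\default\\v2gsbt0u.slt\\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.7:C:\\Documents and Settings\\WILLIE\\Application Data\\Mozilla\\Profiles\\default\\v2gsbt0u.slt\\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\\Documents and Settings\\WILLIE\\Cookies\\willie@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.
"""

WIN_PATH = re.compile(r"^[A-Za-z]:\\")
# Optional ":mozilla.N:" prefix, then "<path> -> <name> : <action>."
AVG_LINE = re.compile(
    r"^(?::mozilla\.\d+:)?(?P<path>[A-Za-z]:\\.*?) -> (?P<name>\S+) : (?P<action>\w+)\.?$"
)
USER_RE = re.compile(r"\\documents and settings\\([^\\]+)\\", re.IGNORECASE)


def parse_sas(text):
    """Return [(detection, path)] from a SUPERAntiSpyware-style log."""
    hits, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            current = None          # a blank line ends the current category
        elif WIN_PATH.match(line):
            if current:
                hits.append((current, line))
        else:
            current = line          # a non-path line names the next category
    return hits


def parse_avg(text):
    """Return [(detection, path, action)] from an AVG Anti-Spyware report."""
    hits = []
    for line in text.splitlines():
        m = AVG_LINE.match(line.strip())
        if m:
            hits.append((m["name"], m["path"], m["action"]))
    return hits


def classify(path):
    """Bucket a path by the clean-up step it calls for (labels are my own)."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"      # archived copy: purge old restore points
    if "\\local settings\\temp\\" in p:
        return "user_temp"          # per-user temp: Disk Cleanup / delete
    if "\\cookies\\" in p or p.endswith("cookies.txt"):
        return "cookie"             # tracking cookie: delete, low risk
    if "\\windows\\" in p:
        return "system"             # live system file: needs proper removal
    return "other"


def profile_user(path):
    """User profile a path belongs to, or None for machine-wide locations."""
    m = USER_RE.search(path)
    return m.group(1).lower() if m else None


def triage(hits):
    """Summarise (detection, path) pairs: count per bucket, affected profiles."""
    buckets = defaultdict(int)
    users = set()
    for _name, path in hits:
        buckets[classify(path)] += 1
        user = profile_user(path)
        if user:
            users.add(user)
    return {"buckets": dict(buckets), "users": sorted(users)}


if __name__ == "__main__":
    sas = parse_sas(SAS_SAMPLE)
    avg = [(name, path) for name, path, _action in parse_avg(AVG_SAMPLE)]
    print(triage(sas + avg))
```

Running it on the constructed samples reports three hits under restore points, two in a user Temp folder and three cookies, spread over the two user profiles named in the logs. The restore-point bucket is the one worth watching: those copies are inert until someone rolls the system back, which is exactly what the "delete all but the most recent restore point" step above prevents, and the per-profile list is a quick way to confirm that every account on a shared family machine has been looked at, not only the one the scan was run from.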



