
Dropper.agent.dgo, Vundo


22 replies to this topic

#1 +duracell-


Posted 01 January 2008 - 03:40 PM

I can only boot in safe mode. If I try to boot normally, processes slow to a halt.

Spybot comes up clean.
AVG found a trace of Dropper.Agent.dgo but I can't seem to get rid of it.
I think I still have some remnants of Vundo also.
Here is my HJT log; any help would be appreciated.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:29:38 PM, on 1/1/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [Corel Painter Essentials 21a] C:\Program Files\Corel\Corel Painter Essentials 2\registration .exe /title="Corel Painter Essentials 2" /date=010808 serial=PE02CBX-0000003-NMD lang=EN
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160051006296
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 5844 bytes



#2 +duracell-


Posted 01 January 2008 - 05:19 PM

Also, if I try to run Ad-Aware 2007 I get an Application Error:
"Exception EAccessViolation in module Ad-Aware2007.exe at 001C852C."

If I try to uninstall Ad-Aware through Add/Remove programs, I am told the
Windows Installer Service cannot be accessed since I am in safe mode.

#3 +duracell-


Posted 02 January 2008 - 08:25 AM

Now I can boot up normally. I tried to sort through what I had running at startup with Spybot instead of msconfig. I enabled some things that I had previously disabled, but I am not sure what did it. I think my system speed is back to normal, but I still can't uninstall programs (Ad-Aware, BitDefender still show up, etc.). Also, I keep getting timed out after about 5 minutes of internet use. Here is a new HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:57 AM, on 1/2/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HijackThis\Fluffybunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 1.1.4.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.exe.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Adobe Reader Synchronizer.lnk.disabled
O4 - Global Startup: Daily Motivator.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160051006296
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 5864 bytes


#4 +duracell-


Posted 12 January 2008 - 01:01 PM

Update: It seems as if I keep busy online (like via a Kaspersky scan) I won't time out.
So here is what that found:

------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, January 12, 2008 11:52:28 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/01/2008
Kaspersky Anti-Virus database records: 508826
------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 66608
Number of viruses found: 3
Number of infected objects: 18
Number of suspicious objects: 0
Duration of the scan process: 00:58:50

Infected Object Name / Virus Name / Last Action*
C:\Documents and Settings\Administrator\Desktop\catchme.zip/jkhfe.dll
Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Desktop\catchme.zip ZIP: infected - 1 skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Lori\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Lori\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Lori\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Lori\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Lori\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Lori\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Lori\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Lori\Local Settings\History\History.IE5\MSHist012008011220080113\index.dat Object is locked skipped
C:\Documents and Settings\Lori\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Lori\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Lori\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Lori\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\qoobox\Quarantine\catchme2007-12-28_143802.98.zip/jkhfe.dll Infected: Virus.Win32.Trats.d skipped
C:\qoobox\Quarantine\catchme2007-12-28_143802.98.zip ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-2108790148-3810616182-155502530-1007\Dc4\backups\backup-20071228-232248-328.dll Infected: Virus.Win32.Trats.d skipped
C:\RECYCLER\S-1-5-21-2108790148-3810616182-155502530-1007\Dc4\backups\backup-20071228-232339-705.dll Infected: Virus.Win32.Trats.d skipped
C:\RECYCLER\S-1-5-21-2108790148-3810616182-155502530-1007\Dc4\backups\backup-20071228-232553-831.dll Infected: Virus.Win32.Trats.d skipped
C:\RECYCLER\S-1-5-21-2108790148-3810616182-155502530-1007\Dc4\backups\backup-20071229-201826-468.dll Infected: Virus.Win32.Trats.d skipped
C:\RECYCLER\S-1-5-21-2108790148-3810616182-155502530-1007\Dc4\backups\backup-20071230-084717-595.dll Infected: Virus.Win32.Trats.d skipped
C:\RECYCLER\S-1-5-21-2108790148-3810616182-155502530-1007\Dc4\backups\backup-20080101-013205-572.dll Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000435.dll Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000693.dll Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7\change.log Object is locked skipped
C:\VundoFix Backups\jkhfe.dll.bad Infected: Virus.Win32.Trats.d skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.idx Object is locked skipped
C:\WINDOWS\SYSTEM32\vtuurrs.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped

Scan process completed.

#5 +duracell-


Posted 14 January 2008 - 10:46 AM

It doesn't matter whether I'm using IE or Firefox. After a few minutes I will get timed out, and the only way I know how to get back online is by rebooting my machine. Spybot and Ad-Aware come up clean. But I am positive this is all resulting from my Vundo/malware issues I have been having since December 23. Any help would be very greatly appreciated. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38:46 AM, on 1/14/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HijackThis\+duracell-.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.exe.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Adobe Reader Synchronizer.lnk.disabled
O4 - Global Startup: Daily Motivator.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160051006296
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

--
End of file - 5254 bytes


Mod Edit: Merged new Log for continuity ~TMacK

Edited by TMacK, 14 January 2008 - 01:17 PM.


#6 Papakid

Malware Response Team

Posted 15 January 2008 - 08:58 AM

Hi +duracell-,

Our apologies for the delay and that you've been doing things on your own without some helpful guidance. We are swamped with a lot of people needing help with malware so it makes it difficult to get to everyone. If you still require help, please post a new fresh log so I can see if anything has changed and where you stand now. It looks like you are essentially clean and the issues you describe are from malware damage or not at all malware related. But I'll have a better idea when I see the more extensive log I've asked for below.

If you have not done so already, please do the initial cleanup steps in the following instructions before posting your new log: Preparation Guide For Use Before Posting A Hijackthis Log

Then, instead of just posting a HijackThis log, please do only the following, which will include one:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts. If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your next reply. If you have any problems with the logs, both can be found in C:\Deckard\System Scanner.



#7 +duracell-


Posted 15 January 2008 - 12:37 PM

Thank you so much for replying to my problem. :blink: Here are the logs you requested.


Deckard's System Scanner v20071014.68
Run by Lori B on 2008-01-15 11:54:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2008-01-15 16:55:12 UTC - RP11 - Deckard's System Scanner Restore Point
3: 2008-01-14 17:24:11 UTC - RP10 - Installed Windows Installer KB893803v2.
2: 2008-01-13 06:20:46 UTC - RP9 - ComboFix created restore point
1: 2008-01-13 06:12:35 UTC - RP8 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 254 MiB (512 MiB recommended).


-- HijackThis (run as Lori B.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:01 AM, on 1/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Documents and Settings\Lori B\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Lori B.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.exe.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Adobe Reader Synchronizer.lnk.disabled
O4 - Global Startup: Daily Motivator.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160051006296
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

--
End of file - 5297 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20080113-004806-117 O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
backup-20080113-004806-209 O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
backup-20080113-004806-604 O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
backup-20080113-004806-814 O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 PenClass (Pen Class) - c:\windows\system32\drivers\penclass.sys <Not Verified; Wacom Technology Corporation; Wacom Pen Class Driver>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

S2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
S3 ATWPKT2 - c:\program files\america online 8.0\atwpkt2.sys (file missing)
S3 catchme - c:\docume~1\lorib~1\locals~1\temp\catchme.sys (file missing)
S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 AdobeActiveFileMonitor (Adobe Active File Monitor) - c:\program files\adobe\photoshop elements 3.0\photoshopelementsfileagent.exe
S2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
S2 PhotoshopElementsDeviceConnect (Photoshop Elements Device Connect) - c:\program files\adobe\photoshop elements 3.0\photoshopelementsdeviceconnect.exe
S2 ScsiAccess - c:\windows\system32\scsiaccess.exe
S2 TabletService - c:\windows\system32\tablet.exe <Not Verified; Wacom Technology, Corp.; Wacom Win32 Tablet Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-01-01 14:53:01 492 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (DJZ94M31-Owner).job
2008-01-01 02:29:35 506 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (LORI-Lori B).job
2007-12-31 23:31:11 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2004-09-05 18:49:23 408 --a------ C:\WINDOWS\Tasks\WebReg 20040905194923.job


-- Files created between 2007-12-15 and 2008-01-15 -----------------------------

2008-01-14 12:23:30 0 d-------- C:\WINDOWS\LastGood
2008-01-14 11:39:26 0 dr-h----- C:\Documents and Settings\Lori B\Recent
2008-01-14 09:41:20 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-01-14 09:15:17 0 d-------- C:\VundoFix Backups
2008-01-13 00:30:25 0 d-------- C:\Program Files\SpywareBlaster
2008-01-12 08:49:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-12 08:49:19 0 d-------- C:\WINDOWS\System32\Kaspersky Lab
2008-01-12 08:49:16 0 d-------- C:\WINDOWS\LastGood.Tmp
2008-01-01 21:54:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2007-12-30 09:26:20 28672 --a------ C:\WINDOWS\System32\DSentry.exe <Not Verified; Dell - Advanced Desktop Engineering; Dell - DVDSentry>
2007-12-30 08:42:07 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2007-12-28 13:19:02 2856 --a------ C:\WINDOWS\System32\tmp.reg
2007-12-28 13:18:30 0 d-------- C:\Documents and Settings\Lori B\SmitfraudFix
2007-12-27 20:40:08 44928 --a------ C:\WINDOWS\System32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2007-12-27 15:28:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-27 12:13:04 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-27 12:12:53 4212 ---h----- C:\WINDOWS\System32\zllictbl.dat
2007-12-27 12:12:41 11264 --a------ C:\WINDOWS\System32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2007-12-27 12:12:12 0 d-------- C:\WINDOWS\System32\ZoneLabs
2007-12-27 12:11:17 0 d-------- C:\WINDOWS\Internet Logs
2007-12-27 11:31:51 0 d-------- C:\WINDOWS\System32\ActiveScan
2007-12-27 09:26:55 0 d-------- C:\WINDOWS\ERUNT
2007-12-26 13:00:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-12-26 09:57:42 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-26 09:54:28 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-24 11:05:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-12-24 00:59:00 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-24 00:19:32 81984 --a------ C:\WINDOWS\System32\bdod.bin
2007-12-23 22:32:38 0 d-------- C:\WINDOWS\System32\to9
2007-12-23 22:32:38 0 d-------- C:\WINDOWS\System32\dj2
2007-12-23 22:32:34 0 d-------- C:\WINDOWS\System32\ardCo02
2007-12-23 22:32:34 0 d-------- C:\Temp


-- Find3M Report ---------------------------------------------------------------

2008-01-14 11:51:05 0 d-------- C:\Program Files\Yahoo!
2008-01-01 17:28:03 0 d-------- C:\Program Files\Viewpoint
2008-01-01 14:51:07 14053 --a------ C:\WINDOWS\System32\tablet.dat
2007-12-29 08:43:36 0 d-------- C:\Program Files\Real
2007-12-29 08:43:35 0 d-------- C:\Program Files\Common Files\Real
2007-12-29 08:43:20 0 d-------- C:\Program Files\Common Files
2007-12-28 22:07:07 0 d-------- C:\Program Files\OpenOffice.org1.1.4
2007-12-27 21:10:09 0 d-------- C:\Program Files\Google
2007-12-27 17:52:52 0 d-------- C:\Program Files\Java
2007-12-27 15:29:56 0 d-------- C:\Program Files\Lavasoft
2007-12-27 15:29:54 0 d-------- C:\Documents and Settings\Lori B\Application Data\Lavasoft
2007-12-27 09:57:23 0 d-------- C:\Program Files\QuickTime
2007-12-27 09:57:15 0 d-------- C:\Program Files\DellSupport
2007-12-23 23:39:39 0 d-------- C:\Program Files\Windows NT
2007-12-16 17:56:32 127616 --a------ C:\Documents and Settings\Lori B\Application Data\GDIPFONTCACHEV1.DAT
2007-11-27 10:19:26 0 d-------- C:\Program Files\Quotetracker
2007-11-23 23:21:41 0 d-------- C:\Documents and Settings\Lori B\Application Data\Apple Computer


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [08/29/2003 03:59 AM C:\WINDOWS\BCMSMMSG.exe]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [12/29/2007 07:22 PM]

C:\Documents and Settings\Lori B\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 9:00:00 AM]
OpenOffice.org 1.1.4.lnk.disabled [3/8/2005 9:40:23 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk.disabled [12/26/2005 9:34:58 AM]
Adobe Gamma Loader.lnk.disabled [12/25/2005 7:34:45 AM]
Adobe Reader Speed Launch.lnk.disabled [5/17/2007 10:25:13 AM]
Adobe Reader Synchronizer.lnk.disabled [5/17/2007 10:25:13 AM]
Daily Motivator.lnk.disabled [9/3/2004 3:36:14 PM]
DESKTOP.INI [9/3/2002 9:00:00 AM]
HP Digital Imaging Monitor.lnk.disabled [9/5/2004 5:33:51 PM]
TabUserW.exe.lnk - C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe [12/25/2005 7:22:53 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\System32\jkhfe.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" /startup
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSConfig"=C:\Documents and Settings\Lori B\Desktop\msconfig.exe /auto
"Corel Painter Essentials 21a"=C:\Program Files\Corel\Corel Painter Essentials 2\registration .exe /title="Corel Painter Essentials 2" /date=010808 serial=PE02CBX-0000003-NMD lang=EN
"MCUpdateExe"=C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
"MCAgentExe"=C:\Program Files\McAfee.com\Agent\mcagent.exe
"ViewMgr"=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
"ymetray"="C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload




-- Hosts -----------------------------------------------------------------------

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

7791 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-01-15 11:58:12 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.20GHz
Percentage of Memory in Use: 71%
Physical Memory (total/avail): 254 MiB / 73.49 MiB
Pagefile Memory (total/avail): 625.41 MiB / 435.19 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1947.07 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.47 GiB total, 61.86 GiB free.
D: is CDROM (CDFS)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST380011A - 74.5 GiB - 2 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 74.47 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Lori B\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
CLIENTNAME=Console
COLLECTIONID=COL8795
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LORI
ComSpec=C:\WINDOWS\system32\cmd.exe
HMSERVER=https://wwss1proa.cce.hp.com/wuss/servlet/WUSSServlet
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Lori B
ITEMID=oj-22977-3
LANG=1033
LOGONSERVER=\\LORI
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
OSVER=winXPH
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
SAFEBOOT_OPTION=NETWORK
SESSIONID=1133644134723htx6060cc2061:10805b273b9:-7aaf
SESSIONNAME=Console
SWUTVER=1.0.22.20030804
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\LORIB~1\LOCALS~1\Temp
TIMEOUT=0
TMP=C:\DOCUME~1\LORIB~1\LOCALS~1\Temp
TOOLPATH=/C:\Program%20Files\HP\HP%20Software%20Update\install.htm
UPDATEDIR=C:\DOCUME~1\LORIB~1\LOCALS~1\Temp\radC8182.tmp
USERDOMAIN=LORI
USERNAME=Lori B
USERPROFILE=C:\Documents and Settings\Lori B
VERSION=2.0.481.1611
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Lori B (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative Installation Information\CREATIVE_MEDIASOURCE_U\Setup.exe" /remove /l0x0009
--> "C:\Program Files\Creative Installation Information\E-CENTER_NET_CONTENT_U\Setup.exe" /remove /l0x0009
--> "C:\Program Files\Creative Installation Information\E-CENTER_PLUGIN_CDBURNER_U\Setup.exe" /remove /l0x0009
--> "C:\Program Files\Creative Installation Information\E-CENTER_PLUGIN_MTP_U\Setup.exe" /remove /l0x0009
--> "C:\Program Files\Creative Installation Information\MEDIASOURCE_PLAYER_SKINPACK_U\Setup.exe" /remove /l0x0009
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> MsiExec.exe /I{5B782FFA-6A95-480D-8E0A-0954A14693D6}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{19822917-61F6-4221-B1D0-1C3B8A06BE60}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{19822917-61F6-4221-B1D0-1C3B8A06BE60}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7C9F6AF4-E9D9-47FE-BE4B-E637C2FCB410}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7C9F6AF4-E9D9-47FE-BE4B-E637C2FCB410}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98181885-5B28-4280-9B56-452FF877D5B9}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98181885-5B28-4280-9B56-452FF877D5B9}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A0B5225-B59B-4D72-B3FE-71AAA693A8E2}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A0B5225-B59B-4D72-B3FE-71AAA693A8E2}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A9BB081B-C020-4D02-A763-D32204D2563D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A9BB081B-C020-4D02-A763-D32204D2563D}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C029DB0E-C59F-417A-90F8-88FD5B2C4AE7}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Atmosphere Player for Acrobat and Adobe Reader --> C:\WINDOWS\atmoUn.exe
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Photoshop 6.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 6.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 6.0\Uninst.dll"
Adobe Photoshop Album 2.0 Starter Edition --> MsiExec.exe /I{11B569C2-4BF6-4ED0-9D17-A4273943CB24}
Adobe Photoshop Elements 3.0 --> MsiExec.exe /I{851C67EF-068A-4060-9EF5-2E3DDCD68382}
Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
aspi --> MsiExec.exe /I{015E4B8A-29B5-4AE3-BD08-38220FADFF4C}
AudibleManager --> C:\Program Files\Audible\Bin\Upgrade.exe /Uninstall
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
BCM V.92 56K Modem --> C:\WINDOWS\BCMSMU.exe quiet
BitDefender Free Edition v10 --> MsiExec.exe /I{BDF62CC9-FE60-4F9D-8194-8EB7E6E1412D}
Broadcom Management Programs --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{89EE857B-8970-4F9F-AB58-A1C873AC72B3} /l1033
Canon Camera Access Library --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
Canon G.726 WMP-Decoder --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\G726Decoder\G726DecUnInstall.ini"
Canon MovieEdit Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\MVWUninst.ini"
Canon RAW Image Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon RemoteCapture Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities EOS Utility --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities PhotoStitch --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
CCHelp --> MsiExec.exe /I{9D1CF8B6-17B3-4832-B062-2C2DD0B57B04}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
Comcast High-Speed Internet Install Wizard --> C:\Program Files\support.com\uninstall\chsi_uninstaller.exe
Comcast Toolbar --> C:\Program Files\ComcastToolbar\uninstall.exe
Corel Painter Essentials 2 --> MsiExec.exe /X{B946D46E-1302-48B4-84EE-B74C3191D975}
Cortex Command Test Build 14 --> "C:\Program Files\Data Realms\Cortex Command\unins000.exe"
CR2 --> MsiExec.exe /I{432C3720-37BF-4BD7-8E49-F38E090246D0}
Creative MediaSource 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}\SETUP.EXE" -l0x9 /remove
Creative Removable Disk Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9 /remove
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Creative ZEN V Series (R2) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9862E0CB-4727-4FFC-963A-E22A9E9EC10C}\SETUP.EXE" -l0x9 /remove
DAO --> MsiExec.exe /I{64116298-93C5-401D-B06C-39D8E3338508}
Dell Inkjet Printer J740 --> C:\WINDOWS\System32\spool\drivers\w32x86\3\DLBJUN5C.EXE -dDell Inkjet Printer J740
Dell Picture Studio - Dell Image Expert --> MsiExec.exe /I{151C555A-A9E7-4A2E-B6D7-165D04A3C956}
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
DellSupport --> MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
Desktop Doctor --> "C:\Program Files\Support.com\providerComcast\Uninstall.exe" /c "Remove Desktop Doctor?"
DirectX 9 Hotfix - KB839643 --> C:\WINDOWS\$NtUninstallKB839643-DirectX9$\spuninst\spuninst.exe
DS21Patch --> MsiExec.exe /I{9B79DCB0-AAD7-456B-8D07-433C936FA24B}
DVDSentry --> MsiExec.exe /I{98DF85D9-96C0-4F57-A92E-C3539477EF5E}
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
ESSAdpt --> MsiExec.exe /I{D15E9DB5-6BEB-4534-901E-80C0A29BAB97}
ESSANUP --> MsiExec.exe /I{A6F18A67-B771-4191-8A33-36D2E742D6D9}
ESSBrwr --> MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCAM --> MsiExec.exe /I{469730CC-78DF-4CD3-B286-562D459EA619}
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESShelp --> MsiExec.exe /I{87843A41-7808-4F2E-B13F-25C1E67CF2FD}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSTUTOR --> MsiExec.exe /I{CA60320D-6A16-49C8-A34F-84EEF4799567}
ESSvpaht --> MsiExec.exe /I{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}
ESSvpot --> MsiExec.exe /I{48C82F7A-F100-4DAB-A310-8E18BF2159E1}
ewido anti-malware --> C:\Program Files\ewido\ewido anti-malware\Uninstall.exe
FontCreator 5.5 --> "C:\Program Files\High Logic\FontCreator\unins000.exe"
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HijackThis 2.0.2 --> "C:\Program Files\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB910998) --> "C:\WINDOWS\$NtUninstallKB910998$\spuninst\spuninst.exe"
HP Image Zone 3.5 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 3.5 --> "C:\Program Files\HP\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\setup\hpzscr01.exe" -datfile hposcr03.dat
HP Software Update --> MsiExec.exe /X{34957B51-9676-41CE-9E52-44AE91B73F1C}
HTML-Kit --> "C:\Program Files\HTML-KIT\unins000.exe"
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Kaspersky Online Scanner --> C:\WINDOWS\System32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_3c0002_1294e8eb\Setup.exe /APR-REMOVE
KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
Laridian MyBible 4 for PalmOS --> C:\WINDOWS\ctpu.exe -uC:\Program Files\Laridian\MyBible 4\install.log -lC:\WINDOWS\ResENU.dll
Laridian MyBible American Standard Version (ASV) for PalmOS --> C:\WINDOWS\ctpu.exe -uC:\Program Files\Laridian\MyBible American Standard Version (ASV)\install.log -lC:\WINDOWS\ResENU.dll
Laridian MyBible King James Version (KJV) for PalmOS --> C:\WINDOWS\ctpu.exe -uC:\Program Files\Laridian\MyBible King James Version (KJV)\install.log -lC:\WINDOWS\ResENU.dll
Laridian MyBible TNIV New Testament for PalmOS --> C:\WINDOWS\ctpu.exe -uC:\Program Files\Laridian\MyBible TNIV New Testament\install.log -lC:\WINDOWS\ResENU.dll
McAfee.com SecurityCenter --> c:\PROGRA~1\mcafee.com\shared\mghtml.exe mcp://c:\PROGRA~1\mcafee.com\agent\uninst\screm.ui::uninstall.htm
McAfee.com VirusScan Online --> c:\PROGRA~1\mcafee.com\shared\mghtml.exe mcp://c:\PROGRA~1\mcafee.com\agent\uninst\vsoremui.dll::uninstall.htm
Memories Disc Creator 2.0 --> MsiExec.exe /X{2E132061-C78A-48D4-A899-1D13B9D189FA}
Microsoft Encarta Encyclopedia Standard 2003 --> MsiExec.exe /I{03410014-3975-4267-9F39-1DC4745090B7}
Microsoft Money 2003 --> MsiExec.exe /I{01F9D88C-3C86-4E82-840A-101A3221F67A}
Microsoft Money 2003 System Pack --> MsiExec.exe /I{02B42D23-10F2-4862-ADA4-3DF1EA0021B2}
Microsoft Picture It! Photo 7.0 --> MsiExec.exe /I{369B36BE-3D64-4641-9AEA-808D436FE132}
Microsoft Streets and Trips 2002 --> MsiExec.exe /I{12BDDF23-B1DB-49C8-92D3-3E6841CCED61}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Word 2002 --> MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
Microsoft Works 2003 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2003\Setup\Launcher.exe D:\
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{7EE9DE0D-9228-4C33-B80E-FDD1773600DF}
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MUSICMATCH Jukebox --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\Uninst.isu" -cC:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.dll
nik Color Efex Pro 2.0 IE --> C:\WINDOWS\unvise32.exe C:\Program Files\Adobe\Photoshop Elements 3.0\Plug-Ins\nik Color Efex Pro 2.0 IE\uninstal.log
Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
OpenOffice.org 1.1.4 --> C:\Program Files\OpenOffice.org1.1.4\program\setup.exe -deinstall
OTtBP --> MsiExec.exe /I{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}
Palm Desktop --> MsiExec.exe /X{F1E906E7-1120-428D-A124-4938C306427E}
Panda ActiveScan --> C:\WINDOWS\System32\ASUninst.exe Panda ActiveScan
PCDLNCH --> MsiExec.exe /I{69BD6399-3D8F-45B7-81D9-819361F5101D}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
Real Estate Success System --> MsiExec.exe /X{9D5F3034-9EE0-48DB-8A45-1A1507E980FC}
Russ Whitney's Business Success System Software --> C:\PROGRA~1\PSS\UNWISE.EXE C:\PROGRA~1\PSS\INSTALL.LOG
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
SFR --> MsiExec.exe /I{C354C9B6-A4E0-4BB0-A368-6DC6BCA0E314}
SFR2 --> MsiExec.exe /I{ABE068DF-8DC4-4947-ABFC-DD2B40850225}
Shockwave --> C:\WINDOWS\SYSTEM32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\MACROMED\SHOCKW~1\Install.log
Simply Track 2.2.5 P2 --> "C:\Program Files\SimplyTrack\unins000.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Tablet --> C:\Program Files\Tablet\Remove.exe /u
TD AMERITRADE StrategyDesk 2.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TD AMERITRADE\StrategyDesk\Uninst.isu"
TradeLog Demo --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\TL6DEMO.INF, DefaultUninstall.ntx86
Visual Install Pack --> MsiExec.exe /X{4477B93C-01D3-48E7-AC38-8AD313F2A3C1}
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
ZENcast Organizer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C029DB0E-C59F-417A-90F8-88FD5B2C4AE7}\setup.exe" -l0x9 /remove


-- Application Event Log -------------------------------------------------------

Event Record #/Type2009 / Error
Event Submitted/Written: 01/15/2008 11:44:01 AM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Event Record #/Type2008 / Error
Event Submitted/Written: 01/15/2008 11:44:01 AM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt_qxp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type2007 / Warning
Event Submitted/Written: 01/14/2008 02:07:12 PM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C

Event Record #/Type2006 / Warning
Event Submitted/Written: 01/14/2008 02:06:58 PM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C

Event Record #/Type2005 / Warning
Event Submitted/Written: 01/14/2008 01:49:32 PM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type33761 / Error
Event Submitted/Written: 01/15/2008 11:47:32 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type33760 / Error
Event Submitted/Written: 01/15/2008 11:47:08 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type33757 / Error
Event Submitted/Written: 01/15/2008 11:44:24 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type33756 / Error
Event Submitted/Written: 01/15/2008 11:44:11 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service ImapiService with arguments "-Service"
in order to run the server:
{520CCA63-51A5-11D3-9144-00104BA11C5E}

Event Record #/Type33755 / Error
Event Submitted/Written: 01/15/2008 11:44:07 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service ImapiService with arguments "-Service"
in order to run the server:
{520CCA63-51A5-11D3-9144-00104BA11C5E}



-- End of Deckard's System Scanner: finished at 2008-01-15 11:58:12 ------------
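
The Application and System event-log entries in the DSS report above all turn out to carry the same Win32 error once decoded: `%%1084` in the DCOM 10005 events, `0x8007043C` in the MsiInstaller 1015 warnings and `8007043C` in the COM+ EventSystem 4609 error are all error 1084, ERROR_NOT_SAFEBOOT_SERVICE ("This service cannot be started in Safe Mode"), which is what these services report when Windows is booted into Safe Mode. That does not rule out an infection, but it means these particular entries are a side effect of how the machine was booted rather than evidence on their own. The helper below is an added example, not part of DSS, ComboFix or the original post: it parses the DSS event-record format, unwraps `HRESULT_FROM_WIN32` codes and `%%NNNN` placeholders, and groups the events by decoded error. `SAMPLE_LOG` is constructed from four of the entries posted above; the only Win32 name table it carries is the one entry needed here.

```python
"""Added triage helper, not part of DSS, ComboFix or the original post: parse
the event-log section of a Deckard's System Scanner report and decode the
error codes it carries.  SAMPLE_LOG is constructed from the entries above."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Win32 error 1084 is ERROR_NOT_SAFEBOOT_SERVICE ("This service cannot be started
# in Safe Mode").  HRESULT 0x8007043C is the same code wrapped by
# HRESULT_FROM_WIN32 (facility 7, low word 0x43C == 1084).
WIN32_NAMES = {1084: "ERROR_NOT_SAFEBOOT_SERVICE (cannot start in Safe Mode)"}

RECORD_RE = re.compile(r"^Event Record #/Type(\d+) / (\w+)$")
IDSRC_RE = re.compile(r"^Event ID/Source: (\d+) / (\S+)$")
HRESULT_RE = re.compile(r"(?:0x|HRESULT was )([0-9A-Fa-f]{8})\b")
PLACEHOLDER_RE = re.compile(r"%%(\d+)")

@dataclass
class Event:
    record: int
    level: str
    event_id: int = 0
    source: str = ""
    description: str = ""
    win32_codes: List[int] = field(default_factory=list)

def hresult_to_win32(code: int) -> Optional[int]:
    """Unwrap HRESULT_FROM_WIN32: 0x8007xxxx carries a Win32 error in the low word."""
    return code & 0xFFFF if (code >> 16) == 0x8007 else None

def extract_win32_codes(description: str) -> List[int]:
    """Collect Win32 codes from 0x8007xxxx HRESULTs and from %%NNNN placeholders."""
    codes = []
    for m in HRESULT_RE.finditer(description):
        w = hresult_to_win32(int(m.group(1), 16))
        if w is not None:
            codes.append(w)
    codes.extend(int(m.group(1)) for m in PLACEHOLDER_RE.finditer(description))
    return codes

def parse_events(text: str) -> List[Event]:
    """Parse DSS 'Event Record' blocks; a blank line ends a (multi-line) description."""
    events, cur, in_desc = [], None, False
    for line in (l.rstrip() for l in text.splitlines()):
        m = RECORD_RE.match(line)
        if m:
            cur = Event(int(m.group(1)), m.group(2))
            events.append(cur)
            in_desc = False
        elif cur is None or (not line and not in_desc):
            continue
        elif not line:                      # blank line closes the description
            cur, in_desc = None, False
        elif (m := IDSRC_RE.match(line)):
            cur.event_id, cur.source = int(m.group(1)), m.group(2)
        elif line == "Event Description:":
            in_desc = True
        elif in_desc:
            cur.description = (cur.description + " " + line).strip()
    for ev in events:
        ev.win32_codes = extract_win32_codes(ev.description)
    return events

def triage(text: str) -> Dict[int, List[Tuple[str, int]]]:
    """Map each decoded Win32 error to the (source, event id) pairs that raised it."""
    out: Dict[int, List[Tuple[str, int]]] = {}
    for ev in parse_events(text):
        for code in ev.win32_codes:
            out.setdefault(code, []).append((ev.source, ev.event_id))
    return out

# Constructed sample: four records copied from the DSS log posted above.
SAMPLE_LOG = r"""
Event Record #/Type2009 / Error
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Event Record #/Type2008 / Error
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt_qxp\com\com1x\src\events\tier1\eventsystemobj.cpp.

Event Record #/Type2007 / Warning
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C

Event Record #/Type33761 / Error
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
"""

if __name__ == "__main__":
    for code, raised_by in triage(SAMPLE_LOG).items():
        print(code, WIN32_NAMES.get(code, "unknown"), raised_by)
```

Running it on the sample groups the EventSystem, MsiInstaller and DCOM entries under 1084 and leaves the VSS `hr = 0x80040206` entry ungrouped, since that HRESULT is not a wrapped Win32 code and would need a separate lookup.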

#8 +duracell- (Topic Starter, Members, 18 posts)

Posted 20 January 2008 - 08:24 AM

are you still with me?

#9 Papakid (Guru at being a Newbie, Malware Response Team, 6,628 posts)

Posted 20 January 2008 - 10:53 AM

Yep, apologies for the delay once more.

You do have signs of infection, but I am not at all sure that all your problems are malware related. There are several things to go over, but I'm going to go straight to some fixes and we will deal with the others later. One question in the meantime: why have you not installed SP2? You really should get fully updated, but don't try to yet until we get you cleaned up and deal with your other issues.

Run DSS again, using these instructions:

Click START> Run - then copy the following bold blue text and paste it into the Run box & click OK

"%userprofile%\desktop\dss.exe" /daft

Read the disclaimer and click OK.

Click on Scan.

Place a checkmark next to the entries displayed when the scan is finished then Click on Fix.

Repeat the scan; you should get a message "All Associations OK!"

Next, click Save Log, and post this log in your next reply.


Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

The thing about people

is they change

when they walk away.--Mipso


#10 +duracell- (Topic Starter, Members, 18 posts)

Posted 20 January 2008 - 12:57 PM

Well, I haven't installed SP2 yet because this is my wife's computer and I was not aware it was still on SP1...and plus I knew it should be clean before I do that.


Here's the log from DSS:

DAFT Log saved on 2008-01-20 12:02:30
-----------------------------------------------------------------------
All associations okay!



ComboFix 08-01-20.1 - Lori 2008-01-20 12:30:10.5 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.98 [GMT -5:00]
Running from: C:\Documents and Settings\Lori\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
.

2008-01-18 20:30 . 2008-01-18 21:16 <DIR> d-------- C:\Documents and Settings\Lori\.housecall6.6
2008-01-15 11:47 . 2008-01-15 11:47 <DIR> d-------- C:\Deckard
2008-01-14 12:23 . 2008-01-18 21:16 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-14 09:15 . 2008-01-14 09:15 <DIR> d-------- C:\VundoFix Backups
2008-01-13 01:20 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-13 00:30 . 2008-01-13 00:34 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-12 08:49 . 2008-01-12 08:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-01-12 08:49 . 2008-01-12 08:49 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-01-12 08:49 . 2008-01-12 08:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-30 09:26 . 2007-12-29 19:22 114,688 --a------ C:\WINDOWS\SYSTEM32\hkcmd.exe
2007-12-30 09:26 . 2007-12-29 19:22 28,672 --a------ C:\WINDOWS\SYSTEM32\DSentry.exe
2007-12-29 09:37 . 2007-12-25 16:04 155,648 --a------ C:\WINDOWS\SYSTEM32\igfxtray.exe
2007-12-28 13:19 . 2007-12-28 13:19 2,856 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-12-28 13:18 . 2007-12-28 13:22 <DIR> d-------- C:\Documents and Settings\Lori\SmitfraudFix
2007-12-27 20:40 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SDTHOOK.SYS
2007-12-27 17:52 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2007-12-27 15:28 . 2008-01-12 16:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-27 12:13 . 2007-12-27 12:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-27 12:12 . 2008-01-14 12:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2007-12-27 12:12 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2007-12-27 12:12 . 2007-12-29 10:27 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2007-12-27 12:11 . 2008-01-14 12:02 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-27 11:32 . 2007-12-27 20:32 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2007-12-27 11:32 . 2007-12-27 20:32 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2007-12-27 11:32 . 2007-12-27 20:32 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2007-12-27 11:31 . 2007-12-27 20:56 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-12-27 09:26 . 2007-12-27 09:27 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-26 13:00 . 2007-12-26 13:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-12-26 09:57 . 2007-12-26 09:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-26 09:54 . 2008-01-01 12:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-24 00:59 . 2007-12-26 11:01 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-24 00:37 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-12-24 00:19 . 2007-12-28 13:41 81,984 --a------ C:\WINDOWS\SYSTEM32\bdod.bin
2007-12-23 22:32 . 2007-12-27 16:16 <DIR> d-------- C:\WINDOWS\SYSTEM32\to9
2007-12-23 22:32 . 2007-12-27 16:16 <DIR> d-------- C:\WINDOWS\SYSTEM32\dj2
2007-12-23 22:32 . 2007-12-27 23:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\ardCo02
2007-12-23 22:32 . 2007-12-23 22:32 <DIR> d-------- C:\Temp\cEeer12
2007-12-23 22:32 . 2007-12-28 14:32 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 17:35 --------- d-----w C:\Program Files\OpenOffice.org1.1.4
2008-01-14 16:51 --------- d-----w C:\Program Files\Yahoo!
2008-01-14 16:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\YAHOO
2008-01-12 21:17 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
2008-01-01 22:28 --------- d-----w C:\Program Files\Viewpoint
2008-01-01 17:46 158,208 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe
2007-12-29 14:34 145,408 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msconfig.exe
2007-12-29 13:43 --------- d-----w C:\Program Files\Real
2007-12-29 13:43 --------- d-----w C:\Program Files\Common Files\Real
2007-12-29 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-28 02:10 --------- d-----w C:\Program Files\Google
2007-12-27 22:52 --------- d-----w C:\Program Files\Java
2007-12-27 20:29 --------- d-----w C:\Program Files\Lavasoft
2007-12-27 20:29 --------- d-----w C:\Documents and Settings\Lori\Application Data\Lavasoft
2007-12-27 14:57 --------- d-----w C:\Program Files\QuickTime
2007-12-27 14:57 --------- d-----w C:\Program Files\DellSupport
2007-12-16 22:56 127,616 ----a-w C:\Documents and Settings\Lori\Application Data\GDIPFONTCACHEV1.DAT
2007-11-27 15:19 --------- d-----w C:\Program Files\Quotetracker
2007-11-24 04:21 --------- d-----w C:\Documents and Settings\Lori\Application Data\Apple Computer
2006-10-18 23:03 194,512 ----a-w C:\Documents and Settings\Lori\Application Data\shb.dat
2006-07-15 18:06 349,819 ----a-w C:\WINDOWS\Fonts\LHFcafecorina.exe
2006-10-20 02:36 7,865 --sha-w C:\WINDOWS\SYSTEM32\vtuurrs.dll
.

((((((((((((((((((((((((((((( snapshot@2008-01-13_ 1.25.52.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-13 06:20:50 1,409,024 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-20 17:29:52 1,409,024 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-13 06:20:50 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-20 17:29:52 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-13 06:20:51 1,409,024 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-20 17:29:52 1,409,024 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-13 06:20:51 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-20 17:29:52 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-13 06:20:51 6,193,152 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-20 17:29:52 6,193,152 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-13 06:20:51 483,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-20 17:29:52 483,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2004-08-20 22:01:15 700,928 ----a-w C:\WINDOWS\LastGood\System32\DllCache\sxs.dll
+ 2004-08-20 22:01:15 700,928 ----a-w C:\WINDOWS\LastGood\System32\sxs.dll
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 28,672 2002-07-16 12:21:48 C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe
----a-w 28,672 2007-12-30 00:22:19 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

----a-w 151,597 2003-10-04 13:14:04 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 151,597 2007-12-27 14:44:20 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

----a-w 733,184 2004-03-18 19:38:08 C:\Program Files\Corel\Corel Painter Essentials 2\bak\registration.exe

----a-w 700,416 2006-06-12 19:32:26 C:\Program Files\Creative\Sync Manager Unicode\bak\CTSyncU.exe
----a-w 700,416 2008-01-01 00:45:58 C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

----a-w 49,152 2003-08-04 21:28:18 C:\Program Files\HP\HP Software Update\bak\HPWuSchd.exe
----a-w 49,152 2007-12-27 14:44:03 C:\Program Files\HP\HP Software Update\HPWuSchd.exe

----a-w 241,664 2003-12-22 12:38:42 C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe
----a-w 241,664 2007-12-27 14:44:06 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

----a-w 192,512 2002-09-06 23:15:48 C:\Program Files\McAfee.com\Agent\bak\mcagent.exe
----a-w 192,512 2008-01-01 00:45:49 C:\Program Files\McAfee.com\Agent\mcagent.exe

----a-w 151,552 2002-09-04 15:28:56 C:\Program Files\McAfee.com\Agent\bak\McUpdate.exe

----a-w 139,264 2002-10-04 20:09:40 C:\Program Files\McAfee.com\VSO\bak\mcvsshld.exe
----a-w 139,264 2007-12-27 14:44:05 C:\Program Files\McAfee.com\VSO\mcvsshld.exe

----a-w 6,104,568 2006-10-03 18:04:38 C:\Program Files\Yahoo!\Yahoo! Music Engine\bak\YahooMusicEngine.exe

----a-w 1,728,512 2003-08-20 09:38:22 C:\WINDOWS\kdx\bak\KHost.exe

----a-r 28,672 2002-08-14 23:22:52 C:\WINDOWS\SYSTEM32\bak\DSentry.exe
----a-w 28,672 2007-12-30 00:22:19 C:\WINDOWS\SYSTEM32\DSentry.exe

----a-w 114,688 2003-04-07 05:07:38 C:\WINDOWS\SYSTEM32\bak\hkcmd.exe
----a-w 114,688 2007-12-30 00:22:26 C:\WINDOWS\SYSTEM32\hkcmd.exe

----a-w 155,648 2003-04-07 05:19:52 C:\WINDOWS\SYSTEM32\bak\igfxtray.exe
----a-w 155,648 2007-12-25 21:04:48 C:\WINDOWS\SYSTEM32\igfxtray.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-12-31 19:46 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2007-12-29 19:22 28672]

C:\Documents and Settings\Lori\Start Menu\Programs\Startup\
OpenOffice.org 1.1.4.lnk.disabled [2005-03-08 21:40:23 925]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk.disabled [2005-12-26 09:34:58 890]
Adobe Gamma Loader.lnk.disabled [2005-12-25 07:34:45 890]
Adobe Reader Speed Launch.lnk.disabled [2007-05-17 10:25:13 1746]
Adobe Reader Synchronizer.lnk.disabled [2007-05-17 10:25:13 1788]
Daily Motivator.lnk.disabled [2004-09-03 15:36:14 1601]
HP Digital Imaging Monitor.lnk.disabled [2004-09-05 17:33:51 1808]
TabUserW.exe.lnk - C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe [2005-12-25 07:22:53 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\System32\jkhfe.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" /startup
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSConfig"=C:\Documents and Settings\Lori\Desktop\msconfig.exe /auto
"Corel Painter Essentials 21a"=C:\Program Files\Corel\Corel Painter Essentials 2\registration .exe /title="Corel Painter Essentials 2" /date=010808 serial=PE02CBX-0000003-NMD lang=EN
"MCUpdateExe"=C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
"MCAgentExe"=C:\Program Files\McAfee.com\Agent\mcagent.exe
"ViewMgr"=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
"ymetray"="C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload

S2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 04:47]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 03:40]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-01 04:31:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-01 19:53:01 C:\WINDOWS\Tasks\McAfee.com Update Check (DJZ94M31-Owner).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agent
"2008-01-01 07:29:35 C:\WINDOWS\Tasks\McAfee.com Update Check (LORI-Lori).job"
- C:\PROGRA~1\McAfee.com\Agent\MCUPDA~1 .EX
- C:\PROGRA~1\McAfee.com\Agent
"2004-09-05 23:49:23 C:\WINDOWS\Tasks\WebReg 20040905194923.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe^/TaskName 20040905194923 /N
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 12:34:06
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-20 12:36:00
ComboFix2.txt 2008-01-13 06:26:22
ComboFix3.txt 2008-01-01 15:01:12
ComboFix4.txt 2007-12-28 19:43:35
.
2007-12-27 14:16:13 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:51:08 PM, on 1/20/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\+duracell-.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.exe.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Adobe Reader Synchronizer.lnk.disabled
O4 - Global Startup: Daily Motivator.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160051006296
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

--
End of file - 5407 bytes

#11 Papakid (Guru at being a Newbie, Malware Response Team, 6,628 posts)

Posted 21 January 2008 - 10:48 AM

OK, your log is still showing a few leftovers of Vundo and has revealed something else. But the log results are a bit unusual, so it is unclear if this is still active or a failed attempt. The infection replaces legitimate startups with its own file, essentially masquerading as those programs you are allowing to run on startup. Please do only the instructions below so we can get a better idea of what is going on--don't try to remove any of those startups yet--and if you have in the meantime, let me know, along with what your symptoms are now.

BTW, I don't encourage the use of msconfig for startup management. It is meant to be used temporarily for troubleshooting purposes. I guess you may realize this since you are using Spybot's startup manager now, which is fine. I like Mike Lin's Startup Control Panel. But I bring it up because using msconfig and even other managers prevents us from seeing all the startups we may need to deal with using HJT and sort of complicates matters. Fortunately DSS and CF show most disabled startups so I know what to deal with--you've got one Vundo that we will fix--but the best option is to use the configuration options in your program's interface.

Print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Download SDFix and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt in your next reply.


1. Click Start, then Run and type Notepad and click OK.

2. Now copy/paste the entire contents of the codebox below into the Notepad window:

DirLook::
C:\WINDOWS\System32\to9
C:\WINDOWS\System32\dj2
C:\WINDOWS\System32\ardCo02
C:\Temp

File::
C:\WINDOWS\System32\bdod.bin

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]


Save this as CFScript.txt



Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.


Click HERE to download FindAWF.exe and save it to your desktop.
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 1, then press Enter.
FindAWF tool will begin scanning.
It may take a few minutes to complete so be patient.
When the scan is finished, a text file in notepad called AWF.txt will automatically open.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.


Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/flash/index_en.html


Finally, run the Kaspersky online scanner again as you did earlier and post its log along with a fresh HijackThis log. If it takes more than one post to get all those logs I've asked for posted, that is fine.

The thing about people

is they change

when they walk away.--Mipso
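
The AWF section of the ComboFix log above is the evidence behind Papakid's description: for each affected startup the legitimate program sits in a `bak` subfolder with its original date, and a file of exactly the same size but a December 2007 or January 2008 write time sits at the path the startup entry points at. One `bak` copy (`registration.exe`) has no live counterpart listed, and the disabled Run- key on the page references `registration .exe` with a space before the extension, which is worth checking by hand. The script below is an added example, not FindAWF's, ComboFix's or the poster's code: it parses AWF lines, pairs each `bak` copy with the live path, and classifies the pair. The `replaced` / `orphan` / `mismatch` verdicts and the same-size-but-newer heuristic are this example's own assumptions drawn from the pattern in this log, and `restore_plan` only returns the moves a human should review; nothing touches the disk. `SAMPLE_AWF` is constructed from lines on this page.

```python
"""Added example (not FindAWF's, ComboFix's or the original poster's code):
parse the AWF section of a ComboFix log and pair each file parked in a 'bak'
folder with the file now at the original path.  Verdict heuristics are this
example's assumptions, based on the pattern visible in the log above."""
import re
from datetime import datetime
from pathlib import PureWindowsPath
from typing import Dict, List, NamedTuple, Tuple

# One AWF line: attribute flags, size with thousands separators, timestamp, path.
LINE_RE = re.compile(
    r"^(\S{7})\s+([\d,]+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.+?)\s*$")

class Entry(NamedTuple):
    attrs: str
    size: int
    mtime: datetime
    path: str

class Finding(NamedTuple):
    live: str      # path the startup entry points at
    bak: str       # parked copy of the legitimate program
    verdict: str   # "replaced", "orphan" or "mismatch" (this example's labels)
    detail: str

def parse_awf(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), int(m.group(2).replace(",", "")),
                                 datetime.strptime(m.group(3), "%Y-%m-%d %H:%M:%S"),
                                 m.group(4)))
    return entries

def is_bak(path: str) -> bool:
    return PureWindowsPath(path).parent.name.lower() == "bak"

def live_path(bak_path: str) -> str:
    """C:\\dir\\bak\\x.exe -> C:\\dir\\x.exe"""
    p = PureWindowsPath(bak_path)
    return str(p.parent.parent / p.name)

def analyse(entries: List[Entry]) -> List[Finding]:
    """Assumption: a live file the same size as its bak copy but written later
    is the dropped replacement; a bak copy with no live file needs a manual look."""
    by_path: Dict[str, Entry] = {e.path.lower(): e for e in entries}
    findings = []
    for e in entries:
        if not is_bak(e.path):
            continue
        live = live_path(e.path)
        cur = by_path.get(live.lower())
        if cur is None:
            findings.append(Finding(live, e.path, "orphan",
                "no live file at that exact name; check Run/Run- keys for a renamed target"))
        elif cur.size == e.size and cur.mtime > e.mtime:
            findings.append(Finding(live, e.path, "replaced",
                f"live file is {cur.size} bytes like the original but written "
                f"{cur.mtime:%Y-%m-%d}; original dated {e.mtime:%Y-%m-%d}"))
        else:
            findings.append(Finding(live, e.path, "mismatch",
                f"sizes {cur.size} vs {e.size}; hash both before restoring"))
    return findings

def restore_plan(findings: List[Finding]) -> List[Tuple[str, str]]:
    """(bak -> live) moves for a human to review; this never touches the disk."""
    return [(f.bak, f.live) for f in findings if f.verdict == "replaced"]

# Constructed sample: lines copied from the AWF section of the ComboFix log above.
SAMPLE_AWF = r"""
----a-w 28,672 2002-07-16 12:21:48 C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe
----a-w 28,672 2007-12-30 00:22:19 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

----a-w 151,597 2003-10-04 13:14:04 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 151,597 2007-12-27 14:44:20 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

----a-w 733,184 2004-03-18 19:38:08 C:\Program Files\Corel\Corel Painter Essentials 2\bak\registration.exe

----a-r 28,672 2002-08-14 23:22:52 C:\WINDOWS\SYSTEM32\bak\DSentry.exe
----a-w 28,672 2007-12-30 00:22:19 C:\WINDOWS\SYSTEM32\DSentry.exe
"""

if __name__ == "__main__":
    for f in analyse(parse_awf(SAMPLE_AWF)):
        print(f.verdict.upper(), f.live, "-", f.detail)
```

On the sample the three complete pairs come out as `replaced` and `registration.exe` as `orphan`; the same script run over the full AWF section of a log gives the reviewer one line per startup to compare against the Jotti/VirusTotal results Papakid asks for before anything is moved back.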


#12 +duracell- (Topic Starter, Members, 18 posts)

Posted 21 January 2008 - 02:29 PM

After running SDFix I could not connect to the internet, even after I rebooted twice. Then I tried safe mode with networking and that worked. And now I can connect when I reboot normally. Here are the logs:


SDFix: Version 1.129

Run by Lori on Mon 01/21/2008 at 11:35 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found






Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 11:41:53
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

Thu 19 Oct 2006 7,865 A.SH. --- "C:\WINDOWS\SYSTEM32\vtuurrs.dll"
Mon 25 Dec 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Finished!


ComboFix 08-01-20.1 - Lori 2008-01-21 12:22:41.6 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.103 [GMT -5:00]
Running from: C:\Documents and Settings\Lori\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lori\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\System32\bdod.bin
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\System32\bdod.bin

.
((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
.

2008-01-21 11:30 . 2008-01-21 11:30 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-18 20:30 . 2008-01-18 21:16 <DIR> d-------- C:\Documents and Settings\Lori Barker\.housecall6.6
2008-01-15 11:47 . 2008-01-15 11:47 <DIR> d-------- C:\Deckard
2008-01-14 12:23 . 2008-01-18 21:16 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-14 09:15 . 2008-01-14 09:15 <DIR> d-------- C:\VundoFix Backups
2008-01-13 01:20 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-13 00:30 . 2008-01-13 00:34 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-12 08:49 . 2008-01-12 08:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-01-12 08:49 . 2008-01-12 08:49 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-01-12 08:49 . 2008-01-12 08:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-30 09:26 . 2007-12-29 19:22 114,688 --a------ C:\WINDOWS\SYSTEM32\hkcmd.exe
2007-12-30 09:26 . 2007-12-29 19:22 28,672 --a------ C:\WINDOWS\SYSTEM32\DSentry.exe
2007-12-29 09:37 . 2007-12-25 16:04 155,648 --a------ C:\WINDOWS\SYSTEM32\igfxtray.exe
2007-12-28 13:19 . 2007-12-28 13:19 2,856 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-12-28 13:18 . 2007-12-28 13:22 <DIR> d-------- C:\Documents and Settings\Lori\SmitfraudFix
2007-12-27 20:40 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SDTHOOK.SYS
2007-12-27 17:52 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2007-12-27 15:28 . 2008-01-12 16:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-27 12:13 . 2007-12-27 12:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-27 12:12 . 2008-01-14 12:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2007-12-27 12:12 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2007-12-27 12:12 . 2007-12-29 10:27 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2007-12-27 12:11 . 2008-01-14 12:02 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-27 11:32 . 2007-12-27 20:32 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2007-12-27 11:32 . 2007-12-27 20:32 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2007-12-27 11:32 . 2007-12-27 20:32 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2007-12-27 11:31 . 2007-12-27 20:56 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-12-26 13:00 . 2007-12-26 13:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-12-26 09:57 . 2007-12-26 09:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-26 09:54 . 2008-01-01 12:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-24 00:59 . 2007-12-26 11:01 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-24 00:37 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-12-23 22:32 . 2007-12-27 16:16 <DIR> d-------- C:\WINDOWS\SYSTEM32\to9
2007-12-23 22:32 . 2007-12-27 16:16 <DIR> d-------- C:\WINDOWS\SYSTEM32\dj2
2007-12-23 22:32 . 2007-12-27 23:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\ardCo02
2007-12-23 22:32 . 2007-12-23 22:32 <DIR> d-------- C:\Temp\cEeer12
2007-12-23 22:32 . 2007-12-28 14:32 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 17:35 --------- d-----w C:\Program Files\OpenOffice.org1.1.4
2008-01-14 16:51 --------- d-----w C:\Program Files\Yahoo!
2008-01-14 16:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\YAHOO
2008-01-12 21:17 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
2008-01-01 22:28 --------- d-----w C:\Program Files\Viewpoint
2008-01-01 17:46 158,208 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe
2007-12-29 14:34 145,408 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msconfig.exe
2007-12-29 13:43 --------- d-----w C:\Program Files\Real
2007-12-29 13:43 --------- d-----w C:\Program Files\Common Files\Real
2007-12-29 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-28 02:10 --------- d-----w C:\Program Files\Google
2007-12-27 22:52 --------- d-----w C:\Program Files\Java
2007-12-27 20:29 --------- d-----w C:\Program Files\Lavasoft
2007-12-27 20:29 --------- d-----w C:\Documents and Settings\Lori\Application Data\Lavasoft
2007-12-27 14:57 --------- d-----w C:\Program Files\QuickTime
2007-12-27 14:57 --------- d-----w C:\Program Files\DellSupport
2007-12-16 22:56 127,616 ----a-w C:\Documents and Settings\Lori\Application Data\GDIPFONTCACHEV1.DAT
2007-11-27 15:19 --------- d-----w C:\Program Files\Quotetracker
2007-11-24 04:21 --------- d-----w C:\Documents and Settings\Lori\Application Data\Apple Computer
2006-10-18 23:03 194,512 ----a-w C:\Documents and Settings\Lori\Application Data\shb.dat
2006-07-15 18:06 349,819 ----a-w C:\WINDOWS\Fonts\LHFcafecorina.exe
2006-10-20 02:36 7,865 --sha-w C:\WINDOWS\SYSTEM32\vtuurrs.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Temp ----

2007-12-23 22:32 1858 --a------ C:\Temp\cEeer12\skAt.log

---- Directory of C:\WINDOWS\System32\ardCo02 ----


---- Directory of C:\WINDOWS\System32\dj2 ----


---- Directory of C:\WINDOWS\System32\to9 ----



((((((((((((((((((((((((((((( snapshot@2008-01-13_ 1.25.52.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-13 06:20:50 1,409,024 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-21 17:22:21 1,409,024 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-13 06:20:50 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-21 17:22:21 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-13 06:20:51 1,409,024 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-21 17:22:21 1,409,024 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-13 06:20:51 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-21 17:22:22 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-13 06:20:51 6,193,152 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-21 17:22:22 6,193,152 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-13 06:20:51 483,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-21 17:22:22 483,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2007-12-24 05:54:58 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-01-19 12:25:21 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
- 2007-12-27 14:27:24 1,175,552 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-01-21 16:31:14 6,193,152 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2007-12-27 14:27:24 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-01-21 16:31:15 483,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2007-12-24 05:54:58 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-01-19 12:25:21 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
- 2007-12-27 14:27:09 1,175,552 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-01-21 16:30:55 6,193,152 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
- 2007-12-27 14:27:09 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-01-21 16:30:56 483,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2004-08-20 22:01:15 700,928 ----a-w C:\WINDOWS\LastGood\System32\DllCache\sxs.dll
+ 2004-08-20 22:01:15 700,928 ----a-w C:\WINDOWS\LastGood\System32\sxs.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 28,672 2002-07-16 12:21:48 C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe
----a-w 28,672 2007-12-30 00:22:19 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

----a-w 151,597 2003-10-04 13:14:04 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 151,597 2007-12-27 14:44:20 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

----a-w 733,184 2004-03-18 19:38:08 C:\Program Files\Corel\Corel Painter Essentials 2\bak\registration.exe

----a-w 700,416 2006-06-12 19:32:26 C:\Program Files\Creative\Sync Manager Unicode\bak\CTSyncU.exe
----a-w 700,416 2008-01-01 00:45:58 C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

----a-w 49,152 2003-08-04 21:28:18 C:\Program Files\HP\HP Software Update\bak\HPWuSchd.exe
----a-w 49,152 2007-12-27 14:44:03 C:\Program Files\HP\HP Software Update\HPWuSchd.exe

----a-w 241,664 2003-12-22 12:38:42 C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe
----a-w 241,664 2007-12-27 14:44:06 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

----a-w 192,512 2002-09-06 23:15:48 C:\Program Files\McAfee.com\Agent\bak\mcagent.exe
----a-w 192,512 2008-01-01 00:45:49 C:\Program Files\McAfee.com\Agent\mcagent.exe

----a-w 151,552 2002-09-04 15:28:56 C:\Program Files\McAfee.com\Agent\bak\McUpdate.exe

----a-w 139,264 2002-10-04 20:09:40 C:\Program Files\McAfee.com\VSO\bak\mcvsshld.exe
----a-w 139,264 2007-12-27 14:44:05 C:\Program Files\McAfee.com\VSO\mcvsshld.exe

----a-w 6,104,568 2006-10-03 18:04:38 C:\Program Files\Yahoo!\Yahoo! Music Engine\bak\YahooMusicEngine.exe

----a-w 1,728,512 2003-08-20 09:38:22 C:\WINDOWS\kdx\bak\KHost.exe

----a-r 28,672 2002-08-14 23:22:52 C:\WINDOWS\SYSTEM32\bak\DSentry.exe
----a-w 28,672 2007-12-30 00:22:19 C:\WINDOWS\SYSTEM32\DSentry.exe

----a-w 114,688 2003-04-07 05:07:38 C:\WINDOWS\SYSTEM32\bak\hkcmd.exe
----a-w 114,688 2007-12-30 00:22:26 C:\WINDOWS\SYSTEM32\hkcmd.exe

----a-w 155,648 2003-04-07 05:19:52 C:\WINDOWS\SYSTEM32\bak\igfxtray.exe
----a-w 155,648 2007-12-25 21:04:48 C:\WINDOWS\SYSTEM32\igfxtray.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-12-31 19:46 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2007-12-29 19:22 28672]

C:\Documents and Settings\Lori\Start Menu\Programs\Startup\
OpenOffice.org 1.1.4.lnk.disabled [2005-03-08 21:40:23 925]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk.disabled [2005-12-26 09:34:58 890]
Adobe Gamma Loader.lnk.disabled [2005-12-25 07:34:45 890]
Adobe Reader Speed Launch.lnk.disabled [2007-05-17 10:25:13 1746]
Adobe Reader Synchronizer.lnk.disabled [2007-05-17 10:25:13 1788]
Daily Motivator.lnk.disabled [2004-09-03 15:36:14 1601]
HP Digital Imaging Monitor.lnk.disabled [2004-09-05 17:33:51 1808]
TabUserW.exe.lnk - C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe [2005-12-25 07:22:53 106496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" /startup
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSConfig"=C:\Documents and Settings\Lori\Desktop\msconfig.exe /auto
"Corel Painter Essentials 21a"=C:\Program Files\Corel\Corel Painter Essentials 2\registration .exe /title="Corel Painter Essentials 2" /date=010808 serial=PE02CBX-0000003-NMD lang=EN
"MCUpdateExe"=C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
"MCAgentExe"=C:\Program Files\McAfee.com\Agent\mcagent.exe
"ViewMgr"=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
"ymetray"="C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload

S2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 04:47]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 03:40]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-01 04:31:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-01 19:53:01 C:\WINDOWS\Tasks\McAfee.com Update Check (DJZ94M31-Owner).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agent
"2008-01-01 07:29:35 C:\WINDOWS\Tasks\McAfee.com Update Check (LORI-Lori).job"
- C:\PROGRA~1\McAfee.com\Agent\MCUPDA~1 .EX
- C:\PROGRA~1\McAfee.com\Agent
"2004-09-05 23:49:23 C:\WINDOWS\Tasks\WebReg 20040905194923.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe^/TaskName 20040905194923 /N
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 12:26:25
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-21 12:28:07
ComboFix-quarantined-files.txt 2008-01-21 17:27:59
ComboFix2.txt 2008-01-20 17:36:01
ComboFix3.txt 2008-01-13 06:26:22
ComboFix4.txt 2008-01-01 15:01:12
ComboFix5.txt 2007-12-28 19:43:35
.
2007-12-27 14:16:13 --- E O F ---



Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Mon 01/21/2008
The current time is: 12:44:38.01


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\KDX\BAK

08/20/2003 04:38 AM 1,728,512 KHost.exe
1 File(s) 1,728,512 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/14/2002 06:22 PM 28,672 DSentry.exe
04/07/2003 12:07 AM 114,688 hkcmd.exe
04/07/2003 12:19 AM 155,648 igfxtray.exe
3 File(s) 299,008 bytes

Directory of C:\PROGRA~1\COREL\CORELP~1\BAK

03/18/2004 02:38 PM 733,184 registration.exe
1 File(s) 733,184 bytes

Directory of C:\PROGRA~1\CREATIVE\SYNCMA~1\BAK

06/12/2006 02:32 PM 700,416 CTSyncU.exe
1 File(s) 700,416 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

12/22/2003 07:38 AM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

08/04/2003 04:28 PM 49,152 HPWuSchd.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK

09/06/2002 06:15 PM 192,512 mcagent.exe
09/04/2002 10:28 AM 151,552 McUpdate.exe
2 File(s) 344,064 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\VSO\BAK

10/04/2002 03:09 PM 139,264 mcvsshld.exe
1 File(s) 139,264 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\YAHOO!\YAHOO!~1\BAK

10/03/2006 01:04 PM 6,104,568 YahooMusicEngine.exe
1 File(s) 6,104,568 bytes

Directory of C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\BAK

07/16/2002 07:21 AM 28,672 WkUFind.exe
1 File(s) 28,672 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

10/04/2003 08:14 AM 151,597 realsched.exe
1 File(s) 151,597 bytes

Directory of C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

1728512 Aug 20 2003 "C:\WINDOWS\kdx\bak\KHost.exe"
28672 Dec 29 2007 "C:\WINDOWS\SYSTEM32\DSentry.exe"
28672 Aug 14 2002 "C:\WINDOWS\SYSTEM32\bak\DSentry.exe"
114688 Apr 7 2003 "C:\DRIVERS\VIDEO\HKCMD.EXE"
114688 Dec 29 2007 "C:\WINDOWS\SYSTEM32\hkcmd.exe"
114688 Apr 7 2003 "C:\WINDOWS\SYSTEM32\bak\hkcmd.exe"
114688 Apr 7 2003 "C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\hkcmd.exe"
155648 Apr 7 2003 "C:\DRIVERS\VIDEO\IGFXTRAY.EXE"
155648 Dec 25 2007 "C:\WINDOWS\SYSTEM32\igfxtray.exe"
155648 Apr 7 2003 "C:\WINDOWS\SYSTEM32\bak\igfxtray.exe"
155648 Apr 7 2003 "C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\igfxtray.exe"
22486 Dec 24 2007 "C:\WINDOWS\Installer\{BDF62CC9-FE60-4F9D-8194-8EB7E6E1412D}\register_icon.exe"
733184 Mar 18 2004 "C:\Program Files\Corel\Corel Painter Essentials 2\bak\registration.exe"
700416 Dec 31 2007 "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
700416 Jun 12 2006 "C:\Program Files\Creative\Sync Manager Unicode\bak\CTSyncU.exe"
241664 Dec 27 2007 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
49152 Dec 27 2007 "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
49152 Aug 4 2003 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd.exe"
192512 Dec 31 2007 "C:\Program Files\McAfee.com\Agent\mcagent.exe"
192512 Sep 6 2002 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
151552 Sep 4 2002 "C:\Program Files\McAfee.com\Agent\bak\McUpdate.exe"
139264 Dec 27 2007 "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
139264 Oct 4 2002 "C:\Program Files\McAfee.com\VSO\bak\mcvsshld.exe"
6104568 Oct 3 2006 "C:\Program Files\Yahoo!\Yahoo! Music Engine\bak\YahooMusicEngine.exe"
28672 Dec 29 2007 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
28672 Jul 16 2002 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
151597 Dec 27 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
151597 Oct 4 2003 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"


end of report


I couldn't get Jotti to load, but I uploaded the files to VirusTotal and the scans didn't seem to find anything:

MD5: a05da809ac0d86d916d09e3a908d3a06
Date: 01.21.2008 18:57:26 (CET) [<1D]
Results: 0/32
Permalink: analisis/5e29dd2daa4ec3cd3afc53ca612537a7


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, January 21, 2008 2:16:47 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/01/2008
Kaspersky Anti-Virus database records: 525897
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 64066
Number of viruses found: 2
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 00:55:01

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Lori\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Lori\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Lori\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Lori\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Lori\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Lori\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Lori\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Lori\Local Settings\History\History.IE5\MSHist012008012120080122\index.dat Object is locked skipped
C:\Documents and Settings\Lori\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Lori\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Lori\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Lori\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP14\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\vtuurrs.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped

Scan process completed.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:21:38 PM, on 1/21/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\+duracell-.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.exe.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Adobe Reader Synchronizer.lnk.disabled
O4 - Global Startup: Daily Motivator.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160051006296
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

--
End of file - 5376 bytes

#13 Papakid


    Guru at being a Newbie


  • Malware Response Team
  • 6,628 posts
  • Gender:Male

Posted 25 January 2008 - 02:25 PM

Apologies for another long delay. Are you sure you lost connection after running just SDFix or was it after running ComboFix as well? The latter will sometimes cause that.

You've got one malware file that I missed first time around, but I can't find anywhere in the logs to show how it is getting loaded so it should just be a leftover.

The ComboFix log indicated you were suffering from an AWF type infection. It is tricky and time consuming to deal with. Because it will copy several of your legitimate files that are legit and normally running in the background and then put them in a bak folder (as a backup) and then puts a malware file of the same name in its place in the legitimate folder. So in essence you would have several malware files masquerading as legit files and you won't notice any change in your startups.

However, you can tell the bad from the good by the difference in file sizes when you compare the file in the legit folder location and the one in the backup folder. In your case the sizes are the same, so it appears that either the correct uninfected files are back in their proper place or it has been corrected by other means, perhaps one of your security programs or you have done something prior to posting the log.

To clarify, let's use the files I had you scan at VT as an example. This is what showed in the CF log:

----a-w 151,597 2003-10-04 13:14:04 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 151,597 2007-12-27 14:44:20 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

The file size is listed in red. If it were a malware file it should be something other than 151,597 in the C:\Program Files\Common Files\Real\Update_OB folder.

I've also highlighted the file creation dates in blue. There is a bit of concern that the files in the right folder location are newly created. But since the file size and MD5 check out for that file it should still be the good uninfected one.

In the above example I've also highlighted the bak folder. Since you only posted the MD5 and related data once, can you confirm that you had both copies of realsched.exe scanned at VT? I have to ask because some people don't notice such details and get in a hurry. Altho I don't see it as likely, it is possible that the newly created file is malware and was engineered to be the same size as the legit one it replaced. One would think that Kaspersky would flag it if so, but I would like to be more sure.

So we're going to go thru the process of an AWF fix anyway--you don't need those bak folders.


Copy the file paths in the Quotebox below to the clipboard (highlight all of them, then right-click and choose Copy, or press Ctrl+C):

"C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
"C:\Program Files\Corel\Corel Painter Essentials 2\bak\registration.exe"
"C:\Program Files\Creative\Sync Manager Unicode\bak\CTSyncU.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd.exe"
C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe
C:\Program Files\McAfee.com\Agent\bak\mcagent.exe
C:\Program Files\McAfee.com\Agent\bak\McUpdate.exe
C:\Program Files\McAfee.com\VSO\bak\mcvsshld.exe
C:\WINDOWS\SYSTEM32\bak\DSentry.exe
C:\WINDOWS\SYSTEM32\bak\hkcmd.exe
C:\WINDOWS\SYSTEM32\bak\igfxtray.exe


Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 2, then press Enter.
Press any key to continue.
A Notepad document files.txt will appear with instructions to click below the line and paste the list of files to be restored.
Right click below the line and paste the list of files that were copied to the clipboard (Ctrl+V).
Close Notepad and you will receive a prompt to save the changes; click Yes.
The program will proceed with working.
It may take a few minutes to complete so be patient.
When the scan is finished, it will open a text file in notepad called AWF.txt.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.


Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\SYSTEM32\vtuurrs.dll

Folder::
C:\Temp
C:\WINDOWS\System32\ardCo02
C:\WINDOWS\System32\dj2
C:\WINDOWS\System32\to9


Save this as CFScript.txt


[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


We'll deal with some other issues after I see these logs. One is that you seem to be having trouble with MSI--appears you've tried to reinstall it numerous times. Let me know what you've done there and what symptoms you're having now.

The thing about people

is they change

when they walk away.--Mipso
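
Papakid's size comparison, as an added example that is not part of the original post nor FindAWF's or ComboFix's own code: the script parses ComboFix AWF lines, pairs each bak copy with the file in its parent folder, and reports size mismatches, backups with no live copy, and same-size files with a newer timestamp, which are then hash-compared on disk (the step his MD5 request covers). The sample lines are those from the log above except the HPWuSchd pair, which is altered to show a mismatch; `file_digest` and `same_content` are this example's own helpers.

```python
"""Added example for this thread (not FindAWF's or ComboFix's own code).

AWF copies a legitimate autostart program into a `bak` subfolder and puts a
same-named file in the original location. Comparing each bak copy with the
file beside it is the check described in the post above; equal sizes alone
are not proof, so a hash comparison on disk is included as a second step.
"""
import hashlib
import os
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# One ComboFix "AWF" line: attributes, size with thousands separators,
# last-write date and time, full path.
LINE_RE = re.compile(
    r"^(?P<attr>[-a-z]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+(?P<path>.+)$"
)

# Constructed sample: lines copied from the thread's AWF section, except the
# HPWuSchd pair, whose live copy was altered to show a size mismatch.
SAMPLE_AWF = r"""
----a-w 151,597 2003-10-04 13:14:04 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 151,597 2007-12-27 14:44:20 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

----a-w 733,184 2004-03-18 19:38:08 C:\Program Files\Corel\Corel Painter Essentials 2\bak\registration.exe

----a-w 114,688 2003-04-07 05:07:38 C:\WINDOWS\SYSTEM32\bak\hkcmd.exe
----a-w 114,688 2007-12-30 00:22:26 C:\WINDOWS\SYSTEM32\hkcmd.exe

----a-w 49,152 2003-08-04 21:28:18 C:\Program Files\HP\HP Software Update\bak\HPWuSchd.exe
----a-w 61,440 2008-01-01 00:00:00 C:\Program Files\HP\HP Software Update\HPWuSchd.exe
"""


@dataclass(frozen=True)
class Entry:
    path: str
    size: int
    stamp: str  # "YYYY-MM-DD HH:MM:SS" as printed by ComboFix


def parse_awf_lines(text: str) -> List[Entry]:
    """Parse the AWF block; blank lines and separators are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["path"], int(m["size"].replace(",", "")),
                                 f"{m['date']} {m['time']}"))
    return entries


def original_for(bak_path: str) -> Optional[str]:
    # Map <dir>\bak\name.exe to <dir>\name.exe, the slot the dropped file occupies.
    p = PureWindowsPath(bak_path)
    if p.parent.name.lower() != "bak":
        return None
    return str(p.parent.parent / p.name)


def compare(entries: List[Entry]) -> Dict[str, str]:
    """Verdict per original path, from the metadata ComboFix printed.

    size-mismatch        live file is not the same size as the backup
    backup-only          no live copy listed beside the bak folder
    same-size-new-stamp  sizes agree but the live file was written later:
                         needs a hash comparison before it is trusted
    identical-metadata   size and timestamp agree
    """
    by_path = {e.path.lower(): e for e in entries}
    findings: Dict[str, str] = {}
    for e in entries:
        live_path = original_for(e.path)
        if live_path is None:
            continue  # a live file, not a bak copy
        live = by_path.get(live_path.lower())
        if live is None:
            verdict = "backup-only"
        elif live.size != e.size:
            verdict = "size-mismatch"
        elif live.stamp != e.stamp:
            verdict = "same-size-new-stamp"
        else:
            verdict = "identical-metadata"
        findings[live_path] = verdict
    return findings


def file_digest(path: str, algorithm: str = "sha256") -> str:
    """Stream a file through hashlib; pass "md5" to match a VirusTotal MD5."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def same_content(live_path: str, bak_path: str) -> bool:
    """Second step on disk: a same-size file is only good if the hash matches."""
    if os.path.getsize(live_path) != os.path.getsize(bak_path):
        return False
    return file_digest(live_path) == file_digest(bak_path)


if __name__ == "__main__":
    for path, verdict in sorted(compare(parse_awf_lines(SAMPLE_AWF)).items()):
        print(f"{verdict:20} {path}")
```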


#14 +duracell-

  • Topic Starter

  • Members
  • 18 posts

Posted 26 January 2008 - 12:32 AM

Are you sure you lost connection after running just SDFix or was it after running ComboFix as well? The latter will sometimes cause that.


I don't remember exactly. It probably was the ComboFix that did it.


Since you only posted the MD5 and related data once, can you confirm that you had both copies of realsched.exe scanned at VT?


Yes, I had both scanned. The same report was generated.


Here are the logs:


Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Fri 01/25/2008
The current time is: 22:59:57.12


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\KDX\BAK

08/20/2003 04:38 AM 1,728,512 KHost.exe
1 File(s) 1,728,512 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/14/2002 06:22 PM 28,672 DSentry.exe
04/07/2003 12:07 AM 114,688 hkcmd.exe
04/07/2003 12:19 AM 155,648 igfxtray.exe
3 File(s) 299,008 bytes

Directory of C:\PROGRA~1\COREL\CORELP~1\BAK

03/18/2004 02:38 PM 733,184 registration.exe
1 File(s) 733,184 bytes

Directory of C:\PROGRA~1\CREATIVE\SYNCMA~1\BAK

06/12/2006 02:32 PM 700,416 CTSyncU.exe
1 File(s) 700,416 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

12/22/2003 07:38 AM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

08/04/2003 04:28 PM 49,152 HPWuSchd.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK

09/06/2002 06:15 PM 192,512 mcagent.exe
09/04/2002 10:28 AM 151,552 McUpdate.exe
2 File(s) 344,064 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\VSO\BAK

10/04/2002 03:09 PM 139,264 mcvsshld.exe
1 File(s) 139,264 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\YAHOO!\YAHOO!~1\BAK

10/03/2006 01:04 PM 6,104,568 YahooMusicEngine.exe
1 File(s) 6,104,568 bytes

Directory of C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\BAK

07/16/2002 07:21 AM 28,672 WkUFind.exe
1 File(s) 28,672 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

10/04/2003 08:14 AM 151,597 realsched.exe
1 File(s) 151,597 bytes

Directory of C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

1728512 Aug 20 2003 "C:\WINDOWS\kdx\bak\KHost.exe"
28672 Aug 14 2002 "C:\WINDOWS\SYSTEM32\DSentry.exe"
28672 Aug 14 2002 "C:\WINDOWS\SYSTEM32\bak\DSentry.exe"
114688 Apr 7 2003 "C:\DRIVERS\VIDEO\HKCMD.EXE"
114688 Apr 7 2003 "C:\WINDOWS\SYSTEM32\hkcmd.exe"
114688 Apr 7 2003 "C:\WINDOWS\SYSTEM32\bak\hkcmd.exe"
114688 Apr 7 2003 "C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\hkcmd.exe"
155648 Apr 7 2003 "C:\DRIVERS\VIDEO\IGFXTRAY.EXE"
155648 Apr 7 2003 "C:\WINDOWS\SYSTEM32\igfxtray.exe"
155648 Apr 7 2003 "C:\WINDOWS\SYSTEM32\bak\igfxtray.exe"
155648 Apr 7 2003 "C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\igfxtray.exe"
733184 Mar 18 2004 "C:\Program Files\Corel\Corel Painter Essentials 2\registration.exe"
22486 Dec 24 2007 "C:\WINDOWS\Installer\{BDF62CC9-FE60-4F9D-8194-8EB7E6E1412D}\register_icon.exe"
733184 Mar 18 2004 "C:\Program Files\Corel\Corel Painter Essentials 2\bak\registration.exe"
700416 Jun 12 2006 "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
700416 Jun 12 2006 "C:\Program Files\Creative\Sync Manager Unicode\bak\CTSyncU.exe"
241664 Dec 27 2007 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
49152 Aug 4 2003 "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
49152 Aug 4 2003 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd.exe"
192512 Dec 31 2007 "C:\Program Files\McAfee.com\Agent\mcagent.exe"
192512 Sep 6 2002 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
151552 Sep 4 2002 "C:\Program Files\McAfee.com\Agent\bak\McUpdate.exe"
139264 Dec 27 2007 "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
139264 Oct 4 2002 "C:\Program Files\McAfee.com\VSO\bak\mcvsshld.exe"
6104568 Oct 3 2006 "C:\Program Files\Yahoo!\Yahoo! Music Engine\bak\YahooMusicEngine.exe"
28672 Dec 29 2007 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
28672 Jul 16 2002 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
151597 Dec 27 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
151597 Oct 4 2003 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"


end of report


ComboFix 08-01-20.1 - Lori 2008-01-25 23:08:55.7 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.107 [GMT -5:00]
Running from: C:\Documents and Settings\Lori\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lori\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\SYSTEM32\vtuurrs.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp
C:\Temp\cEeer12\skAt.log
C:\WINDOWS\System32\ardCo02
C:\WINDOWS\System32\dj2
C:\WINDOWS\System32\to9
C:\WINDOWS\SYSTEM32\vtuurrs.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-26 to 2008-01-26 )))))))))))))))))))))))))))))))
.

2008-01-21 11:30 . 2008-01-21 11:30 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-18 20:30 . 2008-01-18 21:16 <DIR> d-------- C:\Documents and Settings\Lori\.housecall6.6
2008-01-15 11:47 . 2008-01-15 11:47 <DIR> d-------- C:\Deckard
2008-01-14 12:23 . 2008-01-18 21:16 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-14 09:15 . 2008-01-14 09:15 <DIR> d-------- C:\VundoFix Backups
2008-01-13 01:20 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-13 00:30 . 2008-01-13 00:34 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-12 08:49 . 2008-01-12 08:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-01-12 08:49 . 2008-01-12 08:49 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-01-12 08:49 . 2008-01-12 08:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-30 09:26 . 2003-04-07 00:07 114,688 --a------ C:\WINDOWS\SYSTEM32\hkcmd.exe
2007-12-30 09:26 . 2002-08-14 18:22 28,672 --a------ C:\WINDOWS\SYSTEM32\DSentry.exe
2007-12-29 09:37 . 2003-04-07 00:19 155,648 --a------ C:\WINDOWS\SYSTEM32\igfxtray.exe
2007-12-28 13:19 . 2007-12-28 13:19 2,856 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-12-28 13:18 . 2007-12-28 13:22 <DIR> d-------- C:\Documents and Settings\Lori\SmitfraudFix
2007-12-27 20:40 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SDTHOOK.SYS
2007-12-27 17:52 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2007-12-27 15:28 . 2008-01-12 16:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-27 12:13 . 2007-12-27 12:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-27 12:12 . 2008-01-14 12:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2007-12-27 12:12 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2007-12-27 12:12 . 2007-12-29 10:27 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2007-12-27 12:11 . 2008-01-14 12:02 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-27 11:32 . 2007-12-27 20:32 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2007-12-27 11:32 . 2007-12-27 20:32 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2007-12-27 11:32 . 2007-12-27 20:32 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2007-12-27 11:31 . 2007-12-27 20:56 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-12-26 13:00 . 2007-12-26 13:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-12-26 09:57 . 2007-12-26 09:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-26 09:54 . 2008-01-01 12:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 17:35 --------- d-----w C:\Program Files\OpenOffice.org1.1.4
2008-01-14 16:51 --------- d-----w C:\Program Files\Yahoo!
2008-01-14 16:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\YAHOO
2008-01-12 21:17 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
2008-01-01 22:28 --------- d-----w C:\Program Files\Viewpoint
2008-01-01 17:46 158,208 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe
2007-12-29 14:34 145,408 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msconfig.exe
2007-12-29 13:43 --------- d-----w C:\Program Files\Real
2007-12-29 13:43 --------- d-----w C:\Program Files\Common Files\Real
2007-12-29 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-28 02:10 --------- d-----w C:\Program Files\Google
2007-12-27 22:52 --------- d-----w C:\Program Files\Java
2007-12-27 20:29 --------- d-----w C:\Program Files\Lavasoft
2007-12-27 20:29 --------- d-----w C:\Documents and Settings\Lori\Application Data\Lavasoft
2007-12-27 14:57 --------- d-----w C:\Program Files\QuickTime
2007-12-27 14:57 --------- d-----w C:\Program Files\DellSupport
2007-12-26 16:01 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-16 22:56 127,616 ----a-w C:\Documents and Settings\Lori\Application Data\GDIPFONTCACHEV1.DAT
2007-11-27 15:19 --------- d-----w C:\Program Files\Quotetracker
2006-10-18 23:03 194,512 ----a-w C:\Documents and Settings\Lori\Application Data\shb.dat
2006-07-15 18:06 349,819 ----a-w C:\WINDOWS\Fonts\LHFcafecorina.exe
.

((((((((((((((((((((((((((((( snapshot_2008-01-21_12.27.38.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-21 17:22:21 1,409,024 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-26 04:08:36 1,409,024 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-21 17:22:21 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-26 04:08:36 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-21 17:22:21 1,409,024 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-26 04:08:37 1,409,024 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-21 17:22:22 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-26 04:08:37 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-21 17:22:22 6,193,152 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-26 04:08:37 6,193,152 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-21 17:22:22 483,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-26 04:08:37 483,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 28,672 2002-07-16 12:21:48 C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe
----a-w 28,672 2007-12-30 00:22:19 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

----a-w 151,597 2003-10-04 13:14:04 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 151,597 2007-12-27 14:44:20 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

----a-w 733,184 2004-03-18 19:38:08 C:\Program Files\Corel\Corel Painter Essentials 2\bak\registration.exe
----a-w 733,184 2004-03-18 19:38:08 C:\Program Files\Corel\Corel Painter Essentials 2\registration.exe

----a-w 700,416 2006-06-12 19:32:26 C:\Program Files\Creative\Sync Manager Unicode\bak\CTSyncU.exe
----a-w 700,416 2006-06-12 19:32:26 C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

----a-w 49,152 2003-08-04 21:28:18 C:\Program Files\HP\HP Software Update\bak\HPWuSchd.exe
----a-w 49,152 2003-08-04 21:28:18 C:\Program Files\HP\HP Software Update\HPWuSchd.exe

----a-w 241,664 2003-12-22 12:38:42 C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe
----a-w 241,664 2007-12-27 14:44:06 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

----a-w 192,512 2002-09-06 23:15:48 C:\Program Files\McAfee.com\Agent\bak\mcagent.exe
----a-w 192,512 2008-01-01 00:45:49 C:\Program Files\McAfee.com\Agent\mcagent.exe

----a-w 151,552 2002-09-04 15:28:56 C:\Program Files\McAfee.com\Agent\bak\McUpdate.exe

----a-w 139,264 2002-10-04 20:09:40 C:\Program Files\McAfee.com\VSO\bak\mcvsshld.exe
----a-w 139,264 2007-12-27 14:44:05 C:\Program Files\McAfee.com\VSO\mcvsshld.exe

----a-w 6,104,568 2006-10-03 18:04:38 C:\Program Files\Yahoo!\Yahoo! Music Engine\bak\YahooMusicEngine.exe

----a-w 1,728,512 2003-08-20 09:38:22 C:\WINDOWS\kdx\bak\KHost.exe

----a-r 28,672 2002-08-14 23:22:52 C:\WINDOWS\SYSTEM32\bak\DSentry.exe
----a-w 28,672 2002-08-14 23:22:52 C:\WINDOWS\SYSTEM32\DSentry.exe

----a-w 114,688 2003-04-07 05:07:38 C:\WINDOWS\SYSTEM32\bak\hkcmd.exe
----a-w 114,688 2003-04-07 05:07:38 C:\WINDOWS\SYSTEM32\hkcmd.exe

----a-w 155,648 2003-04-07 05:19:52 C:\WINDOWS\SYSTEM32\bak\igfxtray.exe
----a-w 155,648 2003-04-07 05:19:52 C:\WINDOWS\SYSTEM32\igfxtray.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-12-31 19:46 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2007-12-29 19:22 28672]

C:\Documents and Settings\Lori\Start Menu\Programs\Startup\
OpenOffice.org 1.1.4.lnk.disabled [2005-03-08 21:40:23 925]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk.disabled [2005-12-26 09:34:58 890]
Adobe Gamma Loader.lnk.disabled [2005-12-25 07:34:45 890]
Adobe Reader Speed Launch.lnk.disabled [2007-05-17 10:25:13 1746]
Adobe Reader Synchronizer.lnk.disabled [2007-05-17 10:25:13 1788]
Daily Motivator.lnk.disabled [2004-09-03 15:36:14 1601]
HP Digital Imaging Monitor.lnk.disabled [2004-09-05 17:33:51 1808]
TabUserW.exe.lnk - C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe [2005-12-25 07:22:53 106496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" /startup
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSConfig"=C:\Documents and Settings\Lori\Desktop\msconfig.exe /auto
"Corel Painter Essentials 21a"=C:\Program Files\Corel\Corel Painter Essentials 2\registration .exe /title="Corel Painter Essentials 2" /date=010808 serial=PE02CBX-0000003-NMD lang=EN
"MCUpdateExe"=C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
"MCAgentExe"=C:\Program Files\McAfee.com\Agent\mcagent.exe
"ViewMgr"=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
"ymetray"="C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload

S2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 04:47]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 03:40]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-01 04:31:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-01 19:53:01 C:\WINDOWS\Tasks\McAfee.com Update Check (DJZ94M31-Owner).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agent
"2008-01-01 07:29:35 C:\WINDOWS\Tasks\McAfee.com Update Check (LORI-Lori).job"
- C:\PROGRA~1\McAfee.com\Agent\MCUPDA~1 .EX
- C:\PROGRA~1\McAfee.com\Agent
"2004-09-05 23:49:23 C:\WINDOWS\Tasks\WebReg 20040905194923.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe^/TaskName 20040905194923 /N
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 23:11:15
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-25 23:12:08
ComboFix-quarantined-files.txt 2008-01-26 04:11:55
ComboFix2.txt 2008-01-21 17:28:07
ComboFix3.txt 2008-01-20 17:36:01
ComboFix4.txt 2008-01-13 06:26:22
ComboFix5.txt 2008-01-01 15:01:12
.
2007-12-27 14:16:13 --- E O F ---


As far as the MSI situation, some things will uninstall via Add/Remove Programs and some won't. BitDefender and Ad-Aware will hang for a sec and then the "Windows Installer service could not be accessed" error will pop up. Also, I have no sound anymore. If I try to open Volume Control I get "There are no active mixer devices available" error. And my printer is no longer shown in the Control Panel. If I try to add a printer I am told "Operation could not be completed".

#15 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,628 posts
  • Gender:Male

Posted 01 February 2008 - 11:16 AM

Apologies once again for the long delay.

I'm still not seeing any active infections. The symptoms you describe are most likely damage caused by the malware you had on your system--it looks like MSI is borked and possibly some other damage as well.

To get rid of the useless bak folders please do the following:

Copy the paths quoted below to the clipboard: highlight all of them, right-click and choose Copy, or highlight them and press Ctrl+C:

C:\WINDOWS\SYSTEM32\BAK
C:\PROGRA~1\COREL\CORELP~1\BAK
C:\PROGRA~1\CREATIVE\SYNCMA~1\BAK
C:\PROGRA~1\HP\HPCORE~1\BAK
C:\PROGRA~1\HP\HPSOFT~1\BAK
C:\PROGRA~1\MCAFEE.COM\AGENT\BAK
C:\PROGRA~1\MCAFEE.COM\VSO\BAK
C:\PROGRA~1\YAHOO!\MESSEN~1\BAK
C:\PROGRA~1\YAHOO!\YAHOO!~1\BAK
C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\BAK
C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\BAK


Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 3, then press Enter.
Press any key to continue.
A Notepad document folders.txt will appear with instructions to click below the line and paste the list of folders to be removed.
Right click below the line and paste the list of paths that were copied to the clipboard (Ctrl+V).
Close Notepad and you will receive prompt to save the changes, click Yes.
The program will proceed with working.
It may take a few minutes to complete so be patient.
When the scan is finished, it will open a text file in notepad called AWF.txt.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.


This should only free up some disk space for you, but if you do have a change in symptoms after this let me know.

The reason I asked about MSI is because the DSS log indicates you may have tried to reinstall it.

-- Last 4 Restore Point(s) --
3: 2008-01-14 17:24:11 UTC - RP10 - Installed Windows Installer KB893803v2.


Could you confirm that you did attempt to install MSI? Correcting this could be difficult--for one thing, if you installed an MSI that was meant for SP2, which you don't have installed, you may have version mismatches that are time consuming to correct. As proof of this see all the methods listed in this Microsoft article: http://support.microsoft.com/kb/555175/en-us

Following is an attempt to correct this problem. If it doesn't work you may be better served to post about it in the Windows XP Home and Professional or Hardware forums, as it is no longer a malware issue.

There are also items listed repeatedly in your DSS uninstall list that may be MSI related but could also indicate a problem with hardware--motherboard or processor. I'm going to consult with a colleague on it and get back to you since I am unsure, but I think if it were me, I would strongly consider doing a reformat of the PC. This way you could immediately go to Windows Update, install SP2 and all the other patches and start fresh. It's going to be time consuming either way you go.


Download Dial-a-fix and unzip it to your desktop or wherever you like. In any event, back up all your important data before the next step--we can't guarantee anything when dealing with an unstable system.

Double-click the Dial-a-fix icon to run it.

Put a check in the box next to Fix Windows Installer: in the MSI section.
--Be sure all the other boxes in the MSI section are checked when you do that.

Then click GO and reboot your system.

Please do not use Dial-a-fix to attempt any other repairs unless instructed to do so.

When done, please post a fresh HijackThis log and let me know what is going on now. Your Java also needs to be updated and I don't think McAfee.com is adequate AV protection, but you need to have MSI functioning correctly to fix that.

The thing about people

is they change

when they walk away.--Mipso
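The following is an added example written for this page; it is not FindAWF, ComboFix, or anything either poster ran. It reproduces the check behind the "bak folders found" and "Duplicate files of bak directory contents" sections of the FindAWF log above, and the reason for the earlier question about hashing both copies of realsched.exe: the AWF/Vundo family moves a legitimate autostart executable into a "bak" subfolder and drops a same-named, often same-sized, replacement at the original path, so a size match alone proves nothing and only a hash comparison tells the two apart. It also gives a stricter basis for the "useless bak folders" cleanup in the reply above: a bak folder whose contents are byte-identical to the live files is redundant, while a live file that differs from its backup is the one to hash and submit before anything is deleted. The folder names, file names and file contents in the fixture are constructed for the demo and are not real binaries.

```python
"""
Added example (not FindAWF, ComboFix or the posters' own code).  Walks a tree,
finds every "bak" folder, pairs each backed-up file with the same-named file in
the parent folder, and classifies the pair by size and SHA-256.
"""
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_bak_dirs(root):
    """Yield every directory named 'bak' (case-insensitive) below root."""
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d.lower() == "bak":
                yield os.path.join(dirpath, d)


def compare_bak(bak_dir):
    """Pair each file in bak_dir with the same-named file in the parent folder.

    Verdicts:
      identical                    live file is byte-for-byte the backup; the backup is redundant
      same-size-different-content  the AWF substitution tell: size matches, bytes do not
      different                    size and content both differ (e.g. a later legitimate update)
      orphan-backup                nothing at the original path any more
    """
    parent = os.path.dirname(bak_dir)
    results = []
    for name in sorted(os.listdir(bak_dir)):
        backup = os.path.join(bak_dir, name)
        live = os.path.join(parent, name)
        if not os.path.isfile(backup):
            continue
        entry = {"name": name, "bak_size": os.path.getsize(backup), "live_size": None}
        if not os.path.isfile(live):
            entry["verdict"] = "orphan-backup"
        else:
            entry["live_size"] = os.path.getsize(live)
            if sha256_of(live) == sha256_of(backup):
                entry["verdict"] = "identical"
            elif entry["live_size"] == entry["bak_size"]:
                entry["verdict"] = "same-size-different-content"
            else:
                entry["verdict"] = "different"
        results.append(entry)
    return results


def summarize(root):
    """{parent folder name: {file name: verdict}} for every bak folder under root."""
    return {
        os.path.basename(os.path.dirname(bak)): {e["name"]: e["verdict"] for e in compare_bak(bak)}
        for bak in find_bak_dirs(root)
    }


def needs_investigation(root):
    """(folder, file) pairs whose live copy differs from the backup: hash and submit these, do not delete."""
    return sorted(
        (folder, name)
        for folder, files in summarize(root).items()
        for name, verdict in files.items()
        if verdict in ("same-size-different-content", "different")
    )


def build_sample_tree():
    """Constructed fixture (not real binaries): a clean pair, a swapped pair, and an orphaned backup."""
    root = tempfile.mkdtemp(prefix="awf-demo-")
    original = b"MZ" + b"\x00" * 100 + b"legit scheduler"
    swapped = b"MZ" + b"\x00" * 100 + b"patched payload"   # same length as original, different bytes
    assert len(original) == len(swapped)
    layout = {
        ("Works Shared", "WkUFind.exe"): (original, original),  # live == bak
        ("Update_OB", "realsched.exe"): (swapped, original),    # live replaced, bak holds the real one
        ("Agent", "McUpdate.exe"): (None, original),            # live copy gone
    }
    for (folder, name), (live_bytes, bak_bytes) in layout.items():
        bak = os.path.join(root, folder, "bak")
        os.makedirs(bak)
        with open(os.path.join(bak, name), "wb") as f:
            f.write(bak_bytes)
        if live_bytes is not None:
            with open(os.path.join(root, folder, name), "wb") as f:
                f.write(live_bytes)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for folder, files in summarize(demo_root).items():
        for name, verdict in files.items():
            print(f"{folder}\\{name}: {verdict}")
    print("investigate:", needs_investigation(demo_root))
```

Run against a real drive, `summarize(r"C:\")` would cover the same folders FindAWF listed; in the log above, realsched.exe, hpcmpmgr.exe, mcagent.exe, mcvsshld.exe and WkUFind.exe all show the same size in the live and bak locations but different timestamps, which is exactly the pair this script resolves with a hash rather than a date. Note that `summarize` keys on the parent folder's name only, so two bak folders under identically named parents would collide; `compare_bak` itself keeps full paths.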




