
Bleeping Vundo Virus And Newjuan Trojan Attack On My Computer


This topic is locked
26 replies to this topic

#1 CAnn

CAnn

  • Members
  • 18 posts

Posted 22 February 2008 - 05:34 PM

Hello there
This is the first time that I have used your site. My computer has been attacked by the vundo virus and newJuan trojan. I have been trying to fix everything myself for over a week now, but it's time to call in the experts!! At times, it seems like I've got this thing beat and then it's there AGAIN!! I have run the Vundo Fix and it seems like I managed to get rid of one nasty dll which I couldn't get rid of before, but the minute I go on the net I am attacked with popups galore and then I have to start the procedure all over again (running antivirus, anti spyware and malware etc.) to find everything is still there and a whole lot more. So now I am turning to you for your help! I followed your instructions prior to posting the HJT log. Here is the log:
Thanking you in advance
Charlotte

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:12:33 PM, on 2/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AntiSpywareApp\AntiSpyware.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PDUiP6700DMon] C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [44a5cdc3] rundll32.exe "C:\WINDOWS\system32\pkfjhkgp.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AntiSpyware] C:\Program Files\AntiSpywareApp\AntiSpyware.exe -boot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200597853156
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 8935 bytes

Edited by CAnn, 22 February 2008 - 05:36 PM.



#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts

Posted 25 February 2008 - 03:50 PM

Hello Charlotte,


We will run ComboFix.

You need to disable your Norton Antivirus, AntiSpyware and Windows Defender before running ComboFix, as they will prevent it from running.


To disable Norton Antivirus:
Please navigate to the system tray on the bottom right hand corner and look for the Norton Antivirus icon.
  • right-click it -> choose "Disable Auto-Protect."
  • select a duration of 5 hours (this assures no interference with the cleanup of your pc)
  • click "Ok."
  • a popup will warn that protection will now be disabled and the icon will change to show that it is disabled
You successfully disabled the Norton Antivirus Guard.



To disable Windows Defender

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender. After all of the fixes are complete it is very important that you enable Real-time Protection again.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 4.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 4".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.


Make sure your Windows Defender, Norton Antivirus and AntiSpyware are disabled before running ComboFix.


You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to install the Windows XP Recovery Console in case you have not installed it yet. <== IMPORTANT

We need Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.


Post the ComboFix log.

Edited by SifuMike, 25 February 2008 - 03:55 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 CAnn

CAnn
  • Topic Starter

  • Members
  • 18 posts

Posted 29 February 2008 - 04:07 PM

Thank you
I will try this and get back to you as soon as I can
I appreciate your help!!
Charlotte

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts

Posted 29 February 2008 - 04:14 PM

Hi Charlotte,

No rush. I will be here. :thumbsup:

#5 CAnn

CAnn
  • Topic Starter

  • Members
  • 18 posts

Posted 29 February 2008 - 11:32 PM

Sorry it took so long. I had company!
Here is the ComboFix log:
Charlotte


ComboFix 08-03-01 - Owner 2008-03-01 0:24:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.548 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\inst.exe
C:\WINDOWS\system32\ghkmp.ini2
C:\WINDOWS\system32\jlkkj.ini2
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-02-01 to 2008-03-01 )))))))))))))))))))))))))))))))
.

2008-03-01 00:09 . 2004-08-04 00:56 388,608 --a------ C:\CF1771.exe
2008-02-26 18:46 . 2002-11-21 22:12 10,334 --a------ C:\WINDOWS\system32\drivers\cx88aud.sys
2008-02-26 18:45 . 2008-02-26 18:45 <DIR> d-------- C:\Program Files\MSI
2008-02-26 18:41 . 2003-08-28 03:14 181,574 -ra------ C:\WINDOWS\system32\drivers\CX88Vid.SYS
2008-02-26 18:41 . 2003-08-21 03:35 95,804 -ra------ C:\WINDOWS\system32\drivers\CX88Tune.SYS
2008-02-26 18:41 . 2003-03-19 01:50 9,159 -ra------ C:\WINDOWS\system32\drivers\CX88XBar.SYS
2008-02-26 18:40 . 2008-02-26 18:40 <DIR> d-------- C:\Program Files\Genesis Digital Innovations
2008-02-22 18:11 . 2008-02-22 18:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-22 16:31 . 2008-02-22 16:32 536,871,424 --a------ C:\47.tmp
2008-02-21 18:37 . 2008-02-21 18:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-02-21 17:53 . 2008-02-21 17:55 <DIR> d-------- C:\Program Files\CCleaner
2008-02-21 17:15 . 2008-02-21 17:08 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-21 17:07 . 2008-02-21 17:24 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-02-20 22:04 . 2008-02-20 22:04 <DIR> d-------- C:\Program Files\Hijack this
2008-02-20 18:46 . 2008-02-20 18:46 92 --a------ C:\WINDOWS\wininit.ini
2008-02-20 18:20 . 2008-02-20 18:20 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-20 18:20 . 2008-02-20 18:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-20 17:19 . 2008-02-20 22:52 834 ---hs---- C:\WINDOWS\system32\xioqxpsv.ini
2008-02-20 07:14 . 2008-02-20 17:14 414 --ahs---- C:\WINDOWS\system32\dkebwiqy.ini
2008-02-19 17:32 . 2008-02-19 17:32 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-19 17:28 . 2008-02-19 17:56 <DIR> d-------- C:\SDFix
2008-02-17 21:33 . 2008-02-17 21:34 536,871,424 --a------ C:\490.tmp
2008-02-17 21:14 . 2008-02-18 19:43 414 --ahs---- C:\WINDOWS\system32\pgkhjfkp.ini
2008-02-17 21:02 . 2008-02-17 21:04 536,871,424 --a------ C:\252.tmp
2008-02-17 17:44 . 2008-02-17 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-17 17:43 . 2008-02-29 16:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-17 17:43 . 2008-02-17 17:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-17 17:43 . 2008-02-17 17:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-02-17 17:17 . 2008-02-17 17:17 2,558 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-17 17:16 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-17 17:16 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-17 17:16 . 2008-02-16 19:46 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-17 17:16 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-17 17:16 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-17 17:16 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-17 17:16 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-17 16:28 . 2008-02-17 16:28 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-02-17 14:21 . 2004-04-01 05:03 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-02-17 14:21 . 2004-04-02 19:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-02-17 14:21 . 2004-04-01 17:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-02-17 13:11 . 2008-02-29 18:17 <DIR> d-------- C:\VundoFix Backups
2008-02-16 18:27 . 2008-02-16 18:36 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\CopyToDvd
2008-02-16 17:56 . 2008-02-16 17:56 <DIR> d-------- C:\Temp
2008-02-16 17:56 . 2008-02-16 17:59 <DIR> d-------- C:\DVDVolume
2008-02-11 11:37 . 2008-02-11 11:37 <DIR> d-------- C:\Program Files\Libronix DLS
2008-02-11 11:37 . 2008-02-11 11:45 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Libronix DLS
2008-02-11 11:37 . 2008-02-11 11:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Libronix DLS
2008-02-09 18:16 . 2008-02-09 18:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Sony
2008-02-09 18:08 . 2008-02-09 18:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony
2008-02-09 18:07 . 2008-02-09 18:07 <DIR> d-------- C:\Program Files\Vstplugins
2008-02-09 18:06 . 2008-02-09 18:06 <DIR> d-------- C:\Program Files\Sony Setup
2008-02-08 16:39 . 2008-02-29 17:16 <DIR> d-------- C:\Program Files\Uninstall Plus! Trial v3.2
2008-02-08 15:57 . 2002-12-17 16:23 33,340 --a------ C:\WINDOWS\system32\dbmsqlgc.dll
2008-02-08 15:57 . 2002-10-20 14:05 24,576 --a------ C:\WINDOWS\system32\dbmsgnet.dll
2008-02-07 19:52 . 2004-08-03 23:10 48,128 --a------ C:\WINDOWS\system32\drivers\61883.sys
2008-02-07 19:52 . 2004-08-03 23:10 48,128 --a--c--- C:\WINDOWS\system32\dllcache\61883.sys
2008-02-07 19:52 . 2004-08-03 23:10 38,912 --a------ C:\WINDOWS\system32\drivers\avc.sys
2008-02-07 19:52 . 2004-08-03 23:10 38,912 --a--c--- C:\WINDOWS\system32\dllcache\avc.sys
2008-02-07 16:12 . 2006-09-12 07:46 227,328 -rahs---- C:\WINDOWS\system32\ac3DX.ax
2008-02-07 16:12 . 2008-02-04 15:26 151,040 --ahs---- C:\WINDOWS\system32\VistaUltm.dll
2008-02-07 16:12 . 2006-01-12 19:23 123,904 -rahs---- C:\WINDOWS\system32\AVCDX.ax
2008-02-07 16:12 . 2003-11-20 19:00 54,784 -rahs---- C:\WINDOWS\system32\RLAPEDec.ax
2008-02-07 16:12 . 2004-04-26 19:00 37,888 -rahs---- C:\WINDOWS\system32\RLMPCDec.ax
2008-02-07 16:12 . 2007-02-21 07:47 31,232 -rahs---- C:\WINDOWS\system32\msfDX.dll
2008-02-07 16:12 . 2007-12-17 09:43 27,648 --ahs---- C:\WINDOWS\system32\Smab0.dll
2008-02-07 16:12 . 2008-02-05 13:04 9,884 ---h----- C:\WINDOWS\super.chm
2008-02-07 15:59 . 2008-02-07 15:59 <DIR> d-------- C:\Program Files\eRightSoft
2008-02-07 15:59 . 2006-03-10 17:48 169,472 -rahs---- C:\WINDOWS\system32\MatroskaDX.ax
2008-02-07 15:59 . 2005-11-25 16:46 161,792 -rahs---- C:\WINDOWS\system32\RealMediaDX.ax
2008-02-07 15:27 . 2008-02-07 15:27 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-02-07 15:27 . 2004-02-22 10:11 719,872 --a------ C:\WINDOWS\system32\devil.dll
2008-02-07 15:27 . 2006-10-07 17:43 502,784 --a------ C:\WINDOWS\x2.64.exe
2008-02-07 15:27 . 2007-11-13 09:31 399,360 --a------ C:\WINDOWS\system32\Smab.dll
2008-02-07 15:27 . 2007-05-17 17:30 318,976 --a------ C:\WINDOWS\system32\avisynth.dll
2008-02-07 15:27 . 2005-02-28 13:16 240,128 --a------ C:\WINDOWS\system32\x.264.exe
2008-02-07 15:27 . 2006-04-12 09:47 217,073 --a------ C:\WINDOWS\meta4.exe
2008-02-07 15:27 . 2004-01-25 00:00 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
2008-02-07 15:27 . 2006-04-05 08:09 66,560 --a------ C:\WINDOWS\MOTA113.exe
2008-02-07 15:27 . 2005-07-14 12:31 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2008-02-07 15:25 . 2005-02-12 19:00 186,880 -rahs---- C:\WINDOWS\system32\RLOgg.ax
2008-02-07 15:25 . 2005-01-17 19:26 179,200 -rahs---- C:\WINDOWS\system32\DiracSplitter.ax
2008-02-07 15:25 . 2006-08-16 10:53 175,104 -rahs---- C:\WINDOWS\system32\CoreAAC.ax
2008-02-07 15:25 . 2006-05-03 06:06 163,328 -rahs---- C:\WINDOWS\system32\flvDX.dll
2008-02-07 15:25 . 2005-02-05 19:00 92,672 -rahs---- C:\WINDOWS\system32\RLVorbisDec.ax
2008-02-07 15:25 . 2005-02-22 12:55 81,920 -rahs---- C:\WINDOWS\system32\aac_parser.ax
2008-02-07 15:25 . 2005-02-12 19:00 67,584 -rahs---- C:\WINDOWS\system32\RLTheoraDec.ax
2008-02-07 15:25 . 2005-02-12 19:00 51,712 -rahs---- C:\WINDOWS\system32\RLSpeexDec.ax
2008-02-04 17:09 . 2008-02-04 17:09 <DIR> d-------- C:\WINDOWS\Sun
2008-02-04 15:57 . 2008-02-20 17:14 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AntiSpyware
2008-02-04 15:56 . 2008-02-25 19:46 <DIR> d-------- C:\Program Files\AntiSpywareApp
2008-02-03 15:13 . 2008-02-03 15:13 <DIR> d-------- C:\Program Files\VSO
2008-02-02 20:24 . 2008-02-26 19:26 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-02-02 17:03 . 2008-02-02 17:04 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-02-02 17:03 . 2004-07-20 16:24 1,568,768 --a------ C:\WINDOWS\system32\ImagX7.dll
2008-02-02 17:03 . 2004-07-20 16:24 476,320 --a------ C:\WINDOWS\system32\ImagXpr7.dll
2008-02-02 17:03 . 2004-07-20 16:24 471,040 --a------ C:\WINDOWS\system32\ImagXRA7.dll
2008-02-02 17:03 . 2004-07-09 08:43 364,544 --a------ C:\WINDOWS\system32\TwnLib4.dll
2008-02-02 17:03 . 2004-07-20 16:24 262,144 --a------ C:\WINDOWS\system32\ImagXR7.dll
2008-02-02 17:03 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-02-02 17:03 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-29 21:03 52,536 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-02-28 21:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-28 19:25 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2008-02-26 22:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-25 21:29 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-21 22:40 3,888 ----a-w C:\WINDOWS\viassary-hp.reg
2008-02-18 01:13 --------- d-----w C:\Program Files\Windows Defender
2008-02-18 01:12 --------- d-----w C:\Program Files\Norton AntiVirus
2008-02-18 01:11 --------- d-----w C:\Program Files\Google
2008-02-17 21:40 --------- d-----w C:\Program Files\PC-Doctor for Windows
2008-02-17 16:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-02-16 23:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\HP
2008-02-09 22:07 --------- d-----w C:\Program Files\Sony
2008-02-08 18:59 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-05 01:07 --------- d-----w C:\Program Files\DVDFab Platinum 4
2008-02-02 23:12 --------- d-----w C:\Program Files\InterVideo
2008-02-02 20:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-01 18:08 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-02-01 09:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-31 22:34 --------- d-----w C:\Program Files\QuickTime
2008-01-31 22:33 --------- d-----w C:\Program Files\Apple Software Update
2008-01-31 22:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-31 20:51 --------- d-----w C:\Program Files\FLVPlayer
2008-01-31 02:00 --------- d-----w C:\Documents and Settings\Owner\Application Data\Publish Providers
2008-01-31 01:27 --------- d-----w C:\Program Files\MSBuild
2008-01-31 01:23 --------- d-----w C:\Program Files\Reference Assemblies
2008-01-29 22:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-29 00:36 --------- d-----w C:\Program Files\Fellowes
2008-01-29 00:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Fellowes
2008-01-29 00:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\ImgBurn
2008-01-29 00:31 --------- d-----w C:\Program Files\ImgBurn
2008-01-28 18:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\PicturesToExe
2008-01-28 18:12 --------- d-----w C:\Program Files\WnSoft PicturesToExe
2008-01-28 15:11 --------- d-----w C:\Program Files\winrar extract
2008-01-28 15:02 --------- d-----w C:\Program Files\Webroot
2008-01-26 22:37 --------- d-----w C:\Program Files\Lavasoft
2008-01-26 15:09 --------- d-----w C:\Program Files\uTorrent
2008-01-25 23:15 --------- d-----w C:\Program Files\PhotoZoom Pro 2
2008-01-25 23:10 160,528 ----a-w C:\WINDOWS\Sqirlz Water Reflections Uninstaller.exe
2008-01-25 23:10 --------- d-----w C:\Program Files\Sqirlz Water Reflections
2008-01-23 11:25 --------- d-----w C:\Program Files\Active Data Recovery Services
2008-01-22 22:03 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-22 19:28 --------- d-----w C:\Program Files\Photodex Presenter
2008-01-22 19:28 --------- d-----w C:\Documents and Settings\Owner\Application Data\Netscape
2008-01-22 19:27 --------- d-----w C:\Program Files\Photodex
2008-01-22 19:25 --------- d-----w C:\Documents and Settings\Owner\Application Data\Photodex
2008-01-22 02:14 --------- d-----w C:\Documents and Settings\Owner\Application Data\Sonic
2008-01-22 02:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\Leadertech
2008-01-22 02:00 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-01-21 20:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2008-01-21 17:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-01-19 15:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-19 00:21 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-01-19 00:21 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-01-19 00:21 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-19 00:21 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-01-19 00:21 --------- d-----w C:\Program Files\Symantec
2008-01-19 00:14 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-18 22:09 --------- d-----w C:\Program Files\Seagate
2008-01-18 22:09 --------- d-----w C:\Program Files\Memeo
2008-01-18 22:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Tanagra
2008-01-18 01:43 --------- d-----w C:\Program Files\Common Files\CANON
2008-01-18 01:34 --------- d-----w C:\Program Files\Canon
2008-01-18 01:32 --------- d--h--w C:\Program Files\CanonBJ
2008-01-18 01:32 --------- d--h--w C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-01-18 01:05 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-01-18 01:05 --------- d-----w C:\Program Files\Common Files\HP
2008-01-18 01:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonic
2008-01-18 01:01 --------- d-----w C:\Program Files\Hewlett-Packard
2008-01-17 22:17 --------- d-----w C:\Program Files\Gspot
2008-01-17 21:24 --------- d-----w C:\Documents and Settings\Owner\Application Data\MSN6
2008-01-17 21:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
2008-01-17 21:19 --------- d-----w C:\Program Files\Easy Internet signup
2008-01-17 20:29 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-17 04:30 --------- d-----w C:\Program Files\Quicken
2008-01-17 04:22 --------- d-----w C:\Program Files\Sonic
2008-01-17 04:22 --------- d-----w C:\Program Files\RecordNow!
2008-01-17 04:22 --------- d-----w C:\Program Files\InterMute
2008-01-17 04:22 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-01-17 04:22 --------- d-----w C:\Program Files\Common Files\Sonic
2008-01-17 03:37 4,050 --sha-r C:\WINDOWS\system32\drivers\HP_PC028A-ABA a620n_YC_Pavi_QMXM433_E43NAheBLU3_4_IKelut_SASUSTek Computer INC._V2.02_B3.09_T040709_WXH1_L409_M1024_J160_7AMD_8Athlon XP 3200+_92.2_111063044_N11063065_P_Z11C1048C_K_A11063059_U11063038_G10025046_O_DACR077C.MRK
2008-01-17 03:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2008-01-17 02:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\InterVideo
2008-01-17 02:15 --------- d-----w C:\Documents and Settings\Owner\Application Data\Motive
2008-01-17 02:05 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-01-17 02:05 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2008-01-17 01:50 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-17 01:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-01-15 13:54 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-01-15 09:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-12 22:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-01-04 21:58 43,528 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2006-02-19 07:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2006-05-03 10:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 11:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-01-31 01:03 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-27 20:01 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 20:04 52736]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-08-21 07:15 483328]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 23:02 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-13 20:43 233472]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 09:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 19:57 81920]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"StxTrayMenu"="C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 13:20 190008]
"UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 13:15 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-25 00:53 714608]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^AutoBackup Launcher.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\AutoBackup Launcher.lnk
backup=C:\WINDOWS\pss\AutoBackup Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=C:\WINDOWS\pss\HP Organize.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\IMStart.lnk
backup=C:\WINDOWS\pss\IMStart.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\44a5cdc3]
C:\WINDOWS\system32\pkfjhkgp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]
c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
--a------ 2004-01-13 21:10 409600 C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 19:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 02:41 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
--a------ 2003-08-21 07:23 49152 c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 15:45 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDUiP6700DMon]
--a------ 2006-03-16 14:47 61440 C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2003-07-10 15:26 654848 C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-01-27 20:01 171448 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-04-01 04:41 151597 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]


[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\copies of programs on computer\\uTorrent.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=

R2 CX23880;MSI 8606 Video Capture;C:\WINDOWS\system32\drivers\CX88Vid.SYS [2003-08-28 03:14]
R2 CX88XBAR;MSI 8606 Crossbar;C:\WINDOWS\system32\drivers\CX88XBar.SYS [2003-03-19 01:50]
R2 CXTUNE;MSI 8606 Tuner;C:\WINDOWS\system32\drivers\CX88Tune.SYS [2003-08-21 03:35]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 22:29]
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 20:27]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-01-12 18:32]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 20:27]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 04:04:56 C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job"
- C:\Program Files\AntiSpywareApp\AntiSpyware.ex
- C:\Program Files\AntiSpywareApp
"2008-02-25 22:36:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-01 04:03:36 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-02-26 00:00:11 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-01 00:26:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-01 0:27:20
ComboFix-quarantined-files.txt 2008-03-01 04:27:02
.
2008-02-29 00:46:44 --- E O F ---

#6 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 01 March 2008 - 12:09 AM

Hi CAnn,

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\system32\pkfjhkgp.dll
C:\WINDOWS\wininit.ini
C:\WINDOWS\system32\xioqxpsv.ini
C:\WINDOWS\system32\dkebwiqy.ini
C:\47.tmp
C:\490.tmp
C:\252.tmp

Folder:: 
C:\VundoFix Backups

Registry:: 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\44a5cdc3]


Name the Notepad file CFScript.txt and Save it to your desktop.


Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
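Added example, written for this page rather than taken from ComboFix, BleepingComputer or either poster: a triage pass over a ComboFix log that mechanises what the reply above does by eye. It parses the "Files Created" lines and the registry section headers, then applies three checks that correspond to what this log shows: hidden or system files in system32 whose name is eight random-looking lowercase letters (xioqxpsv.ini, dkebwiqy.ini, pgkhjfkp.ini); an .ini whose name is the reverse of a .dll name, the pgkhjfkp.ini / pkfjhkgp.dll pair this log contains and the pairing Vundo variants are known for; and an msconfig\startupreg key named with bare hex (44a5cdc3) where a product name normally sits. Attributes alone are not a signal: msfDX.dll and flvDX.dll carry the same hidden/system bits and were written alongside the eRightSoft install on 2008-02-07, so the name test matters. The eight-letter and bare-hex tests are assumptions that fit this log, not rules ComboFix applies; the sample lines are copied from the log above with two benign lines as controls. The File::/Registry:: output uses the syntax of the CFScript in the reply and is a draft for an analyst to check line by line, in keeping with the warning that such scripts are specific to one machine.

```python
"""Triage heuristics for a ComboFix log (added example; not ComboFix's own code)."""
import re

# "Files Created" line: created-stamp . modified-stamp size attrs path
# (the Find3M section uses a different shape and is not parsed here)
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-zA-Z]{7,9}) (?P<path>.+)$")
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")             # [HKEY_...\...] header
NAME_RE = re.compile(r"([A-Za-z0-9_-]+)\.(dll|ini)\b", re.I)  # any .dll/.ini name on a line
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")   # assumption: 8 lowercase letters looks generated
HEX_KEY_RE = re.compile(r"^[0-9a-f]{6,}$")   # assumption: bare hex where a product name belongs
STARTUPREG = "\\msconfig\\startupreg\\"

# Constructed sample: lines copied from the log above, plus two benign lines as controls
SAMPLE_LOG = r"""
2008-02-20 17:19 . 2008-02-20 22:52 834 ---hs---- C:\WINDOWS\system32\xioqxpsv.ini
2008-02-20 07:14 . 2008-02-20 17:14 414 --ahs---- C:\WINDOWS\system32\dkebwiqy.ini
2008-02-17 21:14 . 2008-02-18 19:43 414 --ahs---- C:\WINDOWS\system32\pgkhjfkp.ini
2008-02-07 16:12 . 2007-02-21 07:47 31,232 -rahs---- C:\WINDOWS\system32\msfDX.dll
2008-02-17 17:16 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\44a5cdc3]
C:\WINDOWS\system32\pkfjhkgp.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\qttask.exe
"""


def parse_files(lines):
    """Yield (path, attrs) for every 'Files Created' entry."""
    for line in lines:
        m = FILE_RE.match(line)
        if m:
            yield m.group("path"), m.group("attrs")


def random_hidden_system32(lines):
    """Check 1: hidden/system file in system32 whose stem is 8 lowercase letters."""
    hits = []
    for path, attrs in parse_files(lines):
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        in_sys32 = "\\system32\\" in path.lower()
        hidden_or_system = "h" in attrs or "s" in attrs
        if in_sys32 and hidden_or_system and RANDOM_STEM_RE.match(stem):
            hits.append(path)
    return hits


def reversed_ini_pairs(lines):
    """Check 2: an .ini whose stem is the reverse of a .dll stem seen anywhere in the log."""
    dlls, inis = set(), set()
    for line in lines:
        for stem, ext in NAME_RE.findall(line):
            (dlls if ext.lower() == "dll" else inis).add(stem)
    return sorted((ini + ".ini", ini[::-1] + ".dll") for ini in inis if ini[::-1] in dlls)


def hex_startupreg_keys(lines):
    """Check 3: msconfig\\startupreg key named with bare hex, paired with the payload line under it."""
    hits = []
    for i, line in enumerate(lines):
        m = REG_KEY_RE.match(line)
        if not m or STARTUPREG not in m.group("key").lower():
            continue
        name = m.group("key").rsplit("\\", 1)[-1]
        if HEX_KEY_RE.match(name):
            payload = lines[i + 1].strip() if i + 1 < len(lines) else ""
            hits.append((m.group("key"), payload))
    return hits


def triage(log_text):
    """Run all three checks over the raw log text."""
    lines = log_text.splitlines()
    return {
        "random_hidden": random_hidden_system32(lines),
        "reversed_pairs": reversed_ini_pairs(lines),
        "hex_startup_keys": hex_startupreg_keys(lines),
    }


def render_cfscript(findings):
    """Draft a File::/Registry:: block in the syntax used in the reply above.

    This is a starting point for an analyst to review entry by entry, never a
    script to run blind: a CFScript is specific to one machine's log.
    """
    files = list(findings["random_hidden"])
    files += [payload for _, payload in findings["hex_startup_keys"] if payload]
    out = ["File::", *files, "", "Registry::"]
    out += ["[-%s]" % key for key, _ in findings["hex_startup_keys"]]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_cfscript(triage(SAMPLE_LOG)))
```

Run against the sample, the three hidden .ini files and the DLL loaded from the hex-named key are listed under File:: and the key itself under Registry::, which matches most of the reply's script; the wininit.ini, the 512 MB .tmp files and the VundoFix Backups folder in that script came from the analyst's judgement rather than from any of these three patterns, which is the reason the output is a draft and not a replacement for reading the log.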

#7 CAnn

  • Topic Starter
  • Members
  • 18 posts

Posted 01 March 2008 - 06:53 AM

Hi
Here are both my new combofix and HJT logs:

ComboFix 08-03-01 - Owner 2008-03-01 7:44:18.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.512 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-02-01 to 2008-03-01 )))))))))))))))))))))))))))))))
.

2008-03-01 00:09 . 2004-08-04 00:56 388,608 --a------ C:\CF1771.exe
2008-02-26 18:46 . 2002-11-21 22:12 10,334 --a------ C:\WINDOWS\system32\drivers\cx88aud.sys
2008-02-26 18:45 . 2008-02-26 18:45 <DIR> d-------- C:\Program Files\MSI
2008-02-26 18:41 . 2003-08-28 03:14 181,574 -ra------ C:\WINDOWS\system32\drivers\CX88Vid.SYS
2008-02-26 18:41 . 2003-08-21 03:35 95,804 -ra------ C:\WINDOWS\system32\drivers\CX88Tune.SYS
2008-02-26 18:41 . 2003-03-19 01:50 9,159 -ra------ C:\WINDOWS\system32\drivers\CX88XBar.SYS
2008-02-26 18:40 . 2008-02-26 18:40 <DIR> d-------- C:\Program Files\Genesis Digital Innovations
2008-02-22 18:11 . 2008-02-22 18:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-22 16:31 . 2008-02-22 16:32 536,871,424 --a------ C:\47.tmp
2008-02-21 18:37 . 2008-02-21 18:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-02-21 17:53 . 2008-02-21 17:55 <DIR> d-------- C:\Program Files\CCleaner
2008-02-21 17:15 . 2008-02-21 17:08 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-21 17:07 . 2008-02-21 17:24 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-02-20 22:04 . 2008-02-20 22:04 <DIR> d-------- C:\Program Files\Hijack this
2008-02-20 18:46 . 2008-02-20 18:46 92 --a------ C:\WINDOWS\wininit.ini
2008-02-20 18:20 . 2008-02-20 18:20 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-20 18:20 . 2008-02-20 18:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-20 17:19 . 2008-02-20 22:52 834 ---hs---- C:\WINDOWS\system32\xioqxpsv.ini
2008-02-20 07:14 . 2008-02-20 17:14 414 --ahs---- C:\WINDOWS\system32\dkebwiqy.ini
2008-02-19 17:32 . 2008-02-19 17:32 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-19 17:28 . 2008-02-19 17:56 <DIR> d-------- C:\SDFix
2008-02-17 21:33 . 2008-02-17 21:34 536,871,424 --a------ C:\490.tmp
2008-02-17 21:14 . 2008-02-18 19:43 414 --ahs---- C:\WINDOWS\system32\pgkhjfkp.ini
2008-02-17 21:02 . 2008-02-17 21:04 536,871,424 --a------ C:\252.tmp
2008-02-17 17:44 . 2008-02-17 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-17 17:43 . 2008-02-29 16:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-17 17:43 . 2008-02-17 17:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-17 17:43 . 2008-02-17 17:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-02-17 17:17 . 2008-02-17 17:17 2,558 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-17 17:16 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-17 17:16 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-17 17:16 . 2008-02-16 19:46 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-17 17:16 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-17 17:16 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-17 17:16 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-17 17:16 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-17 16:28 . 2008-02-17 16:28 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-02-17 14:21 . 2004-04-01 05:03 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-02-17 14:21 . 2004-04-02 19:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-02-17 14:21 . 2004-04-01 17:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-02-17 13:11 . 2008-02-29 18:17 <DIR> d-------- C:\VundoFix Backups
2008-02-16 18:27 . 2008-02-16 18:36 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\CopyToDvd
2008-02-16 17:56 . 2008-02-16 17:56 <DIR> d-------- C:\Temp
2008-02-16 17:56 . 2008-02-16 17:59 <DIR> d-------- C:\DVDVolume
2008-02-11 11:37 . 2008-02-11 11:37 <DIR> d-------- C:\Program Files\Libronix DLS
2008-02-11 11:37 . 2008-02-11 11:45 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Libronix DLS
2008-02-11 11:37 . 2008-02-11 11:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Libronix DLS
2008-02-09 18:16 . 2008-02-09 18:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Sony
2008-02-09 18:08 . 2008-02-09 18:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony
2008-02-09 18:07 . 2008-02-09 18:07 <DIR> d-------- C:\Program Files\Vstplugins
2008-02-09 18:06 . 2008-02-09 18:06 <DIR> d-------- C:\Program Files\Sony Setup
2008-02-08 16:39 . 2008-02-29 17:16 <DIR> d-------- C:\Program Files\Uninstall Plus! Trial v3.2
2008-02-08 15:57 . 2002-12-17 16:23 33,340 --a------ C:\WINDOWS\system32\dbmsqlgc.dll
2008-02-08 15:57 . 2002-10-20 14:05 24,576 --a------ C:\WINDOWS\system32\dbmsgnet.dll
2008-02-07 19:52 . 2004-08-03 23:10 48,128 --a------ C:\WINDOWS\system32\drivers\61883.sys
2008-02-07 19:52 . 2004-08-03 23:10 48,128 --a--c--- C:\WINDOWS\system32\dllcache\61883.sys
2008-02-07 19:52 . 2004-08-03 23:10 38,912 --a------ C:\WINDOWS\system32\drivers\avc.sys
2008-02-07 19:52 . 2004-08-03 23:10 38,912 --a--c--- C:\WINDOWS\system32\dllcache\avc.sys
2008-02-07 16:12 . 2006-09-12 07:46 227,328 -rahs---- C:\WINDOWS\system32\ac3DX.ax
2008-02-07 16:12 . 2008-02-04 15:26 151,040 --ahs---- C:\WINDOWS\system32\VistaUltm.dll
2008-02-07 16:12 . 2006-01-12 19:23 123,904 -rahs---- C:\WINDOWS\system32\AVCDX.ax
2008-02-07 16:12 . 2003-11-20 19:00 54,784 -rahs---- C:\WINDOWS\system32\RLAPEDec.ax
2008-02-07 16:12 . 2004-04-26 19:00 37,888 -rahs---- C:\WINDOWS\system32\RLMPCDec.ax
2008-02-07 16:12 . 2007-02-21 07:47 31,232 -rahs---- C:\WINDOWS\system32\msfDX.dll
2008-02-07 16:12 . 2007-12-17 09:43 27,648 --ahs---- C:\WINDOWS\system32\Smab0.dll
2008-02-07 16:12 . 2008-02-05 13:04 9,884 ---h----- C:\WINDOWS\super.chm
2008-02-07 15:59 . 2008-02-07 15:59 <DIR> d-------- C:\Program Files\eRightSoft
2008-02-07 15:59 . 2006-03-10 17:48 169,472 -rahs---- C:\WINDOWS\system32\MatroskaDX.ax
2008-02-07 15:59 . 2005-11-25 16:46 161,792 -rahs---- C:\WINDOWS\system32\RealMediaDX.ax
2008-02-07 15:27 . 2008-02-07 15:27 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-02-07 15:27 . 2004-02-22 10:11 719,872 --a------ C:\WINDOWS\system32\devil.dll
2008-02-07 15:27 . 2006-10-07 17:43 502,784 --a------ C:\WINDOWS\x2.64.exe
2008-02-07 15:27 . 2007-11-13 09:31 399,360 --a------ C:\WINDOWS\system32\Smab.dll
2008-02-07 15:27 . 2007-05-17 17:30 318,976 --a------ C:\WINDOWS\system32\avisynth.dll
2008-02-07 15:27 . 2005-02-28 13:16 240,128 --a------ C:\WINDOWS\system32\x.264.exe
2008-02-07 15:27 . 2006-04-12 09:47 217,073 --a------ C:\WINDOWS\meta4.exe
2008-02-07 15:27 . 2004-01-25 00:00 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
2008-02-07 15:27 . 2006-04-05 08:09 66,560 --a------ C:\WINDOWS\MOTA113.exe
2008-02-07 15:27 . 2005-07-14 12:31 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2008-02-07 15:25 . 2005-02-12 19:00 186,880 -rahs---- C:\WINDOWS\system32\RLOgg.ax
2008-02-07 15:25 . 2005-01-17 19:26 179,200 -rahs---- C:\WINDOWS\system32\DiracSplitter.ax
2008-02-07 15:25 . 2006-08-16 10:53 175,104 -rahs---- C:\WINDOWS\system32\CoreAAC.ax
2008-02-07 15:25 . 2006-05-03 06:06 163,328 -rahs---- C:\WINDOWS\system32\flvDX.dll
2008-02-07 15:25 . 2005-02-05 19:00 92,672 -rahs---- C:\WINDOWS\system32\RLVorbisDec.ax
2008-02-07 15:25 . 2005-02-22 12:55 81,920 -rahs---- C:\WINDOWS\system32\aac_parser.ax
2008-02-07 15:25 . 2005-02-12 19:00 67,584 -rahs---- C:\WINDOWS\system32\RLTheoraDec.ax
2008-02-07 15:25 . 2005-02-12 19:00 51,712 -rahs---- C:\WINDOWS\system32\RLSpeexDec.ax
2008-02-04 17:09 . 2008-02-04 17:09 <DIR> d-------- C:\WINDOWS\Sun
2008-02-04 15:57 . 2008-02-20 17:14 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AntiSpyware
2008-02-04 15:56 . 2008-02-25 19:46 <DIR> d-------- C:\Program Files\AntiSpywareApp
2008-02-03 15:13 . 2008-02-03 15:13 <DIR> d-------- C:\Program Files\VSO
2008-02-02 20:24 . 2008-02-26 19:26 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-02-02 17:03 . 2008-02-02 17:04 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-02-02 17:03 . 2004-07-20 16:24 1,568,768 --a------ C:\WINDOWS\system32\ImagX7.dll
2008-02-02 17:03 . 2004-07-20 16:24 476,320 --a------ C:\WINDOWS\system32\ImagXpr7.dll
2008-02-02 17:03 . 2004-07-20 16:24 471,040 --a------ C:\WINDOWS\system32\ImagXRA7.dll
2008-02-02 17:03 . 2004-07-09 08:43 364,544 --a------ C:\WINDOWS\system32\TwnLib4.dll
2008-02-02 17:03 . 2004-07-20 16:24 262,144 --a------ C:\WINDOWS\system32\ImagXR7.dll
2008-02-02 17:03 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-02-02 17:03 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-29 21:03 52,536 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-02-28 21:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-28 19:25 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2008-02-26 22:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-25 21:29 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-21 22:40 3,888 ----a-w C:\WINDOWS\viassary-hp.reg
2008-02-18 01:13 --------- d-----w C:\Program Files\Windows Defender
2008-02-18 01:12 --------- d-----w C:\Program Files\Norton AntiVirus
2008-02-18 01:11 --------- d-----w C:\Program Files\Google
2008-02-17 21:40 --------- d-----w C:\Program Files\PC-Doctor for Windows
2008-02-17 16:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-02-16 23:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\HP
2008-02-09 22:07 --------- d-----w C:\Program Files\Sony
2008-02-08 18:59 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-05 01:07 --------- d-----w C:\Program Files\DVDFab Platinum 4
2008-02-02 23:12 --------- d-----w C:\Program Files\InterVideo
2008-02-02 20:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-01 18:08 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-02-01 09:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-31 22:34 --------- d-----w C:\Program Files\QuickTime
2008-01-31 22:33 --------- d-----w C:\Program Files\Apple Software Update
2008-01-31 22:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-31 20:51 --------- d-----w C:\Program Files\FLVPlayer
2008-01-31 02:00 --------- d-----w C:\Documents and Settings\Owner\Application Data\Publish Providers
2008-01-31 01:27 --------- d-----w C:\Program Files\MSBuild
2008-01-31 01:23 --------- d-----w C:\Program Files\Reference Assemblies
2008-01-29 22:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-29 00:36 --------- d-----w C:\Program Files\Fellowes
2008-01-29 00:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Fellowes
2008-01-29 00:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\ImgBurn
2008-01-29 00:31 --------- d-----w C:\Program Files\ImgBurn
2008-01-28 18:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\PicturesToExe
2008-01-28 18:12 --------- d-----w C:\Program Files\WnSoft PicturesToExe
2008-01-28 15:11 --------- d-----w C:\Program Files\winrar extract
2008-01-28 15:02 --------- d-----w C:\Program Files\Webroot
2008-01-26 22:37 --------- d-----w C:\Program Files\Lavasoft
2008-01-26 15:09 --------- d-----w C:\Program Files\uTorrent
2008-01-25 23:15 --------- d-----w C:\Program Files\PhotoZoom Pro 2
2008-01-25 23:10 160,528 ----a-w C:\WINDOWS\Sqirlz Water Reflections Uninstaller.exe
2008-01-25 23:10 --------- d-----w C:\Program Files\Sqirlz Water Reflections
2008-01-23 11:25 --------- d-----w C:\Program Files\Active Data Recovery Services
2008-01-22 22:03 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-22 19:28 --------- d-----w C:\Program Files\Photodex Presenter
2008-01-22 19:28 --------- d-----w C:\Documents and Settings\Owner\Application Data\Netscape
2008-01-22 19:27 --------- d-----w C:\Program Files\Photodex
2008-01-22 19:25 --------- d-----w C:\Documents and Settings\Owner\Application Data\Photodex
2008-01-22 02:14 --------- d-----w C:\Documents and Settings\Owner\Application Data\Sonic
2008-01-22 02:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\Leadertech
2008-01-22 02:00 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-01-21 20:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2008-01-21 17:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-01-19 15:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-19 00:21 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-01-19 00:21 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-01-19 00:21 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-19 00:21 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-01-19 00:21 --------- d-----w C:\Program Files\Symantec
2008-01-19 00:14 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-18 22:09 --------- d-----w C:\Program Files\Seagate
2008-01-18 22:09 --------- d-----w C:\Program Files\Memeo
2008-01-18 22:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Tanagra
2008-01-18 01:43 --------- d-----w C:\Program Files\Common Files\CANON
2008-01-18 01:34 --------- d-----w C:\Program Files\Canon
2008-01-18 01:32 --------- d--h--w C:\Program Files\CanonBJ
2008-01-18 01:32 --------- d--h--w C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-01-18 01:05 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-01-18 01:05 --------- d-----w C:\Program Files\Common Files\HP
2008-01-18 01:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonic
2008-01-18 01:01 --------- d-----w C:\Program Files\Hewlett-Packard
2008-01-17 22:17 --------- d-----w C:\Program Files\Gspot
2008-01-17 21:24 --------- d-----w C:\Documents and Settings\Owner\Application Data\MSN6
2008-01-17 21:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
2008-01-17 21:19 --------- d-----w C:\Program Files\Easy Internet signup
2008-01-17 20:29 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-17 04:30 --------- d-----w C:\Program Files\Quicken
2008-01-17 04:22 --------- d-----w C:\Program Files\Sonic
2008-01-17 04:22 --------- d-----w C:\Program Files\RecordNow!
2008-01-17 04:22 --------- d-----w C:\Program Files\InterMute
2008-01-17 04:22 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-01-17 04:22 --------- d-----w C:\Program Files\Common Files\Sonic
2008-01-17 03:37 4,050 --sha-r C:\WINDOWS\system32\drivers\HP_PC028A-ABA a620n_YC_Pavi_QMXM433_E43NAheBLU3_4_IKelut_SASUSTek Computer INC._V2.02_B3.09_T040709_WXH1_L409_M1024_J160_7AMD_8Athlon XP 3200+_92.2_111063044_N11063065_P_Z11C1048C_K_A11063059_U11063038_G10025046_O_DACR077C.MRK
2008-01-17 03:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2008-01-17 02:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\InterVideo
2008-01-17 02:15 --------- d-----w C:\Documents and Settings\Owner\Application Data\Motive
2008-01-17 02:05 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-01-17 02:05 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2008-01-17 01:50 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-17 01:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-01-15 13:54 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-01-15 09:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-12 22:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-01-04 21:58 43,528 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2006-02-19 07:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2006-05-03 10:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 11:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-01-31 01:03 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-27 20:01 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 20:04 52736]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-08-21 07:15 483328]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 23:02 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-13 20:43 233472]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 09:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 19:57 81920]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"StxTrayMenu"="C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 13:20 190008]
"UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 13:15 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-25 00:53 714608]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^AutoBackup Launcher.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\AutoBackup Launcher.lnk
backup=C:\WINDOWS\pss\AutoBackup Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=C:\WINDOWS\pss\HP Organize.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\IMStart.lnk
backup=C:\WINDOWS\pss\IMStart.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\44a5cdc3]
C:\WINDOWS\system32\pkfjhkgp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]
c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
--a------ 2004-01-13 21:10 409600 C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 19:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 02:41 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
--a------ 2003-08-21 07:23 49152 c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 15:45 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDUiP6700DMon]
--a------ 2006-03-16 14:47 61440 C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2003-07-10 15:26 654848 C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-01-27 20:01 171448 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-04-01 04:41 151597 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]


[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\copies of programs on computer\\uTorrent.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=

R2 CX23880;MSI 8606 Video Capture;C:\WINDOWS\system32\drivers\CX88Vid.SYS [2003-08-28 03:14]
R2 CX88XBAR;MSI 8606 Crossbar;C:\WINDOWS\system32\drivers\CX88XBar.SYS [2003-03-19 01:50]
R2 CXTUNE;MSI 8606 Tuner;C:\WINDOWS\system32\drivers\CX88Tune.SYS [2003-08-21 03:35]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 22:29]
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 20:27]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-01-12 18:32]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 20:27]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 07:00:01 C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job"
- C:\Program Files\AntiSpywareApp\AntiSpyware.ex
- C:\Program Files\AntiSpywareApp
"2008-02-25 22:36:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-01 04:03:36 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-02-26 00:00:11 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-01 07:46:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-01 7:47:18
ComboFix-quarantined-files.txt 2008-03-01 11:47:01
ComboFix2.txt 2008-03-01 04:27:21
.
2008-02-29 00:46:44 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:48:55 AM, on 3/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200597853156
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 7437 bytes


I am hoping I am now free from this bleeping *$@ virus! Thanks for your help!!!
Charlotte

#8 SifuMike

Posted 01 March 2008 - 12:24 PM

Hi Charlotte,


Looks like the CFScript fix did not work. :blink: I see bad files and folders are still there in your log.

I should be seeing the files and folders deleted in your log.

Let's try it again. :thumbsup:

There are several reasons why this fix did not work.
Make sure you use NotePad and no other text editor.
Also, when you copy and paste the text in the code box, do not include the word CODE when you cut and paste.

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\system32\pkfjhkgp.dll
C:\WINDOWS\wininit.ini
C:\WINDOWS\system32\xioqxpsv.ini
C:\WINDOWS\system32\dkebwiqy.ini
C:\47.tmp
C:\490.tmp
C:\252.tmp

Folder:: 
C:\VundoFix Backups

Registry:: 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\44a5cdc3]


Name the Notepad file CFScript.txt and Save it to your desktop.


Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript.txt onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Edited by SifuMike, 01 March 2008 - 01:00 PM.

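As an added example (not code from this thread, from SifuMike or from ComboFix), here is a small Python checker that parses a CFScript in the File::/Folder::/Registry:: form used in the post above and reports which of its targets still appear in a follow-up ComboFix log, which is the comparison the helper does by eye to see whether the script ran. The sample log excerpt is constructed from lines quoted in this thread, and lines outside any section (such as a pasted CODE tag) are flagged.

```python
import re
from dataclasses import dataclass, field

# A section header is exactly "File::", "Folder::" or "Registry::" (trailing space tolerated).
SECTION_RE = re.compile(r"^(File|Folder|Registry)::\s*$")

@dataclass
class CFScript:
    files: list = field(default_factory=list)
    folders: list = field(default_factory=list)
    registry: list = field(default_factory=list)
    stray: list = field(default_factory=list)  # text outside any section, e.g. a pasted "CODE" tag

def parse_cfscript(text):
    """Split a CFScript into its File::, Folder:: and Registry:: entries."""
    # Lines before the first section header land in `stray`; that is where a pasted CODE tag ends up.
    script = CFScript()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            continue
        if current == "File":
            script.files.append(line)
        elif current == "Folder":
            script.folders.append(line)
        elif current == "Registry":
            # "[-HKEY_...\key]" asks ComboFix to delete the key; store the bare key path.
            key = line.strip("[]")
            script.registry.append(key[1:] if key.startswith("-") else key)
        else:
            script.stray.append(line)
    return script

def still_present(script, log_text):
    """Return the script targets that still appear somewhere in a ComboFix log."""
    # A case-insensitive substring test per log line covers both the file listings and the [HKEY_...] dumps.
    lines = [l.lower() for l in log_text.splitlines()]

    def hits(targets):
        return [t for t in targets if any(t.lower() in l for l in lines)]

    return {
        "files": hits(script.files),
        "folders": hits(script.folders),
        "registry": hits(script.registry),
    }

# The CFScript from the post above, verbatim.
SAMPLE_SCRIPT = r"""File::
C:\WINDOWS\system32\pkfjhkgp.dll
C:\WINDOWS\wininit.ini
C:\WINDOWS\system32\xioqxpsv.ini
C:\WINDOWS\system32\dkebwiqy.ini
C:\47.tmp
C:\490.tmp
C:\252.tmp

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\44a5cdc3]
"""

# Constructed excerpt of a follow-up ComboFix log: a few lines copied from the thread
# plus one unrelated entry, deliberately missing most of the script's targets.
SAMPLE_LOG = r"""2008-02-22 16:31 . 2008-02-22 16:32 536,871,424 --a------ C:\47.tmp
2008-02-21 17:53 . 2008-02-21 17:55 <DIR> d-------- C:\Program Files\CCleaner
2008-02-20 18:46 . 2008-02-20 18:46 92 --a------ C:\WINDOWS\wininit.ini
2008-02-17 13:11 . 2008-02-29 18:17 <DIR> d-------- C:\VundoFix Backups

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\44a5cdc3]
C:\WINDOWS\system32\pkfjhkgp.dll
"""

def report(script_text=SAMPLE_SCRIPT, log_text=SAMPLE_LOG):
    """Parse the script, compare it with the log, print and return the leftovers."""
    script = parse_cfscript(script_text)
    leftovers = still_present(script, log_text)
    if script.stray:
        print("stray lines outside any section:", script.stray)
    for kind, items in leftovers.items():
        for item in items:
            print(f"still in log ({kind}): {item}")
    return leftovers

if __name__ == "__main__":
    report()
```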

#9 CAnn

Posted 01 March 2008 - 01:46 PM

Okay
I tried again and did everything just as you said. Let's see what it looks like now:
ComboFix 08-03-01 - Owner 2008-03-01 14:38:42.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.470 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-02-01 to 2008-03-01 )))))))))))))))))))))))))))))))
.

2008-03-01 00:09 . 2004-08-04 00:56 388,608 --a------ C:\CF1771.exe
2008-02-26 18:46 . 2002-11-21 22:12 10,334 --a------ C:\WINDOWS\system32\drivers\cx88aud.sys
2008-02-26 18:45 . 2008-02-26 18:45 <DIR> d-------- C:\Program Files\MSI
2008-02-26 18:41 . 2003-08-28 03:14 181,574 -ra------ C:\WINDOWS\system32\drivers\CX88Vid.SYS
2008-02-26 18:41 . 2003-08-21 03:35 95,804 -ra------ C:\WINDOWS\system32\drivers\CX88Tune.SYS
2008-02-26 18:41 . 2003-03-19 01:50 9,159 -ra------ C:\WINDOWS\system32\drivers\CX88XBar.SYS
2008-02-26 18:40 . 2008-02-26 18:40 <DIR> d-------- C:\Program Files\Genesis Digital Innovations
2008-02-22 18:11 . 2008-02-22 18:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-22 16:31 . 2008-02-22 16:32 536,871,424 --a------ C:\47.tmp
2008-02-21 18:37 . 2008-02-21 18:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-02-21 17:53 . 2008-02-21 17:55 <DIR> d-------- C:\Program Files\CCleaner
2008-02-21 17:15 . 2008-02-21 17:08 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-21 17:07 . 2008-02-21 17:24 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-02-20 22:04 . 2008-02-20 22:04 <DIR> d-------- C:\Program Files\Hijack this
2008-02-20 18:46 . 2008-02-20 18:46 92 --a------ C:\WINDOWS\wininit.ini
2008-02-20 18:20 . 2008-02-20 18:20 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-20 18:20 . 2008-02-20 18:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-20 17:19 . 2008-02-20 22:52 834 ---hs---- C:\WINDOWS\system32\xioqxpsv.ini
2008-02-20 07:14 . 2008-02-20 17:14 414 --ahs---- C:\WINDOWS\system32\dkebwiqy.ini
2008-02-19 17:32 . 2008-02-19 17:32 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-19 17:28 . 2008-02-19 17:56 <DIR> d-------- C:\SDFix
2008-02-17 21:33 . 2008-02-17 21:34 536,871,424 --a------ C:\490.tmp
2008-02-17 21:14 . 2008-02-18 19:43 414 --ahs---- C:\WINDOWS\system32\pgkhjfkp.ini
2008-02-17 21:02 . 2008-02-17 21:04 536,871,424 --a------ C:\252.tmp
2008-02-17 17:44 . 2008-02-17 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-17 17:43 . 2008-03-01 14:32 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-17 17:43 . 2008-02-17 17:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-17 17:43 . 2008-02-17 17:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-02-17 17:17 . 2008-02-17 17:17 2,558 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-17 17:16 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-17 17:16 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-17 17:16 . 2008-02-16 19:46 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-17 17:16 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-17 17:16 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-17 17:16 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-17 17:16 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-17 16:28 . 2008-02-17 16:28 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-02-17 14:21 . 2004-04-01 05:03 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-02-17 14:21 . 2004-04-02 19:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-02-17 14:21 . 2004-04-01 17:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-02-17 13:11 . 2008-02-29 18:17 <DIR> d-------- C:\VundoFix Backups
2008-02-16 18:27 . 2008-02-16 18:36 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\CopyToDvd
2008-02-16 17:56 . 2008-02-16 17:56 <DIR> d-------- C:\Temp
2008-02-16 17:56 . 2008-02-16 17:59 <DIR> d-------- C:\DVDVolume
2008-02-11 11:37 . 2008-02-11 11:37 <DIR> d-------- C:\Program Files\Libronix DLS
2008-02-11 11:37 . 2008-02-11 11:45 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Libronix DLS
2008-02-11 11:37 . 2008-02-11 11:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Libronix DLS
2008-02-09 18:16 . 2008-02-09 18:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Sony
2008-02-09 18:08 . 2008-02-09 18:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony
2008-02-09 18:07 . 2008-02-09 18:07 <DIR> d-------- C:\Program Files\Vstplugins
2008-02-09 18:06 . 2008-02-09 18:06 <DIR> d-------- C:\Program Files\Sony Setup
2008-02-08 16:39 . 2008-02-29 17:16 <DIR> d-------- C:\Program Files\Uninstall Plus! Trial v3.2
2008-02-08 15:57 . 2002-12-17 16:23 33,340 --a------ C:\WINDOWS\system32\dbmsqlgc.dll
2008-02-08 15:57 . 2002-10-20 14:05 24,576 --a------ C:\WINDOWS\system32\dbmsgnet.dll
2008-02-07 19:52 . 2004-08-03 23:10 48,128 --a------ C:\WINDOWS\system32\drivers\61883.sys
2008-02-07 19:52 . 2004-08-03 23:10 48,128 --a--c--- C:\WINDOWS\system32\dllcache\61883.sys
2008-02-07 19:52 . 2004-08-03 23:10 38,912 --a------ C:\WINDOWS\system32\drivers\avc.sys
2008-02-07 19:52 . 2004-08-03 23:10 38,912 --a--c--- C:\WINDOWS\system32\dllcache\avc.sys
2008-02-07 16:12 . 2006-09-12 07:46 227,328 -rahs---- C:\WINDOWS\system32\ac3DX.ax
2008-02-07 16:12 . 2008-02-04 15:26 151,040 --ahs---- C:\WINDOWS\system32\VistaUltm.dll
2008-02-07 16:12 . 2006-01-12 19:23 123,904 -rahs---- C:\WINDOWS\system32\AVCDX.ax
2008-02-07 16:12 . 2003-11-20 19:00 54,784 -rahs---- C:\WINDOWS\system32\RLAPEDec.ax
2008-02-07 16:12 . 2004-04-26 19:00 37,888 -rahs---- C:\WINDOWS\system32\RLMPCDec.ax
2008-02-07 16:12 . 2007-02-21 07:47 31,232 -rahs---- C:\WINDOWS\system32\msfDX.dll
2008-02-07 16:12 . 2007-12-17 09:43 27,648 --ahs---- C:\WINDOWS\system32\Smab0.dll
2008-02-07 16:12 . 2008-02-05 13:04 9,884 ---h----- C:\WINDOWS\super.chm
2008-02-07 15:59 . 2008-02-07 15:59 <DIR> d-------- C:\Program Files\eRightSoft
2008-02-07 15:59 . 2006-03-10 17:48 169,472 -rahs---- C:\WINDOWS\system32\MatroskaDX.ax
2008-02-07 15:59 . 2005-11-25 16:46 161,792 -rahs---- C:\WINDOWS\system32\RealMediaDX.ax
2008-02-07 15:27 . 2008-02-07 15:27 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-02-07 15:27 . 2004-02-22 10:11 719,872 --a------ C:\WINDOWS\system32\devil.dll
2008-02-07 15:27 . 2006-10-07 17:43 502,784 --a------ C:\WINDOWS\x2.64.exe
2008-02-07 15:27 . 2007-11-13 09:31 399,360 --a------ C:\WINDOWS\system32\Smab.dll
2008-02-07 15:27 . 2007-05-17 17:30 318,976 --a------ C:\WINDOWS\system32\avisynth.dll
2008-02-07 15:27 . 2005-02-28 13:16 240,128 --a------ C:\WINDOWS\system32\x.264.exe
2008-02-07 15:27 . 2006-04-12 09:47 217,073 --a------ C:\WINDOWS\meta4.exe
2008-02-07 15:27 . 2004-01-25 00:00 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
2008-02-07 15:27 . 2006-04-05 08:09 66,560 --a------ C:\WINDOWS\MOTA113.exe
2008-02-07 15:27 . 2005-07-14 12:31 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2008-02-07 15:25 . 2005-02-12 19:00 186,880 -rahs---- C:\WINDOWS\system32\RLOgg.ax
2008-02-07 15:25 . 2005-01-17 19:26 179,200 -rahs---- C:\WINDOWS\system32\DiracSplitter.ax
2008-02-07 15:25 . 2006-08-16 10:53 175,104 -rahs---- C:\WINDOWS\system32\CoreAAC.ax
2008-02-07 15:25 . 2006-05-03 06:06 163,328 -rahs---- C:\WINDOWS\system32\flvDX.dll
2008-02-07 15:25 . 2005-02-05 19:00 92,672 -rahs---- C:\WINDOWS\system32\RLVorbisDec.ax
2008-02-07 15:25 . 2005-02-22 12:55 81,920 -rahs---- C:\WINDOWS\system32\aac_parser.ax
2008-02-07 15:25 . 2005-02-12 19:00 67,584 -rahs---- C:\WINDOWS\system32\RLTheoraDec.ax
2008-02-07 15:25 . 2005-02-12 19:00 51,712 -rahs---- C:\WINDOWS\system32\RLSpeexDec.ax
2008-02-04 17:09 . 2008-02-04 17:09 <DIR> d-------- C:\WINDOWS\Sun
2008-02-04 15:57 . 2008-02-20 17:14 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AntiSpyware
2008-02-04 15:56 . 2008-02-25 19:46 <DIR> d-------- C:\Program Files\AntiSpywareApp
2008-02-03 15:13 . 2008-02-03 15:13 <DIR> d-------- C:\Program Files\VSO
2008-02-02 20:24 . 2008-02-26 19:26 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-02-02 17:03 . 2008-02-02 17:04 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-02-02 17:03 . 2004-07-20 16:24 1,568,768 --a------ C:\WINDOWS\system32\ImagX7.dll
2008-02-02 17:03 . 2004-07-20 16:24 476,320 --a------ C:\WINDOWS\system32\ImagXpr7.dll
2008-02-02 17:03 . 2004-07-20 16:24 471,040 --a------ C:\WINDOWS\system32\ImagXRA7.dll
2008-02-02 17:03 . 2004-07-09 08:43 364,544 --a------ C:\WINDOWS\system32\TwnLib4.dll
2008-02-02 17:03 . 2004-07-20 16:24 262,144 --a------ C:\WINDOWS\system32\ImagXR7.dll
2008-02-02 17:03 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-02-02 17:03 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-29 21:03 52,536 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-02-28 21:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-28 19:25 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2008-02-26 22:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-25 21:29 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-21 22:40 3,888 ----a-w C:\WINDOWS\viassary-hp.reg
2008-02-18 01:13 --------- d-----w C:\Program Files\Windows Defender
2008-02-18 01:12 --------- d-----w C:\Program Files\Norton AntiVirus
2008-02-18 01:11 --------- d-----w C:\Program Files\Google
2008-02-17 21:40 --------- d-----w C:\Program Files\PC-Doctor for Windows
2008-02-17 16:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-02-16 23:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\HP
2008-02-09 22:07 --------- d-----w C:\Program Files\Sony
2008-02-08 18:59 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-05 01:07 --------- d-----w C:\Program Files\DVDFab Platinum 4
2008-02-02 23:12 --------- d-----w C:\Program Files\InterVideo
2008-02-02 20:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-01 18:08 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-02-01 09:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-31 22:34 --------- d-----w C:\Program Files\QuickTime
2008-01-31 22:33 --------- d-----w C:\Program Files\Apple Software Update
2008-01-31 22:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-31 20:51 --------- d-----w C:\Program Files\FLVPlayer
2008-01-31 02:00 --------- d-----w C:\Documents and Settings\Owner\Application Data\Publish Providers
2008-01-31 01:27 --------- d-----w C:\Program Files\MSBuild
2008-01-31 01:23 --------- d-----w C:\Program Files\Reference Assemblies
2008-01-29 22:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-29 00:36 --------- d-----w C:\Program Files\Fellowes
2008-01-29 00:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Fellowes
2008-01-29 00:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\ImgBurn
2008-01-29 00:31 --------- d-----w C:\Program Files\ImgBurn
2008-01-28 18:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\PicturesToExe
2008-01-28 18:12 --------- d-----w C:\Program Files\WnSoft PicturesToExe
2008-01-28 15:11 --------- d-----w C:\Program Files\winrar extract
2008-01-28 15:02 --------- d-----w C:\Program Files\Webroot
2008-01-26 22:37 --------- d-----w C:\Program Files\Lavasoft
2008-01-26 15:09 --------- d-----w C:\Program Files\uTorrent
2008-01-25 23:15 --------- d-----w C:\Program Files\PhotoZoom Pro 2
2008-01-25 23:10 160,528 ----a-w C:\WINDOWS\Sqirlz Water Reflections Uninstaller.exe
2008-01-25 23:10 --------- d-----w C:\Program Files\Sqirlz Water Reflections
2008-01-23 11:25 --------- d-----w C:\Program Files\Active Data Recovery Services
2008-01-22 22:03 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-22 19:28 --------- d-----w C:\Program Files\Photodex Presenter
2008-01-22 19:28 --------- d-----w C:\Documents and Settings\Owner\Application Data\Netscape
2008-01-22 19:27 --------- d-----w C:\Program Files\Photodex
2008-01-22 19:25 --------- d-----w C:\Documents and Settings\Owner\Application Data\Photodex
2008-01-22 02:14 --------- d-----w C:\Documents and Settings\Owner\Application Data\Sonic
2008-01-22 02:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\Leadertech
2008-01-22 02:00 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-01-21 20:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2008-01-21 17:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-01-19 15:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-19 00:21 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-01-19 00:21 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-01-19 00:21 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-19 00:21 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-01-19 00:21 --------- d-----w C:\Program Files\Symantec
2008-01-19 00:14 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-18 22:09 --------- d-----w C:\Program Files\Seagate
2008-01-18 22:09 --------- d-----w C:\Program Files\Memeo
2008-01-18 22:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Tanagra
2008-01-18 01:43 --------- d-----w C:\Program Files\Common Files\CANON
2008-01-18 01:34 --------- d-----w C:\Program Files\Canon
2008-01-18 01:32 --------- d--h--w C:\Program Files\CanonBJ
2008-01-18 01:32 --------- d--h--w C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-01-18 01:05 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-01-18 01:05 --------- d-----w C:\Program Files\Common Files\HP
2008-01-18 01:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonic
2008-01-18 01:01 --------- d-----w C:\Program Files\Hewlett-Packard
2008-01-17 22:17 --------- d-----w C:\Program Files\Gspot
2008-01-17 21:24 --------- d-----w C:\Documents and Settings\Owner\Application Data\MSN6
2008-01-17 21:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
2008-01-17 21:19 --------- d-----w C:\Program Files\Easy Internet signup
2008-01-17 20:29 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-17 04:30 --------- d-----w C:\Program Files\Quicken
2008-01-17 04:22 --------- d-----w C:\Program Files\Sonic
2008-01-17 04:22 --------- d-----w C:\Program Files\RecordNow!
2008-01-17 04:22 --------- d-----w C:\Program Files\InterMute
2008-01-17 04:22 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-01-17 04:22 --------- d-----w C:\Program Files\Common Files\Sonic
2008-01-17 03:37 4,050 --sha-r C:\WINDOWS\system32\drivers\HP_PC028A-ABA a620n_YC_Pavi_QMXM433_E43NAheBLU3_4_IKelut_SASUSTek Computer INC._V2.02_B3.09_T040709_WXH1_L409_M1024_J160_7AMD_8Athlon XP 3200+_92.2_111063044_N11063065_P_Z11C1048C_K_A11063059_U11063038_G10025046_O_DACR077C.MRK
2008-01-17 03:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2008-01-17 02:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\InterVideo
2008-01-17 02:15 --------- d-----w C:\Documents and Settings\Owner\Application Data\Motive
2008-01-17 02:05 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-01-17 02:05 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2008-01-17 01:50 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-17 01:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-01-15 13:54 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-01-15 09:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-12 22:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-01-04 21:58 43,528 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2006-02-19 07:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2006-05-03 10:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 11:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-01-31 01:03 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-27 20:01 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 20:04 52736]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-08-21 07:15 483328]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 23:02 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-13 20:43 233472]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 09:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 19:57 81920]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"StxTrayMenu"="C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 13:20 190008]
"UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 13:15 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-25 00:53 714608]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^AutoBackup Launcher.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\AutoBackup Launcher.lnk
backup=C:\WINDOWS\pss\AutoBackup Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=C:\WINDOWS\pss\HP Organize.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\IMStart.lnk
backup=C:\WINDOWS\pss\IMStart.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\44a5cdc3]
C:\WINDOWS\system32\pkfjhkgp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]
c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
--a------ 2004-01-13 21:10 409600 C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 19:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 02:41 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
--a------ 2003-08-21 07:23 49152 c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 15:45 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDUiP6700DMon]
--a------ 2006-03-16 14:47 61440 C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2003-07-10 15:26 654848 C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-01-27 20:01 171448 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-04-01 04:41 151597 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]


[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\copies of programs on computer\\uTorrent.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=

R2 CX23880;MSI 8606 Video Capture;C:\WINDOWS\system32\drivers\CX88Vid.SYS [2003-08-28 03:14]
R2 CX88XBAR;MSI 8606 Crossbar;C:\WINDOWS\system32\drivers\CX88XBar.SYS [2003-03-19 01:50]
R2 CXTUNE;MSI 8606 Tuner;C:\WINDOWS\system32\drivers\CX88Tune.SYS [2003-08-21 03:35]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 22:29]
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 20:27]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-01-12 18:32]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 20:27]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 17:16:21 C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job"
- C:\Program Files\AntiSpywareApp\AntiSpyware.ex
- C:\Program Files\AntiSpywareApp
"2008-02-25 22:36:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-01 04:03:36 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-02-26 00:00:11 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-01 14:40:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-01 14:41:44
ComboFix-quarantined-files.txt 2008-03-01 18:41:28
ComboFix2.txt 2008-03-01 11:47:18
ComboFix3.txt 2008-03-01 04:27:21
.
2008-02-29 00:46:44 --- E O F ---


The HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:43:46 PM, on 3/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200597853156
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 7437 bytes

#10 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 01 March 2008 - 02:17 PM

Hi Charlotte,

Nope, still the same. No file, folder deletions were done by ComboFix.

A quick question. :blink:

When you did this:

Copy/paste the text in the code box below into notepad:

did you omit the word Code from the text?
If the word Code is included, then the fix will not work.

And did you use NotePad? (no other text editor will work). :thumbsup: Thanks.

Edited by SifuMike, 01 March 2008 - 02:25 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 CAnn

  • Topic Starter
  • Members
  • 18 posts

Posted 01 March 2008 - 02:46 PM

Hi
I only copied the text that was in the box, starting where it said "file". Here is a copy of the script that I copied, saved and dragged onto the ComboFix icon. I had all antivirus etc. turned off as before.
This is what is in the CFScript file that I copied:

File::
C:\WINDOWS\system32\pkfjhkgp.dll
C:\WINDOWS\wininit.ini
C:\WINDOWS\system32\xioqxpsv.ini
C:\WINDOWS\system32\dkebwiqy.ini
C:\47.tmp
C:\490.tmp
C:\252.tmp

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\44a5cdc3]

Wonder what I must be doing wrong?? Should I re-download and run ComboFix again?
Charlotte
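A small checker for the CFScript layout shown in this post, added here as an example and not code from the thread or from ComboFix itself: it assumes the section headers visible above (File::, Folder::, Registry::), that File:: and Folder:: entries are absolute paths, and the regedit-style [-KEY] deletion syntax; it splits the script into sections and reports the stray "Code" label that SifuMike asks about in the previous post as text that precedes the first section header.

```python
import re
from dataclasses import dataclass, field

# A section header is a bare word followed by two colons, e.g. "File::".
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
# An absolute Windows path: drive letter, colon, backslash.
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Regedit-style key deletion inside Registry::, as used in the post above.
REG_DELETE_RE = re.compile(r"^\[-(HKEY_[A-Z_]+\\[^\]]+)\]$")
# Sections whose entries are file-system paths (assumption: these two).
PATH_SECTIONS = {"File", "Folder"}


@dataclass
class CFScript:
    sections: dict = field(default_factory=dict)  # section name -> entries
    problems: list = field(default_factory=list)  # findings, in file order


def parse_cfscript(text: str) -> CFScript:
    """Split a CFScript into its sections and record lines it cannot use."""
    script = CFScript()
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            script.sections.setdefault(current, [])
            continue
        if current is None:
            # Text before the first header, such as a stray "Code" label copied
            # from a forum code box, belongs to no section and is unusable.
            script.problems.append(
                f"line {lineno}: text before first section header: {line!r}")
            continue
        if current in PATH_SECTIONS and not ABS_PATH_RE.match(line):
            script.problems.append(
                f"line {lineno}: {current}:: entry is not an absolute path: {line!r}")
        script.sections[current].append(line)
    if not script.sections:
        script.problems.append("no section headers found")
    return script


def registry_deletions(script: CFScript) -> list:
    """Return the registry keys that the Registry:: section asks to delete."""
    keys = []
    for entry in script.sections.get("Registry", []):
        m = REG_DELETE_RE.match(entry)
        if m:
            keys.append(m.group(1))
    return keys


# Constructed sample: the script from the post above, saved correctly.
GOOD_SCRIPT = r"""File::
C:\WINDOWS\system32\pkfjhkgp.dll
C:\WINDOWS\wininit.ini
C:\WINDOWS\system32\xioqxpsv.ini
C:\WINDOWS\system32\dkebwiqy.ini
C:\47.tmp
C:\490.tmp
C:\252.tmp

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\44a5cdc3]
"""

# Constructed sample: the same script with the forum's "Code" label pasted in.
BAD_SCRIPT = "Code\n" + GOOD_SCRIPT

if __name__ == "__main__":
    for name, text in (("good", GOOD_SCRIPT), ("bad", BAD_SCRIPT)):
        s = parse_cfscript(text)
        print(name, {k: len(v) for k, v in s.sections.items()}, s.problems)
```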

#12 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 01 March 2008 - 02:54 PM

Hi Charlotte,

Wonder what I must be doing wrong?? Should I re-download and run ComboFix again?


No, don't do anything yet.

I think ComboFix is having a problem. :blink: Another person is having the same problem as you.

Before I go to plan B, let me contact sUBs, the maker of the tool.

ComboFix renames the CFScript to cfscript_used<date>@<time>.txt

Example:
C:\Documents and Settings\Owner\Desktop\cfscript_used_2007-10-09@0.26.txt


Please copy and post cfscript_used<date>@<time>.txt to this thread.

Thanks. :thumbsup:

Edited by SifuMike, 01 March 2008 - 03:01 PM.


#13 CAnn

  • Topic Starter
  • Members
  • 18 posts

Posted 01 March 2008 - 04:08 PM

Hmm... I don't have a "cfscript_used<date>@<time>.txt" anywhere on my computer. I did a search and there was no such file anywhere. When the log came up on my computer, I did not save it, but rather just copied and pasted it to this forum. Should I redo the last step and re-run ComboFix and save as cfscript_used<date>@<time>.txt?
Charlotte

#14 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 01 March 2008 - 04:20 PM

Should I redo the last step and re-run ComboFix and save as cfscript_used<date>@<time>.txt?


No, let's do this (I am thinking it is a problem with the version of ComboFix you are using):

1. Delete the version of ComboFix you have on your desktop.

2. Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Edited by SifuMike, 01 March 2008 - 04:24 PM.


#15 CAnn

  • Topic Starter
  • Members
  • 18 posts

Posted 01 March 2008 - 04:27 PM

Do I need to re-add the Windows XP Recovery Console to this new copy of ComboFix?



