Possible Vundo Virus


  • This topic is locked
14 replies to this topic

#1 Travelgeek

  • Members
  • 8 posts

Posted 07 April 2008 - 10:00 PM

Hi there,

Hope you can help me.
I am just posting a lot of logs as requested in your "how to submit a request for help" file.

Here is what I did so far.
When I ended up with the "spyware threat" on my desktop, I ran SmitFraudFix and it did remove the warning and clean up my desktop.
However, the pop-ups didn't stop and, worse, I wasn't able to download files using FTP in Bluehost (it blocked everything using ads).

Scanned with SUPERAntiSpyware both in normal and in safe mode. It took care of some of the problems; right now it comes up with only one thing: Adware.Tracking Cookie. Before, it gave me Vundo Variant and Vundo-Variant Small2.

Downloaded VundoFix and scanned. It gave me 3 files and took more than an hour. I asked it to remove the files and it ran for more than 4 hours without blinking even once. Scanned again; it again took more than an hour and gave me two different files. Removing the files ran for 4 hours again until I gave up.

Then I ran VirtumundoBeGone (saved in normal mode, ran in safe mode). Here is the log for that:

[04/07/2008, 17:22:03] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Karen van Loon\Desktop\VirtumundoBeGone.exe" )
[04/07/2008, 17:22:10] - Detected System Information:
[04/07/2008, 17:22:10] - Windows Version: 5.1.2600, Service Pack 2
[04/07/2008, 17:22:10] - Current Username: Karen van Loon (Admin)
[04/07/2008, 17:22:10] - Windows is in SAFE mode.
[04/07/2008, 17:22:10] - Searching for Browser Helper Objects:
[04/07/2008, 17:22:10] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[04/07/2008, 17:22:10] - BHO 2: {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} (Ask Search Assistant BHO)
[04/07/2008, 17:22:10] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/07/2008, 17:22:10] - BHO 4: {826A5ED9-1316-4EFD-87F8-AA400C5D551A} ()
[04/07/2008, 17:22:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/07/2008, 17:22:10] - Checking for HKLM\...\Winlogon\Notify\ssqRHxvt
[04/07/2008, 17:22:10] - Found: HKLM\...\Winlogon\Notify\ssqRHxvt - This is probably Virtumundo.
[04/07/2008, 17:22:10] - Assigning {826A5ED9-1316-4EFD-87F8-AA400C5D551A} MSEvents Object
[04/07/2008, 17:22:10] - BHO list has been changed! Starting over...
[04/07/2008, 17:22:10] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[04/07/2008, 17:22:10] - BHO 2: {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} (Ask Search Assistant BHO)
[04/07/2008, 17:22:10] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/07/2008, 17:22:10] - BHO 4: {826A5ED9-1316-4EFD-87F8-AA400C5D551A} (MSEvents Object)
[04/07/2008, 17:22:10] - ALERT: Found MSEvents Object!
[04/07/2008, 17:22:10] - BHO 5: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (Windows Live Toolbar Helper)
[04/07/2008, 17:22:10] - BHO 6: {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} (Ask Toolbar BHO)
[04/07/2008, 17:22:10] - Finished Searching Browser Helper Objects
[04/07/2008, 17:22:10] - *** Detected MSEvents Object
[04/07/2008, 17:22:10] - Trying to remove MSEvents Object...
[04/07/2008, 17:22:11] - Terminating Process: IEXPLORE.EXE
[04/07/2008, 17:22:12] - Terminating Process: RUNDLL32.EXE
[04/07/2008, 17:22:12] - Disabling Automatic Shell Restart
[04/07/2008, 17:22:12] - Terminating Process: EXPLORER.EXE
[04/07/2008, 17:22:12] - Suspending the NT Session Manager System Service
[04/07/2008, 17:22:12] - Terminating Windows NT Logon/Logoff Manager
[04/07/2008, 17:22:12] - Re-enabling Automatic Shell Restart
[04/07/2008, 17:22:12] - File to disable: C:\WINDOWS\system32\ssqRHxvt.dll
[04/07/2008, 17:22:12] - Renaming C:\WINDOWS\system32\ssqRHxvt.dll -> C:\WINDOWS\system32\ssqRHxvt.dll.vir
[04/07/2008, 17:22:12] - File successfully renamed!
[04/07/2008, 17:22:12] - Removing HKLM\...\Browser Helper Objects\{826A5ED9-1316-4EFD-87F8-AA400C5D551A}
[04/07/2008, 17:22:12] - Removing HKCR\CLSID\{826A5ED9-1316-4EFD-87F8-AA400C5D551A}
[04/07/2008, 17:22:12] - Adding Kill Bit for ActiveX for GUID: {826A5ED9-1316-4EFD-87F8-AA400C5D551A}
[04/07/2008, 17:22:12] - Deleting ATLEvents/MSEvents Registry entries
[04/07/2008, 17:22:12] - Removing HKLM\...\Winlogon\Notify\ssqRHxvt
[04/07/2008, 17:22:12] - Searching for Browser Helper Objects:
[04/07/2008, 17:22:12] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[04/07/2008, 17:22:12] - BHO 2: {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} (Ask Search Assistant BHO)
[04/07/2008, 17:22:12] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/07/2008, 17:22:12] - BHO 4: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (Windows Live Toolbar Helper)
[04/07/2008, 17:22:12] - BHO 5: {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} (Ask Toolbar BHO)
[04/07/2008, 17:22:12] - Finished Searching Browser Helper Objects
[04/07/2008, 17:22:12] - Finishing up...
[04/07/2008, 17:22:12] - A restart is needed.
[04/07/2008, 17:22:28] - Attempting to Restart via STOP error (Blue Screen!)

The HJT log looks like this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:37 PM, on 4/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\Internet Content Filter\SafeEyes.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Karen van Loon\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Safe &Eyes Toolbar - {430DDB4F-38CC-4E91-AF33-4157334EC937} - C:\Program Files\Internet Content Filter\setoolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: <Link> Navigation Bar - {2BE4AEDC-423D-4A44-8592-A948D90D6C3C} - C:\WINDOWS\system32\LinkBar.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Smapp] "C:\Program Files\Analog Devices\SoundMAX\Smtray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [vptray] "C:\Program Files\NavNT\vptray.exe"
O4 - HKLM\..\Run: [vdrdpup] C:\WINDOWS\system32\rundll32 C:\WINDOWS\system32\vdrdpup.dll,RegisterVirtualChannel
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [ICF] "C:\Program Files\Internet Content Filter\SafeEyes.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [401577a5] rundll32.exe "C:\WINDOWS\system32\nnkjhgcj.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [DX4TH7zJOH] C:\Documents and Settings\All Users.WINDOWS\Application Data\xmfcfuxu\lapcxyxu.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: <Link> Navigation Bar - {2BE4AEDC-423D-4A44-8592-A948D90D6C3C} - C:\WINDOWS\system32\LinkBar.dll
O9 - Extra 'Tools' menuitem: <Link> Navigation Bar - {2BE4AEDC-423D-4A44-8592-A948D90D6C3C} - C:\WINDOWS\system32\LinkBar.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: icf.dll
O10 - Unknown file in Winsock LSP: icf.dll
O10 - Unknown file in Winsock LSP: icf.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121243402187
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://connect.imf.org/dana-cached/setup/J...perSetupSP1.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: RamRunOnce - {eee2d9bf-3aa8-4ad7-b074-34ddaa3f1af3} - C:\WINDOWS\Installer\{eee2d9bf-3aa8-4ad7-b074-34ddaa3f1af3}\RamRunOnce.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe

--
End of file - 9685 bytes


Then I tried to scan with Kaspersky, but for some reason it keeps on saying "update failed, no scan possible", so no log for that.

DSS gave me the following logs:

Main.txt:

Deckard's System Scanner v20071014.68
Run by Karen van Loon on 2008-04-07 22:18:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-04-08 02:19:10 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 86% (more than 75%).
Total Physical Memory: 255 MiB (512 MiB recommended).


-- HijackThis (run as Karen van Loon.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:35 PM, on 4/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\Internet Content Filter\SafeEyes.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Karen van Loon\Desktop\dss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\KARENV~1\Desktop\Karen van Loon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Safe &Eyes Toolbar - {430DDB4F-38CC-4E91-AF33-4157334EC937} - C:\Program Files\Internet Content Filter\setoolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: <Link> Navigation Bar - {2BE4AEDC-423D-4A44-8592-A948D90D6C3C} - C:\WINDOWS\system32\LinkBar.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Smapp] "C:\Program Files\Analog Devices\SoundMAX\Smtray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [vptray] "C:\Program Files\NavNT\vptray.exe"
O4 - HKLM\..\Run: [vdrdpup] C:\WINDOWS\system32\rundll32 C:\WINDOWS\system32\vdrdpup.dll,RegisterVirtualChannel
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [ICF] "C:\Program Files\Internet Content Filter\SafeEyes.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [401577a5] rundll32.exe "C:\WINDOWS\system32\nnkjhgcj.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [DX4TH7zJOH] C:\Documents and Settings\All Users.WINDOWS\Application Data\xmfcfuxu\lapcxyxu.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: <Link> Navigation Bar - {2BE4AEDC-423D-4A44-8592-A948D90D6C3C} - C:\WINDOWS\system32\LinkBar.dll
O9 - Extra 'Tools' menuitem: <Link> Navigation Bar - {2BE4AEDC-423D-4A44-8592-A948D90D6C3C} - C:\WINDOWS\system32\LinkBar.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: icf.dll
O10 - Unknown file in Winsock LSP: icf.dll
O10 - Unknown file in Winsock LSP: icf.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121243402187
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://connect.imf.org/dana-cached/setup/J...perSetupSP1.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: RamRunOnce - {eee2d9bf-3aa8-4ad7-b074-34ddaa3f1af3} - C:\WINDOWS\Installer\{eee2d9bf-3aa8-4ad7-b074-34ddaa3f1af3}\RamRunOnce.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe

--
End of file - 9771 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 dsNcAdpt (Juniper Network Connect Adapter) - c:\windows\system32\drivers\dsncadpt.sys <Not Verified; Juniper Networks; Network Connect>
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >
R3 PCANDIS5 (PCANDIS5 Protocol Driver) - c:\windows\system32\pcandis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 SYMIDSCO - c:\progra~1\common~1\symant~1\symcdata\ids-di~1\20040831.004\symidsco.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 dsNcService (Juniper Network Connect Service) - c:\program files\juniper networks\common files\dsncservice.exe <Not Verified; Juniper Networks; Network Connect>

S2 NICSer_WMP11 - c:\program files\linksys\wireless-b pci adapter\nicserv.exe
S3 VundoFixSvc (VundoFix Service) - vundofixsvc.exe <Not Verified; Atribune.org; Vundofix Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: InstallDriver Table Manager
Device ID: ROOT\LEGACY_IDRIVERT\0000
Manufacturer:
Name: InstallDriver Table Manager
PNP Device ID: ROOT\LEGACY_IDRIVERT\0000
Service:

Class GUID:
Description: iPod Service
Device ID: ROOT\LEGACY_IPOD_SERVICE\0000
Manufacturer:
Name: iPod Service
PNP Device ID: ROOT\LEGACY_IPOD_SERVICE\0000
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-04-07 22:22:15 256 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-04-07 17:26:44 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2004-12-25 21:12:41 372 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1096158938.job


-- Files created between 2008-03-07 and 2008-04-07 -----------------------------

2008-04-07 22:11:07 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-04-07 22:11:02 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-07 22:10:56 0 d-------- C:\WINDOWS\LastGood
2008-04-07 18:17:41 24576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-04-07 17:39:13 0 d-------- C:\VundoFix Backups
2008-04-07 17:21:04 0 d-------- C:\WINDOWS\CSC
2008-04-07 13:12:05 85056 -----n--- C:\WINDOWS\system32\nnkjhgcj.dll
2008-04-07 13:11:02 256755 --ahs---- C:\WINDOWS\system32\iRrYJkkj.ini2
2008-04-06 12:40:09 200439 --ahs---- C:\WINDOWS\system32\Tsrtutwa.ini2
2008-04-03 09:39:06 3442 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-03 09:37:33 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-03 09:37:33 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-03 09:37:32 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-03 09:37:31 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-04-03 09:37:31 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-04-03 09:37:31 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-03 09:37:30 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-03 09:12:50 182412 --ahs---- C:\WINDOWS\system32\IQXwHRqr.ini2
2008-04-03 08:17:26 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-04-03 08:16:46 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-03 08:16:46 0 d-------- C:\Documents and Settings\Karen van Loon\Application Data\SUPERAntiSpyware.com
2008-04-03 08:16:17 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-03 07:38:30 1728 --a------ C:\WINDOWS\system32\fnnodchs.exe
2008-04-03 07:38:16 1767 --a------ C:\WINDOWS\system32\micfkhis.dll
2008-04-02 17:00:24 0 d-------- C:\Program Files\AskSBar
2008-04-02 16:59:28 164 --a------ C:\install.dat
2008-04-02 16:55:34 178353 --ahs---- C:\WINDOWS\system32\UFPoqtwa.ini2
2008-04-02 14:44:43 4096 --a------ C:\WINDOWS\system32\winlogonpc.exe
2008-04-02 14:44:42 4096 --a------ C:\WINDOWS\userconfig9x.dll
2008-04-02 14:44:42 4096 --a------ C:\WINDOWS\FVProtect.exe
2008-04-02 14:44:39 4096 --a------ C:\WINDOWS\system32\hoproxy.dll
2008-04-02 14:44:38 4096 --a------ C:\WINDOWS\system32\taack.exe
2008-04-02 14:44:38 4096 --a------ C:\WINDOWS\system32\taack.dat
2008-04-02 14:44:38 4096 --a------ C:\WINDOWS\system32\sncntr.exe
2008-04-02 14:44:38 4096 --a------ C:\WINDOWS\system32\mwin32.exe
2008-04-02 14:44:38 4096 --a------ C:\WINDOWS\system32\hxiwlgpm.exe
2008-04-02 14:44:38 4096 --a------ C:\WINDOWS\system32\hxiwlgpm.dat
2008-04-02 14:44:38 4096 --a------ C:\WINDOWS\a.bat
2008-04-02 14:44:37 0 d-------- C:\Documents and Settings\Karen van Loon\Desktop\virii
2008-04-02 14:44:36 4096 --a------ C:\WINDOWS\system32\psoft1.exe
2008-04-02 14:44:36 4096 --a------ C:\WINDOWS\system32\psof1.exe
2008-04-02 14:44:36 4096 --a------ C:\WINDOWS\system32\ps1.exe
2008-04-02 14:44:36 4096 --a------ C:\WINDOWS\system32\msnbho.dll
2008-04-02 14:44:36 4096 --a------ C:\WINDOWS\system32\bsva-egihsg52.exe
2008-04-02 14:44:36 4096 --a------ C:\WINDOWS\iTunesMusic.exe
2008-04-02 14:44:35 4096 --a------ C:\WINDOWS\system32\ssurf022.dll
2008-04-02 14:44:35 0 d-------- C:\WINDOWS\system32\smp
2008-04-02 14:44:35 4096 --a------ C:\WINDOWS\system32\medup020.dll
2008-04-02 14:44:35 4096 --a------ C:\WINDOWS\system32\medup012.dll
2008-04-02 14:44:34 4096 --a------ C:\WINDOWS\system32\netode.exe
2008-04-02 14:44:34 4096 --a------ C:\WINDOWS\system32\mtr2.exe
2008-04-02 14:44:34 4096 --a------ C:\WINDOWS\system32\msgp.exe
2008-04-02 14:44:33 4096 --a------ C:\WINDOWS\system32\temp#01.exe
2008-04-02 14:44:33 4096 --a------ C:\WINDOWS\system32\h@tkeysh@@k.dll
2008-04-02 14:44:33 0 d-------- C:\Program Files\Inet Delivery
2008-04-02 14:44:32 4096 --a------ C:\WINDOWS\system32\dpcproxy.exe
2008-04-02 14:44:31 4096 --a------ C:\WINDOWS\system32\ssvchost.exe
2008-04-02 14:44:31 4096 --a------ C:\WINDOWS\system32\ssvchost.com
2008-04-02 14:44:31 4096 --a------ C:\WINDOWS\system32\regm64.dll
2008-04-02 14:44:31 4096 --a------ C:\WINDOWS\system32\regc64.dll
2008-04-02 14:44:31 4096 --a------ C:\WINDOWS\system32\msvchost.exe
2008-04-02 14:44:31 4096 --a------ C:\Documents and Settings\Karen van Loon\Desktop\filemanagerclient.exe
2008-04-02 14:44:29 4096 --a------ C:\WINDOWS\system32\thun32.dll
2008-04-02 14:44:29 4096 --a------ C:\WINDOWS\system32\thun.dll
2008-04-02 14:44:29 4096 --a------ C:\WINDOWS\system32\Rundl1.exe
2008-04-02 14:44:29 4096 --a------ C:\Documents and Settings\Karen van Loon\Desktop\FWebdEditor.exe
2008-04-02 14:44:29 4096 --a------ C:\Documents and Settings\Karen van Loon\Desktop\fwebd.exe
2008-04-02 14:44:28 4096 --a------ C:\WINDOWS\winsystem.exe
2008-04-02 14:44:28 4096 --a------ C:\WINDOWS\system32\WINWGPX.EXE
2008-04-02 14:44:28 4096 --a------ C:\WINDOWS\system32\winsystem.exe
2008-04-02 14:44:28 4096 --a------ C:\WINDOWS\system32\vcatchpi.dll
2008-04-02 14:44:28 4096 --a------ C:\WINDOWS\system32\sysreq.exe
2008-04-02 14:44:28 4096 --a------ C:\WINDOWS\system32\newsd32.exe
2008-04-02 14:44:28 4096 --a------ C:\WINDOWS\system32\mssecu.exe
2008-04-02 14:44:28 4096 --a------ C:\WINDOWS\system32\emesx.dll
2008-04-02 14:44:28 4096 --a------ C:\WINDOWS\system32\bdn.com
2008-04-02 14:44:28 4096 --a------ C:\WINDOWS\system32\anticipator.dll
2008-04-02 14:44:28 4096 --a------ C:\WINDOWS\system32\akttzn.exe
2008-04-02 14:44:28 4096 --a------ C:\WINDOWS\mssecu.exe
2008-04-02 14:44:28 4096 --a------ C:\WINDOWS\bdn.com
2008-04-02 14:44:27 4096 --a------ C:\WINDOWS\system32\awtoolb.dll
2008-04-02 14:44:27 0 d-------- C:\WINDOWS\mslagent
2008-04-02 14:44:26 4096 --a------ C:\WINDOWS\system32\vbsys2.dll
2008-04-02 14:44:14 262144 --a------ C:\WINDOWS\sxfnewqb.dll
2008-04-02 14:44:14 241664 --a------ C:\WINDOWS\svpekgonlmf.dll
2008-04-02 14:43:49 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\xmfcfuxu
2008-03-30 16:55:51 0 d-------- C:\Documents and Settings\verhoevens\Application Data\InstallShield


-- Find3M Report ---------------------------------------------------------------

2008-04-03 08:16:17 0 dr------- C:\Program Files\Common Files
2008-04-02 19:10:52 0 d-------- C:\Documents and Settings\Karen van Loon\Application Data\Lavasoft
2008-04-01 16:45:41 0 d-------- C:\Program Files\Internet Content Filter
2008-02-13 09:14:21 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-11 17:23:14 287232 --a------ C:\WINDOWS\system32\seinst.dll <Not Verified; InternetSafety.com, Inc.; Safe Eyes>
2008-02-11 17:22:40 275968 --a------ C:\WINDOWS\sediag.exe <Not Verified; InternetSafety.com, Inc.; Winsock Diagnostics>
2008-02-07 18:09:08 260608 --a------ C:\WINDOWS\system32\ICF.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
04/02/2008 05:00 PM 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
04/02/2008 05:00 PM 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [08/04/2004 03:56 AM C:\WINDOWS\SYSTEM32\rundll32.exe]
"nwiz"="nwiz.exe" [04/02/2003 07:40 PM C:\WINDOWS\SYSTEM32\nwiz.exe]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [06/26/2002 09:36 PM]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [08/20/2002 01:29 PM]
"vptray"="C:\Program Files\NavNT\vptray.exe" [06/03/2002 02:09 PM]
"vdrdpup"="C:\WINDOWS\system32\C:\WINDOWS\system32\vdrdpup.dll" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [06/03/2005 03:52 AM]
"@"="" []
"Zone Labs Client"="C:\Program Files\Zone Labs\Integrity Client\iclient.exe" [02/07/2005 03:42 AM]
"ICF"="C:\Program Files\Internet Content Filter\SafeEyes.exe" [02/25/2008 03:56 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/25/2006 07:58 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/30/2006 10:36 AM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [03/09/2007 11:09 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"401577a5"="C:\WINDOWS\system32\nnkjhgcj.dll" [04/07/2008 01:12 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [4/6/2003 4:06:58 AM]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [4/6/2003 3:37:38 AM]
Wireless-B PCI Adapter Utility.lnk - C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe [2/20/2006 12:30:08 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"DX4TH7zJOH"=C:\Documents and Settings\All Users.WINDOWS\Application Data\xmfcfuxu\lapcxyxu.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"RamRunOnce"= {eee2d9bf-3aa8-4ad7-b074-34ddaa3f1af3} - C:\WINDOWS\Installer\{eee2d9bf-3aa8-4ad7-b074-34ddaa3f1af3}\RamRunOnce.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkJYrRi

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-04-07 22:28:09 ------------


extra.txt:
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.40GHz
Percentage of Memory in Use: 61%
Physical Memory (total/avail): 254.8 MiB / 98.43 MiB
Pagefile Memory (total/avail): 623.82 MiB / 164.73 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1922.7 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 15.27 GiB total, 3.9 GiB free.
D: is Fixed (FAT32) - 15.26 GiB total, 7.9 GiB free.
E: is Fixed (NTFS) - 45.77 GiB total, 42.48 GiB free.
H: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - Maxtor 6Y080L0 - 76.33 GiB - 3 partitions
\PARTITION0 (bootable) - Installable File System - 15.27 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 61.05 GiB - D: - E:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AntivirusOverride is set.

FW: Integrity Flex Firewall v5.1.556.168 (Zone Labs, Inc.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~os530.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~os530.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~osD8.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~osD8.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~osDA.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~osDA.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~osDC.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~osDC.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~osDE.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~osDE.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~osE0.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~osE0.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os18.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os18.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os1A.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os1A.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os1C.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os1C.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os1E.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os1E.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os20.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os20.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os22.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os22.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~osE2.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~osE2.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os24.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os24.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~osE4.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~osE4.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os26.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os26.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~osE6.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~osE6.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os28.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os28.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~osE8.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~osE8.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os36.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os36.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os38.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os38.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os3A.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os3A.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os3C.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os3C.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os3E.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os3E.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os40.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os40.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os42.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os42.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os44.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os44.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os46.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os46.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os48.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os48.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os4A.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os4A.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os4C.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os4C.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os4E.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os4E.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os50.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os50.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os52.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os52.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os54.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os54.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os56.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os56.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os58.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os58.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os5A.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os5A.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os5C.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os5C.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os5E.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os5E.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os60.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os60.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os62.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os62.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os64.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os64.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os66.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os66.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os6C.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os6C.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os6E.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os6E.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os70.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os70.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os72.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os72.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os74.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os74.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os76.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os76.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os78.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os78.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os7A.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os7A.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os7C.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os7C.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os7E.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os7E.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os80.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os80.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os82.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os82.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os84.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os84.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os86.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os86.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os88.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os88.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os8A.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os8A.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os8C.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os8C.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os8E.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os8E.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os90.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os90.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os92.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os92.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os94.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os94.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os96.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os96.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os98.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os98.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os9A.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os9A.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os9C.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os9C.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os9E.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~os9E.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osA0.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osA0.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osA2.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osA2.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osA4.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osA4.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osA6.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osA6.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osA8.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osA8.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osAA.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osAA.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osAC.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osAC.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osAE.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osAE.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osB0.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osB0.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osB2.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osB2.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osB4.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osB4.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osB6.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osB6.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osB8.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osB8.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osBA.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osBA.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osBC.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osBC.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osBE.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osBE.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osC0.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osC0.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osC2.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osC2.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osC4.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osC4.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osC6.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osC6.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osC8.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osC8.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osCA.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osCA.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osCC.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osCC.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osCE.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osCE.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osD0.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osD0.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osD2.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osD2.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osD4.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osD4.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osD6.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osD6.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osD8.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osD8.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osDA.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osDA.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osDC.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osDC.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osDE.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osDE.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osE0.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osE0.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osE2.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osE2.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"c:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osE4.tmp\\ossproxy.exe"="c:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osE4.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osE6.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osE6.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osE8.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osE8.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osEA.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osEA.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osEC.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osEC.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osEE.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osEE.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osF0.tmp\\ossproxy.exe"="C:\\Documents and Settings\\verhoevens\\Local Settings\\Temp\\~osF0.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~os389.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~os389.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~os38E.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~os38E.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~os391.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~os391.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~os394.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~os394.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~os397.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~os397.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~os399.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~os399.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~os39B.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~os39B.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~os39D.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~os39D.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~os39F.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~os39F.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~os3A1.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~os3A1.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~os3A3.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Karen van Loon\\Local Settings\\Temp\\~os3A3.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS
APPDATA=C:\Documents and Settings\Karen van Loon\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=KARENVANLOON
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Karen van Loon
LOGONSERVER=\\KARENVANLOON
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\KARENV~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\KARENV~1\LOCALS~1\Temp
USERDOMAIN=KARENVANLOON
USERNAME=Karen van Loon
USERPROFILE=C:\Documents and Settings\Karen van Loon
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Karen van Loon (admin)
verhoevens (admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FE4CEC16-DD42-42E5-BE73-F8E65AD530C9}\Setup.exe" -l0x9 UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
<LINK> Navigation Bar 0.70 --> "C:\WINDOWS\system32\unins000.exe"
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe® Photoshop® Album Starter Edition 3.2 --> MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
Ask Toolbar --> rundll32 C:\PROGRA~1\AskSBar\bar\1.bin\AskSBar.dll,O
AWhere-ACT 3.6 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{30E37920-9B70-4A9E-BC9F-53367ED39B5D}
Cimaware OfficeFIX 4 --> C:\Program Files\Cimaware\OfficeFix4\uninst.exe
Citrix ICA Client --> C:\WINDOWS\ISUNINST.EXE -fC:\PROGRA~1\Citrix\ICACLI~1\Uninst.isu -cC:\PROGRA~1\Citrix\ICACLI~1\uninstpn.dll
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Creative DVD Audio Plugin for Audigy Series --> "C:\Program Files\Creative\CTDPlugin\CTUIDVD.exe " -u
CutePDF Writer 2.7 --> C:\Program Files\Acro Software\CutePDF Writer\uninscpw.exe /uninstall
EmPipe --> C:\Program Files\EmPipe\UNINSTAL.EXE
EOL Universal Printer Client --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD4776A5-A39D-4208-AC34-AF4373C81967}\Setup.exe" /u
Form Fill (Windows Live Toolbar) --> MsiExec.exe /X{548B3DC6-2300-47E1-BA7B-74AD25F8DEBF}
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
HijackThis 2.0.2 --> "C:\Documents and Settings\Karen van Loon\Desktop\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Memories Disc --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
hp officejet 6100 series --> MsiExec.exe /X{12BB7942-1E1F-43D9-B441-4668C1629425}
hp officejet 6100 series --> rundll32 hpzcon07.dll,VendorJettison hp officejet 6100 series
HP Photo and Imaging 2.0 - All-in-One --> MsiExec.exe /X{9867A917-5D17-40DE-83BA-BEA5293194B1}
HP Photo and Imaging 2.0 - All-in-One Drivers --> MsiExec.exe /X{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}
HP Photo and Imaging 2.0 - hp officejet 6100 series --> C:\Program Files\Hewlett-Packard\Digital Imaging\{7C8BB31C-E09E-4c7d-BBF1-45E33B467FE1}\Setup\hpzscr01.exe -datfile hposcr02.dat -forcereboot
HyperStudio 4 Player --> C:\WINDOWS\Unwise32.exe C:\WINDOWS\HSPLAYER.LOG
Intel Application Accelerator --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9984DF60-1C5B-11D3-ACA1-908A4FC10801}\Setup.exe" -INTELUNINST
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
InterVideo WinDVD 5 --> "C:\Program Files\InstallShield Installation Information\{1B399A41-C1D0-40A2-9E4F-095868EFAF01}\setup.exe" REMOVEALL
iPod for Windows 2005-02-07 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{78B50D1D-642C-4B89-BCC7-352EAE3614D7} /l1033
iTunes --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{47808F78-F178-49DC-B708-15FE538B16FF}
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
J2SE Runtime Environment 5.0 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150000}
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
Juniper Networks Network Connect 5.2.0 --> "C:\Program Files\Juniper Networks\Network Connect 5.2.0\uninstall.exe"
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LiveUpdate 1.7 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Macromedia Flash Player 8 --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe
Macromedia Shockwave Player --> C:\WINDOWS\SYSTEM32\MACROMED\SHOCKW~2\UNWISE.EXE C:\WINDOWS\SYSTEM32\MACROMED\SHOCKW~2\Install.log
Map Button (Windows Live Toolbar) --> MsiExec.exe /X{7745B7A9-F323-4BB9-9811-01BF57A028DA}
MetaFrame Presentation Server Web Client for Win32 --> C:\WINDOWS\system32\ctxsetup.exe /uninst C:\PROGRA~1\Citrix\icaweb32\uninst.inf
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Publisher 2003 --> MsiExec.exe /I{91190409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
Norton AntiVirus Corporate Edition --> MsiExec.exe /I{BD12EB47-DBDF-11D3-BEEA-00A0CC272509}
NTI CD-Maker 2000 Plus --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\NewTech Infosystems\NTI CD-Maker 2000 Plus\Uninst.isu"
NTI DriveBackup! --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\NewTech Infosystems\NTI DriveBackup!\Uninst.isu"
NTI FileCD --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\NewTech Infosystems\FileCD\Uninst.isu"
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nv4_disp.inf
OLYMPUS CAMEDIA Master 4.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{30BB4D60-81DB-11D5-BB77-00400536ABAC}\Setup.exe" CAMEDIA Master 4.03
OneCare Advisor (Windows Live Toolbar) --> MsiExec.exe /X{DF821FC5-C198-452B-A0D4-82433EFEAE9B}
OpenMG Limited Patch 3.2-03-01-31-01 --> C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix3.2-03-01-31-01\HotFixSetup\setup.exe /u
OpenMG Limited Patch 3.2-03-02-07-01 --> C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix3.2-03-02-07-01\HotFixSetup\setup.exe /u
OpenMG Secure Module 3.2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{62F33B80-6244-4A70-A233-0DA13B640364}\setup.exe" -l0x9 UNINSTALL
PhotoFiltre --> "C:\Program Files\PhotoFiltre\Uninst.exe"
Popup Blocker (Windows Live Toolbar) --> MsiExec.exe /X{66A7A386-6F35-41A7-A731-101F0C0153C8}
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
Safe Eyes --> C:\Program Files\InstallShield Installation Information\{C3FA280D-3AE4-43F3-AFB5-D459B36A05B7}\setup.exe -runfromtemp -l0x0009 -removeonly
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
SideCar 32 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\SideCar\Uninst.isu"
Smart Menus (Windows Live Toolbar) --> MsiExec.exe /X{F084395C-40FB-4DB3-981C-B51E74E1E83D}
SonicStage Simple Burner 1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A0E8EB8-85C9-461A-B0C1-0DB7C21FA89A}\setup.exe" -l0x9 /UNINSTALL
Sony USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Verizon Online --> C:\WINDOWS\system32\VerizonUninstaller.exe
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Live Favorites for Windows Live Toolbar --> MsiExec.exe /X{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}
Windows Live Outlook Toolbar (Windows Live Toolbar) --> MsiExec.exe /X{35E1A8C8-6646-4101-B0AA-42D1EB2AB3AE}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar --> MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{341201D4-4F61-4ADB-987E-9CCE4D83A58D}
Windows Live Toolbar Feed Detector (Windows Live Toolbar) --> MsiExec.exe /X{68108E66-D13A-4EE8-A6F4-40E4B90C2A26}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Wireless-B PCI Adapter WLAN Monitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C6956F3-B586-4674-BCD0-CCF7EC1DF766}\Setup.exe" -l0x9
Yahoo! Messenger Explorer Bar --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\COMPAN~1\Modules\messmod4\v6\yhexbmes.dll
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type13657 / Error
Event Submitted/Written: 04/07/2008 07:10:02 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application hpoevm08.exe, version 4.2.0.20, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [hpoevm08.exe!ws!]

Event Record #/Type13655 / Warning
Event Submitted/Written: 04/07/2008 07:09:48 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type13649 / Warning
Event Submitted/Written: 04/07/2008 05:17:44 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type13643 / Warning
Event Submitted/Written: 04/07/2008 01:21:47 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type13640 / Error
Event Submitted/Written: 04/07/2008 01:07:36 PM
Event ID/Source: 5007 / TrueVector Service
Event Description:
TrueVector engine: File "C:\WINDOWS\Internet Logs\KARENVANLOON.ldb" was corrupt and has been copied to "C:\WINDOWS\Internet Logs\xDB84.tmp". File "C:\WINDOWS\Internet Logs\KARENVANLOON.ldb" was corrupt and has been deleted.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type202664 / Warning
Event Submitted/Written: 04/07/2008 10:11:16 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%KARENVANLOON27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %KARENVANLOON27 can't undo changes that you allow.

For more information please see the following:
%KARENVANLOON275

Scan ID: {3AF2E05B-43EA-44E4-BE3F-05EAD9BBF1A5}

User: KARENVANLOON\Karen van Loon

Name: %KARENVANLOON271

ID: %KARENVANLOON272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %KARENVANLOON276

Alert Type: %KARENVANLOON278

Detection Type: 1.1.1593.02

Event Record #/Type202629 / Warning
Event Submitted/Written: 04/07/2008 05:54:33 PM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\ANNA on the network \Device\NetBT_Tcpip_{4F98DB68-EA93-42B2-B724-972107315C35}.
The data is the error code.

Event Record #/Type202592 / Error
Event Submitted/Written: 04/07/2008 05:21:40 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type202587 / Error
Event Submitted/Written: 04/07/2008 05:20:09 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type202586 / Error
Event Submitted/Written: 04/07/2008 05:20:04 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}



-- End of Deckard's System Scanner: finished at 2008-04-07 22:28:09 ------------

#2 lusitano

Portuguese Malware Fighter

Posted 08 April 2008 - 05:59 AM

Hi, welcome to Bleeping Computer Forums!

You might want to save this page on your favorites, so you can find it again when you return.


Please take note of the following:
  • I will be handling your log and helping you, please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patient.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.

:thumbsup:
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 Travelgeek

Topic Starter

Posted 08 April 2008 - 07:35 AM

Thanks!!!

Ran superantispyware this morning and it gives:
Adware vundo variant
Adware tracking cookie (2)

Haven't done anything else since posting the logs above....

Computer is still incredibly slow...

Karen

Edited by Travelgeek, 08 April 2008 - 07:36 AM.


#4 Travelgeek

Topic Starter

Posted 08 April 2008 - 11:37 AM

I know you are going to be very annoyed with me (you specifically told me not to make any changes yet...), but I couldn't get into my webserver and I really needed to update a couple of websites, so the tech guy at my hubby's job advised me to run Malwarebytes Anti-Malware.

I did and this is the log. I can now get into bluehost.com again, but pop ups are still there....

Malwarebytes' Anti-Malware 1.11
Database version: 599

Scan type: Full Scan (C:\|)
Objects scanned: 80972
Time elapsed: 34 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 33
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 5
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0b682cc1-fb40-4006-a5dd-99edd3c9095d} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{54645654-2225-4455-44a1-9f4543d34545} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{5c7f15e1-f31a-44fd-aa1a-2ec63aaffd3a} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Classes\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Classes\applications\accessdiver.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\fwbd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\HolLol (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\mslagent (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Invictus (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorertoolbar (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\Installer\{eee2d9bf-3aa8-4ad7-b074-34ddaa3f1af3} (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Inet Delivery (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Karen van Loon\Desktop\virii (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\svpekgonlmf.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\sxfnewqb.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\silc_dll.dll (Spyware.Marketscore) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ssqRHxvt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\WEB\def.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent\2_mslagent.dll (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent\mslagent.exe (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent\uninstall.exe (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Inet Delivery\inetdl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Inet Delivery\intdel.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Karen van Loon\Desktop\virii\Trojan-Downloader.Win32.Agent.bl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Karen van Loon\Desktop\virii\Trojan-Downloader.Win32.Agent.p.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Karen van Loon\Desktop\virii\Trojan-Downloader.Win32.Agent.r.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Karen van Loon\Desktop\virii\Trojan-Downloader.Win32.Agent.t.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Karen van Loon\Desktop\virii\Trojan-Downloader.Win32.Agent.v.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\iTunesMusic.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\model.dat (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\LDPackage.dll (Spyware.MarketScore) -> Quarantined and deleted successfully.

Karen

#5 lusitano

Portuguese Malware Fighter

Posted 08 April 2008 - 02:19 PM

Hello Travelgeek,

Please uninstall any of the following program(s) using Add/Remove Programs if they are present. To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight each one and select Remove.

Ask Toolbar
- Read about that software here <-


Download ComboFix from Here or Here to your Desktop.
Read first: "How to download and use ComboFix"
If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
  • Be sure to re-enable your anti-virus and other security programs after ComboFix has finished.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist. Please read Combofix's Disclaimer


Regards

#6 Travelgeek

Topic Starter

Posted 08 April 2008 - 08:26 PM

Thanks a million!

Removed Ask Toolbar.
I know when that one all of a sudden appeared: I got a pop-up telling me my media player needed updating and I clicked it (even though I know I shouldn't, just too busy to pay attention...) and that is when all hell broke loose...

Uninstalled Superantispyware (as it didn't seem to remove what it needed to remove).

Turned off Defender, the ZoneLabs firewall and Norton AntiVirus (Corporate Edition) and ran ComboFix. Here is the log:

ComboFix 08-04-08.7 - Karen van Loon 2008-04-08 21:05:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.64 [GMT -4:00]
Running from: C:\Documents and Settings\Karen van Loon\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Karen van Loon\Desktop\blackbird.jpg
C:\Documents and Settings\Karen van Loon\Desktop\EditorFKWP1.5.exe
C:\Documents and Settings\Karen van Loon\Desktop\EditorFKWP2.0.exe
C:\Documents and Settings\Karen van Loon\Desktop\filemanagerclient.exe
C:\Documents and Settings\Karen van Loon\Desktop\fkwp1.5.exe
C:\Documents and Settings\Karen van Loon\Desktop\fkwp2.0.exe
C:\Documents and Settings\Karen van Loon\Desktop\fwebd.exe
C:\Documents and Settings\Karen van Loon\Desktop\FWebdEditor.exe
C:\Documents and Settings\Karen van Loon\Desktop\Trojan.Win32.BlackBird.exe
C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\Installer\{eee2d9bf-3aa8-4ad7-b074-34ddaa3f1af3}\RamRunOnce.dll
C:\WINDOWS\SYSTEM32\afeqypps.ini
C:\WINDOWS\system32\cemetrix.dll
C:\WINDOWS\SYSTEM32\fsrvbaya.ini
C:\WINDOWS\SYSTEM32\IQXwHRqr.ini
C:\WINDOWS\SYSTEM32\IQXwHRqr.ini2
C:\WINDOWS\SYSTEM32\iRrYJkkj.ini
C:\WINDOWS\SYSTEM32\iRrYJkkj.ini2
C:\WINDOWS\SYSTEM32\jcghjknn.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\SYSTEM32\ppypmwth.ini
C:\WINDOWS\SYSTEM32\rgmjnuxl.ini
C:\WINDOWS\SYSTEM32\srqkfocu.ini
C:\WINDOWS\SYSTEM32\Tsrtutwa.ini
C:\WINDOWS\SYSTEM32\Tsrtutwa.ini2
C:\WINDOWS\SYSTEM32\UFPoqtwa.ini
C:\WINDOWS\SYSTEM32\UFPoqtwa.ini2
C:\WINDOWS\system32\akttzn.exe
C:\WINDOWS\system32\anticipator.dll
C:\WINDOWS\system32\awtoolb.dll
C:\WINDOWS\system32\bdn.com
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\system32\dpcproxy.exe
C:\WINDOWS\system32\emesx.dll
C:\WINDOWS\system32\h@tkeysh@@k.dll
C:\WINDOWS\system32\hoproxy.dll
C:\WINDOWS\system32\hxiwlgpm.dat
C:\WINDOWS\system32\hxiwlgpm.exe
C:\WINDOWS\system32\medup012.dll
C:\WINDOWS\system32\medup020.dll
C:\WINDOWS\system32\msgp.exe
C:\WINDOWS\system32\msnbho.dll
C:\WINDOWS\system32\mssecu.exe
C:\WINDOWS\system32\msvchost.exe
C:\WINDOWS\system32\mtr2.exe
C:\WINDOWS\system32\mwin32.exe
C:\WINDOWS\system32\netode.exe
C:\WINDOWS\system32\newsd32.exe
C:\WINDOWS\system32\ps1.exe
C:\WINDOWS\system32\psof1.exe
C:\WINDOWS\system32\psoft1.exe
C:\WINDOWS\system32\regc64.dll
C:\WINDOWS\system32\regm64.dll
C:\WINDOWS\system32\Rundl1.exe
C:\WINDOWS\system32\sncntr.exe
C:\WINDOWS\system32\ssurf022.dll
C:\WINDOWS\system32\ssvchost.com
C:\WINDOWS\system32\ssvchost.exe
C:\WINDOWS\system32\sysreq.exe
C:\WINDOWS\system32\taack.dat
C:\WINDOWS\system32\taack.exe
C:\WINDOWS\system32\temp#01.exe
C:\WINDOWS\system32\thun.dll
C:\WINDOWS\system32\thun32.dll
C:\WINDOWS\system32\VBIEWER.OCX
C:\WINDOWS\system32\vbsys2.dll
C:\WINDOWS\system32\vcatchpi.dll
C:\WINDOWS\system32\winlogonpc.exe
C:\WINDOWS\system32\winsystem.exe
C:\WINDOWS\system32\WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

.
((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-08 10:31 . 2008-04-08 10:31 <DIR> d-------- C:\Documents and Settings\Karen van Loon\Application Data\Malwarebytes
2008-04-08 10:31 . 2008-04-08 10:31 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-04-07 22:18 . 2008-04-07 22:18 <DIR> d-------- C:\Deckard
2008-04-07 18:17 . 2008-04-07 18:17 24,576 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
2008-04-07 17:39 . 2008-04-07 23:12 <DIR> d-------- C:\VundoFix Backups
2008-04-03 09:39 . 2008-04-03 09:54 3,442 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-04-03 09:37 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-04-03 09:37 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-04-03 09:37 . 2008-03-28 23:19 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-04-03 09:37 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-04-03 09:37 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-04-03 09:37 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-04-03 09:37 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-04-03 08:17 . 2008-04-03 08:17 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-04-03 08:16 . 2008-04-08 20:11 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-03 08:16 . 2008-04-08 20:12 <DIR> d-------- C:\Documents and Settings\Karen van Loon\Application Data\SUPERAntiSpyware.com
2008-04-03 07:38 . 2008-04-03 07:38 1,767 --a------ C:\WINDOWS\SYSTEM32\micfkhis.dll
2008-04-03 07:38 . 2008-04-03 07:38 1,728 --a------ C:\WINDOWS\SYSTEM32\fnnodchs.exe
2008-04-02 16:59 . 2008-04-02 16:59 164 --a------ C:\install.dat
2008-04-02 14:43 . 2008-04-03 08:46 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\xmfcfuxu
2008-03-30 16:55 . 2008-03-30 16:55 <DIR> d-------- C:\Documents and Settings\verhoevens\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-09 00:57 --------- d-----w C:\Documents and Settings\verhoevens\Application Data\Lavasoft
2008-04-02 23:10 --------- d-----w C:\Documents and Settings\Karen van Loon\Application Data\Lavasoft
2008-04-01 20:45 --------- d-----w C:\Program Files\Internet Content Filter
2008-02-13 13:14 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-11 21:22 275,968 ----a-w C:\WINDOWS\sediag.exe
2005-10-16 14:28 19,088 ----a-w C:\Documents and Settings\verhoevens\Application Data\GDIPFONTCACHEV1.DAT
2004-10-21 20:51 19,088 ----a-w C:\Documents and Settings\Karen van Loon\Application Data\GDIPFONTCACHEV1.DAT
2003-09-15 12:37 266 --sh--w C:\Program Files\desktop.ini
2003-09-15 12:37 11,079 ---ha-w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{2BE4AEDC-423D-4A44-8592-A948D90D6C3C}"= "C:\WINDOWS\system32\LinkBar.dll" [2007-06-01 13:52 204800]

[HKEY_CLASSES_ROOT\clsid\{2be4aedc-423d-4a44-8592-a948d90d6c3c}]
[HKEY_CLASSES_ROOT\LinkBar.NavBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{06ED62EF-9BD8-4B88-82C4-633EFF7EBA07}]
[HKEY_CLASSES_ROOT\LinkBar.NavBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 03:56 33280 C:\WINDOWS\SYSTEM32\rundll32.exe]
"nwiz"="nwiz.exe" [2003-04-02 19:40 323584 C:\WINDOWS\SYSTEM32\nwiz.exe]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-26 21:36 90112]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29 40960]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2002-06-03 14:09 73728]
"vdrdpup"="C:\WINDOWS\system32\vdrdpup.dll" [2003-10-22 15:08 71168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52 36975]
"Zone Labs Client"="C:\Program Files\Zone Labs\Integrity Client\iclient.exe" [2005-02-07 03:42 861960]
"ICF"="C:\Program Files\Internet Content Filter\SafeEyes.exe" [2008-02-25 15:56 1252864]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"401577a5"="C:\WINDOWS\system32\nnkjhgcj.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 20:29 39264]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 04:06:58 28672]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2003-04-06 03:37:38 147456]
Wireless-B PCI Adapter Utility.lnk - C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe [2006-02-20 00:30:08 4638720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"DX4TH7zJOH"= C:\Documents and Settings\All Users.WINDOWS\Application Data\xmfcfuxu\lapcxyxu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2007-01-29 18:12]
R3 IPN2120;Instant Wireless-B PCI Adapter Driver;C:\WINDOWS\system32\DRIVERS\LSIPNDS.sys [2003-07-10 11:09]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 22:41]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-09 00:22:04 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2004-12-26 01:12:41 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1096158938.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe:-I
"2008-04-09 01:14:25 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-08 21:14:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\ICF.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
.
**************************************************************************
.
Completion time: 2008-04-08 21:17:08 - machine was rebooted [Karen van Loon]
ComboFix-quarantined-files.txt 2008-04-09 01:17:03
Pre-Run: 3,899,910,656 bytes free
Post-Run: 3,807,355,392 bytes free
.
2008-04-06 20:16:50 --- E O F ---



And here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:41 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\Internet Content Filter\SafeEyes.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Documents and Settings\Karen van Loon\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Safe &Eyes Toolbar - {430DDB4F-38CC-4E91-AF33-4157334EC937} - C:\Program Files\Internet Content Filter\setoolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: <Link> Navigation Bar - {2BE4AEDC-423D-4A44-8592-A948D90D6C3C} - C:\WINDOWS\system32\LinkBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Smapp] "C:\Program Files\Analog Devices\SoundMAX\Smtray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [vptray] "C:\Program Files\NavNT\vptray.exe"
O4 - HKLM\..\Run: [vdrdpup] C:\WINDOWS\system32\rundll32 C:\WINDOWS\system32\vdrdpup.dll,RegisterVirtualChannel
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [ICF] "C:\Program Files\Internet Content Filter\SafeEyes.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [401577a5] rundll32.exe "C:\WINDOWS\system32\nnkjhgcj.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [DX4TH7zJOH] C:\Documents and Settings\All Users.WINDOWS\Application Data\xmfcfuxu\lapcxyxu.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: <Link> Navigation Bar - {2BE4AEDC-423D-4A44-8592-A948D90D6C3C} - C:\WINDOWS\system32\LinkBar.dll
O9 - Extra 'Tools' menuitem: <Link> Navigation Bar - {2BE4AEDC-423D-4A44-8592-A948D90D6C3C} - C:\WINDOWS\system32\LinkBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: icf.dll
O10 - Unknown file in Winsock LSP: icf.dll
O10 - Unknown file in Winsock LSP: icf.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121243402187
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://connect.imf.org/dana-cached/setup/J...perSetupSP1.cab
O21 - SSODL: RamRunOnce - {eee2d9bf-3aa8-4ad7-b074-34ddaa3f1af3} - (no file)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe

--
End of file - 9184 bytes
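
Added example (not part of this thread, and not code from HijackThis or ComboFix): a small Python triage script that applies, to the two logs posted above, the kind of reading the helper does by hand in the reply that follows. It parses HijackThis O4 lines, separates the launcher from the file that actually runs (the DLL when rundll32 is only the launcher), and flags the traits visible in the entries ComboFix is later asked to remove: eight-random-lowercase-letter file or folder names, an eight-hex-digit value name, a Policies\Explorer\Run location, and a launch from Application Data. A second function reads the "Reg Loading Points" registry dump and reports Security Center and firewall values that silence or disable protection. The sample lines are copied from the logs above; the heuristics, the two-indicator threshold and the list of tampering values are assumptions, not rules from either tool.

```python
"""Triage of HijackThis O4 lines and ComboFix 'Reg Loading Points' entries.
Added example for this thread, not code from HijackThis, ComboFix or the helper;
the heuristics are assumptions modelled on the entries in the logs above."""
import ntpath
import re

# Constructed sample: O4 lines copied from the first HijackThis log in this thread.
SAMPLE_HJT_LINES = [
    r'O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup',
    r'O4 - HKLM\..\Run: [401577a5] rundll32.exe "C:\WINDOWS\system32\nnkjhgcj.dll",b',
    r'O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide',
    r'O4 - HKLM\..\Policies\Explorer\Run: [DX4TH7zJOH] C:\Documents and Settings\All Users.WINDOWS\Application Data\xmfcfuxu\lapcxyxu.exe',
    r'O4 - Global Startup: hpoddt01.exe.lnk = ?',
]
# Constructed sample: Security Center / firewall lines from the ComboFix log above.
SAMPLE_COMBOFIX_REG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
'''

O4_RE = re.compile(r'^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
RUNDLL = {'rundll32', 'rundll32.exe'}
RANDOM_STEM = re.compile(r'^[a-z]{8}$')        # eight lowercase letters, e.g. nnkjhgcj
HEX_VALUE_NAME = re.compile(r'^[0-9a-f]{8}$')   # eight hex digits, e.g. 401577a5

def split_command(cmd):
    """Return (launcher, payload): quoted paths, unquoted paths with spaces, rundll32 launches."""
    if cmd.startswith('"'):
        exe, _, rest = cmd[1:].partition('"')
    else:
        first, _, remainder = cmd.partition(' ')
        is_rundll = ntpath.basename(first).lower() in RUNDLL
        exe, rest = (first, remainder) if is_rundll else (cmd, '')   # unquoted path: whole line
    rest = rest.strip()
    if ntpath.basename(exe).lower() in RUNDLL and rest:   # payload is the DLL rundll32 loads
        dll = rest[1:].partition('"')[0] if rest.startswith('"') else rest.split(',')[0]
        return exe, dll
    return exe, exe

def triage_o4(line):
    """Parse one O4 line into a finding dict; None for lines without a [name] (Global Startup)."""
    m = O4_RE.match(line)
    if not m:
        return None
    hive, name, cmd = m.group('hive'), m.group('name'), m.group('cmd')
    launcher, payload = split_command(cmd)
    stem = ntpath.splitext(ntpath.basename(payload))[0]
    parent = ntpath.basename(ntpath.dirname(payload))
    flags = []
    if RANDOM_STEM.match(stem) or RANDOM_STEM.match(parent):
        flags.append('random-name')
    if HEX_VALUE_NAME.match(name):
        flags.append('hex-value-name')
    if r'policies\explorer\run' in hive.lower():
        flags.append('policies-run')          # a Run key most users never inspect
    if '\\application data\\' in payload.lower():
        flags.append('appdata-launch')
    if launcher != payload:
        flags.append('rundll32-dll')
    # Assumption: two independent indicators on one entry are worth a closer look.
    return {'hive': hive, 'name': name, 'payload': payload, 'flags': flags,
            'suspicious': len(flags) >= 2}

def triage_hjt(lines):
    return [f for f in map(triage_o4, lines) if f is not None]

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.*)$')
# Security Center / firewall values, with the setting that silences or disables protection.
TAMPER_VALUES = {'antivirusoverride': 1, 'firewalloverride': 1, 'antivirusdisablenotify': 1,
                 'firewalldisablenotify': 1, 'updatesdisablenotify': 1,
                 'disablemonitoring': 1, 'enablefirewall': 0}

def parse_reg_value(raw):
    raw = raw.strip()
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    m = re.match(r'\d+', raw)                  # ComboFix prints plain values as "0 (0x0)"
    return int(m.group()) if m else None

def defense_tampering(text):
    """Return (key, value name, value) for settings that weaken Security Center or the firewall."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if km := KEY_RE.match(line):
            key = km.group('key')
            continue
        vm = VALUE_RE.match(line)
        if not vm or key is None or not re.search(r'security center|firewallpolicy', key, re.I):
            continue
        expected = TAMPER_VALUES.get(vm.group('name').lower())
        if expected is not None and parse_reg_value(vm.group('val')) == expected:
            findings.append((key, vm.group('name'), expected))
    return findings
```

On the sample lines the two entries ComboFix is later told to delete (401577a5 and DX4TH7zJOH) are the only ones that collect two or more flags, while the NVIDIA rundll32 launch collects one and stays unflagged. AntiVirusOverride and DisableMonitoring are also set legitimately by third-party suites (the Symantec and Zone Labs products in this log are candidates), so the tampering report is a list of settings to verify against the installed products, not a verdict; likewise an O4 entry with no flags is only an entry the heuristics did not recognise, not proof that it is clean.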

#7 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal
  • Local time:08:35 AM

Posted 10 April 2008 - 04:36 AM

Hello

Navigation Bar <- Did you install this toolbar?


# Step nº 1 #

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.


# Step nº 2 #

Now copy/paste the entire content of the codebox below into the Notepad window:

http://www.bleepingcomputer.com/forums/t/140619/possible-vundo-virus/
Collect::
C:\WINDOWS\system32\nnkjhgcj.dll
File::
C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
C:\Documents and Settings\Karen van Loon\Application Data\SUPERAntiSpyware.com
C:\WINDOWS\SYSTEM32\micfkhis.dll
C:\WINDOWS\SYSTEM32\fnnodchs.exe
C:\install.dat
Folder::
C:\Program Files\SUPERAntiSpyware
C:\Documents and Settings\All Users.WINDOWS\Application Data\xmfcfuxu
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"401577a5"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"DX4TH7zJOH"=-
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save the above as CFScript.txt
  • Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
  • Posted Image
  • This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
  • When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed, and read it carefully.
  • With the above script, ComboFix will capture a file to submit for analysis.
  • Ensure you are connected to the internet and click OK.
  • A browser will open. Simply follow the instructions to copy/paste/send the requested file.
# Step nº 3 #

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove the older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 5...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "English".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u5-windows-i586-p.exe to install the newest version.
# Step nº 4 #

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\WINDOWS\system32\LinkBar.dll

Please post back the results of the scan in your next post.

You also can try the same at Virustotal: http://www.virustotal.com/


# Step nº 5 #

Please go to the following url: http://www.bleepingcomputer.com/submit-malware.php?channel=20
  • "Link to topic where this file was requested:" - please insert the link to this topic in the text box
  • "Browse to the file you want to submit:" - please click on browse and navigate to:
    C:\WINDOWS\system32\LinkBar.dll
  • "Leave any comments, further information about this file, or contact information:" - please mention in the text box that Lusitano requested you to submit the file & insert the results from Jotti or virustotal obtained in the previous step
  • Click Submit
# Step nº 6 #

In your next reply, please post:
  • The results from ComboFix (step nº 2)
  • The results from the Jotti or VirusTotal analysis (step nº 5)
  • A new HijackThis log, and let me know how your computer is running now.
Regards
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#8 Travelgeek

Travelgeek
  • Topic Starter

  • Members
  • 8 posts
  • Local time:04:35 AM

Posted 10 April 2008 - 08:53 AM

<link> Navigation Bar
Don't know anything about that, I did not install it.

So, husband came home from a three week trip to Nigeria, listened to my computer trouble and ran spybot (even though I explicitly asked him to leave the computer alone). He did not leave me any info on what spybot found, I just found a sticky note saying "ran Spybot, found a lot, removed it all". He uninstalled spybot.
Hope that doesn't mess things up...

Ran the combofix with the CFScript.txt included. It ran fine till it produced a log onscreen and then after a couple of minutes the screen went blank and the only thing I saw was my usual desktop wallpaper. I waited for about an hour, but nothing happened, so I restarted the computer. So, the last two bullets from step 2 have not been done.
The Comlog.txt that it did produce and put on my desktop is empty. Do you need me to run it again?
There is a notepad file that says log.txt, but that one is empty as well.

I updated java. For some reason the first time it downloaded a file called 1207833211798-integrated.jnpl on my desktop, so after I removed all old Java files and rebooted the computer I again clicked on the java link and managed to download the complete update.

Then I ran Jotti and it says "found nothing" on all lines.

I followed the instructions in step 5 and clicked Submit. It says it was successfully sent.

Haven't really tested how the computer is running after doing the previous steps, but yesterday it ran significantly faster and it also started up significantly faster.

HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:49:53 AM, on 4/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\Internet Content Filter\SafeEyes.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Karen van Loon\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Safe &Eyes Toolbar - {430DDB4F-38CC-4E91-AF33-4157334EC937} - C:\Program Files\Internet Content Filter\setoolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: <Link> Navigation Bar - {2BE4AEDC-423D-4A44-8592-A948D90D6C3C} - C:\WINDOWS\system32\LinkBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Smapp] "C:\Program Files\Analog Devices\SoundMAX\Smtray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [vptray] "C:\Program Files\NavNT\vptray.exe"
O4 - HKLM\..\Run: [vdrdpup] C:\WINDOWS\system32\rundll32 C:\WINDOWS\system32\vdrdpup.dll,RegisterVirtualChannel
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [ICF] "C:\Program Files\Internet Content Filter\SafeEyes.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: <Link> Navigation Bar - {2BE4AEDC-423D-4A44-8592-A948D90D6C3C} - C:\WINDOWS\system32\LinkBar.dll
O9 - Extra 'Tools' menuitem: <Link> Navigation Bar - {2BE4AEDC-423D-4A44-8592-A948D90D6C3C} - C:\WINDOWS\system32\LinkBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: icf.dll
O10 - Unknown file in Winsock LSP: icf.dll
O10 - Unknown file in Winsock LSP: icf.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121243402187
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://connect.imf.org/dana-cached/setup/J...perSetupSP1.cab
O21 - SSODL: RamRunOnce - {eee2d9bf-3aa8-4ad7-b074-34ddaa3f1af3} - (no file)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe

--
End of file - 8989 bytes

#9 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:08:35 AM

Posted 15 April 2008 - 03:54 AM

Hello Travelgeek,

Thanks for uploading the Navigation Bar. That gives us a chance to study this toolbar.

What our team can see about that toolbar: there are no malware detections at VirusTotal and we can see nothing malicious about it.
What we found weird about it is that the search bar only accepts up to 6 characters.

You can read more information about Navigation Bar at:
http://www.castlecops.com/tk37671-Navigation_Bar.html
http://www.draig.de/LinkBar/index.en.html

So, the conclusion is that it's legitimate software and it's your choice if you want it uninstalled.
If you choose to uninstall it, please go to Add/Remove Programs.
To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight each one and select Remove.

Navigation Bar



About the ComboFix issue, it's probably related to the TeaTimer of Spybot or to your antivirus or firewall. No problem.


# Step 1 #

Your log shows that you have run HijackThis from a non-recommended location!
To ensure that backups made when items are fixed are secure, we need to get HijackThis set up properly.

Click START, then My Computer, right click Local Disk (usually (C:) for most people) and -> Explore.
Right click an open area in the main panel.
Select New -> Folder.
Type in HJT & press Enter

Now we have created the C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.


# Step 2 #

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
Also please disable Windows Defender
  • Click on "Tools"
  • Click on "General Settings"
  • Scroll down to "Real-time protection options"
  • Uncheck "Turn on Real-time protection (recommended)"
  • Click "Save"
# Step 3 #

Go to Start » Run » type: Notepad » OK.
Copy (Ctrl+C) and paste (Ctrl+V) the following text inside the code box below to Notepad. (Be sure to use Notepad, not Wordpad, otherwise it won't work).
@ECHO OFF
sc stop "VundoFixSvc"
sc config "VundoFixSvc" start= disabled
sc delete "VundoFixSvc"
  • Click File at the top and then choose Save As.
  • Change Save As Type to All Files.
  • Name it fixsvc.bat and save it on your desktop.
  • Double click fixsvc.bat.
# Step 4 #

Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below,"if still present":

O21 - SSODL: RamRunOnce - {eee2d9bf-3aa8-4ad7-b074-34ddaa3f1af3} - (no file)

Click on the Fix checked button. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



# Step 5 #

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


# Step 6 #

Please go here to run an online scanner from ESET:
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log and a descript

# Step 7 #

In your next reply, please post:
  • The results from the ESET online scan (step nº 6)
  • A new HijackThis log.
  • Let me know how your computer is running now.
Regards
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
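
Added example (my own Python, not code from this thread, from HijackThis or from BleepingComputer): a small triage script for the HijackThis log format posted in this thread. It parses the "Running processes" block and the R/O entry lines and flags the things the helper above checked by hand: the O21 entry pointing at "(no file)", the leftover VundoFixSvc service removed with fixsvc.bat, Winsock LSP entries listed without a path, a service with no vendor string, an ActiveX (O16) control fetched over plain HTTP, and HijackThis itself running from the Desktop instead of C:\HJT. The sample log is constructed from lines in the thread with a placeholder user name; a flag means "look at this", not "malware".

```python
"""Triage helper for HijackThis-style logs (added example, not thread code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Short names of removal-tool services that should be gone after cleanup
# (VundoFixSvc is the one deleted with fixsvc.bat in this thread).
CLEANUP_TOOL_SERVICES = {"vundofixsvc"}

# Constructed sample: a trimmed copy of the log format posted in the thread,
# with "Owner" as a placeholder user name.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:26 PM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [vptray] "C:\Program Files\NavNT\vptray.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: icf.dll
O10 - Unknown file in Winsock LSP: icf.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O21 - SSODL: RamRunOnce - {eee2d9bf-3aa8-4ad7-b074-34ddaa3f1af3} - (no file)
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
"""


@dataclass
class Entry:
    section: str                 # "O4", "O23", ...
    body: str                    # text after "O23 - "
    target: str                  # file path, URL or value the entry points at
    clsid: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def split_target(section: str, body: str) -> str:
    """Pull out the file/URL/value part of an entry body by section type."""
    if section == "O10":                          # "Unknown file in Winsock LSP: x"
        return body.split("Winsock LSP:", 1)[-1].strip()
    if section == "O4" and "]" in body:           # "HKLM\..\Run: [name] target"
        return body.split("]", 1)[1].strip()
    if section.startswith("R") and "=" in body:   # "HKCU\...,Start Page = value"
        return body.split("=", 1)[1].strip()
    return body.rsplit(" - ", 1)[-1].strip()      # "Name - {CLSID} - target"


def parse_entry(line: str) -> Optional[Entry]:
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    clsid = CLSID_RE.search(body)
    return Entry(section, body, split_target(section, body),
                 clsid.group(0) if clsid else None)


def triage_entry(e: Entry) -> Entry:
    """Attach 'worth a look' flags; an empty list means nothing stood out."""
    t = e.target
    if "(no file)" in t:
        e.flags.append("orphaned: registry entry points at a missing file")
    if e.section == "O23":
        if "Unknown owner" in e.body:
            e.flags.append("service has no vendor string")
        svc = e.body.split(" - ", 1)[0].lower()   # "Service: Name (short)"
        if any(name in svc for name in CLEANUP_TOOL_SERVICES):
            e.flags.append("leftover removal-tool service, delete after cleanup")
    if e.section == "O10" and "\\" not in t:
        e.flags.append("LSP listed by bare file name, path not resolved")
    if e.section == "O16" and not t.lower().startswith("https://"):
        e.flags.append("ActiveX control fetched over plain HTTP")
    return e


def triage_log(text: str) -> dict:
    """Parse a whole log; report the HijackThis path, all entries and flagged ones."""
    hjt_path, in_procs, entries = None, False, []
    for line in text.splitlines():
        s = line.strip()
        if s.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:                              # process list ends at a blank line
            if not s:
                in_procs = False
            elif s.lower().endswith("hijackthis.exe"):
                hjt_path = s
            continue
        e = parse_entry(s)
        if e:
            entries.append(triage_entry(e))
    low = (hjt_path or "").lower()
    location_ok = bool(hjt_path) and "\\desktop\\" not in low and "\\temp\\" not in low
    return {"hjt_path": hjt_path, "hjt_location_ok": location_ok,
            "entries": entries, "flagged": [e for e in entries if e.flags]}


if __name__ == "__main__":
    report = triage_log(SAMPLE_LOG)
    print("HijackThis ran from:", report["hjt_path"],
          "(ok)" if report["hjt_location_ok"] else "(move it to C:\\HJT)")
    for e in report["flagged"]:
        print(f"{e.section}: {e.target} -> {'; '.join(e.flags)}")
```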

#10 Travelgeek

Travelgeek
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:35 AM

Posted 17 April 2008 - 09:40 PM

I removed the <Link> Navigation Bar, but it said that certain parts can only be removed manually. Haven't done that.

{About the ComboFix issue, its probably related to the TeaTimer of the Spybot or to your antivirus or firewall. No problem.}

That would be strange as I removed spybot (by using the add/remove thing from the control panel) and turned off defender, zonealarm and norton before running it. But if it isn't a problem, it isn't a problem, right?

{# step 1 #
Now We have Created C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.}

Did that, but somehow it tells me it is a shortcut to hijack this, I assume that is ok? I will run a final HijackThis from the c: drive.


# Step 2 #

I removed Spybot Search & Destroy, before running the previous scan. Should I install it again and disable the teatimer?

# Step 3 #

* Double click fixsvc.bat.

Did that.

# Step 4 #


O21 - SSODL: RamRunOnce - {eee2d9bf-3aa8-4ad7-b074-34ddaa3f1af3} - (no file)

It was still present, so I "fix checked"-ed it.

# Step 5 #

Ran ATF Cleaner, saved my firefox passwords.

# Step 6 and Step 7 #

Ran ESET. It took forever.

Here is the log from ESET
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3035 (20080417)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=889c5af5aa087e42ab7f59fad8047f45
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-04-18 02:19:04
# local_time=2008-04-17 10:19:04 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=282302
# found=0
# scan_time=5479

And here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:26 PM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Internet Content Filter\SafeEyes.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\Hpqdirec.exe
C:\WINDOWS\system32\winlogon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Documents and Settings\Karen van Loon\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Safe &Eyes Toolbar - {430DDB4F-38CC-4E91-AF33-4157334EC937} - C:\Program Files\Internet Content Filter\setoolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Smapp] "C:\Program Files\Analog Devices\SoundMAX\Smtray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [vptray] "C:\Program Files\NavNT\vptray.exe"
O4 - HKLM\..\Run: [vdrdpup] C:\WINDOWS\system32\rundll32 C:\WINDOWS\system32\vdrdpup.dll,RegisterVirtualChannel
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [ICF] "C:\Program Files\Internet Content Filter\SafeEyes.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-2025429265-764733703-839522115-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'verhoevens')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: icf.dll
O10 - Unknown file in Winsock LSP: icf.dll
O10 - Unknown file in Winsock LSP: icf.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121243402187
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://connect.imf.org/dana-cached/setup/J...perSetupSP1.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 8600 bytes



* Let me know how your computer is running now.

The computer is running much faster and I have no pop-ups at all. I do however need to restart it once a day, as it somehow simply freezes (this is new). In itself not a problem as it now reboots so much faster, but annoying still.
Thank you so much for taking me by the hand in trying to clean my computer, I really appreciate it!

#11 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:08:35 AM

Posted 22 April 2008 - 04:03 AM

Hello

Your HijackThis is still not properly installed. Please right click on HiJackThis.exe » cut; then open the HJT folder » right click » paste.
Now, right click again on Hijackthis.exe » send to » desktop (create shortcut)


That would be strange as I removed spybot (by using the add/remove thing from the control panel) and turned off defender, zonealarm and norton before running it. But if it isn't a problem, it isn't a problem, right?

It's not a big problem and you can fix it by fixing the entry & re-installing Spybot if you desire.


Is your Norton working OK? Fully accessible, and can you update Norton?

Thanks and sorry for the delay.
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#12 Travelgeek

Travelgeek
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:35 AM

Posted 24 April 2008 - 10:23 AM

Please find below a new HijackThis log, this time from the properly installed program!

I will not re-install spybot, as the free version does not offer real-time protection and I do have defender, zonealarm and norton running, all with real-time protection.
And yes, norton is updated regularly, it is the corporate version.

I haven't had anything going wrong with the computer, no pop-ups, and I don't have to restart the computer anymore (so it doesn't freeze anymore). Hope you can give me the all-clean after analyzing the HijackThis file!

And again, thanks a million!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:20 AM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\Internet Content Filter\SafeEyes.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\MICROS~2\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Safe &Eyes Toolbar - {430DDB4F-38CC-4E91-AF33-4157334EC937} - C:\Program Files\Internet Content Filter\setoolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Smapp] "C:\Program Files\Analog Devices\SoundMAX\Smtray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [vptray] "C:\Program Files\NavNT\vptray.exe"
O4 - HKLM\..\Run: [vdrdpup] C:\WINDOWS\system32\rundll32 C:\WINDOWS\system32\vdrdpup.dll,RegisterVirtualChannel
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [ICF] "C:\Program Files\Internet Content Filter\SafeEyes.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-2025429265-764733703-839522115-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'verhoevens')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: icf.dll
O10 - Unknown file in Winsock LSP: icf.dll
O10 - Unknown file in Winsock LSP: icf.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121243402187
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://connect.imf.org/dana-cached/setup/J...perSetupSP1.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 8808 bytes

#13 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:08:35 AM

Posted 28 April 2008 - 03:53 AM

Good job, your logs are clean :thumbsup:

I will not re-install spybot, as the free version does not offer real-time protection and I do have defender, zonealarm and norton running, all with real-time protection.

Ok, so please uninstall Spybot. If there is no add/remove entry for it, you have to re-install it and then uninstall it. If you want to keep it though -- that's fine.

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to disable and re-enable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Read the TonyKlein's good advice: So how did I get infected in the first place?

  • Also visit the Secunia Software Inspector

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software
Glad I was able to help and please let me know if you still need assistance.
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
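The HOSTS-file mechanism mentioned in the post above (names pointed at 127.0.0.1 never reach the network) is easy to audit, and the same audit catches the opposite trick, where malware points update or banking names at a remote address. The script below is an added example, not code from the post, from MVPS, or from BleepingComputer; the HOSTS content and the 203.0.113.x addresses in it are constructed for illustration and are not real entries.

```python
"""Audit a HOSTS file: which names are sinkholed to the local machine
(ad/malware blocking, as a blocklist-style HOSTS file does) and which
are redirected to some other address (worth a second look on a machine
that was just cleaned).  Added example; not from the original thread.
"""
import ipaddress
import sys

# Constructed sample in Windows HOSTS format. The 203.0.113.0/24 range is
# the documentation range (TEST-NET-3); nothing here is a real blocklist entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net          # blocked ad server
127.0.0.1       tracker.example.org stats.example.org
# Hijack-style entries, constructed for the example:
203.0.113.10    update.example-av.com
203.0.113.10    www.example-bank.com
not-an-ip       garbage.example.com      # malformed line, must be skipped
"""


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs from HOSTS-format text.

    Comments (# to end of line) and blank lines are ignored; a line may
    carry several hostnames after the address; malformed lines are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a valid IPv4/IPv6 address: skip the line
        for host in parts[1:]:
            entries.append((str(addr), host.lower()))
    return entries


def is_sinkhole(ip):
    """True for loopback (127.0.0.1, ::1) or unspecified (0.0.0.0) targets."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def classify(entries):
    """Split entries into {host: ip} for sinkholed names and redirected names.

    'localhost' is the one name expected to map to loopback and is left out.
    Redirected names are an audit list, not a verdict: LAN hostnames also
    land here, but a vendor update site or a bank pointing at a remote IP
    is the pattern to check.
    """
    sinkholed, redirected = {}, {}
    for ip, host in entries:
        if host == "localhost":
            continue
        if is_sinkhole(ip):
            sinkholed[host] = ip
        else:
            redirected[host] = ip
    return sinkholed, redirected


def is_blocked(hostname, entries):
    """True if hostname is mapped to a sinkhole address by these entries."""
    hostname = hostname.lower()
    return any(h == hostname and is_sinkhole(ip) for ip, h in entries)


def main(argv):
    # Usage: python hosts_audit.py [path]; default is the built-in sample.
    # On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts.
    text = open(argv[1], encoding="utf-8", errors="replace").read() if len(argv) > 1 else SAMPLE_HOSTS
    sinkholed, redirected = classify(parse_hosts(text))
    print(f"{len(sinkholed)} name(s) sinkholed to the local machine")
    for host, ip in redirected.items():
        print(f"REVIEW: {host} -> {ip} (not a local address)")


if __name__ == "__main__":
    main(sys.argv)
```

Running it against the live HOSTS file after applying a blocklist-style file should show a long sinkholed count and an empty (or fully explainable) REVIEW list; any security-vendor or banking name in the REVIEW list is a reason to reopen the cleanup.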

#14 Travelgeek

Travelgeek
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:35 AM

Posted 28 April 2008 - 07:54 AM

Thanks a million for spending so much time on this!!
Will do all things advised and hopefully this will never happen again!

Karen

#15 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:05:35 AM

Posted 29 April 2008 - 03:56 AM

Hi,

Since the topic has been resolved, thread is now closed.
If you need it re-opened please PM your helper or a member of the Moderating team with a link to your topic.
New issues please start a new topic.

Keep well & surf safe!

Thank you

Blender
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware



