
Infected, May Be Virtumunde And Vundo


This topic is locked. 2 replies to this topic.

#1 ventyerrage


Posted 05 May 2008 - 01:19 PM

I am getting out-of-control pop-ups. I have tried various removal tools, but nothing has worked yet. Any help is greatly appreciated!

Here are the logs:

Deckard's System Scanner v20071014.68
Run by HP_Administrator on 2008-05-05 13:52:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as HP_Administrator.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:52:08 PM, on 05/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Documents and Settings\HP_Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HP_ADM~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Program Files\real\IEeREAD.dll
O2 - BHO: (no name) - {3713F9EE-C059-4540-B697-987EF263A088} - (no file)
O2 - BHO: (no name) - {575BAE2D-C76B-4B6B-A6EC-599A0D294E36} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: (no name) - {B045F09B-6F49-45BD-97F8-32950DC16484} - (no file)
O2 - BHO: (no name) - {B617545E-8224-4365-8E5A-E429D0A7F20D} - C:\WINDOWS\system32\ssqRHWOG.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: Add to Vbuzzer RSS list - C:\Program Files\vbuzzer\addurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1180121139281
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1181731714781
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O20 - Winlogon Notify: wVpPiFyx - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 14294 bytes

-- Files created between 2008-04-05 and 2008-05-05 -----------------------------

2008-05-05 13:42:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-05 13:42:50 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-05 13:42:49 0 d-------- C:\WINDOWS\LastGood
2008-05-04 18:16:13 0 d-------- C:\WINDOWS\CSC
2008-05-04 14:40:41 164 --a------ C:\install.dat
2008-05-04 13:59:44 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-05-04 13:52:50 311560 --ahs---- C:\WINDOWS\system32\GOWHRqss.ini2
2008-05-02 17:12:50 299040 --ahs---- C:\WINDOWS\system32\XbeKkUvw.ini2
2008-05-02 16:44:02 0 d-------- C:\VundoFix Backups
2008-05-02 15:05:27 0 d-------- C:\Program Files\Trend Micro
2008-05-02 14:52:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-02 13:40:26 4766 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-02 13:40:07 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-02 13:40:07 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-05-02 13:40:07 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-05-02 13:40:07 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-05-02 13:40:07 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-05-02 13:40:07 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-02 13:40:07 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-02 13:40:07 82944 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-01 19:42:18 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\phpDesigner 2008
2008-05-01 19:41:55 0 d-------- C:\Program Files\phpDesigner 2008
2008-05-01 19:29:14 233472 --a------ C:\WINDOWS\system32\Ilda32.dll <Not Verified; Creative Development LTD; >
2008-05-01 19:29:13 0 d-------- C:\Program Files\CoffeeCup Software
2008-05-01 19:01:42 322828 --ahs---- C:\WINDOWS\system32\fihjkRqr.ini2
2008-05-01 03:01:17 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-29 13:48:23 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-29 13:48:18 0 d-------- C:\Program Files\Windows Live
2008-04-29 13:48:07 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-23 10:37:57 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Google
2008-04-22 21:38:26 0 d-------- C:\Program Files\Common Files\xing shared
2008-04-22 21:36:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-04-22 21:35:59 0 d-------- C:\Program Files\Google
2008-04-21 12:44:24 0 d-------- C:\Program Files\Common Files\Corel
2008-04-21 12:39:57 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\InstallShield
2008-04-21 11:14:35 0 d-------- C:\Documents and Settings\All Users\Application Data\GlobalSCAPE
2008-04-20 18:02:53 0 d-------- C:\WINDOWS\system32\h
2008-04-20 15:15:46 0 d-------- C:\Documents and Settings\HP_Administrator\EurekaLog
2008-04-18 20:15:25 0 d-------- C:\Program Files\Disk Doctors Undelete
2008-04-18 20:14:19 4 --a------ C:\WINDOWS\vx86036.dat
2008-04-18 20:14:13 69632 --a------ C:\WINDOWS\system32\Crypserv.exe <Not Verified; CrypKey (Canada) Ltd.; CrypKey Software Licensing System>
2008-04-18 20:14:13 31846 --a------ C:\WINDOWS\system32\Ckldrv.sys
2008-04-18 20:14:13 27648 -ra------ C:\WINDOWS\Setup_ck.exe
2008-04-18 20:14:13 18432 --a------ C:\WINDOWS\Setup_ck.dll
2008-04-18 20:14:13 11776 --a------ C:\WINDOWS\Ckrfresh.exe
2008-04-18 20:14:13 165888 --a------ C:\WINDOWS\Ckconfig.exe <Not Verified; Kenonic Controls; CKCONFIG Application>
2008-04-18 20:14:11 0 d-------- C:\Program Files\Disk Doctors NTFS Data Recovery
2008-04-18 15:37:05 0 d-------- C:\Program Files\GetData
2008-04-18 15:37:04 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-18 15:28:21 0 d-------- C:\Program Files\Ontrack
2008-04-18 14:26:35 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Thinstall
2008-04-16 19:56:19 0 d-------- C:\Program Files\Wide Angle Software
2008-04-16 15:41:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Protexis
2008-04-16 15:40:52 8 -rahs---- C:\WINDOWS\system32\6B3C462850.dll
2008-04-09 14:10:43 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\BonkEnc
2008-04-09 14:10:29 0 d-------- C:\Program Files\BonkEnc
2008-04-07 16:41:10 0 d-------- C:\Program Files\iPod
2008-04-07 16:41:05 0 d-------- C:\Program Files\iTunes
2008-04-07 16:37:57 0 d-------- C:\Program Files\Apple Software Update


-- Find3M Report ---------------------------------------------------------------

2008-05-05 13:51:32 0 d-------- C:\Program Files\MagicISO
2008-05-04 14:13:46 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Azureus
2008-05-02 13:57:11 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\AVG7
2008-05-02 13:47:08 0 d-------- C:\Program Files\eMule
2008-05-02 13:34:12 0 d-------- C:\Program Files\The Logo Creator v4
2008-05-02 13:34:04 25204 --a------ C:\Documents and Settings\HP_Administrator\Application Data\phpdesigner2008.xml
2008-05-02 13:19:58 7514 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-05-02 13:19:06 168 -rahs---- C:\WINDOWS\system32\A3CB8959CB.sys
2008-05-02 11:48:38 504 --a------ C:\WINDOWS\ONSPCLCK.exe
2008-05-02 11:23:37 0 d-------- C:\Program Files\Bonjour
2008-05-01 19:34:39 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Adobe
2008-05-01 13:09:15 0 d-------- C:\Program Files\Quicken
2008-05-01 13:09:09 0 d-------- C:\Program Files\Common Files
2008-05-01 13:05:59 0 d-------- C:\Program Files\GemMaster
2008-05-01 13:05:49 0 d-------- C:\Program Files\Gadget Buster
2008-04-29 10:16:29 467 --a------ C:\WINDOWS\system32\Datei9
2008-04-29 10:16:29 467 --a------ C:\WINDOWS\system32\Datei8
2008-04-29 10:16:29 469 --a------ C:\WINDOWS\system32\Datei7
2008-04-29 10:16:29 465 --a------ C:\WINDOWS\system32\Datei6
2008-04-29 10:16:29 469 --a------ C:\WINDOWS\system32\Datei5
2008-04-29 10:16:29 471 --a------ C:\WINDOWS\system32\Datei4
2008-04-29 10:16:29 470 --a------ C:\WINDOWS\system32\Datei3
2008-04-29 10:16:29 471 --a------ C:\WINDOWS\system32\Datei2
2008-04-29 10:16:29 467 --a------ C:\WINDOWS\system32\Datei10
2008-04-29 10:16:29 470 --a------ C:\WINDOWS\system32\Datei1
2008-04-29 10:16:29 468 --a------ C:\WINDOWS\system32\Datei0
2008-04-27 18:16:02 0 d-------- C:\Program Files\The Logo Creator v5
2008-04-27 12:07:12 0 d-------- C:\Program Files\Replay Converter
2008-04-22 21:38:16 0 d-------- C:\Program Files\Common Files\Real
2008-04-21 15:07:40 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Image Zone Express
2008-04-21 12:47:39 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Corel
2008-04-21 12:44:24 0 d-------- C:\Program Files\Corel
2008-04-20 15:15:51 0 d-------- C:\Program Files\MediaMonkey
2008-04-19 14:13:44 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Real
2008-04-18 14:12:23 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-17 16:16:37 0 d-------- C:\Program Files\Real
2008-04-17 15:22:18 0 d-------- C:\Program Files\Azureus
2008-04-16 19:53:09 0 d-------- C:\Program Files\Image-Line
2008-04-07 16:40:05 0 d-------- C:\Program Files\QuickTime
2008-04-07 14:25:44 0 d-------- C:\Program Files\Java


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24F06550-65E3-4D1C-8CFE-839C296B5530}]
28/06/2007 05:25 PM 57344 --a------ C:\Program Files\real\IEeREAD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3713F9EE-C059-4540-B697-987EF263A088}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{575BAE2D-C76B-4B6B-A6EC-599A0D294E36}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B045F09B-6F49-45BD-97F8-32950DC16484}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B617545E-8224-4365-8E5A-E429D0A7F20D}]
C:\WINDOWS\system32\ssqRHWOG.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [29/09/2005 06:01 PM]
"ftutil2"="ftutil2.dll" [07/06/2004 10:05 AM C:\WINDOWS\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [13/06/2006 04:05 PM C:\WINDOWS\RTHDCPL.EXE]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [23/06/2006 08:44 AM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [23/06/2006 08:40 AM]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [06/07/2006 11:15 AM]
"DMAScheduler"="c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe" [13/04/2006 06:05 AM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [22/07/2005 07:14 PM]
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [15/02/2006 07:34 PM]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [08/05/2007 04:24 PM]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [08/03/2005 09:13 PM]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [27/08/2003 02:20 PM]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [09/04/2007 08:23 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [22/04/2008 09:37 PM]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [18/05/2006 11:29 AM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [12/03/2007 06:30 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [16/04/2008 10:25 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25 AM]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [01/03/2007 03:57 PM]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [20/09/2007 09:51 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [28/03/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 10:05:26 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [19/02/2006 4:21:22 AM]
Updates From HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [10/01/2007 11:11:08 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wVpPiFyx]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ssqRHWOG


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{87c060da-0d69-11dc-afb2-0018f3a5927e}]
AutoRun\command- K:\ONSPCLCK.exe




-- End of Deckard's System Scanner: finished at 2008-05-05 13:52:24 ------------


#2 pskelley


Posted 08 May 2008 - 03:54 PM

Welcome to Bleeping Computer. Please be sure you have read and followed the Preparation Guide For Use Before Posting A Hijackthis Log (instructions for receiving help in cleaning your computer): http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
All advice given is taken at your own risk.

There is likely hidden Vundo involved; I suggest you keep the computer offline except when troubleshooting your issues until we get you clean. Before we start, we have another issue to resolve: it is hard to troubleshoot when we do not know which of the issues is caused by conflicting antivirus programs. I would like you to do this.

1) Read the directions posted above and pinned to the top of the forum.

2) Tell me what other "removal tools" you have used so far.

3) You are running two antivirus programs at the same time, and this is not a good thing. They conflict with each other, and you will be less safe than if you ran one good program and maintained it properly.
http://service1.symantec.com/SUPPORT/nav.n...000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/conte...5120300087.html
http://www.smartcomputing.com/editorial/ar...38s07/38s07.asp

C:\Program Files\Symantec\
C:\PROGRA~1\Grisoft\AVG7\
(uninstall one of those)

Post a new HJT log along with the information I requested and any comments you think will help.

Thanks

If your issues are resolved, post to let me know so I may close your topic.
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 pskelley


Posted 15 May 2008 - 07:00 PM

There has been no response to this topic in a week.
This topic is closed.

Thanks...pskelley
BleepingComputer
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006