Vundo.gen!h Troubles


  • This topic is locked
10 replies to this topic

#1 Kyle7

  • Members
  • 8 posts

Posted 04 June 2008 - 03:30 AM

So I've gotten infected with some sort of nasty strain of the Vundo trojans. I've seen my antivirus/spyware software alert me to Virtumonde, Vundo, LowZones and maybe a couple of other problems with similar names. The Windows OneCare scanner online has deemed my problem "Vundo.gen!h", and since that sounds the most specific and recent I figured I'd call it that...
I usually run Symantec AntiVirus, Spybot and Ad-Aware, but nothing picked this up until it was too late. Now I'll get alerts about different problems or scans; it'll tell me it cleans/deletes the problems, and then the fancy virus seems to recreate itself in the registry and is never really gone. It has pretty much hijacked Firefox from half the websites, and IE brings up a bunch of popups. I also think it is blocking certain web updating functions like Windows Update, as they can no longer connect to the internet. I have tried various Virtumonde fixing apps found online, but they seem to do nothing and often say they cannot find an infection. Any help would be greatly appreciated!

Deckard's System Scanner v20071014.68
Run by HP_Administrator on 2008-06-04 04:07:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 1 Restore Point(s) --
1: 2008-06-03 22:53:31 UTC - RP465 - Scheduled Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 20.64 GiB (less than 15%) free.


-- HijackThis (run as HP_Administrator.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:10:42 AM, on 6/4/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\X3watch\x3watch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\FlashMute\flashmute.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Windows\Explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Users\HP_Administrator\Desktop\dss.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\SearchFilterHost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HP_Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0CF5D165-517E-48B6-B3C7-3054A24F8BF6} - C:\Windows\system32\fcccbBtu.dll
O2 - BHO: (no name) - {102FA8B1-7845-492E-976D-8FEFE768266F} - (no file)
O2 - BHO: (no name) - {133ABB57-BBBD-4D9C-AC9C-5A6815FBFEBF} - (no file)
O2 - BHO: (no name) - {185DE87D-6FBB-4BBC-BD26-60AFE7A82A0E} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A3F2417-F198-4FDC-9FD5-BD665144D0B9} - (no file)
O2 - BHO: (no name) - {6885e32b-47dc-4ebb-aa75-77f61dc1780c} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {979221CA-2B6E-4C14-B856-E8076609E51E} - (no file)
O2 - BHO: (no name) - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - (no file)
O2 - BHO: (no name) - {AD0AD95C-A1A4-45DB-B546-F8036A0B32A7} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C4C2D0F8-17D8-426E-A8FA-DE4C5C9145EA} - (no file)
O2 - BHO: (no name) - {C81C8ADC-D4C7-4465-BAF6-5D1A6F37E397} - (no file)
O2 - BHO: (no name) - {cd578757-4abf-4a4b-a76f-d0d3e6ba81f5} - (no file)
O2 - BHO: (no name) - {E45C56B4-E9CD-4620-8BD1-B9581CDE2E4E} - C:\Windows\system32\ljJcYOfE.dll
O2 - BHO: (no name) - {EECB8A71-5C7C-4610-84D2-3FF46408ABCE} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BMc74eef9a] Rundll32.exe "C:\Windows\system32\lvbvkyly.dll",s
O4 - HKLM\..\Run: [c47ddc06] rundll32.exe "C:\Windows\system32\fdcjauku.dll",b
O4 - HKLM\..\RunOnce: [PCDrProfiler] C:\Program Files\PC-Doctor 5 for Windows\RunProfiler.exe -r
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [FlashMute] C:\Program Files\FlashMute\FlashMute.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/...S/wlscctrl2.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\Windows\system32\drivers\pclepci.sys
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 13581 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 BCM42RLY - \??\c:\windows\system32\bcm42rly.sys
S3 SRTSPL - c:\windows\system32\drivers\srtspl.sys <Not Verified; Symantec Corporation; AutoProtect>
S3 TSHWMDTCP - \??\c:\program files\intel\inteldh\intel media server\media server\bin\tshwmdtcp.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AlertService (Intel® Alert Service) - "c:\program files\intel\inteldh\ccu\alertservice.exe" <Not Verified; Intel® Corporation; Intel® Viiv™ Software>
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 DQLWinService - "c:\program files\common files\intel\inteldh\nms\adpplugins\dqlwinservice.exe" <Not Verified; ; DQLWinSe Application>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S2 ISSM (Intel® Software Services Manager) - "c:\program files\intel\inteldh\intel media server\media server\bin\issm.exe" <Not Verified; Intel® Corporation; Intel® Viiv™ Software>
S2 M1 Server (Intel® Viiv™ Media Server) - c:\program files\intel\inteldh\intel media server\media server\bin\mediaserver.exe
S2 MCLServiceATL (Intel® Application Tracker) - "c:\program files\intel\inteldh\intel media server\shells\mclserviceatl.exe" <Not Verified; Intel® Corporation; Intel® Viiv™ Software>
S2 PCLEPCI - c:\windows\system32\drivers\pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
S2 Remote UI Service (Intel® Remoting Service) - "c:\program files\intel\inteldh\intel media server\shells\remote ui service.exe" <Not Verified; Intel® Corporation; Intel® Viiv™ Software>
S3 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-04 03:30:00 276 --a------ C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job


-- Files created between 2008-05-04 and 2008-06-04 -----------------------------

2008-06-04 04:10:17 0 d-------- C:\Program Files\Trend Micro
2008-06-04 01:10:15 115200 --a------ C:\Windows\system32\fdcjauku.dll
2008-06-04 01:04:28 125952 --a------ C:\Windows\system32\lvbvkyly.dll
2008-06-03 13:01:12 0 d-------- C:\Users\All Users\Kaspersky Lab
2008-06-03 13:01:10 0 d-------- C:\Windows\system32\Kaspersky Lab
2008-06-03 01:43:41 115200 --a------ C:\Windows\system32\cmoowlpj.dll
2008-06-03 01:06:17 133120 --a------ C:\Windows\system32\sewceiea.dll
2008-06-03 01:03:57 125952 --a------ C:\Windows\system32\dbhiqynk.dll
2008-06-01 22:14:25 114176 -----n--- C:\Windows\system32\xvdumbnb.dll
2008-06-01 22:12:10 126464 --a------ C:\Windows\system32\plqvkqwx.dll
2008-06-01 12:39:26 0 d-------- C:\327882R2FWJFW
2008-06-01 01:22:25 0 d-------- C:\Program Files\Windows Live Safety Center
2008-05-31 17:59:26 132096 --a------ C:\Windows\system32\dxnuhity.dll
2008-05-31 17:57:09 126464 --a------ C:\Windows\system32\apandyql.dll
2008-05-31 01:54:09 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-31 01:02:40 262144 --a------ C:\ntuser.dat
2008-05-30 23:10:40 0 d-------- C:\VundoFix Backups
2008-05-30 22:25:46 134144 --a------ C:\Windows\system32\bmxcqjsd.dll
2008-05-30 11:36:23 115712 --a------ C:\Windows\system32\phgsxxte.dll
2008-05-30 11:30:27 125440 --a------ C:\Windows\system32\yaerfkkr.dll
2008-05-29 12:43:41 132608 --a------ C:\Windows\system32\qaetohag.dll
2008-05-29 11:35:10 116224 --a------ C:\Windows\system32\aritqaqs.dll
2008-05-29 11:29:12 126976 --a------ C:\Windows\system32\wtgukchl.dll
2008-05-28 11:28:39 125952 --a------ C:\Windows\system32\tqlyslvh.dll
2008-05-27 23:37:53 116224 --a------ C:\Windows\system32\rkajsddg.dll
2008-05-27 11:30:51 134144 --a------ C:\Windows\system32\fugilqbt.dll
2008-05-27 11:26:55 126976 --a------ C:\Windows\system32\shcltwhf.dll
2008-05-27 11:22:04 126976 --a------ C:\Windows\system32\cgbqbxxm.dll
2008-05-27 11:16:28 58880 --a------ C:\Windows\system32\fcccbBtu.dll
2008-05-26 10:43:41 134144 --a------ C:\Windows\system32\xlvhmiph.dll
2008-05-26 10:41:14 124928 --a------ C:\Windows\system32\xfjyvpev.dll
2008-05-26 10:06:38 124928 --a------ C:\Windows\system32\qpgaksgt.dll
2008-05-25 21:40:29 0 d-------- C:\Users\All Users\WindowsSearch
2008-05-25 21:24:46 136704 --a------ C:\Windows\system32\mdklmqun.dll
2008-05-25 20:37:06 136704 --a------ C:\Windows\system32\meoejtcn.dll
2008-05-25 19:55:02 136704 --a------ C:\Windows\system32\dcakifre.dll
2008-05-25 13:14:00 742072 --ahs---- C:\Windows\system32\EfOYcJjl.ini2
2008-05-25 13:13:57 370688 -----n--- C:\Windows\system32\ljJcYOfE.dll
2008-05-24 11:20:16 136192 --a------ C:\Windows\system32\jyburiut.dll
2008-05-24 10:16:28 115200 --a------ C:\Windows\system32\scduckfh.dll
2008-05-23 19:07:26 6743 --ahs---- C:\Windows\system32\lopWFNpo.ini2
2008-05-11 23:39:59 0 d-------- C:\Program Files\X3watch


-- Find3M Report ---------------------------------------------------------------

2008-06-03 01:57:27 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-01 20:15:20 0 d-------- C:\Users\HP_Administrator\AppData\Roaming\uTorrent
2008-05-31 01:55:56 0 d-------- C:\Program Files\Lavasoft
2008-05-31 01:54:09 0 d-------- C:\Program Files\Common Files
2008-05-31 01:32:29 0 d-------- C:\Program Files\Java
2008-05-30 15:50:14 0 d-------- C:\Program Files\Last.fm
2008-05-25 16:18:09 0 d-------- C:\Users\HP_Administrator\AppData\Roaming\Ruckus Network
2008-05-20 07:26:40 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-17 16:21:55 0 d-------- C:\Program Files\AIM6
2008-05-17 01:31:05 0 d-------- C:\Users\HP_Administrator\AppData\Roaming\goombah
2008-05-14 11:53:22 0 d-------- C:\Program Files\Windows Mail
2008-05-11 23:42:30 0 d-------- C:\Users\HP_Administrator\AppData\Roaming\x3watch
2008-04-20 22:31:01 174 --ahs---- C:\Program Files\desktop.ini
2008-04-20 22:20:36 0 d-------- C:\Program Files\Windows Sidebar
2008-04-20 22:20:36 0 d-------- C:\Program Files\Windows Calendar
2008-04-20 22:20:36 0 d-------- C:\Program Files\Movie Maker
2008-04-20 22:20:33 0 d-------- C:\Program Files\Windows Photo Gallery
2008-04-20 22:20:29 0 d-------- C:\Program Files\Windows Defender
2008-04-19 12:54:56 0 d-------- C:\Program Files\Apple Software Update
2008-04-15 19:27:10 0 d-------- C:\Users\HP_Administrator\AppData\Roaming\gemsweeperextractedgfx
2008-04-15 19:15:14 0 d-------- C:\Program Files\Gemsweeper
2008-04-15 19:11:46 0 d-------- C:\Program Files\ReflexiveArcade
2008-04-12 23:45:02 96577 --a------ C:\Windows\hpqins16.dat
2008-04-10 12:09:03 0 d-------- C:\Program Files\Ruckus Player
2008-04-10 12:05:29 0 d-------- C:\Program Files\Emergent Music LLC
2008-04-05 10:09:25 0 d-------- C:\Program Files\iTunes
2008-04-05 10:09:20 0 d-------- C:\Program Files\iPod
2008-04-05 10:07:48 0 d-------- C:\Program Files\QuickTime
2008-04-04 21:22:56 0 d-------- C:\Program Files\Western Digital Technologies
2008-03-27 13:41:10 148917 --a------ C:\Windows\hpoins19.dat
2008-03-22 12:14:17 2548 --a------ C:\Windows\unins000.dat
2008-03-22 12:13:26 691545 --a------ C:\Windows\unins000.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0CF5D165-517E-48B6-B3C7-3054A24F8BF6}]
05/23/2008 05:02 PM 58880 --a------ C:\Windows\system32\fcccbBtu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{102FA8B1-7845-492E-976D-8FEFE768266F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{133ABB57-BBBD-4D9C-AC9C-5A6815FBFEBF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{185DE87D-6FBB-4BBC-BD26-60AFE7A82A0E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A3F2417-F198-4FDC-9FD5-BD665144D0B9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6885e32b-47dc-4ebb-aa75-77f61dc1780c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{979221CA-2B6E-4C14-B856-E8076609E51E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AD0AD95C-A1A4-45DB-B546-F8036A0B32A7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4C2D0F8-17D8-426E-A8FA-DE4C5C9145EA}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C81C8ADC-D4C7-4465-BAF6-5D1A6F37E397}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cd578757-4abf-4a4b-a76f-d0d3e6ba81f5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E45C56B4-E9CD-4620-8BD1-B9581CDE2E4E}]
05/25/2008 01:13 PM 370688 --------- C:\Windows\system32\ljJcYOfE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EECB8A71-5C7C-4610-84D2-3FF46408ABCE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/19/2008 03:38 AM]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [10/02/2006 10:49 AM]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [02/16/2006 01:34 AM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [07/23/2005 01:14 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [09/01/2006 11:18 AM]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [04/19/2007 06:11 PM]
"x3watch"="C:\Program Files\X3watch\x3watch.exe" [09/28/2007 08:50 AM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [11/28/2007 08:51 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [11/22/2006 06:12 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [11/28/2006 07:34 AM]
"CCUTRAYICON"="C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [09/11/2006 03:58 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [05/08/2007 04:24 PM]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [09/12/2007 05:28 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [09/12/2007 05:28 AM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [09/12/2007 05:28 AM]
"BMc74eef9a"="C:\Windows\system32\lvbvkyly.dll" [06/04/2008 01:04 AM]
"c47ddc06"="C:\Windows\system32\fdcjauku.dll" [06/04/2008 01:10 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/19/2008 03:33 AM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [03/25/2008 04:21 PM]
"uTorrent"="C:\Program Files\uTorrent\utorrent.exe" [01/30/2008 02:17 AM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [01/19/2008 03:33 AM]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [01/24/2008 01:32 PM]
"FlashMute"="C:\Program Files\FlashMute\FlashMute.exe" [03/11/2006 03:49 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/19/2008 03:33 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"PCDrProfiler"=C:\Program Files\PC-Doctor 5 for Windows\RunProfiler.exe -r

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [1/2/2007 10:40:10 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0CF5D165-517E-48B6-B3C7-3054A24F8BF6}"= C:\Windows\system32\fcccbBtu.dll [05/23/2008 05:02 PM 58880]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\ljJcYOfE

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
WudfServiceGroup WUDFSvc
iissvcs w3svc was
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc
apphost apphostsvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-06-04 04:11:51 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6001) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU 6300 @ 1.86GHz
Percentage of Memory in Use: 54%
Physical Memory (total/avail): 2045.76 MiB / 922.96 MiB
Pagefile Memory (total/avail): 4326.8 MiB / 2765.43 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1882.79 MiB

C: is Fixed (NTFS) - 224.23 GiB total, 20.64 GiB free.
D: is Fixed (FAT32) - 8.63 GiB total, 0.37 GiB free.
E: is CDROM (No Media)
F: is Removable (No Media)
G: is Fixed (FAT32) - 232.83 GiB total, 97.84 GiB free.
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)

\\.\PHYSICALDRIVE0 - ST3250820AS - 232.88 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 224.23 GiB - C:
\PARTITION1 - Unknown - 8.64 GiB - D:

\\.\PHYSICALDRIVE2 - Generic- Compact Flash USB Device

\\.\PHYSICALDRIVE5 - Generic- MS/MS-Pro USB Device

\\.\PHYSICALDRIVE4 - Generic- SD/MMC USB Device

\\.\PHYSICALDRIVE3 - Generic- SM/xD-Picture USB Device

\\.\PHYSICALDRIVE1 - WD 2500BEV External USB Device - 232.88 GiB - 1 partition
\PARTITION0 - Unknown - 232.88 GiB - G:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is enabled.

AV: Symantec AntiVirus v10.2.0.276 (Symantec Corporation)
AS: Spybot - Search and Destroy v1.0.0.5 (Safer Networking Ltd.) Disabled
AS: Symantec AntiVirus v10.2.0.276 (Symantec Corporation)
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Ruckus Player\\Ruckus.exe"="C:\\Program Files\\Ruckus Player\\Ruckus.exe:*:Enabled:Ruckus"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\HP_Administrator\AppData\Roaming
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=COMPY
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\HP_Administrator
LOCALAPPDATA=C:\Users\HP_Administrator\AppData\Local
LOGONSERVER=\\COMPY
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;c:\Python22;c:\Program Files\Common Files\Roxio Shared\DLLShared\;c:\Program Files\Common Files\Roxio Shared\DLLShared\;c:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Pinnacle\Shared Files;C:\Program Files\Pinnacle\Shared Files\Filter
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
RoxioCentral=c:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\HP_ADM~1\AppData\Local\Temp
TMP=C:\Users\HP_ADM~1\AppData\Local\Temp
USERDOMAIN=COMPY
USERNAME=HP_Administrator
USERPROFILE=C:\Users\HP_Administrator
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

HP_Administrator (admin)
IUSR_NMPR (new local, net ready)
Administrator (new local)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\PROGRA~1\RUCKUS~1\UNWISE.EXE /a C:\PROGRA~1\RUCKUS~1\INSTALL.LOG
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
--> MsiExec.exe /I{3BF1390E-9EAE-4C2A-B30C-3992233FBCBA}
.sol Editor 1.1.0.1 --> C:\Program Files\Sol Edit\uninst.exe
µTorrent --> "C:\Program Files\uTorrent\uninstall.exe"
32 Bit HP CIO Components Installer --> MsiExec.exe /I{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}
A.F.5 Rename your files 1.1 --> MsiExec.exe /I{A725C340-77EE-11D6-BBC2-0000CB591583}
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\Windows\System32\Macromed\SHOCKW~1\UNWISE.EXE C:\Windows\System32\Macromed\SHOCKW~1\Install.log
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
BIAS SoundSoap PE 2.1 --> MsiExec.exe /I{42442CA9-90E6-4011-BB55-7C263F6D5EC1}
BIAS SoundSoap PE 2.1.1 --> MsiExec.exe /I{8709C596-C0B4-415D-9281-AC846B39EA76}
Bible Explorer 4 Download Edition --> "C:\ProgramData\{10659AF2-4F35-499C-A058-D29D27AEE138}\Setup.exe" REMOVE=TRUE MODIFY=FALSE
Bonjour Core for Windows --> MsiExec.exe /I{56DF5C9E-6392-46D3-B366-297B14E1DAAF}
Bookworm Adventures Deluxe 1.0 --> C:\Program Files\PopCap Games\Bookworm Adventures Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\Bookworm Adventures Deluxe\Install.log"
Cheat Engine 5.3 --> "C:\Program Files\Cheat Engine\unins000.exe"
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Customer Experience Enhancement --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{23012310-3E05-46A5-88A9-C6CBCABCAC79} /l1033
dBpoweramp AAC Encoder --> "C:\Windows\system32\SpoonUninstall.exe" <uninstall>C:\Windows\system32\SpoonUninstall-dBpoweramp AAC Encoder.dat
dBpoweramp FLAC Codec --> "C:\Windows\system32\SpoonUninstall.exe" <uninstall>C:\Windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
dBpoweramp m4a Codec --> "C:\Windows\system32\SpoonUninstall.exe" <uninstall>C:\Windows\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
dBpoweramp m4a Utilities --> "C:\Windows\system32\SpoonUninstall.exe" <uninstall>C:\Windows\system32\SpoonUninstall-dBpoweramp m4a Utilities.dat
dBpoweramp m4b Audio book Encoder --> "C:\Windows\system32\SpoonUninstall.exe" <uninstall>C:\Windows\system32\SpoonUninstall-dBpoweramp m4b Audio book Encoder.dat
dBpoweramp Music Converter --> "C:\Windows\system32\SpoonUninstall.exe" <uninstall>C:\Windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
DHTML Editing Component --> MsiExec.exe /I{2EA870FA-585F-4187-903D-CB9FFD21E2E0}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Play --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45D707E9-F3C4-11D9-A373-0050BAE317E1}\Setup.exe" -uninstall
e-Sword --> MsiExec.exe /I{87791AF4-4D4C-43DC-97BF-05EEEE5187F2}
Enhanced Multimedia Keyboard Solution --> C:\HP\KBD\Install.exe /u
FixTunes (remove only) --> "C:\Program Files\Cloudbrain\FixTunes\uninstall.exe"
FlashMute --> "C:\Program Files\FlashMute\uninstall.exe"
Games n Music --> "C:\Program Files\Datel\Games n Music\unins000.exe"
Gemsweeper --> "C:\Program Files\Gemsweeper\ReflexiveArcade\unins000.exe"
Google Earth --> MsiExec.exe /I{374F03BB-9C09-4DB3-9C9B-C71E63292950}
Goombah Partner COM Server --> MsiExec.exe /I{EBBE2FB2-FBED-44F6-B95F-230AB5A65B28}
Hardware Diagnostic Tools --> C:\Program Files\PC-Doctor 5 for Windows\uninst.exe
Hotfix for Microsoft .NET Framework 3.0 (KB932471) --> C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {ECD292A0-0347-4244-8C24-5DBCE990FB40} /package {BAF78226-3200-4DB4-BE33-4D922A799840}
HP Boot Optimizer --> MsiExec.exe /X{1341D838-719C-4A05-B50F-49420CA1B4BB}
HP Imaging Device Functions 8.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP OCR Software 8.0 --> C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat
HP Photosmart Essential --> MsiExec.exe /X{EB21A812-671B-4D08-B974-2A347F0D8F70}
HP Photosmart for Media Center PC --> c:\Program Files\HP\Digital Imaging\bin\mcpc\setupmcl.exe /u
HP Photosmart, Officejet, PSC and Deskjet All-In-One Driver Software 8.0.B --> C:\Program Files\HP\Digital Imaging\{C916D86C-AB76-49c7-B0E4-A946E0FD9BC2}\setup\hpzscr01.exe -datfile hposcr19.dat -onestop -showdisconnect -forcereboot
HP Picasso Media Center Add-In --> MsiExec.exe /I{55979C41-7D6A-49CC-B591-64AC1BBE2C8B}
HP Update --> MsiExec.exe /X{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}
Intel® Matrix Storage Manager --> C:\Windows\System32\Imsmudlg.exe
Intel® Network Connections Drivers --> Prounstl.exe
Intel® Viiv™ Software --> MsiExec.exe /X{6E7BF6EC-C3E7-43A7-8A03-0D204E3EC01B} /qb!
iQuiz Maker --> MsiExec.exe /I{46F42615-BA31-45A0-BE10-2D2119749E95}
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
ITWorx Prayer Times Gadget --> MsiExec.exe /I{B06D7D13-9780-4BC3-9425-284D268FE819}
iView Catalog Reader (remove only) --> C:\Program Files\iView Catalog Reader\Uninst.exe
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Juno 5.1.83 --> C:\Program Files\Juno\bin\Uninstall.exe
K-Lite Codec Pack 3.4.0 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Kaspersky Online Scanner --> C:\Windows\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Last.fm 1.5.1.29527 --> "C:\Program Files\Last.fm\unins000.exe"
LightScribe System Software 1.12.29.2 --> MsiExec.exe /X{CF8C077A-B467-4C43-8DB5-3A9B94FF9681}
LightScribeTemplateLabeler --> MsiExec.exe /X{305D4B08-5807-4475-B1C8-D54685534864}
Linksys Wireless-G PCI Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4DDC3BED-CC68-44AA-B435-D727B620CA5B}\setup.exe" -l0x9
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Magic MP3 Tagger 2.2.4d --> "C:\Program Files\Magic MP3 Tagger\unins000.exe"
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 Hotfix (KB929729) --> "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\M929729\M929729Uninstall.msp"
Microsoft Office OneNote 2003 --> MsiExec.exe /I{91A10409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 6.0 Parser --> MsiExec.exe /I{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}
MusicBrainz Picard 0.7.2 --> C:\Program Files\MusicBrainz Picard\uninst.exe
muvee autoProducer 5.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB4740B3-2530-452D-A825-F7AB246CA7DF}\setup.exe" -l0x9
muvee autoProducer unPlugged 2.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5FDD0538-C67A-4F67-B3F8-09D1AAF04D99}\setup.exe" -l0x9
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
OcxSetup --> MsiExec.exe /I{C3DC29BC-A8CF-4578-9DFC-37F049C44771}
OpenAL --> "C:\Program Files\OpenAL\oalinst.exe" /U
Pinnacle Instant DVD Recorder --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF781A5C-58F5-4BFD-87F9-E4F14D382F25}\setup.exe" -l0x9 UNINSTALL
Pradis Do Not Remove --> MsiExec.exe /I{2B6E2126-4438-4CF1-BDDE-3C4355092860}
Pradis: NIV Holy Bible --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{7298D123-15A2-4B51-AA8E-BB4AF4745F0E}
proDAD Heroglyph 2.5 --> "C:\Program Files\proDAD\Heroglyph-2.5\uninstall.exe" uninstall spcp PATHVERSION 2.5 MAINNAME Heroglyph
proDAD Vitascene 1.0 --> "C:\Program Files\proDAD\Vitascene-1.0\uninstall.exe" uninstall spcp PATHVERSION 1.0 MAINNAME Vitascene
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
QuickTime for Windows (32-bit) --> C:\WINDOWS\QTW32DEL.EXE
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
Roxio Creator Audio --> MsiExec.exe /X{83FFCFC7-88C6-41c6-8752-958A45325C82}
Roxio Creator Basic v9 --> MsiExec.exe /X{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
Roxio Creator Copy --> MsiExec.exe /X{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}
Roxio Creator Data --> MsiExec.exe /X{0D397393-9B50-4c52-84D5-77E344289F87}
Roxio Creator EasyArchive --> MsiExec.exe /X{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}
Roxio Creator Tools --> MsiExec.exe /X{0394CDC8-FABD-4ed8-B104-03393876DFDF}
Roxio Express Labeler 3 --> MsiExec.exe /X{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio MyDVD Basic v9 --> MsiExec.exe /X{E4A02A3F-4F8A-4D94-BB99-68BC1D1CF6DB}
Ruckus Player --> C:\PROGRA~1\RUCKUS~1\UNWISE.EXE C:\PROGRA~1\RUCKUS~1\INSTALL.LOG
Samsung USB Driver (MCCI 4.16) --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{1485ABFA-12D7-4107-9148-54EE30CDBA67}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Shop for HP Supplies --> C:\Program Files\HP\Digital Imaging\HPSSupply\hpzscr01.exe -datfile hpqbud16.dat
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1\UIU32m.exe -U -ITrx200Cz.INF
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\Windows\unins000.exe"
Starcraft --> C:\Windows\SCunin.exe C:\Windows\SCunin.dat
Studio 11 --> C:\Program Files\InstallShield Installation Information\{110B1ADF-2EAE-4E8F-B501-D2A1E6D8ED9D}\Setup2.exe -runfromtemp -l0x0009 UNINSTALL -removeonly
Studio 11 Bonus DVD --> C:\Program Files\InstallShield Installation Information\{45A1BF92-700A-4408-B95E-79F462E3D67D}\setup.exe -runfromtemp -l0x0009 UNINSTALL -removeonly
Studio Ultimate --> C:\Program Files\InstallShield Installation Information\{CC874CBB-BD87-4126-9465-AE73BB62D6E0}\setup.exe -runfromtemp -l0x0009 -removeonly
Symantec AntiVirus --> MsiExec.exe /I{7C9E6E52-EB11-44DB-A761-82D5D873A8D9}
Symantec KB-DocID:2003093015493306 --> MsiExec.exe /I{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}
Tune Transfer Patch --> C:\Program Files\InstallShield Installation Information\{56436A13-5DEC-48C8-9A15-911727981AEB}\setup.exe -runfromtemp -l0x0009 -removeonly
Unlocker 1.8.5 --> C:\Program Files\Unlocker\uninst.exe
VideoLAN VLC media player 0.8.6f --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Watson --> MsiExec.exe /I{9B88DD94-1AAE-41C4-BD95-2D8737D5E9E2}
WD Diagnostics --> MsiExec.exe /X{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}
Windows Genuine Advantage Validation Tool (KB892130) -->
Windows Installer Clean Up --> MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
Windows Live OneCare safety scanner --> "C:\Program Files\Windows Live Safety Center\UnInstall.exe"
Windows Live OneCare safety scanner --> MsiExec.exe /X{FE0646A7-19D0-41B4-A2BB-2C35D644270D}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar --> MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Media Format 11 runtime --> "C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 11 --> "C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player Firefox Plugin --> MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
X3watch 5.0.5 --> "C:\Program Files\X3watch\unins000.exe"
XML Paper Specification Shared Components Pack 1.0 -->
Yahoo! Desktop Login --> MsiExec.exe /I{F9AEEC34-CF00-4CBD-9E36-DF9DC4002685}
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type28652 / Error
Event Submitted/Written: 06/04/2008 01:20:27 AM
Event ID/Source: 51 / Symantec AntiVirus
Event Description:
Security Risk Found!Risk: Trojan.LowZones in File: C:\Users\HP_Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RKKPLKXQ\kb713501[1] by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description:

Event Record #/Type28651 / Error
Event Submitted/Written: 06/04/2008 01:20:05 AM
Event ID/Source: 5 / Symantec AntiVirus
Event Description:
Risk Found!Risk: Trojan.LowZones in File: C:\Users\HP_Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RKKPLKXQ\kb713501[1] by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description:

Event Record #/Type28650 / Error
Event Submitted/Written: 06/04/2008 01:20:05 AM
Event ID/Source: 46 / Symantec AntiVirus
Event Description:
Security Risk Found!Risk: Trojan.LowZones in File: C:\Users\HP_Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RKKPLKXQ\kb713501[1] by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description:

Event Record #/Type28623 / Error
Event Submitted/Written: 06/03/2008 03:19:11 AM
Event ID/Source: 1002 / Application Hang
Event Description:
The program gta_sa.exe version 0.0.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: 107c
Start Time: 01c8c544278bcae0
Termination Time: 781

Event Record #/Type28620 / Error
Event Submitted/Written: 06/03/2008 02:34:54 AM
Event ID/Source: 1002 / Application Hang
Event Description:
The program gta_sa.exe version 0.0.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: e94
Start Time: 01c8c54193bb7060
Termination Time: 536



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type504895 / Error
Event Submitted/Written: 06/04/2008 03:51:28 AM
Event ID/Source: 10016 / DCOM
Event Description:
machine-defaultLocalActivation{9BA05972-F6A8-11CF-A442-00A0C90A8F39}COMPYHP_AdministratorS-1-5-21-1343216726-186962121-1077989821-1007LocalHost (Using LRPC)

Event Record #/Type504894 / Error
Event Submitted/Written: 06/04/2008 03:51:22 AM
Event ID/Source: 10016 / DCOM
Event Description:
machine-defaultLocalActivation{9BA05972-F6A8-11CF-A442-00A0C90A8F39}COMPYHP_AdministratorS-1-5-21-1343216726-186962121-1077989821-1007LocalHost (Using LRPC)

Event Record #/Type504893 / Error
Event Submitted/Written: 06/04/2008 03:50:42 AM
Event ID/Source: 10016 / DCOM
Event Description:
machine-defaultLocalActivation{9BA05972-F6A8-11CF-A442-00A0C90A8F39}COMPYHP_AdministratorS-1-5-21-1343216726-186962121-1077989821-1007LocalHost (Using LRPC)

Event Record #/Type504892 / Error
Event Submitted/Written: 06/04/2008 03:50:42 AM
Event ID/Source: 10016 / DCOM
Event Description:
machine-defaultLocalActivation{9BA05972-F6A8-11CF-A442-00A0C90A8F39}COMPYHP_AdministratorS-1-5-21-1343216726-186962121-1077989821-1007LocalHost (Using LRPC)

Event Record #/Type504891 / Error
Event Submitted/Written: 06/04/2008 03:50:40 AM
Event ID/Source: 10016 / DCOM
Event Description:
machine-defaultLocalActivation{9BA05972-F6A8-11CF-A442-00A0C90A8F39}COMPYHP_AdministratorS-1-5-21-1343216726-186962121-1077989821-1007LocalHost (Using LRPC)



-- End of Deckard's System Scanner: finished at 2008-06-04 04:11:51 ------------


KASPERSKY ONLINE SCANNER REPORT
Wednesday, June 04, 2008 3:50:31 AM
Operating System: Microsoft Windows Vista Home Edition, Service Pack 1 (Build 6001)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/06/2008
Kaspersky Anti-Virus database records: 825827
Scan Settings
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target: My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan Statistics
Total number of scanned objects: 446368
Number of viruses found: 23
Number of infected objects: 42
Number of suspicious objects: 0
Duration of the scan process: 05:06:19

Infected Object Name Virus Name Last Action
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\FlashMute\uninstall.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.ih skipped
C:\Program Files\Online Services\PeoplePC\ISP5900\Branding\ppal3ppc.exe/data0004 Infected: not-a-virus:AdWare.Win32.Agent.aeh skipped
C:\Program Files\Online Services\PeoplePC\ISP5900\Branding\ppal3ppc.exe NSIS: infected - 1 skipped
C:\Program Files\Online Services\Vonage\Xtras\regxtra121.x32 Infected: Backdoor.Win32.RAdmin.ag skipped
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09F80000\4FFC4F46.VBN Infected: Backdoor.Win32.Hupigon.evc skipped
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA00002.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.trl skipped
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CB40000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.trp skipped
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DB40000\4FF531D7.VBN Infected: Trojan.Win32.Vapsup.lp skipped
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F680001.VBN/UGA6P_0001_N122M2802NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F680001.VBN CAB: infected - 1 skipped
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F680001.VBN CryptZ: infected - 1 skipped
C:\Users\HP_Administrator\AppData\Local\JN\JN Data1\ads\logs\USER0001.lo$ Object is locked skipped
C:\Users\HP_Administrator\AppData\Local\JN\JN Data1\client.lo$ Object is locked skipped
C:\Users\HP_Administrator\AppData\Local\JN\JN Data1\crashlog.lo$ Object is locked skipped
C:\Users\HP_Administrator\AppData\Local\JN\JN Data1\eventlog.lo$ Object is locked skipped
C:\Users\HP_Administrator\AppData\Local\JN\JN Data1\jsps.log Object is locked skipped
C:\Users\HP_Administrator\AppData\Local\JN\JN Data1\USER0001\mailbox.atr Object is locked skipped
C:\Users\HP_Administrator\AppData\Local\JN\JN Data1\USER0001\mailbox.bdb Object is locked skipped
C:\Users\HP_Administrator\AppData\Local\Last.fm\Client\Last.fm.log Object is locked skipped
C:\Users\HP_Administrator\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Users\HP_Administrator\AppData\Local\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Users\HP_Administrator\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Users\HP_Administrator\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008060320080604\index.dat Object is locked skipped
C:\Users\HP_Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\HP_Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\HP_Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
C:\Users\HP_Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
C:\Users\HP_Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat{9401bb0e-42c5-11dc-8e38-0018f3cc2151}.TM.blf Object is locked skipped
C:\Users\HP_Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat{9401bb0e-42c5-11dc-8e38-0018f3cc2151}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\HP_Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat{9401bb0e-42c5-11dc-8e38-0018f3cc2151}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\HP_Administrator\AppData\Local\Microsoft\Windows Defender\FileTracker\{6AFD66C3-4880-454E-9628-66ABBE099A96} Object is locked skipped
C:\Users\HP_Administrator\AppData\Local\Microsoft\Windows Sidebar\Settings.ini Object is locked skipped
C:\Users\HP_Administrator\AppData\Local\Temp\tmp00015c71 Infected: not-a-virus:AdWare.Win32.Virtumonde.trk skipped
C:\Users\HP_Administrator\AppData\Local\Temp\tmp00015ef0 Infected: not-a-virus:AdWare.Win32.Virtumonde.trk skipped
C:\Users\HP_Administrator\AppData\Local\Temp\tmp00020b84 Infected: not-a-virus:AdWare.Win32.Virtumonde.trk skipped
C:\Users\HP_Administrator\AppData\Local\Temp\tmp0002adbb Infected: not-a-virus:AdWare.Win32.Virtumonde.trk skipped
C:\Users\HP_Administrator\AppData\Local\Temp\tmp00044c4b Infected: not-a-virus:AdWare.Win32.Virtumonde.trk skipped
C:\Users\HP_Administrator\AppData\Local\Temp\tmp001dd806 Infected: not-a-virus:AdWare.Win32.Virtumonde.trk skipped
C:\Users\HP_Administrator\AppData\Local\Temp\~DF7BEF.tmp Object is locked skipped
C:\Users\HP_Administrator\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Users\HP_Administrator\NTUSER.DAT Object is locked skipped
C:\Users\HP_Administrator\ntuser.dat.LOG1 Object is locked skipped
C:\Users\HP_Administrator\ntuser.dat.LOG2 Object is locked skipped
C:\Users\HP_Administrator\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Users\HP_Administrator\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\HP_Administrator\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
C:\Windows\sawkip.exe Infected: Trojan.Win32.Vapsup.lr skipped
C:\Windows\SchedLgU.Txt Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\apandyql.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped
C:\Windows\System32\aritqaqs.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vqd skipped
C:\Windows\System32\bmxcqjsd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wdd skipped
C:\Windows\System32\catroot2\edb.log Object is locked skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\config\COMPONENTS Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
C:\Windows\System32\config\DEFAULT Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
C:\Windows\System32\config\RegBack\COMPONENTS Object is locked skipped
C:\Windows\System32\config\RegBack\DEFAULT Object is locked skipped
C:\Windows\System32\config\RegBack\SAM Object is locked skipped
C:\Windows\System32\config\RegBack\SECURITY Object is locked skipped
C:\Windows\System32\config\RegBack\SOFTWARE Object is locked skipped
C:\Windows\System32\config\RegBack\SYSTEM Object is locked skipped
C:\Windows\System32\config\SAM Object is locked skipped
C:\Windows\System32\config\SAM.LOG1 Object is locked skipped
C:\Windows\System32\config\SAM.LOG2 Object is locked skipped
C:\Windows\System32\config\SECURITY Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
C:\Windows\System32\config\SOFTWARE Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
C:\Windows\System32\config\SYSTEM Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.0.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.1.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.2.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000003.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000004.regtrans-ms Object is locked skipped
C:\Windows\System32\drivers\sptd.sys Object is locked skipped
C:\Windows\System32\dxnuhity.dll Infected: Trojan-Downloader.Win32.ConHook.apx skipped
C:\Windows\System32\fcccbBtu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.trk skipped
C:\Windows\System32\fugilqbt.dll Infected: Trojan-Downloader.Win32.ConHook.te skipped
C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTm.blf Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000001 Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000002 Object is locked skipped
C:\Windows\System32\phgsxxte.dll Infected: Trojan.Win32.Monder.le skipped
C:\Windows\System32\plqvkqwx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped
C:\Windows\System32\qaetohag.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.xjc skipped
C:\Windows\System32\qpgaksgt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tsz skipped
C:\Windows\System32\rkajsddg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vjr skipped
C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
C:\Windows\System32\wbem\Repository\INDEX.BTR Object is locked skipped
C:\Windows\System32\wbem\Repository\MAPPING1.MAP Object is locked skipped
C:\Windows\System32\wbem\Repository\MAPPING2.MAP Object is locked skipped
C:\Windows\System32\wbem\Repository\OBJECTS.DATA Object is locked skipped
C:\Windows\System32\WDI\LogFiles\WdiContextLog.etl.001 Object is locked skipped
C:\Windows\System32\wfp\wfpdiag.etl Object is locked skipped
C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\IntelDH.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Media Center.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Metrics.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\ODiag.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\OSession.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
C:\Windows\System32\wtgukchl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vqh skipped
C:\Windows\System32\xfjyvpev.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tsz skipped
C:\Windows\System32\xlvhmiph.dll Infected: Trojan-Downloader.Win32.ConHook.te skipped
C:\Windows\System32\xvdumbnb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpu skipped
C:\Windows\System32\yaerfkkr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vqf skipped
C:\Windows\Temp\nmsmc_DQLWinService.log Object is locked skipped
D:\I386\APPS\APP11700\src\CompaqPresario_Spring06.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
D:\I386\APPS\APP11700\src\CompaqPresario_Spring06.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
D:\I386\APPS\APP11700\src\CompaqPresario_Spring06.exe WiseSFX: infected - 2 skipped
D:\I386\APPS\APP11700\src\CompaqPresario_Spring06.exe WiseSFXDropper: infected - 2 skipped
D:\I386\APPS\APP11700\src\HPPavillion_Spring06.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
D:\I386\APPS\APP11700\src\HPPavillion_Spring06.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
D:\I386\APPS\APP11700\src\HPPavillion_Spring06.exe WiseSFX: infected - 2 skipped
D:\I386\APPS\APP11700\src\HPPavillion_Spring06.exe WiseSFXDropper: infected - 2 skipped
Scan process completed.


Thanks!
Kyle


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:43 PM

Posted 11 June 2008 - 02:38 PM

Hello Kyle7,

Java 6 Update 6 is the current latest version, so do not uninstall it.

Click on start, then control panel, and then double-click on add/remove programs.
From within add/remove program uninstall the following by double-clicking on the following entries:
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java 6 Update 2
Java 6 Update 3
Java 6 Update 5
Java SE Runtime Environment 6 Update 1


Reboot your computer.

**************************


I see Viewpoint installed.
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now, if you did not install it.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player


Reboot your computer.

**************************

Please download the
OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
    (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\FlashMute\uninstall.exe
    C:\Program Files\Online Services\PeoplePC\ISP5900\Branding\ppal3ppc.exe
    C:\Program Files\Online Services\Vonage\Xtras\regxtra121.x32
    C:\Users\HP_Administrator\AppData\Local\Temp\tmp00015c71
    C:\Users\HP_Administrator\AppData\Local\Temp\tmp00015ef0
    C:\Users\HP_Administrator\AppData\Local\Temp\tmp00020b84
    C:\Users\HP_Administrator\AppData\Local\Temp\tmp0002adbb
    C:\Users\HP_Administrator\AppData\Local\Temp\tmp00044c4b
    C:\Users\HP_Administrator\AppData\Local\Temp\tmp001dd806
    C:\Windows\sawkip.exe
    C:\Windows\System32\apandyql.dll
    C:\Windows\System32\aritqaqs.dll
    C:\Windows\System32\bmxcqjsd.dll
    C:\Windows\System32\dxnuhity.dll
    C:\Windows\System32\fcccbBtu.dll
    C:\Windows\System32\fugilqbt.dll
    C:\Windows\System32\phgsxxte.dll
    C:\Windows\System32\plqvkqwx.dll
    C:\Windows\System32\qaetohag.dll
    C:\Windows\System32\qpgaksgt.dll
    C:\Windows\System32\rkajsddg.dll
    C:\Windows\System32\wtgukchl.dll
    C:\Windows\System32\xfjyvpev.dll
    C:\Windows\System32\xlvhmiph.dll
    C:\Windows\System32\xvdumbnb.dll
    C:\Windows\System32\yaerfkkr.dll
    D:\I386\APPS\APP11700\src\CompaqPresario_Spring06.exe
    D:\I386\APPS\APP11700\src\HPPavillion_Spring06.exe


  • Return to OTMoveIt2, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Note: If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
    C:\_OTMoveIt2\MovedFiles\********_******.log
    (where "********_******" is the "date_time")
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Caution: Be careful of what you copy and paste with this tool. OTMoveIt2 is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system.


**************************



Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Edited by SifuMike, 11 June 2008 - 02:54 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
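As an added illustration of how a removal list like the one above gets assembled from the Kaspersky report in post #1 (example code written for this thread, not a tool from the post or from OldTimer): it picks out the "Infected:" lines, collapses archive-member hits such as "...exe/WISE0015.BIN" to their container file, and sets aside hits that only live inside the Symantec quarantine folder, which is why the .VBN entries do not belong in the OTMoveIt2 list. The sample input is a constructed excerpt using paths from that log, and the function names `parse_infected`, `triage` and `otmoveit_list` are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: a short excerpt in the shape of the Kaspersky
# online-scanner report posted in this thread (paths taken from that log).
SAMPLE_REPORT = r"""
C:\ProgramData\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA00002.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.trl skipped
C:\Users\HP_Administrator\AppData\Local\Temp\tmp00015c71 Infected: not-a-virus:AdWare.Win32.Virtumonde.trk skipped
C:\Windows\sawkip.exe Infected: Trojan.Win32.Vapsup.lr skipped
C:\Windows\System32\apandyql.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped
C:\Windows\System32\dxnuhity.dll Infected: Trojan-Downloader.Win32.ConHook.apx skipped
D:\I386\APPS\APP11700\src\HPPavillion_Spring06.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
D:\I386\APPS\APP11700\src\HPPavillion_Spring06.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
D:\I386\APPS\APP11700\src\HPPavillion_Spring06.exe WiseSFX: infected - 2 skipped
Scan process completed.
"""

# A detection line: "<drive>:\<path> Infected: <verdict> skipped".
# "Object is locked skipped" and per-archive summary lines do not match.
INFECTED_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) Infected: (?P<verdict>\S+) skipped$"
)
# Anything under an AV quarantine store is already neutralised.
QUARANTINE_RE = re.compile(r"\\quarantine\\", re.IGNORECASE)


def parse_infected(report: str) -> List[Tuple[str, str]]:
    """Return (path, verdict) for every 'Infected:' line, in report order."""
    hits: List[Tuple[str, str]] = []
    for line in report.splitlines():
        m = INFECTED_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("verdict")))
    return hits


def container_path(path: str) -> str:
    """The scanner reports a hit inside an archive as '<archive>/<member>';
    the object that actually exists on disk is the archive."""
    return path.split("/", 1)[0]


def triage(report: str) -> Dict[str, List[str]]:
    """Split detections into files still live on disk (removal candidates)
    and detections that only exist inside an AV quarantine folder.
    Duplicates (several members of one archive) collapse to one entry."""
    result: Dict[str, List[str]] = {"move": [], "already_quarantined": []}
    seen = set()
    for path, _verdict in parse_infected(report):
        target = container_path(path)
        key = target.lower()          # Windows paths are case-insensitive
        if key in seen:
            continue
        seen.add(key)
        bucket = "already_quarantined" if QUARANTINE_RE.search(target) else "move"
        result[bucket].append(target)
    return result


def otmoveit_list(report: str) -> str:
    """Render the removal candidates one path per line, the shape pasted
    into OTMoveIt2's 'Paste List of Files/Folders to be moved' box."""
    return "\n".join(triage(report)["move"])


if __name__ == "__main__":
    t = triage(SAMPLE_REPORT)
    print("Already in AV quarantine (leave alone):")
    for p in t["already_quarantined"]:
        print("   ", p)
    print("\nCandidates for the OTMoveIt2 list:")
    print(otmoveit_list(SAMPLE_REPORT))
```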

#3 Kyle7

Kyle7
  • Topic Starter

  • Members
  • 8 posts
  • Local time:05:43 PM

Posted 12 June 2008 - 10:27 AM

Thanks for the assistance!
I guess I didn't need 8 versions of Java on my computer, did I? haha... and it wouldn't remove Viewpoint right now, but I'll try again when everything else is sorted out... that is one of those things I delete and it always manages to get reinstalled by stuff.

OTMoveIt2 log
C:\Program Files\FlashMute\uninstall.exe moved successfully.
C:\Program Files\Online Services\PeoplePC\ISP5900\Branding\ppal3ppc.exe moved successfully.
C:\Program Files\Online Services\Vonage\Xtras\regxtra121.x32 moved successfully.
File/Folder C:\Users\HP_Administrator\AppData\Local\Temp\tmp00015c71 not found.
File/Folder C:\Users\HP_Administrator\AppData\Local\Temp\tmp00015ef0 not found.
File/Folder C:\Users\HP_Administrator\AppData\Local\Temp\tmp00020b84 not found.
File/Folder C:\Users\HP_Administrator\AppData\Local\Temp\tmp0002adbb not found.
File/Folder C:\Users\HP_Administrator\AppData\Local\Temp\tmp00044c4b not found.
File/Folder C:\Users\HP_Administrator\AppData\Local\Temp\tmp001dd806 not found.
C:\Windows\sawkip.exe moved successfully.
File/Folder C:\Windows\System32\apandyql.dll not found.
File/Folder C:\Windows\System32\aritqaqs.dll not found.
LoadLibrary failed for C:\Windows\System32\bmxcqjsd.dll
C:\Windows\System32\bmxcqjsd.dll NOT unregistered.
File move failed. C:\Windows\System32\bmxcqjsd.dll scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\Windows\System32\dxnuhity.dll
C:\Windows\System32\dxnuhity.dll NOT unregistered.
C:\Windows\System32\dxnuhity.dll moved successfully.
DllUnregisterServer procedure not found in C:\Windows\System32\fcccbBtu.dll
C:\Windows\System32\fcccbBtu.dll NOT unregistered.
C:\Windows\System32\fcccbBtu.dll moved successfully.
DllUnregisterServer procedure not found in C:\Windows\System32\fugilqbt.dll
C:\Windows\System32\fugilqbt.dll NOT unregistered.
C:\Windows\System32\fugilqbt.dll moved successfully.
LoadLibrary failed for C:\Windows\System32\phgsxxte.dll
C:\Windows\System32\phgsxxte.dll NOT unregistered.
File move failed. C:\Windows\System32\phgsxxte.dll scheduled to be moved on reboot.
LoadLibrary failed for C:\Windows\System32\plqvkqwx.dll
C:\Windows\System32\plqvkqwx.dll NOT unregistered.
File move failed. C:\Windows\System32\plqvkqwx.dll scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\Windows\System32\qaetohag.dll
C:\Windows\System32\qaetohag.dll NOT unregistered.
C:\Windows\System32\qaetohag.dll moved successfully.
DllUnregisterServer procedure not found in C:\Windows\System32\qpgaksgt.dll
C:\Windows\System32\qpgaksgt.dll NOT unregistered.
C:\Windows\System32\qpgaksgt.dll moved successfully.
DllUnregisterServer procedure not found in C:\Windows\System32\rkajsddg.dll
C:\Windows\System32\rkajsddg.dll NOT unregistered.
C:\Windows\System32\rkajsddg.dll moved successfully.
LoadLibrary failed for C:\Windows\System32\wtgukchl.dll
C:\Windows\System32\wtgukchl.dll NOT unregistered.
File move failed. C:\Windows\System32\wtgukchl.dll scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\Windows\System32\xfjyvpev.dll
C:\Windows\System32\xfjyvpev.dll NOT unregistered.
C:\Windows\System32\xfjyvpev.dll moved successfully.
DllUnregisterServer procedure not found in C:\Windows\System32\xlvhmiph.dll
C:\Windows\System32\xlvhmiph.dll NOT unregistered.
C:\Windows\System32\xlvhmiph.dll moved successfully.
File/Folder C:\Windows\System32\xvdumbnb.dll not found.
LoadLibrary failed for C:\Windows\System32\yaerfkkr.dll
C:\Windows\System32\yaerfkkr.dll NOT unregistered.
File move failed. C:\Windows\System32\yaerfkkr.dll scheduled to be moved on reboot.
D:\I386\APPS\APP11700\src\CompaqPresario_Spring06.exe moved successfully.
D:\I386\APPS\APP11700\src\HPPavillion_Spring06.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06122008_105202

Files moved on Reboot...
File C:\Windows\System32\bmxcqjsd.dll not found!
File C:\Windows\System32\phgsxxte.dll not found!
File C:\Windows\System32\plqvkqwx.dll not found!
File C:\Windows\System32\wtgukchl.dll not found!
File C:\Windows\System32\yaerfkkr.dll not found!

MBAM log
Malwarebytes' Anti-Malware 1.17
Database version: 850

11:10:29 AM 6/12/2008
mbam-log-6-12-2008 (11-10-29).txt

Scan type: Quick Scan
Objects scanned: 42506
Time elapsed: 6 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Windows\System32\ewfunldu.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{521c3fed-e9f2-4322-9c31-0c3017ba5b5c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{521c3fed-e9f2-4322-9c31-0c3017ba5b5c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0cf5d165-517e-48b6-b3c7-3054a24f8bf6} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0cf5d165-517e-48b6-b3c7-3054a24f8bf6} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{0cf5d165-517e-48b6-b3c7-3054a24f8bf6} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMc74eef9a (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\cmoowlpj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\jplwoomc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\ewfunldu.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\udlnufwe.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\fdcjauku.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\ukuajcdf.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\ljJcYOfE.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\EfOYcJjl.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\EfOYcJjl.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\scduckfh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\hfkcudcs.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\jyburiut.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\tqlyslvh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\mapxcyks.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:24 AM, on 6/12/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\X3watch\x3watch.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\FlashMute\flashmute.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunes.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Windows\system32\SearchFilterHost.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0CF5D165-517E-48B6-B3C7-3054A24F8BF6} - (no file)
O2 - BHO: (no name) - {102FA8B1-7845-492E-976D-8FEFE768266F} - (no file)
O2 - BHO: (no name) - {133ABB57-BBBD-4D9C-AC9C-5A6815FBFEBF} - (no file)
O2 - BHO: (no name) - {185DE87D-6FBB-4BBC-BD26-60AFE7A82A0E} - (no file)
O2 - BHO: (no name) - {1C404ACE-FC7D-4E73-A527-1F3C2C41A6C0} - (no file)
O2 - BHO: (no name) - {521C3FED-E9F2-4322-9C31-0C3017BA5B5C} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A3F2417-F198-4FDC-9FD5-BD665144D0B9} - (no file)
O2 - BHO: (no name) - {6885e32b-47dc-4ebb-aa75-77f61dc1780c} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {979221CA-2B6E-4C14-B856-E8076609E51E} - (no file)
O2 - BHO: (no name) - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - (no file)
O2 - BHO: (no name) - {AD0AD95C-A1A4-45DB-B546-F8036A0B32A7} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C4C2D0F8-17D8-426E-A8FA-DE4C5C9145EA} - (no file)
O2 - BHO: (no name) - {C81C8ADC-D4C7-4465-BAF6-5D1A6F37E397} - (no file)
O2 - BHO: (no name) - {cd578757-4abf-4a4b-a76f-d0d3e6ba81f5} - (no file)
O2 - BHO: {c1691027-fa86-95d9-de24-66e1077b282d} - {d282b770-1e66-42ed-9d59-68af7201961c} - C:\Windows\system32\dcqrqugq.dll
O2 - BHO: (no name) - {E45C56B4-E9CD-4620-8BD1-B9581CDE2E4E} - (no file)
O2 - BHO: (no name) - {EECB8A71-5C7C-4610-84D2-3FF46408ABCE} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [PCDrProfiler] C:\Program Files\PC-Doctor 5 for Windows\RunProfiler.exe -r
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [FlashMute] C:\Program Files\FlashMute\FlashMute.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/...S/wlscctrl2.cab
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\Windows\system32\drivers\pclepci.sys
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 13754 bytes

thanks!
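An added example for reading a log like the one above, not part of Kyle7's post and not code from HijackThis itself. It walks the O2 (Browser Helper Object) lines and separates three cases: registrations whose DLL is gone ("(no file)", the residue earlier cleaners leave behind), a live DLL in System32 with a random 8-letter name and no product name (the dcqrqugq.dll entry), and ordinary vendor BHOs. The regexes and the "8 random lowercase letters" heuristic are my assumptions; the six sample lines are excerpted from the log above.

```python
"""Triage the O2 (Browser Helper Object) lines of a HijackThis log.

Two patterns stand out in the posted log: BHO registrations whose DLL is gone
("(no file)", left behind by earlier cleaners) and a live BHO whose display
name is itself a GUID and whose DLL is a random 8-letter name in System32.
"""
import re
from dataclasses import dataclass

# O2 line layout: "O2 - BHO: <name> - {CLSID} - <path or (no file)>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$"
)
GUID_NAME_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
# Heuristic (assumption): Vundo-style droppers used 8 random lowercase letters.
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")

# Six O2 lines excerpted from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0CF5D165-517E-48B6-B3C7-3054A24F8BF6} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: {c1691027-fa86-95d9-de24-66e1077b282d} - {d282b770-1e66-42ed-9d59-68af7201961c} - C:\Windows\system32\dcqrqugq.dll
O2 - BHO: (no name) - {EECB8A71-5C7C-4610-84D2-3FF46408ABCE} - (no file)
"""


@dataclass
class Finding:
    clsid: str
    name: str
    path: str
    verdict: str  # "orphaned", "suspicious" or "ok"


def classify_bho(line: str):
    """Return a Finding for an O2 line, or None for any other line."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    name, clsid, path = m.group("name"), m.group("clsid"), m.group("path")
    if path == "(no file)":
        verdict = "orphaned"          # registration survives, DLL does not
    else:
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        in_system32 = "\\system32\\" in path.lower()
        nameless = name == "(no name)" or GUID_NAME_RE.match(name) is not None
        if in_system32 and RANDOM_STEM_RE.match(stem) and nameless:
            verdict = "suspicious"    # live DLL, random name, no product name
        else:
            verdict = "ok"
    return Finding(clsid, name, path, verdict)


def triage(log_text: str):
    """All O2 findings in a log, in file order."""
    return [f for f in map(classify_bho, log_text.splitlines()) if f is not None]


def summarize(findings):
    """Count verdicts, e.g. {'ok': 3, 'orphaned': 2, 'suspicious': 1}."""
    counts = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:10} {{{f.clsid}}} {f.path}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it against a full HijackThis log by replacing SAMPLE_LOG with the file contents; the "orphaned" entries are harmless on their own but are exactly what the later OTScanIt fix removes, while a "suspicious" hit is the line worth submitting for analysis before any deletion.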

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:43 PM

Posted 12 June 2008 - 01:00 PM

Hi Kyle7,

It looks like you are still infected, so let's run another tool. :thumbsup:

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.


Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans

  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post.

If the file is too big to attach, then you can upload the new scan log to me here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Kyle7

Kyle7
  • Topic Starter

  • Members
  • 8 posts
  • Local time:05:43 PM

Posted 12 June 2008 - 06:47 PM

It was too big to attach so I submitted it.
Thanks!

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:43 PM

Posted 12 June 2008 - 09:28 PM

Hi Kyle,

I am looking at your monster log now and see you ran VundoFix, VundoBegone, FxVMonde and ComboFix. :thumbsup:

None of these tools are designed to work with Vista. :)

Further, you should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert!
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using ComboFix incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Edited by SifuMike, 12 June 2008 - 10:28 PM.


#7 Kyle7

Kyle7
  • Topic Starter

  • Members
  • 8 posts
  • Local time:05:43 PM

Posted 13 June 2008 - 06:04 AM

Yeah...before coming here I think I was fairly desperate to get my system fixed, so I tried following various guides online with nothing working...pretty much all those programs just told me there was nothing to be fixed. Did I make matters worse?

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:43 PM

Posted 13 June 2008 - 11:45 AM

Hi Kyle,

did i make matters worse?


No way to tell. :thumbsup: Using tools that are not meant to be run on your Vista OS is never good.

Step #1

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
%allusersprofile%\pskt.ini
%systemroot%\system32\bnbmudvx.ini
%systemroot%\system32\cgbqbxxm.dll
%systemroot%\system32\dcakifre.dll
%systemroot%\system32\dcqrqugq.dll
%systemroot%\system32\ecbjetvc.dll
%systemroot%\system32\etxxsghp.ini
%systemroot%\system32\gddsjakr.ini
%systemroot%\system32\hvbhxkqm.dll
%systemroot%\system32\itakdjra.ini
%systemroot%\system32\kkscsnoe.dll
%systemroot%\system32\lkkfmaor.dll
%systemroot%\system32\lopwfnpo.ini
%systemroot%\system32\lopwfnpo.ini2
%systemroot%\system32\mdklmqun.dll
%systemroot%\system32\meoejtcn.dll
%systemroot%\system32\mhwhopxf.ini
%systemroot%\system32\rsiklmyc.ini
%systemroot%\system32\shcltwhf.dll
%systemroot%\system32\sqaqtira.ini
%systemroot%\system32\tciuduvn.dll
%systemroot%\system32\vwxloqrm.ini
%systemroot%\system32\wgvgujwy.dll
%userprofile%\desktop\virtumundobegone.exe
%userprofile%\desktop\vundofix.exe
Folders to delete:
%systemdrive%\vundofix backups

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
  • Click the Execute button
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Step #2

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> 
YN -> HKEY_CURRENT_USER\: URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Yahoo! Toolbar]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {0CF5D165-517E-48B6-B3C7-3054A24F8BF6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {102FA8B1-7845-492E-976D-8FEFE768266F} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {133ABB57-BBBD-4D9C-AC9C-5A6815FBFEBF} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {185DE87D-6FBB-4BBC-BD26-60AFE7A82A0E} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {1C404ACE-FC7D-4E73-A527-1F3C2C41A6C0} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {521C3FED-E9F2-4322-9C31-0C3017BA5B5C} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {5A3F2417-F198-4FDC-9FD5-BD665144D0B9} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {6885e32b-47dc-4ebb-aa75-77f61dc1780c} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {979221CA-2B6E-4C14-B856-E8076609E51E} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {AD0AD95C-A1A4-45DB-B546-F8036A0B32A7} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {C4C2D0F8-17D8-426E-A8FA-DE4C5C9145EA} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {C81C8ADC-D4C7-4465-BAF6-5D1A6F37E397} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {cd578757-4abf-4a4b-a76f-d0d3e6ba81f5} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YY -> {d282b770-1e66-42ed-9d59-68af7201961c} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\System32\dcqrqugq.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {E45C56B4-E9CD-4620-8BD1-B9581CDE2E4E} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {EECB8A71-5C7C-4610-84D2-3FF46408ABCE} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Yahoo! Toolbar]
[Files/Folders - Created Within 30 days]
NY -> VundoFix Backups -> %SystemDrive%\VundoFix Backups
NY -> bnbmudvx.ini -> %SystemRoot%\System32\bnbmudvx.ini
NY -> cgbqbxxm.dll -> %SystemRoot%\System32\cgbqbxxm.dll
NY -> dcakifre.dll -> %SystemRoot%\System32\dcakifre.dll
NY -> dcqrqugq.dll -> %SystemRoot%\System32\dcqrqugq.dll
NY -> ecbjetvc.dll -> %SystemRoot%\System32\ecbjetvc.dll
NY -> etxxsghp.ini -> %SystemRoot%\System32\etxxsghp.ini
NY -> gddsjakr.ini -> %SystemRoot%\System32\gddsjakr.ini
NY -> hvbhxkqm.dll -> %SystemRoot%\System32\hvbhxkqm.dll
NY -> itakdjra.ini -> %SystemRoot%\System32\itakdjra.ini
NY -> 11 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp
NY -> kkscsnoe.dll -> %SystemRoot%\System32\kkscsnoe.dll
NY -> lkkfmaor.dll -> %SystemRoot%\System32\lkkfmaor.dll
NY -> lopWFNpo.ini -> %SystemRoot%\System32\lopWFNpo.ini
NY -> lopWFNpo.ini2 -> %SystemRoot%\System32\lopWFNpo.ini2
NY -> mdklmqun.dll -> %SystemRoot%\System32\mdklmqun.dll
NY -> meoejtcn.dll -> %SystemRoot%\System32\meoejtcn.dll
NY -> mhwhopxf.ini -> %SystemRoot%\System32\mhwhopxf.ini
NY -> rsiklmyc.ini -> %SystemRoot%\System32\rsiklmyc.ini
NY -> shcltwhf.dll -> %SystemRoot%\System32\shcltwhf.dll
NY -> sqaqtira.ini -> %SystemRoot%\System32\sqaqtira.ini
NY -> tciuduvn.dll -> %SystemRoot%\System32\tciuduvn.dll
NY -> vwxloqrm.ini -> %SystemRoot%\System32\vwxloqrm.ini
NY -> wgvgujwy.dll -> %SystemRoot%\System32\wgvgujwy.dll
NY -> 2 C:\Windows\*.tmp files -> C:\Windows\*.tmp
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> pskt.ini -> %AllUsersProfile%\pskt.ini
NY -> VirtumundoBeGone.exe -> %UserProfile%\Desktop\VirtumundoBeGone.exe
NY -> VundoFix.exe -> %UserProfile%\Desktop\VundoFix.exe
[Files/Folders - Modified Within 30 days]
NY -> VundoFix Backups -> %SystemDrive%\VundoFix Backups
NY -> bnbmudvx.ini -> %SystemRoot%\System32\bnbmudvx.ini
NY -> 11 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp
NY -> cgbqbxxm.dll -> %SystemRoot%\System32\cgbqbxxm.dll
NY -> dcakifre.dll -> %SystemRoot%\System32\dcakifre.dll
NY -> dcqrqugq.dll -> %SystemRoot%\System32\dcqrqugq.dll
NY -> ecbjetvc.dll -> %SystemRoot%\System32\ecbjetvc.dll
NY -> etxxsghp.ini -> %SystemRoot%\System32\etxxsghp.ini
NY -> gddsjakr.ini -> %SystemRoot%\System32\gddsjakr.ini
NY -> hvbhxkqm.dll -> %SystemRoot%\System32\hvbhxkqm.dll
NY -> itakdjra.ini -> %SystemRoot%\System32\itakdjra.ini
NY -> kkscsnoe.dll -> %SystemRoot%\System32\kkscsnoe.dll
NY -> lkkfmaor.dll -> %SystemRoot%\System32\lkkfmaor.dll
NY -> lopWFNpo.ini -> %SystemRoot%\System32\lopWFNpo.ini
NY -> lopWFNpo.ini2 -> %SystemRoot%\System32\lopWFNpo.ini2
NY -> mdklmqun.dll -> %SystemRoot%\System32\mdklmqun.dll
NY -> meoejtcn.dll -> %SystemRoot%\System32\meoejtcn.dll
NY -> mhwhopxf.ini -> %SystemRoot%\System32\mhwhopxf.ini
NY -> rsiklmyc.ini -> %SystemRoot%\System32\rsiklmyc.ini
NY -> shcltwhf.dll -> %SystemRoot%\System32\shcltwhf.dll
NY -> sqaqtira.ini -> %SystemRoot%\System32\sqaqtira.ini
NY -> tciuduvn.dll -> %SystemRoot%\System32\tciuduvn.dll
NY -> vwxloqrm.ini -> %SystemRoot%\System32\vwxloqrm.ini
NY -> wgvgujwy.dll -> %SystemRoot%\System32\wgvgujwy.dll
NY -> 2 C:\Windows\*.tmp files -> C:\Windows\*.tmp
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> pskt.ini -> %AllUsersProfile%\pskt.ini
[Empty Temp Folders]
[Start Explorer]
[Reboot]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Step #3

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
Step #4

Run a new OTScanIt scan with the following options

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • File - Additional Folder Scans

  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Step #5

Post the following back here:
  • The Avenger report (c:\Avenger.txt). This will be a short log, so you can post it.
  • The latest OTScanIt fix log (look in the OTScanIt folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run.) This will be a short log, so you can post it.
  • The new OTScanIt scan log. This will be a long log, so you can upload it to me here.
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Edited by SifuMike, 13 June 2008 - 11:50 AM.
spelling

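An added example, not from SifuMike's post and not code from The Avenger or OTScanIt: a Python cross-check that takes an Avenger script in the "Files to delete:" / "Folders to delete:" layout used in Step #1 and the result log Avenger writes after the reboot, and reports every script entry that has no matching "deleted successfully" line. The environment-variable mapping is a constructed table (the values are the ones the thread's log shows Vista resolving to, not read from a live machine), the script is a five-entry excerpt of the one above, the log excerpt deliberately omits one entry so the check has something to report, and the result-line regex is my assumption about the log format.

```python
"""Cross-check an Avenger script against the avenger.txt result log.

Every "Files to delete:" / "Folders to delete:" entry in the script should have
a matching 'deleted successfully' line in the log; anything else is unconfirmed
and needs a second look before declaring the machine clean.
"""
import re

# Constructed environment mapping (assumption): the values Vista resolved the
# script's %VAR% tokens to in the posted log, not read from a live system.
ENV = {
    "%allusersprofile%": r"C:\ProgramData",
    "%systemroot%": r"C:\Windows",
    "%userprofile%": r"C:\Users\HP_Administrator",
    "%systemdrive%": "C:",
}

# Excerpt of the Avenger script from Step #1 above (five of its entries).
SCRIPT = r"""Files to delete:
%allusersprofile%\pskt.ini
%systemroot%\system32\dcqrqugq.dll
%systemroot%\system32\wgvgujwy.dll
%userprofile%\desktop\vundofix.exe
Folders to delete:
%systemdrive%\vundofix backups
"""

# Constructed result log: Avenger-style lines, with the wgvgujwy.dll line left
# out on purpose so the check has something to report.
LOG = r"""File "C:\ProgramData\pskt.ini" deleted successfully.
File "C:\Windows\system32\dcqrqugq.dll" deleted successfully.
File "C:\Users\HP_Administrator\desktop\vundofix.exe" deleted successfully.
Folder "C:\vundofix backups" deleted successfully.
"""

# Assumed result-line format: File|Folder "<path>" <status>.
RESULT_RE = re.compile(r'^(?P<kind>File|Folder) "(?P<path>[^"]+)" (?P<status>.+?)\.?$')


def normalize(path: str, env=ENV) -> str:
    """Expand %VAR% tokens (case-insensitively) and lowercase for comparison."""
    out = path.strip()
    for var, value in env.items():
        # A callable replacement keeps backslashes in the value literal.
        out = re.sub(re.escape(var), lambda _m: value, out, flags=re.IGNORECASE)
    return out.lower()


def parse_script(text: str):
    """Yield (kind, raw_path) pairs from the script's two sections."""
    kind = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.lower() == "files to delete:":
            kind = "File"
        elif line.lower() == "folders to delete:":
            kind = "Folder"
        elif kind:
            yield kind, line


def parse_log(text: str):
    """Map (kind, lowercased path) -> status for each result line in the log."""
    results = {}
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            results[(m.group("kind"), m.group("path").lower())] = m.group("status")
    return results


def verify(script: str, log: str):
    """Split script entries into confirmed deletions and unconfirmed ones."""
    results = parse_log(log)
    confirmed, unconfirmed = [], []
    for kind, raw in parse_script(script):
        status = results.get((kind, normalize(raw)))
        (confirmed if status == "deleted successfully" else unconfirmed).append(raw)
    return {"confirmed": confirmed, "unconfirmed": unconfirmed}


if __name__ == "__main__":
    report = verify(SCRIPT, LOG)
    for entry in report["unconfirmed"]:
        print("UNCONFIRMED:", entry)
    print(f"{len(report['confirmed'])} confirmed, {len(report['unconfirmed'])} unconfirmed")
```

The point of the check is the one SifuMike makes in Step #5: the Avenger log is the evidence that the fix did what was asked. An unconfirmed entry means either the file had already gone (another tool removed it, or the name rotated) or the deletion failed, and either way it belongs in the next reply rather than being assumed clean.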

#9 Kyle7

Kyle7
  • Topic Starter

  • Members
  • 8 posts
  • Local time:05:43 PM

Posted 14 June 2008 - 11:20 AM

The scans seemed to go fine with one exception...after rebooting with the Avenger scan I got this "windows no disk error" that said "exception processing message 0xc0000012 parameters 0x762092A0 0x00000004 0x762092A0 0x762092A0" with "cancel, continue and try again" as options. After trying "try again" and "continue" several times with the same box popping up, continue finally worked...the only other strange thing is at some point some desktop.ini files showed up on the desktop, looks like hidden files.

the computer itself seems to be running better, firefox is cooperating again at least

here are the logs
avenger

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\ProgramData\pskt.ini" deleted successfully.
File "C:\Windows\system32\bnbmudvx.ini" deleted successfully.
File "C:\Windows\system32\cgbqbxxm.dll" deleted successfully.
File "C:\Windows\system32\dcakifre.dll" deleted successfully.
File "C:\Windows\system32\dcqrqugq.dll" deleted successfully.
File "C:\Windows\system32\ecbjetvc.dll" deleted successfully.
File "C:\Windows\system32\etxxsghp.ini" deleted successfully.
File "C:\Windows\system32\gddsjakr.ini" deleted successfully.
File "C:\Windows\system32\hvbhxkqm.dll" deleted successfully.
File "C:\Windows\system32\itakdjra.ini" deleted successfully.
File "C:\Windows\system32\kkscsnoe.dll" deleted successfully.
File "C:\Windows\system32\lkkfmaor.dll" deleted successfully.
File "C:\Windows\system32\lopwfnpo.ini" deleted successfully.
File "C:\Windows\system32\lopwfnpo.ini2" deleted successfully.
File "C:\Windows\system32\mdklmqun.dll" deleted successfully.
File "C:\Windows\system32\meoejtcn.dll" deleted successfully.
File "C:\Windows\system32\mhwhopxf.ini" deleted successfully.
File "C:\Windows\system32\rsiklmyc.ini" deleted successfully.
File "C:\Windows\system32\shcltwhf.dll" deleted successfully.
File "C:\Windows\system32\sqaqtira.ini" deleted successfully.
File "C:\Windows\system32\tciuduvn.dll" deleted successfully.
File "C:\Windows\system32\vwxloqrm.ini" deleted successfully.
File "C:\Windows\system32\wgvgujwy.dll" deleted successfully.
File "C:\Users\HP_Administrator\desktop\virtumundobegone.exe" deleted successfully.
File "C:\Users\HP_Administrator\desktop\vundofix.exe" deleted successfully.
Folder "C:\vundofix backups" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

otscanitfix
Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0CF5D165-517E-48B6-B3C7-3054A24F8BF6}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0CF5D165-517E-48B6-B3C7-3054A24F8BF6}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{102FA8B1-7845-492E-976D-8FEFE768266F}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{102FA8B1-7845-492E-976D-8FEFE768266F}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{133ABB57-BBBD-4D9C-AC9C-5A6815FBFEBF}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{133ABB57-BBBD-4D9C-AC9C-5A6815FBFEBF}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{185DE87D-6FBB-4BBC-BD26-60AFE7A82A0E}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{185DE87D-6FBB-4BBC-BD26-60AFE7A82A0E}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1C404ACE-FC7D-4E73-A527-1F3C2C41A6C0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1C404ACE-FC7D-4E73-A527-1F3C2C41A6C0}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{521C3FED-E9F2-4322-9C31-0C3017BA5B5C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{521C3FED-E9F2-4322-9C31-0C3017BA5B5C}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5A3F2417-F198-4FDC-9FD5-BD665144D0B9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5A3F2417-F198-4FDC-9FD5-BD665144D0B9}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6885e32b-47dc-4ebb-aa75-77f61dc1780c}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6885e32b-47dc-4ebb-aa75-77f61dc1780c}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{979221CA-2B6E-4C14-B856-E8076609E51E}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{979221CA-2B6E-4C14-B856-E8076609E51E}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAE832A-5FFF-4661-9C8F-369692D1DCB9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAE832A-5FFF-4661-9C8F-369692D1DCB9}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AD0AD95C-A1A4-45DB-B546-F8036A0B32A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD0AD95C-A1A4-45DB-B546-F8036A0B32A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C4C2D0F8-17D8-426E-A8FA-DE4C5C9145EA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4C2D0F8-17D8-426E-A8FA-DE4C5C9145EA}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C81C8ADC-D4C7-4465-BAF6-5D1A6F37E397}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C81C8ADC-D4C7-4465-BAF6-5D1A6F37E397}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cd578757-4abf-4a4b-a76f-d0d3e6ba81f5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{cd578757-4abf-4a4b-a76f-d0d3e6ba81f5}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d282b770-1e66-42ed-9d59-68af7201961c}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d282b770-1e66-42ed-9d59-68af7201961c}\ deleted successfully.
File C:\Windows\System32\dcqrqugq.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E45C56B4-E9CD-4620-8BD1-B9581CDE2E4E}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E45C56B4-E9CD-4620-8BD1-B9581CDE2E4E}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EECB8A71-5C7C-4610-84D2-3FF46408ABCE}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EECB8A71-5C7C-4610-84D2-3FF46408ABCE}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
[Files/Folders - Created Within 30 days]
File C:\VundoFix Backups not found!
File C:\Windows\System32\bnbmudvx.ini not found!
File C:\Windows\System32\cgbqbxxm.dll not found!
File C:\Windows\System32\dcakifre.dll not found!
File C:\Windows\System32\dcqrqugq.dll not found!
File C:\Windows\System32\ecbjetvc.dll not found!
File C:\Windows\System32\etxxsghp.ini not found!
File C:\Windows\System32\gddsjakr.ini not found!
File C:\Windows\System32\hvbhxkqm.dll not found!
File C:\Windows\System32\itakdjra.ini not found!
File C:\Windows\System32\kkscsnoe.dll not found!
File C:\Windows\System32\lkkfmaor.dll not found!
File C:\Windows\System32\lopWFNpo.ini not found!
File C:\Windows\System32\lopWFNpo.ini2 not found!
File C:\Windows\System32\mdklmqun.dll not found!
File C:\Windows\System32\meoejtcn.dll not found!
File C:\Windows\System32\mhwhopxf.ini not found!
File C:\Windows\System32\rsiklmyc.ini not found!
File C:\Windows\System32\shcltwhf.dll not found!
File C:\Windows\System32\sqaqtira.ini not found!
File C:\Windows\System32\tciuduvn.dll not found!
File C:\Windows\System32\vwxloqrm.ini not found!
File C:\Windows\System32\wgvgujwy.dll not found!
C:\Windows\NV41924196.TMP folder deleted successfully.
[Files Created - Additional Folder Scans - Non-Microsoft Only]
File C:\ProgramData\pskt.ini not found!
File C:\Users\HP_Administrator\Desktop\VirtumundoBeGone.exe not found!
File C:\Users\HP_Administrator\Desktop\VundoFix.exe not found!
[Files/Folders - Modified Within 30 days]
File C:\VundoFix Backups not found!
File C:\Windows\System32\bnbmudvx.ini not found!
File C:\Windows\System32\cgbqbxxm.dll not found!
File C:\Windows\System32\dcakifre.dll not found!
File C:\Windows\System32\dcqrqugq.dll not found!
File C:\Windows\System32\ecbjetvc.dll not found!
File C:\Windows\System32\etxxsghp.ini not found!
File C:\Windows\System32\gddsjakr.ini not found!
File C:\Windows\System32\hvbhxkqm.dll not found!
File C:\Windows\System32\itakdjra.ini not found!
File C:\Windows\System32\kkscsnoe.dll not found!
File C:\Windows\System32\lkkfmaor.dll not found!
File C:\Windows\System32\lopWFNpo.ini not found!
File C:\Windows\System32\lopWFNpo.ini2 not found!
File C:\Windows\System32\mdklmqun.dll not found!
File C:\Windows\System32\meoejtcn.dll not found!
File C:\Windows\System32\mhwhopxf.ini not found!
File C:\Windows\System32\rsiklmyc.ini not found!
File C:\Windows\System32\shcltwhf.dll not found!
File C:\Windows\System32\sqaqtira.ini not found!
File C:\Windows\System32\tciuduvn.dll not found!
File C:\Windows\System32\vwxloqrm.ini not found!
File C:\Windows\System32\wgvgujwy.dll not found!
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
File C:\ProgramData\pskt.ini not found!
[Empty Temp Folders]
File delete failed. C:\Users\HP_Administrator\AppData\Local\Temp\~DFE9BE.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\Windows\temp\nmsmc_DQLWinService.log scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.15.15 fix logfile created on 06132008_150636

Files moved on Reboot...
C:\Users\HP_Administrator\AppData\Local\Temp\~DFE9BE.tmp moved successfully.
File move failed. C:\Windows\temp\nmsmc_DQLWinService.log scheduled to be moved on reboot.

F-Secure
Scanning Report
Friday, June 13, 2008 15:25:14 - 23:38:58

Computer name: COMPY
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\ G:\
Result: 18 malware found
Tracking Cookie (spyware)

* System

Trojan-Downloader.Win32.ConHook.apx (virus)

* C:\_OTMOVEIT\MOVEDFILES\06122008_105202\WINDOWS\SYSTEM32\DXNUHITY.DLL (Renamed & Submitted)

Trojan-Downloader.Win32.ConHook.te (virus)

* C:\_OTMOVEIT\MOVEDFILES\06122008_105202\WINDOWS\SYSTEM32\FUGILQBT.DLL (Renamed & Submitted)
* C:\_OTMOVEIT\MOVEDFILES\06122008_105202\WINDOWS\SYSTEM32\XLVHMIPH.DLL (Renamed & Submitted)

Trojan.Win32.Vapsup.lr (virus)

* C:\_OTMOVEIT\MOVEDFILES\06122008_105202\WINDOWS\SAWKIP.EXE (Renamed & Submitted)

Vundo.gen179 (virus)

* C:\_OTMOVEIT\MOVEDFILES\06122008_105202\WINDOWS\SYSTEM32\FCCCBBTU.DLL (Submitted)
* C:\_OTMOVEIT\MOVEDFILES\06122008_105202\WINDOWS\SYSTEM32\QAETOHAG.DLL (Submitted)
* C:\_OTMOVEIT\MOVEDFILES\06122008_105202\WINDOWS\SYSTEM32\QPGAKSGT.DLL (Submitted)
* C:\_OTMOVEIT\MOVEDFILES\06122008_105202\WINDOWS\SYSTEM32\RKAJSDDG.DLL (Submitted)
* C:\_OTMOVEIT\MOVEDFILES\06122008_105202\WINDOWS\SYSTEM32\XFJYVPEV.DLL (Submitted)
* C:\DECKARD\SYSTEM SCANNER\BACKUP\USERS\HP_ADM~1\APPDATA\LOCAL\TEMP\TMP00015C71 (Submitted)
* C:\DECKARD\SYSTEM SCANNER\BACKUP\USERS\HP_ADM~1\APPDATA\LOCAL\TEMP\TMP00015EF0 (Submitted)
* C:\DECKARD\SYSTEM SCANNER\BACKUP\USERS\HP_ADM~1\APPDATA\LOCAL\TEMP\TMP00020B84 (Submitted)
* C:\DECKARD\SYSTEM SCANNER\BACKUP\USERS\HP_ADM~1\APPDATA\LOCAL\TEMP\TMP0002ADBB (Submitted)
* C:\DECKARD\SYSTEM SCANNER\BACKUP\USERS\HP_ADM~1\APPDATA\LOCAL\TEMP\TMP00044C4B (Submitted)
* C:\DECKARD\SYSTEM SCANNER\BACKUP\USERS\HP_ADM~1\APPDATA\LOCAL\TEMP\TMP001DD806 (Submitted)

W32/EMailWorm (virus)

* C:\PROGRAM FILES\PRODAD\VITASCENE-1.0\UNINSTALL.EXE (Submitted)
* C:\PROGRAM FILES\PRODAD\HEROGLYPH-2.5\UNINSTALL.EXE (Submitted)

Statistics
Scanned:

* Files: 528470
* System: 7043
* Not scanned: 30

Actions:

* Disinfected: 0
* Renamed: 4
* Deleted: 0
* None: 14
* Submitted: 17

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
* C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
* C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
* C:\USERS\HP_ADMINISTRATOR\APPDATA\LOCAL\TEMP\SQLITE_R9FT9OBXMDTKP7V
* C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\FC1E3851F429EA606D6FF1E01A5229F1_7328777B-FB1B-4981-8F19-CE7F2D7B36CB
* C:\SYSTEM VOLUME INFORMATION\{1CC415CA-3892-11DD-A861-0018F3CC2151}{3808876B-C176-4E48-B7AE-04046E6CC752}
* C:\SYSTEM VOLUME INFORMATION\{3808876B-C176-4E48-B7AE-04046E6CC752}
* C:\SYSTEM VOLUME INFORMATION\{F80C4B4E-36A7-11DD-8402-0018F3CC2151}{3808876B-C176-4E48-B7AE-04046E6CC752}
* C:\SYSTEM VOLUME INFORMATION\{F80C4B60-36A7-11DD-8402-0018F3CC2151}{3808876B-C176-4E48-B7AE-04046E6CC752}
* C:\SYSTEM VOLUME INFORMATION\{F80C4B66-36A7-11DD-8402-0018F3CC2151}{3808876B-C176-4E48-B7AE-04046E6CC752}
* C:\SYSTEM VOLUME INFORMATION\{F80C4B6C-36A7-11DD-8402-0018F3CC2151}{3808876B-C176-4E48-B7AE-04046E6CC752}
* C:\SYSTEM VOLUME INFORMATION\{F80C4B72-36A7-11DD-8402-0018F3CC2151}{3808876B-C176-4E48-B7AE-04046E6CC752}
* C:\SYSTEM VOLUME INFORMATION\{F80C4B78-36A7-11DD-8402-0018F3CC2151}{3808876B-C176-4E48-B7AE-04046E6CC752}
* C:\SYSTEM VOLUME INFORMATION\{F80C4B7E-36A7-11DD-8402-0018F3CC2151}{3808876B-C176-4E48-B7AE-04046E6CC752}
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\FC1E3851F429EA606D6FF1E01A5229F1_7328777B-FB1B-4981-8F19-CE7F2D7B36CB
* C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL
* C:\BOOT\BCD

Options
Scanning engines:

* F-Secure USS: 2.30.0
* F-Secure Hydra: 2.8.8110, 2008-06-13
* F-Secure Pegasus: 1.20.0, 2008-04-14
* F-Secure AVP: 7.0.171, 2008-06-13

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics


And I'm posting the OTScanIt log.

As always, thanks!

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:43 PM

Posted 14 June 2008 - 12:21 PM

Hi Kyle7,

I received the log. Everything looks good. :thumbsup:

Go ahead and run the system normally for a couple of days and then get back with me and let me know if there are any continuing issues.

Edited by SifuMike, 14 June 2008 - 12:22 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 SifuMike


Posted 19 June 2008 - 02:02 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
