Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde, Ms Juan, And Friends


  • This topic is locked This topic is locked
14 replies to this topic

#1 zeero3

zeero3

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:05:26 PM

Posted 24 June 2008 - 10:27 PM

I've been working on cleaning up my computer for at least the past four days and Spyware Doctor and other scanners still see traces.

Background: Computer and especially IE was running very slowly and popups occured. Many steps have been taken until now and I'll try to summarize.

Frustrated with Norton Anti-Virus, which detected nothing, I uninstalled it and installed AVG Free 8.0. I also downloaded and ran both Ad-Aware and Spybot S&D. After multiple times scanning, cleaning, and rebooting, Spybot would still detect Virtumonde.dll. From there I downloaded HijackThis and RegCleaner. With those programs, and by using Windows's Add/Remove Programs, I trimmed down as many unnecessary programs and startup files as I could recognize. I googled HijackThis lines and removed missing files and lines that were found to be harmful by forums such as this one. After that all scanning methods were run again and the computer seemed to become considerably more stable. However, when I scan with AVG, it usually finds over 450 warnings (adware) and I have observed "MS Juan" in certain lines. I am pleased so far and now I am interested in really getting my computer to be as clean as possible and keeping it that way, ie fewer startup processes and regular system scans and spyware checks. I just looked over Buckeye Sam's response to someone else's MS Juan infection and will follow those same steps to finalize and clean the system, ie OTMoveIt, Disable/Enable System Restore, and installing Spyware Blaster.

I am currently running Kaspersky's Online Scanner and will shorty run the DSS. Thank you in advance to all those who have helped others with their obviously frustrating problems; they and I definitely appreciate all the knowledable advice, time, and dedication to being helpful computer dudes.....

BC AdBot (Login to Remove)

 


#2 zeero3

zeero3
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:05:26 PM

Posted 24 June 2008 - 11:44 PM

Since last post:

Have run combofix two times (first time the computer restarted during the process).

Will now provide Kaspersky log results as well as both DSS logs. HijackThis log is available on request, as well as ComboFix log.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, June 24, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, June 25, 2008 02:06:06
Records in database: 881648
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Owner\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics:
Files scanned: 61271
Threat name: 3
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 01:11:45


File name / Threat name / Threats count
C:\Program Files\HijackThis\backups\backup-20080621-230425-319.dll Infected: Trojan.Win32.Monder.zi 1
C:\WINDOWS\system32\hxrmvxte.dll Infected: Trojan.Win32.Monder.zi 1
C:\WINDOWS\system32\lmvylije.dll Infected: Trojan.Win32.Monder.zb 1
C:\WINDOWS\system32\xsetfaqa.dll Infected: Trojan.Win32.Monder.zb 1
C:\WINDOWS\system32\yrahehiq.dll Infected: Trojan.Win32.Monder.zg 1

The selected area was scanned.







Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-24 21:33:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
127: 2008-06-25 04:33:48 UTC - RP1049 - Deckard's System Scanner Restore Point
126: 2008-06-25 02:37:51 UTC - RP1048 - Installed Java™ 6 Update 6
125: 2008-06-25 00:05:09 UTC - RP1047 - ComboFix created restore point
124: 2008-06-24 16:34:09 UTC - RP1046 - Spyware Doctor: Cleaning Threats
123: 2008-06-24 07:24:37 UTC - RP1045 - Configured Quicken 2003 New User Edition


-- First Restore Point --
1: 2008-06-17 01:44:06 UTC - RP923 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-24 21:35:31
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system\hpsysdrv.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\jkos-Owner\binaries\ScanningProcess.exe
C:\Documents and Settings\Owner\Local Settings\Temp\jkos-Owner\binaries\ScanningProcess.exe
C:\Documents and Settings\Owner\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig?hl=en
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O15 - Trusted Zone: https://online.musicmatch.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: OpcEnum - Unknown owner - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe


--
End of file - 8275 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20080620-232433-240 O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
backup-20080620-232433-270 O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
backup-20080620-232433-343 O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
backup-20080620-232433-564 O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
backup-20080620-232433-907 O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
backup-20080620-232929-105 O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
backup-20080620-232929-113 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
backup-20080620-232929-121 O9 - Extra 'Tools' menuitem: Intertops Poker - {5706EACE-252A-4af9-AA8D-1F8813B50469} - C:\Program Files\Intertops Poker\IntertopsPoker.exe (file missing)
backup-20080620-232929-210 O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
backup-20080620-232929-231 O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
backup-20080620-232929-245 O9 - Extra button: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - C:\Program Files\PokerNow\PokerNow.exe (file missing)
backup-20080620-232929-256 O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
backup-20080620-232929-312 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
backup-20080620-232929-349 O3 - Toolbar: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
backup-20080620-232929-385 O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
backup-20080620-232929-398 O2 - BHO: (no name) - {80523873-D41B-46FC-8C33-ED5565D910EA} - C:\WINDOWS\system32\rqRHywwu.dll (file missing)
backup-20080620-232929-419 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
backup-20080620-232929-466 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
backup-20080620-232929-526 O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
backup-20080620-232929-574 O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20080620-232929-579 O2 - BHO: (no name) - {4B81B160-E76C-4C48-8F88-7C6342D833FC} - C:\WINDOWS\system32\wvUmljji.dll (file missing)
backup-20080620-232929-584 O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
backup-20080620-232929-626 O2 - BHO: (no name) - {70904518-1AE2-4B74-AB0A-6242CEEDC092} - (no file)
backup-20080620-232929-643 O2 - BHO: (no name) - {5001C5C3-F5E9-41DF-86BF-BBE20AFF8DA2} - C:\WINDOWS\system32\efcyATkJ.dll (file missing)
backup-20080620-232929-660 O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
backup-20080620-232929-718 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20080620-232929-722 O2 - BHO: (no name) - {57A52E74-004C-464B-96CC-4DFE5366EA02} - C:\WINDOWS\system32\wvUopOhF.dll (file missing)
backup-20080620-232929-724 O9 - Extra 'Tools' menuitem: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - C:\Program Files\PokerNow\PokerNow.exe (file missing)
backup-20080620-232929-729 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080620-232929-857 O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
backup-20080620-232929-877 O9 - Extra button: Intertops Poker - {5706EACE-252A-4af9-AA8D-1F8813B50469} - C:\Program Files\Intertops Poker\IntertopsPoker.exe (file missing)
backup-20080620-232929-896 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
backup-20080620-232929-904 O9 - Extra button: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - C:\Program Files\MultiPoker\MultiPoker.exe (file missing)
backup-20080620-232929-914 O2 - BHO: (no name) - {4B94CAA0-3F74-4B73-934E-DEA84B5FA4A0} - C:\WINDOWS\system32\fccAtQhF.dll (file missing)
backup-20080620-232929-926 O9 - Extra 'Tools' menuitem: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - C:\Program Files\MultiPoker\MultiPoker.exe (file missing)
backup-20080620-232929-936 O2 - BHO: (no name) - {2431144c-b1ad-408f-aeb5-15472a7abcdb} - (no file)
backup-20080620-232929-958 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080620-232929-959 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080620-232929-964 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20080620-232929-971 O4 - Global Startup: Norton Personal Firewall.lnk = C:\Program Files\Norton Personal Firewall\nisfirst.exe
backup-20080620-232929-974 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20080620-232929-981 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
backup-20080620-232929-989 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080620-232930-153 O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
backup-20080620-232930-994 O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Compone...EngineQuery.dll
backup-20080620-232931-306 O20 - Winlogon Notify: wvUopOhF - wvUopOhF.dll (file missing)
backup-20080620-234831-242 O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
backup-20080620-234831-597 O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
backup-20080620-234831-726 O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
backup-20080620-234831-732 O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
backup-20080620-234831-744 O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
backup-20080620-234831-775 O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
backup-20080620-234831-847 O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
backup-20080620-234831-864 O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
backup-20080621-032019-163 O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
backup-20080621-032019-182 O2 - BHO: (no name) - {4B94CAA0-3F74-4B73-934E-DEA84B5FA4A0} - (no file)
backup-20080621-032019-229 O2 - BHO: (no name) - {147749FC-C02E-4A84-AB1F-9CDB2CD81651} - C:\WINDOWS\system32\cbXQhfGY.dll (file missing)
backup-20080621-032019-310 O2 - BHO: (no name) - {80523873-D41B-46FC-8C33-ED5565D910EA} - (no file)
backup-20080621-032019-316 O2 - BHO: (no name) - {70904518-1AE2-4B74-AB0A-6242CEEDC092} - (no file)
backup-20080621-032019-359 O2 - BHO: (no name) - {4B81B160-E76C-4C48-8F88-7C6342D833FC} - (no file)
backup-20080621-032019-404 O2 - BHO: (no name) - {2431144c-b1ad-408f-aeb5-15472a7abcdb} - (no file)
backup-20080621-032019-449 O2 - BHO: (no name) - {5001C5C3-F5E9-41DF-86BF-BBE20AFF8DA2} - (no file)
backup-20080621-032019-505 O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
backup-20080621-032019-552 O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
backup-20080621-032019-648 O2 - BHO: (no name) - {57A52E74-004C-464B-96CC-4DFE5366EA02} - (no file)
backup-20080621-032019-665 O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
backup-20080621-032019-747 O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
backup-20080621-032019-810 O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
backup-20080621-032019-815 O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
backup-20080621-145917-636 O23 - Service: OpcEnum - Unknown owner - C:\WINDOWS\system32\OpcEnum.exe (file missing)
backup-20080621-215542-923 O4 - HKLM\..\RunOnce: [DeleteMe] "C:\WINDOWS\system32\cmd.exe" /c "C:\WINDOWS\Temp\DeleteMe.bat"
backup-20080621-222337-346 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
backup-20080621-225158-564 O4 - HKLM\..\Run: [540591f6] rundll32.exe "C:\WINDOWS\system32\pudavkud.dll",b
backup-20080621-225250-906 O4 - HKLM\..\Run: [BM5736a26a] Rundll32.exe "C:\WINDOWS\system32\lmvylije.dll",s
backup-20080621-230425-319 O2 - BHO: {4f968e79-06f3-97d8-f604-83722bba0fe1} - {1ef0abb2-2738-406f-8d79-3f6097e869f4} - C:\WINDOWS\system32\hxrmvxte.dll
backup-20080623-201003-724 O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
backup-20080623-204513-240 O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.com/srl_bin/sysreqlab3.cab
backup-20080623-204514-694 O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} -
backup-20080623-204515-171 O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} -
backup-20080623-204515-596 O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
backup-20080624-005452-719 O20 - Winlogon Notify: wvUopOhF - C:\WINDOWS\
backup-20080624-010353-104 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
backup-20080624-010354-382 O20 - Winlogon Notify: OPXPGina - C:\WINDOWS\

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 truecrypt - c:\windows\system32\drivers\truecrypt.sys <Not Verified; TrueCrypt Foundation; TrueCrypt>
R3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 SunkFilt (Alcor Micro Corp - 9360) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt>
R3 WinDriver6 - c:\windows\system32\drivers\windrvr6.sys <Not Verified; Jungo; WinDriver Device Driver>

S3 netrcacm (RCA USB Digital Cable Modem Driver) - c:\windows\system32\drivers\639563.sys <Not Verified; Thomson Inc.; RCA Digital Cable Modem>
S3 PCDRSRVC (PCDRSRVC - PCDR Kernel Mode Service Helper Driver) - c:\windows\system32\drivers\pcdrsrvc.sys (file missing)
S3 Sunkfiltp (HP && Alcor Micro Corp for Phison) - c:\windows\system32\drivers\sunkfiltp.sys (file missing)
S3 SymIM (Symantec Network Security Intermediate Filter Service) - c:\windows\system32\drivers\symim.sys (file missing)
S3 SymIMMP - c:\windows\system32\drivers\symim.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >

S4 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S4 omniserv (Softex OmniPass Service) - c:\program files\softex\omnipass\omniserv.exe (file missing)
S4 OpcEnum - c:\windows\system32\opcenum.exe (file missing)
S4 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {C671678C-82C1-43F3-D700-0049433E9A4B}
Description: WinDriver
Device ID: ROOT\JUNGO\0001
Manufacturer: Jungo
Name: WinDriver
PNP Device ID: ROOT\JUNGO\0001
Service: WinDriver6


-- Files created between 2008-05-24 and 2008-06-24 -----------------------------

2008-06-24 20:03:25 0 d-------- C:\Program Files\SpywareBlaster
2008-06-24 19:40:56 0 d-------- C:\WINDOWS\Sun
2008-06-24 19:40:55 0 d-------- C:\Documents and Settings\Owner\Application Data\Sun
2008-06-24 17:04:18 68096 --a------ C:\WINDOWS\zip.exe
2008-06-24 17:04:18 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-24 17:04:18 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-24 17:04:18 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-24 17:04:18 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-24 17:04:18 98816 --a------ C:\WINDOWS\sed.exe
2008-06-24 17:04:18 80412 --a------ C:\WINDOWS\grep.exe
2008-06-24 17:04:18 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-23 13:21:52 0 d-------- C:\Documents and Settings\Guest\Application Data\AVGTOOLBAR
2008-06-23 12:11:03 0 d-------- C:\Program Files\Spyware Doctor
2008-06-23 12:11:03 0 d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2008-06-23 12:00:40 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-22 21:34:01 0 d-------- C:\Program Files\Common Files\Java
2008-06-22 21:33:43 11534336 --a------ C:\Documents and Settings\Owner\ntuser.dat
2008-06-22 21:33:42 253952 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2008-06-21 10:15:00 0 d-------- C:\Program Files\RegCleaner
2008-06-20 23:00:09 0 d-------- C:\WINDOWS\system32\NtmsData
2008-06-20 13:52:25 0 d--h----- C:\$AVG8.VAULT$
2008-06-20 13:47:08 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-20 13:47:06 0 d-------- C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
2008-06-20 13:46:36 0 d-------- C:\Program Files\AVG
2008-06-20 13:46:34 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-20 13:36:36 99328 --a------ C:\WINDOWS\system32\hxrmvxte.dll
2008-06-20 13:33:36 79872 --a------ C:\WINDOWS\system32\pudavkud.dll
2008-06-20 13:30:42 90624 --a------ C:\WINDOWS\system32\yrahehiq.dll
2008-06-20 00:50:20 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-20 00:50:20 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-20 00:50:20 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-20 00:50:20 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-20 00:50:20 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-06-20 00:50:20 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-20 00:50:20 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-20 00:50:20 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-06-20 00:50:20 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-20 00:50:20 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-06-20 00:50:20 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-20 00:50:20 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-06-20 00:50:20 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-20 00:50:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-20 00:50:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-06-20 00:50:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-06-20 00:50:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-06-20 00:50:20 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-20 00:50:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2008-06-20 00:50:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-06-20 00:50:19 2068480 --a------ C:\Documents and Settings\Administrator\ntuser.dat
2008-06-20 00:21:00 0 d-------- C:\Program Files\Lavasoft
2008-06-20 00:20:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-19 18:52:31 90112 --a------ C:\WINDOWS\system32\xsetfaqa.dll
2008-06-19 13:14:05 90112 --a------ C:\WINDOWS\system32\lmvylije.dll
2008-06-18 22:27:47 691545 --a------ C:\WINDOWS\unins000.exe
2008-06-18 22:27:47 2543 --a------ C:\WINDOWS\unins000.dat
2008-06-04 12:21:17 0 d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-06-04 12:07:54 0 d-------- C:\NVIDIA
2008-06-04 12:00:48 0 d-------- C:\Program Files\SystemRequirementsLab


-- Find3M Report ---------------------------------------------------------------

2008-06-24 20:51:17 0 d-------- C:\Program Files\Poker Tracker V2
2008-06-24 19:39:57 0 d-------- C:\Program Files\Java
2008-06-24 09:26:53 0 d-------- C:\Program Files\Full Tilt Poker
2008-06-24 00:25:50 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-24 00:15:45 0 d-------- C:\Program Files\Symantec
2008-06-23 12:01:18 0 d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2008-06-23 11:58:04 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-22 22:53:41 0 d-------- C:\Program Files\Common Files
2008-06-22 22:28:14 0 d-------- C:\Documents and Settings\Owner\Application Data\WeatherBug
2008-06-20 23:00:05 0 d-------- C:\Program Files\Hewlett-Packard
2008-06-20 00:49:41 0 d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2008-06-19 17:35:57 0 d-------- C:\Program Files\Common Files\Nero
2008-06-16 18:37:02 0 d-------- C:\Program Files\palmOne
2008-05-24 04:11:04 0 d-------- C:\Program Files\PokerStars
2008-05-23 02:37:08 0 d-------- C:\Program Files\PokerEV
2008-05-21 18:07:32 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-21 18:05:08 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-03-29 21:01:20 96629 --a------ C:\WINDOWS\hpqins16.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
06/20/2008 01:47 PM 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [06/20/2008 01:47 PM 2050816]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 04:04 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [04/07/2003 07:07 AM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [09/13/2002 09:42 PM]
"nwiz"="nwiz.exe" [10/22/2006 12:22 PM C:\WINDOWS\system32\nwiz.exe]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [08/09/2003 12:27 PM]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [05/17/2007 02:45 PM]
"VX1000"="C:\WINDOWS\vVX1000.exe" [04/10/2007 02:46 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/20/2008 01:46 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/22/2006 12:22 PM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [06/10/2008 09:22 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [06/07/2005 01:58 PM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [03/25/2008 01:21 PM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 12:34 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4/23/2008 3:38:16 AM]
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [6/9/2004 2:16:08 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Inc Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DataViz Inc Messenger.lnk
backup=C:\WINDOWS\pss\DataViz Inc Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1134098829\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"C:\Program Files\Microsoft Money\System\mnyexpr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
"C:\Windows\Creator\Remind_XP.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
C:\Program Files\WildTangent\Apps\GameChannel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"omniserv"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea40caaf-082d-11dc-a803-0016b651a731}]
AutoRun\command- K:\LaunchU3.exe




-- End of Deckard's System Scanner: finished at 2008-06-24 21:37:28 ------------








Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.80GHz
CPU 1: Intel® Pentium® 4 CPU 2.80GHz
Percentage of Memory in Use: 40%
Physical Memory (total/avail): 1535.29 MiB / 920.48 MiB
Pagefile Memory (total/avail): 2156.72 MiB / 1247.42 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1916.82 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 143.48 GiB total, 26 GiB free.
D: is Fixed (FAT32) - 5.55 GiB total, 0.95 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD1600BB-22DWA0 - 149.05 GiB - 2 partitions
\PARTITION0 - Unknown - 5.56 GiB - D:
\PARTITION1 (bootable) - Installable File System - 143.48 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AntiVirusDisableNotify is set.

FW: Norton AntiVirus v15.5.0.23 (Symantec Corporation)
AV: AVG Anti-Virus Free v8.0 (AVG Technologies) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"="C:\\Program Files\\Real\\RealOne Player\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1134098829\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1134098829\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Wildtangent\\Cdacache\\B4538D2C-E5CB-4449-9FA5-BB2D8FA18FFF\\game.exe"="C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Wildtangent\\Cdacache\\B4538D2C-E5CB-4449-9FA5-BB2D8FA18FFF\\game.exe:*:Disabled:game"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\1134098829\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1134098829\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe:*:Enabled:LifeCam.exe"
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe:*:Enabled:LifeExp.exe"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.1_02\lib\ext\QTJava.zip
CLIENTNAME=Console
COLLECTIONID=COL5123
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PITTBOSS
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HMSERVER=https://h30083.www3.hp.com/wuss/servlet/WUSSServlet
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
ITEMID=dj-17724-8
LANG=1033
LM_LICENSE_FILE=C:\Modeltech_xe_starter\win32xoem\license.dat
LOGONSERVER=\\PITTBOSS
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
OSVER=winXPH
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;c:\Python22;C:\MATLAB_SV7\bin\win32;C:\Program Files\QuickTime\QTSystem;C:\Program Files\SSH Communications Security\SSH Secure Shell
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.1_02\lib\ext\QTJava.zip
SESSIONID=1079069635106wuws05-l1a9d1b:fbb7b27655:-73b7
SESSIONNAME=Console
SWUTVER=1.0.16.20030613
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TIMEOUT=0
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TOOLPATH=/C:\Program%20Files\HP\HP%20Software%20Update\install.htm
UPDATEDIR=C:\DOCUME~1\Owner\LOCALS~1\Temp\radC1A95.tmp
USERDOMAIN=PITTBOSS
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
VERSION=3.0.1
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (new local, admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uninstall.exe"
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Atmosphere Player for Acrobat and Adobe Reader --> C:\WINDOWS\atmoUn.exe
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
AutoHotkey 1.0.47.06 --> C:\Program Files\AutoHotkey\uninst.exe
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Canon Camera Access Library --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
Canon G.726 WMP-Decoder --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\G726Decoder\G726DecUnInstall.ini"
Canon MovieEdit Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\MVWUninst.ini"
Canon RAW Image Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon RemoteCapture Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities EOS Utility --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities PhotoStitch --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
Documents To Go --> MsiExec.exe /X{7723A0B8-23A2-454B-8831-99965558AECD}
Enhanced Multimedia Keyboard Solution --> C:\HP\KBD\Install.exe /u
Full Tilt Poker --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}\setup.exe" -l0x9
GdiplusUpgrade --> MsiExec.exe /I{5421155F-B033-49DB-9B33-8F80F233D4D5}
HijackThis 1.99.1 --> C:\Program Files\HijackThis\HijackThis.exe /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Deskjet 6500 --> msiexec /x{3D50E33F-0DB8-4E3B-B75C-2B872A33D87B}
HP Deskjet Preloaded Printer Drivers --> MsiExec.exe /X{F419D20A-7719-4639-8E30-C073A040D878}
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
iPod for Windows 2005-10-12 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D9F4A9F8-92C5-4289-9D04-F0F8F02D580A} /l1033
iPod for Windows 2006-03-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2070F79D-46BC-4EEA-8F02-9B4DCABAE7CB} /l1033
iPod Updater 2004-08-06 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2F8C106A-7DFC-45DE-8006-F9145AADF1D8} /l1033
iPod Updater 2004-11-15 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{06E73C0B-7DE7-4F41-860B-587033B75BD9} /l1033
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java 2 Runtime Environment, SE v1.4.1_02 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFCE5837-FC21-11D6-9D24-00010240CE95}\setup.exe" Anytext
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Linksys Wireless-G PCI Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4DDC3BED-CC68-44AA-B435-D727B620CA5B}\setup.exe" -l0x9
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LTspice/SwCADIII --> C:\Program Files\LTC\SwCADIII\scad3.exe -uninstall
MATLAB Student 7.0 --> C:\MATLAB_SV7\uninstall\uninstall.exe C:\MATLAB_SV7\
Memories Disc Creator 2.0 --> MsiExec.exe /X{2E132061-C78A-48D4-A899-1D13B9D189FA}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft LifeCam --> MsiExec.exe /X{63AFACBC-4795-4A1B-8037-5085DC03FC54}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! Digital Media Edition --> MsiExec.exe /I{C6A7AF96-4EB1-4AAE-8318-1AB393C64F88}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual J# .NET Redistributable Package 1.1 --> MsiExec.exe /X{1A655D51-1423-48A3-B748-8F5A0BE294C8}
Multimedia Card Reader --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{E05895C5-FE97-4334-8D73-B0089FD07CE3}
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85D3CC30-8859-481A-9654-FD9B74310BEF}\setup.exe" -l0x9 -uninst
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
NVIDIA Gart Driver --> C:\WINDOWS\System32\nvugart.exe Uninstall C:\WINDOWS\System32\Nvgart.nvu,NVIDIA Gart Driver
palmOne --> MsiExec.exe /X{E434580A-2D4A-4433-A81E-4BCAE86AD148}
PartyPoker --> "C:\PartyGaming\PartyPoker\Uninstall.exe" "C:\PartyGaming\PartyPoker\install.log"
Poker Tracker Version 2.04.00 --> "C:\Program Files\Poker Tracker V2\unins000.exe"
PokerAce Hud (remove only) --> "C:\Program Files\PokerAce Hud\uninstall.exe"
PokerEV --> MsiExec.exe /I{B0BD2B91-E114-4FE1-8544-36A2EEE89341}
PokerStars --> "C:\Program Files\PokerStars\PokerStarsUninstall.exe" /u:PokerStars
PokerStove version 1.21 --> "C:\Program Files\PokerStove\unins000.exe"
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
PSpice Student 9.1 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\OrCAD_Demo\DeIsL1.isu"
Python 2.2 combined Win32 extensions --> C:\Python22\Lib\SITE-P~1\UNWISE~1.EXE C:\Python22\Lib\SITE-P~1\w32inst.log
Python 2.2.1 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
S3Display --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Display'
S3Gamma2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Gamma2'
S3Info2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Info2'
S3Overlay --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Overlay'
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
SpamSubtract --> C:\PROGRA~1\INTERM~1\SPAMSU~1\UNWISE.EXE /U C:\PROGRA~1\INTERM~1\SPAMSU~1\INSTALL.LOG
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
Spyware Doctor 6.0 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
SpywareBlaster 4.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Symantec KB-DocID:2003093015493306 --> MsiExec.exe /I{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
The Tournament Director --> C:\Program Files\The Tournament Director\Uninstall.exe
toolkit --> c:\Windows\HPTK\unhptkit.exe
TrueCrypt --> C:\WINDOWS\TrueCrypt Setup.exe /u C:\Program Files\TrueCrypt
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
ViewSonic Monitor Drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B4FEA924-630D-11D4-B78E-005004566E4D}\Setup.exe" -l0x9
WeatherBug --> C:\PROGRA~1\AWS\WEATHE~1\REMOVE.EXE C:\PROGRA~1\AWS\WEATHE~1\INSTALL.LOG
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Driver Package - Realtek Semiconductor Corp. MEDIA 12/12/2003 5.10.00.5410 --> C:\WINDOWS\System32\DRVSTORE\DFx.DriverAssembly.cfb7d3fc0ab7f7a3133a6c25509eaf3479108975\DPInst.exe /u DFx.DriverAssembly.cfb7d3fc0ab7f7a3133a6c25509eaf3479108975
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type36817 / Error
Event Submitted/Written: 06/22/2008 11:09:29 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00018fea.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type36770 / Error
Event Submitted/Written: 06/21/2008 10:34:43 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16674, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type36768 / Error
Event Submitted/Written: 06/21/2008 10:29:41 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application explorer.exe, version 6.0.2900.3156, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type36681 / Error
Event Submitted/Written: 06/20/2008 10:45:49 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application UNWISE.EXE, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type36659 / Warning
Event Submitted/Written: 06/20/2008 10:12:49 PM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type129107 / Warning
Event Submitted/Written: 06/24/2008 09:03:46 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type129106 / Error
Event Submitted/Written: 06/24/2008 08:50:42 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type129105 / Error
Event Submitted/Written: 06/24/2008 08:50:40 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type129104 / Error
Event Submitted/Written: 06/24/2008 08:50:38 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type129103 / Error
Event Submitted/Written: 06/24/2008 08:50:36 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.



-- End of Deckard's System Scanner: finished at 2008-06-24 21:37:28 ------------

#3 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:03:26 AM

Posted 25 June 2008 - 01:17 PM

Hello Zeero3 and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu..
  • Click the Clear now button below.. A new window will popup what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

3. Download ComboFix to your Desktop.

Please visit this webpage for instructions on running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first (not for Windows Vista users !).
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. (WinXP SP3 users, please download the appropriate SP2 file, Home or Pro, to install the RC)

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#4 zeero3

zeero3
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:05:26 PM

Posted 25 June 2008 - 03:15 PM

Thanks Thunder for taking my case. The order I did everything was MBAM, ComboFix, HijackThis and the logs are in that order.


Malwarebytes' Anti-Malware 1.18
Database version: 891

12:37:41 PM 6/25/2008
mbam-log-6-25-2008 (12-37-41).txt

Scan type: Quick Scan
Objects scanned: 43028
Time elapsed: 6 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\lmvylije.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xsetfaqa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.















ComboFix 08-06-20.4 - Owner 2008-06-25 12:51:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.922 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-05-25 to 2008-06-25 )))))))))))))))))))))))))))))))
.

2008-06-25 12:29 . 2008-06-25 12:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-25 12:29 . 2008-06-25 12:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-25 12:29 . 2008-06-25 12:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-25 12:29 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-25 12:29 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-24 22:29 . 2008-06-24 22:29 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-24 22:29 . 2008-06-24 22:29 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-24 21:32 . 2008-06-24 21:32 <DIR> d-------- C:\Deckard
2008-06-24 20:03 . 2008-06-24 20:03 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-24 19:40 . 2008-06-24 19:40 <DIR> d-------- C:\WINDOWS\Sun
2008-06-24 19:39 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-23 13:21 . 2008-06-23 13:30 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\AVGTOOLBAR
2008-06-23 12:11 . 2008-06-25 01:45 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-23 12:11 . 2008-06-23 12:11 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2008-06-23 12:11 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-06-23 12:11 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-06-23 12:11 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-23 12:11 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-06-23 12:00 . 2008-06-23 12:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-22 21:34 . 2008-06-22 21:34 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-21 10:15 . 2008-06-21 10:43 <DIR> d-------- C:\Program Files\RegCleaner
2008-06-20 23:00 . 2008-06-20 23:00 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-06-20 22:15 . 2003-08-23 05:53 0 --a------ C:\autoexec.bak
2008-06-20 13:52 . 2008-06-25 12:36 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-20 13:47 . 2008-06-25 09:08 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-20 13:47 . 2008-06-20 22:42 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
2008-06-20 13:47 . 2008-06-20 13:47 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-20 13:47 . 2008-06-20 13:47 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-20 13:47 . 2008-06-20 13:47 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-20 13:46 . 2008-06-20 13:46 <DIR> d-------- C:\Program Files\AVG
2008-06-20 13:46 . 2008-06-20 13:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-20 13:36 . 2008-06-20 13:36 99,328 --a------ C:\WINDOWS\system32\hxrmvxte.dll
2008-06-20 13:30 . 2008-06-20 13:30 90,624 --a------ C:\WINDOWS\system32\yrahehiq.dll
2008-06-20 00:50 . 2003-08-23 07:34 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-20 00:50 . 2003-08-28 20:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-20 00:50 . 2003-08-23 07:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-06-20 00:50 . 2003-08-23 20:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-06-20 00:50 . 2003-08-28 20:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2008-06-20 00:50 . 2008-06-23 12:02 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-20 00:21 . 2008-06-20 00:21 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-20 00:20 . 2008-06-20 00:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-18 23:35 . 2008-06-20 13:29 543 --a------ C:\WINDOWS\wininit.ini
2008-06-18 22:27 . 2008-06-18 22:25 691,545 --a------ C:\WINDOWS\unins000.exe
2008-06-18 22:27 . 2008-06-18 22:27 2,543 --a------ C:\WINDOWS\unins000.dat
2008-06-04 12:21 . 2008-06-04 12:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-06-04 12:09 . 2008-06-25 12:14 88,566 --a------ C:\WINDOWS\system32\nvapps.xml
2008-06-04 12:08 . 2006-10-22 15:06 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-06-04 12:08 . 2006-10-22 12:22 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-06-04 12:08 . 2006-10-22 12:22 17,056 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-06-04 12:07 . 2008-06-04 12:07 <DIR> d-------- C:\NVIDIA
2008-06-04 12:00 . 2008-06-04 12:00 <DIR> d-------- C:\Program Files\SystemRequirementsLab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-25 19:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-25 10:20 --------- d-----w C:\Program Files\Poker Tracker V2
2008-06-25 10:05 --------- d-----w C:\Program Files\Full Tilt Poker
2008-06-25 02:39 --------- d-----w C:\Program Files\Java
2008-06-24 07:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-24 07:15 --------- d-----w C:\Program Files\Symantec
2008-06-23 19:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-06-23 18:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-23 05:28 --------- d-----w C:\Documents and Settings\Owner\Application Data\WeatherBug
2008-06-21 17:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-21 06:13 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-21 06:13 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-21 06:13 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-21 06:13 10,563 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-21 06:00 --------- d-----w C:\Program Files\Hewlett-Packard
2008-06-20 07:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\Symantec
2008-06-20 00:35 --------- d-----w C:\Program Files\Common Files\Nero
2008-06-20 00:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-06-19 05:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-19 05:32 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-17 01:37 --------- d-----w C:\Program Files\palmOne
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-24 11:11 --------- d-----w C:\Program Files\PokerStars
2008-05-23 09:37 --------- d-----w C:\Program Files\PokerEV
2008-05-22 01:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-22 01:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-05-16 18:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-29 18:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 18:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 18:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-28 07:55 --------- d-----w C:\Documents and Settings\Guest\Application Data\Symantec
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2005-06-07 13:58 1339392]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-25 13:21 50528]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 07:07 114688]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 21:42 212992]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-09 12:27 139264]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 14:45 279912]
"VX1000"="C:\WINDOWS\vVX1000.exe" [2007-04-10 14:46 709992]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-20 13:46 1177368]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-06-10 21:22 1163656]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 07:11:14 27136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:16:08 471040]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Inc Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DataViz Inc Messenger.lnk
backup=C:\WINDOWS\pss\DataViz Inc Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2005-11-02 20:01 50792 C:\Program Files\Common Files\AOL\1134098829\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a--c--- 2005-05-10 17:04 11776 C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
C:\Program Files\Microsoft Money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a--c--- 2003-06-17 18:13 118784 C:\Windows\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a--c--- 2003-02-13 08:01 155648 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
C:\Program Files\WildTangent\Apps\GameChannel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"omniserv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1134098829\\ee\\aolsoftware.exe"=
"C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Wildtangent\\Cdacache\\B4538D2C-E5CB-4449-9FA5-BB2D8FA18FFF\\game.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\1134098829\\ee\\aim6.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-20 13:47]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-20 13:46]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-20 13:46]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-20 13:47]
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-05-17 14:45]
R3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2007-04-10 14:46]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea40caaf-082d-11dc-a803-0016b651a731}]
\Shell\AutoRun\command - K:\LaunchU3.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - GTNDIS5
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-25 12:54:51
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-06-25 13:00:36
ComboFix-quarantined-files.txt 2008-06-25 19:59:32
ComboFix2.txt 2008-06-25 00:34:51
ComboFix3.txt 2008-06-25 00:29:27

Pre-Run: 27,737,075,712 bytes free
Post-Run: 27,724,300,288 bytes free

222 --- E O F --- 2008-06-24 01:47:16















Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:11 PM, on 6/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\palmOne\Hotsync.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 6423 bytes

#5 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:03:26 AM

Posted 25 June 2008 - 04:38 PM

Excellent Zeero3 :thumbsup:

Let's clean up some more :

Open Notepad - don't use any other texteditor than Notepad or the script will fail !
Copy/paste the bold, blue text below into an empty notepad window:http://www.bleepingcomputer.com/forums/t/154130/virtumonde-ms-juan-and-friends/
Collect::[9]
C:\WINDOWS\system32\hxrmvxte.dll
C:\WINDOWS\system32\yrahehiq.dll

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of the Combofix log in your next reply, as well as a fresh HijackThislog.

When CF finishes running, the ComboFix log will open along with a message box, --do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open.
Simply follow the instructions to copy/paste/send the requested file [9]-Submit_Date_Time.zip.

Are you still having problems ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#6 zeero3

zeero3
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:05:26 PM

Posted 25 June 2008 - 06:47 PM

Hey Thunder...

I followed those steps and submitted the file to bleepingcomputer.

Here are the new ComboFix and HJT logs. I feel like the computer is getting closer to being "clean" and I have you to thank for that :thumbsup: !!!

A few quick questions:

In the HJT log, the first four lines are new, and I distinctly remember actually letting Spybot S&D's TeaTimer add the top three "R1" lines to the registry (I don't remember adding the "R0" line, but do recognize it's very new). They were requested during this process and that's the reason why I allowed the change. Also, I see I've been trying to rid myself of dll files such as those w/ random letter/numbers that used to be a part of the O20 lines (remember seeing this earlier when trying to fix), and there was a file called "pudavkud.dll" along with the others. During this process AVG Anti-Virus detected that file and it was removed, just want you to be aware of that fact during this process.

And in the ComboFix log I'm seeing many lines of startup registry for programs that have been uninstalled in the past week. Should I be trying to go in the registry and clean those lines out, or is that unnecessary at this point and in general? Being that they're in the startup registry?

Well here are the ComboFix and HJT logs. I can't thank you enough for your help: THANK YOU!!!







ComboFix 08-06-20.4 - Owner 2008-06-25 16:06:20.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.956 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\hxrmvxte.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-25 to 2008-06-25 )))))))))))))))))))))))))))))))
.

2008-06-25 12:29 . 2008-06-25 12:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-25 12:29 . 2008-06-25 12:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-25 12:29 . 2008-06-25 12:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-25 12:29 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-25 12:29 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-24 22:29 . 2008-06-24 22:29 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-24 22:29 . 2008-06-24 22:29 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-24 21:32 . 2008-06-24 21:32 <DIR> d-------- C:\Deckard
2008-06-24 20:03 . 2008-06-24 20:03 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-24 19:40 . 2008-06-24 19:40 <DIR> d-------- C:\WINDOWS\Sun
2008-06-24 19:39 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-23 13:21 . 2008-06-23 13:30 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\AVGTOOLBAR
2008-06-23 12:11 . 2008-06-25 01:45 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-23 12:11 . 2008-06-23 12:11 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2008-06-23 12:11 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-06-23 12:11 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-06-23 12:11 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-23 12:11 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-06-23 12:00 . 2008-06-23 12:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-22 21:34 . 2008-06-22 21:34 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-21 10:15 . 2008-06-21 10:43 <DIR> d-------- C:\Program Files\RegCleaner
2008-06-20 23:00 . 2008-06-20 23:00 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-06-20 22:15 . 2003-08-23 05:53 0 --a------ C:\autoexec.bak
2008-06-20 13:52 . 2008-06-25 14:53 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-20 13:47 . 2008-06-25 09:08 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-20 13:47 . 2008-06-20 22:42 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
2008-06-20 13:47 . 2008-06-20 13:47 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-20 13:47 . 2008-06-20 13:47 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-20 13:47 . 2008-06-20 13:47 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-20 13:46 . 2008-06-20 13:46 <DIR> d-------- C:\Program Files\AVG
2008-06-20 13:46 . 2008-06-20 13:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-20 00:50 . 2003-08-23 07:34 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-20 00:50 . 2003-08-28 20:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-20 00:50 . 2003-08-23 07:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-06-20 00:50 . 2003-08-23 20:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-06-20 00:50 . 2003-08-28 20:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2008-06-20 00:50 . 2008-06-23 12:02 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-20 00:21 . 2008-06-20 00:21 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-20 00:20 . 2008-06-20 00:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-18 23:35 . 2008-06-20 13:29 543 --a------ C:\WINDOWS\wininit.ini
2008-06-18 22:27 . 2008-06-18 22:25 691,545 --a------ C:\WINDOWS\unins000.exe
2008-06-18 22:27 . 2008-06-18 22:27 2,543 --a------ C:\WINDOWS\unins000.dat
2008-06-04 12:21 . 2008-06-04 12:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-06-04 12:09 . 2008-06-25 12:14 88,566 --a------ C:\WINDOWS\system32\nvapps.xml
2008-06-04 12:08 . 2006-10-22 15:06 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-06-04 12:08 . 2006-10-22 12:22 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-06-04 12:08 . 2006-10-22 12:22 17,056 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-06-04 12:07 . 2008-06-04 12:07 <DIR> d-------- C:\NVIDIA
2008-06-04 12:00 . 2008-06-04 12:00 <DIR> d-------- C:\Program Files\SystemRequirementsLab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-25 23:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-25 23:00 --------- d-----w C:\Program Files\Poker Tracker V2
2008-06-25 22:58 --------- d-----w C:\Program Files\Full Tilt Poker
2008-06-25 02:39 --------- d-----w C:\Program Files\Java
2008-06-24 07:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-24 07:15 --------- d-----w C:\Program Files\Symantec
2008-06-23 19:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-06-23 18:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-23 05:28 --------- d-----w C:\Documents and Settings\Owner\Application Data\WeatherBug
2008-06-21 17:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-21 06:13 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-21 06:13 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-21 06:13 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-21 06:13 10,563 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-21 06:00 --------- d-----w C:\Program Files\Hewlett-Packard
2008-06-20 07:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\Symantec
2008-06-20 00:35 --------- d-----w C:\Program Files\Common Files\Nero
2008-06-20 00:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-06-19 05:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-19 05:32 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-17 01:37 --------- d-----w C:\Program Files\palmOne
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-24 11:11 --------- d-----w C:\Program Files\PokerStars
2008-05-23 09:37 --------- d-----w C:\Program Files\PokerEV
2008-05-22 01:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-22 01:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-05-16 18:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-29 18:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 18:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 18:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-28 07:55 --------- d-----w C:\Documents and Settings\Guest\Application Data\Symantec
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2005-06-07 13:58 1339392]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-25 13:21 50528]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 07:07 114688]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 21:42 212992]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-09 12:27 139264]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 14:45 279912]
"VX1000"="C:\WINDOWS\vVX1000.exe" [2007-04-10 14:46 709992]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-20 13:46 1177368]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-06-10 21:22 1163656]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 07:11:14 27136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:16:08 471040]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Inc Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DataViz Inc Messenger.lnk
backup=C:\WINDOWS\pss\DataViz Inc Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2005-11-02 20:01 50792 C:\Program Files\Common Files\AOL\1134098829\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a--c--- 2005-05-10 17:04 11776 C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
C:\Program Files\Microsoft Money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a--c--- 2003-06-17 18:13 118784 C:\Windows\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a--c--- 2003-02-13 08:01 155648 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
C:\Program Files\WildTangent\Apps\GameChannel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"omniserv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1134098829\\ee\\aolsoftware.exe"=
"C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Wildtangent\\Cdacache\\B4538D2C-E5CB-4449-9FA5-BB2D8FA18FFF\\game.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\1134098829\\ee\\aim6.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-20 13:47]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-20 13:46]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-20 13:46]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-20 13:47]
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-05-17 14:45]
R3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2007-04-10 14:46]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea40caaf-082d-11dc-a803-0016b651a731}]
\Shell\AutoRun\command - K:\LaunchU3.exe

*Newly Created Service* - GTNDIS5
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-25 16:10:49
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-25 16:13:07
ComboFix-quarantined-files.txt 2008-06-25 23:12:50
ComboFix2.txt 2008-06-25 20:00:38
ComboFix3.txt 2008-06-25 00:34:51
ComboFix4.txt 2008-06-25 00:29:27

Pre-Run: 27,843,493,888 bytes free
Post-Run: 27,830,284,288 bytes free

228 --- E O F --- 2008-06-24 01:47:16















Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:08 PM, on 6/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\vVX1000.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 6456 bytes

#7 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:03:26 AM

Posted 26 June 2008 - 04:20 AM

Hello Zeero3,

Your logs look fine now,
no more active malware to be seen. :thumbsup:

In the HJT log, the first four lines are new, and I distinctly remember actually letting Spybot S&D's TeaTimer add the top three "R1" lines to the registry (I don't remember adding the "R0" line, but do recognize it's very new). They were requested during this process and that's the reason why I allowed the change.

ComboFix resets some settings to standard installation values.
You can change those settings any time you want.

Also, I see I've been trying to rid myself of dll files such as those w/ random letter/numbers that used to be a part of the O20 lines (remember seeing this earlier when trying to fix), and there was a file called "pudavkud.dll" along with the others. During this process AVG Anti-Virus detected that file and it was removed, just want you to be aware of that fact during this process.

AVG should have been disabled. At that moment ComboFix would have taken out that file as well.
Now it's probably in the Quarantine folder of AVG, where you can delete it, no harm done.

And in the ComboFix log I'm seeing many lines of startup registry for programs that have been uninstalled in the past week. Should I be trying to go in the registry and clean those lines out, or is that unnecessary at this point and in general? Being that they're in the startup registry?

Some info in the ComboFix log is merely indicative !
fi. all HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ lines refer to applications you've disabled through Msconfig.
If you want to remove aspects of removed programs, I'd advise you to limit this to a file/folder search in Windows Explorer,
but leave the registry as it is, unless you are really skilled in registry manipulation.

Any other problems left ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#8 zeero3

zeero3
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:05:26 PM

Posted 26 June 2008 - 03:27 PM

The computer is DEFINITELY more stable now, and keeping it that way and running smoothly is now a higher priority.

The only problems I see is when I run AVG. I'm getting hundreds of "warnings" of adware. All warnings are found in the "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{random hexadecimals}" folder. I ran Spyware Doctor and no threats were found. So other than those warnings and a few scarce "trojan" infections found by AVG while computer is running overnight, I don't see much else...

THANK YOU Thunder.

#9 zeero3

zeero3
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:05:26 PM

Posted 26 June 2008 - 07:27 PM

I let the computer sit for a few hours and ran Ad-Aware. Ad-Aware found "Tracking Cookies" in c:\documents&settings\owner\cookies\index.dat. It also found "MRU Object" in c:\documents&settings\owner\recent. The only reason I bring this up is because these same two warnings have come up the past week every time I run Ad-Aware. Also, while letting the computer sit, AVG's background detected 7 incidents of "Trojan Horse Generic10.ASDY" inside of c:\system volume information\_restore and one incident of "Trojan Horse Generic10.ASRA" inside c:\programfiles\hjt\backups\backup.

So, all in all, these are the only things I'm seeing. Spybot S&D no longer detects the original "Virtumonde.dll" that was always reoccuring.

#10 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:03:26 AM

Posted 27 June 2008 - 03:29 AM

Hello Zeero3,

I let the computer sit for a few hours and ran Ad-Aware. Ad-Aware found "Tracking Cookies" in c:\documents&settings\owner\cookies\index.dat. It also found "MRU Object" in c:\documents&settings\owner\recent. The only reason I bring this up is because these same two warnings have come up the past week every time I run Ad-Aware.

Tracking cookies are not really a threat, and are often necessary to ensure you can open certain sites without errors.
You can clean them out from time to time in IE through Control Panel > Internet Options > General

Also, while letting the computer sit, AVG's background detected 7 incidents of "Trojan Horse Generic10.ASDY" inside of c:\system volume information\_restore and one incident of "Trojan Horse Generic10.ASRA" inside c:\programfiles\hjt\backups\backup.

You can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste next command in the field:ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
This will take care of those leftovers.

I'm getting hundreds of "warnings" of adware. All warnings are found in the "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{random hexadecimals}" folder.

Please have AVG delete these reg keys, and make sure you empty the Quarantaine folder of AVG afterwards.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#11 zeero3

zeero3
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:05:26 PM

Posted 27 June 2008 - 05:40 PM

Here is one last ComboFix and HJT log.

After I post this, I will "ComboFix /u" like you said.

You've been a great help Thunder. My computer and I thank you. If anything weird happens I'll post it up, or if you see something out of the ordinary in one of these logs give me a holler. THANK YOU!!!

:) :thumbup2: :spacer: :spacer: :thumbsup:









ComboFix 08-06-20.4 - Owner 2008-06-27 15:13:15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1100 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-05-27 to 2008-06-27 )))))))))))))))))))))))))))))))
.

2008-06-25 12:29 . 2008-06-25 12:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-25 12:29 . 2008-06-25 12:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-25 12:29 . 2008-06-25 12:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-25 12:29 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-25 12:29 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-24 22:29 . 2008-06-24 22:29 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-24 22:29 . 2008-06-24 22:29 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-24 21:32 . 2008-06-24 21:32 <DIR> d-------- C:\Deckard
2008-06-24 20:03 . 2008-06-26 13:25 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-24 19:40 . 2008-06-24 19:40 <DIR> d-------- C:\WINDOWS\Sun
2008-06-24 19:39 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-23 13:21 . 2008-06-23 13:30 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\AVGTOOLBAR
2008-06-23 12:11 . 2008-06-26 05:16 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-23 12:11 . 2008-06-23 12:11 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2008-06-23 12:11 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-06-23 12:11 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-06-23 12:11 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-23 12:11 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-06-23 12:00 . 2008-06-23 12:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-22 21:34 . 2008-06-22 21:34 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-21 10:15 . 2008-06-21 10:43 <DIR> d-------- C:\Program Files\RegCleaner
2008-06-20 23:00 . 2008-06-20 23:00 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-06-20 22:15 . 2003-08-23 05:53 0 --a------ C:\autoexec.bak
2008-06-20 13:52 . 2008-06-27 14:30 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-20 13:47 . 2008-06-27 08:52 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-20 13:47 . 2008-06-20 22:42 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
2008-06-20 13:47 . 2008-06-20 13:47 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-20 13:47 . 2008-06-20 13:47 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-20 13:47 . 2008-06-20 13:47 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-20 13:46 . 2008-06-20 13:46 <DIR> d-------- C:\Program Files\AVG
2008-06-20 13:46 . 2008-06-20 13:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-20 00:50 . 2003-08-23 07:34 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-20 00:50 . 2003-08-28 20:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-20 00:50 . 2003-08-23 07:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-06-20 00:50 . 2003-08-23 20:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-06-20 00:50 . 2003-08-28 20:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2008-06-20 00:50 . 2008-06-23 12:02 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-20 00:21 . 2008-06-20 00:21 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-20 00:20 . 2008-06-20 00:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-18 23:35 . 2008-06-20 13:29 543 --a------ C:\WINDOWS\wininit.ini
2008-06-18 22:27 . 2008-06-18 22:25 691,545 --a------ C:\WINDOWS\unins000.exe
2008-06-18 22:27 . 2008-06-18 22:27 2,543 --a------ C:\WINDOWS\unins000.dat
2008-06-04 12:21 . 2008-06-04 12:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-06-04 12:09 . 2008-06-27 15:08 88,566 --a------ C:\WINDOWS\system32\nvapps.xml
2008-06-04 12:08 . 2006-10-22 15:06 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-06-04 12:08 . 2006-10-22 12:22 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-06-04 12:08 . 2006-10-22 12:22 17,056 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-06-04 12:07 . 2008-06-04 12:07 <DIR> d-------- C:\NVIDIA
2008-06-04 12:00 . 2008-06-04 12:00 <DIR> d-------- C:\Program Files\SystemRequirementsLab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-27 22:05 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-27 12:44 --------- d-----w C:\Program Files\Poker Tracker V2
2008-06-27 12:19 --------- d-----w C:\Program Files\Full Tilt Poker
2008-06-26 21:53 --------- d-----w C:\Documents and Settings\Owner\Application Data\ZoomBrowser EX
2008-06-26 21:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-06-26 05:34 --------- d-----w C:\Documents and Settings\Owner\Application Data\WeatherBug
2008-06-25 02:39 --------- d-----w C:\Program Files\Java
2008-06-24 07:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-24 07:15 --------- d-----w C:\Program Files\Symantec
2008-06-23 19:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-06-23 18:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-21 17:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-21 06:13 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-21 06:13 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-21 06:13 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-21 06:13 10,563 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-21 06:00 --------- d-----w C:\Program Files\Hewlett-Packard
2008-06-20 07:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\Symantec
2008-06-20 00:35 --------- d-----w C:\Program Files\Common Files\Nero
2008-06-20 00:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-06-19 05:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-19 05:32 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-17 01:37 --------- d-----w C:\Program Files\palmOne
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-24 11:11 --------- d-----w C:\Program Files\PokerStars
2008-05-23 09:37 --------- d-----w C:\Program Files\PokerEV
2008-05-22 01:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-22 01:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-05-16 18:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-29 18:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 18:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 18:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-28 07:55 --------- d-----w C:\Documents and Settings\Guest\Application Data\Symantec
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2005-06-07 13:58 1339392]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-25 13:21 50528]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 07:07 114688]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 21:42 212992]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-09 12:27 139264]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 14:45 279912]
"VX1000"="C:\WINDOWS\vVX1000.exe" [2007-04-10 14:46 709992]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-20 13:46 1177368]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 07:11:14 27136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:16:08 471040]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Inc Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DataViz Inc Messenger.lnk
backup=C:\WINDOWS\pss\DataViz Inc Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2005-11-02 20:01 50792 C:\Program Files\Common Files\AOL\1134098829\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a--c--- 2005-05-10 17:04 11776 C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
C:\Program Files\Microsoft Money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a--c--- 2003-06-17 18:13 118784 C:\Windows\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a--c--- 2003-02-13 08:01 155648 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
C:\Program Files\WildTangent\Apps\GameChannel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"omniserv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1134098829\\ee\\aolsoftware.exe"=
"C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Wildtangent\\Cdacache\\B4538D2C-E5CB-4449-9FA5-BB2D8FA18FFF\\game.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\1134098829\\ee\\aim6.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-20 13:47]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-20 13:47]
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-05-17 14:45]
R3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2007-04-10 14:46]
S2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-20 13:46]
S2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-20 13:46]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea40caaf-082d-11dc-a803-0016b651a731}]
\Shell\AutoRun\command - K:\LaunchU3.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 15:18:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-27 15:26:34
ComboFix-quarantined-files.txt 2008-06-27 22:25:54
ComboFix2.txt 2008-06-25 23:13:09
ComboFix3.txt 2008-06-25 20:00:38
ComboFix4.txt 2008-06-25 00:34:51
ComboFix5.txt 2008-06-25 00:29:27

Pre-Run: 27,609,870,336 bytes free
Post-Run: 27,595,796,480 bytes free

224 --- E O F --- 2008-06-24 01:47:16













Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:32:16 PM, on 6/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 5918 bytes

#12 zeero3

zeero3
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:05:26 PM

Posted 27 June 2008 - 10:26 PM

Hey Thunder, everything is smooth except for AVG's scan. I made sure to close AVG, and I ran ComboFix for the last time (as seen above) and uninstalled it. But what AVG finds everytime I scan it, even after uninstalling ComboFix, is troubling me. I find over 400 warnings every time. "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{random hexadecimals}" folder

#13 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:03:26 AM

Posted 28 June 2008 - 05:24 AM

Hello Zeero3,

Well, your logs look fine now. :thumbsup:

Doesn't AVG present an option to remove those ActiveX reg keys ?

If they still return, that's probably due to a bug in AVG which is flagging as "warnings" the files/objects that Spybot S&D has immunised.

I'm not sure if AVG fixed the bug yet.

In the interim, the way to go is to unimmunise in Spybot before you scan with AVG.
AVG will then not give you these warnings, and the above protections can be switched on again after the scan.

Not ideal, and it must be fixed by AVG, but short of uninstalling Spybot., it is probably the best way to go.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#14 zeero3

zeero3
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:05:26 PM

Posted 30 June 2008 - 05:40 PM

Hello Zeero3,

Well, your logs look fine now. :thumbsup:

Doesn't AVG present an option to remove those ActiveX reg keys ?

If they still return, that's probably due to a bug in AVG which is flagging as "warnings" the files/objects that Spybot S&D has immunised.

I'm not sure if AVG fixed the bug yet.

In the interim, the way to go is to unimmunise in Spybot before you scan with AVG.
AVG will then not give you these warnings, and the above protections can be switched on again after the scan.

Not ideal, and it must be fixed by AVG, but short of uninstalling Spybot., it is probably the best way to go.

Greetings,
Thunder



AVG does present an option to remove the ActiveX reg keys, but everytime I do, they just reappear the next time I scan my computer.

I have unimmunized Spybot, yet the warnings keep coming back.

Is there anything else I can do to rid myself of these warnings? If not, I guess it's no big deal as the computer is running fine.

#15 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:03:26 AM

Posted 01 July 2008 - 03:20 AM

Hello Zeero3,

I notice you're running Ad-Aware and Spyware Doctor as well ?? :thumbsup:

It's possible the settings of one of them is creating this odd behaviour in AVG as well.
On the other hand, running more than one antispyware program with active protection is not advisable,
but does bring PC performance down.

Please read this Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinlers tutorial on how malware is hidden and installed

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users