Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Vundo, Virtumonde And Winspy


  • This topic is locked This topic is locked
10 replies to this topic

#1 scstring

scstring

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:44 PM

Posted 07 July 2008 - 08:43 PM

Problems started on 7/6, I got blue wallpaper with yellow and blue box stating..."Warning! Spyware detected on your computer! Install an antivirus or spywarre remover to clean your computer."

I restarted the computer in safe mode, deleted the browsing history through IE, ran CA Antivirus, CA Spyware, SpySweeper, and SpyBot S&D and cleaned all the things they found. During all the scans, I got several BSOD. After that, I rebooted in normal mode and still have blue wallpaper.

Found your website and ran ATF Cleaner. Then ran Kaspersky and DSS scans. Here are the reports. Please help!!


Deckard's System Scanner v20071014.68
Run by Sharon on 2008-07-07 21:06:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
84: 2008-07-08 01:06:24 UTC - RP119 - Deckard's System Scanner Restore Point
83: 2008-07-07 21:52:33 UTC - RP118 - System Checkpoint
82: 2008-07-06 21:20:13 UTC - RP117 - System Checkpoint
81: 2008-07-05 21:03:08 UTC - RP116 - System Checkpoint
80: 2008-07-04 20:12:37 UTC - RP115 - System Checkpoint


-- First Restore Point --
1: 2008-04-09 08:00:31 UTC - RP36 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Sharon.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:00 PM, on 7/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\System32\hphmon06.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\lphcck7j0en0l.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Documents and Settings\Sharon\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Sharon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3BA3028F-FD37-46BF-AD27-733734684F06} - C:\WINDOWS\system32\ssqPiHYr.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPHUPD06] "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\System32\hphmon06.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [cafwc] "C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" -cl
O4 - HKLM\..\Run: [capfasem] "C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe"
O4 - HKLM\..\Run: [capfupgrade] "C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hpqSRMon] "C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe"
O4 - HKLM\..\Run: [lphcck7j0en0l] C:\WINDOWS\system32\lphcck7j0en0l.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1190984093671
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: ssqPiHYr - C:\WINDOWS\SYSTEM32\ssqPiHYr.dll
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8664 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 PCLEPCI - c:\windows\system32\drivers\pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
R3 ASAPIW2K - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; VOB Computersysteme GmbH; asapi>
R3 MarvinBus (Pinnacle Marvin Bus) - c:\windows\system32\drivers\marvinbus.sys <Not Verified; Pinnacle Systems GmbH; Pinnacle Marvin Discrete>

S3 bvrp_pci - c:\windows\system32\drivers\bvrp_pci.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 spkrmon - c:\program files\analog devices\soundmax\spkrmon.exe <Not Verified; ; spkrmon Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-02 03:36:31 516 --a------ C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Sharon at 11 50 AM.job
2008-07-01 13:00:07 516 --a------ C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Sharon at 12 00 PM.job


-- Files created between 2008-06-07 and 2008-07-07 -----------------------------

2008-07-07 21:09:02 0 d-------- C:\Program Files\Trend Micro
2008-07-07 11:10:28 60928 --a------ C:\WINDOWS\system32\blphcck7j0en0l.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-07-07 07:06:17 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-07-06 10:17:08 28800 --a------ C:\WINDOWS\system32\khfCuvtu.dll
2008-07-06 10:15:18 28800 --a------ C:\WINDOWS\system32\tuvTKCuS.dll
2008-07-06 10:15:06 0 d-------- C:\Program Files\VAV
2008-07-06 10:14:35 30720 --a------ C:\WINDOWS\Sys172.exe
2008-07-06 10:14:29 32256 --a------ C:\WINDOWS\Sys16F.exe
2008-07-06 10:14:28 30208 --a------ C:\WINDOWS\Sys171.exe
2008-07-06 10:14:20 31744 --a------ C:\WINDOWS\Sys170.exe
2008-07-06 10:14:16 28800 --a------ C:\WINDOWS\system32\yayyVoLE.dll
2008-07-06 10:13:38 28800 --a------ C:\WINDOWS\system32\qoMEvSiG.dll
2008-07-06 10:12:44 0 d-------- C:\Program Files\PCHealthCenter
2008-07-06 10:12:26 28800 --a------ C:\WINDOWS\system32\ssqNFXRL.dll
2008-07-06 10:11:06 28800 --a------ C:\WINDOWS\system32\ssqPiHYr.dll
2008-07-06 10:09:14 109056 --a------ C:\WINDOWS\system32\lphcck7j0en0l.exe
2008-06-09 21:14:45 107370 --a------ C:\WINDOWS\hpqins13.dat
2008-06-09 11:30:02 0 d-------- C:\Documents and Settings\Sharon\Application Data\HPAppData
2008-06-09 10:36:30 0 d-------- C:\Documents and Settings\All Users\Application Data\WEBREG
2008-06-09 10:19:11 0 d-------- C:\Documents and Settings\Sharon\Application Data\HP
2008-06-09 10:08:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-06-09 09:51:09 0 d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-06-09 09:51:09 0 d-------- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-06-09 09:49:41 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-06-09 09:46:33 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-06-09 09:42:26 7262 -----n--- C:\WINDOWS\hpomdl21.dat
2008-06-09 09:42:26 164296 --a------ C:\WINDOWS\hpoins21.dat


-- Find3M Report ---------------------------------------------------------------

2008-07-05 19:31:21 0 d-------- C:\Documents and Settings\Sharon\Application Data\Adobe
2008-07-01 02:10:32 0 d-------- C:\Program Files\Microsoft Silverlight
2008-06-09 09:51:06 0 d-------- C:\Program Files\HP
2008-06-09 09:49:41 0 d-------- C:\Program Files\Common Files
2008-06-09 09:49:01 0 d-------- C:\Program Files\Common Files\HP
2008-04-08 06:59:59 164 --a------ C:\install.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
11/06/2007 01:50 AM 322880 --a------ C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3BA3028F-FD37-46BF-AD27-733734684F06}]
07/06/2008 10:11 AM 28800 --a------ C:\WINDOWS\system32\ssqPiHYr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}]
11/06/2007 01:50 AM 542016 --a------ C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [08/16/2007 11:19 PM]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [03/03/2008 12:51 PM]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [08/20/2007 02:36 PM]
"nwiz"="nwiz.exe" [07/28/2003 04:19 PM C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="RUNDLL32.exe" [08/04/2004 12:56 AM C:\WINDOWS\system32\rundll32.exe]
"HPHUPD06"="C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [06/07/2004 12:53 AM]
"HPHmon06"="C:\WINDOWS\System32\hphmon06.exe" [06/07/2004 12:42 AM]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe" [04/06/2004 06:28 AM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [05/12/2004 03:18 PM]
"NvMediaCenter"="RUNDLL32.exe" [08/04/2004 12:56 AM C:\WINDOWS\system32\rundll32.exe]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [05/21/2008 10:44 PM]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [05/21/2008 10:44 PM]
"@"="" []
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [05/21/2008 10:44 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/20/2007 06:19 PM]
"hpqSRMon"="C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe" [03/13/2008 09:34 AM]
"lphcck7j0en0l"="C:\WINDOWS\system32\lphcck7j0en0l.exe" [07/06/2008 10:09 AM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 08:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [03/15/2007 06:16 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\digital imaging\bin\hpqtra08.exe [10/14/2007 8:38:52 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3BA3028F-FD37-46BF-AD27-733734684F06}"= C:\WINDOWS\system32\ssqPiHYr.dll [07/06/2008 10:11 AM 28800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 05/18/2007 02:30 PM 79368 C:\WINDOWS\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqPiHYr]
ssqPiHYr.dll 07/06/2008 10:11 AM 28800 C:\WINDOWS\system32\ssqPiHYr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebrootSpySweeperService"=2 (0x2)
"SymAppCore"=2 (0x2)
"Symantec Core LC"=3 (0x3)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate Notice Ex"=2 (0x2)
"LiveUpdate"=3 (0x3)
"ISPwdSvc"=3 (0x3)
"comHost"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8781 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-07 21:18:15 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.80GHz
CPU 1: Intel® Pentium® 4 CPU 2.80GHz
Percentage of Memory in Use: 45%
Physical Memory (total/avail): 1535 MiB / 838.53 MiB
Pagefile Memory (total/avail): 2923.28 MiB / 2360.07 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1936.08 MiB

C: is Fixed (NTFS) - 74.47 GiB total, 50.7 GiB free.
D: is Removable (No Media)
E: is CDROM (No Media)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD800BB-75CAA0 - 74.5 GiB - 2 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 74.47 GiB - C:

\\.\PHYSICALDRIVE1 - HP Photosmart C7200 USB Device



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is disabled.

FW: CA Personal Firewall v9.1.0.37 (CA)
AV: CA Anti-Virus v8.4.0.28 (CA, Inc.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox"
"C:\\Program Files\\HP\\digital imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\digital imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\digital imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\digital imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\digital imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\digital imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\digital imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\digital imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\digital imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\digital imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\digital imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\digital imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\digital imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\digital imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\digital imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\digital imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\digital imaging\\bin\\hpiscnapp.exe"="C:\\Program Files\\HP\\digital imaging\\bin\\hpiscnapp.exe:*:Enabled:hpiscnapp.exe"
"C:\\Program Files\\HP\\digital imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\digital imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Sharon\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=OFFICE-PC
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Sharon
LOGONSERVER=\\OFFICE-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Pinnacle\Shared Files;C:\Program Files\Pinnacle\Shared Files\Filter
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Sharon\LOCALS~1\Temp
TMP=C:\DOCUME~1\Sharon\LOCALS~1\Temp
USERDOMAIN=OFFICE-PC
USERNAME=Sharon
USERPROFILE=C:\Documents and Settings\Sharon
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Sharon (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Yahoo!\Yahoo! Music Jukebox\oggcodecs\uninst.exe
--> C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
32 Bit HP CIO Components Installer --> MsiExec.exe /I{09BDEEF0-5590-457D-89A9-5DB2742F9BBF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
CA Internet Security Suite --> "C:\Program Files\CA\CA Internet Security Suite\caunst.exe" /u
Conexant D850 56K V.9x DFVc Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Dell AIO Printer A920 --> C:\WINDOWS\System32\spool\drivers\w32x86\3\DLBKUN5C.EXE -dDell AIO Printer A920
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Direct Show Ogg Vorbis Filter (remove only) --> "C:\WINDOWS\system32\OggDSuninst.exe"
DiscAPI --> MsiExec.exe /X{A77F3C2D-50CC-4A29-A1FB-1E018BE4DCA2}
Downloader for SHARP Electronic Organizer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EECAE5C0-F511-11D3-BC44-0040264306F5}\setup.exe"
Drivers Install For Linksys Easylink Advisor --> MsiExec.exe /I{A1960A82-DB70-474D-A86B-FA74466103C6}
eFax Messenger 4.3 --> C:\Program Files\eFax Messenger 4.3\Uninstall.exe
FaxTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\Setup.exe" -l0x9 ControlPanel
HP Customer Participation Program 10.0 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Image Zone 4.0 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Imaging Device Functions 10.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart All-In-One Driver Software 10.0 Rel .2 --> C:\Program Files\HP\Digital Imaging\{20B30DC1-E423-4939-B51D-05C58B0F9BBB}\setup\hpzscr01.exe -datfile hposcr21.dat -onestop
HP Photosmart Essential 3.0 --> C:\Program Files\HP\Digital Imaging\PhotoSmartEssential\hpzscr01.exe -datfile hpqbud13.dat -forcereboot
HP Smart Web Printing --> C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpzscr01.exe -datfile hpqbud15.dat
HP Solution Center 10.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Unload DLL Patch --> MsiExec.exe /X{595D0DE8-C38A-4432-B851-47DECC1A99BD}
HP Update --> MsiExec.exe /X{11B83AD3-7A46-4C2E-A568-9505981D4C6F}
Intel® PRO Network Connections Drivers --> Prounstl.exe
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Linksys EasyLink Advisor 1.6 (0032) --> rundll32 C:\PROGRA~1\LINKSY~1\AUInst.dll,ExUninstall
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Office 2000 SR-1 Disc 2 --> MsiExec.exe /I{00040409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2000 SR-1 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OCR Software by I.R.I.S. 10.0 --> C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat
OpenOffice.org 2.3 --> MsiExec.exe /I{83C03FBE-4492-4133-BBAB-421CD88ADA32}
PC Software for YO-520 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Sharp\PC Software\Uninst.isu"
Photosmart 320,370,7400,8100,8400 Series --> C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\setup\hpzscr01.exe -datfile hphscr01.dat
Pinnacle Hollywood FX for Studio --> C:\WINDOWS\unvise32.exe C:\Program Files\Pinnacle\Hollywood FX for Studio\6.0\uninstal.log
Pinnacle Instant DVD Recorder --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF781A5C-58F5-4BFD-87F9-E4F14D382F25}\setup.exe" -l0x9 UNINSTALL
proDAD Heroglyph 2.0 --> "C:\Program Files\proDAD\Heroglyph-2.0\uninstall.exe" uninstall spcp PATHVERSION 2.0 MAINNAME Heroglyph
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
RAPID --> MsiExec.exe /X{EEECE229-49F6-4851-A73A-99B058221F8C}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Shop for HP Supplies --> C:\Program Files\HP\Digital Imaging\HPSSupply\hpzscr01.exe -datfile hpqbud16.dat
SmartSound Quicktracks Plugin --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Studio 10 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3CB05291-F546-458E-A796-B5BCF5A3CDC4}\Setup.exe" -l0x9 UNINSTALL
Studio 10 Bonus DVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6A012D9C-2E2E-405A-B87C-E909F5297C3F}\Setup.exe" -l0x9 UNINSTALL
The Digital Arts and Crafts Studio --> MsiExec.exe /I{983338D4-D972-4C58-AA6D-B81445070451}
ViewSonic Monitor Drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B4FEA924-630D-11D4-B78E-005004566E4D}\Setup.exe" -l0x9
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
WordPerfect Office 11 --> MsiExec.exe /I{54F90B55-BEB3-4F0D-8802-228822FA5921}
XML Paper Specification Shared Components Pack 1.0 -->
Yahoo! Music Jukebox --> MsiExec.exe /X{EC3B8CA2-49B8-4D38-BE9C-ABD0F6029168}


-- Application Event Log -------------------------------------------------------

Event Record #/Type7753 / Success
Event Submitted/Written: 07/07/2008 01:55:41 PM
Event ID/Source: 88 / UmxAgent
Event Description:
Sync client C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe registered successfully

Event Record #/Type7752 / Success
Event Submitted/Written: 07/07/2008 01:55:28 PM
Event ID/Source: 88 / UmxAgent
Event Description:
Shell is started at session 0

Event Record #/Type7751 / Success
Event Submitted/Written: 07/07/2008 01:55:28 PM
Event ID/Source: 88 / UmxAgent
Event Description:
explorer.exe started

Event Record #/Type7750 / Success
Event Submitted/Written: 07/07/2008 01:55:28 PM
Event ID/Source: 88 / UmxAgent
Event Description:
explorer.exe started

Event Record #/Type7748 / Success
Event Submitted/Written: 07/07/2008 01:54:24 PM
Event ID/Source: 88 / UmxAgent
Event Description:
Async Process Map: ReadProcessesFromKmxCfg: count=19



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2868 / Error
Event Submitted/Written: 07/07/2008 01:56:49 PM
Event ID/Source: 7011 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.

Event Record #/Type2859 / Error
Event Submitted/Written: 07/07/2008 01:56:09 PM / 07/07/2008 01:56:10 PM
Event ID/Source: 7022 / Service Control Manager
Event Description:
The HP CUE DeviceDiscovery Service service hung on starting.

Event Record #/Type2840 / Error
Event Submitted/Written: 07/07/2008 11:09:44 AM
Event ID/Source: 7011 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.

Event Record #/Type2831 / Error
Event Submitted/Written: 07/07/2008 11:09:00 AM
Event ID/Source: 7022 / Service Control Manager
Event Description:
The HP CUE DeviceDiscovery Service service hung on starting.

Event Record #/Type2826 / Error
Event Submitted/Written: 07/07/2008 11:06:10 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}



-- End of Deckard's System Scanner: finished at 2008-07-07 21:18:15 ------------

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, July 7, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, July 07, 2008 22:25:24
Records in database: 923227
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 97301
Threat name: 13
Infected objects: 24
Suspicious objects: 0
Duration of the scan: 01:15:20


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Documents\My Documents\Financial\psm408se-stockdr.exe Infected: not-a-virus:AdWare.Win32.TimeSink 6
C:\Program Files\BTS Cleanup Utilities\HiJackThis\backups\backup-20070813-163820-405.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s 1
C:\Program Files\BTS Cleanup Utilities\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Program Files\BTS Cleanup Utilities\SmitfraudFix\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Program Files\PCHealthCenter\0.exe Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.z 1
C:\Program Files\PCHealthCenter\1.exe Infected: not-a-virus:FraudTool.Win32.Agent.p 1
C:\Program Files\PCHealthCenter\2.exe Infected: not-a-virus:FraudTool.Win32.Agent.o 1
C:\Program Files\PCHealthCenter\3.exe Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.x 1
C:\Program Files\PCHealthCenter\4.exe Infected: Trojan.Win32.Agent.tep 1
C:\Program Files\PCHealthCenter\5.exe Infected: not-a-virus:FraudTool.Win32.UltimateAntivirus.h 1
C:\Program Files\PCHealthCenter\5.exe Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.aa 1
C:\Program Files\virus rem tools\SDFix\backups\backups.zip Infected: not-a-virus:AdWare.Win32.Vapsup.la 1
C:\Program Files\virus rem tools\SDFix\backups\backups.zip Infected: Trojan-Downloader.Win32.Zlob.daf 1
C:\Program Files\virus rem tools\SDFix\backups\backups.zip Infected: Trojan-Downloader.Win32.Zlob.gen 1
C:\WINDOWS\Sys16F.exe Infected: not-a-virus:FraudTool.Win32.Agent.p 1
C:\WINDOWS\Sys170.exe Infected: not-a-virus:FraudTool.Win32.Agent.o 1
C:\WINDOWS\Sys171.exe Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.x 1
C:\WINDOWS\Sys172.exe Infected: Trojan.Win32.Agent.tep 1
C:\WINDOWS\system32\vav.cpl Infected: not-a-virus:FraudTool.Win32.UltimateAntivirus.h 1

The selected area was scanned.

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:44 AM

Posted 08 July 2008 - 07:07 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 scstring

scstring
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:44 PM

Posted 09 July 2008 - 01:10 PM

Thanks for your help. I am posting the Combofix and HiJackthis logs. I still have blue wallpaper, but the yellow and blue "spyware" box is gone. Windows updates downloaded this morning, but have not installed yet. Should I be worried about them or is it ok to install after computer is clean? I've been getting many CA Anti-Virus Infection Alerts popping up, alway for win32/vundo.AAT. Also, Spy Sweeper pop up said it blocked access to antivirusxp2008.com.


ComboFix 08-07-07.3 - Sharon 2008-07-09 13:21:16.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.920 [GMT -4:00]
Running from: C:\Documents and Settings\Sharon\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\PCHealthCenter
C:\Program Files\PCHealthCenter\0.exe
C:\Program Files\PCHealthCenter\0.gif
C:\Program Files\PCHealthCenter\1.exe
C:\Program Files\PCHealthCenter\1.gif
C:\Program Files\PCHealthCenter\2.exe
C:\Program Files\PCHealthCenter\2.gif
C:\Program Files\PCHealthCenter\3.exe
C:\Program Files\PCHealthCenter\3.gif
C:\Program Files\PCHealthCenter\4.exe
C:\Program Files\PCHealthCenter\5.exe
C:\Program Files\PCHealthCenter\sex1.ico
C:\Program Files\PCHealthCenter\sex2.ico
C:\Program Files\VAV
C:\WINDOWS\system32\blphcck7j0en0l.scr
C:\WINDOWS\system32\lphcck7j0en0l.exe
C:\WINDOWS\system32\phcck7j0en0l.bmp

.
((((((((((((((((((((((((( Files Created from 2008-06-09 to 2008-07-09 )))))))))))))))))))))))))))))))
.

2008-07-07 21:09 . 2008-07-07 21:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-07 21:05 . 2008-07-07 21:05 <DIR> d-------- C:\Deckard
2008-07-07 07:06 . 2008-07-07 07:06 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-07-06 10:17 . 2008-07-06 10:17 28,800 --a------ C:\WINDOWS\system32\khfCuvtu.dll
2008-07-06 10:16 . 2008-07-03 17:09 117,760 --a------ C:\WINDOWS\system32\vav.cpl
2008-07-06 10:15 . 2008-07-06 10:15 28,800 --a------ C:\WINDOWS\system32\tuvTKCuS.dll
2008-07-06 10:14 . 2008-07-03 20:14 32,256 --a------ C:\WINDOWS\Sys16F.exe
2008-07-06 10:14 . 2008-07-03 20:14 31,744 --a------ C:\WINDOWS\Sys170.exe
2008-07-06 10:14 . 2008-07-03 20:14 30,720 --a------ C:\WINDOWS\Sys172.exe
2008-07-06 10:14 . 2008-07-03 20:14 30,208 --a------ C:\WINDOWS\Sys171.exe
2008-07-06 10:14 . 2008-07-06 10:14 28,800 --a------ C:\WINDOWS\system32\yayyVoLE.dll
2008-07-06 10:13 . 2008-07-06 10:13 28,800 --a------ C:\WINDOWS\system32\qoMEvSiG.dll
2008-07-06 10:12 . 2008-07-06 10:12 28,800 --a------ C:\WINDOWS\system32\ssqNFXRL.dll
2008-07-06 10:11 . 2008-07-06 10:11 28,800 --a------ C:\WINDOWS\system32\ssqPiHYr.dll
2008-06-19 16:53 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-18 09:26 . 2008-07-01 07:13 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-18 09:26 . 2008-06-18 09:26 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-09 21:14 . 2008-06-09 21:27 107,370 --a------ C:\WINDOWS\hpqins13.dat
2008-06-09 11:30 . 2008-07-09 13:05 <DIR> d-------- C:\Documents and Settings\Sharon\Application Data\HPAppData
2008-06-09 11:11 . 2008-06-09 10:35 165,049 --------- C:\WINDOWS\hpoins21.dat.temp
2008-06-09 11:11 . 2008-02-13 05:18 7,262 --------- C:\WINDOWS\hpomdl21.dat.temp
2008-06-09 10:36 . 2008-06-09 10:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WEBREG
2008-06-09 10:19 . 2008-06-24 12:48 <DIR> d-------- C:\Documents and Settings\Sharon\Application Data\HP
2008-06-09 10:08 . 2008-06-09 10:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-06-09 10:07 . 2007-12-06 19:55 271,704 -ra------ C:\WINDOWS\system32\hpzids01.dll
2008-06-09 10:07 . 2007-03-15 15:32 118,272 --a------ C:\WINDOWS\system32\hpz3l5ha.dll
2008-06-09 10:06 . 2007-11-01 07:28 970,752 -ra------ C:\WINDOWS\system32\hpotiop5.dll
2008-06-09 10:06 . 2007-11-01 07:28 729,088 -ra------ C:\WINDOWS\system32\hpowiax5.dll
2008-06-09 10:06 . 2007-11-01 07:28 364,544 -ra------ C:\WINDOWS\system32\hppldcoi.dll
2008-06-09 10:06 . 2007-11-01 07:28 309,760 -ra------ C:\WINDOWS\system32\difxapi.dll
2008-06-09 10:06 . 2007-11-01 07:28 303,104 -ra------ C:\WINDOWS\system32\hpovst12.dll
2008-06-09 09:51 . 2008-06-09 09:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-06-09 09:51 . 2008-06-24 12:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-06-09 09:49 . 2008-06-09 09:49 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-06-09 09:46 . 2008-06-09 09:47 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-06-09 09:42 . 2008-06-09 11:11 164,296 --a------ C:\WINDOWS\hpoins21.dat
2008-06-09 09:42 . 2008-02-13 05:18 7,262 --------- C:\WINDOWS\hpomdl21.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-09 17:33 80,970 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2008-07-09 17:33 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2008-07-09 17:33 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2008-07-09 17:33 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2008-07-09 17:33 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2008-07-09 17:33 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2008-07-09 17:33 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2008-07-09 17:33 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2008-07-01 06:10 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-09 13:51 --------- d-----w C:\Program Files\HP
2008-06-09 13:49 --------- d-----w C:\Program Files\Common Files\HP
2008-06-04 11:01 880,560 ----a-w C:\WINDOWS\system32\drivers\vetefile.sys
2008-06-04 11:01 108,368 ----a-w C:\WINDOWS\system32\drivers\veteboot.sys
2008-05-22 02:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3BA3028F-FD37-46BF-AD27-733734684F06}]
2008-07-06 10:11 28800 --a------ C:\WINDOWS\system32\ssqPiHYr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 18:16 454784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-16 23:19 177416]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2008-03-03 12:51 14088]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 14:36 230664]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"HPHUPD06"="C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 00:53 49152]
"HPHmon06"="C:\WINDOWS\System32\hphmon06.exe" [2004-06-07 00:42 659456]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe" [2004-04-06 06:28 172032]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 18:14 81920]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-05-21 22:44 1193224]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-05-21 22:44 173320]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-05-21 22:44 259336]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-20 18:19 98304]
"hpqSRMon"="C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 09:34 81920]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]
"nwiz"="nwiz.exe" [2003-07-28 16:19 323584 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\digital imaging\bin\hpqtra08.exe [2007-10-14 20:38:52 214360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{3BA3028F-FD37-46BF-AD27-733734684F06}"= "C:\WINDOWS\system32\ssqPiHYr.dll" [2008-07-06 10:11 28800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 14:30 79368 C:\WINDOWS\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqPiHYr]
2008-07-06 10:11 28800 C:\WINDOWS\system32\ssqPiHYr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebrootSpySweeperService"=2 (0x2)
"SymAppCore"=2 (0x2)
"Symantec Core LC"=3 (0x3)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate Notice Ex"=2 (0x2)
"LiveUpdate"=3 (0x3)
"ISPwdSvc"=3 (0x3)
"comHost"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"C:\\Program Files\\HP\\digital imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\digital imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\digital imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\digital imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\digital imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\digital imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\digital imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\digital imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\digital imaging\\bin\\hpiscnapp.exe"=
"C:\\Program Files\\HP\\digital imaging\\bin\\hpqkygrp.exe"=

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2007-10-18 11:24]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2007-05-18 14:30]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2007-05-18 14:30]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2007-10-18 15:21]
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2007-10-18 11:24]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2007-11-02 13:09]
R2 UmxAgent;HIPS Event Manager;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2007-10-18 11:24]
R2 UmxCfg;HIPS Configuration Interpreter;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2007-10-18 11:24]
R2 UmxPol;HIPS Policy Manager;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2007-05-18 14:30]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2007-09-13 16:15]
R3 PPCtlPriv;PPCtlPriv;C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2007-08-16 22:10]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-07-02 07:36:31 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Sharon at 11 50 AM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
"2008-07-01 17:00:07 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Sharon at 12 00 PM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-lphcck7j0en0l - C:\WINDOWS\system32\lphcck7j0en0l.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-09 13:40:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ssqPiHYr.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\HP\digital imaging\bin\hpqste08.exe
C:\Program Files\HP\digital imaging\bin\hpqbam08.exe
C:\Program Files\HP\digital imaging\bin\hpqgpc01.exe
C:\Program Files\Webroot\Spy Sweeper\ssu.exe
.
**************************************************************************
.
Completion time: 2008-07-09 13:58:16 - machine was rebooted [Sharon]
ComboFix-quarantined-files.txt 2008-07-09 17:56:18

Pre-Run: 54,422,085,632 bytes free
Post-Run: 54,395,666,432 bytes free

226 --- E O F --- 2008-06-20 21:28:57


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:03:28 PM, on 7/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\System32\hphmon06.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3BA3028F-FD37-46BF-AD27-733734684F06} - C:\WINDOWS\system32\ssqPiHYr.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPHUPD06] "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\System32\hphmon06.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [cafwc] "C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" -cl
O4 - HKLM\..\Run: [capfasem] "C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe"
O4 - HKLM\..\Run: [capfupgrade] "C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hpqSRMon] "C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1190984093671
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: ssqPiHYr - C:\WINDOWS\SYSTEM32\ssqPiHYr.dll
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8739 bytes

#4 scstring

scstring
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:44 PM

Posted 09 July 2008 - 01:18 PM

I noticed when I posted the log that it says Windows XP recovery console was not installed. I followed the instructions for downloading if from MS website, put the file on the desktop and dragged it on top of hte combofix icon. Combofix launched, but I never got a message that the Recovery Console was installed. If I need it, please tell me what to do!

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:44 AM

Posted 09 July 2008 - 01:22 PM

Hi,

Should I be worried about them or is it ok to install after computer is clean?

Install them afterwards, once your computer is clean.

First of all... the first step required before you run it is to install the Recovery Console.
Read here how to do this with Combofix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

The reason why Recovery Console is recommended is because malware damages a lot and causes an instable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged. Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

Once you've installed the Recovery Console and Combofix has run for a second time, then, * Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\khfCuvtu.dll
C:\WINDOWS\system32\vav.cpl
C:\WINDOWS\system32\tuvTKCuS.dll
C:\WINDOWS\Sys16F.exe
C:\WINDOWS\Sys170.exe
C:\WINDOWS\Sys172.exe
C:\WINDOWS\Sys171.exe
C:\WINDOWS\system32\yayyVoLE.dll
C:\WINDOWS\system32\qoMEvSiG.dll
C:\WINDOWS\system32\ssqNFXRL.dll
C:\WINDOWS\system32\ssqPiHYr.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3BA3028F-FD37-46BF-AD27-733734684F06}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{3BA3028F-FD37-46BF-AD27-733734684F06}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqPiHYr]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

You can restore your wallpaper by selecting another wallpaper again.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:44 AM

Posted 09 July 2008 - 01:23 PM

file on the desktop and dragged it on top of hte combofix icon. Combofix launched, but I never got a message that the Recovery Console was installed. If I need it, please tell me what to do!

Strange. Did you use the correct file? For XP Home edition? Can you try again? If it still doesn't install the Recovery Console, skip that part and proceed with the CFScript.

Edited by miekiemoes, 09 July 2008 - 01:24 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 scstring

scstring
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:44 PM

Posted 09 July 2008 - 03:33 PM

I was able to install the Recovery Console the second time. I thought it had already installed and closed ComboFix before scanning to shut down the firewall and antivirus programs. I was also able to change my wallpaper back!

I ran the CFScript and here are the ComboFix and the HijackThis log reports...

ComboFix 08-07-07.3 - Sharon 2008-07-09 15:38:07.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.988 [GMT -4:00]
Running from: C:\Documents and Settings\Sharon\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sharon\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\Sys16F.exe
C:\WINDOWS\Sys170.exe
C:\WINDOWS\Sys171.exe
C:\WINDOWS\Sys172.exe
C:\WINDOWS\system32\khfCuvtu.dll
C:\WINDOWS\system32\qoMEvSiG.dll
C:\WINDOWS\system32\ssqNFXRL.dll
C:\WINDOWS\system32\ssqPiHYr.dll
C:\WINDOWS\system32\tuvTKCuS.dll
C:\WINDOWS\system32\vav.cpl
C:\WINDOWS\system32\yayyVoLE.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Sys16F.exe
C:\WINDOWS\Sys170.exe
C:\WINDOWS\Sys171.exe
C:\WINDOWS\Sys172.exe
C:\WINDOWS\system32\khfCuvtu.dll
C:\WINDOWS\system32\qoMEvSiG.dll
C:\WINDOWS\system32\rqRlKayX.dll
C:\WINDOWS\system32\ssqNFXRL.dll
C:\WINDOWS\system32\ssqPiHYr.dll
C:\WINDOWS\system32\tuvTKCuS.dll
C:\WINDOWS\system32\vav.cpl
C:\WINDOWS\system32\XyaKlRqr.ini
C:\WINDOWS\system32\XyaKlRqr.ini2
C:\WINDOWS\system32\yayyVoLE.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-09 to 2008-07-09 )))))))))))))))))))))))))))))))
.

2008-07-07 21:09 . 2008-07-07 21:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-07 21:05 . 2008-07-07 21:05 <DIR> d-------- C:\Deckard
2008-07-07 07:06 . 2008-07-07 07:06 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-06-19 16:53 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-18 09:26 . 2008-07-01 07:13 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-18 09:26 . 2008-06-18 09:26 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-09 21:14 . 2008-06-09 21:27 107,370 --a------ C:\WINDOWS\hpqins13.dat
2008-06-09 11:30 . 2008-07-09 15:28 <DIR> d-------- C:\Documents and Settings\Sharon\Application Data\HPAppData
2008-06-09 11:11 . 2008-06-09 10:35 165,049 --------- C:\WINDOWS\hpoins21.dat.temp
2008-06-09 11:11 . 2008-02-13 05:18 7,262 --------- C:\WINDOWS\hpomdl21.dat.temp
2008-06-09 10:36 . 2008-06-09 10:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WEBREG
2008-06-09 10:19 . 2008-06-24 12:48 <DIR> d-------- C:\Documents and Settings\Sharon\Application Data\HP
2008-06-09 10:08 . 2008-06-09 10:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-06-09 10:07 . 2007-12-06 19:55 271,704 -ra------ C:\WINDOWS\system32\hpzids01.dll
2008-06-09 10:07 . 2007-03-15 15:32 118,272 --a------ C:\WINDOWS\system32\hpz3l5ha.dll
2008-06-09 10:06 . 2007-11-01 07:28 970,752 -ra------ C:\WINDOWS\system32\hpotiop5.dll
2008-06-09 10:06 . 2007-11-01 07:28 729,088 -ra------ C:\WINDOWS\system32\hpowiax5.dll
2008-06-09 10:06 . 2007-11-01 07:28 364,544 -ra------ C:\WINDOWS\system32\hppldcoi.dll
2008-06-09 10:06 . 2007-11-01 07:28 309,760 -ra------ C:\WINDOWS\system32\difxapi.dll
2008-06-09 10:06 . 2007-11-01 07:28 303,104 -ra------ C:\WINDOWS\system32\hpovst12.dll
2008-06-09 09:51 . 2008-06-09 09:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-06-09 09:51 . 2008-06-24 12:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-06-09 09:49 . 2008-06-09 09:49 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-06-09 09:46 . 2008-06-09 09:47 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-06-09 09:42 . 2008-06-09 11:11 164,296 --a------ C:\WINDOWS\hpoins21.dat
2008-06-09 09:42 . 2008-02-13 05:18 7,262 --------- C:\WINDOWS\hpomdl21.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-09 19:53 80,970 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2008-07-09 19:53 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2008-07-09 19:53 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2008-07-09 19:53 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2008-07-09 19:53 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2008-07-09 19:53 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2008-07-09 19:53 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2008-07-09 19:53 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2008-07-01 06:10 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-09 13:51 --------- d-----w C:\Program Files\HP
2008-06-09 13:49 --------- d-----w C:\Program Files\Common Files\HP
2008-06-04 11:01 880,560 ----a-w C:\WINDOWS\system32\drivers\vetefile.sys
2008-06-04 11:01 108,368 ----a-w C:\WINDOWS\system32\drivers\veteboot.sys
2008-05-22 02:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-09_13.49.05.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-09 17:33:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-09 19:54:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
- 2008-07-09 12:44:55 71,308 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-09 17:40:04 71,308 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-09 12:44:55 441,624 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-09 17:40:04 441,624 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 18:16 454784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-16 23:19 177416]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2008-03-03 12:51 14088]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 14:36 230664]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"HPHUPD06"="C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 00:53 49152]
"HPHmon06"="C:\WINDOWS\System32\hphmon06.exe" [2004-06-07 00:42 659456]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe" [2004-04-06 06:28 172032]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 18:14 81920]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-05-21 22:44 1193224]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-05-21 22:44 173320]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-05-21 22:44 259336]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-20 18:19 98304]
"hpqSRMon"="C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 09:34 81920]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]
"nwiz"="nwiz.exe" [2003-07-28 16:19 323584 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\digital imaging\bin\hpqtra08.exe [2007-10-14 20:38:52 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 14:30 79368 C:\WINDOWS\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebrootSpySweeperService"=2 (0x2)
"SymAppCore"=2 (0x2)
"Symantec Core LC"=3 (0x3)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate Notice Ex"=2 (0x2)
"LiveUpdate"=3 (0x3)
"ISPwdSvc"=3 (0x3)
"comHost"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"C:\\Program Files\\HP\\digital imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\digital imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\digital imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\digital imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\digital imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\digital imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\digital imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\digital imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\digital imaging\\bin\\hpiscnapp.exe"=
"C:\\Program Files\\HP\\digital imaging\\bin\\hpqkygrp.exe"=

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2007-10-18 11:24]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2007-05-18 14:30]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2007-05-18 14:30]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2007-10-18 15:21]
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2007-10-18 11:24]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2007-11-02 13:09]
R2 UmxAgent;HIPS Event Manager;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2007-10-18 11:24]
R2 UmxCfg;HIPS Configuration Interpreter;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2007-10-18 11:24]
R2 UmxPol;HIPS Policy Manager;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2007-05-18 14:30]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2007-09-13 16:15]
R3 PPCtlPriv;PPCtlPriv;C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2007-08-16 22:10]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-07-02 07:36:31 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Sharon at 11 50 AM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
"2008-07-01 17:00:07 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Sharon at 12 00 PM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-09 15:57:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Webroot\Spy Sweeper\ssu.exe
C:\Program Files\HP\digital imaging\bin\hpqste08.exe
C:\Program Files\HP\digital imaging\bin\hpqbam08.exe
C:\Program Files\HP\digital imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2008-07-09 16:09:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-09 20:07:21
ComboFix2.txt 2008-07-09 19:20:55
ComboFix3.txt 2008-07-09 17:58:30

Pre-Run: 56,407,289,856 bytes free
Post-Run: 56,269,885,440 bytes free

225 --- E O F --- 2008-06-20 21:28:57


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:24:50 PM, on 7/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\System32\hphmon06.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPHUPD06] "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\System32\hphmon06.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [cafwc] "C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" -cl
O4 - HKLM\..\Run: [capfasem] "C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe"
O4 - HKLM\..\Run: [capfupgrade] "C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hpqSRMon] "C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1190984093671
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8448 bytes

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:44 AM

Posted 09 July 2008 - 03:40 PM

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 scstring

scstring
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:44 PM

Posted 09 July 2008 - 07:40 PM

Everything is looking good again. No more pop up warnings. I rebooted and ran a spysweeper scan. It found 2 spy cookies (2o7.net and trafficmp) and CA spyware found 3 (KaZaA, Bifrost, and quantserve.com).

I have a couple of more questions...should I keep the ATF Cleaner? Is it for cleaning out your temp files, cookies, etc? I usually use the IE "delete browsing history", but that didn't seem to get everything.

Also, should I keep the Windows XP boot disk file that's now on my desktop? Can I copy it to a disk and have a bootable disk in case I need one?

Lastly, the windows update was for Windows Malicious Software Removal Tool, July 2008. (good timing!!) I have to accept a license agreement to install it. Is it any good? Will it help or should I not install this update?

Thanks so much for all your help. This is the first time I've used BleepingComputer, but I've been very happy with your help!! I hope I don't needhelp with this type of problem again, but if I do, I know where to go!!

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:44 AM

Posted 10 July 2008 - 12:05 AM

Hi,

Yes, you can keep ATFCleaner to clean temp/cookies.
You can delete the Windows XP boot disk file from your desktop since you installed the Recovery console already.

Yes, agree for the "Windows Malicious Software Removal Tool, July 2008".

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:44 AM

Posted 11 July 2008 - 02:53 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users