Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

pvmkpny.dll not a valid windows image


  • Please log in to reply
8 replies to this topic

#1 Torpedo01

Torpedo01

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:05 PM

Posted 01 May 2009 - 10:45 PM

I have two issues that I don't think are related.
1) I am getting the message "pvmkpny.dll is not a valid windows image".
2) I am getting the message when replying to an email - "A program is try to access e-mail addresses you have stored in Outlook".

I have run Spybot in safe mode and it removed 7 problems. When I ran it again it congratulated me on being clean, but I am still getting these messages above.

Here is my log-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:04:08 PM, on 5/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINNT\System32\alg.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Joanna Wright\My Documents\Safer Networking Tools\HiJackThis.exe
C:\WINNT\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
O1 - Hosts: 91.212.65.122 antiwareprotect.com
O1 - Hosts: 91.212.65.122 www.antiwareprotect.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.9.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: BHO - {ABD45510-9B22-41cd-9ACD-8182A2DA7C63} - C:\WINNT\system32\iehelper.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: (no name) - {B5CA83B0-32FC-4A8A-A4F6-F8A99B7AACB4} - c:\winnt\system32\mjuoxdr.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: CMSIEHlprObj Class - {F78FB3B6-93BF-4423-BE42-ED1D89D9F637} - C:\WINNT\system32\HawkWebFiller.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: HawkSoft - {D65F44C8-2F77-4a61-94CC-5D04FB902B78} - C:\WINNT\system32\HawkWebFiller.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.9.0\IEViewBar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CANON DR2580C SVC] rundll32.exe DR25SVC.dll,EntryPointUserMessage
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk.disabled
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Kodak software updater.lnk.disabled
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {037790A6-1576-11D6-903D-00105AABADD3} (Seagull Web-to-Host Control Module v3) - http://www.unigard.com/BZAgent/sglw2hcm.ocx
O16 - DPF: {03A89EFD-E023-9000-A22D-45F77558EB4C} (ILINCInstall9 Class) - https://content9.ilinc.com/download/AXCltInstall.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124126228484
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://quicksilver.mercuryinsurance.com/engine/isetup.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/instal...edsolutions.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://www.quotit.net/viewer/activeXViewer...tivexviewer.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup151.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/insta...cdetection3.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: mgwdhipp - C:\WINNT\SYSTEM32\mjuoxdr.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://www.unigard.com/UniGard/Images/Head.../ug_top_sky.jpg

--
End of file - 11482 bytes

BC AdBot (Login to Remove)

 


#2 peku006

peku006

    Malware Fighter


  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:02:05 AM

Posted 03 May 2009 - 01:45 PM

Hello and welcome to BleepingComputer

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:
  • I f you don't know or understand something please don't hesitate to ask
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Absence of symptoms does not mean that everything is clear.
1 - Download and Run ComboFix

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Here you can find a tutorial about Combofix: HOW TO USE COMBOFIX

IMPORTANT: combofix.exe MUST be on your Desktop for us to proceed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
  • Double click on ComboFix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Combofix should never take more that 20 minutes including the reboot if malware is detected.

2 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

3 - Status Check
Please reply with


1. the ComboFix log(C:\ComboFix.txt)
2. a fresh HijackThis log

Thanks peku006
Posted Image
Posted Image

#3 Torpedo01

Torpedo01
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:05 PM

Posted 04 May 2009 - 01:09 AM

I tried to disable Norton but the service has an error and I am unable to get it to turn off. Here are the logs requested. Thanks for your help.


ComboFix 09-05-03.1 - Joanna Wright 05/03/2009 21:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1263.772 [GMT -7:00]
Running from: c:\documents and settings\Joanna Wright\My Documents\Safer Networking Tools\ComboFix.exe
AV: Norton AntiVirus *On-access scanning enabled* (Updated)
FW: Norton AntiVirus *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\lowsec
c:\winnt\system32\lowsec\local.ds
c:\winnt\system32\lowsec\user.ds
c:\winnt\Tasks\At1.job
c:\winnt\Tasks\At2.job
c:\winnt\Tasks\At3.job
c:\winnt\system32\mjuoxdr.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Legacy_JUBNFXIV
-------\Service_Iprip
-------\Service_jubnfxiv


((((((((((((((((((((((((( Files Created from 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))))))
.

2009-05-01 04:15 . 2009-05-01 04:15 63712 ----a-w c:\documents and settings\Joanna Wright\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-17 20:17 . 2009-04-17 20:17 -------- d-----w c:\documents and settings\Joanna Wright\Application Data\AdobeUM
2009-04-17 19:59 . 2009-04-17 19:59 -------- d-----w c:\documents and settings\Joanna Wright\Local Settings\Application Data\Apple Computer
2009-04-17 19:59 . 2009-04-17 19:59 -------- d-----w c:\documents and settings\Joanna Wright\Application Data\Apple Computer
2009-04-15 16:27 . 2009-04-15 16:27 -------- d-----w c:\documents and settings\Joanna Wright\Local Settings\Application Data\Adobe
2009-04-15 06:37 . 2002-09-03 13:00 103424 ----a-w c:\temp\pvmkpny.dll
2009-04-15 05:51 . 2009-04-15 05:51 -------- d-----w c:\documents and settings\Joanna Wright\Local Settings\Application Data\AIM Toolbar
2009-04-15 05:51 . 2009-04-30 17:49 -------- d-----w c:\documents and settings\Joanna Wright\Local Settings\Application Data\Google
2009-04-15 05:51 . 2009-04-15 05:51 -------- d-----w c:\documents and settings\Joanna Wright\Local Settings\Application Data\Viewpoint
2009-04-15 05:44 . 2009-03-06 14:22 284160 -c----w c:\winnt\system32\dllcache\pdh.dll
2009-04-15 05:44 . 2009-02-09 12:10 401408 -c----w c:\winnt\system32\dllcache\rpcss.dll
2009-04-15 05:44 . 2009-02-06 11:11 110592 -c----w c:\winnt\system32\dllcache\services.exe
2009-04-15 05:44 . 2009-02-09 12:10 473600 -c----w c:\winnt\system32\dllcache\fastprox.dll
2009-04-15 05:44 . 2009-02-06 10:10 227840 -c----w c:\winnt\system32\dllcache\wmiprvse.exe
2009-04-15 05:44 . 2009-02-09 12:10 453120 -c----w c:\winnt\system32\dllcache\wmiprvsd.dll
2009-04-15 05:44 . 2009-02-09 12:10 729088 -c----w c:\winnt\system32\dllcache\lsasrv.dll
2009-04-15 05:44 . 2009-02-09 12:10 617472 -c----w c:\winnt\system32\dllcache\advapi32.dll
2009-04-15 05:44 . 2009-02-09 12:10 714752 -c----w c:\winnt\system32\dllcache\ntdll.dll
2009-04-15 05:42 . 2008-05-03 11:55 2560 ------w c:\winnt\system32\xpsp4res.dll
2009-04-15 05:42 . 2008-04-21 12:08 215552 -c----w c:\winnt\system32\dllcache\wordpad.exe
2009-04-15 05:03 . 2009-04-15 05:03 -------- d-----w c:\documents and settings\Joanna Wright\Application Data\HawkSoft
2009-04-15 05:02 . 2009-04-15 05:02 -------- d-----w c:\documents and settings\Joanna Wright\Local Settings\Application Data\Musicmatch
2009-04-14 15:40 . 2009-04-14 15:40 63712 ----a-w c:\documents and settings\ptartre\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-14 05:54 . 2009-04-15 03:33 -------- d-----w c:\temp\JoannaDocs
2009-04-14 05:03 . 2009-04-14 05:03 -------- d-----w c:\program files\Safer Networking
2009-04-13 20:33 . 2009-04-30 22:48 0 ----a-w c:\winnt\Ygudofe.bin
2009-04-13 20:33 . 2009-04-16 20:22 408 ----a-w c:\winnt\Ydiyubemo.dat
2009-04-09 21:08 . 2008-07-31 00:42 23888 ----a-w c:\winnt\system32\drivers\COH_Mon.sys
2009-04-09 20:55 . 2009-04-09 20:55 -------- d-----w c:\program files\NortonInstaller
2009-04-09 20:55 . 2009-04-09 20:55 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-04 04:41 . 2003-05-12 15:32 6 ---ha-w c:\winnt\Tasks\SA.DAT
2009-05-04 04:37 . 2002-09-03 13:00 103424 ----a-w c:\winnt\system32\pvmkpny.dll
2009-05-01 19:04 . 2003-07-15 17:17 -------- d-----w c:\program files\Quicksilver
2009-04-28 16:12 . 2007-01-28 01:47 572 ----a-w c:\winnt\Tasks\Norton AntiVirus - Run Full System Scan - Joanna Wright.job
2009-04-20 22:47 . 2003-07-15 17:17 1003520 ----a-w c:\winnt\system32\Al3Export.dll
2009-04-20 22:47 . 2003-07-15 17:17 712704 ----a-w c:\winnt\system32\AL3IMP.dll
2009-04-20 22:47 . 2003-07-15 17:17 5943296 ----a-w c:\winnt\system32\sfsPrint.dll
2009-04-20 22:46 . 2003-07-15 17:17 667648 ----a-w c:\winnt\system32\sfsSave.dll
2009-04-20 22:44 . 2006-09-14 00:36 880640 ----a-w c:\winnt\system32\PolicyObj.dll
2009-04-14 03:33 . 2003-06-24 21:28 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-14 03:31 . 2007-01-28 05:06 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-09 21:07 . 2007-01-27 22:20 -------- d-----w c:\program files\Norton AntiVirus
2009-04-09 21:05 . 2007-01-27 22:19 -------- d-----w c:\program files\Symantec
2009-04-09 21:05 . 2007-01-27 22:20 60808 ----a-w c:\winnt\system32\S32EVNT1.DLL
2009-04-09 21:05 . 2007-01-27 22:20 806 ----a-w c:\winnt\system32\drivers\SYMEVENT.INF
2009-04-09 21:05 . 2007-01-27 22:20 124464 ----a-w c:\winnt\system32\drivers\SYMEVENT.SYS
2009-04-09 21:05 . 2007-01-27 22:20 10635 ----a-w c:\winnt\system32\drivers\SYMEVENT.CAT
2009-04-07 16:52 . 2003-06-24 21:26 -------- d-----w c:\program files\Common Files\Adobe
2009-03-06 14:22 . 2002-09-03 13:00 284160 ----a-w c:\winnt\system32\pdh.dll
2009-03-03 00:18 . 2005-02-18 23:19 826368 ----a-w c:\winnt\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\winnt\system32\ieencode.dll
2009-02-09 12:10 . 2002-09-03 13:00 729088 ----a-w c:\winnt\system32\lsasrv.dll
2009-02-09 12:10 . 2005-04-24 21:13 401408 ----a-w c:\winnt\system32\rpcss.dll
2009-02-09 12:10 . 2002-09-03 13:00 714752 ----a-w c:\winnt\system32\ntdll.dll
2009-02-09 12:10 . 2002-09-03 13:00 617472 ----a-w c:\winnt\system32\advapi32.dll
2009-02-09 11:13 . 2002-09-03 13:00 1846784 ----a-w c:\winnt\system32\win32k.sys
2009-02-08 02:02 . 2002-08-29 01:04 2066048 ----a-w c:\winnt\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2002-09-03 13:00 110592 ----a-w c:\winnt\system32\services.exe
2009-02-06 11:08 . 2002-09-03 13:00 2189056 ----a-w c:\winnt\system32\ntoskrnl.exe
2009-02-06 10:39 . 2002-09-03 13:00 35328 ----a-w c:\winnt\system32\sc.exe
2009-02-03 19:59 . 2002-09-03 13:00 56832 ----a-w c:\winnt\system32\secur32.dll
2005-11-02 16:44 . 2005-11-02 16:44 1951432 ----a-w c:\program files\Power Point Viewer.exe
2004-03-04 21:11 . 2003-07-11 18:53 2317765 ----a-w c:\program files\UnigardAuto.exe
2004-03-04 21:09 . 2003-07-11 19:01 2239763 ----a-w c:\program files\UnigardHome.exe
2003-11-25 00:25 . 2003-11-18 02:00 1803848 ----a-w c:\program files\WINZIP ZIP FILES.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5CA83B0-32FC-4A8A-A4F6-F8A99B7AACB4}]
2002-09-03 13:00 103424 ----a-w c:\winnt\system32\mjuoxdr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 68856]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\winnt\System32\igfxtray.exe" [2003-03-11 155648]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [2003-03-11 114688]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-03-26 684032]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2006-01-19 110592]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-01-19 11776]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-30 282624]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2007-01-14 771704]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2007-11-13 8523776]
"NvMediaCenter"="c:\winnt\system32\NvMcTray.dll" [2007-11-13 81920]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"CANON DR2580C SVC"="DR25SVC.dll" - c:\winnt\system32\DR25SVC.dll [2007-01-12 131072]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk.disabled [2008-3-22 1820]
Kodak EasyShare software.lnk.disabled [2004-9-22 1803]
Kodak software updater.lnk.disabled [2004-9-22 1950]
WinZip Quick Pick.lnk.disabled [2003-11-24 1518]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Vsajugesavade"=rundll32.exe "c:\winnt\azixogapoga.dll",e
"nwiz"=nwiz.exe /install
"CANON DR2580C SVC"=rundll32.exe DR25SVC.dll,EntryPointUserMessage
"DR-2580CJobReader"="c:\program files\Canon Electronics\DR2580C\JobReader.exe" DR2580C.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\PROG\\BESD.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"49995:TCP"= 49995:TCP:Ives Remote Desktop Port

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 PCDRDRV;Pcdr Helper Driver; [x]
S0 zfqpnlrv;zfqpnlrv;c:\winnt\system32\drivers\zfqpnlrv.sys [2002-09-03 23424]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-09-08 24652]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-25 101936]


--- Other Services/Drivers In Memory ---

*Deregistered* - SimpTcp
*Deregistered* - SNMP
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - SymAppCore
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Viewpoint Manager Service
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2009-04-28 c:\winnt\Tasks\Norton AntiVirus - Run Full System Scan - Joanna Wright.job
- c:\program files\Norton AntiVirus\Navw32.exe [2007-01-14 09:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {037790A6-1576-11D6-903D-00105AABADD3} - hxxp://www.unigard.com/BZAgent/sglw2hcm.ocx
DPF: {03A89EFD-E023-9000-A22D-45F77558EB4C} - hxxps://content9.ilinc.com/download/AXCltInstall.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 21:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3620)
c:\winnt\system32\WPDShServiceObj.dll
c:\winnt\system32\PortableDeviceTypes.dll
c:\winnt\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\winnt\system32\drivers\KodakCCS.exe
c:\winnt\system32\nvsvc32.exe
c:\winnt\system32\tcpsvcs.exe
c:\winnt\system32\snmp.exe
c:\winnt\system32\rundll32.exe
c:\progra~1\MUSICM~1\MUSICM~1\MMDiag.exe
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2009-05-04 21:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-04 04:48

Pre-Run: 8,936,513,536 bytes free
Post-Run: 15,006,117,888 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

243 --- E O F --- 2009-04-29 17:48


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:28 PM, on 5/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\explorer.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\ComputerCleaningTools-PROD\Spyware Info\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.9.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: (no name) - {B5CA83B0-32FC-4A8A-A4F6-F8A99B7AACB4} - c:\winnt\system32\mjuoxdr.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: CMSIEHlprObj Class - {F78FB3B6-93BF-4423-BE42-ED1D89D9F637} - C:\WINNT\system32\HawkWebFiller.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: HawkSoft - {D65F44C8-2F77-4a61-94CC-5D04FB902B78} - C:\WINNT\system32\HawkWebFiller.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.9.0\IEViewBar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CANON DR2580C SVC] rundll32.exe DR25SVC.dll,EntryPointUserMessage
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk.disabled
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Kodak software updater.lnk.disabled
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {037790A6-1576-11D6-903D-00105AABADD3} (Seagull Web-to-Host Control Module v3) - http://www.unigard.com/BZAgent/sglw2hcm.ocx
O16 - DPF: {03A89EFD-E023-9000-A22D-45F77558EB4C} (ILINCInstall9 Class) - https://content9.ilinc.com/download/AXCltInstall.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124126228484
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://quicksilver.mercuryinsurance.com/engine/isetup.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/instal...edsolutions.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://www.quotit.net/viewer/activeXViewer...tivexviewer.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup151.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/insta...cdetection3.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://www.unigard.com/UniGard/Images/Head.../ug_top_sky.jpg

--
End of file - 11040 bytes

#4 peku006

peku006

    Malware Fighter


  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:02:05 AM

Posted 04 May 2009 - 02:24 AM

Hi Torpedo01

1 - Run CFScript

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Driver::
zfqpnlrv

File::
c:\winnt\Ygudofe.bin
c:\winnt\Ydiyubemo.dat
c:\winnt\system32\pvmkpny.dll
c:\winnt\system32\mjuoxdr.dll
c:\winnt\azixogapoga.dll
c:\winnt\system32\drivers\zfqpnlrv.sys

Folder::
c:\temp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5CA83B0-32FC-4A8A-A4F6-F8A99B7AACB4}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Vsajugesavade"=-


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2 - Download and Run Malwarebytes' Anti-Malware
  • Please download Malwarebytes' Anti-Malware and save it to a convenient location.
  • Double click on mbam-setup.exe to install it.
  • Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
    • Update Malwarebytes' Anti-Malware
      Launch Malwarebytes' Anti-Malware
  • Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
  • Select the Scanner tab. Click on Perform full scan, then click on Scan.
  • Leave the default options as it is and click on Start Scan.
  • When done, you will be prompted. Click OK, then click on Show Results.
  • Checked (ticked) all items except items in the System Volume Information folder and click on Remove Selected.

    Posted Image
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.
3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with


1. the ComboFix log(C:\ComboFix.txt)
2. the Malwarebytes' Anti-Malware Log
3. a fresh HijackThis log

Thanks peku006
Posted Image
Posted Image

#5 Torpedo01

Torpedo01
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:05 PM

Posted 06 May 2009 - 09:20 AM

Here you go with the replies. I have them as attachments since they are too long to go inline. Thanks again for your help.

Paul

Attached Files



#6 Torpedo01

Torpedo01
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:05 PM

Posted 06 May 2009 - 09:28 AM

One other thing is that I am still getting the message from Outlook when I create a new e-mail -

"A program is trying to access e-mail addresses you have stored in Outlook. Do you want to allow this? If this is unexpected, it may be a virus and you should choose No".

This doesn't happen on other computers we have when we try and send and email.

Paul

#7 peku006

peku006

    Malware Fighter


  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:02:05 AM

Posted 06 May 2009 - 12:41 PM

Hi Torpedo01

A program is trying to access e-mail addresses you have stored in Outlook

which program ?
Posted Image
Posted Image

#8 Torpedo01

Torpedo01
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:05 PM

Posted 06 May 2009 - 08:16 PM

I don't know what program is causing the message (I suspect a virus?), but it happens when I am in MS Outlook and I hit <New> to create a new email message. I don't get that message when I create a new email on a different machine only this one. Obviously the message worries me - if there is another program trying to access my address book.

Paul

#9 peku006

peku006

    Malware Fighter


  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:02:05 AM

Posted 07 May 2009 - 11:38 AM

Hi Paul
I do not think that the malware causes message, many others have the same problem, read here

but let us take a deeper look.

Please download OTScanIt2 from Geeks to Go by OldTimer. Alternate download site.
Save it to your desktop.
  • Double click on OTScanIt2.exe to run it.
  • Click on Extract. Once done, when prompted. Click OK and click Close.
    This is a self-extracting file...It will create a folder named OTScanIt2 on your desktop.
  • Double click on the OTScanIt2 folder to open... then double click on OTScanIt2.exe to run it.
  • Under Rookit Search, select Yes.
  • Click on Run Scan at the top left hand corner. It may take a few minutes...be patient, let it run.
  • When done, Notepad will open with the log file "OTScanIt.Txt" contents.
Please post the contents of the OTScanIt.Txt Notepad file in your next reply.

Thanks peku006

Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users