
Spyware Found?


  • This topic is locked
35 replies to this topic

#1 rflores88

rflores88

  • Members
  • 20 posts

Posted 19 May 2007 - 12:29 PM

My issue is an IE pop up (or new tab in FireFox) which redirects to winantiviruspro.....

here is my HJT log file:

Logfile of HijackThis v1.99.1
Scan saved at 10:23:50 AM, on 5/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Vongo\VongoService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\aifbdtps.dll",realset
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvcup.dll,startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe

Edited by rflores88, 19 May 2007 - 01:29 PM.



#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 20 May 2007 - 05:49 PM

Hello rflores88,

I am SifuMike and I will be helping you. :thumbsup:


Go to Start > Control Panel > Add or Remove Programs and remove the following programs (if found):
WinAntiVirus Pro 2007 <-- or any version of WinAntiVirus

Reboot your computer.

******************

You have some suspicious files we need to check.

You will need to configure Windows to show Hidden files.

Go to Jotti Online File Scanner, copy and paste C:\WINDOWS\system32\aifbdtps.dll into the upload box and scan it.

Repeat the above with this file
C:\WINDOWS\retadpu1000272.exe

Let me know the results.
Copy and paste the outputs to this thread

It should look something like this sample:

File: GoogleToolbarInstaller.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: CEXE

AntiVir No viruses found (0.15 seconds taken)
Avast No viruses found (1.51 seconds taken)
BitDefender No viruses found (0.97 seconds taken)
ClamAV No viruses found (0.39 seconds taken)
Dr.Web No viruses found (0.52 seconds taken)
F-Prot Antivirus No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus No viruses found (0.74 seconds taken)
mks_vir No viruses found (0.21 seconds taken)
NOD32 No viruses found (0.42 seconds taken)
Norman Virus Control No viruses found (0.40 seconds taken)


If Jotti scan is busy, Go to http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to the following files (do one at a time):
C:\WINDOWS\system32\aifbdtps.dll
C:\WINDOWS\retadpu1000272.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.

I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to an hour to reply.
You can copy/paste the results of scan results here.

******************

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.
******************
You will need to use Internet Explorer for this scan.
Disable your antivirus program and go here to run BitDefender Online Scan.
Click on I Agree.
Avoid clicking on other links as you don't need to try out the full install at this point, just the online scanner.

When the ActiveX Control has loaded, click on "Click here to scan".
Please be patient, as this scan may take a few hours. It all depends on the number of files on your computer.

NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat the BitDefender Online Scan.


When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.


******************

Download ATF (Atribune Temp File) Cleaner© by Atribune DO NOT run it yet.

Download and install AVG Anti-Spyware 7.5 (formerly Ewido)
This is a 30 day trial of the program

AVG Anti-Spyware is designed to be used to both scan for and remove malicious files and also to run in real-time alongside, but not replace, your existing anti-virus program to give an added layer of protection.
Both the Resident Shield and Automatic Updates will only be available for the thirty day trial period, after that AVG Anti-Spyware will revert to a stand-alone scanner which you can keep and manually update for free and use in a similar way to Ad-Aware SE Personal, Spybot S&D etc.


1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept the default installation path: C:\Program Files\AVG Anti-Spyware 7.5 and click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch ewido by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. You can select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. If you choose to do this, then right click on AVG antispyware in the system tray and uncheck "Start with Windows".
7. Select the "Update" button and click "Start update".
If you are having problems with the updater, manually update with the AVG Antispyware Full database installer from here.
8. Exit AVG Anti-Spyware 7.5 when done - DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method so Windows will start with minimal drivers and running processes.
To do this restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly.
A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

1.) Double-click the small BLUE Garbage Can ATF-Cleaner.exe file to run the program.
2.) At the top, under Main choose: Select All
3.) Click the Empty Selected button.

If you use the Firefox browser:
1.) At the top, click Firefox and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use the Opera browser:
1.) At the top, click Opera and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


Scan with AVG Anti-Spyware 7.5 as follows:

1. Launch AVG Anti-Spyware 7.5, click on the "Scanner" button and choose the "Settings" tab.

Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.

Under "How to Scan?" check all (default).

Under "Possibly unwanted software" check all (default).

Under "What to Scan?" make sure "Scan every file" is selected (default).

Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".

2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.

4. IMPORTANT : Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.

(1) Make sure that Set all elements to: shows Quarantine; if not, click on the link and choose Quarantine from the popup menu.
(2) At the bottom of the window click on the Apply all Actions button.
(3) When done, click the Save Scan Report button.
(4) Click the Save Report as button.
Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt.
Save to your desktop.
A copy of each report will also be saved in C:\Program Files\AVG Anti-Spyware 7.5\Reports\
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot to Normal Mode.




When done, submit the BitDefender log, the AVG Anti-Spyware 7.5 log and a fresh HijackThis log.

Edited by SifuMike, 20 May 2007 - 05:53 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
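A defender-side triage of the O4 autostart entries the helper singled out above, written as an added example for this thread (it is not HijackThis code and not something the helper posted). It encodes the signals acted on in the log: a rundll32-loaded DLL with an unfamiliar name in system32, and an executable dropped directly into C:\WINDOWS with a long opaque hex argument, plus two cheap extra checks. The allow-lists are constructed for this sample only, and the sample lines are copied from the posted log.

```python
r"""Triage HijackThis O4 (Run-key autostart) entries.

Added example for this thread; it is neither HijackThis code nor something
the helper posted. The allow-lists below are constructed for this sample
only; a real tool would consult a vetted startup database instead.
"""
import re
from dataclasses import dataclass, field

O4_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
RUNDLL_DLL = re.compile(r'rundll32(?:\.exe)?\s+"?(C:\\WINDOWS\\system32\\[^",]+\.dll)"?,', re.I)
WINDOWS_ROOT_EXE = re.compile(r'^"?C:\\WINDOWS\\[^\\"]+\.exe\b', re.I)
BARE_EXE = re.compile(r"^[\w.]+\.exe(?=\s|$)", re.I)
LONG_HEX = re.compile(r"\b[0-9A-Fa-f]{32,}\b")

# Constructed allow-lists covering the benign entries in this log.
KNOWN_RUNDLL_DLLS = {"nvcpl.dll", "nvmctray.dll"}           # NVIDIA control panel
KNOWN_BARE_EXES = {"rundll32.exe",                           # host process, judged by its DLL
                   "nwiz.exe", "chdaudpropshortcut.exe"}     # NVIDIA / HD Audio helpers
# Entry names that mimic Windows components; the genuine Windows Update does
# not start from a Run key via rundll32.
MIMICKED_NAMES = {"windowsupdate", "svchost", "winlogon", "lsass"}


@dataclass
class Finding:
    hive: str
    name: str
    cmd: str
    reasons: list = field(default_factory=list)


def triage_o4_line(line):
    """Return a Finding for a suspicious O4 Run entry, or None if benign or out of scope."""
    m = O4_RUN.match(line.strip())
    if not m:
        return None  # Startup-folder O4 lines and other HJT sections are not handled here
    hive, name, cmd = m["hive"], m["name"], m["cmd"]
    reasons = []
    dll = RUNDLL_DLL.search(cmd)
    if dll:
        base = dll.group(1).rsplit("\\", 1)[-1].lower()
        if base not in KNOWN_RUNDLL_DLLS:
            reasons.append(f"rundll32 loads unrecognised system32 DLL {base}")
    if WINDOWS_ROOT_EXE.match(cmd):
        reasons.append("executable sits directly in C:\\WINDOWS rather than an install directory")
    if LONG_HEX.search(cmd):
        reasons.append("command line carries a long opaque hex token")
    bare = BARE_EXE.match(cmd)
    if bare and bare.group(0).lower() not in KNOWN_BARE_EXES:
        reasons.append("unqualified executable name, resolved through the PATH search order")
    if name.lower() in MIMICKED_NAMES:
        reasons.append("entry name mimics a Windows component")
    return Finding(hive, name, cmd, reasons) if reasons else None


def triage_log(text):
    """Run triage_o4_line over every line of a HijackThis log."""
    return [f for f in map(triage_o4_line, text.splitlines()) if f]


# O4 lines copied from the HijackThis log posted at the top of this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\aifbdtps.dll",realset
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvcup.dll,startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe
'''

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.hive} [{f.name}] {f.cmd}")
        for r in f.reasons:
            print("    -", r)
```

Run against the sample it reports exactly the four entries the helper asked about or that the later scans removed (runner1, SManager, WindowsUpdate, CTDrive) and stays silent on the vendor entries.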

#3 rflores88

rflores88
  • Topic Starter

  • Members
  • 20 posts

Posted 21 May 2007 - 12:53 AM

Here is the first file from jotti.org results:

File: aifbdtps.dll
Status: INFECTED/MALWARE
MD5 40b6796ec7d566a1907c7c68a4cc92d0
Packers detected: VIRTUMONDE, PE_PATCH.UPX, UPX
Scanner results
Scan taken on 21 May 2007 05:41:31 (GMT)
A-Squared Found nothing
AntiVir Found TR/Spy.Agent.132660
ArcaVir Found Adware.Virtumonde.Ar
Avast Found nothing
AVG Antivirus Found Generic2.BTU
BitDefender Found GenPack:Adware.Virtumonde.KW
ClamAV Found Trojan.Packed-7
Dr.Web Found Trojan.Virtumod
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.Virtumonde.ar (4, 1, 400)
Fortinet Found nothing
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Virtumonde.ar
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found AdWare.Win32.Virtumonde.ar

and here is the second file results:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file


hope this helps...should I continue with the rest of your post before you assess these results?

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 21 May 2007 - 09:30 AM

Proceed with the rest of the fix.

#5 rflores88

rflores88
  • Topic Starter

  • Members
  • 20 posts

Posted 21 May 2007 - 10:45 PM

Proceed with the rest of the fix.


here is the BitDefender log:

BitDefender Online Scanner

Scan report generated at: Mon, May 21, 2007 - 02:30:02
Scan path: C:\;D:\;E:\;

Statistics
Time: 01:25:44
Files: 713527
Folders: 9409
Boot Sectors: 4
Archives: 12947
Packed Files: 69290

Results
Identified Viruses: 25
Infected Files: 51
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 46

Engines Info
Virus Definitions: 507371
Engine build: AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status

C:\Documents and Settings\Raymond Flores\Local Settings\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\Cache\F5FA3D32d01
Infected with: Trojan.FakeAlert.DT

C:\Documents and Settings\Raymond Flores\Local Settings\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\Cache\F5FA3D32d01
Disinfection failed

C:\Documents and Settings\Raymond Flores\Local Settings\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\Cache\F5FA3D32d01
Deleted

C:\Documents and Settings\Raymond Flores\Temporary Internet Files\Content.IE5\QD6BMZ74\xc36[1].exe
Infected with: Trojan.Agent.AIM

C:\Documents and Settings\Raymond Flores\Temporary Internet Files\Content.IE5\QD6BMZ74\xc36[1].exe
Disinfection failed

C:\Documents and Settings\Raymond Flores\Temporary Internet Files\Content.IE5\QD6BMZ74\xc36[1].exe
Deleted

C:\Documents and Settings\Raymond Flores\Temporary Internet Files\Content.IE5\Y4WU51DV\xc29[1].exe
Infected with: Trojan.Agent.QT

C:\Documents and Settings\Raymond Flores\Temporary Internet Files\Content.IE5\Y4WU51DV\xc29[1].exe
Disinfection failed

C:\Documents and Settings\Raymond Flores\Temporary Internet Files\Content.IE5\Y4WU51DV\xc29[1].exe
Deleted

C:\Documents and Settings\Raymond Flores\Temporary Internet Files\Content.IE5\ZU6PGXYA\antzom[1].exe
Infected with: Trojan.Agent.AUJ

C:\Documents and Settings\Raymond Flores\Temporary Internet Files\Content.IE5\ZU6PGXYA\antzom[1].exe
Disinfection failed

C:\Documents and Settings\Raymond Flores\Temporary Internet Files\Content.IE5\ZU6PGXYA\antzom[1].exe
Deleted

C:\Documents and Settings\Raymond Flores\Temporary Internet Files\Content.IE5\ZU6PGXYA\L2[1].exe
Infected with: Trojan.Downloader.Small.ZCE

C:\Documents and Settings\Raymond Flores\Temporary Internet Files\Content.IE5\ZU6PGXYA\L2[1].exe
Disinfection failed

C:\Documents and Settings\Raymond Flores\Temporary Internet Files\Content.IE5\ZU6PGXYA\L2[1].exe
Deleted

C:\Program Files\Common Files\svchost.exe
Infected with: Trojan.Agent.AIM

C:\Program Files\Common Files\svchost.exe
Disinfection failed

C:\Program Files\Common Files\svchost.exe
Deleted

C:\rwswny.exe
Infected with: Trojan.Downloader.Porndials.A

C:\rwswny.exe
Deleted

C:\stmjv.exe
Infected with: Dropped:Trojan.Clicker.Agent.IS

C:\stmjv.exe
Disinfection failed

C:\stmjv.exe
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP66\A0014368.exe
Infected with: Trojan.Downloader.Agent.BEA

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP66\A0014368.exe
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP66\A0014368.exe
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP66\A0014369.exe
Infected with: Trojan.Downloader.Agent.BEA

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP66\A0014369.exe
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP66\A0014369.exe
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP67\A0014423.exe
Infected with: Trojan.Obfus.Gen

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP67\A0014423.exe
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP67\A0014423.exe
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP67\A0014424.exe
Infected with: Trojan.Agent.AIM

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP67\A0014424.exe
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP67\A0014424.exe
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP67\A0014429.exe
Infected with: Trojan.Downloader.JIOX

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP67\A0014429.exe
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP67\A0014429.exe
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP67\A0014430.exe
Infected with: Trojan.Downloader.PurityScan.DH

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP67\A0014430.exe
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP67\A0014430.exe
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP67\A0014439.exe
Infected with: Trojan.Downloader.JIOX

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP67\A0014439.exe
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP67\A0014439.exe
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP67\A0014440.exe=>(RAR Sfx o)=>keygen.exe
Infected with: MemScan:Trojan.Vundo.AJ

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP67\A0014440.exe=>(RAR Sfx o)=>keygen.exe
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP67\A0014440.exe=>(RAR Sfx o)=>keygen.exe
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP67\A0014440.exe=>(RAR Sfx o)
Update failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP67\A0014440.exe=>(RAR Sfx o)=>crack.exe
Infected with: Trojan.Inject.BW

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP67\A0014440.exe=>(RAR Sfx o)=>crack.exe
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP67\A0014440.exe=>(RAR Sfx o)=>crack.exe
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP67\A0014440.exe=>(RAR Sfx o)
Update failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP67\A0014440.exe=>(RAR Sfx o)=>install.exe
Infected with: Trojan.Downloader.JIOX

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP67\A0014440.exe=>(RAR Sfx o)=>install.exe
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP67\A0014440.exe=>(RAR Sfx o)=>install.exe
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP67\A0014440.exe=>(RAR Sfx o)
Update failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014612.exe
Infected with: Trojan.Agent.AIM

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014612.exe
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014612.exe
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014622.dll
Infected with: Trojan.Agent.QT

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014622.dll
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014622.dll
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014623.exe
Infected with: Trojan.Clicker.Agent.NI

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014623.exe
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014623.exe
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014625.dll
Infected with: Trojan.Agent.QT

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014625.dll
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014625.dll
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014626.dll
Infected with: MemScan:Trojan.Vundo.DLQ

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014626.dll
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014626.dll
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014630.dll
Infected with: Trojan.Spy.VBStat.B

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014630.dll
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014642.exe
Infected with: Trojan.Downloader.JIPM

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014642.exe
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014642.exe
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014643.exe
Infected with: Trojan.Downloader.JIPM

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014643.exe
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014643.exe
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014654.dll
Infected with: Trojan.Virtumod.JQ

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014654.dll
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014654.dll
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014658.exe=>(NSIS o)=>zlib_nsis0001
Infected with: Trojan.Purityad.O

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014658.exe=>(NSIS o)=>zlib_nsis0001
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014658.exe=>(NSIS o)=>zlib_nsis0001
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014658.exe=>(NSIS o)
Update failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014663.exe
Infected with: Trojan.Agent.AIM

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014663.exe
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014663.exe
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP70\A0015328.exe
Infected with: Trojan.Agent.AIM

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP70\A0015328.exe
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP70\A0015328.exe
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP70\A0015347.exe
Infected with: Trojan.Agent.AIM

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP70\A0015347.exe
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP70\A0015347.exe
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP70\A0015383.exe
Infected with: Trojan.Agent.AIM

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP70\A0015383.exe
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP70\A0015383.exe
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP70\A0015398.exe
Infected with: Trojan.Agent.AIM

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP70\A0015398.exe
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP70\A0015398.exe
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP70\A0015407.dll
Infected with: Trojan.Obfus.Gen

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP70\A0015407.dll
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP70\A0015407.dll
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP71\A0015424.exe
Infected with: Trojan.Agent.AIM

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP71\A0015424.exe
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP71\A0015424.exe
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP72\A0015561.exe
Infected with: Trojan.Agent.AIM

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP72\A0015561.exe
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP72\A0015561.exe
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP73\A0015577.exe
Infected with: Trojan.Agent.AIM

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP73\A0015577.exe
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP73\A0015577.exe
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP73\A0015578.exe
Infected with: Trojan.Downloader.Porndials.A

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP73\A0015578.exe
Deleted

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP73\A0015579.exe
Infected with: Dropped:Trojan.Clicker.Agent.IS

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP73\A0015579.exe
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP73\A0015579.exe
Deleted

C:\WINDOWS\svchost.exe
Infected with: Trojan.Agent.AIM

C:\WINDOWS\svchost.exe
Disinfection failed

C:\WINDOWS\svchost.exe
Delete failed

C:\WINDOWS\system32\cbxyyyx.dll
Infected with: MemScan:Trojan.Vundo.DLO

C:\WINDOWS\system32\cbxyyyx.dll
Disinfection failed

C:\WINDOWS\system32\cbxyyyx.dll
Delete failed

C:\WINDOWS\system32\drvcup.dll
Infected with: Trojan.Agent.QT

C:\WINDOWS\system32\drvcup.dll
Disinfection failed

C:\WINDOWS\system32\drvcup.dll
Delete failed

C:\WINDOWS\system32\flcmhenp.dll
Infected with: MemScan:Trojan.BHO.BG

C:\WINDOWS\system32\flcmhenp.dll
Disinfection failed

C:\WINDOWS\system32\flcmhenp.dll
Deleted

C:\WINDOWS\system32\hgbdnbii.dll
Infected with: MemScan:Trojan.BHO.BG

C:\WINDOWS\system32\hgbdnbii.dll
Disinfection failed

C:\WINDOWS\system32\hgbdnbii.dll
Delete failed

C:\WINDOWS\system32\max1d1641.exe
Infected with: Trojan.Porndialer.D

C:\WINDOWS\system32\max1d1641.exe
Disinfection failed

C:\WINDOWS\system32\max1d1641.exe
Deleted

C:\WINDOWS\system32\mljhiif.dll
Infected with: MemScan:Trojan.Vundo.DLO

C:\WINDOWS\system32\mljhiif.dll
Disinfection failed

C:\WINDOWS\system32\mljhiif.dll
Deleted

C:\WINDOWS\system32\pbipthag.dll
Infected with: Trojan.BHO.AR

C:\WINDOWS\system32\pbipthag.dll
Disinfection failed

C:\WINDOWS\system32\pbipthag.dll
Deleted

C:\WINDOWS\system32\pmnno.dll
Infected with: MemScan:Trojan.Vundo.DLR

C:\WINDOWS\system32\pmnno.dll
Disinfection failed

C:\WINDOWS\system32\pmnno.dll
Delete failed

C:\WINDOWS\system32\pnfehbhl.dll
Infected with: Trojan.Vundo.DLP

C:\WINDOWS\system32\pnfehbhl.dll
Disinfection failed

C:\WINDOWS\system32\pnfehbhl.dll
Deleted

C:\WINDOWS\system32\tuqjegg.dll
Infected with: Trojan.Obfus.Gen

C:\WINDOWS\system32\tuqjegg.dll
Disinfection failed

C:\WINDOWS\system32\tuqjegg.dll
Deleted

C:\WINDOWS\system32\yayxwxw.dll
Infected with: MemScan:Trojan.Vundo.DLO

C:\WINDOWS\system32\yayxwxw.dll
Disinfection failed

C:\WINDOWS\system32\yayxwxw.dll
Deleted


will continue to do the rest of the fix...

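The BitDefender log above has a regular shape: one path line followed by one status line per action, blank-line separated, with the same path repeated for "Infected with", "Disinfection failed" and the final "Deleted" / "Delete failed". Reading it by hand, the important split is between objects that still sit on the running system (the system32 DLLs and the WINDOWS\svchost.exe that came back "Delete failed") and the many copies that only exist inside System Restore points. The following script is an added example, not code from the thread or from any of the scanners named in it; it groups the pairs per object and makes that split. The sample log is constructed in the same shape as the posted one, and the restore-point path pattern and the list of core binary names are this example's own assumptions.

```python
"""Triage a BitDefender-style scan log (added example, not the scanner's own tooling).

The log lists one (path, status) pair per object per action, separated by blank
lines: first "Infected with: <name>", then the result of each attempt
("Disinfection failed", "Deleted", "Delete failed", "Update failed"). This groups
those pairs per object and separates what is still live on the running system
from copies that only existed inside System Restore points.
"""
import re
from collections import OrderedDict

# Constructed sample in the same shape as the posted log (not a real capture).
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014642.exe
Infected with: Trojan.Downloader.JIPM

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014642.exe
Disinfection failed

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014642.exe
Deleted

C:\WINDOWS\svchost.exe
Infected with: Trojan.Agent.AIM

C:\WINDOWS\svchost.exe
Disinfection failed

C:\WINDOWS\svchost.exe
Delete failed

C:\WINDOWS\system32\pmnno.dll
Infected with: MemScan:Trojan.Vundo.DLR

C:\WINDOWS\system32\pmnno.dll
Disinfection failed

C:\WINDOWS\system32\pmnno.dll
Delete failed

C:\WINDOWS\system32\mljhiif.dll
Infected with: MemScan:Trojan.Vundo.DLO

C:\WINDOWS\system32\mljhiif.dll
Deleted
"""

# Assumption: restore-point copies live under <drive>:\System Volume Information\_restore{GUID}\RPnn\
RESTORE_POINT_RE = re.compile(r"^[A-Za-z]:\\System Volume Information\\_restore\{", re.IGNORECASE)

# Assumption: core Windows binaries that malware likes to name itself after.
# The genuine copies live in %SystemRoot%\system32, not directly in %SystemRoot%.
CORE_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe", "csrss.exe"}


def parse_log(text):
    """Group the scanner's alternating path/status lines: path -> detections and outcomes, in log order."""
    records = OrderedDict()
    pending_path = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if pending_path is None:          # a path line always precedes its status line
            pending_path = line
            continue
        rec = records.setdefault(pending_path, {"detections": [], "outcomes": []})
        if line.startswith("Infected with:"):
            rec["detections"].append(line.split(":", 1)[1].strip())   # keeps "MemScan:Trojan.Vundo.DLO" intact
        else:
            rec["outcomes"].append(line)
        pending_path = None
    return records


def final_state(rec):
    """The scanner's last word on an object. 'Disinfection failed' followed by 'Deleted' means it is gone."""
    outcomes = rec["outcomes"]
    if "Delete failed" in outcomes:
        return "still present"
    if "Deleted" in outcomes:
        return "removed"
    if outcomes:
        return outcomes[-1].lower()       # e.g. "update failed" on an archive container
    return "detected only"


def triage(text):
    """Split results into live objects the scanner could not remove, live objects it removed,
    and copies inside restore points (those go away together when System Restore is purged)."""
    result = {"live_remaining": [], "live_removed": [], "restore_point": []}
    for path, rec in parse_log(text).items():
        entry = (path, rec["detections"], final_state(rec))
        if RESTORE_POINT_RE.match(path):
            result["restore_point"].append(entry)
        elif entry[2] == "still present":
            result["live_remaining"].append(entry)
        else:
            result["live_removed"].append(entry)
    return result


def masquerading(result):
    """Live paths that use a core-binary name but sit outside a system32 directory."""
    flagged = []
    for path, _, _ in result["live_remaining"] + result["live_removed"]:
        parent, _, name = path.rpartition("\\")
        if name.lower() in CORE_BINARIES and not parent.lower().endswith("\\system32"):
            flagged.append(path)
    return flagged


def report(text):
    """Print a short follow-up list and return the triage result."""
    result = triage(text)
    print("Still present on the live system (needs follow-up):")
    for path, dets, _ in result["live_remaining"]:
        print(f"  {path}  [{', '.join(dets)}]")
    print("Removed from the live system:")
    for path, dets, _ in result["live_removed"]:
        print(f"  {path}  [{', '.join(dets)}]")
    print(f"Restore-point copies: {len(result['restore_point'])} (cleared by purging System Restore)")
    for path in masquerading(result):
        print(f"  core binary name outside system32: {path}")
    return result


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

A "Delete failed" on a live DLL normally means the file was locked by a process that had it loaded, which is why the in-use Vundo components survive an on-demand scan and need removal at boot or with a dedicated tool. The restore-point copies are inert unless the machine is rolled back to that point, so they are handled by clearing System Restore once the live system is clean rather than by chasing each one.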
#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:23 PM

Posted 22 May 2007 - 12:04 AM

Looks good so far. Bitdefender is removing a lot of malware, but the Vundo infection will require a special tool.
After you post the AVG antispyware log and Hijackthis we will continue with the fix.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 rflores88

rflores88
  • Topic Starter

  • Members
  • 20 posts
  • Local time:09:23 PM

Posted 22 May 2007 - 12:49 AM

Looks good so far. Bitdefender is removing a lot of malware, but the Vundo infection will require a special tool.
After you post the AVG antispyware log and Hijackthis we will continue with the fix.



Here are the AVG results:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:45:08 PM 5/21/2007

+ Scan result:



C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP73\A0015583.dll -> Adware.BHO : Ignored.
C:\Program Files\RegistryCleaner -> Adware.Generic : Ignored.
C:\Program Files\RegistryCleaner\Backup -> Adware.Generic : Ignored.
C:\Program Files\RegistryCleaner\RegistryCleaner.exe -> Adware.Generic : Ignored.
C:\Program Files\RegistryCleaner\config.ini -> Adware.Generic : Ignored.
C:\Program Files\RegistryCleaner\uninstall.exe -> Adware.Generic : Ignored.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014593.dll -> Adware.PurityScan : Ignored.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014647.dll -> Adware.PurityScan : Ignored.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014658.exe -> Adware.PurityScan : Ignored.
HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Ignored.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP67\A0014440.exe/keygen.exe -> Adware.Virtumonde : Ignored.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP73\A0015582.dll -> Adware.Virtumonde : Ignored.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP73\A0015586.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\system32\cbxyyyx.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\system32\hgghiff.dll -> Adware.Virtumonde : Ignored.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014641.exe -> Adware.WinAntiVirus : Ignored.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP73\A0015581.exe -> Dialer.GBDialer.i : Ignored.
C:\Documents and Settings\Raymond Flores\Temporary Internet Files\Content.IE5\L8NJJU0K\xzc37[1].exe -> Downloader.Agent.bls : Ignored.
C:\Documents and Settings\Raymond Flores\Temporary Internet Files\Content.IE5\Y9LMI2HV\xc23[1].exe -> Downloader.Alphabet : Ignored.
C:\Documents and Settings\Raymond Flores\Local Settings\Temp\temp.fr5B63 -> Downloader.PurityScan.eg : Ignored.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014624.exe -> Downloader.PurityScan.eg : Ignored.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014655.exe -> Downloader.PurityScan.eg : Ignored.
C:\Program Files\music_now\inetchk.exe -> Hijacker.Small : Ignored.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP73\A0015592.exe -> Logger.Agent.or : Ignored.
C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream : Ignored.
:mozilla.10:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.11:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.123:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.12:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.13:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.14:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.15:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.165:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.16:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.17:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.186:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.18:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.19:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.20:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.21:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.22:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.23:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.24:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.25:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.26:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.27:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.28:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.299:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.29:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.30:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.31:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.32:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.33:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.341:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.34:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.35:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.36:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.37:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.38:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.39:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.40:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.41:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.42:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.43:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.44:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.45:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.46:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.47:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.508:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.526:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.544:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.551:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.573:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.600:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.647:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.6:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.7:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.8:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.9:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Raymond Flores\Cookies\raymond_flores@2o7[1].txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Raymond Flores\Cookies\raymond_flores@www.abcsearch[1].txt -> TrackingCookie.Abcsearch : Ignored.
:mozilla.260:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Adbrite : Ignored.
:mozilla.261:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Adbrite : Ignored.
:mozilla.262:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Adbrite : Ignored.
:mozilla.818:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Adjuggler : Ignored.
:mozilla.819:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Adjuggler : Ignored.
:mozilla.843:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Adjuggler : Ignored.
:mozilla.844:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Adjuggler : Ignored.
:mozilla.845:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Adjuggler : Ignored.
:mozilla.854:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Adobe : Ignored.
:mozilla.265:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Adtech : Ignored.
:mozilla.266:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Adtech : Ignored.
:mozilla.144:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Advertising : Ignored.
:mozilla.145:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Advertising : Ignored.
:mozilla.146:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Advertising : Ignored.
:mozilla.147:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Advertising : Ignored.
:mozilla.148:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Advertising : Ignored.
C:\Documents and Settings\Raymond Flores\Cookies\raymond_flores@advertising[2].txt -> TrackingCookie.Advertising : Ignored.
:mozilla.100:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Atdmt : Ignored.
C:\Documents and Settings\Raymond Flores\Cookies\raymond_flores@bluestreak[1].txt -> TrackingCookie.Bluestreak : Ignored.
:mozilla.780:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Bridgetrack : Ignored.
:mozilla.860:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Burstbeacon : Ignored.
:mozilla.307:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Burstnet : Ignored.
:mozilla.308:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Burstnet : Ignored.
:mozilla.355:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Clickzs : Ignored.
:mozilla.356:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Clickzs : Ignored.
:mozilla.751:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Cnn : Ignored.
:mozilla.234:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Com : Ignored.
C:\Documents and Settings\Raymond Flores\Cookies\raymond_flores@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Ignored.
:mozilla.124:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Doubleclick : Ignored.
C:\Documents and Settings\Raymond Flores\Cookies\raymond_flores@doubleclick[1].txt -> TrackingCookie.Doubleclick : Ignored.
:mozilla.392:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Estat : Ignored.
:mozilla.209:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Fastclick : Ignored.
:mozilla.900:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Googleadservices : Ignored.
:mozilla.901:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Googleadservices : Ignored.
:mozilla.76:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Hitbox : Ignored.
:mozilla.77:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Hitbox : Ignored.
:mozilla.78:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Hitbox : Ignored.
C:\Documents and Settings\Raymond Flores\Cookies\raymond_flores@ehg-pcsecurityshield.hitbox[2].txt -> TrackingCookie.Hitbox : Ignored.
C:\Documents and Settings\Raymond Flores\Cookies\raymond_flores@hitbox[2].txt -> TrackingCookie.Hitbox : Ignored.
:mozilla.496:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Hotlog : Ignored.
:mozilla.505:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Imrworldwide : Ignored.
:mozilla.506:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Imrworldwide : Ignored.
:mozilla.825:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Live : Ignored.
:mozilla.826:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Live : Ignored.
:mozilla.827:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Live : Ignored.
C:\Documents and Settings\Raymond Flores\Cookies\raymond_flores@search.live[2].txt -> TrackingCookie.Live : Ignored.
:mozilla.828:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Liveperson : Ignored.
:mozilla.829:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Liveperson : Ignored.
:mozilla.830:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Liveperson : Ignored.
:mozilla.831:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Liveperson : Ignored.
:mozilla.832:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Liveperson : Ignored.
:mozilla.833:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Liveperson : Ignored.
:mozilla.834:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Liveperson : Ignored.
:mozilla.798:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Masterstats : Ignored.
:mozilla.758:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Matchcraft : Ignored.
:mozilla.759:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Matchcraft : Ignored.
:mozilla.760:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Matchcraft : Ignored.
:mozilla.72:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Mediaplex : Ignored.
C:\Documents and Settings\Raymond Flores\Cookies\raymond_flores@mediaplex[1].txt -> TrackingCookie.Mediaplex : Ignored.
:mozilla.236:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Netflame : Ignored.
:mozilla.237:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Netflame : Ignored.
C:\Documents and Settings\Raymond Flores\Cookies\raymond_flores@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Ignored.
:mozilla.839:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Onestat : Ignored.
:mozilla.840:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Onestat : Ignored.
:mozilla.841:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Onestat : Ignored.
:mozilla.583:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Overture : Ignored.
:mozilla.584:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Overture : Ignored.
:mozilla.592:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Overture : Ignored.
C:\Documents and Settings\Raymond Flores\Cookies\raymond_flores@content.overture[1].txt -> TrackingCookie.Overture : Ignored.
:mozilla.922:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Paypal : Ignored.
:mozilla.156:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Pointroll : Ignored.
:mozilla.158:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Pointroll : Ignored.
:mozilla.160:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Pointroll : Ignored.
:mozilla.161:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Pointroll : Ignored.
C:\Documents and Settings\Raymond Flores\Cookies\raymond_flores@pro-market[2].txt -> TrackingCookie.Pro-market : Ignored.
:mozilla.157:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Questionmarket : Ignored.
:mozilla.159:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Questionmarket : Ignored.
:mozilla.628:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Realmedia : Ignored.
:mozilla.629:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Realmedia : Ignored.
:mozilla.630:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Realmedia : Ignored.
:mozilla.631:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Realmedia : Ignored.
:mozilla.632:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Realmedia : Ignored.
:mozilla.633:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Realmedia : Ignored.
:mozilla.634:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Realmedia : Ignored.
:mozilla.635:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Realmedia : Ignored.
:mozilla.848:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Realtracker : Ignored.
:mozilla.53:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Reliablestats : Ignored.
:mozilla.54:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Reliablestats : Ignored.
:mozilla.55:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Reliablestats : Ignored.
:mozilla.56:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Reliablestats : Ignored.
:mozilla.58:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Reliablestats : Ignored.
:mozilla.59:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Reliablestats : Ignored.
:mozilla.60:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Reliablestats : Ignored.
:mozilla.61:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Reliablestats : Ignored.
:mozilla.62:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Reliablestats : Ignored.
:mozilla.68:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Reliablestats : Ignored.
:mozilla.69:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Reliablestats : Ignored.
C:\Documents and Settings\Raymond Flores\Cookies\raymond_flores@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Ignored.
:mozilla.222:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Revsci : Ignored.
:mozilla.223:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Revsci : Ignored.
:mozilla.224:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Revsci : Ignored.
:mozilla.225:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Revsci : Ignored.
:mozilla.226:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Revsci : Ignored.
:mozilla.227:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Revsci : Ignored.
:mozilla.228:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Revsci : Ignored.
:mozilla.229:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Revsci : Ignored.
:mozilla.230:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Revsci : Ignored.
:mozilla.231:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Revsci : Ignored.
:mozilla.232:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Revsci : Ignored.
:mozilla.233:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Revsci : Ignored.
:mozilla.752:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Revsci : Ignored.
C:\Documents and Settings\Raymond Flores\Cookies\raymond_flores@edge.ru4[1].txt -> TrackingCookie.Ru4 : Ignored.
:mozilla.102:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Skype : Ignored.
:mozilla.103:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Skype : Ignored.
:mozilla.104:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Skype : Ignored.
:mozilla.105:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Skype : Ignored.
C:\Documents and Settings\Raymond Flores\Cookies\raymond flores@skype[1].txt -> TrackingCookie.Skype : Ignored.
:mozilla.936:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Smartadserver : Ignored.
:mozilla.166:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Specificclick : Ignored.
:mozilla.167:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Specificclick : Ignored.
:mozilla.168:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Specificclick : Ignored.
:mozilla.169:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Specificclick : Ignored.
:mozilla.170:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Specificclick : Ignored.
:mozilla.171:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Specificclick : Ignored.
:mozilla.172:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Specificclick : Ignored.
:mozilla.679:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Tacoda : Ignored.
:mozilla.680:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Tacoda : Ignored.
:mozilla.681:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Tacoda : Ignored.
:mozilla.682:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Tacoda : Ignored.
:mozilla.764:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Tacoda : Ignored.
:mozilla.706:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Trafficmp : Ignored.
:mozilla.707:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Trafficmp : Ignored.
:mozilla.708:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Trafficmp : Ignored.
:mozilla.709:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Tribalfusion : Ignored.
:mozilla.782:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Tribalfusion : Ignored.
:mozilla.636:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Valuead : Ignored.
:mozilla.637:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Valuead : Ignored.
:mozilla.638:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Valuead : Ignored.
:mozilla.639:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Valuead : Ignored.
:mozilla.640:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Valuead : Ignored.
:mozilla.729:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Web-stat : Ignored.
:mozilla.730:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Web-stat : Ignored.
:mozilla.731:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Web-stat : Ignored.
:mozilla.732:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Web-stat : Ignored.
:mozilla.130:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Webtrends : Ignored.
C:\Documents and Settings\Raymond Flores\Cookies\raymond_flores@m.webtrends[2].txt -> TrackingCookie.Webtrends : Ignored.
:mozilla.107:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Webtrendslive : Ignored.
:mozilla.743:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Yadro : Ignored.
:mozilla.136:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Yieldmanager : Ignored.
:mozilla.137:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Yieldmanager : Ignored.
:mozilla.138:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Yieldmanager : Ignored.
:mozilla.139:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Yieldmanager : Ignored.
:mozilla.113:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Zedo : Ignored.
:mozilla.117:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Zedo : Ignored.
:mozilla.122:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Zedo : Ignored.
C:\Documents and Settings\Raymond Flores\Temporary Internet Files\Content.IE5\L8NJJU0K\xc60[1].exe -> Trojan.Agent.qt : Ignored.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP73\A0015591.dll -> Trojan.Agent.qt : Ignored.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP66\A0014374.exe -> Trojan.Small : Ignored.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP68\A0014648.exe -> Trojan.Small : Ignored.
C:\WINDOWS\system32\wcpsvtr.exe -> Trojan.Small : Ignored.


::Report end



and the latest HJT:

Logfile of HijackThis v1.99.1
Scan saved at 10:45:32 PM, on 5/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Vongo\VongoService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Vongo\Tray.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Raymond Flores\Desktop\HijackThis(2)\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\aifbdtps.dll",realset
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvcup.dll,startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 22 May 2007 - 12:55 AM

\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP73\A0015583.dll -> Adware.BHO : Ignored.
C:\Program Files\RegistryCleaner -> Adware.Generic : Ignored.
C:\Program Files\RegistryCleaner\Backup -> Adware.Generic : Ignored.
C:\Program Files\RegistryCleaner\RegistryCleaner.exe -> Adware.Generic : Ignored.
C:\Program Files\RegistryCleaner\config.ini -> Adware.Generic : Ignored.
C:\Program Files\RegistryCleaner\uninstall.exe -> Adware.Generic : Ignored.



The AVG log shows the bad stuff and if you look at the end of each line you will see "Ignored".

This is because you did not set it up correctly, so all the bad stuff is still there. :thumbsup:
Please reread the instructions and run the scan again (in the Safe Mode).

You should have quarantined everything it found.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
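The point SifuMike makes above is that "Ignored" at the end of an AVG Anti-Spyware line means the scanner reported the item but left it in place, so a report full of "Ignored" lines is a detection list, not a cleanup. As an added example (not code from this thread, from AVG or from BleepingComputer), here is a small Python parser for the report format as pasted above: it splits each `<path> -> <Threat> : <Action>.` line, counts the actions, and lists the non-cookie items that were not remediated so a helper can tell at a glance whether the scan has to be repeated. The line format is inferred from the logs in this thread; the function names, the `Detection` fields and the two excerpt samples are my own constructions.

```python
"""Parse AVG Anti-Spyware scan-report lines and check whether a scan actually
remediated what it found. Added example, not AVG's or the thread's own code;
the line format is inferred from the reports pasted in the thread."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Firefox cookie hits carry a ":mozilla.<n>:" prefix; n is the entry index in cookies.txt.
COOKIE_PREFIX = re.compile(r"^:mozilla\.(\d+):(.*)$")
# Paths under this folder are System Restore snapshot copies, not the live file.
RESTORE_MARKER = "\\system volume information\\_restore"


@dataclass
class Detection:
    path: str
    threat: str                   # e.g. "Trojan.Small", "TrackingCookie.Zedo"
    action: str                   # e.g. "Ignored", "Cleaned"
    cookie_index: Optional[int]   # entry index in cookies.txt, None for a file
    in_restore_point: bool

    @property
    def is_cookie(self) -> bool:
        return self.threat.startswith("TrackingCookie.")


def parse_line(line: str) -> Optional[Detection]:
    """Return a Detection for one result line, or None for banner/blank lines."""
    line = line.strip()
    # "+ Created at:", "+ Scan result:", "-----" rules and "::Report end" are not results.
    if not line or line.startswith(("+", "-", "::")):
        return None
    target, sep, rest = line.rpartition(" -> ")
    if not sep:
        return None
    threat, sep, action = rest.rpartition(" : ")
    if not sep:
        return None
    cookie_index = None
    m = COOKIE_PREFIX.match(target)
    if m:
        cookie_index, target = int(m.group(1)), m.group(2)
    return Detection(
        path=target,
        threat=threat.strip(),
        action=action.strip().rstrip("."),
        cookie_index=cookie_index,
        in_restore_point=RESTORE_MARKER in target.lower(),
    )


def parse_report(text: str) -> List[Detection]:
    return [d for d in map(parse_line, text.splitlines()) if d is not None]


def actions_taken(detections: List[Detection]) -> Counter:
    """Count detections per action, e.g. Counter({'Ignored': 4})."""
    return Counter(d.action for d in detections)


def unremediated_files(detections: List[Detection]) -> List[Detection]:
    """Non-cookie detections the scanner left in place: malware was reported
    but nothing was removed, which is what 'Ignored' at the end of a line means."""
    return [d for d in detections if d.action == "Ignored" and not d.is_cookie]


def needs_rescan(detections: List[Detection]) -> bool:
    """True when any detection was neither cleaned nor quarantined."""
    return any(d.action == "Ignored" for d in detections)


# Constructed samples: short excerpts of the two reports pasted in this thread.
FIRST_REPORT = r"""
+ Scan result:

:mozilla.113:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Zedo : Ignored.
C:\Documents and Settings\Raymond Flores\Temporary Internet Files\Content.IE5\L8NJJU0K\xc60[1].exe -> Trojan.Agent.qt : Ignored.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP66\A0014374.exe -> Trojan.Small : Ignored.
C:\WINDOWS\system32\wcpsvtr.exe -> Trojan.Small : Ignored.

::Report end
"""

SECOND_REPORT = r"""
+ Scan result:

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP73\A0015605.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP73\A0015606.exe -> Not-A-Virus.Downloader.Win32.DigStream : Cleaned.
:mozilla.17:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP73\A0015601.exe -> Trojan.Small : Cleaned.

::Report end
"""

if __name__ == "__main__":
    for name, text in (("first", FIRST_REPORT), ("second", SECOND_REPORT)):
        found = parse_report(text)
        print(f"{name} report: {dict(actions_taken(found))}, rescan needed: {needs_rescan(found)}")
        for d in unremediated_files(found):
            where = " (System Restore copy)" if d.in_restore_point else ""
            print(f"  still present: {d.path} [{d.threat}]{where}")
```

Run against the first excerpt the script reports `rescan needed: True` and lists the three file hits left on disk, which is exactly the situation SifuMike describes; the second excerpt, where every line ends in "Cleaned", comes back with nothing outstanding. Tracking cookies are counted but kept out of the "still present" list, since they are browser data rather than executables; the restore-point flag marks hits that are snapshot copies inside System Volume Information rather than the live file.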

#9 rflores88

rflores88
  • Topic Starter

  • Members
  • 20 posts

Posted 22 May 2007 - 01:59 AM

\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP73\A0015583.dll -> Adware.BHO : Ignored.
C:\Program Files\RegistryCleaner -> Adware.Generic : Ignored.
C:\Program Files\RegistryCleaner\Backup -> Adware.Generic : Ignored.
C:\Program Files\RegistryCleaner\RegistryCleaner.exe -> Adware.Generic : Ignored.
C:\Program Files\RegistryCleaner\config.ini -> Adware.Generic : Ignored.
C:\Program Files\RegistryCleaner\uninstall.exe -> Adware.Generic : Ignored.



The AVG log shows the bad stuff and if you look at the end of each line you will see "Ignored".

This is because you did not set it up correctly, so all the bad stuff is still there. :thumbsup:
Please reread the instructions and run the scan again (in the Safe Mode).

You should have quarantined everything it found.


Sorry - I messed that up... but the good news is that the report "above" was done first; then I re-read the instructions and ran it again, BUT I forgot to save the log. There were about thirty files that were "quarantined", and here is what was left after another SAFE MODE scan:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:41:40 PM 5/21/2007

+ Scan result:



C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP73\A0015605.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP73\A0015613.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP73\A0015600.exe -> Hijacker.Small : Cleaned.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP73\A0015606.exe -> Not-A-Virus.Downloader.Win32.DigStream : Cleaned.
:mozilla.17:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.18:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.19:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.12:C:\Documents and Settings\Raymond Flores\Application Data\Mozilla\Firefox\Profiles\7lzdjvr2.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP73\A0015601.exe -> Trojan.Small : Cleaned.


::Report end



and here is the HJT log after all was said and done:

Logfile of HijackThis v1.99.1
Scan saved at 11:50:00 PM, on 5/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Vongo\Tray.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Vongo\VongoService.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Raymond Flores\Desktop\HijackThis(2)\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\aifbdtps.dll",realset
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvcup.dll,startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe

What should I do about the "quarantined" files?

Thanks again for all your help...

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:23 PM

Posted 22 May 2007 - 10:13 AM

Hi rflores88,

Leave the AVG Anti-Spyware quarantined files there for now. They will not have anything in quarantine. We will get rid of them later, when we have your computer completely clean.

Let's get rid of the Vundo infection.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post the ComboFix log and a fresh Hijackthis log in your next reply

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix.

To disable Norton AntiVirus Script Blocking
Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
Click Options. If you see a menu, click Norton AntiVirus.
In the left pane, click Script Blocking.
In the right pane, uncheck Enable Script Blocking (recommended).
Click OK.

Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.
 

Edited by SifuMike, 22 May 2007 - 11:53 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 rflores88

rflores88
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:09:23 PM

Posted 24 May 2007 - 07:31 PM

I can feel that we are close to ridding it all... here are the two logs...

"Raymond Flores" - 2007-05-24 15:39:15 Service Pack 2
ComboFix 07-05.24.7.V - Running from: "C:\Documents and Settings\Raymond Flores\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\aifbdtps.dll
C:\WINDOWS\system32\bfqvfvdu.dll
C:\WINDOWS\system32\hgbdnbii.dll
C:\WINDOWS\system32\ipsmevky.dll
C:\WINDOWS\system32\waxyyryt.dll
C:\WINDOWS\system32\whvbqkiu.dll
C:\WINDOWS\system32\winnyv32.dll
C:\WINDOWS\system32\onnmp.bak1
C:\WINDOWS\system32\onnmp.bak2
C:\WINDOWS\system32\onnmp.ini
C:\WINDOWS\system32\sptdbfia.ini
C:\WINDOWS\system32\uikqbvhw.ini
C:\WINDOWS\system32\onnmp.bak1
C:\WINDOWS\system32\onnmp.bak2
C:\WINDOWS\system32\onnmp.ini
C:\WINDOWS\system32\pmnno.dll
C:\WINDOWS\system32\iifebyw.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\Program Files\Common Files\Yazzle1162OinAdmin.exe"
"C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe"
"C:\WINDOWS\retadpu1000272.exe"
"C:\Program Files\outerinfo\Terms.rtf"
"C:\WINDOWS\svchost.exe"
"C:\Program Files\outerinfo"

Purity Folders:

C:\WINDOWS\system32\SCURIT~1
C:\WINDOWS\ICROSO~1
C:\Program Files\CROSOF~1
C:\DOCUME~1\RAYMON~1\APPLIC~1\PPATCH~1
C:\DOCUME~1\RAYMON~1\MYDOCU~1\FNTS~1



((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-24 ))))))))))))))))))))))))))))))))))


2007-05-24 15:36 60,928 --a------ C:\WINDOWS\system32\rpsrenm.dll
2007-05-24 15:36 2 --a------ C:\WINDOWS\system32\wcpsvtr.exe
2007-05-24 15:35 93,696 --a------ C:\WINDOWS\system32\drvwuw.dll
2007-05-24 15:35 10,240 --a------ C:\WINDOWS\system32\klikalka.exe
2007-05-21 20:47 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-20 23:05 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-05-19 10:23 <DIR> d-------- C:\HiJackThis
2007-05-11 20:42 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-05-11 20:41 <DIR> d-------- C:\DOCUME~1\RAYMON~1\.housecall6.6
2007-05-11 18:33 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-11 18:33 <DIR> d-------- C:\DOCUME~1\RAYMON~1\APPLIC~1\Lavasoft
2007-05-11 18:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-02 14:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-01 23:28 <DIR> d-------- C:\DOCUME~1\RAYMON~1\APPLIC~1\ImgBurn
2007-05-01 23:15 <DIR> d-------- C:\DOCUME~1\RAYMON~1\APPLIC~1\RipIt4Me
2007-05-01 15:32 <DIR> d-------- C:\Program Files\LightScribe
2007-05-01 14:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-05-01 13:11 614,191 --a------ C:\WINDOWS\system32\RegistryCleanerSetup.exe
2007-05-01 08:05 <DIR> d-------- C:\DOCUME~1\RAYMON~1\APPLIC~1\Ahead
2007-05-01 08:03 <DIR> d-------- C:\Program Files\Nero


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-24 22:43:34 -------- d-----w C:\DOCUME~1\RAYMON~1\APPLIC~1\Skype
2007-05-22 05:24:08 -------- d-----w C:\Program Files\DIGStream
2007-05-12 15:43:03 -------- d-----w C:\Program Files\iVocalize Web Conference 4
2007-05-12 15:41:42 -------- d-----w C:\Program Files\A4 DVD Shrinker
2007-05-12 05:16:34 -------- d-----w C:\Program Files\RGB
2007-05-03 14:59:32 -------- d-----w C:\DOCUME~1\RAYMON~1\APPLIC~1\U3
2007-04-04 02:10:32 19 ----a-w C:\WINDOWS\popcinfo.dat
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-09 00:51:08 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-07 05:31:41 -------- d-----w C:\Program Files\iTunes
2007-03-07 05:31:36 -------- d-----w C:\Program Files\iPod
2007-03-07 05:28:13 -------- d-----w C:\Program Files\QuickTime
2007-03-07 05:25:04 -------- d-----w C:\Program Files\Apple Software Update
2007-03-01 04:52:34 1,779 ----a-w C:\WINDOWS\mozver.dat
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-04-26 15:19]
{18AA4575-67E5-4807-92AF-A4923D98E974}=C:\WINDOWS\system32\cbxyyyx.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{C1791915-D6AD-B854-DF7A-88ADABBE7499}=C:\WINDOWS\system32\rpsrenm.dll [2007-05-21 06:59]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 21:56]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 22:58]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-18 01:00]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-18 01:00]
"nwiz"="nwiz.exe" [2006-08-18 01:00 C:\WINDOWS\system32\nwiz.exe]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-01 17:02 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 22:01]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-07-11 21:55]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"@"="" []
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]
"QlbCtrl"="%ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" []
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-30 16:02]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 10:23]
"Reminder"="C:\Windows\CREATOR\Remind_XP.exe" [2006-02-09 09:52]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2005-04-08 09:18]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 09:37]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2007-01-08 14:58]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-02 15:24]
"SManager"="smanager.7.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-12-18 17:32]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 21:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"Scbu"="C:\WINDOWS\ICROSO~1\spool32.exe" []
"Gdb"="C:\Program Files\??crosoft\?vchost.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{18AA4575-67E5-4807-92AF-A4923D98E974}"="C:\WINDOWS\system32\cbxyyyx.dll" []
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 07:13]
"{A00ED310-6EE3-4764-883D-F0B833AEC645}"="C:\WINDOWS\system32\iifebyw.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxyyyx]
cbxyyyx.dll


Contents of the 'Scheduled Tasks' folder
2007-05-17 03:30:21 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-24 15:42:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????<?@? ????_??????Y?@?????<?@

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-24 15:44:55 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-24 15:44

--- E O F ---



Logfile of HijackThis v1.99.1
Scan saved at 5:25:42 PM, on 5/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Vongo\Tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Vongo\VongoService.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Raymond Flores\Desktop\HijackThis(2)\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {18AA4575-67E5-4807-92AF-A4923D98E974} - C:\WINDOWS\system32\cbxyyyx.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C1791915-D6AD-B854-DF7A-88ADABBE7499} - C:\WINDOWS\system32\rpsrenm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Scbu] "C:\WINDOWS\ICROSO~1\spool32.exe" -vt yazb
O4 - HKCU\..\Run: [Gdb] "C:\Program Files\??crosoft\?vchost.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: cbxyyyx - cbxyyyx.dll (file missing)
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
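
Reading the two logs above by eye is what the helper does in the next post. The following Python script is an added example for this thread (not a tool either participant posted) that applies the same checks mechanically to the O2/O4/O20 lines and the "Running processes" list: a system-binary name outside system32 (HijackThis prints `?` for characters it cannot display, so `?vchost.exe` is matched as a one-character wildcard), rundll32/regsvr32 loading a system32 DLL that is not on a known-clean baseline, a Run value that is a bare file name, an executable dropped directly in C:\WINDOWS, an unnamed BHO living in system32, and `(file missing)` orphans. The allowlists are constructed for this sample and are an assumption; on a real case they come from a clean baseline of the same machine, and a hit is a reason to look, not a verdict.

```python
"""Triage HijackThis log lines for the indicators seen in this thread.
Added example for this thread, not a tool posted by either participant. The
allowlists are constructed for this sample (an assumption); on a real case they
come from a known-clean baseline of the same machine."""
import fnmatch
import re
from typing import Dict, List

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.*)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\.*\.exe$", re.IGNORECASE)   # "Running processes" lines

# Binaries that belong only in system32; the same name anywhere else is a masquerade.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe"}
# Constructed allowlists (assumption): system32 DLLs rundll32/regsvr32 may load, and
# bare file names that resolve through PATH, on this particular machine.
KNOWN_SYSTEM32_DLLS = {"nvcpl.dll", "nvmctray.dll", "mqrt.dll"}
KNOWN_BARE_EXES = {"nwiz.exe", "chdaudpropshortcut.exe"}
SYS32 = "c:\\windows\\system32\\"


def first_token(cmd: str) -> str:
    """Executable part of a Run value: quoted path, unquoted path ending in .exe, or first token."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)(?=\s|$)|(\S+)', cmd, re.IGNORECASE)
    return next(g for g in m.groups() if g) if m else cmd


def loaded_dll(cmd: str) -> str:
    """DLL named on a rundll32/regsvr32 command line, '' if none."""
    m = re.search(r'([^\s"]+\.dll)', cmd, re.IGNORECASE)
    return m.group(1) if m else ""


def masquerade(path: str) -> bool:
    """True when the file name equals, or wildcard-matches ('?' stands for a character
    HijackThis could not display), a system32-only binary but the path is not system32."""
    base = path.rsplit("\\", 1)[-1].lower()
    looks_system = any(fnmatch.fnmatchcase(name, base) for name in SYSTEM32_ONLY)
    return looks_system and not path.lower().startswith(SYS32)


def triage_line(line: str) -> List[str]:
    """Indicator names that fire on one log line (empty list: nothing seen)."""
    line = line.strip()
    hits: List[str] = []
    if m := O4_RE.match(line):
        cmd = m.group("cmd")
        exe = first_token(cmd)
        base = exe.rsplit("\\", 1)[-1].lower()
        if "?" in cmd or any(ord(c) > 127 for c in cmd):
            hits.append("lookalike-path")          # '?' is not legal in a Windows path
        if masquerade(exe):
            hits.append("system-binary-wrong-dir")
        if base.split(".")[0] in ("rundll32", "regsvr32"):
            dll = loaded_dll(cmd)
            from_sys32 = "\\" not in dll or dll.lower().startswith(SYS32)
            if dll and from_sys32 and dll.rsplit("\\", 1)[-1].lower() not in KNOWN_SYSTEM32_DLLS:
                hits.append("loader-unknown-dll")  # the value name can lie; the DLL is the payload
        elif "\\" not in exe and base not in KNOWN_BARE_EXES:
            hits.append("bare-filename")           # resolved through PATH at logon, no provenance
        elif re.fullmatch(r"c:\\windows\\[^\\]+\.exe", exe.lower()):
            hits.append("exe-in-windows-root")     # %WINDIR% itself is a common drop location
    elif m := O2_RE.match(line):
        path = m.group("path")
        if m.group("name") == "(no name)" and path.lower().startswith(SYS32):
            hits.append("anonymous-bho-in-system32")
        if "(file missing)" in path:
            hits.append("file-missing")            # orphaned CLSID: file gone, hook still registered
    elif m := O20_RE.match(line):
        hits.append("winlogon-notify")             # loads into winlogon.exe at every logon
        if "(file missing)" in m.group("dll"):
            hits.append("file-missing")
    elif PROC_RE.match(line) and masquerade(line):
        hits.append("system-binary-wrong-dir")
    return hits


def triage(log: str) -> Dict[str, List[str]]:
    """Map every line that trips at least one indicator to its indicator names."""
    return {raw.strip(): hits for raw in log.splitlines() if (hits := triage_line(raw))}


# Lines taken from this thread's logs, plus the clean system32 svchost.exe for contrast.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\svchost.exe
O2 - BHO: (no name) - {18AA4575-67E5-4807-92AF-A4923D98E974} - C:\WINDOWS\system32\cbxyyyx.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C1791915-D6AD-B854-DF7A-88ADABBE7499} - C:\WINDOWS\system32\rpsrenm.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\aifbdtps.dll",realset
O4 - HKCU\..\Run: [Gdb] "C:\Program Files\??crosoft\?vchost.exe"
O20 - Winlogon Notify: cbxyyyx - cbxyyyx.dll (file missing)
"""

if __name__ == "__main__":
    for entry, hits in triage(SAMPLE_LOG).items():
        print(", ".join(hits).ljust(42), entry)
```

Run as-is it prints one line per flagged entry; the Spybot `(no name)` BHO, the NVIDIA rundll32 entries and `nwiz.exe` stay quiet because they are either outside system32 or on the constructed allowlist, which is the point of keeping a baseline rather than flagging every unfamiliar name.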

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:23 PM

Posted 25 May 2007 - 11:58 AM

Hi rflores88,

You have some suspicious files we need to check.

You will need to configure Windows to show Hidden files.

Go to this site: http://www.virustotal.com/en/indexf.html
At the top you'll find 'Browse'.
Click the Browse button and browse to this file:

C:\WINDOWS\system32\wcpsvtr.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for the following files:

C:\WINDOWS\system32\drvwuw.dll
C:\WINDOWS\system32\klikalka.exe


Once scanned, copy and paste the results also in your next reply.

I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to reply.
You can copy/paste the results of scan results here.


Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial


*******************************************

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key. If that does not work, go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/



Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

O2 - BHO: (no name) - {18AA4575-67E5-4807-92AF-A4923D98E974} - C:\WINDOWS\system32\cbxyyyx.dll (file missing)
O2 - BHO: (no name) - {C1791915-D6AD-B854-DF7A-88ADABBE7499} - C:\WINDOWS\system32\rpsrenm.dll
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKCU\..\Run: [Gdb] "C:\Program Files\??crosoft\?vchost.exe"
O20 - Winlogon Notify: cbxyyyx - cbxyyyx.dll (file missing)



*******************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'

Don't use the Windows Start\Search feature.
Using Windows Explorer, find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)

C:\WINDOWS\system32\rpsrenm.dll <==file
C:\WINDOWS\system32\smanager.7.exe <==file
C:\Program Files\??crosoft\?vchost.exe <==file Take care with this; it may appear without the question marks and look like a legit file.
If in doubt, right-click the file and select 'Properties'. Check the copyright info under the 'Version' tab.
A legit file will have Microsoft info here or a similar reputable company name. The bad file will have no info at all. Do not delete the legit svchost.exe in system32.



*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Finally, reboot to Normal Mode, post a new HijackThis log and the results of the VirusTotal scan, and tell me how your computer is running.

Note: Please do not use the "Reply" button when posting here. It includes my post with your reply and makes the post very long. Use the "Add Reply" button when posting.

Edited by SifuMike, 25 May 2007 - 11:59 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 rflores88

rflores88
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:09:23 PM

Posted 25 May 2007 - 07:41 PM

Here are the VirusTotal results for all three files:

Complete scanning result of "drvwuw.dll", received in VirusTotal at 05.25.2007, 21:37:12 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.24.0 05.25.2007 Win-Trojan/Xema.variant
AntiVir 7.4.0.27 05.25.2007 TR/Agent.QT.76
Authentium 4.93.8 05.23.2007 W32/Trojan.ZIC
Avast 4.7.997.0 05.25.2007 Win32:Agent-FEW
AVG 7.5.0.467 05.25.2007 Generic3.SQ
BitDefender 7.2 05.25.2007 Trojan.Agent.QT
CAT-QuickHeal 9.00 05.25.2007 Trojan.Agent.qt
ClamAV devel-20070416 05.25.2007 Trojan.Agent-3399
DrWeb 4.33 05.25.2007 Trojan.Fakealert.249
eSafe 7.0.15.0 05.24.2007 Win32.Agent.qt
eTrust-Vet 30.7.3663 05.25.2007 Win32/Aflac.D
Ewido 4.0 05.25.2007 Trojan.Agent.qt
FileAdvisor 1 05.25.2007 High threat detected
Fortinet 2.85.0.0 05.25.2007 W32/Agent.QT!tr
F-Prot 4.3.2.48 05.25.2007 W32/Trojan.ZIC
F-Secure 6.70.13030.0 05.25.2007 Trojan.Win32.Agent.qt
Ikarus T3.1.1.8 05.25.2007 Trojan.Win32.Agent.qt
Kaspersky 4.0.2.24 05.25.2007 Trojan.Win32.Agent.qt
McAfee 5039 05.25.2007 Generic.dx
Microsoft 1.2503 05.25.2007 Trojan:Win32/Agent.PA
NOD32v2 2292 05.25.2007 a variant of Win32/Agent.QT
Norman 5.80.02 05.25.2007 W32/Agent.BAPF
Panda 9.0.0.4 05.25.2007 Adware/WinAntivirus2006
Prevx1 V2 05.25.2007 Malicious
Sophos 4.18.0 05.25.2007 Troj/Agent-FKY
Sunbelt 2.2.907.0 05.24.2007 Trojan.Win32.Agent.qt
Symantec 10 05.25.2007 Trojan Horse
TheHacker 6.1.6.123 05.25.2007 Trojan/Agent.qt
VBA32 3.12.0 05.25.2007 Trojan.Win32.Agent.qt
VirusBuster 4.3.23:9 05.25.2007 Trojan.Agent.SCS
Webwasher-Gateway6.0.1 05.25.2007 Trojan.Agent.QT.76

Aditional Information
File size: 93696 bytes
MD5: 73bb2cee8a6d4cae30c79d9a63861e33
SHA1: 99daeb65cea310d9dd9f3dd114f610a57874fd67
Bit9 info: http://fileadvisor.bit9.com/services/extin...0c79d9a63861e33
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=8fa476621688
Sunbelt info: Trojan.Win32.Agent.qt is a trojan that steals information from the infected machine and sends the data to a remote website.

Complete scanning result of "wcpsvtr.exe", received in VirusTotal at 05.25.2007, 22:45:27 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.24.0 05.25.2007 no virus found
AntiVir 7.4.0.27 05.25.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.25.2007 no virus found
AVG 7.5.0.467 05.25.2007 no virus found
BitDefender 7.2 05.25.2007 no virus found
CAT-QuickHeal 9.00 05.25.2007 no virus found
ClamAV devel-20070416 05.25.2007 no virus found
DrWeb 4.33 05.25.2007 no virus found
eSafe 7.0.15.0 05.24.2007 Win32.Xorpix.al
eTrust-Vet 30.7.3663 05.25.2007 no virus found
Ewido 4.0 05.25.2007 Trojan.Small
FileAdvisor 1 05.25.2007 No threat detected
Fortinet 2.85.0.0 05.25.2007 no virus found
F-Prot 4.3.2.48 05.25.2007 no virus found
F-Secure 6.70.13030.0 05.25.2007 no virus found
Ikarus T3.1.1.8 05.25.2007 no virus found
Kaspersky 4.0.2.24 05.25.2007 no virus found
McAfee 5039 05.25.2007 no virus found
Microsoft 1.2503 05.25.2007 no virus found
NOD32v2 2292 05.25.2007 no virus found
Norman 5.80.02 05.25.2007 no virus found
Panda 9.0.0.4 05.25.2007 no virus found
Prevx1 V2 05.25.2007 Polymorphic Trojans
Sophos 4.18.0 05.25.2007 no virus found
Sunbelt 2.2.907.0 05.24.2007 no virus found
Symantec 10 05.25.2007 no virus found
TheHacker 6.1.6.123 05.25.2007 no virus found
VBA32 3.12.0 05.25.2007 no virus found
VirusBuster 4.3.23:9 05.25.2007 no virus found
Webwasher-Gateway6.0.1 05.25.2007 no virus found

Aditional Information
File size: 2 bytes
MD5: 4f3dd0ffb3e41c5f74b5b0d8c1f10bb5
SHA1: e688cf7414fb701c4495010d43a4eaaaeac71768
Bit9 info: http://fileadvisor.bit9.com/services/extin...4b5b0d8c1f10bb5
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=4f3d691635


Complete scanning result of "klikalka.exe", received in VirusTotal at 05.25.2007, 23:29:15 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.24.0 05.25.2007 no virus found
AntiVir 7.4.0.27 05.25.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.25.2007 no virus found
AVG 7.5.0.467 05.25.2007 no virus found
BitDefender 7.2 05.25.2007 Trojan.Clicker.Small.YA
CAT-QuickHeal 9.00 05.25.2007 TrojanClicker.Small.mv
ClamAV devel-20070416 05.25.2007 no virus found
DrWeb 4.33 05.25.2007 no virus found
eSafe 7.0.15.0 05.24.2007 Suspicious Trojan/Worm
eTrust-Vet 30.7.3663 05.25.2007 no virus found
Ewido 4.0 05.25.2007 no virus found
FileAdvisor 1 05.25.2007 no virus found
Fortinet 2.85.0.0 05.25.2007 PossibleThreat
F-Prot 4.3.2.48 05.25.2007 no virus found
F-Secure 6.70.13030.0 05.25.2007 Trojan-Clicker.Win32.Small.mv
Ikarus T3.1.1.8 05.25.2007 Trojan-Clicker.Win32.Small.mv
Kaspersky 4.0.2.24 05.25.2007 Trojan-Clicker.Win32.Small.mv
McAfee 5039 05.25.2007 no virus found
Microsoft 1.2503 05.25.2007 no virus found
NOD32v2 2292 05.25.2007 no virus found
Norman 5.80.02 05.25.2007 no virus found
Panda 9.0.0.4 05.25.2007 no virus found
Sophos 4.18.0 05.25.2007 no virus found
Sunbelt 2.2.907.0 05.24.2007 VIPRE.Suspicious
Symantec 10 05.25.2007 no virus found
TheHacker 6.1.6.123 05.25.2007 no virus found
VBA32 3.12.0 05.25.2007 no virus found
VirusBuster 4.3.23:9 05.25.2007 no virus found
Webwasher-Gateway6.0.1 05.25.2007 Win32.Malware.gen#PECompact (suspicious)

Aditional Information
File size: 10240 bytes
MD5: ecf87f281529e6a0bc64eda8dcb4efab
SHA1: 1e39ae448592603f8a43792079456185a3f2dc18
packers: PECOMPACT
packers: embedded, PecBundle, PECompact
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.


And here is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:33:54 PM, on 5/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Vongo\Tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Vongo\VongoService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Raymond Flores\Desktop\HijackThis(2)\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Scbu] "C:\WINDOWS\ICROSO~1\spool32.exe" -vt yazb
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe


My computer seems to be running well now...the startup error did not show up, and the IE pop-ups seem to have disappeared...I will wait to hear from you to let me know if all is well and all looks clean...I definitely appreciate your help thus far...

Edited by rflores88, 25 May 2007 - 07:43 PM.
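As an added triage example (not part of this thread, and not HijackThis or ComboFix code), the script below applies the checks SifuMike describes in post #12 to HijackThis log lines like the ones in the log above: a `?` or non-ASCII character inside a path (the `??crosoft\?vchost.exe` entry), a system-binary name such as svchost.exe living outside %WINDIR%\system32, a folder shown only by its 8.3 short name directly under WINDOWS (the `ICROSO~1\spool32.exe` entry), and BHO / Winlogon Notify entries marked "(file missing)". The sample lines are copied from the logs in this thread plus one constructed variant of the Gdb entry with the question marks replaced by the letters a legit path would show.

```python
"""Flag HijackThis (HJT) log entries that deserve a manual look.

Added example for this thread; the rules are the ones the helper spelled
out by hand, turned into code. Nothing here deletes or changes anything.
"""
import re
from typing import List, Tuple

# Binaries that live only in %WINDIR%\system32 on a clean Windows XP install.
# A file with one of these names anywhere else is the classic disguise.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe",
                 "winlogon.exe", "smss.exe", "csrss.exe"}
SYSTEM32_DIR = r"c:\windows\system32"

# "O4 - HKLM\..\Run: [name] command"
_O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Leading (optionally quoted) drive-letter path ending in an executable extension.
_PATH_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|com|scr|bat))"?(?:\s|$)',
                      re.IGNORECASE)
# A folder directly under C:\WINDOWS written as an 8.3 short name (FOO~1).
_SHORTNAME_RE = re.compile(r"^c:\\windows\\[^\\]*~\d+\\", re.IGNORECASE)


def _lookalike_chars(path: str) -> bool:
    # '?' is not legal in an NTFS file name, so a '?' in a logged path means the
    # logger could not render the real character; non-ASCII is the same story.
    return any(ch == "?" or ord(ch) > 127 for ch in path)


def check_path(path: str) -> List[str]:
    """Return the reasons a logged executable path deserves a manual look."""
    reasons: List[str] = []
    directory, _, filename = path.rpartition("\\")
    if _lookalike_chars(path):
        reasons.append("lookalike or unprintable characters in path")
    if filename.lower() in SYSTEM32_ONLY and directory.lower() != SYSTEM32_DIR:
        reasons.append(f"{filename} outside %WINDIR%\\system32")
    if _SHORTNAME_RE.match(path):
        reasons.append("8.3 short-named folder directly under WINDOWS; check its long name")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for each suspicious O2/O4/O20 line in an HJT log."""
    findings: List[Tuple[str, List[str]]] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Orphaned BHO / Winlogon Notify references: the DLL is already gone,
        # but the registry entry still points at it and should be fixed in HJT.
        if (line.startswith(("O2 - BHO:", "O20 - Winlogon Notify:"))
                and line.endswith("(file missing)")):
            target = line.rsplit(" - ", 1)[1].replace(" (file missing)", "")
            findings.append((target, ["orphaned reference to a missing DLL"]))
            continue
        m = _O4_RE.match(line)
        if not m:
            continue
        p = _PATH_RE.match(m.group("cmd"))
        if not p:  # bare names such as "smanager.7.exe" carry no path to check
            continue
        reasons = check_path(p.group("path"))
        if reasons:
            findings.append((p.group("path"), reasons))
    return findings


# Constructed sample: lines taken from the HJT logs in this thread, plus one
# variant of the Gdb entry written the way it would look if the question marks
# were ordinary letters (the "may appear without the question mark" case).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {18AA4575-67E5-4807-92AF-A4923D98E974} - C:\WINDOWS\system32\cbxyyyx.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKCU\..\Run: [Gdb] "C:\Program Files\??crosoft\?vchost.exe"
O4 - HKCU\..\Run: [Gdb] "C:\Program Files\Microsoft\svchost.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Scbu] "C:\WINDOWS\ICROSO~1\spool32.exe" -vt yazb
O20 - Winlogon Notify: cbxyyyx - cbxyyyx.dll (file missing)
"""

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(f"{path}\n    " + "\n    ".join(reasons))
```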


#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:23 PM

Posted 25 May 2007 - 09:03 PM

Hi rflores88,

Your log looks much better :thumbsup: , but we are not quite clean yet.


Using Windows Explorer, delete the following files in bold

C:\WINDOWS\system32\drvwuw.dll <==file
C:\WINDOWS\system32\wcpsvtr.exe <==file
C:\WINDOWS\system32\klikalka.exe <==file

Run ComboFix again and post the ComboFix log.

Edited by SifuMike, 25 May 2007 - 09:06 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 rflores88

rflores88
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:09:23 PM

Posted 25 May 2007 - 09:12 PM

"Raymond Flores" - 2007-05-25 19:03:21 Service Pack 2
ComboFix 07-05.24.7.V - Running from: "C:\Documents and Settings\Raymond Flores\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-25 ))))))))))))))))))))))))))))))))))


2007-05-25 16:11 <DIR> d-------- C:\Program Files\CCleaner
2007-05-24 15:44 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-21 20:47 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-20 23:05 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-05-19 10:23 <DIR> d-------- C:\HiJackThis
2007-05-11 20:42 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-05-11 20:41 <DIR> d-------- C:\DOCUME~1\RAYMON~1\.housecall6.6
2007-05-11 18:33 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-11 18:33 <DIR> d-------- C:\DOCUME~1\RAYMON~1\APPLIC~1\Lavasoft
2007-05-11 18:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-02 14:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-01 23:28 <DIR> d-------- C:\DOCUME~1\RAYMON~1\APPLIC~1\ImgBurn
2007-05-01 23:15 <DIR> d-------- C:\DOCUME~1\RAYMON~1\APPLIC~1\RipIt4Me
2007-05-01 15:32 <DIR> d-------- C:\Program Files\LightScribe
2007-05-01 14:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-05-01 13:11 614,191 --a------ C:\WINDOWS\system32\RegistryCleanerSetup.exe
2007-05-01 08:05 <DIR> d-------- C:\DOCUME~1\RAYMON~1\APPLIC~1\Ahead
2007-05-01 08:03 <DIR> d-------- C:\Program Files\Nero


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-26 01:49:10 -------- d-----w C:\DOCUME~1\RAYMON~1\APPLIC~1\Skype
2007-05-22 05:24:08 -------- d-----w C:\Program Files\DIGStream
2007-05-12 15:43:03 -------- d-----w C:\Program Files\iVocalize Web Conference 4
2007-05-12 15:41:42 -------- d-----w C:\Program Files\A4 DVD Shrinker
2007-05-12 05:16:34 -------- d-----w C:\Program Files\RGB
2007-05-03 14:59:32 -------- d-----w C:\DOCUME~1\RAYMON~1\APPLIC~1\U3
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-04 02:10:32 19 ----a-w C:\WINDOWS\popcinfo.dat
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-09 00:51:08 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-07 05:31:41 -------- d-----w C:\Program Files\iTunes
2007-03-07 05:31:36 -------- d-----w C:\Program Files\iPod
2007-03-07 05:28:13 -------- d-----w C:\Program Files\QuickTime
2007-03-07 05:25:04 -------- d-----w C:\Program Files\Apple Software Update
2007-03-01 04:52:34 1,779 ----a-w C:\WINDOWS\mozver.dat
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-04-26 15:19]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 21:56]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 22:58]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-18 01:00]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-18 01:00]
"nwiz"="nwiz.exe" [2006-08-18 01:00 C:\WINDOWS\system32\nwiz.exe]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-01 17:02 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 22:01]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-07-11 21:55]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"@"="" []
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]
"QlbCtrl"="%ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" []
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-30 16:02]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 10:23]
"Reminder"="C:\Windows\CREATOR\Remind_XP.exe" [2006-02-09 09:52]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2005-04-08 09:18]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 09:37]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2007-01-08 14:58]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-02 15:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-12-18 17:32]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 21:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"Scbu"="C:\WINDOWS\ICROSO~1\spool32.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 07:13]
"{A00ED310-6EE3-4764-883D-F0B833AEC645}"="C:\WINDOWS\system32\iifebyw.dll" []


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480


Contents of the 'Scheduled Tasks' folder
2007-05-17 03:30:21 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-25 19:05:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????<?@? ????_??????Y?@?????<?@

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-25 19:05:56
C:\ComboFix-quarantined-files.txt ... 2007-05-25 19:05
C:\ComboFix2.txt ... 2007-05-24 15:44

--- E O F ---


I saw each file and deleted them from the system32 folder...then I went and used "Empty Recycle Bin" just in case...I hope that was a proper step to take?



