12-04-2007, 02:57 PM   #5
frantheonlyter
Registered User
 
Join Date: Nov 2007
Posts: 12
OS: Windows XP Home Service Pack 2


Re: Trojan.vundo, Constant Popups and slowed system.

Hello, thank you very much for the help. Over the past few days since I first posted I tried a couple of different things to remove trojan.vundo, e.g. the Symantec tool, the VundoFix referred to on this site and Spybot Search and Destroy. The tools seem to remove it but the next day trojan.vundo is back again when connected to the internet. I also removed LimeWire. Here are my new logs.

ComboFix

ComboFix 07-12-02.7 - Francois 2007-12-04 23:30:08.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.274 [GMT 2:00]
Running from: C:\Documents and Settings\Francois\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\_000002_.tmp.dll
C:\WINDOWS\system32\_000003_.tmp.dll
C:\WINDOWS\system32\_000004_.tmp.dll
C:\WINDOWS\system32\_000005_.tmp.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000009_.tmp.dll
C:\WINDOWS\system32\_000010_.tmp.dll
C:\WINDOWS\system32\_000011_.tmp.dll
C:\WINDOWS\system32\_000012_.tmp.dll
C:\WINDOWS\system32\_000013_.tmp.dll
C:\WINDOWS\system32\_000014_.tmp.dll
C:\WINDOWS\system32\bvbvdpox.ini
C:\WINDOWS\system32\hytqthdj.dll
C:\WINDOWS\system32\jdhtqtyh.ini
C:\WINDOWS\system32\mkifttmc.dll
C:\WINDOWS\system32\mmtarnxs.dll
C:\WINDOWS\system32\nqtwa.ini
C:\WINDOWS\system32\nqtwa.ini2
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\qtstv.ini
C:\WINDOWS\system32\qtstv.ini2
C:\WINDOWS\system32\sxnratmm.ini
C:\WINDOWS\system32\ukdxjrei.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wjbwruie.dll
C:\WINDOWS\system32\xopdvbvb.dll
C:\WINDOWS\system32\xxyvvvv.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\NPF


((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
.

2007-12-04 23:39 . 2007-12-04 23:39 6,495 --ahs---- C:\WINDOWS\system32\nqtwa.ini
2007-12-01 14:12 . 2007-12-01 14:12 324,192 --a------ C:\WINDOWS\system32\awtqn.dll
2007-11-30 15:56 . 2007-11-30 15:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-30 14:14 . 2007-11-30 14:15 <DIR> d-------- C:\VundoFix Backups
2007-11-30 13:12 . 2007-12-03 11:47 793,104 ---hs---- C:\WINDOWS\system32\sbfwqlhf.ini
2007-11-29 20:09 . 2007-11-29 20:09 <DIR> d-------- C:\Program Files\RegistrySmart
2007-11-29 20:09 . 2007-11-29 20:09 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\RegistrySmart
2007-11-29 19:49 . 2007-11-29 19:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-29 19:47 . 2007-11-29 19:48 <DIR> d-------- C:\Deckard
2007-11-29 19:33 . 2007-11-29 19:46 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-29 19:32 . 2007-11-29 19:46 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-29 18:51 . 2007-11-29 18:51 164 --a------ C:\install.dat
2007-11-29 13:08 . 2007-11-29 13:08 31,900 --a------ C:\WINDOWS\system32\oxafrykn.dll
2007-11-28 21:24 . 2007-11-28 21:24 <DIR> d--hs---- C:\FOUND.000
2007-11-28 20:27 . 2003-09-03 15:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-11-28 20:27 . 2003-09-03 15:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2007-11-28 20:27 . 2003-09-03 15:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Acer
2007-11-28 19:08 . 2007-11-28 21:54 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-28 13:07 . 2007-11-29 13:07 4,772 ---hs---- C:\WINDOWS\system32\gvphmpdh.ini
2007-11-27 23:04 . 2007-11-27 23:04 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-27 21:10 . 2007-11-27 21:11 38 --a------ C:\WINDOWS\avisplitter.INI
2007-11-27 21:00 . 2007-11-27 21:00 46,360 --a------ C:\WINDOWS\FontData.fdb
2007-11-27 20:58 . 2007-11-27 20:58 56 -r-hs---- C:\WINDOWS\system32\3557BE4C83.sys
2007-11-27 15:35 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-11-27 15:35 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-11-27 15:18 . 2007-11-27 15:18 <DIR> d-------- C:\Program Files\Corel
2007-11-27 15:18 . 2007-11-27 15:18 <DIR> d-------- C:\Program Files\Common Files\Corel
2007-11-27 15:07 . 2007-11-27 15:07 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\Corel
2007-11-27 15:06 . 2007-11-27 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-11-27 14:53 . 2007-11-27 20:58 3,610 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-11-27 14:29 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-11-27 14:29 . 2007-11-27 14:41 376 --a------ C:\WINDOWS\ODBC.INI
2007-11-27 14:15 . 2007-11-27 14:15 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-11-27 14:15 . 2007-11-27 14:15 <DIR> d-------- C:\Program Files\Common Files\L&H
2007-11-27 14:14 . 2007-11-27 14:14 <DIR> d-------- C:\Program Files\Microsoft Works
2007-11-27 14:13 . 2007-11-27 14:13 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-11-27 14:13 . 2007-11-27 14:13 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-11-27 12:56 . 2007-11-27 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-27 12:48 . 2007-11-27 12:48 <DIR> d-------- C:\Program Files\Bonjour
2007-11-27 12:40 . 2007-11-27 12:40 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-11-26 21:59 . 2007-11-26 21:59 <DIR> d-------- C:\Program Files\EwisoftWeb
2007-11-26 18:54 . 2007-11-26 18:54 <DIR> d-------- C:\Documents and Settings\Francois\Shared
2007-11-26 18:54 . 2007-11-26 18:54 <DIR> d-------- C:\Documents and Settings\Francois\Incomplete
2007-11-26 18:54 . 2007-11-26 18:54 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\LimeWire
2007-11-23 15:36 . 2007-11-23 15:36 <DIR> d-------- C:\Program Files\Atari
2007-11-22 22:31 . 2007-11-22 22:31 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\Media Player Classic
2007-11-22 22:30 . 2007-11-22 22:30 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-11-22 18:56 . 2007-11-22 18:56 <DIR> d-------- C:\Program Files\Common Files\DirectX
2007-11-22 18:45 . 2007-11-22 18:45 <DIR> d-------- C:\Program Files\Codemasters
2007-11-22 18:44 . 2007-11-22 18:44 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\InstallShield
2007-11-22 18:33 . 2007-11-22 18:33 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\AdobeUM
2007-11-21 15:13 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-11-21 15:13 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2007-11-21 15:13 . 2004-08-04 05:00 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-11-21 15:13 . 2004-08-04 05:00 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys
2007-11-21 10:10 . 2007-11-21 10:10 <DIR> d-------- C:\Program Files\The Witcher
2007-11-20 09:35 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-11-20 09:35 . 2006-09-28 16:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-11-20 09:35 . 2007-11-21 10:20 278,984 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2007-11-20 09:35 . 2007-11-20 09:35 25,416 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2007-11-20 09:31 . 2007-11-20 09:31 <DIR> d-------- C:\Program Files\Ubisoft
2007-11-20 09:27 . 2007-11-20 09:27 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\DAEMON Tools Pro
2007-11-20 09:26 . 2007-11-20 09:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2007-11-20 09:24 . 2007-11-20 09:24 <DIR> d-------- C:\Program Files\DAEMON Tools Pro
2007-11-20 09:22 . 2007-11-20 09:22 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-11-20 09:18 . 2004-08-04 05:00 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2007-11-20 09:08 . 2007-11-20 09:08 <DIR> d--hs---- C:\Recycled
2007-11-20 08:57 . 2007-08-20 12:04 6,058,496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-20 08:57 . 2007-04-17 11:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-20 08:57 . 2007-03-08 07:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-20 08:57 . 2007-08-20 12:04 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-20 08:57 . 2007-08-20 12:04 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-20 08:57 . 2007-08-20 12:04 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-20 08:57 . 2007-08-20 12:04 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-20 08:57 . 2007-08-20 12:04 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-20 08:57 . 2007-08-17 12:20 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-20 05:53 . 2007-12-04 23:39 343 --a------ C:\WINDOWS\system32\eRLog.ini
2007-11-20 05:52 . 2007-11-20 05:52 92 --a------ C:\WINDOWS\GridV.UNI
2007-11-20 05:48 . 2007-11-20 05:48 <DIR> d-------- C:\Program Files\Common Files\Logitech
2007-11-20 05:48 . 2007-11-20 05:48 <DIR> d-------- C:\Program Files\Common Files\Acer
2007-11-20 05:46 . 2007-11-20 05:46 <DIR> d-------- C:\Program Files\WinPCap
2007-11-20 05:46 . 2006-01-23 12:41 78,208 --a------ C:\WINDOWS\system32\drivers\epm-shd.sys
2007-11-20 05:46 . 2007-11-20 05:46 21,275 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-11-20 05:46 . 2006-01-23 12:41 4,096 --a------ C:\WINDOWS\system32\drivers\epm-psd.sys
2007-11-20 05:45 . 2007-11-20 05:46 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Intel
2007-11-20 05:45 . 2007-11-20 05:45 <DIR> d-------- C:\Program Files\Launch Manager
2007-11-20 05:45 . 2007-11-20 05:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intel
2007-11-20 05:45 . 2006-04-10 10:09 61,440 --a------ C:\WINDOWS\system32\acerGina.dll
2007-11-20 05:45 . 2002-12-19 15:58 49,152 --a------ C:\WINDOWS\system32\QtBtLib.dll
2007-11-20 05:45 . 2004-12-08 14:10 16,896 --a------ C:\WINDOWS\system32\drivers\DKbFltr.SYS
2007-11-20 05:45 . 2004-12-09 12:04 5,120 --a------ C:\WINDOWS\system32\FILTRCOI.DLL
2007-11-20 05:45 . 2007-11-20 05:45 83 --a------ C:\WINDOWS\QtZgAcer.UNI
2007-11-20 05:45 . 2007-11-20 05:45 0 --a------ C:\WINDOWS\NT.INI
2007-11-20 05:43 . 2007-11-20 05:43 <DIR> d-------- C:\Documents and Settings\Francois\Bluetooth Software
2007-11-20 05:43 . 2006-01-20 15:56 225,350 --a------ C:\WINDOWS\system32\Epm-Po.dll
2007-11-20 05:43 . 2006-01-20 15:56 53,248 --a------ C:\WINDOWS\system32\acpimof.dll
2007-11-20 05:38 . 2007-11-20 05:38 <DIR> d-------- C:\Program Files\WIDCOMM
2007-11-20 05:38 . 2007-11-20 05:38 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\ATI
2007-11-20 05:31 . 2007-11-20 05:31 <DIR> d-------- C:\WINDOWS\Acer
2007-11-20 05:31 . 2007-11-20 05:31 <DIR> d-------- C:\Program Files\ATI Technologies

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-19 20:21 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-11-19 20:21 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-01 12:49 542,088 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-01 12:49 161,160 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-09-28 15:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 15:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-09-28 15:05 739,840 ----a-w C:\WINDOWS\system32\divx.dll
2007-09-04 15:56 164,352 ----a-w C:\WINDOWS\system32\unrar.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05A73C0A-8DF5-4444-BF95-DF237B76DA77}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DE0D0A9-1545-40EF-9733-7CD20092AE26}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A3FC7B6-33A6-4AE8-96BF-02AB8A4D9EF2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4DDEB637-D486-4A89-A531-BD9D3854FF70}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5895BE39-EED2-4982-B660-A0FE213A03C0}]
C:\WINDOWS\system32\vtstq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DB58EA0-A933-43EE-A761-C40960F60E43}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7ACE2002-725D-4428-B7C0-8A389404A69B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D5B109A-6A3C-44C1-A4A2-CDE0D359B12C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8539543E-FBD0-4E09-964F-1E92AB75CEFB}]
2007-12-01 14:12 324192 --a------ C:\WINDOWS\system32\awtqn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D0242B32-27E4-4E13-84C1-9D1DCBD4F44B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D635D348-C0E5-4B49-8C42-F06781E62965}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED94524D-12F8-4350-A8E5-2ACCD2B0134B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F2B4C1B1-2FB8-43FE-92A9-4D1106F93679}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f4ea1405-b59d-4d76-b5e9-53e0fa1388bf}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE274981-54DF-4F99-878D-4AC593CD26AD}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 15:08]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-11-02 00:11]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-02 00:11]
"PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [2005-12-13 21:31]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-03 00:25]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-03 00:22]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-03 00:26]
"ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [2005-10-24 16:45]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 15:50]
"ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 17:15]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19]
"NAV CfgWiz"="C:\Program Files\Common Files\Symantec Shared\SymProbe.exe" []
"RTHDCPL"="RTHDCPL.EXE" [2006-04-04 02:44 C:\WINDOWS\RTHDCPL.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-24 23:21]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-09 11:54]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-08 18:41]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2006-04-03 17:03]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 18:00]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2006-03-31 10:47]
"LogitechCameraAssistant"="C:\Program Files\Acer\OrbiCam\CameraAssistant.exe" [2006-03-31 10:24]
"LogitechVideo[inspector]"="C:\Program Files\Acer\OrbiCam\InstallHelper.exe" [2006-03-31 10:32]
"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [2004-11-01 17:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-01-17 10:45:32]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-27 14:47:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvvvv]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\awtqn.dll

R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys
R1 OsaFsLoc;OsaFsLoc;\??\C:\WINDOWS\system32\drivers\OsaFsLoc.sys
R2 EpmPsd;Acer EPM Power Scheme Driver;\??\C:\WINDOWS\system32\drivers\epm-psd.sys
R2 EpmShd;Acer EPM System Hardware Driver;\??\C:\WINDOWS\system32\drivers\epm-shd.sys
R2 int15.sys;int15.sys;\??\C:\Acer\Empowering Technology\eRecovery\int15.sys
R2 osaio;osaio;\??\C:\WINDOWS\system32\drivers\osaio.sys
R2 osanbm;osanbm;\??\C:\WINDOWS\system32\drivers\osanbm.sys
R3 DKbFltr;Dritek Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
R3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\Drivers\lv321av.sys
R3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys
R3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys
R3 SMCB000;SMSC CIR HID Miniport Device Driver;C:\WINDOWS\system32\DRIVERS\hidsmsc.sys
S3 AVerE506;AVerE506 service;C:\WINDOWS\system32\DRIVERS\AVerE506.sys
S3 AVerM115;AVerM115 service;C:\WINDOWS\system32\DRIVERS\AVerM115.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-26 16:57:10 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Francois.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
"2007-11-29 18:09:58 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.exe
- C:\Program Files\RegistrySmart
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 23:39:11
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-04 23:41:06 - machine was rebooted
.
--- E O F ---


HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:27 PM, on 2007/12/04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
c:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\DOCUME~1\Francois\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Trend Micro\HijackThis\Francois.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.salestronics.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aceradvantage.com/stdreg
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = dsl-cache.saix.net:8080
O2 - BHO: (no name) - {05A73C0A-8DF5-4444-BF95-DF237B76DA77} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DE0D0A9-1545-40EF-9733-7CD20092AE26} - (no file)
O2 - BHO: (no name) - {1A3FC7B6-33A6-4AE8-96BF-02AB8A4D9EF2} - (no file)
O2 - BHO: (no name) - {4DDEB637-D486-4A89-A531-BD9D3854FF70} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5895BE39-EED2-4982-B660-A0FE213A03C0} - C:\WINDOWS\system32\vtstq.dll (file missing)
O2 - BHO: (no name) - {6DB58EA0-A933-43EE-A761-C40960F60E43} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7ACE2002-725D-4428-B7C0-8A389404A69B} - (no file)
O2 - BHO: (no name) - {7D5B109A-6A3C-44C1-A4A2-CDE0D359B12C} - (no file)
O2 - BHO: (no name) - {8539543E-FBD0-4E09-964F-1E92AB75CEFB} - C:\WINDOWS\system32\awtqn.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D0242B32-27E4-4E13-84C1-9D1DCBD4F44B} - (no file)
O2 - BHO: (no name) - {D635D348-C0E5-4B49-8C42-F06781E62965} - (no file)
O2 - BHO: (no name) - {ED94524D-12F8-4350-A8E5-2ACCD2B0134B} - (no file)
O2 - BHO: (no name) - {F2B4C1B1-2FB8-43FE-92A9-4D1106F93679} - (no file)
O2 - BHO: (no name) - {f4ea1405-b59d-4d76-b5e9-53e0fa1388bf} - (no file)
O2 - BHO: (no name) - {FE274981-54DF-4F99-878D-4AC593CD26AD} - (no file)
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] "C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe"
O4 - HKLM\..\Run: [ntiMUI] "C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\SymProbe.exe -r "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] "C:\Program Files\Realtek\InstallShield\AzMixerSel.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] "C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] "C:\Acer\Empowering Technology\eRecovery\Monitor.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] "C:\Program Files\Acer\OrbiCam\CameraAssistant.exe"
O4 - HKLM\..\Run: [LogitechVideo[inspector]] "C:\Program Files\Acer\OrbiCam\InstallHelper.exe" /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] "C:\WINDOWS\system32\ElkCtrl.exe" /automation
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1196164825156
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363C401-3C0E-448C-9EF5-259A8C63E052}: NameServer = 196.25.1.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{4363C401-3C0E-448C-9EF5-259A8C63E052}: NameServer = 196.25.1.11
O17 - HKLM\System\CS2\Services\Tcpip\..\{4363C401-3C0E-448C-9EF5-259A8C63E052}: NameServer = 196.25.1.11
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 14735 bytes


Again thank you very much for your help!

Last edited by tetonbob; 12-04-2007 at 06:25 PM. Reason: removed quote tags; makes logs harder to read