Trojan Horse - TR/Vundo.Gen

Bill Forshay · Oct 17, 2007

I did the five steps.
Step1 - Didn't have any programs to remove.
Step 2 - Active Scan - Could only see half of the screen. It also gave me an 'Error on Download'. It ran for about 2 hours.
Step 3 - Loaded Spyware Blaster and ran it.
Loaded IE-Spyad and unziped it, but I couldn't see how to run it. It said it unzip 8 files.
Step 4 - There were no updates for my system. I have auto scheduled daily.
Step 5 - Ran Deckard system scanner and have attached the list. I didn''
t get any other lists in the 5 step process.
http://www.techsupportforum.com/security-center/hijackthis-log-help/15968-
updated-important-read-before-posting-log.html
Deckard's System Scanner v20071014.68
Run by Bill Forshay on 2007-10-17 17:23:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.

-- Last 1 Restore Point(s) --
1: 2007-10-17 22:23:18 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-10-17 17:25:01
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\NetAccelerator\NetAccel.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Bill Forshay\Desktop\dss.exe
C:\Program Files\HP\hpcoretech\soln\HPOSM.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.msn.com/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1fbd96ca-4d09-4f24-9b8e-a20efc1e8f60} - blank (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [NetAccelerator] "C:\PROGRA~1\NETACC~1\netaccel.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - (no file)
O9 - Extra 'Tools' menuitem: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://turbotax.com (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160598253796
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151695293937
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} () - http://a19.g.akamai.net/7/19/7125/1444/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{72D3AAB0-EA79-4E6A-A792-A037205F17E5}: NameServer = 66.118.3.98 66.118.8.10
O18 - Protocol: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O20 - Winlogon Notify: inetcom - C:\WINDOWS\system32\inetcom.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - Unknown owner - C:\WINDOWS\system32\slmdmsr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8439 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 RecAgent - c:\windows\system32\drivers\sldrv\recagent.sys <Not Verified; ; Modem>
R1 BANTExt (Belarc SMBios Access) - c:\windows\system32\drivers\bantext.sys
R3 Mtlmnt5 - c:\windows\system32\drivers\sldrv\mtlmnt5.sys <Not Verified; ; Modem>
R3 Mtlstrm - c:\windows\system32\drivers\sldrv\mtlstrm.sys <Not Verified; ; Modem>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 Slntamr (Conexant AMR_PCI Driver) - c:\windows\system32\drivers\sldrv\slntamr.sys <Not Verified; ; Modem>
R3 SlNtHal - c:\windows\system32\drivers\sldrv\slnthal.sys <Not Verified; ; Modem>
R3 SlWdmSup - c:\windows\system32\drivers\sldrv\slwdmsup.sys <Not Verified; ; Modem>

S3 FETNDIS (VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver) - c:\windows\system32\drivers\fetnd5.sys (file missing)
S3 GMSIPCI - d:\install\gmsipci.sys (file missing)
S3 mohfilt - c:\windows\system32\drivers\mohfilt.sys <Not Verified; Intel Corporation; Intel(R) 537EP Modem>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (AntiVir PersonalEdition Classic Scheduler) - c:\program files\antivir personaledition classic\sched.exe <Not Verified; Avira GmbH; Scheduler>
R2 SLService (SmartLinkService) - slmdmsr.exe <Not Verified; ; Modem>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2007-10-17 17:33:00 356 --a------ C:\WINDOWS\Tasks\HP Usg Daily.job
2007-10-16 21:57:49 284 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2007-10-13 15:25:46 510 --a------ C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job
2007-06-09 15:58:24 406 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job

-- Files created between 2007-09-17 and 2007-10-17 -----------------------------

2007-10-17 16:59:43 0 d-------- C:\ie-spyad_zo
2007-10-17 16:44:29 0 d-------- C:\Program Files\SpywareBlaster
2007-10-17 14:27:52 0 d-------- C:\WINDOWS\LastGood
2007-10-16 21:20:05 0 dr-h----- C:\Documents and Settings\Bill Forshay\Recent
2007-10-16 19:05:43 0 d-------- C:\Program Files\Karen's Power Tools
2007-10-16 19:03:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Karen's Power Tools
2007-10-15 17:44:41 0 d-------- C:\Program Files\Alwil Software
2007-10-15 14:13:36 0 d-------- C:\Program Files\PCPitstop
2007-10-14 16:50:52 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-10-14 15:42:32 0 d-------- C:\VundoFix Backups
2007-10-04 15:41:11 0 d-------- C:\Documents and Settings\Bill Forshay\Application Data\AdwareAlert
2007-10-03 12:28:28 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-10-01 22:44:04 20078624 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-01 22:39:59 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier

-- Find3M Report ---------------------------------------------------------------

2007-10-11 12:29:21 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-11 12:25:42 0 d-------- C:\Program Files\ItsDeductible2005
2007-10-09 20:16:11 0 d-------- C:\Documents and Settings\Bill Forshay\Application Data\AVG7
2007-10-01 22:41:38 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-09-11 20:09:42 0 d-------- C:\Documents and Settings\Bill Forshay\Application Data\Printer Info Cache
2007-09-11 20:09:42 0 d-------- C:\Documents and Settings\Bill Forshay\Application Data\Image Zone Express
2007-09-11 20:08:13 0 d-------- C:\Program Files\Common Files\HP
2007-09-03 13:53:21 0 d-------- C:\Program Files\Family Tree Maker 2005
2007-08-22 21:46:06 0 d-------- C:\Program Files\Google

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1fbd96ca-4d09-4f24-9b8e-a20efc1e8f60}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [01/15/2004 07:33 AM C:\WINDOWS\system32\VTTimer.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [02/23/2004 12:44 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/27/2005 11:13 PM]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [07/25/2005 12:01 PM]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [03/31/2004 11:34 PM]
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [05/04/2004 05:17 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [09/14/2007 02:52 PM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [05/04/2004 02:21 AM]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [05/11/2005 11:12 PM]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [04/17/2002 10:42 AM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [01/12/2005 02:54 PM]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [10/10/2007 12:19 PM]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [11/10/2003 04:06 PM]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [05/01/2003 06:44 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 11:46 PM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [09/06/2007 04:14 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetAccelerator"="C:\PROGRA~1\NETACC~1\netaccel.exe" [05/12/1999 08:06 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"Uniblue SpeedUpMyPC"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 11:05:26 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [5/11/2005 11:23:26 PM]
HP Image Zone Fast Start.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [3/15/2004 7:45:34 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 3:05:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\inetcom]
C:\WINDOWS\system32\inetcom.dll 05/23/2006 01:11 PM 368660 C:\WINDOWS\system32\inetcom.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smiley District]
C:\Program Files\SmileyDistrict\plugin.exe

-- End of Deckard's System Scanner: finished at 2007-10-17 17:46:45 ------------

Pancake · Oct 21, 2007

I dont see anything that points directly to Vundo..

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. It is possible that you may be running Java code in your applications that absolutely require a specific version of the JRE to run.

Please follow these steps to remove older version Java components and update.

Updating Java:
Download the latest version of the Java Runtime Environment - (JRE) 6 Update 3.
Scroll down to where it says "Java Runtime Environment (JRE) 6u3 allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

==========================

Please download Combofix from HERE or HERE

Save ComboFix to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Copy and Paste the contents of that log in your next reply with a new hijackthis log. Do not use Code or html unless asked for.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

================================

Go to http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives[*]Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Bill Forshay · Oct 21, 2007

Pancake: I was able to do all the steps except the 'kaspersky.com' It said I needed administrative rights, I don't know how to get that. Also where do I attach the 'Logs' you want?

Pancake · Oct 21, 2007

Just copy and paste the logs here...

If you own the computer you should have admin rights.

Bill Forshay · Oct 21, 2007

Pancake: Here are the logs. 'kaspersky.com' would not load it gave me an error.
ComboFix 07-10-21.1** - Bill Forshay 2007-10-21 14:09:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.619 [GMT -5:00]
Running from: C:\Documents and Settings\Bill Forshay\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-21 to 2007-10-21 )))))))))))))))))))))))))))))))
.

2007-10-21 14:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-21 13:48 <DIR> d-------- C:\Program Files\Java
2007-10-21 13:15 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-17 17:22 <DIR> d-------- C:\Deckard
2007-10-17 16:59 <DIR> d-------- C:\ie-spyad_zo
2007-10-17 16:44 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-16 19:05 <DIR> d-------- C:\Program Files\Karen's Power Tools
2007-10-16 19:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Karen's Power Tools
2007-10-15 17:44 <DIR> d-------- C:\Program Files\Alwil Software
2007-10-15 17:44 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-10-15 17:44 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-15 14:13 <DIR> d-------- C:\Program Files\PCPitstop
2007-10-14 16:50 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-14 15:42 <DIR> d-------- C:\VundoFix Backups
2007-10-04 15:41 <DIR> d-------- C:\Documents and Settings\Bill Forshay\Application Data\AdwareAlert
2007-10-01 22:44 20,078,624 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-01 22:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-21 19:21 200,132 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-17 02:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-11 17:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-11 17:25 --------- d-----w C:\Program Files\ItsDeductible2005
2007-10-10 01:16 --------- d-----w C:\Documents and Settings\Bill Forshay\Application Data\AVG7
2007-10-06 19:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2007-09-12 01:09 --------- d-----w C:\Documents and Settings\Bill Forshay\Application Data\Printer Info Cache
2007-09-12 01:09 --------- d-----w C:\Documents and Settings\Bill Forshay\Application Data\Image Zone Express
2007-09-12 01:08 --------- d-----w C:\Program Files\Common Files\HP
2007-09-06 21:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-09-06 21:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-09-06 16:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2007-09-03 18:53 --------- d-----w C:\Program Files\Family Tree Maker 2005
2007-08-23 02:46 --------- d-----w C:\Program Files\Google
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-31 00:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 00:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 00:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 00:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 00:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 00:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2005-05-20 17:41 58,368 ----a-w C:\Program Files\MFInstall.exe
2005-05-17 00:20 56,463 ----a-w C:\Program Files\gedvw105.zip
2005-05-17 00:06 36,653 ----a-w C:\Program Files\GedView107.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1fbd96ca-4d09-4f24-9b8e-a20efc1e8f60}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2004-01-15 07:33 C:\WINDOWS\system32\VTTimer.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-03-27 23:13]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-25 12:01]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2004-03-31 23:34]
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2004-05-04 17:17]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-14 14:52]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2004-05-04 02:21]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 10:42]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-10 12:19]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2003-11-10 16:06]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 18:44]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"Smiley District"="C:\Program Files\SmileyDistrict\plugin.exe" [2006-05-17 02:47]
"RegistryMechanic"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetAccelerator"="C:\PROGRA~1\NETACC~1\netaccel.exe" [1999-05-12 20:06]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"Uniblue SpeedUpMyPC"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]
HP Image Zone Fast Start.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2004-03-15 19:45:34]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\inetcom]
C:\WINDOWS\system32\inetcom.dll 2006-05-23 13:11 368660 C:\WINDOWS\system32\inetcom.dll

R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-13 20:25:46 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.exe
"2007-10-21 18:33:00 C:\WINDOWS\Tasks\HP Usg Daily.job"
"2007-10-17 02:57:49 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
"2007-06-09 20:58:24 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-21 14:24:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-21 14:26:08 - machine was rebooted
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:37:52 PM, on 10/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\hphmon05.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SmileyDistrict\plugin.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\NETACC~1\netaccel.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1fbd96ca-4d09-4f24-9b8e-a20efc1e8f60} - blank (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Smiley District] C:\Program Files\SmileyDistrict\plugin.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [NetAccelerator] "C:\PROGRA~1\NETACC~1\netaccel.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160598253796
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151695293937
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1444/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{72D3AAB0-EA79-4E6A-A792-A037205F17E5}: NameServer = 66.118.3.98 66.118.8.10
O20 - Winlogon Notify: inetcom - C:\WINDOWS\system32\inetcom.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8025 bytes

Pancake · Oct 22, 2007

Ok.Just need to tidy these up and you are all done

Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes.Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.

O9 - Extra button: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\system32\shdocvw.dll

Remove this folder..

C:\Program Files\SmileyDistrict

Reboot and post a new HJT log..

Bill Forshay · Oct 22, 2007

Pancake: I could not find Program SmileyDistrict. I did a search of my 'C' disk and also looked in the add/remove programs. I have attached the hijackthis log. I did remove the items you mentioned.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:11:40 PM, on 10/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\hphmon05.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SmileyDistrict\plugin.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\NETACC~1\netaccel.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\AntiVir PersonalEdition Classic\GUARDGUI.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1fbd96ca-4d09-4f24-9b8e-a20efc1e8f60} - blank (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Smiley District] C:\Program Files\SmileyDistrict\plugin.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [NetAccelerator] "C:\PROGRA~1\NETACC~1\netaccel.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160598253796
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151695293937
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1444/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: inetcom - C:\WINDOWS\system32\inetcom.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7652 bytes

Trojan Horse - TR/Vundo.Gen

Top Contributors this Month

Recommended Communities