Vundo Trojan x 2, Slow start-up et. al.

jtpriddy · 04-10-2007, 09:49 PM

I have been infected for about a month now. Picked up these infections in Europe. I think I have multiple infections, or one infection that is allowing other infections to feed.

I know that I have 2 versions of Vundo Trojan Horse, and something else I can't put my finger on.

I am running Avast! for anti-virus, and/or have tried Windows Defender, AVG, Spyware Doctor, XoftSpySE, RegCure, now the three other programs recommended by this site, and am still getting buffer overruns. Virtual memory is VERY slowwww. It takes about 10-15 minutes for my computer to boot. Browser is hijacked regularly, but not constantly.

I hope I do this post correctly, and thank you for your service in this very frustrating matter!! THANK YOU.

1.

Deckard's System Scanner v20070328.36
Run by Tim Priddy on 2007-04-10 at 23:17:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
12: 2007-04-11 03:17:21 UTC - RP12 - Deckard's System Scanner Restore Point
11: 2007-04-10 15:58:34 UTC - RP11 - Installed Ad-Aware SE Personal
10: 2007-04-10 15:30:42 UTC - RP10 - Spyware Doctor: Cleaning Threats
9: 2007-04-10 01:29:21 UTC - RP9 - Installed HP Wireless Mouse
8: 2007-04-09 23:23:30 UTC - RP8 - System Restore

-- First Restore Point --
1: 2007-04-05 17:55:47 UTC - RP1 - System Checkpoint

Backed up registry hives.

Performed disk cleanup.

-- HijackThis (run as Tim Priddy.exe) ------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:19:44 PM, on 4/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Venturi2\Client\ventc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\Tim Priddy\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1.1\Tim Priddy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {182B90A3-F372-438A-800C-6814B4DE417B} - C:\WINDOWS\system32\ssqqomk.dll
O2 - BHO: (no name) - {1A9E5BDB-7129-4F41-97FD-2115F9C42DEC} - C:\WINDOWS\system32\byxuu.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [VF0070 STISvc] RunDLL32.exe V0070Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\qamemyed.dll",setvm
O4 - HKLM\..\Run: [mMouse] MouPter.exe
O4 - HKLM\..\Run: [SetMou] SetMou.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Cu...ataManager.CAB
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/126p/html/gtdownlr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1170275904732
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://192.168.0.102:81/plugin/h263ctrl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: byxuu - C:\WINDOWS\system32\byxuu.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ssqqomk - C:\WINDOWS\SYSTEM32\ssqqomk.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Venturi2 Client (Venturi2) - Venturi Wireless - C:\Program Files\Venturi2\Client\ventc.exe

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys
R1 AFS2K - c:\windows\system32\drivers\afs2k.sys
R1 Cdr4_xp - c:\windows\system32\drivers\cdr4_xp.sys
R1 Cdralw2k - c:\windows\system32\drivers\cdralw2k.sys
R1 cdudf_xp - c:\windows\system32\drivers\cdudf_xp.sys
R1 DVDVRRdr_xp - c:\windows\system32\drivers\dvdvrrdr_xp.sys
R1 eabfiltr - c:\windows\system32\drivers\eabfiltr.sys
R1 pwd_2k - c:\windows\system32\drivers\pwd_2k.sys
R1 UDFReadr - c:\windows\system32\drivers\udfreadr.sys
R2 mdmxsdk - c:\windows\system32\drivers\mdmxsdk.sys
R2 NwlnkIpx (NWLink IPX/SPX/NetBIOS Compatible Transport Protocol) - c:\windows\system32\drivers\nwlnkipx.sys
R2 NwlnkNb (NWLink NetBIOS) - c:\windows\system32\drivers\nwlnknb.sys
R2 NwlnkSpx (NWLink SPX/SPXII Protocol) - c:\windows\system32\drivers\nwlnkspx.sys
R3 BCM43XX (Broadcom 802.11 Network Adapter Driver) - c:\windows\system32\drivers\bcmwl5.sys
R3 CAMCAUD (Conexant AMC 3D Environmental Audio) - c:\windows\system32\drivers\camcaud.sys
R3 CAMCHALA - c:\windows\system32\drivers\camchal.sys
R3 HSF_DP - c:\windows\system32\drivers\hsf_dp.sys
R3 HSFHWICH - c:\windows\system32\drivers\hsfhwich.sys
R3 ialm - c:\windows\system32\drivers\ialmnt5.sys
R3 IKFileFlt (File Filter Driver) - c:\windows\system32\drivers\ikfileflt.sys
R3 IKFileSec (File Security Driver) - c:\windows\system32\drivers\ikfilesec.sys
R3 IkSysFlt (System Filter Driver) - c:\windows\system32\drivers\iksysflt.sys
R3 IKSysSec (System Security Driver) - c:\windows\system32\drivers\iksyssec.sys
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys
R3 mmc_2K - c:\windows\system32\drivers\mmc_2k.sys
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys
R3 ROOTMODEM (Microsoft Legacy Modem Driver) - c:\windows\system32\drivers\rootmdm.sys
R3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys

S2 Nsynas32 - c:\windows\system32\drivers\nsynas32.sys
S2 vsdatant - c:\windows\system32\vsdatant.sys (file missing)
S3 {E2B953A6-195A-44F9-9BA3-3D5F4E32BB55} (AIM 3.0 Part 01 Codec Driver CH-7009-A/CH-7011) - c:\windows\system32\drivers\wa301a.sys
S3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys
S3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys
S3 Btcsrusb (Bluetooth USB For Bluetooth Service) - c:\windows\system32\drivers\btcusb.sys
S3 BthEnum (Bluetooth Request Block Driver) - c:\windows\system32\drivers\bthenum.sys
S3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys
S3 BthPan (Bluetooth Device (Personal Area Network)) - c:\windows\system32\drivers\bthpan.sys
S3 BTHPORT (Bluetooth Port Driver) - c:\windows\system32\drivers\bthport.sys
S3 BTHUSB (Bluetooth Radio USB Driver) - c:\windows\system32\drivers\bthusb.sys
S3 dvd_2K - c:\windows\system32\drivers\dvd_2k.sys
S3 eabusb - c:\windows\system32\drivers\eabusb.sys
S3 LHidUsbK (Logitech SetPoint USB Receiver device driver) - c:\windows\system32\drivers\lhidusbk.sys (file missing)
S3 LMouKE (Logitech SetPoint Mouse Filter Driver) - c:\windows\system32\drivers\lmouke.sys (file missing)
S3 QV2KUX (Casio Digital Camera) - c:\windows\system32\drivers\qv2kux.sys
S3 Rasirda (WAN Miniport (IrDA)) - c:\windows\system32\drivers\rasirda.sys
S3 Ser2pl (Prolific Serial port driver) - c:\windows\system32\drivers\ser2pl.sys
S3 SMCIRDA (SMC IrCC Miniport Device Driver) - c:\windows\system32\drivers\smcirda.sys
S3 SMNDIS5 (SMNDIS5 NDIS Protocol Driver) - c:\program files\verizon wireless\vzaccess manager\smndis5.sys
S3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys
S3 V0070VID (Creative WebCam Notebook Ultra) - c:\windows\system32\drivers\v0070vid.sys
S3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys
S3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys
S3 WpdUsb - c:\windows\system32\drivers\wpdusb.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BthServ (Bluetooth Support Service) - c:\windows\system32\svchost.exe -k bthsvcs
R2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe"
R2 Venturi2 (Venturi2 Client) - c:\program files\venturi2\client\ventc.exe

S3 hpqwmi (HP WMI Interface) - c:\program files\hpq\shared\hpqwmi.exe
S3 sdAuxService (Spyware Doctor Auxiliary Service) - c:\program files\spyware doctor\svcntaux.exe
S3 sdCoreService (Spyware Doctor Service) - c:\program files\spyware doctor\swdsvc.exe

-- Scheduled Tasks -------------------------------------------------------------

2007-04-10 23:20:00 432 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{7A2BD778-407B-48B9-905C-F3A45FF5B90A}.job<USER_F~1.JOB>
2007-04-10 17:57:19 448 --a------ C:\WINDOWS\Tasks\RegCure Program Check.job<REGCUR~1.JOB>
2007-04-10 17:57:18 442 --a------ C:\WINDOWS\Tasks\XoftSpySE 2.job<XOFTSP~2.JOB>
2007-04-10 17:53:23 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job<MPSCHE~1.JOB>
2007-04-10 07:51:52 372 --a------ C:\WINDOWS\Tasks\XoftSpySE.job<XOFTSP~1.JOB>
2007-04-10 06:29:07 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>
2007-04-05 03:37:55 382 --a------ C:\WINDOWS\Tasks\RegCure.job
2007-03-20 17:46:17 330 --a------ C:\WINDOWS\Tasks\RoxioUpdator.job<ROXIOU~1.JOB>

-- Files created between 2007-03-10 and 2007-04-10 -----------------------------

2007-04-10 22:26:58 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~3>
2007-04-10 22:14:24 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~2>
2007-04-10 16:47:40 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-04-10 12:00:19 0 d-------- C:\Documents and Settings\Tim Priddy\Application Data\Lavasoft
2007-04-10 11:58:55 0 d-------- C:\Program Files\Lavasoft
2007-04-10 10:57:37 26064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-04-10 10:57:37 83536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-04-10 10:57:37 52304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys<IKFILE~2.SYS>
2007-04-10 10:57:37 39248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys<IKFILE~1.SYS>
2007-04-10 10:57:36 59984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-04-10 10:56:43 0 d-------- C:\Program Files\Spyware Doctor<SPYWAR~1>
2007-04-10 10:53:56 626688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-04-09 21:29:38 147456 --a------ C:\WINDOWS\Uninstit.exe
2007-04-09 21:29:38 49152 --a------ C:\WINDOWS\HIDUSB.dll
2007-04-09 21:29:37 244736 --a------ C:\WINDOWS\SetMou.exe
2007-04-09 21:29:33 5720064 --a------ C:\WINDOWS\MouPter.exe
2007-04-09 21:29:32 24576 --a------ C:\WINDOWS\HKNTDLL.dll
2007-04-09 21:29:32 49152 --a------ C:\WINDOWS\CPQUSB.dll
2007-04-09 19:24:08 0 d-------- C:\Program Files\SP31140
2007-04-05 13:34:39 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-04-05 06:02:03 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-04-05 06:02:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-04-05 06:02:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2007-04-05 06:02:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-04-05 06:02:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer<APPLEC~1>
2007-04-05 03:37:38 0 d-------- C:\Program Files\RegCure
2007-04-04 14:29:47 617960 ---hs---- C:\WINDOWS\system32\uuxyb.ini2<UUXYB~1.INI>
2007-04-04 14:20:53 88340 --a------ C:\WINDOWS\system32\kceyhfil.exe
2007-04-04 14:20:41 123412 --a------ C:\WINDOWS\system32\fmfpgktr.dll
2007-04-03 12:56:18 0 d-------- C:\WINDOWS\Internet Logs<INTERN~1>
2007-04-03 12:50:21 29752 -----n--- C:\WINDOWS\system32\InstHelper.dll<INSTHE~1.DLL>
2007-04-03 12:48:58 8 --a------ C:\WINDOWS\system32\success
2007-04-03 12:42:13 110080 --a------ C:\WINDOWS\system32\drivers\dne2000.sys
2007-04-03 12:42:13 94720 --a------ C:\WINDOWS\system32\dneinobj.dll
2007-04-03 12:41:43 5315 --a------ C:\WINDOWS\system32\drivers\CVirtA.sys
2007-04-03 12:41:27 193584 --a------ C:\WINDOWS\system32\CSGina.dll
2007-03-30 02:08:36 280676 ---hs---- C:\WINDOWS\system32\jkhih.dll
2007-03-28 05:09:33 26730 --a------ C:\WINDOWS\system32\ssqqomk.dll
2007-03-28 05:09:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-03-21 03

37 88340 --a------ C:\WINDOWS\system32\qextwqnk.exe
2007-03-19 12:15:21 0 d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware<PARETO~1>
2007-03-19 04:58:39 0 d-------- C:\Program Files\XoftSpySE<XOFTSP~1>
2007-03-16 14:07:08 0 d-------- C:\Program Files\QuickTime<QUICKT~3>
2007-03-16 14:00:30 0 d-------- C:\Program Files\Apple Software Update<APPLES~2>
2007-03-12 05:31:55 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

-- Find3M Report ---------------------------------------------------------------

2007-04-10 23:19:28 0 d-------- C:\Program Files\HijackThis 1.99.1<HIJACK~1.1>
2007-04-10 19:00:37 0 d-------- C:\Program Files\Windows Defender<WIFD1F~1>
2007-04-10 18:48:36 0 d-------- C:\Program Files\iTunes
2007-04-10 18:41:27 0 d-------- C:\Program Files\Google
2007-04-10 18:41:24 0 d-------- C:\Program Files\Free Download Manager<FREEDO~1>
2007-04-10 18:40:28 0 d-------- C:\Program Files\DVD Region-Free<DVDREG~1>
2007-04-10 12:12:46 12 --a------ C:\WINDOWS\bthservsdp.dat<BTHSER~1.DAT>
2007-04-10 12:10:57 0 d-------- C:\Documents and Settings\Tim Priddy\Application Data\Skype
2007-04-10 11:56:06 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-04-10 09:11:51 0 d-------- C:\Program Files\Quicken
2007-04-09 21:29:21 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-04-05 03:36:09 0 d-------- C:\Program Files\Install Provider<INSTAL~2>
2007-04-02 09:38:38 0 d-------- C:\Program Files\LimeWire
2007-03-28 05:01:57 0 d-------- C:\Documents and Settings\Tim Priddy\Application Data\AdobeUM
2007-03-23 15:35:47 0 d-------- C:\Program Files\DivX
2007-03-22 06:52:52 0 d-------- C:\Program Files\Finale 2006<FINALE~1>
2007-03-20 02:49:40 469766 ---hs---- C:\WINDOWS\system32\uuxyb.bak2<UUXYB~2.BAK>
2007-03-17 03:16:37 0 d-------- C:\Documents and Settings\Tim Priddy\Application Data\Free Download Manager<FREEDO~1>
2007-03-16 14:17:17 0 d-------- C:\Program Files\iPod
2007-03-16 04:02:18 0 d-------- C:\Program Files\InterVideo<INTERV~1>
2007-03-16 03:19:58 0 d-------- C:\Program Files\Hewlett-Packard<HEWLET~1>
2007-03-16 02:02:48 0 d-------- C:\Program Files\HP
2007-03-13 07:16:33 0 d-------- C:\Documents and Settings\Tim Priddy\Application Data\DivX
2007-03-08 11:36:28 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36:28 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36:28 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47:48 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 06:31:57 0 d-------- C:\Program Files\Pure Sudoku<PURESU~1>
2007-03-07 06:27:20 482966 ---hs---- C:\WINDOWS\system32\uuxyb.bak1<UUXYB~1.BAK>
2007-03-05 10:05:28 0 d-------- C:\Documents and Settings\Tim Priddy\Application Data\Talkback
2007-03-02 19:05:38 282164 -----n--- C:\WINDOWS\system32\byxuu.dll
2007-03-02 18:59:06 26637 ---hs---- C:\WINDOWS\system32\wvuvvwu.dll
2007-02-28 03:23:07 0 d-------- C:\Documents and Settings\Tim Priddy\Application Data\CNN
2007-02-27 11:14:10 0 d-------- C:\Program Files\Microsoft WSE<MI6E20~1>
2007-02-27 08:00:22 0 d-------- C:\Program Files\Sports Illustrated 2007<SPORTS~1>
2007-02-27 07:58:54 0 d-------- C:\Program Files\The Awakened<THEAWA~1>
2007-02-25 09:05:46 63696 --a------ C:\Documents and Settings\Tim Priddy\Application Data\GDIPFONTCACHEV1.DAT<GDIPFO~1.DAT>
2007-02-23 00:29:58 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-02-23 00:29:56 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-02-23 00:29:49 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-02-23 00:29:49 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-02-23 00:25:24 196608 --a----c- C:\WINDOWS\system32\dtu100.dll
2007-02-23 00:25:24 73728 --a----c- C:\WINDOWS\system32\dpl100.dll
2007-02-23 00:25:23 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-02-23 00:25:22 57344 --a----c- C:\WINDOWS\system32\dpv11.dll
2007-02-23 00:25:22 344064 --a----c- C:\WINDOWS\system32\dpus11.dll
2007-02-23 00:25:22 593920 --a----c- C:\WINDOWS\system32\dpuGUI11.dll
2007-02-23 00:25:22 294912 --a----c- C:\WINDOWS\system32\dpu11.dll
2007-02-23 00:25:22 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-02-23 00:25:19 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll<DIVX_X~3.DLL>
2007-02-23 00:25:19 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll<DIVX_X~1.DLL>
2007-02-23 00:25:19 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll<DIVX_X~2.DLL>
2007-02-23 00:25:19 639066 --a------ C:\WINDOWS\system32\DivX.dll
2007-02-15 21:40:35 124472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe<DIVXCO~1.EXE>
2007-02-13 14:43:33 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-02-12 06:43:14 0 d-------- C:\Program Files\MSBuild
2007-02-12 06:36:14 0 d-------- C:\Program Files\Reference Assemblies<REFERE~1>
2007-02-10 07:01:25 0 d-------- C:\Program Files\Java
2007-02-03 13:16:55 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-01-30 01:03:34 118520 -----n--- C:\WINDOWS\system32\pxinsi64.exe
2007-01-30 01:03:34 116472 -----n--- C:\WINDOWS\system32\pxcpyi64.exe
2007-01-30 01:03:34 129784 -----n--- C:\WINDOWS\system32\pxafs.dll
2007-01-19 09:23:54 1721976 --a------ C:\WINDOWS\system32\inetclnt.dll
2007-01-15 13:32:07 689280 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-01-15 13:23:20 90112 --a------ C:\WINDOWS\system32\AVASTSS.scr

-- Registry Dump ---------------------------------------------------------------

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"RecordNow!"=""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Power2GoExpress"=""
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"SynTPLpr"="\"C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe\""
"SynTPEnh"="\"C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HPHmon05"="C:\\WINDOWS\\system32\\hphmon05.exe"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\""
"WatchDog"="C:\\Program Files\\InterVideo\\DVD Check\\DVDCheck.exe"
"BluetoothAuthenticationAgent"="\"rundll32.exe\" bthprops.cpl,,BluetoothAuthenticationAgent"
"VF0070 STISvc"="RunDLL32.exe V0070Pin.dll,RunDLL32EP 513"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"LanguageShortcut"="\"C:\\Program Files\\CyberLink\\PowerDVD\\Language\\Language.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SoundService"="rundll32.exe \"C:\\WINDOWS\\system32\\qamemyed.dll\",setvm"
"mMouse"="MouPter.exe"
"SetMou"="SetMou.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ParetoLogic Anti-Spyware]
"item"="ParetoLogic Anti-Spyware"
"hkey"="HKEY"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{182B90A3-F372-438A-800C-6814B4DE417B}"=""
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=dword:00000001
"NoRecentDocsMenu"=dword:00000001

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxuu
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqqomk

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{09d50a72-8fc9-11da-87da-00c09f5b716a}]
Shell\AutoRun\command F:\JDSecure\Windows\JDSecure20.exe

-- Hosts -----------------------------------------------------------------------

127.0.0.1 new
127.0.0.1 new
127.0.0.1 new
127.0.0.1 new
127.0.0.1 new
127.0.0.1 new
127.0.0.1 new
127.0.0.1 new
127.0.0.1 new
127.0.0.1 new

9 more entries in hosts file.

-- End of Deckard's System Scanner: finished at 2007-04-10 at 23:20:55 ---------

jtpriddy · 04-10-2007, 10:22 PM

Screwed up already...here's the Panda log:

Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ssqqomk.dll
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Tim Priddy\Local Settings\Temp\gxexbdmr.dll
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\Tim Priddy\Local Settings\Temporary Internet Files\Content.IE5\056J8TQN\wbkC3.tmp
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\fmfpgktr.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\kceyhfil.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\qextwqnk.exe
Virus:Trj/BHO.A Disinfected C:\WINDOWS\system32\vmoywreo.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\wvuvvwu.dll
Regards,

Tim Priddy

sUBs · 04-13-2007, 01:26 PM

1. Download this file -> http://download.bleepingcomputer.com...a/ComboFix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

jtpriddy · 04-18-2007, 12:02 PM

Thank you for your prompt reply. At this time, it will be a bit more difficult for me to respond, for I work on a cruise ship in the mexican riviera, but here is your Combofix log:

"Tim Priddy" - 07-04-18 13:49:26 Service Pack 2
ComboFix 07-04-18.2V - Running from: C:\Documents and Settings\Tim Priddy\Desktop\

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\fmfpgktr.dll
C:\WINDOWS\system32\jkhih.dll
C:\WINDOWS\system32\hihkj.ini

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((( Files Created from 2007-03-18 to 2007-04-18 ))))))))))))))))))))))))))))))))))

2007-04-13 22:39 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-13 22:38 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-13 22:38 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-04-13 22:38 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-13 22:38 712,832 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-04-13 22:38 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-13 22:38 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-13 22:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Panda Software
2007-04-13 20:49 <DIR> d-------- C:\Program Files\Windows Defender
2007-04-13 00:34 <DIR> d-------- C:\Program Files\Panda Software
2007-04-13 00:04 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2007-04-11 22:07 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Talkback
2007-04-11 17:20 7,864,320 --a------ C:\DOCUME~1\TIMPRI~1\ntuser.dat
2007-04-10 23:17 <DIR> d-------- C:\Deckard
2007-04-10 22:26 <DIR> d-------- C:\Program Files\SpywareGuard
2007-04-10 22:14 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-04-10 16:47 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-04-10 12:00 <DIR> d-------- C:\DOCUME~1\TIMPRI~1\APPLIC~1\Lavasoft
2007-04-10 11:58 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-10 10:57 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-04-10 10:57 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-04-10 10:57 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-04-10 10:57 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-04-10 10:57 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-04-10 10:56 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-04-10 10:53 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-04-09 21:29 147,456 --a------ C:\WINDOWS\Uninstit.exe
2007-04-09 19:24 <DIR> d-------- C:\Program Files\SP31140
2007-04-05 13:34 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-04-05 06:02 786,432 --ah----- C:\DOCUME~1\ADMINI~1\ntuser.dat
2007-04-05 06:02 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-04-05 06:02 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sun
2007-04-05 06:02 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-04-05 06:02 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
2007-04-05 03:37 <DIR> d-------- C:\Program Files\RegCure
2007-04-04 14:29 617,197 ---hs---- C:\WINDOWS\system32\uuxyb.ini2
2007-04-03 12:56 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-04-03 12:50 29,752 --------- C:\WINDOWS\system32\InstHelper.dll
2007-04-03 12:42 94,720 --a------ C:\WINDOWS\system32\dneinobj.dll
2007-04-03 12:42 110,080 --a------ C:\WINDOWS\system32\drivers\dne2000.sys
2007-04-03 12:41 5,315 --a------ C:\WINDOWS\system32\drivers\CVirtA.sys
2007-04-03 12:41 193,584 --a------ C:\WINDOWS\system32\CSGina.dll
2007-03-28 05:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe
2007-03-19 12:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ParetoLogic Anti-Spyware
2007-03-19 04:58 <DIR> d-------- C:\Program Files\XoftSpySE

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-18 00:19 12 --a------ C:\WINDOWS\bthservsdp.dat
2007-04-17 19:32 -------- d-------- C:\Program Files\quicken
2007-04-13 01:57 -------- d-------- C:\Program Files\quicktime
2007-04-13 01:48 -------- d-------- C:\Program Files\itunes
2007-04-13 01:41 -------- d-------- C:\Program Files\dvd region-free
2007-04-13 00:42 -------- d--h----- C:\Program Files\installshield installation information
2007-04-12 19:08 -------- d-------- C:\Program Files\sports illustrated 2007
2007-04-11 20:47 -------- d-------- C:\Program Files\google
2007-04-11 20:47 -------- d-------- C:\Program Files\free download manager
2007-04-11 18:13 -------- d-------- C:\Program Files\hijackthis 1.99.1
2007-04-10 12:10 -------- d-------- C:\DOCUME~1\TIMPRI~1\APPLIC~1\skype
2007-04-10 11:56 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-04-05 03:36 -------- d-------- C:\Program Files\install provider
2007-04-02 09:38 -------- d-------- C:\Program Files\limewire
2007-03-23 15:35 -------- d-------- C:\Program Files\divx
2007-03-22 06:52 -------- d-------- C:\Program Files\finale 2006
2007-03-20 02:49 469766 ---hs---- C:\WINDOWS\system32\uuxyb.bak2
2007-03-17 09:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-17 03:16 -------- d-------- C:\DOCUME~1\TIMPRI~1\APPLIC~1\free download manager
2007-03-16 14:17 -------- d-------- C:\Program Files\ipod
2007-03-16 04:02 -------- d-------- C:\Program Files\intervideo
2007-03-16 03:19 -------- d-------- C:\Program Files\hewlett-packard
2007-03-16 02:02 -------- d-------- C:\Program Files\hp
2007-03-13 07:16 -------- d-------- C:\DOCUME~1\TIMPRI~1\APPLIC~1\divx
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 06:31 -------- d-------- C:\Program Files\pure sudoku
2007-03-07 06:27 482966 ---hs---- C:\WINDOWS\system32\uuxyb.bak1
2007-03-05 10:05 -------- d-------- C:\DOCUME~1\TIMPRI~1\APPLIC~1\talkback
2007-03-02 18:59 26637 ---hs---- C:\WINDOWS\system32\wvuvvwu.dll
2007-02-27 11:14 -------- d-------- C:\Program Files\microsoft wse
2007-02-27 07:58 -------- d-------- C:\Program Files\the awakened
2007-02-25 09:05 63696 --a------ C:\DOCUME~1\TIMPRI~1\APPLIC~1\gdipfontcachev1.dat
2007-02-23 00:29 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-02-23 00:29 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-02-23 00:29 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-02-23 00:29 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-02-23 00:25 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-02-23 00:25 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-02-23 00:25 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-02-23 00:25 73728 --a--c--- C:\WINDOWS\system32\dpl100.dll
2007-02-23 00:25 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-02-23 00:25 593920 --a--c--- C:\WINDOWS\system32\dpugui11.dll
2007-02-23 00:25 57344 --a--c--- C:\WINDOWS\system32\dpv11.dll
2007-02-23 00:25 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2007-02-23 00:25 344064 --a--c--- C:\WINDOWS\system32\dpus11.dll
2007-02-23 00:25 294912 --a--c--- C:\WINDOWS\system32\dpu11.dll
2007-02-23 00:25 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-02-23 00:25 196608 --a--c--- C:\WINDOWS\system32\dtu100.dll
2007-02-15 21:40 124472 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2007-02-05 16:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll
2007-02-03 13:16 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-01-30 01:03 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-01-30 01:03 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-01-30 01:03 116472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-01-19 09:23 1721976 --a------ C:\WINDOWS\system32\inetclnt.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C} C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
{4A368E80-174F-4872-96B5-0B27DDD11DB2} C:\Program Files\SpywareGuard\dlprotect.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar3.dll
{CC59E0F9-7E43-44FA-9FAA-8377850BF205} C:\Program Files\Free Download Manager\iefdmcks.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"SynTPLpr"="\"C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe\""
"SynTPEnh"="\"C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HPHmon05"="C:\\WINDOWS\\system32\\hphmon05.exe"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\""
"WatchDog"="C:\\Program Files\\InterVideo\\DVD Check\\DVDCheck.exe"
"BluetoothAuthenticationAgent"="\"rundll32.exe\" bthprops.cpl,,BluetoothAuthenticationAgent"
"VF0070 STISvc"="RunDLL32.exe V0070Pin.dll,RunDLL32EP 513"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"LanguageShortcut"="\"C:\\Program Files\\CyberLink\\PowerDVD\\Language\\Language.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"RecordNow!"=""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Power2GoExpress"=""
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=dword:00000001
"NoRecentDocsMenu"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxuu
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqqomk

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
"item"="IgfxTray"
"command"="C:\\WINDOWS\\system32\\igfxtray.exe"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\RegCure Program Check.job
C:\WINDOWS\tasks\RegCure.job
C:\WINDOWS\tasks\RoxioUpdator.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{7A2BD778-407B-48B9-905C-F3A45FF5B90A}.job
C:\WINDOWS\tasks\XoftSpySE 2.job
C:\WINDOWS\tasks\XoftSpySE.job

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????????????????P???? ???B???????????????B? ??????

scanning hidden files ...

C:\system.sav\CTO.TXT 4096 bytes
C:\system.sav\CTOHW.TXT 16 bytes
C:\system.sav\DAYLGSAV.reg 320 bytes
C:\system.sav\delink.log 288 bytes
C:\system.sav\highgost.flg 32 bytes
C:\system.sav\info.bom 8192 bytes
C:\system.sav\INFO.US 4096 bytes
C:\system.sav\ISLOGCHK.LOG 4096 bytes
C:\system.sav\logoff.bat 112 bytes
C:\system.sav\logoff.reg 288 bytes
C:\system.sav\PREINCHK.log 4096 bytes
C:\system.sav\REBOOT.ME 48 bytes
C:\system.sav\REGDEV.LOG 40 bytes
C:\system.sav\REGFLUSH.LOG 4096 bytes
C:\system.sav\RegionCF
C:\system.sav\RegionCF\euro.reg 216 bytes
C:\system.sav\RegionCF\SFr.reg 232 bytes
C:\system.sav\RmDev.log 4096 bytes
C:\system.sav\SYSINFO.LOG 106496 bytes
C:\system.sav\util
C:\system.sav\util\add5800devicePath.js 336 bytes
C:\system.sav\util\AOLBB.log 32 bytes
C:\system.sav\util\AOLbits.log 32 bytes
C:\system.sav\util\AppEvBk1.old 16384 bytes
C:\system.sav\util\bootldr.flg 0 bytes
C:\system.sav\util\BOOTSEC.NT4 512 bytes
C:\system.sav\util\brand.exe 57344 bytes
C:\system.sav\util\BrandIt.Log 4096 bytes
C:\system.sav\util\CHKIMAGE.exe 81920 bytes
C:\system.sav\util\CIA.CDC 24576 bytes
C:\system.sav\util\CIA.INI 32768 bytes
C:\system.sav\util\CMDOOBE.CMD 72 bytes
C:\system.sav\util\CMDSWSET.CMD 64 bytes
C:\system.sav\util\COMPMOD.bat 256 bytes
C:\system.sav\util\COMPMOD.exe 24576 bytes
C:\system.sav\util\COMPMOD.LOG 48 bytes
C:\system.sav\util\COMPMOD.TMP 168 bytes
C:\system.sav\util\cpqci.dll 73728 bytes
C:\system.sav\util\cpqsm.exe 53248 bytes
C:\system.sav\util\cvacompg.exe 77824 bytes
C:\system.sav\util\cvacompg.tmp 168 bytes
C:\system.sav\util\delcia.flg 32 bytes
C:\system.sav\util\DelDir.exe 20480 bytes
C:\system.sav\util\delmodem.bat 128 bytes
C:\system.sav\util\delmodem.ini 184 bytes
C:\system.sav\util\dmiuia.cmd 136 bytes
C:\system.sav\util\EarthLinkall.log 32 bytes
C:\system.sav\util\EarthLinkDialup.log 32 bytes
C:\system.sav\util\FAQ.log 32 bytes
C:\system.sav\util\hpqnt.dll 61440 bytes
C:\system.sav\util\hsc.log 176 bytes
C:\system.sav\util\infobomg.exe 57344 bytes
C:\system.sav\util\INSTALL.LOG 155648 bytes
C:\system.sav\util\ISLOGCHK.EXE 73728 bytes
C:\system.sav\util\ISLOGCHK.INI 112 bytes
C:\system.sav\util\make_rtr.flg 136 bytes
C:\system.sav\util\mobproc.flg 136 bytes
C:\system.sav\util\MSNPackage.log 32 bytes
C:\system.sav\util\MVEDV.LOG 208 bytes
C:\system.sav\util\NONISPCONTENTS.log 32 bytes
C:\system.sav\util\oca.reg 352 bytes
C:\system.sav\util\oca_mrk.bat 256 bytes
C:\system.sav\util\oobe.min 144 bytes
C:\system.sav\util\oobe.wpe 4096 bytes
C:\system.sav\util\osexclude.txt 184 bytes
C:\system.sav\util\PeoplePC.log 32 bytes
C:\system.sav\util\PININST.INI 192 bytes
C:\system.sav\util\PININST.LOG 352 bytes
C:\system.sav\util\POSTOOBE.CMD 4096 bytes
C:\system.sav\util\POSTOOBE.LOG 24 bytes
C:\system.sav\util\postproc.ini 560 bytes
C:\system.sav\util\powerset.log 88 bytes
C:\system.sav\util\PREINCHK.BAT 184 bytes
C:\system.sav\util\quicken.log 32 bytes
C:\system.sav\util\random.ini 40 bytes
C:\system.sav\util\REGDEV.EXE 73728 bytes
C:\system.sav\util\REGDEV.INI 560 bytes
C:\system.sav\util\RMDEV.CMD 296 bytes
C:\system.sav\util\SecEvBk1.old 24576 bytes
C:\system.sav\util\sedinst.log 168 bytes
C:\system.sav\util\SWSETDIR.exe 77824 bytes
C:\system.sav\util\SWSETUP.BTO 424 bytes
C:\system.sav\util\SWSETUP.CMD 136 bytes
C:\system.sav\util\SWSET_B.INI 4096 bytes
C:\system.sav\util\SysEvBk1.old 12288 bytes
C:\system.sav\util\TMP.INI 12288 bytes
C:\system.sav\util\touchpad.log 192 bytes
C:\system.sav\util\uiadump32.exe 16384 bytes
C:\system.sav\util\uiautil.exe 32768 bytes
C:\system.sav\util\updie.bat 104 bytes
C:\system.sav\util\WINDVD.LOG 176 bytes
C:\system.sav\util\WMI.BAT 48 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 92

********************************************************************

Completion time: 07-04-18 13:56:36
C:\ComboFix-quarantined-files.txt ... 07-04-18 13:56

Deckard's System Scan:

Deckard's System Scanner v20070328.36
Run by Tim Priddy on 2007-04-18 at 14:00:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Tim Priddy.exe) ------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 2:01:01 PM, on 4/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Venturi2\Client\ventc.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MESSEN~1\Msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tim Priddy\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1.1\TIMPRI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.cnn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [VF0070 STISvc] RunDLL32.exe V0070Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: ZonedOut.lnk = C:\Documents and Settings\Tim Priddy\Desktop\Misc\ZonedOut\ZonedOut.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Cu...ataManager.CAB
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/126p/html/gtdownlr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1170275904732
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://192.168.0.102:81/plugin/h263ctrl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: byxuu - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ssqqomk - ssqqomk.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Venturi2 Client (Venturi2) - Venturi Wireless - C:\Program Files\Venturi2\Client\ventc.exe

-- Files created between 2007-03-18 and 2007-04-18 -----------------------------

2007-04-13 22:39:03 23416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-13 22:38:58 43176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-13 22:38:53 26888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-13 22:38:45 94552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-13 22:38:45 85952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-13 22:38:30 90112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-04-13 22:38:30 712832 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-04-13 22:08:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Panda Software<PANDAS~1>
2007-04-13 20:49:51 0 d-------- C:\Program Files\Windows Defender<WIFD1F~1>
2007-04-13 00:34:00 0 d-------- C:\Program Files\Panda Software<PANDAS~1>
2007-04-13 00:04:32 0 d-------- C:\Program Files\Common Files\Panda Software<PANDAS~1>
2007-04-11 22:07:15 0 d-------- C:\Documents and Settings\LocalService\Application Data\Talkback
2007-04-11 17:20:00 7864320 --a------ C:\Documents and Settings\Tim Priddy\ntuser.dat
2007-04-10 22:26:58 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~3>
2007-04-10 22:14:24 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~2>
2007-04-10 16:47:40 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-04-10 12:00:19 0 d-------- C:\Documents and Settings\Tim Priddy\Application Data\Lavasoft
2007-04-10 11:58:55 0 d-------- C:\Program Files\Lavasoft
2007-04-10 10:57:37 26064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-04-10 10:57:37 83536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-04-10 10:57:37 52304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys<IKFILE~2.SYS>
2007-04-10 10:57:37 39248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys<IKFILE~1.SYS>
2007-04-10 10:57:36 59984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-04-10 10:56:43 0 d-------- C:\Program Files\Spyware Doctor<SPYWAR~1>
2007-04-10 10:53:56 626688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-04-09 21:29:38 147456 --a------ C:\WINDOWS\Uninstit.exe
2007-04-09 19:24:08 0 d-------- C:\Program Files\SP31140
2007-04-05 13:34:39 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-04-05 06:02:03 786432 --ah----- C:\Documents and Settings\Administrator\ntuser.dat
2007-04-05 06:02:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-04-05 06:02:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2007-04-05 06:02:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-04-05 06:02:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer<APPLEC~1>
2007-04-05 03:37:38 0 d-------- C:\Program Files\RegCure
2007-04-04 14:29:47 617197 ---hs---- C:\WINDOWS\system32\uuxyb.ini2<UUXYB~1.INI>
2007-04-03 12:56:18 0 d-------- C:\WINDOWS\Internet Logs<INTERN~1>
2007-04-03 12:50:21 29752 -----n--- C:\WINDOWS\system32\InstHelper.dll<INSTHE~1.DLL>
2007-04-03 12:48:58 8 --a------ C:\WINDOWS\system32\success
2007-04-03 12:42:13 110080 --a------ C:\WINDOWS\system32\drivers\dne2000.sys
2007-04-03 12:42:13 94720 --a------ C:\WINDOWS\system32\dneinobj.dll
2007-04-03 12:41:43 5315 --a------ C:\WINDOWS\system32\drivers\CVirtA.sys
2007-04-03 12:41:27 193584 --a------ C:\WINDOWS\system32\CSGina.dll
2007-03-28 05:09:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-03-19 12:15:21 0 d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware<PARETO~1>
2007-03-19 04:58:39 0 d-------- C:\Program Files\XoftSpySE<XOFTSP~1>

-- Find3M Report ---------------------------------------------------------------

2007-04-18 14:00:42 0 d-------- C:\Program Files\HijackThis 1.99.1<HIJACK~1.1>
2007-04-18 00:19:51 12 --a------ C:\WINDOWS\bthservsdp.dat<BTHSER~1.DAT>
2007-04-17 19:32:28 0 d-------- C:\Program Files\Quicken
2007-04-13 22:37:59 0 d-------- C:\Program Files\Alwil Software<ALWILS~1>
2007-04-13 01:57:50 0 d-------- C:\Program Files\QuickTime<QUICKT~3>
2007-04-13 01:48:39 0 d-------- C:\Program Files\iTunes
2007-04-13 01:41:18 0 d-------- C:\Program Files\DVD Region-Free<DVDREG~1>
2007-04-13 00:42:46 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-04-12 19:08:54 0 d-------- C:\Program Files\Sports Illustrated 2007<SPORTS~1>
2007-04-11 20:47:29 0 d-------- C:\Program Files\Google
2007-04-11 20:47:27 0 d-------- C:\Program Files\Free Download Manager<FREEDO~1>
2007-04-10 12:10:57 0 d-------- C:\Documents and Settings\Tim Priddy\Application Data\Skype
2007-04-10 11:56:06 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-04-05 03:36:09 0 d-------- C:\Program Files\Install Provider<INSTAL~2>
2007-04-02 09:38:38 0 d-------- C:\Program Files\LimeWire
2007-03-28 05:01:57 0 d-------- C:\Documents and Settings\Tim Priddy\Application Data\AdobeUM
2007-03-23 15:35:47 0 d-------- C:\Program Files\DivX
2007-03-22 06:52:52 0 d-------- C:\Program Files\Finale 2006<FINALE~1>
2007-03-20 02:49:40 469766 ---hs---- C:\WINDOWS\system32\uuxyb.bak2<UUXYB~2.BAK>
2007-03-17 09:43:01 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-17 03:16:37 0 d-------- C:\Documents and Settings\Tim Priddy\Application Data\Free Download Manager<FREEDO~1>
2007-03-16 14:17:17 0 d-------- C:\Program Files\iPod
2007-03-16 14:00:40 0 d-------- C:\Program Files\Apple Software Update<APPLES~2>
2007-03-16 04:02:18 0 d-------- C:\Program Files\InterVideo<INTERV~1>
2007-03-16 03:19:58 0 d-------- C:\Program Files\Hewlett-Packard<HEWLET~1>
2007-03-16 02:02:48 0 d-------- C:\Program Files\HP
2007-03-13 07:16:33 0 d-------- C:\Documents and Settings\Tim Priddy\Application Data\DivX
2007-03-08 11:36:28 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36:28 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36:28 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47:48 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 06:31:57 0 d-------- C:\Program Files\Pure Sudoku<PURESU~1>
2007-03-07 06:27:20 482966 ---hs---- C:\WINDOWS\system32\uuxyb.bak1<UUXYB~1.BAK>
2007-03-05 10:05:28 0 d-------- C:\Documents and Settings\Tim Priddy\Application Data\Talkback
2007-03-02 18:59:06 26637 ---hs---- C:\WINDOWS\system32\wvuvvwu.dll
2007-02-28 03:23:07 0 d-------- C:\Documents and Settings\Tim Priddy\Application Data\CNN
2007-02-27 11:14:10 0 d-------- C:\Program Files\Microsoft WSE<MI6E20~1>
2007-02-27 07:58:54 0 d-------- C:\Program Files\The Awakened<THEAWA~1>
2007-02-25 09:05:46 63696 --a------ C:\Documents and Settings\Tim Priddy\Application Data\GDIPFONTCACHEV1.DAT<GDIPFO~1.DAT>
2007-02-23 00:29:58 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-02-23 00:29:56 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-02-23 00:29:49 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-02-23 00:29:49 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-02-23 00:25:24 196608 --a----c- C:\WINDOWS\system32\dtu100.dll
2007-02-23 00:25:24 73728 --a----c- C:\WINDOWS\system32\dpl100.dll
2007-02-23 00:25:23 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-02-23 00:25:22 57344 --a----c- C:\WINDOWS\system32\dpv11.dll
2007-02-23 00:25:22 344064 --a----c- C:\WINDOWS\system32\dpus11.dll
2007-02-23 00:25:22 593920 --a----c- C:\WINDOWS\system32\dpuGUI11.dll
2007-02-23 00:25:22 294912 --a----c- C:\WINDOWS\system32\dpu11.dll
2007-02-23 00:25:22 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-02-23 00:25:19 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll<DIVX_X~3.DLL>
2007-02-23 00:25:19 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll<DIVX_X~1.DLL>
2007-02-23 00:25:19 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll<DIVX_X~2.DLL>
2007-02-23 00:25:19 639066 --a------ C:\WINDOWS\system32\DivX.dll
2007-02-15 21:40:35 124472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe<DIVXCO~1.EXE>
2007-02-05 16:17:02 185344 --a------ C:\WINDOWS\system32\upnphost.dll
2007-02-03 13:16:55 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-01-30 01:03:34 118520 -----n--- C:\WINDOWS\system32\pxinsi64.exe
2007-01-30 01:03:34 116472 -----n--- C:\WINDOWS\system32\pxcpyi64.exe
2007-01-30 01:03:34 129784 -----n--- C:\WINDOWS\system32\pxafs.dll
2007-01-19 09:23:54 1721976 --a------ C:\WINDOWS\system32\inetclnt.dll

-- Registry Dump ---------------------------------------------------------------

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"RecordNow!"=""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Power2GoExpress"=""
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"SynTPLpr"="\"C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe\""
"SynTPEnh"="\"C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HPHmon05"="C:\\WINDOWS\\system32\\hphmon05.exe"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\""
"WatchDog"="C:\\Program Files\\InterVideo\\DVD Check\\DVDCheck.exe"
"BluetoothAuthenticationAgent"="\"rundll32.exe\" bthprops.cpl,,BluetoothAuthenticationAgent"
"VF0070 STISvc"="RunDLL32.exe V0070Pin.dll,RunDLL32EP 513"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"LanguageShortcut"="\"C:\\Program Files\\CyberLink\\PowerDVD\\Language\\Language.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
"item"="IgfxTray"
"command"="C:\\WINDOWS\\system32\\igfxtray.exe"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=dword:00000001
"NoRecentDocsMenu"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxuu
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqqomk

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

-- End of Deckard's System Scanner: finished at 2007-04-18 at 14:01:26 ---------

Again, thank you for all you do to help those of us that do not have the expertise to help ourselves!!

Sincerely,

Tim Priddy

sUBs · 04-18-2007, 12:23 PM

Don't go away. I'll have something for you in a short while

sUBs · 04-18-2007, 12:28 PM

Before fixing anything,

C:\WINDOWS\system32\wvuvvwu.dll

Please submit the above file to this site → http://www.bleepingcomputer.com/subm....php?channel=4
Please include a link to this topic in the message.

--------------

HijackThis is located at C:\PROGRA~1\HIJACK~1.1\Hijackthis.exe. Do not mistake DSS.exe as Hijackthis.exe.

Do a HijackThis scan & place a check next to these items and select "Fix checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O20 - Winlogon Notify: byxuu - C:\WINDOWS\
O20 - Winlogon Notify: ssqqomk - ssqqomk.dll (file missing)

------------------

Reboot your machine & then, if you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools → Folder Options → View tab.

Tick - 'Show hidden files and folder'
Untick - 'Hide file extensions for known types'
Untick - 'Hide protected operating system files'
Click Yes to confirm & then click OK

Locate and delete the following files/folders: (let me know if you fail to find/delete any)

C:\WINDOWS\system32\uuxyb.ini2
C:\WINDOWS\system32\uuxyb.bak2
C:\WINDOWS\system32\uuxyb.bak1
C:\WINDOWS\system32\wvuvvwu.dll

------------------

Please perform an online scan using Internet Explorer at http://www.kaspersky.com/virusscanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. We only require a report from it.
It does not provide an option to clean/disinfect.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------

In your next post, please include fresh logs from:

Fresh Hijackthis log taken just before replying

Fresh ComboFix log

Online scan

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

jtpriddy · 04-18-2007, 02:42 PM

Bleeping Computer notified.

All files deleted properly.

Kaspersky would not load after initialization of the ActiveX. I waited 10 minutes.

Computer running very fast.

HiJack This log:

Logfile of HijackThis v1.99.1
Scan saved at 4:37:31 PM, on 4/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Venturi2\Client\ventc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MESSEN~1\Msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis 1.99.1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [VF0070 STISvc] RunDLL32.exe V0070Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Cu...ataManager.CAB
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/126p/html/gtdownlr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1170275904732
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://192.168.0.102:81/plugin/h263ctrl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Venturi2 Client (Venturi2) - Venturi Wireless - C:\Program Files\Venturi2\Client\ventc.exe

ComboFix:

"Tim Priddy" - 07-04-18 16:28:16 Service Pack 2
ComboFix 07-04-18.2V - Running from: C:\Documents and Settings\Tim Priddy\Desktop\

((((((((((((((((((((((((((((((( Files Created from 2007-03-18 to 2007-04-18 ))))))))))))))))))))))))))))))))))

2007-04-13 22:39 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-13 22:38 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-13 22:38 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-04-13 22:38 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-13 22:38 712,832 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-04-13 22:38 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-13 22:38 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-13 22:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Panda Software
2007-04-13 20:49 <DIR> d-------- C:\Program Files\Windows Defender
2007-04-13 00:34 <DIR> d-------- C:\Program Files\Panda Software
2007-04-13 00:04 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2007-04-11 22:07 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Talkback
2007-04-11 17:20 7,864,320 --a------ C:\DOCUME~1\TIMPRI~1\ntuser.dat
2007-04-10 23:17 <DIR> d-------- C:\Deckard
2007-04-10 22:26 <DIR> d-------- C:\Program Files\SpywareGuard
2007-04-10 22:14 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-04-10 16:47 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-04-10 12:00 <DIR> d-------- C:\DOCUME~1\TIMPRI~1\APPLIC~1\Lavasoft
2007-04-10 11:58 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-10 10:57 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-04-10 10:57 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-04-10 10:57 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-04-10 10:57 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-04-10 10:57 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-04-10 10:56 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-04-10 10:53 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-04-09 21:29 147,456 --a------ C:\WINDOWS\Uninstit.exe
2007-04-09 19:24 <DIR> d-------- C:\Program Files\SP31140
2007-04-05 13:34 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-04-05 06:02 786,432 --ah----- C:\DOCUME~1\ADMINI~1\ntuser.dat
2007-04-05 06:02 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-04-05 06:02 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sun
2007-04-05 06:02 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-04-05 06:02 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
2007-04-05 03:37 <DIR> d-------- C:\Program Files\RegCure
2007-04-03 12:56 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-04-03 12:50 29,752 --------- C:\WINDOWS\system32\InstHelper.dll
2007-04-03 12:42 94,720 --a------ C:\WINDOWS\system32\dneinobj.dll
2007-04-03 12:42 110,080 --a------ C:\WINDOWS\system32\drivers\dne2000.sys
2007-04-03 12:41 5,315 --a------ C:\WINDOWS\system32\drivers\CVirtA.sys
2007-04-03 12:41 193,584 --a------ C:\WINDOWS\system32\CSGina.dll
2007-03-28 05:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe
2007-03-19 12:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ParetoLogic Anti-Spyware
2007-03-19 04:58 <DIR> d-------- C:\Program Files\XoftSpySE

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-18 15:42 -------- d-------- C:\Program Files\hijackthis 1.99.1
2007-04-18 15:40 12 --a------ C:\WINDOWS\bthservsdp.dat
2007-04-17 19:32 -------- d-------- C:\Program Files\quicken
2007-04-13 01:57 -------- d-------- C:\Program Files\quicktime
2007-04-13 01:48 -------- d-------- C:\Program Files\itunes
2007-04-13 01:41 -------- d-------- C:\Program Files\dvd region-free
2007-04-13 00:42 -------- d--h----- C:\Program Files\installshield installation information
2007-04-12 19:08 -------- d-------- C:\Program Files\sports illustrated 2007
2007-04-11 20:47 -------- d-------- C:\Program Files\google
2007-04-11 20:47 -------- d-------- C:\Program Files\free download manager
2007-04-10 12:10 -------- d-------- C:\DOCUME~1\TIMPRI~1\APPLIC~1\skype
2007-04-10 11:56 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-04-05 03:36 -------- d-------- C:\Program Files\install provider
2007-04-02 09:38 -------- d-------- C:\Program Files\limewire
2007-03-23 15:35 -------- d-------- C:\Program Files\divx
2007-03-22 06:52 -------- d-------- C:\Program Files\finale 2006
2007-03-17 09:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-17 03:16 -------- d-------- C:\DOCUME~1\TIMPRI~1\APPLIC~1\free download manager
2007-03-16 14:17 -------- d-------- C:\Program Files\ipod
2007-03-16 04:02 -------- d-------- C:\Program Files\intervideo
2007-03-16 03:19 -------- d-------- C:\Program Files\hewlett-packard
2007-03-16 02:02 -------- d-------- C:\Program Files\hp
2007-03-13 07:16 -------- d-------- C:\DOCUME~1\TIMPRI~1\APPLIC~1\divx
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 06:31 -------- d-------- C:\Program Files\pure sudoku
2007-03-07 06:27 482966 ---hs---- C:\WINDOWS\system32\uuxyb.bak1
2007-03-05 10:05 -------- d-------- C:\DOCUME~1\TIMPRI~1\APPLIC~1\talkback
2007-02-27 11:14 -------- d-------- C:\Program Files\microsoft wse
2007-02-27 07:58 -------- d-------- C:\Program Files\the awakened
2007-02-25 09:05 63696 --a------ C:\DOCUME~1\TIMPRI~1\APPLIC~1\gdipfontcachev1.dat
2007-02-23 00:29 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-02-23 00:29 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-02-23 00:29 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-02-23 00:29 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-02-23 00:25 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-02-23 00:25 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-02-23 00:25 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-02-23 00:25 73728 --a--c--- C:\WINDOWS\system32\dpl100.dll
2007-02-23 00:25 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-02-23 00:25 593920 --a--c--- C:\WINDOWS\system32\dpugui11.dll
2007-02-23 00:25 57344 --a--c--- C:\WINDOWS\system32\dpv11.dll
2007-02-23 00:25 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2007-02-23 00:25 344064 --a--c--- C:\WINDOWS\system32\dpus11.dll
2007-02-23 00:25 294912 --a--c--- C:\WINDOWS\system32\dpu11.dll
2007-02-23 00:25 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-02-23 00:25 196608 --a--c--- C:\WINDOWS\system32\dtu100.dll
2007-02-15 21:40 124472 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2007-02-05 16:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll
2007-02-03 13:16 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-01-30 01:03 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-01-30 01:03 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-01-30 01:03 116472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-01-19 09:23 1721976 --a------ C:\WINDOWS\system32\inetclnt.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C} C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
{4A368E80-174F-4872-96B5-0B27DDD11DB2} C:\Program Files\SpywareGuard\dlprotect.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar3.dll
{CC59E0F9-7E43-44FA-9FAA-8377850BF205} C:\Program Files\Free Download Manager\iefdmcks.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"SynTPLpr"="\"C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe\""
"SynTPEnh"="\"C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HPHmon05"="C:\\WINDOWS\\system32\\hphmon05.exe"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\""
"WatchDog"="C:\\Program Files\\InterVideo\\DVD Check\\DVDCheck.exe"
"BluetoothAuthenticationAgent"="\"rundll32.exe\" bthprops.cpl,,BluetoothAuthenticationAgent"
"VF0070 STISvc"="RunDLL32.exe V0070Pin.dll,RunDLL32EP 513"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"LanguageShortcut"="\"C:\\Program Files\\CyberLink\\PowerDVD\\Language\\Language.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"RecordNow!"=""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Power2GoExpress"=""
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=dword:00000001
"NoRecentDocsMenu"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
"item"="IgfxTray"
"command"="C:\\WINDOWS\\system32\\igfxtray.exe"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\RegCure Program Check.job
C:\WINDOWS\tasks\RegCure.job
C:\WINDOWS\tasks\RoxioUpdator.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{7A2BD778-407B-48B9-905C-F3A45FF5B90A}.job
C:\WINDOWS\tasks\XoftSpySE 2.job
C:\WINDOWS\tasks\XoftSpySE.job

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????????????????????? ???B???????????????B? ??????

scanning hidden files ...

C:\system.sav\CTO.TXT 4096 bytes
C:\system.sav\CTOHW.TXT 16 bytes
C:\system.sav\DAYLGSAV.reg 320 bytes
C:\system.sav\delink.log 288 bytes
C:\system.sav\highgost.flg 32 bytes
C:\system.sav\info.bom 8192 bytes
C:\system.sav\INFO.US 4096 bytes
C:\system.sav\ISLOGCHK.LOG 4096 bytes
C:\system.sav\logoff.bat 112 bytes
C:\system.sav\logoff.reg 288 bytes
C:\system.sav\PREINCHK.log 4096 bytes
C:\system.sav\REBOOT.ME 48 bytes
C:\system.sav\REGDEV.LOG 40 bytes
C:\system.sav\REGFLUSH.LOG 4096 bytes
C:\system.sav\RegionCF
C:\system.sav\RegionCF\euro.reg 216 bytes
C:\system.sav\RegionCF\SFr.reg 232 bytes
C:\system.sav\RmDev.log 4096 bytes
C:\system.sav\SYSINFO.LOG 106496 bytes
C:\system.sav\util
C:\system.sav\util\add5800devicePath.js 336 bytes
C:\system.sav\util\AOLBB.log 32 bytes
C:\system.sav\util\AOLbits.log 32 bytes
C:\system.sav\util\AppEvBk1.old 16384 bytes
C:\system.sav\util\bootldr.flg 0 bytes
C:\system.sav\util\BOOTSEC.NT4 512 bytes
C:\system.sav\util\brand.exe 57344 bytes
C:\system.sav\util\BrandIt.Log 4096 bytes
C:\system.sav\util\CHKIMAGE.exe 81920 bytes
C:\system.sav\util\CIA.CDC 24576 bytes
C:\system.sav\util\CIA.INI 32768 bytes
C:\system.sav\util\CMDOOBE.CMD 72 bytes
C:\system.sav\util\CMDSWSET.CMD 64 bytes
C:\system.sav\util\COMPMOD.bat 256 bytes
C:\system.sav\util\COMPMOD.exe 24576 bytes
C:\system.sav\util\COMPMOD.LOG 48 bytes
C:\system.sav\util\COMPMOD.TMP 168 bytes
C:\system.sav\util\cpqci.dll 73728 bytes
C:\system.sav\util\cpqsm.exe 53248 bytes
C:\system.sav\util\cvacompg.exe 77824 bytes
C:\system.sav\util\cvacompg.tmp 168 bytes
C:\system.sav\util\delcia.flg 32 bytes
C:\system.sav\util\DelDir.exe 20480 bytes
C:\system.sav\util\delmodem.bat 128 bytes
C:\system.sav\util\delmodem.ini 184 bytes
C:\system.sav\util\dmiuia.cmd 136 bytes
C:\system.sav\util\EarthLinkall.log 32 bytes
C:\system.sav\util\EarthLinkDialup.log 32 bytes
C:\system.sav\util\FAQ.log 32 bytes
C:\system.sav\util\hpqnt.dll 61440 bytes
C:\system.sav\util\hsc.log 176 bytes
C:\system.sav\util\infobomg.exe 57344 bytes
C:\system.sav\util\INSTALL.LOG 155648 bytes
C:\system.sav\util\ISLOGCHK.EXE 73728 bytes
C:\system.sav\util\ISLOGCHK.INI 112 bytes
C:\system.sav\util\make_rtr.flg 136 bytes
C:\system.sav\util\mobproc.flg 136 bytes
C:\system.sav\util\MSNPackage.log 32 bytes
C:\system.sav\util\MVEDV.LOG 208 bytes
C:\system.sav\util\NONISPCONTENTS.log 32 bytes
C:\system.sav\util\oca.reg 352 bytes
C:\system.sav\util\oca_mrk.bat 256 bytes
C:\system.sav\util\oobe.min 144 bytes
C:\system.sav\util\oobe.wpe 4096 bytes
C:\system.sav\util\osexclude.txt 184 bytes
C:\system.sav\util\PeoplePC.log 32 bytes
C:\system.sav\util\PININST.INI 192 bytes
C:\system.sav\util\PININST.LOG 352 bytes
C:\system.sav\util\POSTOOBE.CMD 4096 bytes
C:\system.sav\util\POSTOOBE.LOG 24 bytes
C:\system.sav\util\postproc.ini 560 bytes
C:\system.sav\util\powerset.log 88 bytes
C:\system.sav\util\PREINCHK.BAT 184 bytes
C:\system.sav\util\quicken.log 32 bytes
C:\system.sav\util\random.ini 40 bytes
C:\system.sav\util\REGDEV.EXE 73728 bytes
C:\system.sav\util\REGDEV.INI 560 bytes
C:\system.sav\util\RMDEV.CMD 296 bytes
C:\system.sav\util\SecEvBk1.old 24576 bytes
C:\system.sav\util\sedinst.log 168 bytes
C:\system.sav\util\SWSETDIR.exe 77824 bytes
C:\system.sav\util\SWSETUP.BTO 424 bytes
C:\system.sav\util\SWSETUP.CMD 136 bytes
C:\system.sav\util\SWSET_B.INI 4096 bytes
C:\system.sav\util\SysEvBk1.old 12288 bytes
C:\system.sav\util\TMP.INI 12288 bytes
C:\system.sav\util\touchpad.log 192 bytes
C:\system.sav\util\uiadump32.exe 16384 bytes
C:\system.sav\util\uiautil.exe 32768 bytes
C:\system.sav\util\updie.bat 104 bytes
C:\system.sav\util\WINDVD.LOG 176 bytes
C:\system.sav\util\WMI.BAT 48 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 92

********************************************************************

Completion time: 07-04-18 16:34:49
C:\ComboFix-quarantined-files.txt ... 07-04-18 16:34
C:\ComboFix2.txt ... 07-04-18 13:56

sUBs · 04-18-2007, 02:49 PM

There's a bug with Kaspersky & IE7. You need to click the lower right corner of the window & select zoom level to 75% to see Kaspersky's Accept/Decline buttons.

sUBs · 04-18-2007, 02:56 PM

Tim, you missed this file -> C:\WINDOWS\system32\uuxyb.bak1

http://tinyurl.com/2t3bdz

jtpriddy · 04-18-2007, 03:01 PM

Deleted the file...I thought I already did it, but it could be ANOTHER error on my part. Understood about Kaspersky, will redo.

Thank you.

jtpriddy · 04-19-2007, 10:56 AM

Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:32:58 AM, on 4/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Venturi2\Client\ventc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis 1.99.1\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [VF0070 STISvc] RunDLL32.exe V0070Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Cu...ataManager.CAB
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/126p/html/gtdownlr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1170275904732
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://192.168.0.102:81/plugin/h263ctrl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Venturi2 Client (Venturi2) - Venturi Wireless - C:\Program Files\Venturi2\Client\ventc.exe

ComboFix:

"Tim Priddy" - 07-04-19 11:36:33 Service Pack 2
ComboFix 07-04-18.2V - Running from: C:\Documents and Settings\Tim Priddy\Desktop\

((((((((((((((((((((((((((((((( Files Created from 2007-03-19 to 2007-04-19 ))))))))))))))))))))))))))))))))))

2007-04-18 17:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-04-13 22:39 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-13 22:38 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-13 22:38 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-04-13 22:38 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-13 22:38 712,832 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-04-13 22:38 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-13 22:38 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-13 22:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Panda Software
2007-04-13 20:49 <DIR> d-------- C:\Program Files\Windows Defender
2007-04-13 00:34 <DIR> d-------- C:\Program Files\Panda Software
2007-04-13 00:04 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2007-04-11 22:07 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Talkback
2007-04-11 17:20 7,864,320 --a------ C:\DOCUME~1\TIMPRI~1\ntuser.dat
2007-04-10 23:17 <DIR> d-------- C:\Deckard
2007-04-10 22:26 <DIR> d-------- C:\Program Files\SpywareGuard
2007-04-10 22:14 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-04-10 16:47 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-04-10 12:00 <DIR> d-------- C:\DOCUME~1\TIMPRI~1\APPLIC~1\Lavasoft
2007-04-10 11:58 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-10 10:57 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-04-10 10:57 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-04-10 10:57 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-04-10 10:57 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-04-10 10:57 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-04-10 10:56 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-04-10 10:53 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-04-09 21:29 147,456 --a------ C:\WINDOWS\Uninstit.exe
2007-04-09 19:24 <DIR> d-------- C:\Program Files\SP31140
2007-04-05 13:34 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-04-05 06:02 786,432 --ah----- C:\DOCUME~1\ADMINI~1\ntuser.dat
2007-04-05 06:02 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-04-05 06:02 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sun
2007-04-05 06:02 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-04-05 06:02 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
2007-04-05 03:37 <DIR> d-------- C:\Program Files\RegCure
2007-04-03 12:56 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-04-03 12:50 29,752 --------- C:\WINDOWS\system32\InstHelper.dll
2007-04-03 12:42 94,720 --a------ C:\WINDOWS\system32\dneinobj.dll
2007-04-03 12:42 110,080 --a------ C:\WINDOWS\system32\drivers\dne2000.sys
2007-04-03 12:41 5,315 --a------ C:\WINDOWS\system32\drivers\CVirtA.sys
2007-04-03 12:41 193,584 --a------ C:\WINDOWS\system32\CSGina.dll
2007-03-28 05:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe
2007-03-19 12:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ParetoLogic Anti-Spyware
2007-03-19 04:58 <DIR> d-------- C:\Program Files\XoftSpySE

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-19 11:31 -------- d-------- C:\Program Files\hijackthis 1.99.1
2007-04-19 11:20 12 --a------ C:\WINDOWS\bthservsdp.dat
2007-04-17 19:32 -------- d-------- C:\Program Files\quicken
2007-04-13 01:57 -------- d-------- C:\Program Files\quicktime
2007-04-13 01:48 -------- d-------- C:\Program Files\itunes
2007-04-13 01:41 -------- d-------- C:\Program Files\dvd region-free
2007-04-13 00:42 -------- d--h----- C:\Program Files\installshield installation information
2007-04-12 19:08 -------- d-------- C:\Program Files\sports illustrated 2007
2007-04-11 20:47 -------- d-------- C:\Program Files\google
2007-04-11 20:47 -------- d-------- C:\Program Files\free download manager
2007-04-10 12:10 -------- d-------- C:\DOCUME~1\TIMPRI~1\APPLIC~1\skype
2007-04-10 11:56 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-04-05 03:36 -------- d-------- C:\Program Files\install provider
2007-04-02 09:38 -------- d-------- C:\Program Files\limewire
2007-03-23 15:35 -------- d-------- C:\Program Files\divx
2007-03-22 06:52 -------- d-------- C:\Program Files\finale 2006
2007-03-17 09:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-17 03:16 -------- d-------- C:\DOCUME~1\TIMPRI~1\APPLIC~1\free download manager
2007-03-16 14:17 -------- d-------- C:\Program Files\ipod
2007-03-16 04:02 -------- d-------- C:\Program Files\intervideo
2007-03-16 03:19 -------- d-------- C:\Program Files\hewlett-packard
2007-03-16 02:02 -------- d-------- C:\Program Files\hp
2007-03-13 07:16 -------- d-------- C:\DOCUME~1\TIMPRI~1\APPLIC~1\divx
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 06:31 -------- d-------- C:\Program Files\pure sudoku
2007-03-05 10:05 -------- d-------- C:\DOCUME~1\TIMPRI~1\APPLIC~1\talkback
2007-02-27 11:14 -------- d-------- C:\Program Files\microsoft wse
2007-02-27 07:58 -------- d-------- C:\Program Files\the awakened
2007-02-25 09:05 63696 --a------ C:\DOCUME~1\TIMPRI~1\APPLIC~1\gdipfontcachev1.dat
2007-02-23 00:29 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-02-23 00:29 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-02-23 00:29 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-02-23 00:29 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-02-23 00:25 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-02-23 00:25 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-02-23 00:25 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-02-23 00:25 73728 --a--c--- C:\WINDOWS\system32\dpl100.dll
2007-02-23 00:25 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-02-23 00:25 593920 --a--c--- C:\WINDOWS\system32\dpugui11.dll
2007-02-23 00:25 57344 --a--c--- C:\WINDOWS\system32\dpv11.dll
2007-02-23 00:25 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2007-02-23 00:25 344064 --a--c--- C:\WINDOWS\system32\dpus11.dll
2007-02-23 00:25 294912 --a--c--- C:\WINDOWS\system32\dpu11.dll
2007-02-23 00:25 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-02-23 00:25 196608 --a--c--- C:\WINDOWS\system32\dtu100.dll
2007-02-15 21:40 124472 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2007-02-05 16:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll
2007-02-03 13:16 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-01-30 01:03 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-01-30 01:03 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-01-30 01:03 116472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-01-19 09:23 1721976 --a------ C:\WINDOWS\system32\inetclnt.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C} C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
{4A368E80-174F-4872-96B5-0B27DDD11DB2} C:\Program Files\SpywareGuard\dlprotect.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar3.dll
{CC59E0F9-7E43-44FA-9FAA-8377850BF205} C:\Program Files\Free Download Manager\iefdmcks.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"SynTPLpr"="\"C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe\""
"SynTPEnh"="\"C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HPHmon05"="C:\\WINDOWS\\system32\\hphmon05.exe"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\""
"WatchDog"="C:\\Program Files\\InterVideo\\DVD Check\\DVDCheck.exe"
"BluetoothAuthenticationAgent"="\"rundll32.exe\" bthprops.cpl,,BluetoothAuthenticationAgent"
"VF0070 STISvc"="RunDLL32.exe V0070Pin.dll,RunDLL32EP 513"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"LanguageShortcut"="\"C:\\Program Files\\CyberLink\\PowerDVD\\Language\\Language.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SDTray"="C:\\Program Files\\Spyware Doctor\\SDTrayApp.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"RecordNow!"=""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Power2GoExpress"=""
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=dword:00000001
"NoRecentDocsMenu"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
"item"="IgfxTray"
"command"="C:\\WINDOWS\\system32\\igfxtray.exe"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\RegCure Program Check.job
C:\WINDOWS\tasks\RegCure.job
C:\WINDOWS\tasks\RoxioUpdator.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{7A2BD778-407B-48B9-905C-F3A45FF5B90A}.job
C:\WINDOWS\tasks\XoftSpySE 2.job
C:\WINDOWS\tasks\XoftSpySE.job

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????????????????@???? ???B???????????????B? ??????

scanning hidden files ...

C:\system.sav\CTO.TXT 4096 bytes
C:\system.sav\CTOHW.TXT 16 bytes
C:\system.sav\DAYLGSAV.reg 320 bytes
C:\system.sav\delink.log 288 bytes
C:\system.sav\highgost.flg 32 bytes
C:\system.sav\info.bom 8192 bytes
C:\system.sav\INFO.US 4096 bytes
C:\system.sav\ISLOGCHK.LOG 4096 bytes
C:\system.sav\logoff.bat 112 bytes
C:\system.sav\logoff.reg 288 bytes
C:\system.sav\PREINCHK.log 4096 bytes
C:\system.sav\REBOOT.ME 48 bytes
C:\system.sav\REGDEV.LOG 40 bytes
C:\system.sav\REGFLUSH.LOG 4096 bytes
C:\system.sav\RegionCF
C:\system.sav\RegionCF\euro.reg 216 bytes
C:\system.sav\RegionCF\SFr.reg 232 bytes
C:\system.sav\RmDev.log 4096 bytes
C:\system.sav\SYSINFO.LOG 106496 bytes
C:\system.sav\util
C:\system.sav\util\add5800devicePath.js 336 bytes
C:\system.sav\util\AOLBB.log 32 bytes
C:\system.sav\util\AOLbits.log 32 bytes
C:\system.sav\util\AppEvBk1.old 16384 bytes
C:\system.sav\util\bootldr.flg 0 bytes
C:\system.sav\util\BOOTSEC.NT4 512 bytes
C:\system.sav\util\brand.exe 57344 bytes
C:\system.sav\util\BrandIt.Log 4096 bytes
C:\system.sav\util\CHKIMAGE.exe 81920 bytes
C:\system.sav\util\CIA.CDC 24576 bytes
C:\system.sav\util\CIA.INI 32768 bytes
C:\system.sav\util\CMDOOBE.CMD 72 bytes
C:\system.sav\util\CMDSWSET.CMD 64 bytes
C:\system.sav\util\COMPMOD.bat 256 bytes
C:\system.sav\util\COMPMOD.exe 24576 bytes
C:\system.sav\util\COMPMOD.LOG 48 bytes
C:\system.sav\util\COMPMOD.TMP 168 bytes
C:\system.sav\util\cpqci.dll 73728 bytes
C:\system.sav\util\cpqsm.exe 53248 bytes
C:\system.sav\util\cvacompg.exe 77824 bytes
C:\system.sav\util\cvacompg.tmp 168 bytes
C:\system.sav\util\delcia.flg 32 bytes
C:\system.sav\util\DelDir.exe 20480 bytes
C:\system.sav\util\delmodem.bat 128 bytes
C:\system.sav\util\delmodem.ini 184 bytes
C:\system.sav\util\dmiuia.cmd 136 bytes
C:\system.sav\util\EarthLinkall.log 32 bytes
C:\system.sav\util\EarthLinkDialup.log 32 bytes
C:\system.sav\util\FAQ.log 32 bytes
C:\system.sav\util\hpqnt.dll 61440 bytes
C:\system.sav\util\hsc.log 176 bytes
C:\system.sav\util\infobomg.exe 57344 bytes
C:\system.sav\util\INSTALL.LOG 155648 bytes
C:\system.sav\util\ISLOGCHK.EXE 73728 bytes
C:\system.sav\util\ISLOGCHK.INI 112 bytes
C:\system.sav\util\make_rtr.flg 136 bytes
C:\system.sav\util\mobproc.flg 136 bytes
C:\system.sav\util\MSNPackage.log 32 bytes
C:\system.sav\util\MVEDV.LOG 208 bytes
C:\system.sav\util\NONISPCONTENTS.log 32 bytes
C:\system.sav\util\oca.reg 352 bytes
C:\system.sav\util\oca_mrk.bat 256 bytes
C:\system.sav\util\oobe.min 144 bytes
C:\system.sav\util\oobe.wpe 4096 bytes
C:\system.sav\util\osexclude.txt 184 bytes
C:\system.sav\util\PeoplePC.log 32 bytes
C:\system.sav\util\PININST.INI 192 bytes
C:\system.sav\util\PININST.LOG 352 bytes
C:\system.sav\util\POSTOOBE.CMD 4096 bytes
C:\system.sav\util\POSTOOBE.LOG 24 bytes
C:\system.sav\util\postproc.ini 560 bytes
C:\system.sav\util\powerset.log 88 bytes
C:\system.sav\util\PREINCHK.BAT 184 bytes
C:\system.sav\util\quicken.log 32 bytes
C:\system.sav\util\random.ini 40 bytes
C:\system.sav\util\REGDEV.EXE 73728 bytes
C:\system.sav\util\REGDEV.INI 560 bytes
C:\system.sav\util\RMDEV.CMD 296 bytes
C:\system.sav\util\SecEvBk1.old 24576 bytes
C:\system.sav\util\sedinst.log 168 bytes
C:\system.sav\util\SWSETDIR.exe 77824 bytes
C:\system.sav\util\SWSETUP.BTO 424 bytes
C:\system.sav\util\SWSETUP.CMD 136 bytes
C:\system.sav\util\SWSET_B.INI 4096 bytes
C:\system.sav\util\SysEvBk1.old 12288 bytes
C:\system.sav\util\TMP.INI 12288 bytes
C:\system.sav\util\touchpad.log 192 bytes
C:\system.sav\util\uiadump32.exe 16384 bytes
C:\system.sav\util\uiautil.exe 32768 bytes
C:\system.sav\util\updie.bat 104 bytes
C:\system.sav\util\WINDVD.LOG 176 bytes
C:\system.sav\util\WMI.BAT 48 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 92

********************************************************************

Completion time: 07-04-19 11:59:45
C:\ComboFix-quarantined-files.txt ... 07-04-19 11:59
C:\ComboFix2.txt ... 07-04-18 16:34
C:\ComboFix3.txt ... 07-04-18 13:56

Kaspersky:

*KASPERSKY ONLINE SCANNER REPORT*
Wednesday, April 18, 2007 7:54:39 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2
(Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 18/04/2007
Kaspersky Anti-Virus database records: 299126

*Scan Settings*
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
*Scan Target* My Computer
C:\
D:\
*Scan Statistics*
Total number of scanned objects 85313
Number of viruses found 7
Number of infected objects 10 / 0
Number of suspicious objects 0
Duration of the scan process 01:57:32

*Infected Object Name* *Virus Name* *Last Action*
C:\Documents and Settings\All Users\Application
Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application
Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee
Technologies\030410\0102\0102\values Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is
locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local
Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet
Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked
skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is
locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is
locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local
Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary
Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked
skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is
locked skipped
C:\Documents and Settings\Tim Priddy\Cookies\index.dat Object is
locked skipped
C:\Documents and Settings\Tim Priddy\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Tim Priddy\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Tim Priddy\Local
Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tim Priddy\Local
Settings\History\History.IE5\MSHist012007041820070419\index.dat Object
is locked skipped
C:\Documents and Settings\Tim Priddy\Local Settings\Temp\Free Download
Manager\tic3A.tmp Object is locked skipped
C:\Documents and Settings\Tim Priddy\Local Settings\Temp\hpodvd09.log
Object is locked skipped
C:\Documents and Settings\Tim Priddy\Local Settings\Temp\~DF1077.tmp
Object is locked skipped
C:\Documents and Settings\Tim Priddy\Local Settings\Temp\~DF1748.tmp
Object is locked skipped
C:\Documents and Settings\Tim Priddy\Local Settings\Temporary Internet
Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is
locked skipped
C:\Documents and Settings\Tim Priddy\Local Settings\Temporary Internet
Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tim Priddy\ntuser.dat Object is locked skipped
C:\Documents and Settings\Tim Priddy\ntuser.dat.LOG Object is locked
skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is
locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is
locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is
locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fmfpgktr.dll.vir Infected:
not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jkhih.dll.vir Infected:
not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is
locked skipped
C:\System Volume
Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP11\A0001728.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume
Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP11\A0002731.dll
Infected: Trojan.Win32.BHO.g skipped
C:\System Volume
Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP13\A0002892.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.id skipped
C:\System Volume
Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP13\A0002912.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.fl skipped
C:\System Volume
Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP3\A0000169.dll
Infected: Trojan.Win32.BHO.g skipped
C:\System Volume
Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP38\A0011502.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume
Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP38\A0011503.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\System Volume
Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP39\A0011567.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.ha skipped
C:\System Volume
Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP41\change.log
Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked
skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\vent2.log Object is locked skipped
C:\WINDOWS\system32\vent2_url.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked
skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked
skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked
skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked
skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked
skipped
C:\WINDOWS\Temp\Perflib_Perfdata_704.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
*Scan process completed.*

Thanks!! Hope this is correct...

sUBs · 04-19-2007, 11:15 AM

Tim, would it please you if I said you're clean?

C:\QooBox\ is ComboFix's quarantine folder. We dont need it anymore. Please delete it

C:\System Volume Information\ is System Restore's cache. We shall be clearing/reseting it in a minute

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
Go to Start → Run → type control sysdm.cpl,,4 & press Enter
- Tick on the checkbox - Turn off System Restore on all drives
- Click Apply
Turn it back 'On' by unticking the same checkbox & click OK
DISABLE THE VIEWING OF SYSTEM FILES
From Windows Explorer, go to Tools>Folder Options> View tab.
- Untick - Show hidden files and folder
- Tick - Hide file extensions for known types
- Tick - Hide protected operating system files
Click Yes to confirm & then click OK
SECURING INTERNET EXPLORER
From within Internet Explorer click on the Tools menu and then click on Internet Options.
- Select the Security tab
  - Click once on the Internet icon so it becomes highlighted.
  - Select Custom Level .
    - Change 'Download signed ActiveX controls' to Prompt
    - Change 'Download unsigned ActiveX controls' to Disable
    - Change 'Initialize and script ActiveX controls not marked as safe' to Disable
    - Change 'Installation of desktop items' to Prompt
    - Change 'Launching programs and files in an IFRAME' to Prompt
    - Change 'Navigate sub-frames across different domains' to Prompt
    - When all these changes have been made, click on the OK button.
  - If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Select OK to exit the Internet Properties page.
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources → http://www.bleepingcomputer.com/forums/topict405.html

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
FIREWALL
Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here → http://www.bleepingcomputer.com/forums/tutorial60.html
Microsoft Windows Update → http://www.windowsupdate.com
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
SPYBOT - SEARCH & DESTROY
Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial43.html
AD-AWARE
Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial48.html
SPYWAREBLASTER
SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial49.html
IE-SPYAD
IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here http://www.spywarewarrior.com/uiuc/resource.htm

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
http://toolbar.google.com/ - Google Toolbar - Get the free google toolbar to help stop pop up windows.
http://cleanup.stevengould.org/ - CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
http://www.winpatrol.com/ -Winpatrol - Download and install the free version of Winpatrol.
A tutorial for this product is located here: http://www.winpatrol.com/features.html

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

jtpriddy · 04-19-2007, 11:42 AM

This is REALLY good news!! This has been a nightmare for me, and finally I am waking to a better day!

One last question before we close out this thread. When I run Spyware Doctor, it is telling me that I am infected with the Munro Trojan. Since all my logs now appear clean, should I disregard this information? My computer is behaving normally, and is significantly faster than before.

I promise that I will do EVERYTHING in my power to not be infected again, downloading and installing all the recommended software. I can't wait to make a donation to you guys. When I was at the end of my rope, you came through like a champ.

Cheers to all of you that take the time to make the computer world a safer place.

Sincerely,

Tim Priddy

sUBs · 04-19-2007, 11:50 AM

Please show me the exact messageas displayed by Spyware Doctor. I will be interested in the location of the file mentioned.

jtpriddy · 04-24-2007, 12:52 PM

Please accept my apologies that it has taken this long to respond, as I have been at sea on this cruise ship for a while with no connection to the internet.

Spyware Doctor actually reported this:

Trojan.PWS.Tanspy

It will not give me a complete address in the hard drive where it is supposedly located, but I will put in as much as I can.

HKEY_Local_MACHINE\SOFTWARE\Microsoft\Windows\Current

It said it was repaired, and I haven't seen it since, so we may be good to go on that one.

Thank you for everything, I will be making a donation soon.

Sincerely,

Tim Priddy

sUBs · 04-24-2007, 01:30 PM

Quote:

HKEY_Local_MACHINE\SOFTWARE\Microsoft\Windows\Current

Registry path appears incomplete. If it's Tanspy, it should either of these:

Quote:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load High
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load## High
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load##cmpid High
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load##faddress High
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load##forwas High
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load##ftass High
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load##fter High
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load##h High
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load##info_sze High
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load##ino High
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load##net_insll High
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load##pops High
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load##ptexcl High
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load##taloinata High
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load##tannumr High
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load##tantotl High
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load##tas High
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load##worg High

Looks like an orphaned registry entry.It's an entry in your Registry that references a non existant file. It's perfectly harmless without the accompanying file.

jtpriddy · 05-01-2007, 12:56 PM

Thanks again for all your help. I think this closes out this thread. You guys are amazing, and I will be recommending this site to all my infected friends...

We are NOT worthy!!

Tim

04-10-2007, 10:22 PM	#2 (permalink)
jtpriddy Registered User Join Date: Apr 2007 Posts: 9 OS: XP	Re: Vundo Trojan x 2, Slow start-up et. al. Screwed up already...here's the Panda log: Incident Status Location Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ssqqomk.dll Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Tim Priddy\Local Settings\Temp\gxexbdmr.dll Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\Tim Priddy\Local Settings\Temporary Internet Files\Content.IE5\056J8TQN\wbkC3.tmp Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\fmfpgktr.dll Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\kceyhfil.exe Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\qextwqnk.exe Virus:Trj/BHO.A Disinfected C:\WINDOWS\system32\vmoywreo.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\wvuvvwu.dll Regards, Tim Priddy

04-13-2007, 01:26 PM	#3 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,452 OS: N/A	Re: Vundo Trojan x 2, Slow start-up et. al. 1. Download this file -> http://download.bleepingcomputer.com...a/ComboFix.exe 2. Double click on combofix.exe & follow the prompts. 3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall __________________ Question - what have you done for the community today?

04-18-2007, 12:02 PM	#4 (permalink)
jtpriddy Registered User Join Date: Apr 2007 Posts: 9 OS: XP	Re: Vundo Trojan x 2, Slow start-up et. al. Thank you for your prompt reply. At this time, it will be a bit more difficult for me to respond, for I work on a cruise ship in the mexican riviera, but here is your Combofix log: "Tim Priddy" - 07-04-18 13:49:26 Service Pack 2 ComboFix 07-04-18.2V - Running from: C:\Documents and Settings\Tim Priddy\Desktop\ (((((((((((((((((((((((((((((((((((((((((((((((((( V Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\fmfpgktr.dll C:\WINDOWS\system32\jkhih.dll C:\WINDOWS\system32\hihkj.ini * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ((((((((((((((((((((((((((((((( Files Created from 2007-03-18 to 2007-04-18 )))))))))))))))))))))))))))))))))) 2007-04-13 22:39 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys 2007-04-13 22:38 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys 2007-04-13 22:38 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr 2007-04-13 22:38 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys 2007-04-13 22:38 712,832 --a------ C:\WINDOWS\system32\aswBoot.exe 2007-04-13 22:38 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys 2007-04-13 22:38 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys 2007-04-13 22:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Panda Software 2007-04-13 20:49 <DIR> d-------- C:\Program Files\Windows Defender 2007-04-13 00:34 <DIR> d-------- C:\Program Files\Panda Software 2007-04-13 00:04 <DIR> d-------- C:\Program Files\Common Files\Panda Software 2007-04-11 22:07 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Talkback 2007-04-11 17:20 7,864,320 --a------ C:\DOCUME~1\TIMPRI~1\ntuser.dat 2007-04-10 23:17 <DIR> d-------- C:\Deckard 2007-04-10 22:26 <DIR> d-------- C:\Program Files\SpywareGuard 2007-04-10 22:14 <DIR> d-------- C:\Program Files\SpywareBlaster 2007-04-10 16:47 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-04-10 12:00 <DIR> d-------- C:\DOCUME~1\TIMPRI~1\APPLIC~1\Lavasoft 2007-04-10 11:58 <DIR> d-------- C:\Program Files\Lavasoft 2007-04-10 10:57 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys 2007-04-10 10:57 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys 2007-04-10 10:57 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys 2007-04-10 10:57 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys 2007-04-10 10:57 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys 2007-04-10 10:56 <DIR> d-------- C:\Program Files\Spyware Doctor 2007-04-10 10:53 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll 2007-04-09 21:29 147,456 --a------ C:\WINDOWS\Uninstit.exe 2007-04-09 19:24 <DIR> d-------- C:\Program Files\SP31140 2007-04-05 13:34 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP 2007-04-05 06:02 786,432 --ah----- C:\DOCUME~1\ADMINI~1\ntuser.dat 2007-04-05 06:02 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec 2007-04-05 06:02 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sun 2007-04-05 06:02 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic 2007-04-05 06:02 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer 2007-04-05 03:37 <DIR> d-------- C:\Program Files\RegCure 2007-04-04 14:29 617,197 ---hs---- C:\WINDOWS\system32\uuxyb.ini2 2007-04-03 12:56 <DIR> d-------- C:\WINDOWS\Internet Logs 2007-04-03 12:50 29,752 --------- C:\WINDOWS\system32\InstHelper.dll 2007-04-03 12:42 94,720 --a------ C:\WINDOWS\system32\dneinobj.dll 2007-04-03 12:42 110,080 --a------ C:\WINDOWS\system32\drivers\dne2000.sys 2007-04-03 12:41 5,315 --a------ C:\WINDOWS\system32\drivers\CVirtA.sys 2007-04-03 12:41 193,584 --a------ C:\WINDOWS\system32\CSGina.dll 2007-03-28 05:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe 2007-03-19 12:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ParetoLogic Anti-Spyware 2007-03-19 04:58 <DIR> d-------- C:\Program Files\XoftSpySE (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-04-18 00:19 12 --a------ C:\WINDOWS\bthservsdp.dat 2007-04-17 19:32 -------- d-------- C:\Program Files\quicken 2007-04-13 01:57 -------- d-------- C:\Program Files\quicktime 2007-04-13 01:48 -------- d-------- C:\Program Files\itunes 2007-04-13 01:41 -------- d-------- C:\Program Files\dvd region-free 2007-04-13 00:42 -------- d--h----- C:\Program Files\installshield installation information 2007-04-12 19:08 -------- d-------- C:\Program Files\sports illustrated 2007 2007-04-11 20:47 -------- d-------- C:\Program Files\google 2007-04-11 20:47 -------- d-------- C:\Program Files\free download manager 2007-04-11 18:13 -------- d-------- C:\Program Files\hijackthis 1.99.1 2007-04-10 12:10 -------- d-------- C:\DOCUME~1\TIMPRI~1\APPLIC~1\skype 2007-04-10 11:56 -------- d-------- C:\Program Files\Common Files\wise installation wizard 2007-04-05 03:36 -------- d-------- C:\Program Files\install provider 2007-04-02 09:38 -------- d-------- C:\Program Files\limewire 2007-03-23 15:35 -------- d-------- C:\Program Files\divx 2007-03-22 06:52 -------- d-------- C:\Program Files\finale 2006 2007-03-20 02:49 469766 ---hs---- C:\WINDOWS\system32\uuxyb.bak2 2007-03-17 09:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll 2007-03-17 03:16 -------- d-------- C:\DOCUME~1\TIMPRI~1\APPLIC~1\free download manager 2007-03-16 14:17 -------- d-------- C:\Program Files\ipod 2007-03-16 04:02 -------- d-------- C:\Program Files\intervideo 2007-03-16 03:19 -------- d-------- C:\Program Files\hewlett-packard 2007-03-16 02:02 -------- d-------- C:\Program Files\hp 2007-03-13 07:16 -------- d-------- C:\DOCUME~1\TIMPRI~1\APPLIC~1\divx 2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll 2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll 2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll 2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys 2007-03-07 06:31 -------- d-------- C:\Program Files\pure sudoku 2007-03-07 06:27 482966 ---hs---- C:\WINDOWS\system32\uuxyb.bak1 2007-03-05 10:05 -------- d-------- C:\DOCUME~1\TIMPRI~1\APPLIC~1\talkback 2007-03-02 18:59 26637 ---hs---- C:\WINDOWS\system32\wvuvvwu.dll 2007-02-27 11:14 -------- d-------- C:\Program Files\microsoft wse 2007-02-27 07:58 -------- d-------- C:\Program Files\the awakened 2007-02-25 09:05 63696 --a------ C:\DOCUME~1\TIMPRI~1\APPLIC~1\gdipfontcachev1.dat 2007-02-23 00:29 524288 --a------ C:\WINDOWS\system32\divxsm.exe 2007-02-23 00:29 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll 2007-02-23 00:29 200704 --a------ C:\WINDOWS\system32\ssldivx.dll 2007-02-23 00:29 1044480 --a------ C:\WINDOWS\system32\libdivx.dll 2007-02-23 00:25 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll 2007-02-23 00:25 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll 2007-02-23 00:25 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll 2007-02-23 00:25 73728 --a--c--- C:\WINDOWS\system32\dpl100.dll 2007-02-23 00:25 639066 --a------ C:\WINDOWS\system32\divx.dll 2007-02-23 00:25 593920 --a--c--- C:\WINDOWS\system32\dpugui11.dll 2007-02-23 00:25 57344 --a--c--- C:\WINDOWS\system32\dpv11.dll 2007-02-23 00:25 53248 --a------ C:\WINDOWS\system32\dpugui10.dll 2007-02-23 00:25 344064 --a--c--- C:\WINDOWS\system32\dpus11.dll 2007-02-23 00:25 294912 --a--c--- C:\WINDOWS\system32\dpu11.dll 2007-02-23 00:25 294912 --a------ C:\WINDOWS\system32\dpu10.dll 2007-02-23 00:25 196608 --a--c--- C:\WINDOWS\system32\dtu100.dll 2007-02-15 21:40 124472 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe 2007-02-05 16:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll 2007-02-03 13:16 664 --a------ C:\WINDOWS\system32\d3d9caps.dat 2007-01-30 01:03 129784 --------- C:\WINDOWS\system32\pxafs.dll 2007-01-30 01:03 118520 --------- C:\WINDOWS\system32\pxinsi64.exe 2007-01-30 01:03 116472 --------- C:\WINDOWS\system32\pxcpyi64.exe 2007-01-19 09:23 1721976 --a------ C:\WINDOWS\system32\inetclnt.dll (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {22BF413B-C6D2-4d91-82A9-A0F997BA588C} C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL {4A368E80-174F-4872-96B5-0B27DDD11DB2} C:\Program Files\SpywareGuard\dlprotect.dll {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll {AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar3.dll {CC59E0F9-7E43-44FA-9FAA-8377850BF205} C:\Program Files\Free Download Manager\iefdmcks.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe" "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\"" "UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r" "SynTPLpr"="\"C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe\"" "SynTPEnh"="\"C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe\"" "HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\"" "HPHmon05"="C:\\WINDOWS\\system32\\hphmon05.exe" "Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe" "eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start" "HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe" "RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\"" "WatchDog"="C:\\Program Files\\InterVideo\\DVD Check\\DVDCheck.exe" "BluetoothAuthenticationAgent"="\"rundll32.exe\" bthprops.cpl,,BluetoothAuthenticationAgent" "VF0070 STISvc"="RunDLL32.exe V0070Pin.dll,RunDLL32EP 513" "RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\"" "LanguageShortcut"="\"C:\\Program Files\\CyberLink\\PowerDVD\\Language\\Language.exe\"" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" "avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "RecordNow!"="" "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" "Power2GoExpress"="" "swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe" "WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "ClearRecentDocsOnExit"=dword:00000001 "NoRecentDocsMenu"=dword:00000001 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{93994DE8-8239-4655-B1D1-5F4E91300429}"="" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload] "UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}" HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxuu HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqqomk HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray] "item"="IgfxTray" "command"="C:\\WINDOWS\\system32\\igfxtray.exe" "hkey"="HKLM" "key"="Run" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 bthsvcs REG_MULTI_SZ BthServ\0\0 WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0 Contents of the 'Scheduled Tasks' folder C:\WINDOWS\tasks\AppleSoftwareUpdate.job C:\WINDOWS\tasks\RegCure Program Check.job C:\WINDOWS\tasks\RegCure.job C:\WINDOWS\tasks\RoxioUpdator.job C:\WINDOWS\tasks\User_Feed_Synchronization-{7A2BD778-407B-48B9-905C-F3A45FF5B90A}.job C:\WINDOWS\tasks\XoftSpySE 2.job C:\WINDOWS\tasks\XoftSpySE.job ****************************************************************** catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006 http://www.gmer.net scanning hidden processes ... scanning hidden services ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????????????????P???? ???B???????????????B? ?????? scanning hidden files ... C:\system.sav\CTO.TXT 4096 bytes C:\system.sav\CTOHW.TXT 16 bytes C:\system.sav\DAYLGSAV.reg 320 bytes C:\system.sav\delink.log 288 bytes C:\system.sav\highgost.flg 32 bytes C:\system.sav\info.bom 8192 bytes C:\system.sav\INFO.US 4096 bytes C:\system.sav\ISLOGCHK.LOG 4096 bytes C:\system.sav\logoff.bat 112 bytes C:\system.sav\logoff.reg 288 bytes C:\system.sav\PREINCHK.log 4096 bytes C:\system.sav\REBOOT.ME 48 bytes C:\system.sav\REGDEV.LOG 40 bytes C:\system.sav\REGFLUSH.LOG 4096 bytes C:\system.sav\RegionCF C:\system.sav\RegionCF\euro.reg 216 bytes C:\system.sav\RegionCF\SFr.reg 232 bytes C:\system.sav\RmDev.log 4096 bytes C:\system.sav\SYSINFO.LOG 106496 bytes C:\system.sav\util C:\system.sav\util\add5800devicePath.js 336 bytes C:\system.sav\util\AOLBB.log 32 bytes C:\system.sav\util\AOLbits.log 32 bytes C:\system.sav\util\AppEvBk1.old 16384 bytes C:\system.sav\util\bootldr.flg 0 bytes C:\system.sav\util\BOOTSEC.NT4 512 bytes C:\system.sav\util\brand.exe 57344 bytes C:\system.sav\util\BrandIt.Log 4096 bytes C:\system.sav\util\CHKIMAGE.exe 81920 bytes C:\system.sav\util\CIA.CDC 24576 bytes C:\system.sav\util\CIA.INI 32768 bytes C:\system.sav\util\CMDOOBE.CMD 72 bytes C:\system.sav\util\CMDSWSET.CMD 64 bytes C:\system.sav\util\COMPMOD.bat 256 bytes C:\system.sav\util\COMPMOD.exe 24576 bytes C:\system.sav\util\COMPMOD.LOG 48 bytes C:\system.sav\util\COMPMOD.TMP 168 bytes C:\system.sav\util\cpqci.dll 73728 bytes C:\system.sav\util\cpqsm.exe 53248 bytes C:\system.sav\util\cvacompg.exe 77824 bytes C:\system.sav\util\cvacompg.tmp 168 bytes C:\system.sav\util\delcia.flg 32 bytes C:\system.sav\util\DelDir.exe 20480 bytes C:\system.sav\util\delmodem.bat 128 bytes C:\system.sav\util\delmodem.ini 184 bytes C:\system.sav\util\dmiuia.cmd 136 bytes C:\system.sav\util\EarthLinkall.log 32 bytes C:\system.sav\util\EarthLinkDialup.log 32 bytes C:\system.sav\util\FAQ.log 32 bytes C:\system.sav\util\hpqnt.dll 61440 bytes C:\system.sav\util\hsc.log 176 bytes C:\system.sav\util\infobomg.exe 57344 bytes C:\system.sav\util\INSTALL.LOG 155648 bytes C:\system.sav\util\ISLOGCHK.EXE 73728 bytes C:\system.sav\util\ISLOGCHK.INI 112 bytes C:\system.sav\util\make_rtr.flg 136 bytes C:\system.sav\util\mobproc.flg 136 bytes C:\system.sav\util\MSNPackage.log 32 bytes C:\system.sav\util\MVEDV.LOG 208 bytes C:\system.sav\util\NONISPCONTENTS.log 32 bytes C:\system.sav\util\oca.reg 352 bytes C:\system.sav\util\oca_mrk.bat 256 bytes C:\system.sav\util\oobe.min 144 bytes C:\system.sav\util\oobe.wpe 4096 bytes C:\system.sav\util\osexclude.txt 184 bytes C:\system.sav\util\PeoplePC.log 32 bytes C:\system.sav\util\PININST.INI 192 bytes C:\system.sav\util\PININST.LOG 352 bytes C:\system.sav\util\POSTOOBE.CMD 4096 bytes C:\system.sav\util\POSTOOBE.LOG 24 bytes C:\system.sav\util\postproc.ini 560 bytes C:\system.sav\util\powerset.log 88 bytes C:\system.sav\util\PREINCHK.BAT 184 bytes C:\system.sav\util\quicken.log 32 bytes C:\system.sav\util\random.ini 40 bytes C:\system.sav\util\REGDEV.EXE 73728 bytes C:\system.sav\util\REGDEV.INI 560 bytes C:\system.sav\util\RMDEV.CMD 296 bytes C:\system.sav\util\SecEvBk1.old 24576 bytes C:\system.sav\util\sedinst.log 168 bytes C:\system.sav\util\SWSETDIR.exe 77824 bytes C:\system.sav\util\SWSETUP.BTO 424 bytes C:\system.sav\util\SWSETUP.CMD 136 bytes C:\system.sav\util\SWSET_B.INI 4096 bytes C:\system.sav\util\SysEvBk1.old 12288 bytes C:\system.sav\util\TMP.INI 12288 bytes C:\system.sav\util\touchpad.log 192 bytes C:\system.sav\util\uiadump32.exe 16384 bytes C:\system.sav\util\uiautil.exe 32768 bytes C:\system.sav\util\updie.bat 104 bytes C:\system.sav\util\WINDVD.LOG 176 bytes C:\system.sav\util\WMI.BAT 48 bytes scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 92 ****************************************************************** Completion time: 07-04-18 13:56:36 C:\ComboFix-quarantined-files.txt ... 07-04-18 13:56 Deckard's System Scan: Deckard's System Scanner v20070328.36 Run by Tim Priddy on 2007-04-18 at 14:00:41 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- HijackThis (run as Tim Priddy.exe) ------------------------------------------ Logfile of HijackThis v1.99.1 Scan saved at 2:01:01 PM, on 4/18/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16414) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\WINDOWS\system32\hphmon05.exe C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\RunDLL32.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\SpywareGuard\sgmain.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\CyberLink\Shared Files\RichVideo.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Venturi2\Client\ventc.exe C:\Program Files\SpywareGuard\sgbhp.exe C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe C:\Program Files\Outlook Express\msimn.exe C:\PROGRA~1\MESSEN~1\Msmsgs.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Tim Priddy\Desktop\dss.exe C:\PROGRA~1\HIJACK~1.1\TIMPRI~1.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.cnn.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe" R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file) O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [VF0070 STISvc] RunDLL32.exe V0070Pin.dll,RunDLL32EP 513 O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Startup: ZonedOut.lnk = C:\Documents and Settings\Tim Priddy\Desktop\Misc\ZonedOut\ZonedOut.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Cu...ataManager.CAB O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/126p/html/gtdownlr.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1170275904732 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://192.168.0.102:81/plugin/h263ctrl.cab O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: byxuu - C:\WINDOWS\ O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: ssqqomk - ssqqomk.dll (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing) O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe O23 - Service: Venturi2 Client (Venturi2) - Venturi Wireless - C:\Program Files\Venturi2\Client\ventc.exe -- Files created between 2007-03-18 and 2007-04-18 ----------------------------- 2007-04-13 22:39:03 23416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys 2007-04-13 22:38:58 43176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys 2007-04-13 22:38:53 26888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys 2007-04-13 22:38:45 94552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys 2007-04-13 22:38:45 85952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys 2007-04-13 22:38:30 90112 --a------ C:\WINDOWS\system32\AVASTSS.scr 2007-04-13 22:38:30 712832 --a------ C:\WINDOWS\system32\aswBoot.exe 2007-04-13 22:08:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Panda Software<PANDAS~1> 2007-04-13 20:49:51 0 d-------- C:\Program Files\Windows Defender<WIFD1F~1> 2007-04-13 00:34:00 0 d-------- C:\Program Files\Panda Software<PANDAS~1> 2007-04-13 00:04:32 0 d-------- C:\Program Files\Common Files\Panda Software<PANDAS~1> 2007-04-11 22:07:15 0 d-------- C:\Documents and Settings\LocalService\Application Data\Talkback 2007-04-11 17:20:00 7864320 --a------ C:\Documents and Settings\Tim Priddy\ntuser.dat 2007-04-10 22:26:58 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~3> 2007-04-10 22:14:24 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~2> 2007-04-10 16:47:40 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1> 2007-04-10 12:00:19 0 d-------- C:\Documents and Settings\Tim Priddy\Application Data\Lavasoft 2007-04-10 11:58:55 0 d-------- C:\Program Files\Lavasoft 2007-04-10 10:57:37 26064 --a------ C:\WINDOWS\system32\drivers\kcom.sys 2007-04-10 10:57:37 83536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys 2007-04-10 10:57:37 52304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys<IKFILE~2.SYS> 2007-04-10 10:57:37 39248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys<IKFILE~1.SYS> 2007-04-10 10:57:36 59984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys 2007-04-10 10:56:43 0 d-------- C:\Program Files\Spyware Doctor<SPYWAR~1> 2007-04-10 10:53:56 626688 --a------ C:\WINDOWS\system32\msvcr80.dll 2007-04-09 21:29:38 147456 --a------ C:\WINDOWS\Uninstit.exe 2007-04-09 19:24:08 0 d-------- C:\Program Files\SP31140 2007-04-05 13:34:39 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2007-04-05 06:02:03 786432 --ah----- C:\Documents and Settings\Administrator\ntuser.dat 2007-04-05 06:02:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec 2007-04-05 06:02:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun 2007-04-05 06:02:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic 2007-04-05 06:02:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer<APPLEC~1> 2007-04-05 03:37:38 0 d-------- C:\Program Files\RegCure 2007-04-04 14:29:47 617197 ---hs---- C:\WINDOWS\system32\uuxyb.ini2<UUXYB~1.INI> 2007-04-03 12:56:18 0 d-------- C:\WINDOWS\Internet Logs<INTERN~1> 2007-04-03 12:50:21 29752 -----n--- C:\WINDOWS\system32\InstHelper.dll<INSTHE~1.DLL> 2007-04-03 12:48:58 8 --a------ C:\WINDOWS\system32\success 2007-04-03 12:42:13 110080 --a------ C:\WINDOWS\system32\drivers\dne2000.sys 2007-04-03 12:42:13 94720 --a------ C:\WINDOWS\system32\dneinobj.dll 2007-04-03 12:41:43 5315 --a------ C:\WINDOWS\system32\drivers\CVirtA.sys 2007-04-03 12:41:27 193584 --a------ C:\WINDOWS\system32\CSGina.dll 2007-03-28 05:09:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe 2007-03-19 12:15:21 0 d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware<PARETO~1> 2007-03-19 04:58:39 0 d-------- C:\Program Files\XoftSpySE<XOFTSP~1> -- Find3M Report --------------------------------------------------------------- 2007-04-18 14:00:42 0 d-------- C:\Program Files\HijackThis 1.99.1<HIJACK~1.1> 2007-04-18 00:19:51 12 --a------ C:\WINDOWS\bthservsdp.dat<BTHSER~1.DAT> 2007-04-17 19:32:28 0 d-------- C:\Program Files\Quicken 2007-04-13 22:37:59 0 d-------- C:\Program Files\Alwil Software<ALWILS~1> 2007-04-13 01:57:50 0 d-------- C:\Program Files\QuickTime<QUICKT~3> 2007-04-13 01:48:39 0 d-------- C:\Program Files\iTunes 2007-04-13 01:41:18 0 d-------- C:\Program Files\DVD Region-Free<DVDREG~1> 2007-04-13 00:42:46 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1> 2007-04-12 19:08:54 0 d-------- C:\Program Files\Sports Illustrated 2007<SPORTS~1> 2007-04-11 20:47:29 0 d-------- C:\Program Files\Google 2007-04-11 20:47:27 0 d-------- C:\Program Files\Free Download Manager<FREEDO~1> 2007-04-10 12:10:57 0 d-------- C:\Documents and Settings\Tim Priddy\Application Data\Skype 2007-04-10 11:56:06 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1> 2007-04-05 03:36:09 0 d-------- C:\Program Files\Install Provider<INSTAL~2> 2007-04-02 09:38:38 0 d-------- C:\Program Files\LimeWire 2007-03-28 05:01:57 0 d-------- C:\Documents and Settings\Tim Priddy\Application Data\AdobeUM 2007-03-23 15:35:47 0 d-------- C:\Program Files\DivX 2007-03-22 06:52:52 0 d-------- C:\Program Files\Finale 2006<FINALE~1> 2007-03-20 02:49:40 469766 ---hs---- C:\WINDOWS\system32\uuxyb.bak2<UUXYB~2.BAK> 2007-03-17 09:43:01 292864 --a------ C:\WINDOWS\system32\winsrv.dll 2007-03-17 03:16:37 0 d-------- C:\Documents and Settings\Tim Priddy\Application Data\Free Download Manager<FREEDO~1> 2007-03-16 14:17:17 0 d-------- C:\Program Files\iPod 2007-03-16 14:00:40 0 d-------- C:\Program Files\Apple Software Update<APPLES~2> 2007-03-16 04:02:18 0 d-------- C:\Program Files\InterVideo<INTERV~1> 2007-03-16 03:19:58 0 d-------- C:\Program Files\Hewlett-Packard<HEWLET~1> 2007-03-16 02:02:48 0 d-------- C:\Program Files\HP 2007-03-13 07:16:33 0 d-------- C:\Documents and Settings\Tim Priddy\Application Data\DivX 2007-03-08 11:36:28 577536 --a------ C:\WINDOWS\system32\user32.dll 2007-03-08 11:36:28 40960 --a------ C:\WINDOWS\system32\mf3216.dll 2007-03-08 11:36:28 281600 --a------ C:\WINDOWS\system32\gdi32.dll 2007-03-08 09:47:48 1843584 --a------ C:\WINDOWS\system32\win32k.sys 2007-03-07 06:31:57 0 d-------- C:\Program Files\Pure Sudoku<PURESU~1> 2007-03-07 06:27:20 482966 ---hs---- C:\WINDOWS\system32\uuxyb.bak1<UUXYB~1.BAK> 2007-03-05 10:05:28 0 d-------- C:\Documents and Settings\Tim Priddy\Application Data\Talkback 2007-03-02 18:59:06 26637 ---hs---- C:\WINDOWS\system32\wvuvvwu.dll 2007-02-28 03:23:07 0 d-------- C:\Documents and Settings\Tim Priddy\Application Data\CNN 2007-02-27 11:14:10 0 d-------- C:\Program Files\Microsoft WSE<MI6E20~1> 2007-02-27 07:58:54 0 d-------- C:\Program Files\The Awakened<THEAWA~1> 2007-02-25 09:05:46 63696 --a------ C:\Documents and Settings\Tim Priddy\Application Data\GDIPFONTCACHEV1.DAT<GDIPFO~1.DAT> 2007-02-23 00:29:58 524288 --a------ C:\WINDOWS\system32\DivXsm.exe 2007-02-23 00:29:56 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll 2007-02-23 00:29:49 200704 --a------ C:\WINDOWS\system32\ssldivx.dll 2007-02-23 00:29:49 1044480 --a------ C:\WINDOWS\system32\libdivx.dll 2007-02-23 00:25:24 196608 --a----c- C:\WINDOWS\system32\dtu100.dll 2007-02-23 00:25:24 73728 --a----c- C:\WINDOWS\system32\dpl100.dll 2007-02-23 00:25:23 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll 2007-02-23 00:25:22 57344 --a----c- C:\WINDOWS\system32\dpv11.dll 2007-02-23 00:25:22 344064 --a----c- C:\WINDOWS\system32\dpus11.dll 2007-02-23 00:25:22 593920 --a----c- C:\WINDOWS\system32\dpuGUI11.dll 2007-02-23 00:25:22 294912 --a----c- C:\WINDOWS\system32\dpu11.dll 2007-02-23 00:25:22 294912 --a------ C:\WINDOWS\system32\dpu10.dll 2007-02-23 00:25:19 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll<DIVX_X~3.DLL> 2007-02-23 00:25:19 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll<DIVX_X~1.DLL> 2007-02-23 00:25:19 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll<DIVX_X~2.DLL> 2007-02-23 00:25:19 639066 --a------ C:\WINDOWS\system32\DivX.dll 2007-02-15 21:40:35 124472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe<DIVXCO~1.EXE> 2007-02-05 16:17:02 185344 --a------ C:\WINDOWS\system32\upnphost.dll 2007-02-03 13:16:55 664 --a------ C:\WINDOWS\system32\d3d9caps.dat 2007-01-30 01:03:34 118520 -----n--- C:\WINDOWS\system32\pxinsi64.exe 2007-01-30 01:03:34 116472 -----n--- C:\WINDOWS\system32\pxcpyi64.exe 2007-01-30 01:03:34 129784 -----n--- C:\WINDOWS\system32\pxafs.dll 2007-01-19 09:23:54 1721976 --a------ C:\WINDOWS\system32\inetclnt.dll -- Registry Dump --------------------------------------------------------------- [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "RecordNow!"="" "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" "Power2GoExpress"="" "swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe" "WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe" "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\"" "UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r" "SynTPLpr"="\"C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe\"" "SynTPEnh"="\"C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe\"" "HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\"" "HPHmon05"="C:\\WINDOWS\\system32\\hphmon05.exe" "Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe" "eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start" "HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe" "RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\"" "WatchDog"="C:\\Program Files\\InterVideo\\DVD Check\\DVDCheck.exe" "BluetoothAuthenticationAgent"="\"rundll32.exe\" bthprops.cpl,,BluetoothAuthenticationAgent" "VF0070 STISvc"="RunDLL32.exe V0070Pin.dll,RunDLL32EP 513" "RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\"" "LanguageShortcut"="\"C:\\Program Files\\CyberLink\\PowerDVD\\Language\\Language.exe\"" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" "avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray] "item"="IgfxTray" "command"="C:\\WINDOWS\\system32\\igfxtray.exe" "hkey"="HKLM" "key"="Run" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{93994DE8-8239-4655-B1D1-5F4E91300429}"="" "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook" "{81559C35-8464-49F7-BB0E-07A383BEF910}"="" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload] "UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}" "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "ClearRecentDocsOnExit"=dword:00000001 "NoRecentDocsMenu"=dword:00000001 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run] HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxuu HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqqomk [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 bthsvcs REG_MULTI_SZ BthServ\0\0 WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0 -- End of Deckard's System Scanner: finished at 2007-04-18 at 14:01:26 --------- Again, thank you for all you do to help those of us that do not have the expertise to help ourselves!! Sincerely, Tim Priddy

04-18-2007, 12:23 PM	#5 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,452 OS: N/A	Re: Vundo Trojan x 2, Slow start-up et. al. Don't go away. I'll have something for you in a short while __________________ Question - what have you done for the community today?

04-18-2007, 12:28 PM	#6 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,452 OS: N/A	Re: Vundo Trojan x 2, Slow start-up et. al. Before fixing anything, C:\WINDOWS\system32\wvuvvwu.dll Please submit the above file to this site → http://www.bleepingcomputer.com/subm....php?channel=4 Please include a link to this topic in the message. -------------- HijackThis is located at C:\PROGRA~1\HIJACK~1.1\Hijackthis.exe. Do not mistake DSS.exe as Hijackthis.exe. Do a HijackThis scan & place a check next to these items and select "Fix checked": R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file) O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file) O20 - Winlogon Notify: byxuu - C:\WINDOWS\ O20 - Winlogon Notify: ssqqomk - ssqqomk.dll (file missing) ------------------ Reboot your machine & then, if you have not done so already, please enable the viewing of Hidden files From Windows Explorer, go to Tools → Folder Options → View tab. Tick - 'Show hidden files and folder' Untick - 'Hide file extensions for known types' Untick - 'Hide protected operating system files' Click Yes to confirm & then click OK Locate and delete the following files/folders: (let me know if you fail to find/delete any) C:\WINDOWS\system32\uuxyb.ini2 C:\WINDOWS\system32\uuxyb.bak2 C:\WINDOWS\system32\uuxyb.bak1 C:\WINDOWS\system32\wvuvvwu.dll ------------------ Please perform an online scan using Internet Explorer at http://www.kaspersky.com/virusscanner Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. We only require a report from it. It does not provide an option to clean/disinfect. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply * Turn off the real time scanner of any existing antivirus program while performing the online scan --------------- In your next post, please include fresh logs from: Fresh Hijackthis log taken just before replying Fresh ComboFix log Online scan Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now __________________ Question - what have you done for the community today? Last edited by sUBs; 04-18-2007 at 12:29 PM.

04-18-2007, 02:49 PM	#8 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,452 OS: N/A	Re: Vundo Trojan x 2, Slow start-up et. al. There's a bug with Kaspersky & IE7. You need to click the lower right corner of the window & select zoom level to 75% to see Kaspersky's Accept/Decline buttons. __________________ Question - what have you done for the community today?

04-18-2007, 02:56 PM	#9 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,452 OS: N/A	Re: Vundo Trojan x 2, Slow start-up et. al. Tim, you missed this file -> C:\WINDOWS\system32\uuxyb.bak1 http://tinyurl.com/2t3bdz __________________ Question - what have you done for the community today?

04-18-2007, 03:01 PM	#10 (permalink)
jtpriddy Registered User Join Date: Apr 2007 Posts: 9 OS: XP	Re: Vundo Trojan x 2, Slow start-up et. al. Deleted the file...I thought I already did it, but it could be ANOTHER error on my part. Understood about Kaspersky, will redo. Thank you.

04-19-2007, 11:15 AM	#12 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,452 OS: N/A	Re: Vundo Trojan x 2, Slow start-up et. al. Tim, would it please you if I said you're clean? C:\QooBox\ is ComboFix's quarantine folder. We dont need it anymore. Please delete it C:\System Volume Information\ is System Restore's cache. We shall be clearing/reseting it in a minute Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure: CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder) Go to Start → Run → type control sysdm.cpl,,4 & press Enter Tick on the checkbox - Turn off System Restore on all drives Click Apply Turn it back 'On' by unticking the same checkbox & click OK DISABLE THE VIEWING OF SYSTEM FILES From Windows Explorer, go to Tools>Folder Options> View tab. Untick - Show hidden files and folder Tick - Hide file extensions for known types Tick - Hide protected operating system files Click Yes to confirm & then click OK SECURING INTERNET EXPLORER From within Internet Explorer click on the Tools menu and then click on Internet Options. Select the Security tab Click once on the Internet icon so it becomes highlighted. Select Custom Level . Change 'Download signed ActiveX controls' to Prompt Change 'Download unsigned ActiveX controls' to Disable Change 'Initialize and script ActiveX controls not marked as safe' to Disable Change 'Installation of desktop items' to Prompt Change 'Launching programs and files in an IFRAME' to Prompt Change 'Navigate sub-frames across different domains' to Prompt When all these changes have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button. Select OK to exit the Internet Properties page. ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online & their stand-alone antivirus programs: Virus, Spyware, and Malware Protection and Removal Resources → http://www.bleepingcomputer.com/forums/topict405.html It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. FIREWALL Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here → http://www.bleepingcomputer.com/forums/tutorial60.html Microsoft Windows Update → http://www.windowsupdate.com Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. SPYBOT - SEARCH & DESTROY Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial43.html AD-AWARE Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial48.html SPYWAREBLASTER SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites. Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial49.html IE-SPYAD IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here http://www.spywarewarrior.com/uiuc/resource.htm Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety. http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness. http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine. http://toolbar.google.com/ - Google Toolbar - Get the free google toolbar to help stop pop up windows. http://cleanup.stevengould.org/ - CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders. http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT. ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry. NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster. http://www.winpatrol.com/ -Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here: http://www.winpatrol.com/features.html To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html After doing all these, your system will be optimised against future threats. It's okay to delete the Hijack This folder in a couple weeks if everything is working okay. Have a safe & happy computing day. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Question - what have you done for the community today?

04-19-2007, 11:42 AM	#13 (permalink)
jtpriddy Registered User Join Date: Apr 2007 Posts: 9 OS: XP	Re: Vundo Trojan x 2, Slow start-up et. al. This is REALLY good news!! This has been a nightmare for me, and finally I am waking to a better day! One last question before we close out this thread. When I run Spyware Doctor, it is telling me that I am infected with the Munro Trojan. Since all my logs now appear clean, should I disregard this information? My computer is behaving normally, and is significantly faster than before. I promise that I will do EVERYTHING in my power to not be infected again, downloading and installing all the recommended software. I can't wait to make a donation to you guys. When I was at the end of my rope, you came through like a champ. Cheers to all of you that take the time to make the computer world a safer place. Sincerely, Tim Priddy

04-19-2007, 11:50 AM	#14 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,452 OS: N/A	Re: Vundo Trojan x 2, Slow start-up et. al. Please show me the exact messageas displayed by Spyware Doctor. I will be interested in the location of the file mentioned. __________________ Question - what have you done for the community today?

04-24-2007, 12:52 PM	#15 (permalink)
jtpriddy Registered User Join Date: Apr 2007 Posts: 9 OS: XP	Re: Vundo Trojan x 2, Slow start-up et. al. Please accept my apologies that it has taken this long to respond, as I have been at sea on this cruise ship for a while with no connection to the internet. Spyware Doctor actually reported this: Trojan.PWS.Tanspy It will not give me a complete address in the hard drive where it is supposedly located, but I will put in as much as I can. HKEY_Local_MACHINE\SOFTWARE\Microsoft\Windows\Current It said it was repaired, and I haven't seen it since, so we may be good to go on that one. Thank you for everything, I will be making a donation soon. Sincerely, Tim Priddy

05-01-2007, 12:56 PM	#17 (permalink)
jtpriddy Registered User Join Date: Apr 2007 Posts: 9 OS: XP	Re: Vundo Trojan x 2, Slow start-up et. al. Thanks again for all your help. I think this closes out this thread. You guys are amazing, and I will be recommending this site to all my infected friends... We are NOT worthy!! Tim