Old 11-30-2007, 03:39 AM   #1 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 12
OS: Windows XP Home Service Pack 2


[SOLVED] Trojan.vundo, Constant Popups and slowed system.

Hey guys, I've seen on the forum that many people have problems with Trojan.vundo. So hopefully you can help me too. I basically tried everything from Symantec to remove it but nothing was successful. Here is my HijackThis log:

Deckard's System Scanner v20071014.68
Run by Francois on 2007-11-30 13:32:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Francois.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:32:25 PM, on 2007/11/30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
c:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\DOCUME~1\Francois\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Francois\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Francois.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aceradvantage.com/stdreg
O2 - BHO: {5cd6cf60-ea93-ecc9-9064-933f34863d00} - {00d36843-f339-4609-9cce-39ae06fc6dc5} - C:\WINDOWS\system32\wjbwruie.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE} - C:\WINDOWS\system32\xxyvvvv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {76EF7DAF-F999-478B-8EC2-B793BC9158F3} - C:\WINDOWS\system32\vtstq.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] "C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe"
O4 - HKLM\..\Run: [ntiMUI] "C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\SymProbe.exe -r "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] "C:\Program Files\Realtek\InstallShield\AzMixerSel.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] "C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] "C:\Acer\Empowering Technology\eRecovery\Monitor.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] "C:\Program Files\Acer\OrbiCam\CameraAssistant.exe"
O4 - HKLM\..\Run: [LogitechVideo[inspector]] "C:\Program Files\Acer\OrbiCam\InstallHelper.exe" /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] "C:\WINDOWS\system32\ElkCtrl.exe" /automation
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [320d18a1] rundll32.exe "C:\WINDOWS\system32\fhlqwfbs.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1196164825156
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363C401-3C0E-448C-9EF5-259A8C63E052}: NameServer = 196.25.1.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E4952CD-4C1D-4E45-B3AF-613959D41D0C}: NameServer = 196.43.50.190 196.43.53.190
O17 - HKLM\System\CS1\Services\Tcpip\..\{4363C401-3C0E-448C-9EF5-259A8C63E052}: NameServer = 196.25.1.11
O17 - HKLM\System\CS2\Services\Tcpip\..\{4363C401-3C0E-448C-9EF5-259A8C63E052}: NameServer = 196.25.1.11
O20 - Winlogon Notify: xxyvvvv - C:\WINDOWS\SYSTEM32\xxyvvvv.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 13275 bytes

-- Files created between 2007-10-30 and 2007-11-30 -----------------------------

2007-11-30 13:15:27 78912 --a------ C:\WINDOWS\system32\wjbwruie.dll
2007-11-30 13:12:23 84545 --a------ C:\WINDOWS\system32\fhlqwfbs.dll
2007-11-29 20:09:52 0 d-------- C:\Documents and Settings\Francois\Application Data\RegistrySmart
2007-11-29 20:09:45 0 d-------- C:\Program Files\RegistrySmart
2007-11-29 19:49:55 0 d-------- C:\Program Files\Trend Micro
2007-11-29 18:51:10 164 --a------ C:\install.dat
2007-11-29 18:02:28 0 d-------- C:\Program Files\NoAdware5.0
2007-11-29 13:18:29 84545 --a------ C:\WINDOWS\system32\xopdvbvb.dll
2007-11-29 13:17:47 77888 --a------ C:\WINDOWS\system32\mkifttmc.dll
2007-11-29 13:08:11 31900 --a------ C:\WINDOWS\system32\oxafrykn.dll
2007-11-28 21:24:06 0 d--hs---- C:\FOUND.000
2007-11-28 20:27:42 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-11-28 20:27:42 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-11-28 20:27:42 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-11-28 20:27:42 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-11-28 20:27:42 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-11-28 20:27:42 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-11-28 20:27:42 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-11-28 20:27:42 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-11-28 20:27:42 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-11-28 20:27:42 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-11-28 20:27:42 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-11-28 20:27:42 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-11-28 20:27:42 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-11-28 20:27:42 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-11-28 20:27:42 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-11-28 20:27:42 0 d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2007-11-28 20:27:42 0 d-------- C:\Documents and Settings\Administrator\Application Data\Acer
2007-11-28 20:27:41 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-11-28 19:22:12 0 d-------- C:\WINDOWS\pss
2007-11-28 13:09:37 81984 --a------ C:\WINDOWS\system32\uocxxpws.dll
2007-11-27 23:04:52 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-27 20:58:28 56 -r-hs---- C:\WINDOWS\system32\3557BE4C83.sys
2007-11-27 15:18:24 0 d-------- C:\Program Files\Corel
2007-11-27 15:18:24 0 d-------- C:\Program Files\Common Files\Corel
2007-11-27 15:07:20 0 d-------- C:\Documents and Settings\Francois\Application Data\Corel
2007-11-27 1504 0 d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-11-27 14:53:10 3610 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-11-27 14:15:32 0 d-------- C:\Program Files\Common Files\L&H
2007-11-27 14:15:04 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-11-27 14:14:18 0 d-------- C:\Program Files\Microsoft Works
2007-11-27 14:13:23 0 d-------- C:\WINDOWS\SHELLNEW
2007-11-27 14:13:15 0 d-------- C:\Program Files\Microsoft.NET
2007-11-27 12:56:09 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-27 12:51:08 104425 --ahs---- C:\WINDOWS\system32\qtstv.ini2
2007-11-27 12:50:45 333408 --a------ C:\WINDOWS\system32\vtstq.dll
2007-11-27 12:48:31 0 d-------- C:\Program Files\Bonjour
2007-11-27 12:45:38 36864 --a------ C:\WINDOWS\system32\xxyvvvv.dll
2007-11-27 12:40:28 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-11-26 21:59:27 0 d-------- C:\Program Files\EwisoftWeb
2007-11-26 18:54:54 0 d-------- C:\Documents and Settings\Francois\Shared
2007-11-26 18:54:52 0 d-------- C:\Documents and Settings\Francois\Incomplete
2007-11-26 18:54:27 0 d-------- C:\Documents and Settings\Francois\Application Data\LimeWire
2007-11-26 18:54:16 0 d-------- C:\Program Files\LimeWire
2007-11-23 15:36:19 0 d-------- C:\Program Files\Atari
2007-11-22 22:31:37 0 d-------- C:\Documents and Settings\Francois\Application Data\Media Player Classic
2007-11-22 22:30:43 164352 --a------ C:\WINDOWS\system32\unrar.dll
2007-11-22 22:30:40 217088 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2007-11-22 22:30:40 282624 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-11-22 22:30:40 1559040 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-11-22 22:30:39 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-11-22 22:30:39 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-11-22 22:30:39 739840 --a------ C:\WINDOWS\system32\divx.dll <Not Verified; DivX, Inc.; DivX®>
2007-11-22 22:30:38 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-11-22 22:30:36 0 d-------- C:\Program Files\K-Lite Codec Pack
2007-11-22 18:56:03 0 d-------- C:\Program Files\Common Files\DirectX
2007-11-22 18:45:19 0 d-------- C:\Program Files\Codemasters
2007-11-22 18:44:56 0 d-------- C:\Documents and Settings\Francois\Application Data\InstallShield
2007-11-22 18:33:41 0 d-------- C:\Documents and Settings\Francois\Application Data\AdobeUM
2007-11-22 18:32:55 0 d-------- C:\Documents and Settings\Francois\Application Data\Adobe
2007-11-21 10:10:34 0 d-------- C:\Program Files\The Witcher
2007-11-20 09:42:38 0 d-------- C:\Documents and Settings\Francois\Application Data\WinRAR
2007-11-20 09:31:55 0 d-------- C:\Program Files\Ubisoft
2007-11-20 09:27:37 0 d-------- C:\Documents and Settings\Francois\Application Data\DAEMON Tools Pro
2007-11-20 09:26:53 0 d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2007-11-20 09:24:46 0 d-------- C:\Program Files\DAEMON Tools Pro
2007-11-20 09:22:19 685816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-11-20 09:08:27 0 d--hs---- C:\Recycled
2007-11-20 05:48:49 245824 -ra------ C:\WINDOWS\Instexec.exe <Not Verified; Logitech; Logitech>
2007-11-20 05:48:48 245824 -ra------ C:\WINDOWS\system32\InstExec.exe <Not Verified; Logitech; Logitech>
2007-11-20 05:48:45 0 d-------- C:\Program Files\Common Files\Logitech
2007-11-20 05:48:42 0 d-------- C:\Program Files\Common Files\Acer
2007-11-20 05:48:39 262144 --a------ C:\WINDOWS\system32\ElkCtrl.exe <Not Verified; Logitech Inc.; Logitech Camera Software>
2007-11-20 05:48:39 57344 --a------ C:\WINDOWS\system32\ElkCtlPS.dll <Not Verified; Logitech Inc.; Logitech Camera Software>
2007-11-20 05:48:39 319488 --a------ C:\WINDOWS\system32\CamCplRes.dll <Not Verified; Acer; Acer OrbiCam>
2007-11-20 05:48:37 167936 --a------ C:\WINDOWS\system32\VxLib.dll <Not Verified; Acer; Acer OrbiCam>
2007-11-20 05:48:37 151552 --a------ C:\WINDOWS\system32\VLib.dll <Not Verified; Acer; Acer OrbiCam>
2007-11-20 05:48:35 39424 --a------ C:\WINDOWS\system32\VxLibRes.dll <Not Verified; Acer; Acer OrbiCam>
2007-11-20 05:48:01 258048 --a------ C:\WINDOWS\system32\Uninstall_eRecovery.exe <Not Verified; Acer Inc.; Uninstall_eRecovery.exe>
2007-11-20 05:46:11 61440 --a------ C:\WINDOWS\system32\WanPacket.dll <Not Verified; CACE Technologies; WinPcap low level NetMon wrapper library>
2007-11-20 05:46:11 53299 --a------ C:\WINDOWS\system32\pthreadVC.dll
2007-11-20 05:46:11 78208 --a------ C:\WINDOWS\system32\drivers\epm-shd.sys <Not Verified; Acer Value Labs, USA; Acer EPM System Hardware Driver>
2007-11-20 05:46:11 4096 --a------ C:\WINDOWS\system32\drivers\epm-psd.sys <Not Verified; Acer Value Labs, USA; Acer EPM Power Scheme Driver>
2007-11-20 05:46:11 0 d-------- C:\Program Files\WinPCap
2007-11-20 05:46:01 21275 --a------ C:\WINDOWS\system32\drivers\AegisP.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.9.0>
2007-11-20 05:45:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Intel
2007-11-20 05:45:36 61440 --a------ C:\WINDOWS\system32\acerGina.dll <Not Verified; acer; acer eNet Management>
2007-11-20 05:45:09 0 d-------- C:\Program Files\Launch Manager
2007-11-20 05:45:07 49152 --a------ C:\WINDOWS\system32\QtBtLib.dll <Not Verified; Dritek System Inc.; Dritek System Inc. QtBtLib.DLL>
2007-11-20 05:43:55 225350 --a------ C:\WINDOWS\system32\Epm-Po.dll <Not Verified; Acer Labs USA; EPM-PO Dynamic Link Library>
2007-11-20 05:43:55 53248 --a------ C:\WINDOWS\system32\acpimof.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-11-20 05:43:14 0 d-------- C:\Documents and Settings\Francois\Bluetooth Software
2007-11-20 05:38:16 0 d-------- C:\Program Files\WIDCOMM
2007-11-20 05:38:03 0 d-------- C:\Documents and Settings\Francois\Application Data\ATI
2007-11-20 05:31:37 0 d-------- C:\Program Files\ATI Technologies
2007-11-20 05:31:21 0 d-------- C:\WINDOWS\Acer
2007-11-20 05:31:21 0 d-------- C:\Documents and Settings\Francois\Application Data\Macromedia
2007-11-20 05:30:55 0 d-------- C:\Documents and Settings\Francois\Application Data\Symantec
2007-11-20 05:30:55 0 d-------- C:\Documents and Settings\Francois\Application Data\CyberLink
2007-11-20 05:30:54 0 d--h----- C:\Documents and Settings\Francois\Templates
2007-11-20 05:30:54 0 dr------- C:\Documents and Settings\Francois\Start Menu
2007-11-20 05:30:54 0 dr-h----- C:\Documents and Settings\Francois\SendTo
2007-11-20 05:30:54 0 dr-h----- C:\Documents and Settings\Francois\Recent
2007-11-20 05:30:54 0 d--h----- C:\Documents and Settings\Francois\PrintHood
2007-11-20 05:30:54 0 d--h----- C:\Documents and Settings\Francois\NetHood
2007-11-20 05:30:54 0 dr------- C:\Documents and Settings\Francois\My Documents
2007-11-20 05:30:54 0 d--h----- C:\Documents and Settings\Francois\Local Settings
2007-11-20 05:30:54 0 dr------- C:\Documents and Settings\Francois\Favorites
2007-11-20 05:30:54 0 d-------- C:\Documents and Settings\Francois\Desktop
2007-11-20 05:30:54 0 d--hs---- C:\Documents and Settings\Francois\Cookies
2007-11-20 05:30:54 0 d--h----- C:\Documents and Settings\Francois\Application Data
2007-11-20 05:30:54 0 d-------- C:\Documents and Settings\Francois\Application Data\Identities
2007-11-20 05:30:54 0 d-------- C:\Documents and Settings\Francois\Application Data\Acer
2007-11-20 05:30:53 2883584 --ah----- C:\Documents and Settings\Francois\NTUSER.DAT
2007-11-20 05:29:58 0 d--hs---- C:\System Volume Information
2007-11-20 05:29:56 262144 --a------ C:\Documents and Settings\All Users\NTUSER.DAT
2007-11-19 23:40:44 0 d-------- C:\99e9811aee5d7c19ce39
2007-11-19 23:40:13 0 d-------- C:\dd431b120bd64c79a82fe77c2854
2007-11-19 23:39:24 0 d-------- C:\WINDOWS\network diagnostic
2007-11-19 23:32:12 0 d-------- C:\Program Files\MSBuild
2007-11-19 23:28:46 0 d-------- C:\WINDOWS\system32\XPSViewer
2007-11-19 23:28:11 0 d-------- C:\Program Files\Reference Assemblies
2007-11-19 23:26:55 0 d-------- C:\00c459a3d6372ad244
2007-11-19 23:24:01 0 d-------- C:\Program Files\MSXML 4.0
2007-11-19 23:21:40 0 d-------- C:\Program Files\MSXML 6.0
2007-11-19 23:20:33 0 d-------- C:\Program Files\Windows Media Connect 2
2007-11-19 23:20:04 0 d-------- C:\0855391250bcf20f7b
2007-11-19 23:19:23 0 d-------- C:\61e3285527d42833fdac
2007-11-19 23:19:21 0 d-------- C:\WINDOWS\system32\LogFiles
2007-11-19 23:19:21 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-11-19 23:13:57 0 d-------- C:\WINDOWS\RegisteredPackages
2007-11-19 21:42:16 0 d-------- C:\WINDOWS\Sun
2007-11-19 21:42:16 0 d-------- C:\Documents and Settings\Francois\Application Data\Sun
2007-11-19 21:41:14 0 d-------- C:\Program Files\Java
2007-11-19 21:33:23 0 d-------- C:\Program Files\Common Files\Java
2007-11-19 21:12:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-11-19 21:11:43 0 d-------- C:\WINDOWS\system32\PreInstall
2007-11-19 2133 0 d-------- C:\Documents and Settings\NetworkService\Start Menu
2007-11-19 2118 0 d--hs---- C:\Documents and Settings\Francois\UserData
2007-11-19 2112 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-11-19 20:23:15 159821 --a------ C:\WINDOWS\EMEAPAGE.EXE
2007-11-19 20:23:15 180224 --a------ C:\WINDOWS\ADDITEM.EXE <Not Verified; Acer Inc.; AddItem.exe>
2007-11-19 19:29:52 0 d-------- C:\Documents and Settings\Default User\Application Data\Symantec
2007-11-19 19:29:52 0 d-------- C:\Documents and Settings\Default User\Application Data\Identities
2007-11-19 19:29:52 0 d-------- C:\Documents and Settings\Default User\Application Data\CyberLink
2007-11-19 19:29:52 0 d-------- C:\Documents and Settings\Default User\Application Data\Acer


-- Find3M Report ---------------------------------------------------------------

2007-11-19 20:23:16 1123 --a------ C:\WINDOWS\HotFix.bat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00d36843-f339-4609-9cce-39ae06fc6dc5}]
2007/11/30 01:15 PM 78912 --a------ C:\WINDOWS\system32\wjbwruie.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE}]
2007/11/27 12:45 PM 36864 --a------ C:\WINDOWS\system32\xxyvvvv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76EF7DAF-F999-478B-8EC2-B793BC9158F3}]
2007/11/27 12:51 PM 333408 --a------ C:\WINDOWS\system32\vtstq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005/11/02 12:11 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005/11/02 12:11 AM]
"PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [2005/12/13 09:31 PM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004/08/04 05:00 AM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004/08/04 05:00 AM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004/08/04 05:00 AM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004/08/04 05:00 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005/11/03 12:25 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005/11/03 12:22 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005/11/03 12:26 AM]
"ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [2005/10/24 04:45 PM]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005/12/27 03:50 PM]
"ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005/05/11 05:15 PM]
"@"="" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007/01/22 10:19 PM]
"NAV CfgWiz"="C:\Program Files\Common Files\Symantec Shared\SymProbe.exe" []
"RTHDCPL"="RTHDCPL.EXE" [2006/04/04 02:44 AM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [2005/05/03 03:43 AM C:\WINDOWS\Alcmtr.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005/08/24 11:21 PM]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006/01/02 05:41 PM]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006/05/09 11:54 AM]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006/05/08 06:41 PM]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2006/04/03 05:03 PM]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2006/01/24 06:00 PM]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2006/03/31 10:47 AM]
"LogitechCameraAssistant"="C:\Program Files\Acer\OrbiCam\CameraAssistant.exe" [2006/03/31 10:24 AM]
"LogitechVideo[inspector]"="C:\Program Files\Acer\OrbiCam\InstallHelper.exe" [2006/03/31 10:32 AM]
"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [2004/11/01 05:22 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007/09/25 01:11 AM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007/03/12 06:30 PM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005/08/11 04:30 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005/08/11 04:30 PM]
"320d18a1"="C:\WINDOWS\system32\fhlqwfbs.dll" [2007/11/30 01:12 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004/10/13 06:24 PM]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007/09/06 03:08 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004/08/04 05:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004/12/14 04:44:06 AM]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006/01/17 10:45:32 AM]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007/11/27 02:47:48 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE}"= C:\WINDOWS\system32\xxyvvvv.dll [2007/11/27 12:45 PM 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvvvv]
xxyvvvv.dll 2007/11/27 12:45 PM 36864 C:\WINDOWS\system32\xxyvvvv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtstq.dll

*Newly Created Service* - INT15.SYS



-- End of Deckard's System Scanner: finished at 2007-11-30 13:33:44 ------------
Attached Files
File Type: txt extra.txt (19.1 KB, 2 views)
Old 12-03-2007, 02:06 PM   #2 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 12
OS: Windows XP Home Service Pack 2


Re: Trojan.vundo, Constant Popups and slowed system.

bump!
Old 12-04-2007, 12:43 AM   #3 (permalink)
Moderator, Microsoft Support
 
Join Date: Mar 2007
Location: South Australia
Posts: 10,927
OS: Windows XP Home SP2


Blog Entries: 1
Re: Trojan.vundo, Constant Popups and slowed system.

Hello and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.



Please be patient with me during this time.
Old 12-04-2007, 01:35 AM   #4 (permalink)
Moderator, Microsoft Support
 
Join Date: Mar 2007
Location: South Australia
Posts: 10,927
OS: Windows XP Home SP2


Blog Entries: 1
Re: Trojan.vundo, Constant Popups and slowed system.

Please read these instructions very carefully, and follow them in the exact order I have listed. If you don’t understand any part of the fix please ask before proceeding.

You may want to print out these instructions, or copy them into Notepad.

Please note: Just because you have a lack of symptoms, it doesn’t mean the problem is gone. Please stay with me until I declare your logs clean. Thank you.

=====================

P2P - I see you have P2P software (Limewire) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

=====================

ComboFix

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

----------------------------

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

----------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" for further review.

**Please Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall**

=====================

Please go here:

C:\Program Files\Trend Micro\HijackThis, and double click on Francois.exe. (This is Hijackthis just renamed.)

---------------------------

Click on Do a system scan and save a logfile.

Post the hijackthis.log back in this thread (make sure you post everything in the log, including the System Information at the top).

=======================

Required Logs

In your next reply please include:
  • Combofix.txt
  • Hijackthis log
Also how is your system behaving now?
Old 12-04-2007, 01:57 PM   #5 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 12
OS: Windows XP Home Service Pack 2


Re: Trojan.vundo, Constant Popups and slowed system.

Hello, thank you very much for the help. Over the past few days since I first posted I tried a couple of different things to remove trojan.vundo, e.g. the Symantec tool, the VundoFix referred to on this site and Spybot Search & Destroy. The tools seem to remove it, but the next day trojan.vundo is back again when connected to the internet. I also removed Limewire. Here are my new logs.

ComboFix

ComboFix 07-12-02.7 - Francois 2007-12-04 23:30:08.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.274 [GMT 2:00]
Running from: C:\Documents and Settings\Francois\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\_000002_.tmp.dll
C:\WINDOWS\system32\_000003_.tmp.dll
C:\WINDOWS\system32\_000004_.tmp.dll
C:\WINDOWS\system32\_000005_.tmp.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000009_.tmp.dll
C:\WINDOWS\system32\_000010_.tmp.dll
C:\WINDOWS\system32\_000011_.tmp.dll
C:\WINDOWS\system32\_000012_.tmp.dll
C:\WINDOWS\system32\_000013_.tmp.dll
C:\WINDOWS\system32\_000014_.tmp.dll
C:\WINDOWS\system32\bvbvdpox.ini
C:\WINDOWS\system32\hytqthdj.dll
C:\WINDOWS\system32\jdhtqtyh.ini
C:\WINDOWS\system32\mkifttmc.dll
C:\WINDOWS\system32\mmtarnxs.dll
C:\WINDOWS\system32\nqtwa.ini
C:\WINDOWS\system32\nqtwa.ini2
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\qtstv.ini
C:\WINDOWS\system32\qtstv.ini2
C:\WINDOWS\system32\sxnratmm.ini
C:\WINDOWS\system32\ukdxjrei.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wjbwruie.dll
C:\WINDOWS\system32\xopdvbvb.dll
C:\WINDOWS\system32\xxyvvvv.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\NPF


((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
.

2007-12-04 23:39 . 2007-12-04 23:39 6,495 --ahs---- C:\WINDOWS\system32\nqtwa.ini
2007-12-01 14:12 . 2007-12-01 14:12 324,192 --a------ C:\WINDOWS\system32\awtqn.dll
2007-11-30 15:56 . 2007-11-30 15:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-30 14:14 . 2007-11-30 14:15 <DIR> d-------- C:\VundoFix Backups
2007-11-30 13:12 . 2007-12-03 11:47 793,104 ---hs---- C:\WINDOWS\system32\sbfwqlhf.ini
2007-11-29 20:09 . 2007-11-29 20:09 <DIR> d-------- C:\Program Files\RegistrySmart
2007-11-29 20:09 . 2007-11-29 20:09 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\RegistrySmart
2007-11-29 19:49 . 2007-11-29 19:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-29 19:47 . 2007-11-29 19:48 <DIR> d-------- C:\Deckard
2007-11-29 19:33 . 2007-11-29 19:46 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-29 19:32 . 2007-11-29 19:46 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-29 18:51 . 2007-11-29 18:51 164 --a------ C:\install.dat
2007-11-29 13:08 . 2007-11-29 13:08 31,900 --a------ C:\WINDOWS\system32\oxafrykn.dll
2007-11-28 21:24 . 2007-11-28 21:24 <DIR> d--hs---- C:\FOUND.000
2007-11-28 20:27 . 2003-09-03 15:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-11-28 20:27 . 2003-09-03 15:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2007-11-28 20:27 . 2003-09-03 15:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Acer
2007-11-28 19:08 . 2007-11-28 21:54 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-28 13:07 . 2007-11-29 13:07 4,772 ---hs---- C:\WINDOWS\system32\gvphmpdh.ini
2007-11-27 23:04 . 2007-11-27 23:04 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-27 21:10 . 2007-11-27 21:11 38 --a------ C:\WINDOWS\avisplitter.INI
2007-11-27 21:00 . 2007-11-27 21:00 46,360 --a------ C:\WINDOWS\FontData.fdb
2007-11-27 20:58 . 2007-11-27 20:58 56 -r-hs---- C:\WINDOWS\system32\3557BE4C83.sys
2007-11-27 15:35 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-11-27 15:35 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-11-27 15:18 . 2007-11-27 15:18 <DIR> d-------- C:\Program Files\Corel
2007-11-27 15:18 . 2007-11-27 15:18 <DIR> d-------- C:\Program Files\Common Files\Corel
2007-11-27 15:07 . 2007-11-27 15:07 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\Corel
2007-11-27 15:06 . 2007-11-27 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-11-27 14:53 . 2007-11-27 20:58 3,610 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-11-27 14:29 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-11-27 14:29 . 2007-11-27 14:41 376 --a------ C:\WINDOWS\ODBC.INI
2007-11-27 14:15 . 2007-11-27 14:15 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-11-27 14:15 . 2007-11-27 14:15 <DIR> d-------- C:\Program Files\Common Files\L&H
2007-11-27 14:14 . 2007-11-27 14:14 <DIR> d-------- C:\Program Files\Microsoft Works
2007-11-27 14:13 . 2007-11-27 14:13 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-11-27 14:13 . 2007-11-27 14:13 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-11-27 12:56 . 2007-11-27 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-27 12:48 . 2007-11-27 12:48 <DIR> d-------- C:\Program Files\Bonjour
2007-11-27 12:40 . 2007-11-27 12:40 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-11-26 21:59 . 2007-11-26 21:59 <DIR> d-------- C:\Program Files\EwisoftWeb
2007-11-26 18:54 . 2007-11-26 18:54 <DIR> d-------- C:\Documents and Settings\Francois\Shared
2007-11-26 18:54 . 2007-11-26 18:54 <DIR> d-------- C:\Documents and Settings\Francois\Incomplete
2007-11-26 18:54 . 2007-11-26 18:54 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\LimeWire
2007-11-23 15:36 . 2007-11-23 15:36 <DIR> d-------- C:\Program Files\Atari
2007-11-22 22:31 . 2007-11-22 22:31 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\Media Player Classic
2007-11-22 22:30 . 2007-11-22 22:30 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-11-22 18:56 . 2007-11-22 18:56 <DIR> d-------- C:\Program Files\Common Files\DirectX
2007-11-22 18:45 . 2007-11-22 18:45 <DIR> d-------- C:\Program Files\Codemasters
2007-11-22 18:44 . 2007-11-22 18:44 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\InstallShield
2007-11-22 18:33 . 2007-11-22 18:33 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\AdobeUM
2007-11-21 15:13 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-11-21 15:13 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2007-11-21 15:13 . 2004-08-04 05:00 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-11-21 15:13 . 2004-08-04 05:00 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys
2007-11-21 10:10 . 2007-11-21 10:10 <DIR> d-------- C:\Program Files\The Witcher
2007-11-20 09:35 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-11-20 09:35 . 2006-09-28 16:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-11-20 09:35 . 2007-11-21 10:20 278,984 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2007-11-20 09:35 . 2007-11-20 09:35 25,416 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2007-11-20 09:31 . 2007-11-20 09:31 <DIR> d-------- C:\Program Files\Ubisoft
2007-11-20 09:27 . 2007-11-20 09:27 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\DAEMON Tools Pro
2007-11-20 09:26 . 2007-11-20 09:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2007-11-20 09:24 . 2007-11-20 09:24 <DIR> d-------- C:\Program Files\DAEMON Tools Pro
2007-11-20 09:22 . 2007-11-20 09:22 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-11-20 09:18 . 2004-08-04 05:00 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2007-11-20 09:08 . 2007-11-20 09:08 <DIR> d--hs---- C:\Recycled
2007-11-20 08:57 . 2007-08-20 12:04 6,058,496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-20 08:57 . 2007-04-17 11:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-20 08:57 . 2007-03-08 07:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-20 08:57 . 2007-08-20 12:04 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-20 08:57 . 2007-08-20 12:04 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-20 08:57 . 2007-08-20 12:04 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-20 08:57 . 2007-08-20 12:04 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-20 08:57 . 2007-08-20 12:04 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-20 08:57 . 2007-08-17 12:20 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-20 05:53 . 2007-12-04 23:39 343 --a------ C:\WINDOWS\system32\eRLog.ini
2007-11-20 05:52 . 2007-11-20 05:52 92 --a------ C:\WINDOWS\GridV.UNI
2007-11-20 05:48 . 2007-11-20 05:48 <DIR> d-------- C:\Program Files\Common Files\Logitech
2007-11-20 05:48 . 2007-11-20 05:48 <DIR> d-------- C:\Program Files\Common Files\Acer
2007-11-20 05:46 . 2007-11-20 05:46 <DIR> d-------- C:\Program Files\WinPCap
2007-11-20 05:46 . 2006-01-23 12:41 78,208 --a------ C:\WINDOWS\system32\drivers\epm-shd.sys
2007-11-20 05:46 . 2007-11-20 05:46 21,275 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-11-20 05:46 . 2006-01-23 12:41 4,096 --a------ C:\WINDOWS\system32\drivers\epm-psd.sys
2007-11-20 05:45 . 2007-11-20 05:46 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Intel
2007-11-20 05:45 . 2007-11-20 05:45 <DIR> d-------- C:\Program Files\Launch Manager
2007-11-20 05:45 . 2007-11-20 05:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intel
2007-11-20 05:45 . 2006-04-10 10:09 61,440 --a------ C:\WINDOWS\system32\acerGina.dll
2007-11-20 05:45 . 2002-12-19 15:58 49,152 --a------ C:\WINDOWS\system32\QtBtLib.dll
2007-11-20 05:45 . 2004-12-08 14:10 16,896 --a------ C:\WINDOWS\system32\drivers\DKbFltr.SYS
2007-11-20 05:45 . 2004-12-09 12:04 5,120 --a------ C:\WINDOWS\system32\FILTRCOI.DLL
2007-11-20 05:45 . 2007-11-20 05:45 83 --a------ C:\WINDOWS\QtZgAcer.UNI
2007-11-20 05:45 . 2007-11-20 05:45 0 --a------ C:\WINDOWS\NT.INI
2007-11-20 05:43 . 2007-11-20 05:43 <DIR> d-------- C:\Documents and Settings\Francois\Bluetooth Software
2007-11-20 05:43 . 2006-01-20 15:56 225,350 --a------ C:\WINDOWS\system32\Epm-Po.dll
2007-11-20 05:43 . 2006-01-20 15:56 53,248 --a------ C:\WINDOWS\system32\acpimof.dll
2007-11-20 05:38 . 2007-11-20 05:38 <DIR> d-------- C:\Program Files\WIDCOMM
2007-11-20 05:38 . 2007-11-20 05:38 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\ATI
2007-11-20 05:31 . 2007-11-20 05:31 <DIR> d-------- C:\WINDOWS\Acer
2007-11-20 05:31 . 2007-11-20 05:31 <DIR> d-------- C:\Program Files\ATI Technologies

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-19 20:21 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-11-19 20:21 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-01 12:49 542,088 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-01 12:49 161,160 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-09-28 15:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 15:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-09-28 15:05 739,840 ----a-w C:\WINDOWS\system32\divx.dll
2007-09-04 15:56 164,352 ----a-w C:\WINDOWS\system32\unrar.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05A73C0A-8DF5-4444-BF95-DF237B76DA77}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DE0D0A9-1545-40EF-9733-7CD20092AE26}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A3FC7B6-33A6-4AE8-96BF-02AB8A4D9EF2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4DDEB637-D486-4A89-A531-BD9D3854FF70}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5895BE39-EED2-4982-B660-A0FE213A03C0}]
C:\WINDOWS\system32\vtstq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DB58EA0-A933-43EE-A761-C40960F60E43}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7ACE2002-725D-4428-B7C0-8A389404A69B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D5B109A-6A3C-44C1-A4A2-CDE0D359B12C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8539543E-FBD0-4E09-964F-1E92AB75CEFB}]
2007-12-01 14:12 324192 --a------ C:\WINDOWS\system32\awtqn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D0242B32-27E4-4E13-84C1-9D1DCBD4F44B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D635D348-C0E5-4B49-8C42-F06781E62965}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED94524D-12F8-4350-A8E5-2ACCD2B0134B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F2B4C1B1-2FB8-43FE-92A9-4D1106F93679}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f4ea1405-b59d-4d76-b5e9-53e0fa1388bf}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE274981-54DF-4F99-878D-4AC593CD26AD}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 15:08]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-11-02 00:11]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-02 00:11]
"PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [2005-12-13 21:31]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-03 00:25]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-03 00:22]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-03 00:26]
"ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [2005-10-24 16:45]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 15:50]
"ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 17:15]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19]
"NAV CfgWiz"="C:\Program Files\Common Files\Symantec Shared\SymProbe.exe" []
"RTHDCPL"="RTHDCPL.EXE" [2006-04-04 02:44 C:\WINDOWS\RTHDCPL.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-24 23:21]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-09 11:54]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-08 18:41]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2006-04-03 17:03]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 18:00]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2006-03-31 10:47]
"LogitechCameraAssistant"="C:\Program Files\Acer\OrbiCam\CameraAssistant.exe" [2006-03-31 10:24]
"LogitechVideo[inspector]"="C:\Program Files\Acer\OrbiCam\InstallHelper.exe" [2006-03-31 10:32]
"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [2004-11-01 17:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-01-17 10:45:32]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-27 14:47:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvvvv]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\awtqn.dll

R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys
R1 OsaFsLoc;OsaFsLoc;\??\C:\WINDOWS\system32\drivers\OsaFsLoc.sys
R2 EpmPsd;Acer EPM Power Scheme Driver;\??\C:\WINDOWS\system32\drivers\epm-psd.sys
R2 EpmShd;Acer EPM System Hardware Driver;\??\C:\WINDOWS\system32\drivers\epm-shd.sys
R2 int15.sys;int15.sys;\??\C:\Acer\Empowering Technology\eRecovery\int15.sys
R2 osaio;osaio;\??\C:\WINDOWS\system32\drivers\osaio.sys
R2 osanbm;osanbm;\??\C:\WINDOWS\system32\drivers\osanbm.sys
R3 DKbFltr;Dritek Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
R3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\Drivers\lv321av.sys
R3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys
R3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys
R3 SMCB000;SMSC CIR HID Miniport Device Driver;C:\WINDOWS\system32\DRIVERS\hidsmsc.sys
S3 AVerE506;AVerE506 service;C:\WINDOWS\system32\DRIVERS\AVerE506.sys
S3 AVerM115;AVerM115 service;C:\WINDOWS\system32\DRIVERS\AVerM115.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-26 16:57:10 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Francois.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
"2007-11-29 18:09:58 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.exe
- C:\Program Files\RegistrySmart
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 23:39:11
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-04 23:41:06 - machine was rebooted
.
--- E O F ---


HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:27 PM, on 2007/12/04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
c:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\DOCUME~1\Francois\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Trend Micro\HijackThis\Francois.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.salestronics.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aceradvantage.com/stdreg
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = dsl-cache.saix.net:8080
O2 - BHO: (no name) - {05A73C0A-8DF5-4444-BF95-DF237B76DA77} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DE0D0A9-1545-40EF-9733-7CD20092AE26} - (no file)
O2 - BHO: (no name) - {1A3FC7B6-33A6-4AE8-96BF-02AB8A4D9EF2} - (no file)
O2 - BHO: (no name) - {4DDEB637-D486-4A89-A531-BD9D3854FF70} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5895BE39-EED2-4982-B660-A0FE213A03C0} - C:\WINDOWS\system32\vtstq.dll (file missing)
O2 - BHO: (no name) - {6DB58EA0-A933-43EE-A761-C40960F60E43} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7ACE2002-725D-4428-B7C0-8A389404A69B} - (no file)
O2 - BHO: (no name) - {7D5B109A-6A3C-44C1-A4A2-CDE0D359B12C} - (no file)
O2 - BHO: (no name) - {8539543E-FBD0-4E09-964F-1E92AB75CEFB} - C:\WINDOWS\system32\awtqn.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D0242B32-27E4-4E13-84C1-9D1DCBD4F44B} - (no file)
O2 - BHO: (no name) - {D635D348-C0E5-4B49-8C42-F06781E62965} - (no file)
O2 - BHO: (no name) - {ED94524D-12F8-4350-A8E5-2ACCD2B0134B} - (no file)
O2 - BHO: (no name) - {F2B4C1B1-2FB8-43FE-92A9-4D1106F93679} - (no file)
O2 - BHO: (no name) - {f4ea1405-b59d-4d76-b5e9-53e0fa1388bf} - (no file)
O2 - BHO: (no name) - {FE274981-54DF-4F99-878D-4AC593CD26AD} - (no file)
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] "C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe"
O4 - HKLM\..\Run: [ntiMUI] "C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\SymProbe.exe -r "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] "C:\Program Files\Realtek\InstallShield\AzMixerSel.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] "C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] "C:\Acer\Empowering Technology\eRecovery\Monitor.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] "C:\Program Files\Acer\OrbiCam\CameraAssistant.exe"
O4 - HKLM\..\Run: [LogitechVideo[inspector]] "C:\Program Files\Acer\OrbiCam\InstallHelper.exe" /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] "C:\WINDOWS\system32\ElkCtrl.exe" /automation
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1196164825156
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363C401-3C0E-448C-9EF5-259A8C63E052}: NameServer = 196.25.1.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{4363C401-3C0E-448C-9EF5-259A8C63E052}: NameServer = 196.25.1.11
O17 - HKLM\System\CS2\Services\Tcpip\..\{4363C401-3C0E-448C-9EF5-259A8C63E052}: NameServer = 196.25.1.11
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 14735 bytes


Again thank you very much for your help!

Last edited by tetonbob; 12-04-2007 at 05:25 PM. Reason: removed quote tags; makes logs harder to read
Old 12-05-2007, 02:51 AM   #6 (permalink)
Go The Power
Moderator, Microsoft Support
Join Date: Mar 2007
Location: South Australia
Posts: 10,927
OS: Windows XP Home SP2
Re: Trojan.vundo, Constant Popups and slowed system.

Hello again

Please read these instructions very carefully, and follow them in the exact order I have listed. If you don’t understand any part of the fix, please ask before proceeding.

You may want to print out these instructions, or copy them into Notepad.

Please note: just because you have a lack of symptoms, it doesn’t mean the problem is gone. Please stay with me until I declare your logs clean. Thank you.

=====================

1. Close any open browsers.

2. Open Notepad and copy/paste the text in the quote box below into it:

Quote:
File::
C:\WINDOWS\system32\awtqn.dll
C:\WINDOWS\system32\vtstq.dll
C:\WINDOWS\system32\nqtwa.ini
C:\WINDOWS\system32\sbfwqlhf.ini
C:\WINDOWS\system32\oxafrykn.dll
C:\WINDOWS\system32\gvphmpdh.ini
C:\WINDOWS\system32\mcrh.tmp

Folder::
C:\Documents and Settings\Francois\Shared
C:\Documents and Settings\Francois\Incomplete
C:\Documents and Settings\Francois\Application Data\LimeWire
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05A73C0A-8DF5-4444-BF95-DF237B76DA77}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DE0D0A9-1545-40EF-9733-7CD20092AE26}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A3FC7B6-33A6-4AE8-96BF-02AB8A4D9EF2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4DDEB637-D486-4A89-A531-BD9D3854FF70}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5895BE39-EED2-4982-B660-A0FE213A03C0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DB58EA0-A933-43EE-A761-C40960F60E43}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7ACE2002-725D-4428-B7C0-8A389404A69B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D5B109A-6A3C-44C1-A4A2-CDE0D359B12C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8539543E-FBD0-4E09-964F-1E92AB75CEFB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D0242B32-27E4-4E13-84C1-9D1DCBD4F44B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D635D348-C0E5-4B49-8C42-F06781E62965}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED94524D-12F8-4350-A8E5-2ACCD2B0134B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F2B4C1B1-2FB8-43FE-92A9-4D1106F93679}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f4ea1405-b59d-4d76-b5e9-53e0fa1388bf}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE274981-54DF-4F99-878D-4AC593CD26AD}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvvvv]
Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

**Please Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall**

=====================

Panda Online Scan

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of Panda's 8 MB ActiveX control will take place*

Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click

* You needn't remain online while it's doing the scan, but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


Paste the Panda Scan report here

=====================

Please double-click on Francois.exe and click on Do a System Scan Only. Check the following entries (if they still exist; make sure you do not miss any):


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm


Please remember to close all other windows, including browsers, then click Fix checked.

Then click Scan and Save log

Please post the log back into this thread.

=====================

Required Logs

In your next reply please include:
  • Hijackthis log
  • ComboFix.txt
  • Panda online scan results
Also how is your system behaving now?

Last edited by Go The Power; 12-05-2007 at 02:53 AM.
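A check a helper would run on the logs that come back after a script like the one above, added here as an example and not code from the thread, from ComboFix or from HijackThis: it parses the CFScript's File::/Folder::/Registry:: sections and the ComboFix log's "Other Deletions" and "Files Created" sections, then reports which requested deletions the log confirms, which it does not, and which newly created files share a name stem with something the script targeted. The sample text is a constructed excerpt of the CFScript above and of the ComboFix log posted later in the thread; the name-stem and hidden+system heuristics are this example's own, not rules from the thread.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt of the CFScript posted above (entries taken from the thread).
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\awtqn.dll
C:\WINDOWS\system32\vtstq.dll
C:\WINDOWS\system32\nqtwa.ini

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvvvv]
"""

# Constructed excerpt of the ComboFix log posted later in the thread; the
# section banners and line layout are the ones ComboFix prints on the page.
COMBOFIX_LOG = r"""
ComboFix 07-12-02.7 - Francois 2007-12-05 15:21:48.2 - FAT32x86
Command switches used :: C:\Documents and Settings\Francois\Desktop\CFScript.txt

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\WINDOWS\system32\awtqn.dll
C:\WINDOWS\system32\nqtwa.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-05 to 2007-12-05 )))))))))))))))))))))))))))))))
.

2007-12-04 23:40 . 2007-12-05 15:21 6,751 --ahs---- C:\WINDOWS\system32\nqtwa.ini2
2007-11-30 15:56 . 2007-11-30 15:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-27 14:53 . 2007-11-27 20:58 3,610 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
"""

SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")  # "(((( Other Deletions ))))"
CREATED_RE = re.compile(                          # "<created> . <modified> <size> <attrs> <path>"
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(<DIR>|[\d,]+)\s+([a-z-]{9})\s+(.+)$"
)


def parse_cfscript(text):
    """Split CFScript text into its File::, Folder:: and Registry:: sections."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):                 # section header such as "File::"
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_combofix(text):
    """Collect the paths under 'Other Deletions' and the records under 'Files Created'."""
    deletions, created, section = [], [], None
    for line in text.splitlines():
        line = line.rstrip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if not line or line == ".":            # ComboFix's spacer lines
            continue
        if section == "Other Deletions":
            deletions.append(line)
        elif section and section.startswith("Files Created"):
            m = CREATED_RE.match(line)
            if m:
                created.append({"created": m.group(1), "modified": m.group(2),
                                "size": m.group(3), "attrs": m.group(4), "path": m.group(5)})
    return {"deletions": deletions, "created": created}


def cross_check(cfscript_text, combofix_text):
    """Report which requested deletions the log confirms, which it does not,
    and which newly created files deserve a second look before calling the box clean."""
    script = parse_cfscript(cfscript_text)
    log = parse_combofix(combofix_text)
    requested = script.get("File", []) + script.get("Folder", [])
    deleted = {p.lower() for p in log["deletions"]}   # Windows paths: compare case-insensitively
    confirmed = [p for p in requested if p.lower() in deleted]
    unconfirmed = [p for p in requested if p.lower() not in deleted]
    # A created file whose stem matches a file the script asked to remove
    # (nqtwa.ini -> nqtwa.ini2) is a sign the component was re-created, not gone.
    stems = {PureWindowsPath(p).stem.lower() for p in script.get("File", [])}
    reappeared = [c["path"] for c in log["created"]
                  if PureWindowsPath(c["path"]).stem.lower() in stems]
    # Hidden+system files in system32 are a review list, not a verdict:
    # licensing software also drops such files.
    hidden_system = [c["path"] for c in log["created"]
                     if "h" in c["attrs"] and "s" in c["attrs"]
                     and "\\system32\\" in c["path"].lower()]
    return {"confirmed": confirmed, "unconfirmed": unconfirmed,
            "reappeared": reappeared, "hidden_system": hidden_system}


if __name__ == "__main__":
    for key, paths in cross_check(CFSCRIPT, COMBOFIX_LOG).items():
        print(f"{key}:")
        for p in paths:
            print(f"  {p}")
```

Run against the excerpt, it lists vtstq.dll as unconfirmed and nqtwa.ini2 as a re-creation of a targeted file, which is exactly the kind of signal that keeps a helper from declaring the machine clean on the strength of a "fewer popups" report.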
Old 12-06-2007, 10:24 AM   #7 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 12
OS: Windows XP Home Service Pack 2


Re: Trojan.vundo, Constant Popups and slowed system.

Hello again. I'm very sorry for not replying sooner!! But I got home as soon as I could and here are my new logs. The computer seems O.K. The popups are a lot less, maybe once or twice every time I browse, and Norton is not giving any warnings. Here are my new logs. From now on I'll be replying every day!

Here are my logs:

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:04:14 PM, on 2007/12/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
c:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\DOCUME~1\Francois\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\Francois.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.salestronics.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aceradvantage.com/stdreg
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = dsl-cache.saix.net:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35A2EE48-9FA3-4C88-A66C-AB897F224865} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] "C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe"
O4 - HKLM\..\Run: [ntiMUI] "C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\SymProbe.exe -r "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] "C:\Program Files\Realtek\InstallShield\AzMixerSel.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] "C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] "C:\Acer\Empowering Technology\eRecovery\Monitor.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] "C:\Program Files\Acer\OrbiCam\CameraAssistant.exe"
O4 - HKLM\..\Run: [LogitechVideo[inspector]] "C:\Program Files\Acer\OrbiCam\InstallHelper.exe" /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] "C:\WINDOWS\system32\ElkCtrl.exe" /automation
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1196164825156
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 12923 bytes


ComboFix:

ComboFix 07-12-02.7 - Francois 2007-12-05 15:21:48.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.477 [GMT 2:00]
Running from: C:\Documents and Settings\Francois\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Francois\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\awtqn.dll
C:\WINDOWS\system32\gvphmpdh.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nqtwa.ini
C:\WINDOWS\system32\oxafrykn.dll
C:\WINDOWS\system32\sbfwqlhf.ini
C:\WINDOWS\system32\vtstq.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Francois\Application Data\LimeWire
C:\Documents and Settings\Francois\Application Data\LimeWire\414splashfree.png
C:\Documents and Settings\Francois\Application Data\LimeWire\createtimes.cache
C:\Documents and Settings\Francois\Application Data\LimeWire\fileurns.bak
C:\Documents and Settings\Francois\Application Data\LimeWire\fileurns.cache
C:\Documents and Settings\Francois\Application Data\LimeWire\filters.props
C:\Documents and Settings\Francois\Application Data\LimeWire\gnutella.net
C:\Documents and Settings\Francois\Application Data\LimeWire\installation.props
C:\Documents and Settings\Francois\Application Data\LimeWire\library.dat
C:\Documents and Settings\Francois\Application Data\LimeWire\limewire.props
C:\Documents and Settings\Francois\Application Data\LimeWire\mojito.props
C:\Documents and Settings\Francois\Application Data\LimeWire\questions.props
C:\Documents and Settings\Francois\Application Data\LimeWire\responses.cache
C:\Documents and Settings\Francois\Application Data\LimeWire\simpp.xml
C:\Documents and Settings\Francois\Application Data\LimeWire\spam.dat
C:\Documents and Settings\Francois\Application Data\LimeWire\tables.props
C:\Documents and Settings\Francois\Application Data\LimeWire\themes\windows_theme.lwtp
C:\Documents and Settings\Francois\Application Data\LimeWire\themes\windows_theme\01_star.gif
C:\Documents and Settings\Francois\Application Data\LimeWire\themes\windows_theme\02_star.gif
C:\Documents and Settings\Francois\Application Data\LimeWire\themes\windows_theme\03_star.gif
C:\Documents and Settings\Francois\Application Data\LimeWire\themes\windows_theme\04_star.gif
C:\Documents and Settings\Francois\Application Data\LimeWire\themes\windows_theme\05_star.gif
C:\Documents and Settings\Francois\Application Data\LimeWire\themes\windows_theme\chat.gif
C:\Documents and Settings\Francois\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
C:\Documents and Settings\Francois\Application Data\LimeWire\themes\windows_theme\forward_up.gif
C:\Documents and Settings\Francois\Application Data\LimeWire\themes\windows_theme\kill.gif
C:\Documents and Settings\Francois\Application Data\LimeWire\themes\windows_theme\kill_on.gif
C:\Documents and Settings\Francois\Application Data\LimeWire\themes\windows_theme\logo.png
C:\Documents and Settings\Francois\Application Data\LimeWire\themes\windows_theme\notsearching.png
C:\Documents and Settings\Francois\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
C:\Documents and Settings\Francois\Application Data\LimeWire\themes\windows_theme\pause_up.gif
C:\Documents and Settings\Francois\Application Data\LimeWire\themes\windows_theme\play_dn.gif
C:\Documents and Settings\Francois\Application Data\LimeWire\themes\windows_theme\play_up.gif
C:\Documents and Settings\Francois\Application Data\LimeWire\themes\windows_theme\question.gif
C:\Documents and Settings\Francois\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
C:\Documents and Settings\Francois\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
C:\Documents and Settings\Francois\Application Data\LimeWire\themes\windows_theme\searching.gif
C:\Documents and Settings\Francois\Application Data\LimeWire\themes\windows_theme\splash.png
C:\Documents and Settings\Francois\Application Data\LimeWire\themes\windows_theme\splashpro.png
C:\Documents and Settings\Francois\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
C:\Documents and Settings\Francois\Application Data\LimeWire\themes\windows_theme\stop_up.gif
C:\Documents and Settings\Francois\Application Data\LimeWire\themes\windows_theme\theme.txt
C:\Documents and Settings\Francois\Application Data\LimeWire\themes\windows_theme\version.txt
C:\Documents and Settings\Francois\Application Data\LimeWire\themes\windows_theme\warning.gif
C:\Documents and Settings\Francois\Application Data\LimeWire\ttree.cache
C:\Documents and Settings\Francois\Application Data\LimeWire\version.xml
C:\Documents and Settings\Francois\Application Data\LimeWire\xml\data\delete_me
C:\Documents and Settings\Francois\Application Data\LimeWire\xml\misc\application.gif
C:\Documents and Settings\Francois\Application Data\LimeWire\xml\misc\audio.gif
C:\Documents and Settings\Francois\Application Data\LimeWire\xml\misc\document.gif
C:\Documents and Settings\Francois\Application Data\LimeWire\xml\misc\image.gif
C:\Documents and Settings\Francois\Application Data\LimeWire\xml\misc\video.gif
C:\Documents and Settings\Francois\Application Data\LimeWire\xml\schemas\application.xsd
C:\Documents and Settings\Francois\Application Data\LimeWire\xml\schemas\audio.xsd
C:\Documents and Settings\Francois\Application Data\LimeWire\xml\schemas\document.xsd
C:\Documents and Settings\Francois\Application Data\LimeWire\xml\schemas\image.xsd
C:\Documents and Settings\Francois\Application Data\LimeWire\xml\schemas\video.xsd
C:\Documents and Settings\Francois\Incomplete
C:\Documents and Settings\Francois\Incomplete\downloads.bak
C:\Documents and Settings\Francois\Incomplete\downloads.dat
C:\Documents and Settings\Francois\Shared
C:\VundoFix Backups
C:\WINDOWS\system32\awtqn.dll
C:\WINDOWS\system32\gvphmpdh.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nqtwa.ini
C:\WINDOWS\system32\oxafrykn.dll
C:\WINDOWS\system32\sbfwqlhf.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-05 to 2007-12-05 )))))))))))))))))))))))))))))))
.

2007-12-04 23:40 . 2007-12-05 15:21 6,751 --ahs---- C:\WINDOWS\system32\nqtwa.ini2
2007-11-30 15:56 . 2007-11-30 15:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-29 20:09 . 2007-11-29 20:09 <DIR> d-------- C:\Program Files\RegistrySmart
2007-11-29 20:09 . 2007-11-29 20:09 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\RegistrySmart
2007-11-29 19:49 . 2007-11-29 19:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-29 19:47 . 2007-11-29 19:48 <DIR> d-------- C:\Deckard
2007-11-29 19:33 . 2007-11-29 19:46 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-29 19:32 . 2007-11-29 19:46 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-29 18:51 . 2007-11-29 18:51 164 --a------ C:\install.dat
2007-11-28 21:24 . 2007-11-28 21:24 <DIR> d--hs---- C:\FOUND.000
2007-11-28 20:27 . 2003-09-03 15:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-11-28 20:27 . 2003-09-03 15:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2007-11-28 20:27 . 2003-09-03 15:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Acer
2007-11-27 23:04 . 2007-11-27 23:04 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-27 21:10 . 2007-11-27 21:11 38 --a------ C:\WINDOWS\avisplitter.INI
2007-11-27 21:00 . 2007-11-27 21:00 46,360 --a------ C:\WINDOWS\FontData.fdb
2007-11-27 20:58 . 2007-11-27 20:58 56 -r-hs---- C:\WINDOWS\system32\3557BE4C83.sys
2007-11-27 15:35 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-11-27 15:35 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-11-27 15:18 . 2007-11-27 15:18 <DIR> d-------- C:\Program Files\Corel
2007-11-27 15:18 . 2007-11-27 15:18 <DIR> d-------- C:\Program Files\Common Files\Corel
2007-11-27 15:07 . 2007-11-27 15:07 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\Corel
2007-11-27 15:06 . 2007-11-27 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-11-27 14:53 . 2007-11-27 20:58 3,610 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-11-27 14:29 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-11-27 14:29 . 2007-11-27 14:41 376 --a------ C:\WINDOWS\ODBC.INI
2007-11-27 14:15 . 2007-11-27 14:15 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-11-27 14:15 . 2007-11-27 14:15 <DIR> d-------- C:\Program Files\Common Files\L&H
2007-11-27 14:14 . 2007-11-27 14:14 <DIR> d-------- C:\Program Files\Microsoft Works
2007-11-27 14:13 . 2007-11-27 14:13 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-11-27 14:13 . 2007-11-27 14:13 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-11-27 12:56 . 2007-11-27 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-27 12:48 . 2007-11-27 12:48 <DIR> d-------- C:\Program Files\Bonjour
2007-11-27 12:40 . 2007-11-27 12:40 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-11-26 21:59 . 2007-11-26 21:59 <DIR> d-------- C:\Program Files\EwisoftWeb
2007-11-23 15:36 . 2007-11-23 15:36 <DIR> d-------- C:\Program Files\Atari
2007-11-22 22:31 . 2007-11-22 22:31 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\Media Player Classic
2007-11-22 22:30 . 2007-11-22 22:30 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-11-22 18:56 . 2007-11-22 18:56 <DIR> d-------- C:\Program Files\Common Files\DirectX
2007-11-22 18:45 . 2007-11-22 18:45 <DIR> d-------- C:\Program Files\Codemasters
2007-11-22 18:44 . 2007-11-22 18:44 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\InstallShield
2007-11-22 18:33 . 2007-11-22 18:33 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\AdobeUM
2007-11-21 15:13 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-11-21 15:13 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2007-11-21 15:13 . 2004-08-04 05:00 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-11-21 15:13 . 2004-08-04 05:00 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys
2007-11-21 10:10 . 2007-11-21 10:10 <DIR> d-------- C:\Program Files\The Witcher
2007-11-20 09:35 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-11-20 09:35 . 2006-09-28 16:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-11-20 09:35 . 2007-11-21 10:20 278,984 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2007-11-20 09:35 . 2007-11-20 09:35 25,416 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2007-11-20 09:31 . 2007-11-20 09:31 <DIR> d-------- C:\Program Files\Ubisoft
2007-11-20 09:27 . 2007-11-20 09:27 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\DAEMON Tools Pro
2007-11-20 09:26 . 2007-11-20 09:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2007-11-20 09:24 . 2007-11-20 09:24 <DIR> d-------- C:\Program Files\DAEMON Tools Pro
2007-11-20 09:22 . 2007-11-20 09:22 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-11-20 09:18 . 2004-08-04 05:00 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2007-11-20 09:08 . 2007-11-20 09:08 <DIR> d--hs---- C:\Recycled
2007-11-20 08:57 . 2007-08-20 12:04 6,058,496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-20 08:57 . 2007-04-17 11:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-20 08:57 . 2007-03-08 07:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-20 08:57 . 2007-08-20 12:04 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-20 08:57 . 2007-08-20 12:04 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-20 08:57 . 2007-08-20 12:04 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-20 08:57 . 2007-08-20 12:04 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-20 08:57 . 2007-08-20 12:04 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-20 08:57 . 2007-08-17 12:20 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-20 05:53 . 2007-12-05 15:07 343 --a------ C:\WINDOWS\system32\eRLog.ini
2007-11-20 05:52 . 2007-11-20 05:52 92 --a------ C:\WINDOWS\GridV.UNI
2007-11-20 05:48 . 2007-11-20 05:48 <DIR> d-------- C:\Program Files\Common Files\Logitech
2007-11-20 05:48 . 2007-11-20 05:48 <DIR> d-------- C:\Program Files\Common Files\Acer
2007-11-20 05:46 . 2007-11-20 05:46 <DIR> d-------- C:\Program Files\WinPCap
2007-11-20 05:46 . 2006-01-23 12:41 78,208 --a------ C:\WINDOWS\system32\drivers\epm-shd.sys
2007-11-20 05:46 . 2007-11-20 05:46 21,275 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-11-20 05:46 . 2006-01-23 12:41 4,096 --a------ C:\WINDOWS\system32\drivers\epm-psd.sys
2007-11-20 05:45 . 2007-11-20 05:46 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Intel
2007-11-20 05:45 . 2007-11-20 05:45 <DIR> d-------- C:\Program Files\Launch Manager
2007-11-20 05:45 . 2007-11-20 05:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intel
2007-11-20 05:45 . 2006-04-10 10:09 61,440 --a------ C:\WINDOWS\system32\acerGina.dll
2007-11-20 05:45 . 2002-12-19 15:58 49,152 --a------ C:\WINDOWS\system32\QtBtLib.dll
2007-11-20 05:45 . 2004-12-08 14:10 16,896 --a------ C:\WINDOWS\system32\drivers\DKbFltr.SYS
2007-11-20 05:45 . 2004-12-09 12:04 5,120 --a------ C:\WINDOWS\system32\FILTRCOI.DLL
2007-11-20 05:45 . 2007-11-20 05:45 83 --a------ C:\WINDOWS\QtZgAcer.UNI
2007-11-20 05:45 . 2007-11-20 05:45 0 --a------ C:\WINDOWS\NT.INI
2007-11-20 05:43 . 2007-11-20 05:43 <DIR> d-------- C:\Documents and Settings\Francois\Bluetooth Software
2007-11-20 05:43 . 2006-01-20 15:56 225,350 --a------ C:\WINDOWS\system32\Epm-Po.dll
2007-11-20 05:43 . 2006-01-20 15:56 53,248 --a------ C:\WINDOWS\system32\acpimof.dll
2007-11-20 05:38 . 2007-11-20 05:38 <DIR> d-------- C:\Program Files\WIDCOMM
2007-11-20 05:38 . 2007-11-20 05:38 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\ATI
2007-11-20 05:31 . 2007-11-20 05:31 <DIR> d-------- C:\WINDOWS\Acer
2007-11-20 05:31 . 2007-11-20 05:31 <DIR> d-------- C:\Program Files\ATI Technologies
2007-11-20 05:30 . 2003-09-03 15:57 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\Symantec
2007-11-20 05:30 . 2003-09-03 15:59 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\CyberLink
2007-11-20 05:30 . 2003-09-03 15:38 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\Acer
2007-11-20 05:29 . 2003-09-03 15:57 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
2007-11-20 05:29 . 2003-09-03 15:59 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\CyberLink
2007-11-20 05:29 . 2003-09-03 15:38 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Acer
2007-11-20 00:20 . 2006-08-21 11:14 128,896 --------- C:\WINDOWS\system32\dllcache\SET89.tmp
2007-11-20 00:20 . 2006-08-21 11:14 23,040 --------- C:\WINDOWS\system32\SET87.tmp
2007-11-20 00:20 . 2006-08-21 11:14 23,040 --------- C:\WINDOWS\system32\dllcache\SET8A.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-19 20:21 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-11-19 20:21 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-01 12:49 542,088 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-01 12:49 161,160 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-09-28 15:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 15:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-09-28 15:05 739,840 ----a-w C:\WINDOWS\system32\divx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35A2EE48-9FA3-4C88-A66C-AB897F224865}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 15:08]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-11-02 00:11]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-02 00:11]
"PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [2005-12-13 21:31]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-03 00:25]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-03 00:22]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-03 00:26]
"ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [2005-10-24 16:45]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 15:50]
"ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 17:15]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19]
"NAV CfgWiz"="C:\Program Files\Common Files\Symantec Shared\SymProbe.exe" []
"RTHDCPL"="RTHDCPL.EXE" [2006-04-04 02:44 C:\WINDOWS\RTHDCPL.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-24 23:21]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-09 11:54]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-08 18:41]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2006-04-03 17:03]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 18:00]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2006-03-31 10:47]
"LogitechCameraAssistant"="C:\Program Files\Acer\OrbiCam\CameraAssistant.exe" [2006-03-31 10:24]
"LogitechVideo[inspector]"="C:\Program Files\Acer\OrbiCam\InstallHelper.exe" [2006-03-31 10:32]
"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [2004-11-01 17:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-01-17 10:45:32]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-27 14:47:48]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\awtqn.dll

R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys
R1 OsaFsLoc;OsaFsLoc;\??\C:\WINDOWS\system32\drivers\OsaFsLoc.sys
R2 EpmPsd;Acer EPM Power Scheme Driver;\??\C:\WINDOWS\system32\drivers\epm-psd.sys
R2 EpmShd;Acer EPM System Hardware Driver;\??\C:\WINDOWS\system32\drivers\epm-shd.sys
R2 int15.sys;int15.sys;\??\C:\Acer\Empowering Technology\eRecovery\int15.sys
R2 osaio;osaio;\??\C:\WINDOWS\system32\drivers\osaio.sys
R2 osanbm;osanbm;\??\C:\WINDOWS\system32\drivers\osanbm.sys
R3 DKbFltr;Dritek Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
R3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\Drivers\lv321av.sys
R3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys
R3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys
R3 SMCB000;SMSC CIR HID Miniport Device Driver;C:\WINDOWS\system32\DRIVERS\hidsmsc.sys
S3 AVerE506;AVerE506 service;C:\WINDOWS\system32\DRIVERS\AVerE506.sys
S3 AVerM115;AVerM115 service;C:\WINDOWS\system32\DRIVERS\AVerM115.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-26 16:57:10 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Francois.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
"2007-11-29 18:09:58 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.ex
- C:\Program Files\RegistrySmart
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-05 15:27:43
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-05 15:29:08 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-04 23:41
.
--- E O F ---


Panda Online Scan:

Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Francois\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Francois\Desktop\ComboFix.exe[nircmd.cfexe]
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Francois\Cookies\francois@hotlog[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Francois\Cookies\francois@serving-sys[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Francois\Cookies\francois@advertising[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Francois\Cookies\francois@overture[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Francois\Cookies\francois@adserver.easyad[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Francois\Cookies\francois@adtech[2].txt
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Francois\Cookies\francois@anm.co[1].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Francois\Cookies\francois@fortunecity[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Francois\Cookies\francois@com[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Francois\Cookies\francois@atdmt[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Francois\Cookies\francois@ads.pointroll[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Francois\Cookies\francois@questionmarket[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Francois\Cookies\francois@server.iad.liveperson[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Francois\Cookies\francois@statcounter[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Francois\Cookies\francois@bs.serving-sys[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Francois\Cookies\francois@tribalfusion[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Francois\Cookies\francois@doubleclick[1].txt
Spyware:Spyware/Virtumonde Not disinfected C:\Deckard\System Scanner\20071130133204\BACKUP\DOCUME~1\Francois\LOCALS~1\Temp\LNPVKJXE.EXE
Virus:Trj/Downloader.PJT Disinfected C:\Deckard\System Scanner\20071130133204\BACKUP\DOCUME~1\Francois\LOCALS~1\Temp\DUUWRCWE.EXE
Spyware:Spyware/Virtumonde Not disinfected C:\Deckard\System Scanner\20071130133204\BACKUP\DOCUME~1\Francois\LOCALS~1\Temp\PSFEKLDI.EXE
Virus:Trj/Downloader.PJT Disinfected C:\Deckard\System Scanner\20071130133204\BACKUP\DOCUME~1\Francois\LOCALS~1\Temp\VRTXQOGA.EXE
Spyware:Spyware/Virtumonde Not disinfected C:\QOOBOX\Quarantine\C\WINDOWS\SYSTEM32\mkifttmc.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QOOBOX\Quarantine\catchme2007-12-04_233808.82.zip[xxyvvvv.dll]

Last edited by tetonbob; 12-06-2007 at 10:37 AM. Reason: removed quote tags; makes logs harder to read
Old 12-07-2007, 05:14 PM   #8 (permalink)
Moderator, Microsoft Support
Join Date: Mar 2007
Location: South Australia
Posts: 10,927
OS: Windows XP Home SP2
Re: Trojan.vundo, Constant Popups and slowed system.

Please read these instructions very carefully, and follow them in the exact order I have listed. If you don’t understand any part of the fix please ask before proceeding.

You may want to print out these instructions, or copy them into Notepad.

Please note: Just because you have a lack of symptoms, it doesn’t mean the problem is gone. Please stay with me until I declare your logs clean. Thank you.

=====================

Download

Click Here to download ATF Cleaner by Atribune. Save it to your Desktop.

=====================

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
File::
C:\WINDOWS\system32\nqtwa.ini2

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35A2EE48-9FA3-4C88-A66C-AB897F224865}]
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

**Please Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall**

=====================

Clean TEMP files

Go to your desktop and double click on ATF-Cleaner.exe.

Main

Under Main, click Select All, then click Empty

----------------------------

If you use Firefox, click Firefox on the menu bar

Click on Select All, then click Empty
Note: If you want to keep your saved Passwords click No on the prompt.

----------------------------

If you use Opera, click Opera on the menu bar

Click on Select All, then click Empty
Note: If you want to keep your saved Passwords click No on the prompt.

=====================

Please produce a fresh Hijackthis log

=====================

Required Logs

In your next reply please include:
  • Combofix.txt
  • Hijackthis.log
Also how is your system behaving now?
Old 12-08-2007, 09:42 AM   #9 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 12
OS: Windows XP Home Service Pack 2


Re: Trojan.vundo, Constant Popups and slowed system.

Hello,

The only thing that changed is that Norton picked up two entries for trojan.vundo.

Here are my logs:

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:33:29 PM, on 2007/12/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
c:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\DOCUME~1\Francois\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\Francois.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.salestronics.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aceradvantage.com/stdreg
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = dsl-cache.saix.net:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] "C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe"
O4 - HKLM\..\Run: [ntiMUI] "C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\SymProbe.exe -r "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] "C:\Program Files\Realtek\InstallShield\AzMixerSel.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] "C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] "C:\Acer\Empowering Technology\eRecovery\Monitor.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] "C:\Program Files\Acer\OrbiCam\CameraAssistant.exe"
O4 - HKLM\..\Run: [LogitechVideo[inspector]] "C:\Program Files\Acer\OrbiCam\InstallHelper.exe" /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] "C:\WINDOWS\system32\ElkCtrl.exe" /automation
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1196164825156
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 12639 bytes

ComboFix:

ComboFix 07-12-02.7 - Francois 2007-12-08 18:48:52.3 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.453 [GMT 2:00]
Running from: C:\Documents and Settings\Francois\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Francois\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\nqtwa.ini2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\nqtwa.ini2

.
((((((((((((((((((((((((( Files Created from 2007-11-08 to 2007-12-08 )))))))))))))))))))))))))))))))
.

2007-12-05 16:33 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2007-12-05 15:34 . 2007-12-05 15:34 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-05 15:34 . 2007-12-06 19:15 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-11-30 15:56 . 2007-11-30 15:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-29 20:09 . 2007-11-29 20:09 <DIR> d-------- C:\Program Files\RegistrySmart
2007-11-29 20:09 . 2007-11-29 20:09 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\RegistrySmart
2007-11-29 19:49 . 2007-11-29 19:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-29 19:47 . 2007-11-29 19:48 <DIR> d-------- C:\Deckard
2007-11-29 19:33 . 2007-12-06 19:15 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-29 19:32 . 2007-12-06 19:15 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-29 18:51 . 2007-11-29 18:51 164 --a------ C:\install.dat
2007-11-28 21:24 . 2007-11-28 21:24 <DIR> d--hs---- C:\FOUND.000
2007-11-28 20:27 . 2003-09-03 15:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-11-28 20:27 . 2003-09-03 15:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2007-11-28 20:27 . 2003-09-03 15:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Acer
2007-11-27 23:04 . 2007-11-27 23:04 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-27 21:10 . 2007-11-27 21:11 38 --a------ C:\WINDOWS\avisplitter.INI
2007-11-27 21:00 . 2007-11-27 21:00 46,360 --a------ C:\WINDOWS\FontData.fdb
2007-11-27 20:58 . 2007-11-27 20:58 56 -r-hs---- C:\WINDOWS\system32\3557BE4C83.sys
2007-11-27 15:35 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-11-27 15:35 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-11-27 15:18 . 2007-11-27 15:18 <DIR> d-------- C:\Program Files\Corel
2007-11-27 15:18 . 2007-11-27 15:18 <DIR> d-------- C:\Program Files\Common Files\Corel
2007-11-27 15:07 . 2007-11-27 15:07 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\Corel
2007-11-27 15:06 . 2007-11-27 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-11-27 14:53 . 2007-11-27 20:58 3,610 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-11-27 14:29 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-11-27 14:29 . 2007-11-27 14:41 376 --a------ C:\WINDOWS\ODBC.INI
2007-11-27 14:15 . 2007-11-27 14:15 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-11-27 14:15 . 2007-11-27 14:15 <DIR> d-------- C:\Program Files\Common Files\L&H
2007-11-27 14:14 . 2007-11-27 14:14 <DIR> d-------- C:\Program Files\Microsoft Works
2007-11-27 14:13 . 2007-11-27 14:13 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-11-27 14:13 . 2007-11-27 14:13 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-11-27 12:56 . 2007-11-27 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-27 12:48 . 2007-11-27 12:48 <DIR> d-------- C:\Program Files\Bonjour
2007-11-27 12:40 . 2007-11-27 12:40 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-11-26 21:59 . 2007-11-26 21:59 <DIR> d-------- C:\Program Files\EwisoftWeb
2007-11-23 15:36 . 2007-11-23 15:36 <DIR> d-------- C:\Program Files\Atari
2007-11-22 22:31 . 2007-11-22 22:31 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\Media Player Classic
2007-11-22 22:30 . 2007-11-22 22:30 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-11-22 18:56 . 2007-11-22 18:56 <DIR> d-------- C:\Program Files\Common Files\DirectX
2007-11-22 18:45 . 2007-11-22 18:45 <DIR> d-------- C:\Program Files\Codemasters
2007-11-22 18:44 . 2007-11-22 18:44 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\InstallShield
2007-11-22 18:33 . 2007-11-22 18:33 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\AdobeUM
2007-11-21 15:13 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-11-21 15:13 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2007-11-21 15:13 . 2004-08-04 05:00 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-11-21 15:13 . 2004-08-04 05:00 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys
2007-11-21 10:10 . 2007-11-21 10:10 <DIR> d-------- C:\Program Files\The Witcher
2007-11-20 09:35 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-11-20 09:35 . 2006-09-28 16:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-11-20 09:35 . 2007-11-21 10:20 278,984 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2007-11-20 09:35 . 2007-11-20 09:35 25,416 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2007-11-20 09:31 . 2007-11-20 09:31 <DIR> d-------- C:\Program Files\Ubisoft
2007-11-20 09:27 . 2007-11-20 09:27 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\DAEMON Tools Pro
2007-11-20 09:26 . 2007-11-20 09:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2007-11-20 09:24 . 2007-11-20 09:24 <DIR> d-------- C:\Program Files\DAEMON Tools Pro
2007-11-20 09:22 . 2007-11-20 09:22 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-11-20 09:18 . 2004-08-04 05:00 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2007-11-20 09:08 . 2007-11-20 09:08 <DIR> d--hs---- C:\Recycled
2007-11-20 08:57 . 2007-08-20 12:04 6,058,496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-20 08:57 . 2007-04-17 11:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-20 08:57 . 2007-03-08 07:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-20 08:57 . 2007-08-20 12:04 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-20 08:57 . 2007-08-20 12:04 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-20 08:57 . 2007-08-20 12:04 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-20 08:57 . 2007-08-20 12:04 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-20 08:57 . 2007-08-20 12:04 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-20 08:57 . 2007-08-17 12:20 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-20 05:53 . 2007-12-08 18:42 343 --a------ C:\WINDOWS\system32\eRLog.ini
2007-11-20 05:52 . 2007-11-20 05:52 92 --a------ C:\WINDOWS\GridV.UNI
2007-11-20 05:48 . 2007-11-20 05:48 <DIR> d-------- C:\Program Files\Common Files\Logitech
2007-11-20 05:48 . 2007-11-20 05:48 <DIR> d-------- C:\Program Files\Common Files\Acer
2007-11-20 05:46 . 2007-11-20 05:46 <DIR> d-------- C:\Program Files\WinPCap
2007-11-20 05:46 . 2006-01-23 12:41 78,208 --a------ C:\WINDOWS\system32\drivers\epm-shd.sys
2007-11-20 05:46 . 2007-11-20 05:46 21,275 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-11-20 05:46 . 2006-01-23 12:41 4,096 --a------ C:\WINDOWS\system32\drivers\epm-psd.sys
2007-11-20 05:45 . 2007-11-20 05:46 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Intel
2007-11-20 05:45 . 2007-11-20 05:45 <DIR> d-------- C:\Program Files\Launch Manager
2007-11-20 05:45 . 2007-11-20 05:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intel
2007-11-20 05:45 . 2006-04-10 10:09 61,440 --a------ C:\WINDOWS\system32\acerGina.dll
2007-11-20 05:45 . 2002-12-19 15:58 49,152 --a------ C:\WINDOWS\system32\QtBtLib.dll
2007-11-20 05:45 . 2004-12-08 14:10 16,896 --a------ C:\WINDOWS\system32\drivers\DKbFltr.SYS
2007-11-20 05:45 . 2004-12-09 12:04 5,120 --a------ C:\WINDOWS\system32\FILTRCOI.DLL
2007-11-20 05:45 . 2007-11-20 05:45 83 --a------ C:\WINDOWS\QtZgAcer.UNI
2007-11-20 05:45 . 2007-11-20 05:45 0 --a------ C:\WINDOWS\NT.INI
2007-11-20 05:43 . 2007-11-20 05:43 <DIR> d-------- C:\Documents and Settings\Francois\Bluetooth Software
2007-11-20 05:43 . 2006-01-20 15:56 225,350 --a------ C:\WINDOWS\system32\Epm-Po.dll
2007-11-20 05:43 . 2006-01-20 15:56 53,248 --a------ C:\WINDOWS\system32\acpimof.dll
2007-11-20 05:38 . 2007-11-20 05:38 <DIR> d-------- C:\Program Files\WIDCOMM
2007-11-20 05:38 . 2007-11-20 05:38 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\ATI
2007-11-20 05:31 . 2007-11-20 05:31 <DIR> d-------- C:\WINDOWS\Acer
2007-11-20 05:31 . 2007-11-20 05:31 <DIR> d-------- C:\Program Files\ATI Technologies
2007-11-20 05:30 . 2003-09-03 15:57 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\Symantec
2007-11-20 05:30 . 2003-09-03 15:59 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\CyberLink
2007-11-20 05:30 . 2003-09-03 15:38 <DIR> d-------- C:\Documents and Settings\Francois\Application Data\Acer
2007-11-20 05:29 . 2003-09-03 15:57 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
2007-11-20 05:29 . 2003-09-03 15:59 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\CyberLink
2007-11-20 05:29 . 2003-09-03 15:38 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Acer
2007-11-20 00:20 . 2006-08-21 11:14 128,896 --------- C:\WINDOWS\system32\dllcache\SET89.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-19 20:21 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-11-19 20:21 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-01 12:49 542,088 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-01 12:49 161,160 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-09-28 15:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 15:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-09-28 15:05 739,840 ----a-w C:\WINDOWS\system32\divx.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-04_23.40.04.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-24 06:28:54 141,424 ----a-w C:\WINDOWS\Downloaded Program Files\CONFLICT.1\asinst.dll
+ 2007-03-29 07:20:50 110,592 ----a-w C:\WINDOWS\system32\ActiveScan\as.dll
+ 2006-10-05 14:15:26 233,472 ----a-w C:\WINDOWS\system32\ActiveScan\ascontrol.dll
+ 2005-06-03 12:03:18 96,256 ----a-w C:\WINDOWS\system32\ActiveScan\asmdat.dll
+ 2003-08-01 09:00:16 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\certdll.dll
+ 2005-05-20 11:42:44 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\instlsp.dll
+ 2007-11-12 07:46:18 26,112 ----a-w C:\WINDOWS\system32\ActiveScan\JID.dll
+ 2006-02-16 16:20:20 4,608 ----a-w C:\WINDOWS\system32\ActiveScan\memvfile.dll
+ 2005-10-25 16:08:32 348,160 ----a-w C:\WINDOWS\system32\ActiveScan\msvcr71.dll
+ 2007-11-26 09:10:36 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\NanoWrapper.dll
+ 2004-05-04 13:01:02 139,264 ----a-w C:\WINDOWS\system32\ActiveScan\pavaleas.dll
+ 2006-07-14 11:04:10 45,056 ----a-w C:\WINDOWS\system32\ActiveScan\pavdr.exe
+ 2006-04-10 08:50:02 159,832 ----a-w C:\WINDOWS\system32\ActiveScan\pavexcom.dll
+ 2006-02-14 11:05:38 94,208 ----a-w C:\WINDOWS\system32\ActiveScan\pavinas.dll
+ 2006-02-16 16:35:38 180,224 ----a-w C:\WINDOWS\system32\ActiveScan\pavoe.dll
+ 2006-10-05 14:15:38 122,880 ----a-w C:\WINDOWS\system32\ActiveScan\pavpz.dll
+ 2007-06-04 09:31:52 57,344 ----a-w C:\WINDOWS\system32\ActiveScan\pavsddl.dll
+ 2006-06-30 12:13:38 8,704 ----a-w C:\WINDOWS\system32\ActiveScan\pfdnnt.exe
+ 2004-02-04 12:08:42 49,152 ----a-w C:\WINDOWS\system32\ActiveScan\port32.dll
+ 2007-10-30 08:04:14 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\Prescan.dll
+ 2006-08-01 11:23:10 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pscpu.dll
+ 2006-08-23 1108 1,388,544 ----a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll
+ 2007-10-31 11:05:06 32,768 ----a-w C:\WINDOWS\system32\ActiveScan\PSKAHKPRESCAN.dll
+ 2006-08-17 09:38:14 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\pskalloc.dll
+ 2006-09-04 09:49:54 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\pskas.dll
+ 2006-08-18 06:46:18 779,264 ----a-w C:\WINDOWS\system32\ActiveScan\pskavs.dll
+ 2007-03-26 12:25:34 417,792 ----a-w C:\WINDOWS\system32\ActiveScan\pskcmp.dll
+ 2006-08-09 08:42:24 90,112 ----a-w C:\WINDOWS\system32\ActiveScan\pskfss.dll
+ 2006-07-19 08:55:58 208,896 ----a-w C:\WINDOWS\system32\ActiveScan\pskhtml.dll
+ 2006-01-20 14:57:00 9,728 ----a-w C:\WINDOWS\system32\ActiveScan\pskmas.dll
+ 2006-05-17 07:50:12 14,336 ----a-w C:\WINDOWS\system32\ActiveScan\pskmdfs.dll
+ 2006-08-16 08:58:12 33,280 ----a-w C:\WINDOWS\system32\ActiveScan\pskpack.dll
+ 2006-06-30 12:42:36 266,240 ----a-w C:\WINDOWS\system32\ActiveScan\pskscs.dll
+ 2006-08-17 12:33:14 62,976 ----a-w C:\WINDOWS\system32\ActiveScan\pskutil.dll
+ 2006-08-08 11:13:10 13,312 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfile.dll
+ 2006-08-18 06:53:08 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfs.dll
+ 2006-08-18 06:49:50 167,936 ----a-w C:\WINDOWS\system32\ActiveScan\pskvm.dll
+ 2007-10-18 07:30:16 105,472 ----a-w C:\WINDOWS\system32\ActiveScan\psnahk.dll
+ 2007-11-23 12:29:08 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\psndsk.dll
+ 2007-10-18 07:30:38 42,496 ----a-w C:\WINDOWS\system32\ActiveScan\psnflg.dll
+ 2007-10-30 09:19:22 98,304 ----a-w C:\WINDOWS\system32\ActiveScan\psnglknt.dll
+ 2007-08-22 06:52:00 20,272 ----a-w C:\WINDOWS\system32\ActiveScan\psnhsh.dll
+ 2007-11-12 13:49:34 11,776 ----a-w C:\WINDOWS\system32\ActiveScan\psnjidsign.dll
+ 2007-08-22 06:52:04 76,080 ----a-w C:\WINDOWS\system32\ActiveScan\psnkrnl.dll
+ 2007-08-22 06:52:06 21,296 ----a-w C:\WINDOWS\system32\ActiveScan\psnmem.dll
+ 2007-10-04 13:26:28 28,672 ----a-w C:\WINDOWS\system32\ActiveScan\PsnPen.dll
+ 2007-10-23 09:40:10 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\psntuc.dll
+ 2007-05-24 09:27:36 27,136 ----a-w C:\WINDOWS\system32\ActiveScan\PSNXprs.dll
+ 2007-04-18 15:16:04 353,840 ----a-w C:\WINDOWS\system32\ActiveScan\psscan.dll
+ 2007-01-22 12:42:48 35,328 ----a-w C:\WINDOWS\system32\ActiveScan\rawvfile.dll
+ 2007-06-08 07:44:36 8,576 ----a-w C:\WINDOWS\system32\ActiveScan\RKPavProc.sys
+ 2007-06-05 08:56:40 44,928 ----a-w C:\WINDOWS\system32\ActiveScan\sdthook.sys
+ 1997-09-18 04:12:32 9,488 ----a-w C:\WINDOWS\system32\ActiveScan\sporder.dll
+ 2006-02-28 15:23:40 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\tcpvfile.dll
+ 2007-09-17 07:14:08 126,976 ----a-w C:\WINDOWS\system32\ActiveScan\Tucan.dll
+ 2003-03-25 16:53:50 11,776 ----a-w C:\WINDOWS\system32\ZPORT4AS.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 15:08]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-11-02 00:11]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-02 00:11]
"PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [2005-12-13 21:31]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-03 00:25]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-03 00:22]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-03 00:26]
"ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [2005-10-24 16:45]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 15:50]
"ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 17:15]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19]
"NAV CfgWiz"="C:\Program Files\Common Files\Symantec Shared\SymProbe.exe" []
"RTHDCPL"="RTHDCPL.EXE" [2006-04-04 02:44 C:\WINDOWS\RTHDCPL.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-24 23:21]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-09 11:54]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-08 18:41]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2006-04-03 17:03]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 18:00]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2006-03-31 10:47]
"LogitechCameraAssistant"="C:\Program Files\Acer\OrbiCam\CameraAssistant.exe" [2006-03-31 10:24]
"LogitechVideo[inspector]"="C:\Program Files\Acer\OrbiCam\InstallHelper.exe" [2006-03-31 10:32]
"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [2004-11-01 17:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-01-17 10:45:32]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-27 14:47:48]

R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys
R1 OsaFsLoc;OsaFsLoc;\??\C:\WINDOWS\system32\drivers\OsaFsLoc.sys
R2 EpmPsd;Acer EPM Power Scheme Driver;\??\C:\WINDOWS\system32\drivers\epm-psd.sys
R2 EpmShd;Acer EPM System Hardware Driver;\??\C:\WINDOWS\system32\drivers\epm-shd.sys
R2 int15.sys;int15.sys;\??\C:\Acer\Empowering Technology\eRecovery\int15.sys
R2 osaio;osaio;\??\C:\WINDOWS\system32\drivers\osaio.sys
R2 osanbm;osanbm;\??\C:\WINDOWS\system32\drivers\osanbm.sys
R3 DKbFltr;Dritek Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
R3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\Drivers\lv321av.sys
R3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys
R3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys
R3 SMCB000;SMSC CIR HID Miniport Device Driver;C:\WINDOWS\system32\DRIVERS\hidsmsc.sys
S3 AVerE506;AVerE506 service;C:\WINDOWS\system32\DRIVERS\AVerE506.sys
S3 AVerM115;AVerM115 service;C:\WINDOWS\system32\DRIVERS\AVerM115.sys
S3 SDTHOOK;SDTHOOK;C:\WINDOWS\system32\DRIVERS\SDTHOOK.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-07 20:33:18 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Francois.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
"2007-11-29 18:09:58 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.ex
- C:\Program Files\RegistrySmart
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-08 19:25:07
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-08 19:26:14 - machine was rebooted
C:\ComboFix3.txt ... 2007-12-04 23:41
C:\ComboFix2.txt ... 2007-12-05 15:29
.
--- E O F ---
Old 12-09-2007, 03:12 PM   #10 (permalink)
Moderator, Microsoft Support
Join Date: Mar 2007
Location: South Australia
Posts: 10,927
OS: Windows XP Home SP2


Blog Entries: 1
Re: Trojan.vundo, Constant Popups and slowed system.

Hello again,

Did Norton give a location for what it was finding? For example, a file path, or file name? And was it able to remove what it found?

===================

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan
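As an added example (not part of this thread or of any scanner vendor's code), a small Python triage helper for the text report the online scanner produces: the line format is taken from the Kaspersky report posted in this thread, the sample is constructed (the restore-point entries mirror the posted report; the last line is a constructed live-file hit added only to show the distinction). It separates "Object is locked" noise from real detections and tells you which hits sit only inside System Restore points rather than in live files.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the format of the Kaspersky Online Scanner text report.
# Restore-point lines mirror the report posted in this thread; the final line
# is a constructed live-file hit (example.dll is not a real finding).
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\System Volume Information\_restore{35FCD7EF-6098-4010-A613-2A9EB0916AFF}\RP1\A0001090.exe Infected: Trojan-Downloader.Win32.Small.ddp skipped
C:\System Volume Information\_restore{35FCD7EF-6098-4010-A613-2A9EB0916AFF}\RP6\A0003108.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{35FCD7EF-6098-4010-A613-2A9EB0916AFF}\RP8\A0004473.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\system32\example.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
"""

# "<path> Object is locked <action>"  -> files the scanner could not open (normally noise)
LOCKED_RE = re.compile(r"^(?P<path>.+) Object is locked (?P<action>\S+)$")
# "<path> Infected: <detection name> <action>"
INFECTED_RE = re.compile(r"^(?P<path>.+) Infected: (?P<name>\S+) (?P<action>\S+)$")
# System Restore keeps copies under System Volume Information\_restore{GUID}\RPnn\
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\",
    re.IGNORECASE,
)


@dataclass
class Finding:
    path: str
    status: str                   # "locked" or "infected"
    name: Optional[str]           # detection name for infected objects
    action: str                   # what the scanner did, e.g. "skipped"
    restore_point: Optional[int]  # RPnn number if the object is a restore-point copy


def parse_report(text: str) -> List[Finding]:
    """Parse the 'Infected Object Name / Virus Name / Last Action' lines."""
    findings: List[Finding] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOCKED_RE.match(line)
        if m:
            status, name = "locked", None
        else:
            m = INFECTED_RE.match(line)
            if not m:
                continue  # header or unrelated line
            status, name = "infected", m.group("name")
        path = m.group("path")
        rp = RESTORE_RE.search(path)
        findings.append(Finding(path, status, name, m.group("action"),
                                int(rp.group("rp")) if rp else None))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, object]:
    """Split locked-file noise from hits, and restore-point hits from live ones."""
    infected = [f for f in findings if f.status == "infected"]
    in_rp = [f for f in infected if f.restore_point is not None]
    return {
        "locked": sum(1 for f in findings if f.status == "locked"),
        "infected": len(infected),
        "in_restore_points": len(in_rp),
        "restore_points_hit": sorted({f.restore_point for f in in_rp}),
        "active_infections": [f.path for f in infected if f.restore_point is None],
        "by_name": Counter(f.name for f in infected),
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Hits that appear only under restore points are dormant copies; live paths listed under active_infections are the ones that need attention first.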
Old 12-10-2007, 10:17 AM   #11 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 12
OS: Windows XP Home Service Pack 2


Re: Trojan.vundo, Constant Popups and slowed system.

Hello, basically what happens is Norton picks up Trojan.vundo and then gives me the options to remove, repair and quarantine. When I select remove it prompts me to restart my computer and it then continues to remove the rest of it. It then gives a report saying the removal was successful. However, although I know that I'm still infected, I don't see any symptoms anymore.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, December 10, 2007 6:01:01 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/12/2007
Kaspersky Anti-Virus database records: 478251
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
G:\

Scan Statistics:
Total number of scanned objects: 104827
Number of viruses found: 10
Number of infected objects: 25
Number of suspicious objects: 0
Duration of the scan process: 00:53:48

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{53C04906-249F-49ED-B27C-F671A9354961}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Temp\CLML_AGENT_LOG1.txt Object is locked skipped
C:\WINDOWS\Temp\sqlite_bbLLIBTJsEv6i6t Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-12-10_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPHomePageActivity.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPAppActivity.log Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Francois\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Francois\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Francois\Local Settings\Temp\Perflib_Perfdata_f1c.dat Object is locked skipped
C:\Documents and Settings\Francois\Local Settings\Temp\Perflib_Perfdata_10c4.dat Object is locked skipped
C:\Documents and Settings\Francois\Local Settings\Temp\Perflib_Perfdata_10d0.dat Object is locked skipped
C:\Documents and Settings\Francois\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Francois\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Francois\Local Settings\Application Data\Acer Arcade\Log\Trace20071210.log Object is locked skipped
C:\Documents and Settings\Francois\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Francois\Local Settings\Application Data\ApplicationHistory\ePower_DMC.exe.3ca0acde.ini.inuse Object is locked skipped
C:\Documents and Settings\Francois\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Francois\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Francois\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Francois\Application Data\Symantec\PendingAlertsQueue.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLML_MAIN\CLML.db Object is locked skipped
C:\Program Files\Norton AntiVirus\Savrt\0525NAV~.TMP Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\System Volume Information\_restore{35FCD7EF-6098-4010-A613-2A9EB0916AFF}\RP1\A0001090.exe Infected: Trojan-Downloader.Win32.Small.ddp skipped
C:\System Volume Information\_restore{35FCD7EF-6098-4010-A613-2A9EB0916AFF}\RP6\A0003108.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{35FCD7EF-6098-4010-A613-2A9EB0916AFF}\RP6\A0003118.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{35FCD7EF-6098-4010-A613-2A9EB0916AFF}\RP8\A0004471.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{35FCD7EF-6098-4010-A613-2A9EB0916AFF}\RP8\A0004473.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{35FCD7EF-6098-4010-A613-2A9EB0916AFF}\RP8\A0004474.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.af skipped
C:\System Volume Information\_restore{35FCD7EF-6098-4010-A613-2A9EB0916AFF}\RP8\A0004476.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{35FCD7EF-6098-4010-A613-2A9EB0916AFF}\RP8\A0004491.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ag skipped
C:\System Volume Information\_restore{35FCD7EF-6098-4010-A613-2A9EB0916AFF}\RP10\A0004761.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{35FCD7EF-6098-4010-A613-2A9EB0916AFF}\RP10\A0004984.EXE Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{35FCD7EF-6098-4010-A613-2A9EB0916AFF}\RP10\A0004985.EXE Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{35FCD7EF-6098-4010-A613-2A9EB0916AFF}\RP13\change.log Object is locked skipped
C:\System Volume Information\_restore{35FCD7EF-6098-4010-A613-2A9EB0916AFF}\RP13\A0005411.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ag skipped
C:\System Volume Information\_restore{35FCD7EF-6098-4010-A613-2A9EB0916AFF}\RP13\A0005413.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{35FCD7EF-6098-4010-A613-2A9EB0916AFF}\RP13\A0005415.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{35FCD7EF-6098-4010-A613-2A9EB0916AFF}\RP13\A0005416.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{35FCD7EF-6098-4010-A613-2A9EB0916AFF}\RP13\A0005417.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{35FCD7EF-6098-4010-A613-2A9EB0916AFF}\RP13\A0005418.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\Deckard\System Scanner\20071130133204\backup\DOCUME~1\Francois\LOCALS~1\Temp\lnpvkjxe.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Deckard\System Scanner\20071130133204\backup\DOCUME~1\Francois\LOCALS~1\Temp\psfekldi.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\mmtarnxs.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ukdxjrei.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.af skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\xopdvbvb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\oxafrykn.dll.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\qoobox\Quarantine\catchme2007-12-04_233808.82.zip/xxyvvvv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ayy skipped
C:\qoobox\Quarantine\catchme2007-12-04_233808.82.zip ZIP: infected - 1 skipped

Scan process completed.
Old 12-10-2007, 10:22 AM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,561
OS: 2000 Pro; XP Pro; XP Home


Re: Trojan.vundo, Constant Popups and slowed system.

Hi -

I'm going to step in for a moment...

Quote:
Hello, basically what happens is norton picks up trojan.vundo and then gives me the options to remove, repair and quarantine.
It would be helpful to know the exact location Norton is finding these.

If in System Volume Information, that's System Restore, and we'll address that soon.

If in C:\Qoobox\Quarantine, that's the ComboFix quarantine; they are safe there and will also be addressed soon.

Can you more precisely tell us the locations of what Norton is alerting you to?
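The helpers' point above is that a detection's path decides what to do about it: a hit under C:\System Volume Information is an old System Restore snapshot, a hit under C:\Qoobox\Quarantine is already neutralised ComboFix quarantine, and only a hit on the live system (e.g. a DLL in system32) still needs action. The script below is an added example, not part of the original thread, that parses report lines in the format of the scanner log posted above and groups the detections by that location rule. The sample report is constructed from that format; the C:\WINDOWS\system32\awtqn.dll line is constructed to stand in for a live hit of the kind Norton reported, and the "dss_backup" bucket for Deckard's System Scanner backups is my own addition.

```python
"""Triage a Kaspersky-style scan report by where each detection lives.

Added example; not code from the thread. Location rules follow the
forum helpers' explanation: System Restore and ComboFix quarantine hits
are inert until those stores are flushed, live hits need action.
"""
import re
from collections import defaultdict

# Constructed sample in the posted log's format: <path> <verdict> <action>.
# The last line is constructed to represent a live system32 detection.
SAMPLE_REPORT = r"""
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\System Volume Information\_restore{35FCD7EF-6098-4010-A613-2A9EB0916AFF}\RP6\A0003108.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{35FCD7EF-6098-4010-A613-2A9EB0916AFF}\RP8\A0004474.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.af skipped
C:\Deckard\System Scanner\20071130133204\backup\DOCUME~1\Francois\LOCALS~1\Temp\lnpvkjxe.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\mmtarnxs.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\qoobox\Quarantine\catchme2007-12-04_233808.82.zip/xxyvvvv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ayy skipped
C:\qoobox\Quarantine\catchme2007-12-04_233808.82.zip ZIP: infected - 1 skipped
C:\WINDOWS\system32\awtqn.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
"""

# Paths contain spaces, so match the path lazily up to a known verdict form.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<verdict>Object is locked|Infected: \S+|ZIP: infected - \d+)\s+"
    r"(?P<action>\S+)$"
)


def classify_location(path):
    """Bucket a path by what the thread says its location means."""
    p = path.lower()
    if p.startswith("c:\\system volume information\\"):
        return "system_restore"       # old restore points; flushed by Combofix /u
    if "\\qoobox\\quarantine\\" in p:
        return "combofix_quarantine"  # renamed .vir / catchme zip: inert
    if "\\deckard\\system scanner\\" in p and "\\backup\\" in p:
        return "dss_backup"           # Deckard's System Scanner backups (my bucket)
    return "live"                     # on the running system: needs action


def parse_report(text):
    """Parse every non-empty report line into a dict; reject unknown shapes."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised report line: " + line)
        rec = m.groupdict()
        rec["location"] = classify_location(rec["path"])
        # "Object is locked" is scanner noise (files in use), not a detection.
        rec["is_detection"] = rec["verdict"] != "Object is locked"
        records.append(rec)
    return records


def triage(text):
    """Return {location: [(path, verdict), ...]} for detections only."""
    groups = defaultdict(list)
    for rec in parse_report(text):
        if rec["is_detection"]:
            groups[rec["location"]].append((rec["path"], rec["verdict"]))
    return dict(groups)


def summary_lines(groups):
    """Human-readable summary, live hits first so they are not missed."""
    order = ["live", "system_restore", "combofix_quarantine", "dss_backup"]
    out = []
    for loc in order:
        hits = groups.get(loc, [])
        out.append("%s: %d detection(s)" % (loc, len(hits)))
        for path, verdict in hits:
            out.append("  %s  <-  %s" % (verdict, path))
    return out


if __name__ == "__main__":
    for line in summary_lines(triage(SAMPLE_REPORT)):
        print(line)
```

Run it against a saved report and look at the "live" bucket first; anything there is what a helper would ask you to report the exact path of, while the System Restore and quarantine buckets disappear once the restore points are flushed and the quarantines emptied.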
Old 12-11-2007, 06:15 AM   #13 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 12
OS: Windows XP Home Service Pack 2


Re: Trojan.vundo, Constant Popups and slowed system.

Hello, sorry if my replies are vague, but in most cases Trojan.vundo was found in the system32 folder. However, this was 2 days ago, and I removed it via Norton. Therefore I can't remember the precise location; since then Norton has not picked up any areas infected with Trojan.vundo. However, I'm going to do a full system scan with Norton, and if it picks up the trojan I will post the directories.

Quote:
I went through Norton's old log files. Trojan.vundo was picked up in this location: Source: C:\WINDOWS\system32\awtqn.dll Norton is also unable to repair or delete this entry. The rest of the logs pick up Trojan.vundo in qoobox which is fine.

Last edited by frantheonlyter; 12-11-2007 at 06:29 AM. Reason: Added areas from Norton's where Trojan.vundo was picked up from log file
Old 12-11-2007, 07:04 AM   #14 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 12
OS: Windows XP Home Service Pack 2


Re: Trojan.vundo, Constant Popups and slowed system.

Hello, I've just finished running the full system scan from Norton and it detected nothing; it says that my computer is safe.
Old 12-12-2007, 09:00 PM   #15 (permalink)
Moderator, Microsoft Support
 
Join Date: Mar 2007
Location: South Australia
Posts: 10,927
OS: Windows XP Home SP2


Re: Trojan.vundo, Constant Popups and slowed system.

Thank you frantheonlyter

Please follow the steps Here to empty Norton's Quarantine.

=====================

Well done, your logs are clean!

Please follow all steps below to help prevent a re-infection


=====================

The following procedure will clear out ComboFix.exe, as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start => Run and copy and paste the command below into the run box:

Combofix /u

Click Ok


=====================

Microsoft updates

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

=====================

Antivirus and Firewall

It is very important that your antivirus and firewall stay up to date with the latest definitions. It would be best if you update your antivirus and firewall at least once a week.

**Note: Only have one firewall and one antivirus installed on a system at the same time. If you have more than one they may cause conflicts and system instability.**

--------------------------

Here are some good free antivirus programs and firewalls, in case you want to update or change:

Free Anti virus:

Free firewalls:

=====================

Spyware protection

Spybot -- Download and install Spybot. It is recommended that you enable TeaTimer, as it gives you real-time protection against spyware and hijackers. Follow these steps to enable TeaTimer:
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Check the "Resident "TeaTimer" (Protection of overall system settings) active." box.
--------------------------------------------------------------------------------------------------------
  • McAfee SiteAdvisor -- is a small add-on that warns you if a site you are about to visit contains malware, spam or scams. This tool is available for Firefox and Internet Explorer.
=====================

Alternative Browsers

Using another browser can help prevent a malware infection, as these two (free) browsers are safer to use than IE.

=====================

Recommended reading material

Please read through these three links, as they provide very useful information on preventing re-infection.
Please respond to this thread one more time so we can mark this thread as resolved.
Old 12-13-2007, 05:13 AM   #16 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 12
OS: Windows XP Home Service Pack 2


Re: Trojan.vundo, Constant Popups and slowed system.

Thank you very much for your help everything is in great working order.
Old 12-13-2007, 03:09 PM   #17 (permalink)
Moderator, Microsoft Support
 
Join Date: Mar 2007
Location: South Australia
Posts: 10,927
OS: Windows XP Home SP2


Re: [SOLVED] Trojan.vundo, Constant Popups and slowed system.

You're welcome :)
 


Copyright 2001 - 2009, Tech Support Forum