
Registered · 9 Posts · Discussion Starter · #1
Hello - I have been trying to fix my sister's computer for the last 3 weeks. As you can imagine, I am at my wit's end. I posted my log on another forum, but after almost three weeks with no responses, I closed it. I am hoping and praying that someone here might be able to help. Basically, the computer was infected with a ton of spyware and other goodies. When all of this started, the desktop background had been changed, there were tons of warnings and popups, and an error that said there was a "buffer overrun." I have used a combination of Adaware, Spybot S+D, and AVG Free. A lot of my problems have been fixed using those programs and other research, but it appears that there is still work to be done. Basically, when I restart the computer a couple of black DOS-looking screens quickly flash and go away. They appear to say "command.exe" and "cmd.exe." I am still getting popups whenever I am online, and both the computer and internet are ridiculously slow. After three long weeks and a nagging sister, I am beyond desperate. If anyone out there could take the time to help, I would greatly appreciate it. I realize that everyone here is a volunteer with valuable time, so I appreciate this more than you will ever know. Thanks.



Logfile of HijackThis v1.97.7
Scan saved at 5:58:27 PM, on 6/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
D:\bryon\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\vbpdtvdp.exe,
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7A7AEF0F-D0EA-46C3-8360-CBEC0FF49C0A} - C:\WINDOWS\system32\jkkHWQIX.dll (file missing)
O2 - BHO: (no name) - {8A12F6E7-94A9-4B2F-923C-C18A9AF765EB} - C:\WINDOWS\system32\cbXOExVM.dll (file missing)
O2 - BHO: (no name) - {9F8439F4-D24B-A5C1-1195-A08F02547A94} - C:\WINDOWS\system32\cfzxt.dll (file missing)
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {B1A64443-6FCA-41CE-8D51-5F8991257555} - C:\WINDOWS\system32\tuvTjKCr.dll (file missing)
O2 - BHO: {6ee35544-ee2e-312b-1284-10e8a0769eed} - {dee9670a-8e01-4821-b213-e2ee44553ee6} - C:\WINDOWS\system32\vjftetfu.dll
O2 - BHO: (no name) - {EFC79B80-1CCE-4C1B-913C-C58870718B29} - C:\WINDOWS\system32\urqoPjIc.dll (file missing)
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [hpinstantsupport] "C:\Program Files\Hewlett-Packard\hpis\bin\matcliwrapper.exe" "C:\Program Files\Hewlett-Packard\hpis\" -boot
O4 - HKLM\..\Run: [kxshstjm] C:\WINDOWS\System32\clvdwcp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [1871ccc1] rundll32.exe "C:\WINDOWS\system32\mlkbxkwq.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BM1b42ff5d] Rundll32.exe "C:\WINDOWS\system32\gqcklxci.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [rasmxs] C:\WINDOWS\System32\rasmxs.exe
O4 - HKCU\..\Run: [homwanco] C:\WINDOWS\system32\lmxihufa.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\Me\Application Data\Microsoft\dtsc\28775.exe
O4 - HKCU\..\Run: [A00FF3E38.exe] C:\DOCUME~1\Me\LOCALS~1\Temp\_A00FF3E38.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [A00FE1FD8.exe] C:\DOCUME~1\Me\LOCALS~1\Temp\_A00FE1FD8.exe
O4 - HKCU\..\Run: [A00F52D7A82.exe] C:\DOCUME~1\Me\LOCALS~1\Temp\_A00F52D7A82.exe
O4 - HKCU\..\Run: [A00FA832A2B.exe] C:\DOCUME~1\Me\LOCALS~1\Temp\_A00FA832A2B.exe
O4 - HKCU\..\Run: [A00F6C68AF.exe] C:\DOCUME~1\Me\LOCALS~1\Temp\_A00F6C68AF.exe
O4 - HKCU\..\Run: [A00F82717E.exe] C:\DOCUME~1\Me\LOCALS~1\Temp\_A00F82717E.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1096151892750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138753354218
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38052.6777199074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 

Registered · 4,582 Posts
Hi, welcome to tsf!

You're using a very old version of HijackThis. Please uninstall it via Control Panel > Add/Remove Programs.

Download Deckard's System Scanner to your Desktop.

Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open - main.txt (this one will be maximized) and extra.txt (this one will be minimized).
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
5. Please copy and paste the contents of main.txt and extra.txt to your post.
 

Registered · 9 Posts · Discussion Starter · #3
Hello Angelfire777 - THANK YOU SO MUCH FOR REPLYING!! My sister has been without a computer for almost a month now, so you have no idea how much I appreciate this.

MAIN:

Deckard's System Scanner v20071014.68
Run by Me on 2008-06-14 14:02:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
52: 2008-06-14 18:02:36 UTC - RP554 - Deckard's System Scanner Restore Point
51: 2008-06-14 00:31:40 UTC - RP553 - System Checkpoint
50: 2008-06-12 23:33:14 UTC - RP552 - System Checkpoint
49: 2008-06-11 23:31:36 UTC - RP551 - System Checkpoint
48: 2008-06-10 23:29:03 UTC - RP550 - System Checkpoint


-- First Restore Point --
1: 2008-05-25 23:37:11 UTC - RP503 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 255 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-14 14:04:36
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG8\avgemc.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\AVG\AVG8\aAvgApi.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Me\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\vbpdtvdp.exe,
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7A7AEF0F-D0EA-46C3-8360-CBEC0FF49C0A} - C:\WINDOWS\system32\jkkHWQIX.dll (file missing)
O2 - BHO: (no name) - {8A12F6E7-94A9-4B2F-923C-C18A9AF765EB} - C:\WINDOWS\system32\cbXOExVM.dll (file missing)
O2 - BHO: (no name) - {9F8439F4-D24B-A5C1-1195-A08F02547A94} - C:\WINDOWS\system32\cfzxt.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O2 - BHO: (no name) - {B1A64443-6FCA-41CE-8D51-5F8991257555} - C:\WINDOWS\system32\tuvTjKCr.dll (file missing)
O2 - BHO: {6ee35544-ee2e-312b-1284-10e8a0769eed} - {dee9670a-8e01-4821-b213-e2ee44553ee6} - C:\WINDOWS\system32\vjftetfu.dll (file missing)
O2 - BHO: (no name) - {EFC79B80-1CCE-4C1B-913C-C58870718B29} - C:\WINDOWS\system32\urqoPjIc.dll (file missing)
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [hpinstantsupport] "C:\Program Files\Hewlett-Packard\hpis\bin\matcliwrapper.exe" "C:\Program Files\Hewlett-Packard\hpis\" -boot
O4 - HKLM\..\Run: [kxshstjm] C:\WINDOWS\System32\clvdwcp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [1871ccc1] rundll32.exe "C:\WINDOWS\system32\mlkbxkwq.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BM1b42ff5d] Rundll32.exe "C:\WINDOWS\system32\gqcklxci.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [rasmxs] C:\WINDOWS\System32\rasmxs.exe
O4 - HKCU\..\Run: [homwanco] C:\WINDOWS\system32\lmxihufa.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\Me\Application Data\Microsoft\dtsc\28775.exe
O4 - HKCU\..\Run: [A00FF3E38.exe] C:\DOCUME~1\Me\LOCALS~1\Temp\_A00FF3E38.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [A00FE1FD8.exe] C:\DOCUME~1\Me\LOCALS~1\Temp\_A00FE1FD8.exe
O4 - HKCU\..\Run: [A00F52D7A82.exe] C:\DOCUME~1\Me\LOCALS~1\Temp\_A00F52D7A82.exe
O4 - HKCU\..\Run: [A00FA832A2B.exe] C:\DOCUME~1\Me\LOCALS~1\Temp\_A00FA832A2B.exe
O4 - HKCU\..\Run: [A00F6C68AF.exe] C:\DOCUME~1\Me\LOCALS~1\Temp\_A00F6C68AF.exe
O4 - HKCU\..\Run: [A00F82717E.exe] C:\DOCUME~1\Me\LOCALS~1\Temp\_A00F82717E.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} () - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1096151892750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138753354218
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38052.6777199074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: rtutrxy - C:\WINDOWS\system32\rtutrxy.dll (file missing)
O20 - Winlogon Notify: tuvTjKCr - C:\WINDOWS\system32\tuvTjKCr.dll (file missing)
O20 - Winlogon Notify: __c0017490 - C:\WINDOWS\system32\__c0017490.dat
O20 - Winlogon Notify: __c005C7FC - C:\WINDOWS\system32\__c005C7FC.dat (file missing)
O20 - Winlogon Notify: __c007328E - C:\WINDOWS\system32\__c007328E.dat
O20 - Winlogon Notify: __c008EFAE - C:\WINDOWS\system32\__c008EFAE.dat (file missing)
O20 - Winlogon Notify: __c00A8DC6 - C:\WINDOWS\system32\__c00A8DC6.dat
O21 - SSODL: SrvHlpEn - {74484990-E3F3-C5B3-053E-0606278A4A73} - C:\Program Files\uqyfkdd\SrvHlpEn.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe service
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


--
End of file - 10723 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ATMhelpr - c:\windows\system32\drivers\atmhelpr.sys <Not Verified; Adobe Systems Incorporated; Adobe Type Manager Deluxe>
R2 V7 - c:\windows\system32\drivers\v7.sys <Not Verified; IBM Corporation; IBM V7 Driver for Windows NT/2000>

S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 NAVAP - c:\program files\navnt\navap.sys (file missing)
S3 NAVENG - c:\progra~1\common~1\symant~1\virusd~1\20080521.003\naveng.sys (file missing)
S3 NAVEX15 - c:\progra~1\common~1\symant~1\virusd~1\20080521.003\navex15.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S2 MsSecurity1.209.4 (MsSecurity Updated) - c:\windows\winself.exe service (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Parallel Device
Device ID: ROOT\LEGACY_HPFECP20\0000
Manufacturer:
Name: Parallel Device
PNP Device ID: ROOT\LEGACY_HPFECP20\0000
Service: HPFECP20


-- Scheduled Tasks -------------------------------------------------------------

2008-06-13 11:46:10 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-14 and 2008-06-14 -----------------------------

2008-06-10 17:28:34 24576 --a------ C:\WINDOWS\system32\__c00D6C4E.dat
2008-06-10 17:28:34 24576 --a------ C:\WINDOWS\system32\__c00CD3E9.dat
2008-06-10 17:28:26 24576 --a------ C:\WINDOWS\system32\__c0017490.dat
2008-06-10 17:28:23 24576 --a------ C:\WINDOWS\system32\__c00A8DC6.dat
2008-06-10 17:28:23 24576 --a------ C:\WINDOWS\system32\__c007328E.dat
2008-06-10 15:31:40 0 d--hs---- C:\FOUND.000
2008-06-09 19:23:33 0 d--h----- C:\$AVG8.VAULT$
2008-06-09 19:13:27 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-09 19:13:24 0 d-------- C:\Documents and Settings\Me\Application Data\AVGTOOLBAR
2008-06-09 19:13:00 0 d-------- C:\Program Files\AVG
2008-06-09 19:13:00 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-09 18:28:08 37888 --a------ C:\WINDOWS\system32\eqicnnyl.exe
2008-06-09 18:22:20 84704 --a------ C:\WINDOWS\system32\mlkbxkwq.dll
2008-06-09 18:22:16 90288 --a------ C:\WINDOWS\system32\jegmxofx.dll
2008-06-09 18:10:04 98544 --a------ C:\WINDOWS\system32\yasqkoci.dll
2008-06-09 18:04:06 37888 --a------ C:\WINDOWS\system32\tnbkqgfp.exe
2008-06-09 17:58:09 90336 --a------ C:\WINDOWS\system32\aqaswtfu.dll
2008-06-07 16:54:50 98528 --a------ C:\WINDOWS\system32\qbhrodcy.dll
2008-06-07 16:45:50 37888 --a------ C:\WINDOWS\system32\nkdpkgtu.exe
2008-06-07 16:44:25 90336 --a------ C:\WINDOWS\system32\gqcklxci.dll
2008-06-06 15:54:04 37888 --a------ C:\WINDOWS\system32\nitbotts.exe
2008-06-06 15:51:03 98528 --a------ C:\WINDOWS\system32\ikeuytcc.dll
2008-06-06 15:48:03 84688 --a------ C:\WINDOWS\system32\odhtasqn.dll
2008-06-06 15:46:00 90336 --a------ C:\WINDOWS\system32\hvvlekfd.dll
2008-06-06 15:45:02 701690 --ahs---- C:\WINDOWS\system32\XIQWHkkj.ini2
2008-06-05 18:01:41 47 --a------ C:\xcrashdump.dat
2008-06-04 19:07:38 98224 --a------ C:\WINDOWS\system32\fvknwdkh.dll
2008-06-04 18:38:55 37888 --a------ C:\WINDOWS\system32\pvildlem.exe
2008-06-04 18:29:55 728646 --ahs---- C:\WINDOWS\system32\qXEOVvut.ini2
2008-06-04 17:44:48 0 d-------- C:\WINDOWS\network diagnostic
2008-06-04 16:54:47 37888 --a------ C:\WINDOWS\system32\vtefbxoi.exe
2008-06-04 16:54:38 98224 --a------ C:\WINDOWS\system32\fitbwkoe.dll
2008-06-04 16:41:26 0 d-------- C:\Program Files\Common Files\??curity
2008-05-29 18:55:43 98208 --a------ C:\WINDOWS\system32\bkwrjkth.dll
2008-05-29 18:53:12 84896 --a------ C:\WINDOWS\system32\kfjcjqyr.dll
2008-05-29 18:46:44 729643 --ahs---- C:\WINDOWS\system32\cIjPoqru.ini2
2008-05-29 18:42:52 0 d-------- C:\Documents and Settings\All Users\Application Data\setapicom
2008-05-29 18:42:46 0 d-------- C:\Documents and Settings\All Users\Application Data\AplMsg
2008-05-29 14:48:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 14:41:10 98208 --a------ C:\WINDOWS\system32\fwkeugxg.dll
2008-05-29 14:31:43 0 d-------- C:\Documents and Settings\All Users\Application Data\dscgen
2008-05-29 14:31:28 0 d-------- C:\Documents and Settings\All Users\Application Data\comwincfg
2008-05-27 13:22:56 0 d-------- C:\Program Files\Common Files\?dobe
2008-05-25 22:37:07 0 d-------- C:\Documents and Settings\Me\Application Data\uTorrent
2008-05-25 19:50:45 22528 --a------ C:\WINDOWS\time.exe
2008-05-25 19:50:43 28416 --a------ C:\WINDOWS\svcinit.exe
2008-05-25 19:50:42 31744 --a------ C:\WINDOWS\svchost32.exe
2008-05-25 19:50:41 22784 --a------ C:\WINDOWS\sistem.exe
2008-05-25 19:50:40 17152 --a------ C:\WINDOWS\searchword.dll
2008-05-25 19:50:39 31232 --a------ C:\WINDOWS\rundll16.exe
2008-05-25 19:50:38 14592 --a------ C:\WINDOWS\quicken.exe
2008-05-25 19:50:37 27904 --a------ C:\WINDOWS\qttasks.exe
2008-05-25 19:50:34 14848 --a------ C:\WINDOWS\mswsc20.dll
2008-05-25 19:50:34 10496 --a------ C:\WINDOWS\mswsc10.dll
2008-05-25 19:50:32 15616 --a------ C:\WINDOWS\msspi.dll
2008-05-25 19:50:31 13312 --a------ C:\WINDOWS\msconfd.dll
2008-05-25 19:50:30 15104 --a------ C:\WINDOWS\internet.exe
2008-05-25 19:50:30 23808 --a------ C:\WINDOWS\inetinf.exe
2008-05-25 19:50:29 20736 --a------ C:\WINDOWS\helpcvs.exe
2008-05-25 19:50:28 8704 --a------ C:\WINDOWS\gfmnaaa.dll
2008-05-25 19:50:28 9216 --a------ C:\WINDOWS\funny.exe
2008-05-25 19:50:28 25600 --a------ C:\WINDOWS\funniest.exe
2008-05-25 19:50:27 28160 --a------ C:\WINDOWS\explorer32.exe
2008-05-25 19:50:26 21248 --a------ C:\WINDOWS\explore.exe
2008-05-25 19:50:25 30464 --a------ C:\WINDOWS\editpad.exe
2008-05-25 19:50:24 14336 --a------ C:\WINDOWS\dnsrelay.dll
2008-05-25 19:50:24 11264 --a------ C:\WINDOWS\directx32.exe
2008-05-25 19:50:24 28928 --a------ C:\WINDOWS\ctrlpan.dll
2008-05-25 19:50:23 29184 --a------ C:\WINDOWS\ctfmon32.exe
2008-05-25 19:50:22 11520 --a------ C:\WINDOWS\cpan.dll
2008-05-25 19:36:57 808574 --ahs---- C:\WINDOWS\system32\MVxEOXbc.ini2
2008-05-25 19:34:18 0 d-------- C:\Program Files\uqyfkdd
2008-05-25 19:33:42 0 d-------- C:\Documents and Settings\All Users\Application Data\lmnqbyjk
2008-05-25 19:33:37 0 d-------- C:\Documents and Settings\All Users\Application Data\enutil
2008-05-25 19:33:35 0 d-------- C:\Documents and Settings\All Users\Application Data\admshcmd
2008-05-25 19:33:18 0 d-------- C:\WINDOWS\system32\vntiho06
2008-05-25 19:32:55 0 d-------- C:\Program Files\uTorrent
2008-05-25 19:32:45 0 d-------- C:\Program Files\QdrPack
2008-05-25 19:32:29 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-05-25 19:32:18 4 --a------ C:\WINDOWS\system32\hljwugsf.bin


-- Find3M Report ---------------------------------------------------------------

2008-06-04 16:41:28 0 d-------- C:\Program Files\Common Files\??curity
2008-05-27 13:22:58 0 d-------- C:\Program Files\Common Files\?dobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A7AEF0F-D0EA-46C3-8360-CBEC0FF49C0A}]
C:\WINDOWS\system32\jkkHWQIX.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A12F6E7-94A9-4B2F-923C-C18A9AF765EB}]
C:\WINDOWS\system32\cbXOExVM.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9F8439F4-D24B-A5C1-1195-A08F02547A94}]
C:\WINDOWS\system32\cfzxt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
06/09/2008 07:13 PM 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1A64443-6FCA-41CE-8D51-5F8991257555}]
C:\WINDOWS\system32\tuvTjKCr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{dee9670a-8e01-4821-b213-e2ee44553ee6}]
C:\WINDOWS\system32\vjftetfu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFC79B80-1CCE-4C1B-913C-C58870718B29}]
C:\WINDOWS\system32\urqoPjIc.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [06/09/2008 07:13 PM 2050816]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpinstantsupport"="C:\Program Files\Hewlett-Packard\hpis\bin\matcliwrapper.exe" [02/22/2003 12:47 PM]
"kxshstjm"="C:\WINDOWS\System32\clvdwcp.exe" []
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/11/2005 11:12 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/30/2006 09:36 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/25/2006 06:58 PM]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [02/05/2003 12:38 PM]
"1871ccc1"="C:\WINDOWS\system32\mlkbxkwq.dll" [06/09/2008 06:22 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/09/2008 07:13 PM]
"BM1b42ff5d"="C:\WINDOWS\system32\gqcklxci.dll" [06/07/2008 04:44 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"rasmxs"="C:\WINDOWS\System32\rasmxs.exe" []
"homwanco"="C:\WINDOWS\system32\lmxihufa.exe" []
"Microsoft Windows Installer"="C:\Documents and Settings\Me\Application Data\Microsoft\dtsc\28775.exe" []
"A00FF3E38.exe"="C:\DOCUME~1\Me\LOCALS~1\Temp\_A00FF3E38.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"A00FE1FD8.exe"="C:\DOCUME~1\Me\LOCALS~1\Temp\_A00FE1FD8.exe" []
"A00F52D7A82.exe"="C:\DOCUME~1\Me\LOCALS~1\Temp\_A00F52D7A82.exe" []
"A00FA832A2B.exe"="C:\DOCUME~1\Me\LOCALS~1\Temp\_A00FA832A2B.exe" []
"A00F6C68AF.exe"="C:\DOCUME~1\Me\LOCALS~1\Temp\_A00F6C68AF.exe" []
"A00F82717E.exe"="C:\DOCUME~1\Me\LOCALS~1\Temp\_A00F82717E.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VAIO Action Setup (Server).lnk - C:\Program Files\Sony\VAIO Action Setup\VAServ.exe [9/11/2001 8:05:59 AM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/11/2005 11:23:26 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B1A64443-6FCA-41CE-8D51-5F8991257555}"= C:\WINDOWS\system32\tuvTjKCr.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SrvHlpEn"= {74484990-E3F3-C5B3-053E-0606278A4A73} - C:\Program Files\uqyfkdd\SrvHlpEn.dll [05/25/2008 07:34 PM 126976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\vbpdtvdp.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rtutrxy]
rtutrxy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvTjKCr]
tuvTjKCr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0017490]
C:\WINDOWS\system32\__c0017490.dat 06/14/2008 01:55 PM 24576 C:\WINDOWS\system32\__c0017490.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c005C7FC]
C:\WINDOWS\system32\__c005C7FC.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c007328E]
C:\WINDOWS\system32\__c007328E.dat 08/16/1980 08:00 PM 24576 C:\WINDOWS\system32\__c007328E.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c008EFAE]
C:\WINDOWS\system32\__c008EFAE.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00A8DC6]
C:\WINDOWS\system32\__c00A8DC6.dat 08/16/1980 08:00 PM 24576 C:\WINDOWS\system32\__c00A8DC6.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkHWQIX

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

-- End of Deckard's System Scanner: finished at 2008-06-14 14:07:16 ------------


EXTRA:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Celeron(TM) CPU 1200MHz
Percentage of Memory in Use: 77%
Physical Memory (total/avail): 254.53 MiB / 57.35 MiB
Pagefile Memory (total/avail): 625.94 MiB / 299.65 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1928.45 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 15.97 GiB total, 2.84 GiB free.
D: is Fixed (NTFS) - 41.25 GiB total, 38.25 GiB free.
E: is CDROM (No Media)
F: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - Maxtor 4D060H3 - 57.25 GiB - 2 partitions
\PARTITION0 (bootable) - Unknown - 16 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 41.25 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: AVG Anti-Virus Free v8.0 (AVG Technologies)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM95\\aim.exe"="C:\\Program Files\\AIM95\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Me\Application Data
CLASSPATH=C:\Program Files\PhotoDeluxe BE 1.0\AdobeConnectables;
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MELISSA
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Me
LOGONSERVER=\\MELISSA
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\pcdce32\bin;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 11 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0b01
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Me\LOCALS~1\Temp
TMP=C:\DOCUME~1\Me\LOCALS~1\Temp
USERDOMAIN=MELISSA
USERNAME=Me
USERPROFILE=C:\Documents and Settings\Me
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Me (admin)
Administrator.MELISSA (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\UNINST.EXE -f"C:\Program Files\PhotoDeluxe BE 1.0\DeIsL1.isu"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F7E9980-3652-29D4-8908-006097A470FC}\setup.exe" /Uninstall
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{21313051-BEA2-11D4-8FA4-00B0D02D2438}\setup.exe" UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6CAF07A2-BEA4-11D4-8FA4-00B0D02D2438}\setup.exe" UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7052066D-7016-11D5-B89E-00B0D0D26B88}\setup.exe" UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B5B0ABC0-3177-11D3-AC45-0000F879D942}\setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B5B0ABC0-3177-11D3-AC45-0000F879D969}\setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B960F4A0-BEEF-4170-86CD-57CABE6237E6}\setup.exe" UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D54AAC0A-BE99-11D4-8FA4-00B0D02D2438}\setup.exe" UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Ad-Aware SE Personal --> C:\PROGRA~1\LAVASOFT\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\LAVASOFT\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 4.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.dll"
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Type Manager 4.0 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Adobe Type Manager\DeIsL1.isu" -c"C:\Program Files\Adobe Type Manager\UNINST.DLL"
AnswerWorks Runtime --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\WexTech\AnswerWorks\Uninst.isu"
AOL Instant Messenger --> C:\Program Files\AIM95\uninstll.exe -LOG= C:\Program Files\AIM95\install.log -OEM=
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AT&T Connection Services Manager --> C:\WINDOWS\WNBackup\WnClient62\unwise32.exe /Z /U C:\WINDOWS\WNBackup\WnClient62\install.log "AT&T Connection Services Manager"
AT&T WorldNet Setup 2.5 --> C:\PROGRA~1\WORLDNET\wnun25.exe C:\PROGRA~1\WORLDNET
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Corel Applications --> C:\WINDOWS\Corel\Uninst32.exe
DelFin Media Viewer --> C:\WINDOWS\unvise32.exe C:\Program Files\DelFin\PromulGate\uninstal.log
DigitalPrint 1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E2069DE3-5924-4766-A385-CDA273885A31}\setup.exe" /Uninstall
DVDExpress --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Mediamatics\DVDExpress\Uninst.isu" -c"C:\Program Files\Mediamatics\DVDExpress\mydll.dll"
DVgate --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{29F61465-428A-11D4-B646-00C04F790F76}\setup.exe"
[email protected] 1.9.5 --> MsiExec.exe /I{9F185C48-595B-401A-A1D6-AAB324890DC4}
hp deskjet 3820 series --> rundll32 hpzcon05.dll,VendorJettison hp deskjet 3820 series
hp deskjet 3820 series (Remove only) --> C:\Program Files\hp deskjet 3820 series\hpfiui.exe -c -vdivid=HPF -vpnum=95 -vinstport=LPT1: -vproduct=3820 -huninstall
HP Deskjet 5400 series --> C:\Program Files\HP\Digital Imaging\{EB57A16E-500D-43d7-85B9-FBE279EBBA6E}\setup\hpzscr01.exe -datfile hpfscr05.dat
HP Image Zone Express --> MsiExec.exe /X{FE64AE29-0883-4C70-8388-DC026019C900}
HP Imaging Device Functions 5.0 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
hp instant support --> C:\PROGRA~1\HEWLET~1\hpis\Uninstall.exe CeS
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Solution Center & Imaging Support Tools 5.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
KaZaA Media Desktop --> RunDll32 C:\WINDOWS\System32\cd_clint.dll,ServiceRunDll u_291 "{7D50E972-F2C4-4327-AA79-88FA868A4507}"
Lernout & Hauspie TruVoice American English TTS Engine --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
LiveUpdate 1.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Media Bar 3.2.11 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2FAF5A9F-7EDE-4F1A-B082-C95A9F420630}\SETUP.EXE"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Moraff's Maximum MahJongg --> C:\Program Files\Moraff's Maximum MahJongg\uninstall.exe
Motion JPEG Software Decoder --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Sony\Motion JPEG Software Decoder\Uninst.isu"
MovieShaker 3.2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D4A49B00-02F8-11D5-B64D-00C04F790F76}\setup.exe"
Music Visualizer Library 1.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3B24B725-D81F-442D-8CE5-2AF05A4A4CC9}\setup.exe"
MUSICMATCH® Jukebox --> C:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.exe
OpenMG Secure Module --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A228A09C-4826-42E0-A3D8-95B2BAAB5049}\setup.exe" UNINSTALL
Paint Shop Pro 5.01 --> C:\PROGRA~1\PAINTS~1\UNWISE.EXE C:\PROGRA~1\PAINTS~1\INSTALL.LOG
Panicware Pop-Up Stopper --> C:\PROGRA~1\PANICW~1\POP-UP~1\UNWISE.EXE C:\PROGRA~1\PANICW~1\POP-UP~1\INSTALL.LOG
PicoPlayer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8139011A-4039-46C7-8614-A3F8948121AD}\setup.exe"
PictureGear 5.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5FF58521-5E44-11D4-A433-00105A8547C6}\setup.exe"
Quicken 2002 New User Edition --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\QUICKENW\Uninst.isu" -c"C:\Program Files\QUICKENW\uninst.dll"
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RealProducer Basic 8.5 --> C:\Program Files\Real\RealProducer\rnuninst.exe RealNetworks|RealProducer|8.5
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\system32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\MACROMED\SHOCKW~1\Install.log
Shrooms 5.0 --> C:\WINDOWS\ST5UNST.EXE -n "C:\Program Files\Shrooms 5.0\ST5UNST.LOG"
Smart Capture --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4B6F4C00-E935-11D3-A98A-0080986030D9}\setup.exe"
SonicStage CD-R Writing Module --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F3CB4DC0-4FC0-11D5-9254-0000F460E7A9}\setup.exe"
Sony Certificate PCH --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0448678-1203-4158-A58F-B3D0B616BF9E}\setup.exe"
Sony DV Shared Library --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6990A2BF-D1D2-11D3-81BC-00609789C908}\setup.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Support Actions Win2K,WinXP --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48BE827A-2D06-4804-90C3-4F2F8460F9D4}\setup.exe"
truball --> c:\program files\Uninstal.exe
Ulead PhotoImpact 4.2 --> C:\WINDOWS\ISUninst.exe -f"C:\Program Files\Ulead Systems\Ulead PhotoImpact 4.2\Uninst.isu" -c"C:\Program Files\Ulead Systems\Ulead PhotoImpact 4.2\IS32Inst.dll"
VAIO Action Setup --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3C67D8C0-F0EC-11D3-99D3-00C04FCCB775}\setup.exe"
VAIO Grid Wallpaper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{21CF3E6E-1659-433E-B6CE-165D793560DA}\setup.exe"
VAIO Help & Support --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6060E6A1-5342-4D2B-8F66-B6D6E20BBD03}\setup.exe"
VAIO Registration --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6DF804A8-2CC2-4D22-A958-4534F6EC3C76}\setup.exe"
VAIO Support --> "c:\program files\support.com\client\bin\tgfix.exe" /rm /nq
Vaio Tour --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B6F69B5C-09F1-44D2-8D1C-5B3E72BB46D2}\setup.exe"
VAIOWorld --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{601B53EE-509D-4649-9173-14A864F1E807}\setup.exe"
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
VisualFlow 2.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B5B0ABC0-3177-11D3-AC45-0000F879D920}\setup.exe" /Uninstall
VPHoldem version 1.0.23 --> C:\WINDOWS\desktop\VPHoldem\unins000.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type16114 / Warning
Event Submitted/Written: 06/09/2008 04:13:44 PM
Event ID/Source: 22 / Norton AntiVirus
Event Description:
Norton AntiVirus Realtime Protection failed to load.

Event Record #/Type16111 / Error
Event Submitted/Written: 06/07/2008 04:57:54 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application SpybotSD.exe, version 1.5.2.20, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type16107 / Error
Event Submitted/Written: 06/06/2008 03:36:04 PM
Event ID/Source: 5 / Norton AntiVirus
Event Description:
Virus Found!Virus name: Trojan.LowZones in File: C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP545\A0069332.exe by: Manual scan. Action: Clean failed : Quarantine succeeded :

Virus Found!Virus name: Trojan.LowZones in File: C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP545\A0069333.exe by: Manual scan. Action: Clean failed : Quarantine succeeded :

Virus Found!Virus name: Trojan.LowZones in File: C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP545\A0069334.exe by: Manual scan. Action: Clean failed : Quarantine succeeded :

Event Record #/Type16106 / Warning
Event Submitted/Written: 06/06/2008 03:35:55 PM
Event ID/Source: 6 / Norton AntiVirus
Event Description:
Scan could not open file D:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP545\change.log [00000003]

Event Record #/Type16105 / Warning
Event Submitted/Written: 06/06/2008 03:35:15 PM
Event ID/Source: 6 / Norton AntiVirus
Event Description:
Could not scan 10 files inside C:\dj3820\3820-enu-win2k_xp.exe due to extraction errors encountered by the Decomposer Engines.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type334677 / Error
Event Submitted/Written: 06/14/2008 01:59:03 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type333837 / Warning
Event Submitted/Written: 06/14/2008 04:52:40 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.



-- End of Deckard's System Scanner: finished at 2008-06-14 14:07:16 ------------
 

Hi,

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
 

Discussion Starter · #5 ·
I have followed your instructions. One thing - and I'm not sure if this is normal - but the computer seems to be running even slower after combofix finished. THANKS AGAIN!!


Combolog:


ComboFix 08-06-12.2 - Me 2008-06-14 18:07:06.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.66 [GMT -4:00]
Running from: C:\Documents and Settings\Me\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Me\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Me\Application Data\Microsoft\dtsc
C:\Documents and Settings\Me\Application Data\Microsoft\dtsc\16109.dll
C:\Documents and Settings\Me\Application Data\Microsoft\dtsc\19144.dll
C:\Documents and Settings\Me\Application Data\Microsoft\dtsc\id
C:\Program Files\Common Files\curity~1
C:\Program Files\delfin
C:\Program Files\QdrPack
C:\Temp\vtmp2
C:\WINDOWS\bundles
C:\WINDOWS\bundles\2504040824.exe
C:\WINDOWS\bundles\Tvm_b5_269.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\cpan.dll
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\editpad.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\muotr.so
C:\WINDOWS\pskt.ini
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\searchword.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\system32\aqaswtfu.dll
C:\WINDOWS\system32\bkwrjkth.dll
C:\WINDOWS\system32\bxgultmf.ini
C:\WINDOWS\system32\cIjPoqru.ini
C:\WINDOWS\system32\cIjPoqru.ini2
C:\WINDOWS\system32\fitbwkoe.dll
C:\WINDOWS\system32\fvknwdkh.dll
C:\WINDOWS\system32\fwkeugxg.dll
C:\WINDOWS\system32\gqcklxci.dll
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\HOWEKRqr.ini
C:\WINDOWS\system32\hvvlekfd.dll
C:\WINDOWS\system32\ikeuytcc.dll
C:\WINDOWS\system32\jegmxofx.dll
C:\WINDOWS\system32\kfjcjqyr.dll
C:\WINDOWS\system32\luhycuth.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlkbxkwq.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\MVxEOXbc.ini
C:\WINDOWS\system32\MVxEOXbc.ini2
C:\WINDOWS\system32\nqsathdo.ini
C:\WINDOWS\system32\nrbnxftj.ini
C:\WINDOWS\system32\odhtasqn.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qbhrodcy.dll
C:\WINDOWS\system32\qwkxbklm.ini
C:\WINDOWS\system32\qXEOVvut.ini
C:\WINDOWS\system32\qXEOVvut.ini2
C:\WINDOWS\system32\ryqjcjfk.ini
C:\WINDOWS\system32\uqklcwxq.ini
C:\WINDOWS\system32\whskquel.ini
C:\WINDOWS\system32\xanebptj.ini
C:\WINDOWS\system32\XIQWHkkj.ini
C:\WINDOWS\system32\XIQWHkkj.ini2
C:\WINDOWS\system32\yasqkoci.dll
C:\WINDOWS\time.exe
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSECURITY1.209.4
-------\Service_MsSecurity1.209.4


((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 )))))))))))))))))))))))))))))))
.

2008-06-14 15:57 . 2008-06-14 15:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-14 14:02 . 2008-06-14 14:02 <DIR> d-------- C:\Deckard
2008-06-10 17:28 . 1980-08-16 20:00 24,576 --a------ C:\WINDOWS\system32\__c00D6C4E.dat
2008-06-10 17:28 . 1980-08-16 20:00 24,576 --a------ C:\WINDOWS\system32\__c00CD3E9.dat
2008-06-10 17:28 . 1980-08-16 20:00 24,576 --a------ C:\WINDOWS\system32\__c00A8DC6.dat
2008-06-10 17:28 . 1980-08-16 20:00 24,576 --a------ C:\WINDOWS\system32\__c007328E.dat
2008-06-10 17:28 . 2008-06-14 13:55 24,576 --a------ C:\WINDOWS\system32\__c0017490.dat
2008-06-10 15:31 . 2008-06-10 15:31 <DIR> d--hs---- C:\FOUND.000
2008-06-09 19:23 . 2008-06-09 19:23 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-09 19:13 . 2008-06-09 19:13 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-09 19:13 . 2008-06-09 19:13 <DIR> d-------- C:\Program Files\AVG
2008-06-09 19:13 . 2008-06-09 19:13 <DIR> d-------- C:\Documents and Settings\Me\Application Data\AVGTOOLBAR
2008-06-09 19:13 . 2008-06-09 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-09 19:13 . 2008-06-09 19:13 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-09 19:13 . 2008-06-09 19:13 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-09 19:13 . 2008-06-09 19:13 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-09 18:28 . 2008-06-09 18:28 37,888 --a------ C:\WINDOWS\system32\eqicnnyl.exe
2008-06-09 18:04 . 2008-06-09 18:04 37,888 --a------ C:\WINDOWS\system32\tnbkqgfp.exe
2008-06-07 16:45 . 2008-06-07 16:45 37,888 --a------ C:\WINDOWS\system32\nkdpkgtu.exe
2008-06-06 15:54 . 2008-06-06 15:54 37,888 --a------ C:\WINDOWS\system32\nitbotts.exe
2008-06-06 14:49 . 2004-10-10 19:30 1,688 --a------ C:\WINDOWS\system32\AUTOEXEC.NT
2008-06-04 18:38 . 2008-06-04 18:38 37,888 --a------ C:\WINDOWS\system32\pvildlem.exe
2008-06-04 17:55 . 2008-03-01 09:06 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-04 17:55 . 2007-04-17 05:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-04 17:55 . 2007-03-08 01:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-04 17:55 . 2008-03-01 09:06 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-04 17:55 . 2008-03-01 09:06 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-04 17:55 . 2008-03-01 09:06 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-04 17:55 . 2008-03-01 09:06 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-04 17:55 . 2008-03-01 09:06 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-04 17:55 . 2008-02-22 06:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-04 17:44 . 2007-08-13 18:54 33,792 --a------ C:\WINDOWS\system32\dllcache\custsat.dll
2008-06-04 16:54 . 2008-06-04 16:54 37,888 --a------ C:\WINDOWS\system32\vtefbxoi.exe
2008-05-29 18:42 . 2008-05-29 18:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\setapicom
2008-05-29 18:42 . 2008-05-29 18:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AplMsg
2008-05-29 14:48 . 2008-05-29 14:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-29 14:48 . 2008-05-29 14:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 14:42 . 2008-05-29 18:52 534 ---hs---- C:\WINDOWS\system32\ipppurvn.ini
2008-05-29 14:31 . 2008-05-29 14:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\dscgen
2008-05-29 14:31 . 2008-05-29 14:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comwincfg
2008-05-27 13:33 . 2008-05-29 18:36 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-05-27 13:22 . 2008-05-27 13:22 <DIR> d-------- C:\Program Files\Common Files\àdobe
2008-05-25 22:37 . 2008-05-25 22:37 <DIR> d-------- C:\Documents and Settings\Me\Application Data\uTorrent
2008-05-25 19:43 . 2008-06-10 17:58 113 --a------ C:\WINDOWS\BM1b42ff5d.xml
2008-05-25 19:34 . 2008-05-25 19:34 <DIR> d-------- C:\Program Files\uqyfkdd
2008-05-25 19:33 . 2008-05-25 19:33 <DIR> d-------- C:\WINDOWS\system32\vntiho06
2008-05-25 19:33 . 2008-05-25 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\lmnqbyjk
2008-05-25 19:33 . 2008-05-25 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\enutil
2008-05-25 19:33 . 2008-05-25 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\admshcmd
2008-05-25 19:32 . 2008-05-25 19:32 <DIR> d-------- C:\Program Files\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-27 17:22 --------- d-----w C:\Program Files\Common Files\?dobe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2004-09-06 19:23 38 ----a-w C:\Documents and Settings\Me\Application Data\tvmcwrd.dll
2004-09-06 19:23 33 ----a-w C:\Documents and Settings\Me\Application Data\tvmuknwrd.dll
2004-09-06 01:54 216,097 ----a-w C:\Documents and Settings\Me\Application Data\tvmknwrd.dll
2002-02-16 17:27 764 ----a-w C:\Documents and Settings\Me\MCRNPEN.DAT
2002-02-16 17:27 756 ----a-w C:\Documents and Settings\Me\MCRYPEN.DAT
2002-02-16 17:27 41 ----a-w C:\Documents and Settings\Me\MCRWPEN.DAT
2002-02-16 17:27 23 ----a-w C:\Documents and Settings\Me\MCRPLAY.DAT
2002-02-16 17:27 1,039 ----a-w C:\Documents and Settings\Me\MCROPEN.DAT
2002-01-27 02:38 37,470 ----a-w C:\Program Files\Uninstal.exe
2002-01-10 20:07 0 ----a-w C:\Documents and Settings\Me\MCRREG.DAT
2000-01-08 15:57 139 ----a-w C:\Program Files\VS.VSN
1999-08-15 11:36 281,600 ----a-w C:\Program Files\cncs232.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A7AEF0F-D0EA-46C3-8360-CBEC0FF49C0A}]
C:\WINDOWS\system32\jkkHWQIX.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A12F6E7-94A9-4B2F-923C-C18A9AF765EB}]
C:\WINDOWS\system32\cbXOExVM.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9F8439F4-D24B-A5C1-1195-A08F02547A94}]
C:\WINDOWS\system32\cfzxt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{dee9670a-8e01-4821-b213-e2ee44553ee6}]
C:\WINDOWS\system32\vjftetfu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFC79B80-1CCE-4C1B-913C-C58870718B29}]
C:\WINDOWS\system32\urqoPjIc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rasmxs"="C:\WINDOWS\System32\rasmxs.exe" [ ]
"homwanco"="C:\WINDOWS\system32\lmxihufa.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpinstantsupport"="C:\Program Files\Hewlett-Packard\hpis\bin\matcliwrapper.exe" [2003-02-22 12:47 26112]
"kxshstjm"="C:\WINDOWS\System32\clvdwcp.exe" [ ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36 256576]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58 282624]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-02-05 12:38 143360]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-09 19:13 1177368]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VAIO Action Setup (Server).lnk - C:\Program Files\Sony\VAIO Action Setup\VAServ.exe [2001-09-11 08:05:59 40960]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SrvHlpEn"= {74484990-E3F3-C5B3-053E-0606278A4A73} - C:\Program Files\uqyfkdd\SrvHlpEn.dll [2008-05-25 19:34 126976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rtutrxy]
rtutrxy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvTjKCr]
tuvTjKCr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0017490]
C:\WINDOWS\system32\__c0017490.dat 2008-06-14 13:55 24576 C:\WINDOWS\system32\__c0017490.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c005C7FC]
C:\WINDOWS\system32\__c005C7FC.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c007328E]
C:\WINDOWS\system32\__c007328E.dat 1980-08-16 20:00 24576 C:\WINDOWS\system32\__c007328E.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c008EFAE]
C:\WINDOWS\system32\__c008EFAE.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00A8DC6]
C:\WINDOWS\system32\__c00A8DC6.dat 1980-08-16 20:00 24576 C:\WINDOWS\system32\__c00A8DC6.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= sonymjpg.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM95\\aim.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys [1997-06-17 04:00]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-09 19:13]
R1 SonyFanC;FAN Control Device Service;C:\WINDOWS\system32\Drivers\SonyFanC.sys [2001-09-06 16:21]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-09 19:13]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-09 19:13]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-09 19:13]
R2 V7;V7;C:\WINDOWS\system32\drivers\V7.sys [2000-03-09 11:24]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 12:11]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-13 15:46:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 18:19:42
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\__c0017490.dat
-> C:\WINDOWS\system32\__c007328E.dat
-> C:\WINDOWS\system32\__c00A8DC6.dat
-> C:\WINDOWS\System32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-06-14 18:27:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-14 22:27:12

Pre-Run: 2,939,625,472 bytes free
Post-Run: 2,835,681,280 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

278 --- E O F --- 2008-06-04 22:00:12






Hijack Log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:47:15 PM, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7A7AEF0F-D0EA-46C3-8360-CBEC0FF49C0A} - C:\WINDOWS\system32\jkkHWQIX.dll (file missing)
O2 - BHO: (no name) - {8A12F6E7-94A9-4B2F-923C-C18A9AF765EB} - C:\WINDOWS\system32\cbXOExVM.dll (file missing)
O2 - BHO: (no name) - {9F8439F4-D24B-A5C1-1195-A08F02547A94} - C:\WINDOWS\system32\cfzxt.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: {6ee35544-ee2e-312b-1284-10e8a0769eed} - {dee9670a-8e01-4821-b213-e2ee44553ee6} - C:\WINDOWS\system32\vjftetfu.dll (file missing)
O2 - BHO: (no name) - {EFC79B80-1CCE-4C1B-913C-C58870718B29} - C:\WINDOWS\system32\urqoPjIc.dll (file missing)
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [hpinstantsupport] "C:\Program Files\Hewlett-Packard\hpis\bin\matcliwrapper.exe" "C:\Program Files\Hewlett-Packard\hpis\" -boot
O4 - HKLM\..\Run: [kxshstjm] C:\WINDOWS\System32\clvdwcp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [rasmxs] C:\WINDOWS\System32\rasmxs.exe
O4 - HKCU\..\Run: [homwanco] C:\WINDOWS\system32\lmxihufa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1096151892750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138753354218
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: rtutrxy - rtutrxy.dll (file missing)
O20 - Winlogon Notify: tuvTjKCr - tuvTjKCr.dll (file missing)
O20 - Winlogon Notify: __c0017490 - C:\WINDOWS\system32\__c0017490.dat
O20 - Winlogon Notify: __c005C7FC - C:\WINDOWS\system32\__c005C7FC.dat (file missing)
O20 - Winlogon Notify: __c007328E - C:\WINDOWS\system32\__c007328E.dat
O20 - Winlogon Notify: __c008EFAE - C:\WINDOWS\system32\__c008EFAE.dat (file missing)
O20 - Winlogon Notify: __c00A8DC6 - C:\WINDOWS\system32\__c00A8DC6.dat
O21 - SSODL: SrvHlpEn - {74484990-E3F3-C5B3-053E-0606278A4A73} - C:\Program Files\uqyfkdd\SrvHlpEn.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7914 bytes
 

Hi,

Don't worry about the slowness, let's continue fixing the machine and we'll check the status later when we're done.

*Uninstall the items in bold if found:

DelFin Media Viewer - It is a media viewer based on adware
http://www.symantec.com/security_response/writeup.jsp?docid=2004-050515-5939-99&tabid=2
http://research.sunbelt-software.com/threatdisplay.aspx?name=Delfin.Media Viewer&threatid=4325

Media Bar 3.2.11

KaZaA Media Desktop - Even though by nature KaZaA is a p2p program, it IS spyware and is bundled with a lot of adware and other forms of malware.
Run this tool to remove all components of kazaa: http://www.softpedia.com/progDownload/KazaaBegone-Download-71583.html

LiveUpdate 1.6 (Symantec Corporation) - leftover from a Norton installation.

*A few optional items that I would recommend be uninstalled.

µTorrent
This program is very likely the reason your system is infested with malware. Even when a program like this is not infected itself, it will still bring malware into your system because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. I recommend that you remove this program from your system.

Viewpoint, Viewpoint Manager, Viewpoint Media Player
These are Viewpoint components that are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. Viewpoint Manager is considered foistware rather than malware since it is installed without the user's approval but doesn't spy or do anything "bad". In 2006 this may change; read Viewpoint to Plunge Into Adware.

*Click Start > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found.

*Please delete the folder/s if you uninstalled the corresponding program/s

C:\Program Files\uTorrent
C:\Documents and Settings\Me\Application Data\uTorrent
C:\Program Files\Viewpoint
____

*Delete this folder:

C:\Program Files\Common Files\?dobe - The ? there means that the folder's first character is unicode, but Windows will not be able to show you that. The folder is probably disguising itself and uses a unicode character instead of a letter "a". That folder was created on May 27 2008 and it shouldn't have anything inside it.

  • Open notepad.
  • Copy and paste the text inside the code box below to notepad
Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/258316-command-exe-other-problems-please-help.html
Killall::
File::
C:\Documents and Settings\Me\Application Data\tvmcwrd.dll
C:\Documents and Settings\Me\Application Data\tvmuknwrd.dll
C:\Documents and Settings\Me\Application Data\tvmknwrd.dll
C:\WINDOWS\BM1b42ff5d.xml
C:\WINDOWS\system32\ZoneAlarmIconUS.ico
C:\WINDOWS\system32\ipppurvn.ini
C:\WINDOWS\system32\eqicnnyl.exe
C:\WINDOWS\system32\tnbkqgfp.exe
C:\WINDOWS\system32\nkdpkgtu.exe
C:\WINDOWS\system32\nitbotts.exe
C:\WINDOWS\system32\pvildlem.exe
C:\WINDOWS\system32\vtefbxoi.exe
C:\WINDOWS\System32\cd_clint.dll
Folder::
C:\Program Files\uqyfkdd
C:\WINDOWS\system32\vntiho06
C:\Documents and Settings\All Users\Application Data\lmnqbyjk
C:\Documents and Settings\All Users\Application Data\enutil
C:\Documents and Settings\All Users\Application Data\admshcmd
C:\Program Files\Symantec
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A7AEF0F-D0EA-46C3-8360-CBEC0FF49C0A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\SOFTWARE]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A12F6E7-94A9-4B2F-923C-C18A9AF765EB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9F8439F4-D24B-A5C1-1195-A08F02547A94}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{dee9670a-8e01-4821-b213-e2ee44553ee6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFC79B80-1CCE-4C1B-913C-C58870718B29}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"_{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2}"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rasmxs"=-
"homwanco"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kxshstjm"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SrvHlpEn"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rtutrxy]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvTjKCr]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0017490]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c005C7FC]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c007328E]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c008EFAE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00A8DC6]
Collect::
C:\WINDOWS\system32\__c00D6C4E.dat
C:\WINDOWS\system32\__c00CD3E9.dat
C:\WINDOWS\system32\__c00A8DC6.dat
C:\WINDOWS\system32\__c007328E.dat
C:\WINDOWS\system32\__c0017490.dat
Filelook::
C:\Program Files\Uninstal.exe
Dirlook::
C:\Documents and Settings\All Users\Application Data\dscgen
C:\Documents and Settings\All Users\Application Data\comwincfg
C:\Documents and Settings\All Users\Application Data\setapicom
C:\Documents and Settings\All Users\Application Data\AplMsg
  • Save and Name it as "CFScript"
  • Drag and drop CFScript.txt to your copy of combofix.
  • You can take a look at the image below if you're unsure on how to do it.
  • Combofix will restart your machine, then it will produce a log afterwards.
  • Please post the contents of that log along with a fresh HijackThis log.
  • Additionally, please follow all of combofix's instructions regarding the submission of some malware for analysing and make sure that you don't leave that part out.
________

*Download Java Runtime Environment 6u6, and install it to your computer. We will need it for the online scan that you will perform next.

*Please do an online scan with Kaspersky WebScanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available otherwise Standard)
    • Scan Options:
    • Scan Archives
    • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

On your next reply, please include a
  • Fresh HijackThis log
  • Kaspersky scan log
  • ComboFix log
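As an added triage example (not the helper's or this thread's own code), the script below reads HijackThis lines and flags the same kinds of autostart entries the CFScript above targets: entries pointing at missing files, unnamed BHOs, Winlogon Notify packages that are not DLLs, and random-looking executable or folder names. The sample lines are copied from the log posted in this thread; the 7-8 lowercase-letter naming heuristic and the small allowlist are assumptions, not something HijackThis or ComboFix provides.

```python
"""Triage helper for HijackThis logs (added example, not part of the thread)."""
import re

# Constructed sample: a handful of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7A7AEF0F-D0EA-46C3-8360-CBEC0FF49C0A} - C:\WINDOWS\system32\jkkHWQIX.dll (file missing)
O4 - HKLM\..\Run: [kxshstjm] C:\WINDOWS\System32\clvdwcp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: __c0017490 - C:\WINDOWS\system32\__c0017490.dat
O20 - Winlogon Notify: rtutrxy - rtutrxy.dll (file missing)
O21 - SSODL: SrvHlpEn - {74484990-E3F3-C5B3-053E-0606278A4A73} - C:\Program Files\uqyfkdd\SrvHlpEn.dll
"""

# Assumed heuristic: 7-8 lowercase letters, no digits or vendor-style casing,
# which is the naming pattern of the Vundo/Monder-family files in this thread.
RANDOM_NAME = re.compile(r"^[a-z]{7,8}$")
# Assumed allowlist of legitimate XP binaries that would otherwise match.
KNOWN_GOOD_STEMS = {"wscntfy", "spoolsv", "svchost", "explorer"}


def _image_path(target: str) -> str:
    """Return just the executable path from an O4 value, dropping arguments."""
    target = target.strip()
    if target.startswith('"'):
        return target[1:].split('"', 1)[0]
    return target


def _parts(path: str) -> list[str]:
    """Split a Windows path into its non-empty components."""
    return [p for p in path.split("\\") if p]


def triage_line(line: str) -> list[str]:
    """Return the reasons (possibly none) why a HijackThis line deserves a look."""
    reasons: list[str] = []
    if "(file missing)" in line:
        reasons.append("autostart points at a file that no longer exists")
    if line.startswith("O2 - BHO: (no name)"):
        reasons.append("BHO registered without a name")
    if line.startswith("O20 - Winlogon Notify:"):
        # A Winlogon Notify package should be a DLL; the .dat files in this
        # thread are DLLs renamed to dodge casual inspection.
        target = line.split(" - ")[-1].replace("(file missing)", "").strip()
        if not target.lower().endswith(".dll"):
            reasons.append("Winlogon Notify package is not a .dll")
    run = re.match(r"O4 - .*?: \[[^\]]*\] (.+)$", line)
    if run:
        image = _parts(_image_path(run.group(1)))[-1]
        stem = image.rsplit(".", 1)[0].lower()
        if RANDOM_NAME.match(stem) and stem not in KNOWN_GOOD_STEMS:
            reasons.append(f"Run entry launches random-looking name {image}")
    if line.startswith("O21 - SSODL:"):
        parts = _parts(line.split(" - ")[-1].strip())
        if len(parts) >= 2 and RANDOM_NAME.match(parts[-2]):
            reasons.append(f"SSODL DLL lives in random-looking folder {parts[-2]}")
    return reasons


def triage_log(text: str) -> list[tuple[str, list[str]]]:
    """Run triage_line over every non-empty line; keep only lines with findings."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```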
 

Discussion Starter · #7 ·
Hello - I'm sorry that it took me so long to get back to you. I have followed your instructions, but I ran into a few problems along the way.

When I tried to uninstall the delfin media viewer, I got the following error:
"The following file does not exist or is not a valid uninstallation log file.
C:\Program Files\DelFin\PromulGate\uninstal.log"

When I tried to uninstall Utorrent, I got this message:
"An error occurred while trying to uninstall UTorrent. The program may have already been uninstalled.
Would you like to remove it from the add or remove programs list?"

And lastly, when I ran combofix and tried to submit the malware for further review, I was transferred to bleeping computer. Once there, though, I got this message:
"Malware Submission
Improper Usage"

I continued with the steps, and here are my logs. Again, thank you so much for your valuable time and expertise. I really can't thank you enough.


Hijack Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:22:06 PM, on 6/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [hpinstantsupport] "C:\Program Files\Hewlett-Packard\hpis\bin\matcliwrapper.exe" "C:\Program Files\Hewlett-Packard\hpis\" -boot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1096151892750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138753354218
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 6523 bytes




Kaspersky Log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, June 15, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, June 15, 2008 16:51:15
Records in database: 867762
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 67161
Threat name: 13
Infected objects: 35
Suspicious objects: 0
Duration of the scan: 02:01:06


File name / Threat name / Threats count
C:\WINDOWS\system32\bde3d_refp3.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.g 1
C:\Documents and Settings\LocalService\Application Data\Microsoft\Internet Explorer\Desktop.htt Infected: not-virus:Hoax.HTML.Secureinvites.b 1
C:\Program Files\Windows Media Player\wmplayer.exe.tmp Infected: Trojan-Dropper.Win32.VB.cd 1
C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP541\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 1
C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP543\A0067704.exe Infected: Trojan-Downloader.Win32.PurityScan.gb 1
C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP543\A0067719.exe Infected: not-a-virus:AdWare.Win32.Gator.2001 1
C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP543\A0067720.exe Infected: not-a-virus:AdWare.Win32.Gator.2002 1
C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP543\A0067893.DLL Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.d 1
C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP543\A0067917.EXE Infected: not-a-virus:RiskTool.Win32.PsKill.a 1
C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP549\A0070615.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ymn 1
C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP555\A0072609.exe Infected: not-a-virus:AdWare.Win32.VirtualBouncer.d 1
C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP555\A0072647.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ymm 1
C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP555\A0072649.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ymn 1
C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP556\A0072821.exe Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP556\A0072823.exe Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP556\A0072824.exe Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP556\A0072825.exe Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP556\A0072826.exe Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP556\A0072827.exe Infected: Trojan.Win32.Monder.gen 1
C:\Deckard\System Scanner\20080614155704\backup\DOCUME~1\Me\LOCALS~1\Temp\temp.frE294 Infected: not-a-virus:AdWare.Win32.WebHancer.390 1
C:\Deckard\System Scanner\20080614155704\backup\DOCUME~1\Me\LOCALS~1\Temp\_A00F52D7A82.exe Infected: Trojan.Win32.Monder.gen 1
C:\Deckard\System Scanner\20080614155704\backup\DOCUME~1\Me\LOCALS~1\Temp\_A00FF3E38.exe Infected: Trojan.Win32.Monder.gen 1
C:\Deckard\System Scanner\20080614155704\backup\DOCUME~1\Me\LOCALS~1\Temp\_A00FE1FD8.exe Infected: Trojan.Win32.Monder.gen 1
C:\Deckard\System Scanner\20080614155704\backup\DOCUME~1\Me\LOCALS~1\Temp\_A00FA832A2B.exe Infected: Trojan.Win32.Monder.gen 1
C:\Deckard\System Scanner\20080614155704\backup\DOCUME~1\Me\LOCALS~1\Temp\_A00F6C68AF.exe Infected: Trojan.Win32.Monder.gen 1
C:\Deckard\System Scanner\20080614155704\backup\DOCUME~1\Me\LOCALS~1\Temp\_A00F82717E.exe Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\bundles\2504040824.exe.vir Infected: not-a-virus:AdWare.Win32.VirtualBouncer.d 1
C:\QooBox\Quarantine\C\WINDOWS\system32\jegmxofx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ymm 1
C:\QooBox\Quarantine\C\WINDOWS\system32\mlkbxkwq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ymn 1
C:\QooBox\Quarantine\C\WINDOWS\system32\eqicnnyl.exe.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\nitbotts.exe.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\nkdpkgtu.exe.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\pvildlem.exe.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tnbkqgfp.exe.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\vtefbxoi.exe.vir Infected: Trojan.Win32.Monder.gen 1

The selected area was scanned.





ComboFix Log:

ComboFix 08-06-12.2 - Me 2008-06-15 2:14:55.3 - FAT32x86
Running from: C:\Documents and Settings\Me\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
.

2008-06-14 15:57 . 2008-06-14 15:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-14 14:02 . 2008-06-14 14:02 <DIR> d-------- C:\Deckard
2008-06-10 15:31 . 2008-06-10 15:31 <DIR> d--hs---- C:\FOUND.000
2008-06-09 19:23 . 2008-06-09 19:23 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-09 19:13 . 2008-06-09 19:13 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-09 19:13 . 2008-06-09 19:13 <DIR> d-------- C:\Program Files\AVG
2008-06-09 19:13 . 2008-06-09 19:13 <DIR> d-------- C:\Documents and Settings\Me\Application Data\AVGTOOLBAR
2008-06-09 19:13 . 2008-06-09 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-09 19:13 . 2008-06-09 19:13 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-09 19:13 . 2008-06-09 19:13 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-09 19:13 . 2008-06-09 19:13 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-06 14:49 . 2004-10-10 19:30 1,688 --a------ C:\WINDOWS\system32\AUTOEXEC.NT
2008-06-04 17:55 . 2008-03-01 09:06 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-04 17:55 . 2007-04-17 05:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-04 17:55 . 2007-03-08 01:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-04 17:55 . 2008-03-01 09:06 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-04 17:55 . 2008-03-01 09:06 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-04 17:55 . 2008-03-01 09:06 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-04 17:55 . 2008-03-01 09:06 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-04 17:55 . 2008-03-01 09:06 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-04 17:55 . 2008-02-22 06:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-04 17:44 . 2007-08-13 18:54 33,792 --a------ C:\WINDOWS\system32\dllcache\custsat.dll
2008-05-29 18:42 . 2008-05-29 18:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\setapicom
2008-05-29 18:42 . 2008-05-29 18:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AplMsg
2008-05-29 14:48 . 2008-05-29 14:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-29 14:48 . 2008-05-29 14:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 14:31 . 2008-05-29 14:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\dscgen
2008-05-29 14:31 . 2008-05-29 14:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comwincfg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2002-02-16 17:27 764 ----a-w C:\Documents and Settings\Me\MCRNPEN.DAT
2002-02-16 17:27 756 ----a-w C:\Documents and Settings\Me\MCRYPEN.DAT
2002-02-16 17:27 41 ----a-w C:\Documents and Settings\Me\MCRWPEN.DAT
2002-02-16 17:27 23 ----a-w C:\Documents and Settings\Me\MCRPLAY.DAT
2002-02-16 17:27 1,039 ----a-w C:\Documents and Settings\Me\MCROPEN.DAT
2002-01-27 02:38 37,470 ----a-w C:\Program Files\Uninstal.exe
2002-01-10 20:07 0 ----a-w C:\Documents and Settings\Me\MCRREG.DAT
2000-01-08 15:57 139 ----a-w C:\Program Files\VS.VSN
1999-08-15 11:36 281,600 ----a-w C:\Program Files\cncs232.dll
.

((((((((((((((((((((((((((((( [email protected]_18.25.13.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-14 22:18:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-15 05:47:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpinstantsupport"="C:\Program Files\Hewlett-Packard\hpis\bin\matcliwrapper.exe" [2003-02-22 12:47 26112]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36 256576]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58 282624]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-02-05 12:38 143360]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-09 19:13 1177368]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VAIO Action Setup (Server).lnk - C:\Program Files\Sony\VAIO Action Setup\VAServ.exe [2001-09-11 08:05:59 40960]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= sonymjpg.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM95\\aim.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys [1997-06-17 04:00]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-09 19:13]
R1 SonyFanC;FAN Control Device Service;C:\WINDOWS\system32\Drivers\SonyFanC.sys [2001-09-06 16:21]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-09 19:13]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-09 19:13]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-09 19:13]
R2 V7;V7;C:\WINDOWS\system32\drivers\V7.sys [2000-03-09 11:24]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 12:11]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-13 15:46:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 02:19:51
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\System32\CSCDLL.dll
.
Completion time: 2008-06-15 2:22:08
ComboFix-quarantined-files.txt 2008-06-15 06:22:02
ComboFix3.txt 2008-06-14 22:27:58
ComboFix2.txt 2008-06-15 05:59:38

Pre-Run: 2,714,939,392 bytes free
Post-Run: 2,709,426,176 bytes free

119 --- E O F --- 2008-06-04 22:00:12

4,582 Posts
Hi,

When I tried to uninstall the delfin media viewer, I got the following error:
"The following file does not exist or is not a valid uninstallation log file."
That's ok. The Delfin folder was already deleted by combofix.

When I tried to uninstall Utorrent, I got this message:
"An error occurred while trying to uninstall UTorrent. The program may have already been uninstalled.
Would you like to remove it from the add or remove programs list?"
Click yes on that. It was probably uninstalled before.

You ran combofix thrice. I will need to see the previous log.

Please post the contents of C:\Qoobox\Combofix2.txt

9 Posts
Discussion Starter · #9 ·
I'm sorry about that. Hopefully that doesn't screw you up. Basically, I was exhausted last night and I forgot to run the Kazaa uninstaller before running combofix (as per your instructions). So after combofix ran, I ran the kazaa uninstaller, and then ran combofix again. I apologize for not paying closer attention. Here is the second log. Unfortunately, I'm about to crash for the night. Thanks again for spending so much time with me on this. Have a good night.




ComboFix 08-06-12.2 - Me 2008-06-15 1:41:35.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.98 [GMT -4:00]
Running from: C:\Documents and Settings\Me\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Me\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Me\Application Data\tvmcwrd.dll
C:\Documents and Settings\Me\Application Data\tvmknwrd.dll
C:\Documents and Settings\Me\Application Data\tvmuknwrd.dll
C:\WINDOWS\BM1b42ff5d.xml
C:\WINDOWS\System32\cd_clint.dll
C:\WINDOWS\system32\eqicnnyl.exe
C:\WINDOWS\system32\ipppurvn.ini
C:\WINDOWS\system32\nitbotts.exe
C:\WINDOWS\system32\nkdpkgtu.exe
C:\WINDOWS\system32\pvildlem.exe
C:\WINDOWS\system32\tnbkqgfp.exe
C:\WINDOWS\system32\vtefbxoi.exe
C:\WINDOWS\system32\ZoneAlarmIconUS.ico
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\admshcmd
C:\Documents and Settings\All Users\Application Data\admshcmd\enapphlp.dll
C:\Documents and Settings\All Users\Application Data\enutil
C:\Documents and Settings\All Users\Application Data\enutil\appdb.dll
C:\Documents and Settings\All Users\Application Data\lmnqbyjk
C:\Documents and Settings\Me\Application Data\tvmcwrd.dll
C:\Documents and Settings\Me\Application Data\tvmknwrd.dll
C:\Documents and Settings\Me\Application Data\tvmuknwrd.dll
C:\Documents and Settings\Me\Local Settings\Temporary Internet Files\Tvm.log
C:\Program Files\Symantec
C:\Program Files\Symantec\LiveUpdate\s32luhl1.dll
C:\Program Files\uqyfkdd
C:\Program Files\uqyfkdd\SrvHlpEn.dll
C:\WINDOWS\BM1b42ff5d.xml
C:\WINDOWS\system32\__c0017490.dat
C:\WINDOWS\system32\__c007328E.dat
C:\WINDOWS\system32\__c00A8DC6.dat
C:\WINDOWS\system32\__c00CD3E9.dat
C:\WINDOWS\system32\__c00D6C4E.dat
C:\WINDOWS\system32\eqicnnyl.exe
C:\WINDOWS\system32\ipppurvn.ini
C:\WINDOWS\system32\nitbotts.exe
C:\WINDOWS\system32\nkdpkgtu.exe
C:\WINDOWS\system32\pvildlem.exe
C:\WINDOWS\system32\tnbkqgfp.exe
C:\WINDOWS\system32\vntiho06
C:\WINDOWS\system32\vtefbxoi.exe
C:\WINDOWS\system32\ZoneAlarmIconUS.ico

.
((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
.

2008-06-14 15:57 . 2008-06-14 15:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-14 14:02 . 2008-06-14 14:02 <DIR> d-------- C:\Deckard
2008-06-10 15:31 . 2008-06-10 15:31 <DIR> d--hs---- C:\FOUND.000
2008-06-09 19:23 . 2008-06-09 19:23 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-09 19:13 . 2008-06-09 19:13 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-09 19:13 . 2008-06-09 19:13 <DIR> d-------- C:\Program Files\AVG
2008-06-09 19:13 . 2008-06-09 19:13 <DIR> d-------- C:\Documents and Settings\Me\Application Data\AVGTOOLBAR
2008-06-09 19:13 . 2008-06-09 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-09 19:13 . 2008-06-09 19:13 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-09 19:13 . 2008-06-09 19:13 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-09 19:13 . 2008-06-09 19:13 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-06 14:49 . 2004-10-10 19:30 1,688 --a------ C:\WINDOWS\system32\AUTOEXEC.NT
2008-06-04 17:55 . 2008-03-01 09:06 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-04 17:55 . 2007-04-17 05:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-04 17:55 . 2007-03-08 01:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-04 17:55 . 2008-03-01 09:06 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-04 17:55 . 2008-03-01 09:06 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-04 17:55 . 2008-03-01 09:06 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-04 17:55 . 2008-03-01 09:06 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-04 17:55 . 2008-03-01 09:06 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-04 17:55 . 2008-02-22 06:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-04 17:44 . 2007-08-13 18:54 33,792 --a------ C:\WINDOWS\system32\dllcache\custsat.dll
2008-05-29 18:42 . 2008-05-29 18:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\setapicom
2008-05-29 18:42 . 2008-05-29 18:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AplMsg
2008-05-29 14:48 . 2008-05-29 14:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-29 14:48 . 2008-05-29 14:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 14:31 . 2008-05-29 14:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\dscgen
2008-05-29 14:31 . 2008-05-29 14:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comwincfg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2002-02-16 17:27 764 ----a-w C:\Documents and Settings\Me\MCRNPEN.DAT
2002-02-16 17:27 756 ----a-w C:\Documents and Settings\Me\MCRYPEN.DAT
2002-02-16 17:27 41 ----a-w C:\Documents and Settings\Me\MCRWPEN.DAT
2002-02-16 17:27 23 ----a-w C:\Documents and Settings\Me\MCRPLAY.DAT
2002-02-16 17:27 1,039 ----a-w C:\Documents and Settings\Me\MCROPEN.DAT
2002-01-27 02:38 37,470 ----a-w C:\Program Files\Uninstal.exe
2002-01-10 20:07 0 ----a-w C:\Documents and Settings\Me\MCRREG.DAT
2000-01-08 15:57 139 ----a-w C:\Program Files\VS.VSN
1999-08-15 11:36 281,600 ----a-w C:\Program Files\cncs232.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Uninstal.exe -- Unable to find file version info.
MD5: 7b38d17bf2bf81cdd0ad52799457bf13

---- Directory of C:\Documents and Settings\All Users\Application Data\AplMsg: ----

C:\Documents and Settings\All Users\Application Data\AplMsg:\

---- Directory of C:\Documents and Settings\All Users\Application Data\comwincfg ----

2008-05-29 14:31 66048 --a------ C:\Documents and Settings\All Users\Application Data\comwincfg\SrvMntAdm.dll

---- Directory of C:\Documents and Settings\All Users\Application Data\dscgen ----

2008-05-29 14:31 143360 --a------ C:\Documents and Settings\All Users\Application Data\dscgen\procsmartstr.dll

---- Directory of C:\Documents and Settings\All Users\Application Data\setapicom ----

2008-05-29 18:42 143360 --a------ C:\Documents and Settings\All Users\Application Data\setapicom\aplcfg.dll


((((((((((((((((((((((((((((( [email protected]_18.25.13.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-14 22:18:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-15 05:47:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpinstantsupport"="C:\Program Files\Hewlett-Packard\hpis\bin\matcliwrapper.exe" [2003-02-22 12:47 26112]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36 256576]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58 282624]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-02-05 12:38 143360]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-09 19:13 1177368]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VAIO Action Setup (Server).lnk - C:\Program Files\Sony\VAIO Action Setup\VAServ.exe [2001-09-11 08:05:59 40960]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= sonymjpg.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM95\\aim.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys [1997-06-17 04:00]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-09 19:13]
R1 SonyFanC;FAN Control Device Service;C:\WINDOWS\system32\Drivers\SonyFanC.sys [2001-09-06 16:21]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-09 19:13]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-09 19:13]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-09 19:13]
R2 V7;V7;C:\WINDOWS\system32\drivers\V7.sys [2000-03-09 11:24]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 12:11]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-13 15:46:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 01:48:49
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-06-15 1:59:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-15 05:58:56
ComboFix2.txt 2008-06-14 22:27:58

Pre-Run: 2,714,415,104 bytes free
Post-Run: 2,711,351,296 bytes free

186 --- E O F --- 2008-06-04 22:00:12

4,582 Posts
That's ok. Take a rest now. I'll be taking mine in a few minutes.

It's past midnight here. I'll get back to you tomorrow. Goodnight :smile:

4,582 Posts
Hi,

No worries. Nothing got screwed up.

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
for %%g in (
"C:\WINDOWS\system32\bde3d_refp3.dll"
"C:\Documents and Settings\LocalService\Application Data\Microsoft\Internet Explorer\Desktop.htt"
"C:\Program Files\Windows Media Player\wmplayer.exe.tmp"
) do (
del /a/f/q %%g >nul 2>&1
)

for %%g in (
C:\QooBox\Quarantine\C\WINDOWS\system32\__c0017490.dat.vir 
C:\QooBox\Quarantine\C\WINDOWS\system32\__c007328E.dat.vir 
C:\QooBox\Quarantine\C\WINDOWS\system32\__c00A8DC6.dat.vir 
C:\QooBox\Quarantine\C\WINDOWS\system32\__c00CD3E9.dat.vir 
C:\QooBox\Quarantine\C\WINDOWS\system32\__c00D6C4E.dat.vir 
) do zip Files_for_submission %%g
del %0
Save this as submit.bat. Choose to Save type as - All Files

It should look like this:

Double-click on submit.bat to run it. This batch file will create a Files_for_submission.zip file in the same location where the batch file was saved.

Please submit it to this site ==> http://www.bleepingcomputer.com/submit-malware.php?channel=4 and include a link to this topic in the message.

You may delete the zipped file from your desktop once submitted.
________

I would like you to scan a few files for me.

Please go HERE. Copy and paste the following file path in to the box.

C:\Program Files\Uninstal.exe

Then click submit.

Do the same for these files:

C:\Documents and Settings\All Users\Application Data\comwincfg\SrvMntAdm.dll
C:\Documents and Settings\All Users\Application Data\dscgen\procsmartstr.dll
C:\Documents and Settings\All Users\Application Data\setapicom\aplcfg.dll

Also, please check this folder: C:\Documents and Settings\All Users\Application Data\AplMsg and submit one of the files inside it (preferably an exe) if there are any.

Please post the results to your next reply.

If Jotti is too busy, you can go HERE and do the same as above.

On your next reply, please include a
  • Fresh HijackThis log.
  • Results of Jotti scan.

9 Posts
Discussion Starter · #12 ·
Hello again - I submitted the info to bleepingcomputer with the link. Here are the Jotti results (I wasn't sure how you wanted them posted) and the new HijackThis log. I have to head out for about 5 or 6 hours so I won't be back until tonight. So have a great day. And of course THANKS.

File: Uninstal.exe
Status: OK
MD5: 7b38d17bf2bf81cdd0ad52799457bf13
Packers detected: -

Scan taken on 16 Jun 2008 18:47:08 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing



File: SrvMntAdm.dll
Status: INFECTED/MALWARE
MD5: 5b36c0df7099be60a52b9af31929e928
Packers detected: -

Scan taken on 16 Jun 2008 18:35:42 (GMT)
A-Squared Found nothing
AntiVir Found HEUR/Crypted
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Mal/EncPk-DG
VirusBuster Found nothing
VBA32 Found nothing



File: procsmartstr.dll
Status: POSSIBLY INFECTED/MALWARE (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definitely accurate. Also, because of this, results of this scan will not be recorded in the database.)
MD5: 828ac7f332cbc7adab26717e8cb4d808
Packers detected: -

Scan taken on 16 Jun 2008 18:40:36 (GMT)
A-Squared Found nothing
AntiVir Found HEUR/Crypted
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing





File: aplcfg.dll
Status: INFECTED/MALWARE
MD5: d9154d80b55f36afa8ea402ae8fdfdf6
Packers detected: -


Scan taken on 16 Jun 2008 18:42:37 (GMT)
A-Squared Found nothing
AntiVir Found HEUR/Crypted
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Mal/EncPk-DG
VirusBuster Found nothing
VBA32 Found nothing




The only thing in the aplmsg folder was a dll file, so I ran that:

File: CfgStr.dll
Status: INFECTED/MALWARE
MD5: cbe1e68afb4875531637e8ebabea2bd5
Packers detected: -


Scan taken on 16 Jun 2008 18:45:01 (GMT)
A-Squared Found nothing
AntiVir Found HEUR/Crypted
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Mal/EncPk-DG
VirusBuster Found nothing
VBA32 Found nothing



HiJack Log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:49:16 PM, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [hpinstantsupport] "C:\Program Files\Hewlett-Packard\hpis\bin\matcliwrapper.exe" "C:\Program Files\Hewlett-Packard\hpis\" -boot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1096151892750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138753354218
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 6523 bytes
 

4,582 Posts
Hi,

The jotti scan results were not very good. Only 2 detected them and one was based on heuristics.

Please right click these files then click properties. Check if the files have any company information in them.

C:\Documents and Settings\All Users\Application Data\comwincfg\SrvMntAdm.dll
C:\Documents and Settings\All Users\Application Data\dscgen\procsmartstr.dll
C:\Documents and Settings\All Users\Application Data\setapicom\aplcfg.dll
C:\Documents and Settings\All Users\Application Data\AplMsg\CfgStr.dll

If they have, please post back and let me know.

If they don't have any info on them,

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
rem Zip the four suspect DLLs into Files_for_submission.zip (created next to this batch file).
rem Requires a command-line zip.exe in PATH; the paths are the ones listed above.
for %%g in (
"C:\Documents and Settings\All Users\Application Data\comwincfg\SrvMntAdm.dll"
"C:\Documents and Settings\All Users\Application Data\dscgen\procsmartstr.dll"
"C:\Documents and Settings\All Users\Application Data\setapicom\aplcfg.dll"
"C:\Documents and Settings\All Users\Application Data\AplMsg\CfgStr.dll"
) do zip Files_for_submission %%g
rem Remove this batch file once the archive has been built.
del %0
Save this as submit.bat. Choose to Save type as - All Files

It should look like this:

Double-click on submit.bat to run it. This batchfile will create a Files_for_submission.zip file in the same location where the batchfile was saved.

Next, please visit TheSpyKillers forum HERE

Read the first topic for instructions on uploading files then start a new Topic, post a link to this thread and upload the requested files.cab archive from your desktop.

You may delete the zipped file from your desktop once submitted.
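The same check and packaging step, as an added PowerShell example that is not part of the thread: it reads the version resource (CompanyName, ProductName, FileVersion) of the four suspect DLLs named above, hashes them, and zips only the ones that carry no company information. It assumes a current PowerShell (5 or later, for Get-FileHash and Compress-Archive) rather than the XP-era shell, and the Desktop output path is an assumption.

```powershell
# Added example, not the forum post's own batch file.
# Paths are the four suspect DLLs from the post; Desktop output path is an assumption.
$suspects = @(
    'C:\Documents and Settings\All Users\Application Data\comwincfg\SrvMntAdm.dll',
    'C:\Documents and Settings\All Users\Application Data\dscgen\procsmartstr.dll',
    'C:\Documents and Settings\All Users\Application Data\setapicom\aplcfg.dll',
    'C:\Documents and Settings\All Users\Application Data\AplMsg\CfgStr.dll'
)
$zipPath = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Files_for_submission.zip'

$report = foreach ($path in $suspects) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Not present: $path"
        continue
    }
    # VersionInfo exposes the PE version resource; this is what the
    # Properties > Details (Version) tab shows in Explorer.
    $info = (Get-Item -LiteralPath $path).VersionInfo
    [pscustomobject]@{
        Path        = $path
        CompanyName = $info.CompanyName
        Product     = $info.ProductName
        FileVersion = $info.FileVersion
        # Hash recorded so the submitted sample can be matched to scan results later.
        SHA1        = (Get-FileHash -LiteralPath $path -Algorithm SHA1).Hash
    }
}
$report | Format-Table -AutoSize -Wrap

# Empty CompanyName is not proof of malware (some legitimate tools omit it),
# but it is the condition the helper asked to check before submitting.
$noInfo = @($report | Where-Object { [string]::IsNullOrWhiteSpace($_.CompanyName) })
if ($noInfo.Count -gt 0) {
    # Equivalent of the submit.bat above, without depending on a zip.exe in PATH.
    Compress-Archive -LiteralPath $noInfo.Path -DestinationPath $zipPath -Force
    Write-Host "Wrote $($noInfo.Count) file(s) to $zipPath"
} else {
    Write-Host 'All files carry company information; nothing zipped.'
}
```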
 

9 Posts
Discussion Starter · #14 ·
Hello again - There was no company info on any of the files. I followed your instructions and uploaded them to spykillers. I've got to take off for work now, so I won't be back until later tonight. Thanks again for everything, and have a great day.
 

4,582 Posts
Hi,

Delete all these folders. They're malware.

C:\Documents and Settings\All Users\Application Data\comwincfg
C:\Documents and Settings\All Users\Application Data\dscgen
C:\Documents and Settings\All Users\Application Data\setapicom
C:\Documents and Settings\All Users\Application Data\AplMsg

How is it running now?
 

9 Posts
Discussion Starter · #16 ·
Hello - I'm so sorry it took so long to get back to you. I didn't get home from work until very late last night. Just so you know, today might be a similar situation, so please bear with me. But anyway, I have deleted the files. There seems to be a marked improvement to the overall speed of everything. The system as a whole is definitely close to normal, and the internet has improved, although it is still slightly sluggish. Is there anything left to do?

Also, I just have a couple of general questions for you Angelfire777 - First, it seems as though my sister has a lot of unneeded programs running at startup (quicktime, musicmatch, etc.). Is there any way you can tell me how to permanently stop some of these programs from loading at startup? It seems from everything that I have read that this might be slowing her computer down quite a bit.

And secondly - Do you have any general recommendations to prevent this from happening again? Currently I have AVG 8.0 Free running on her computer. Is that enough, or would you recommend a different program, or buying a program? I also have Spybot and Adaware on the computer, with the plan to give her instructions to run them every couple of weeks. Does that sound about right, or would you suggest other programs/procedures? Also, I am thinking of switching her from IE to Firefox. Do you have an opinion on that?

I am sorry to bombard you with all of these questions, but I want to make sure that I ask them before we part ways. I really can't thank you enough for all you have done for me.
 

4,582 Posts
No need to apologize thurman. There's nothing left to do.

The sluggishness is probably due to the computer having only 256MB RAM. And your pc's processor isn't that great either. With only a Celeron, your computer performs functions a bit slower compared to dual cores or Pentiums. Right now, I suggest that you upgrade your RAM to at least 512MB. XP already takes half of what you have right now so there's only a little left for other activities.

Yes, click start > run > type in msconfig

Go to the startup tab and uncheck those entries of programs that you don't want running at startup. That should speed up loading time.

AVG8 is ok but I recommend Kaspersky AV, Nod32, or Antivir premium. All of those are paid ones. Spybot and Adaware are not very useful anymore. They are lagging already and they weren't as good as before. I suggest MBAM: http://www.malwarebytes.org/mbam.php No need to have a paid version. Just use it for regular scanning. And yes, Firefox is a lot better than IE (security and overall experience).


Click start > run > copy and paste:

combofix /u

That will hide your system files, clear your system restore cache and uninstall combofix.


Here are some free programs I recommend that could help you improve your pc's security.

Firewall Application - Although Windows XP comes with a firewall, you should not rely on it because the Windows Firewall can only filter incoming data; outgoing traffic is not controlled, meaning that malware/viruses that are present in your computer can access the internet with no restrictions. There are several other firewalls that can protect you better by filtering incoming and outgoing data. Make sure you get only one of these.

» Comodo
» Kerio

MVPS Hosts File
~You can download it from here
~I highly recommend this hosts file. You can learn more about this here

Install SpyWare Blaster
~You can download it from here
~You can read the tutorial on how to use Spyware Blaster here

Install WinPatrol
~You can download it from here
~You can get some information about how WinPatrol works here

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"

Happy safe surfing!

Note: Please reply to this thread one last time so I could close it. If you have any questions, fire away.
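The msconfig Startup tab advice above, as an added read-only PowerShell example that is not from the thread: it lists the same autostart entries (the Run/RunOnce registry keys and both Startup folders, the locations HijackThis reports as O4) together with each target file's publisher, so unneeded or unknown entries can be spotted before anything is unchecked. It assumes a current PowerShell; the helper function name Get-ExePath is my own.

```powershell
# Added example, not the forum's or HijackThis' own code. Read-only: it changes nothing.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # "Global Startup" in HijackThis terms
)

function Get-ExePath([string]$cmd) {
    # Hypothetical helper: take the executable out of a Run-key command line.
    # Quoted paths are handled; an unquoted path with spaces shows as "not found".
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own metadata
        $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
    }
}
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $_.FullName
        if ($_.Extension -eq '.lnk') {   # resolve shortcuts such as "HP Digital Imaging Monitor.lnk"
            $target = (New-Object -ComObject WScript.Shell).CreateShortcut($_.FullName).TargetPath
        }
        $entries += [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $target }
    }
}

$entries | ForEach-Object {
    $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath $_.Command))
    $publisher = if ($exe -and (Test-Path -LiteralPath $exe)) {
        (Get-Item -LiteralPath $exe).VersionInfo.CompanyName
    } else { '(file not found)' }
    # Entries with no publisher or a missing file deserve a closer look before being kept.
    [pscustomobject]@{ Name = $_.Name; Publisher = $publisher; Command = $_.Command; Source = $_.Source }
} | Sort-Object Publisher | Format-Table -AutoSize -Wrap
```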
 

9 Posts
Discussion Starter · #18 ·
Hello Angelfire777 - I'm so sorry that it took me so long to get back to you. I unfortunately had a family emergency that took me away from everything for a couple of days. Sorry about that. I have followed your instructions, and it appears that we are malware free. The computer is still pretty sluggish, but I think that is just a result of the RAM situation as you said. I just have one last question - I now have AVG, SpywareBlaster, Comodo firewall, and Winpatrol running. Are they going to conflict with each other or am I good? I know that you are not supposed to have more than one AV program on your computer, and I just wanted to make sure that having all of these programs running at the same time is okay....If it is okay, you can close this thread.

Again, I can't thank you enough for all of your help. The fact that people are out there like you that share their time and expertise with the rest of us just blows my mind. You've got a lot of good karma coming your way from Buffalo, NY. I sincerely wish you nothing but the best in the future.
 

4,582 Posts
Those programs are all ok to have on your computer. They all work by layers and they have different functions and tasks to perform. :smile:

You're welcome. Glad to be of assistance :grin:
 