Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

HTTP Trojan Vundo Activity [RESOLVED]

Started by 2xena , Mar 16 2008 07:51 PM

  • This topic is locked This topic is locked

#1
2xena
Posted 16 March 2008 - 07:51 PM

2xena

    New Member

  • Member
  • Pip
  • 2 posts
Hi there,

I had a warning from my norton that it had blocked an attempt made and identified it as "HTTP Trojan Vundo Activity". I tried running norton to remove it, but it didn't find anything. Then I tried adaware. Again it didn't work.
Then I noticed that everytime I opened the internet I would get pop-ups even with the pop-up blocker on. Then I found that something had changed my security settings to accept all cookies and I tried changing it back several time with no luck. My norton software also was turned off, then wouldn't work properly (no auto protect, shows an error; and the live update would not work).

I have tried several things and ways of getting rid of this thing and I think that I may have suceeded, but I'm not sure. My norton software is still showing an error message for the auto protect. When I ran scans with other various programs, they never found anything much. There were some adware but nothing huge. The only thing that might have been the trojan was something that superantispyware found on the fouth scan that I ran and it said _____ vundo ___. I can't remember the other words, but I thought I had gotten it so I tried reinstalling norton to see if I could get rid of the error message. I still couldn't, so I'm worried that it's still there.

Here are the scan logs:

Hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:26 PM, on 16/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\WINDOWS\vVX1000.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rogers\SelfHealing\rogersagent.exe
C:\Program Files\TM1184\ControlUtility\ControlUtility.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {06cbb559-1bcb-c2ab-4794-374ac8cd699c} - {c996dc8c-a473-4974-ba2c-bcb1955bbc60} - C:\WINDOWS\system32\tvlytinh.dll (file missing)
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O5 "LPT1:" /M "Stylus CX3200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [BM930c8351] Rundll32.exe "C:\WINDOWS\system32\uxbaqqey.dll",s
O4 - HKLM\..\Run: [903fb0cd] rundll32.exe "C:\WINDOWS\system32\ftiqmyms.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RogersAgent] c:\Program Files\Rogers\SelfHealing\rogersagent.exe
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Dell Control Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....abs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1187994689131
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1187994680258
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/...ersion=1,0,0,10
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...ploader_v10.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 10505 bytes


Superantispyware

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/16/2008 at 09:02 PM

Application Version : 4.0.1154

Core Rules Database Version : 3420
Trace Rules Database Version: 1412

Scan type : Complete Scan
Total Scan Time : 00:49:47

Memory items scanned : 408
Memory threats detected : 0
Registry items scanned : 5227
Registry threats detected : 0
File items scanned : 43818
File threats detected : 3

Adware.Tracking Cookie
C:\Documents and Settings\Erica\Cookies\[email protected][1].txt
C:\Documents and Settings\Erica\Cookies\[email protected][1].txt
C:\Documents and Settings\Erica\Cookies\erica@atdmt[1].txt


Virtumundobegone


[03/16/2008, 9:31:59] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Erica\Desktop\VirtumundoBeGone.exe" )
[03/16/2008, 9:32:04] - Detected System Information:
[03/16/2008, 9:32:04] - Windows Version: 5.1.2600, Service Pack 2
[03/16/2008, 9:32:05] - Current Username: Erica (Admin)
[03/16/2008, 9:32:05] - Windows is in NORMAL mode.
[03/16/2008, 9:32:05] - Searching for Browser Helper Objects:
[03/16/2008, 9:32:05] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[03/16/2008, 9:32:05] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/16/2008, 9:32:05] - BHO 3: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[03/16/2008, 9:32:05] - BHO 4: {c996dc8c-a473-4974-ba2c-bcb1955bbc60} ()
[03/16/2008, 9:32:05] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/16/2008, 9:32:05] - Checking for HKLM\...\Winlogon\Notify\tvlytinh
[03/16/2008, 9:32:05] - Key not found: HKLM\...\Winlogon\Notify\tvlytinh, continuing.
[03/16/2008, 9:32:05] - Finished Searching Browser Helper Objects
[03/16/2008, 9:32:05] - Finishing up...
[03/16/2008, 9:32:05] - Nothing found! Exiting...


Smitfraudfix

SmitFraudFix v2.303

Scan done at 14:47:52.01, 14/03/2008
Run from C:\Documents and Settings\Erica\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{26F96E3E-BCCE-4B04-9DEE-2AF8C761981C}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{26F96E3E-BCCE-4B04-9DEE-2AF8C761981C}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{26F96E3E-BCCE-4B04-9DEE-2AF8C761981C}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


Combofix

ComboFix 08-03-14.2 - Erica 2008-03-14 20:37:01.3 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.361 [GMT -4:00]
Running from: C:\Documents and Settings\Erica\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-15 to 2008-03-15 )))))))))))))))))))))))))))))))
.

2008-03-14 20:28 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-14 20:28 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-14 20:28 . 2008-03-14 09:09 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-14 20:28 . 2008-03-05 22:29 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-14 20:28 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-14 20:28 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-14 20:28 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-14 17:29 . 2008-03-14 17:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-14 17:28 . 2008-03-14 18:33 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-14 17:28 . 2008-03-14 17:28 <DIR> d-------- C:\Documents and Settings\Erica\Application Data\SUPERAntiSpyware.com
2008-03-14 16:17 . 2008-03-14 16:17 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-14 16:17 . 2008-03-14 16:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-14 15:58 . 2008-03-14 15:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-14 14:55 . 2008-03-14 14:55 <DIR> d-------- C:\VundoFix Backups
2008-03-14 14:44 . 2008-03-14 20:33 4,092 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-14 13:05 . 2008-03-14 13:05 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-13 23:32 . 2004-10-25 15:18 131,072 --a------ C:\WINDOWS\system32\ypclsp.dll
2008-03-13 23:32 . 2003-05-19 16:07 86,016 --a------ C:\WINDOWS\system32\YPcservice.exe
2008-03-13 23:31 . 2008-03-13 23:31 <DIR> d-------- C:\Program Files\Rogers
2008-03-13 19:02 . 2008-03-13 23:18 1,347,026 ---hs---- C:\WINDOWS\system32\odhxrewg.ini
2008-03-13 16:55 . 2008-03-13 16:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-03-13 16:45 . 2008-03-13 16:45 268 --ah----- C:\sqmdata07.sqm
2008-03-13 16:45 . 2008-03-13 16:45 244 --ah----- C:\sqmnoopt07.sqm
2008-03-13 14:23 . 2008-03-13 14:23 268 --ah----- C:\sqmdata06.sqm
2008-03-13 14:23 . 2008-03-13 14:23 244 --ah----- C:\sqmnoopt06.sqm
2008-03-12 16:46 . 2008-03-12 16:46 268 --ah----- C:\sqmdata05.sqm
2008-03-12 16:46 . 2008-03-12 16:46 244 --ah----- C:\sqmnoopt05.sqm
2008-03-11 21:31 . 2008-03-11 21:31 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-11 21:30 . 2008-03-11 21:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-11 21:28 . 2008-03-14 17:28 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-08 16:31 . 2008-03-08 16:31 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-03-08 12:23 . 2008-03-08 12:23 <DIR> d-------- C:\WINDOWS\Cake Mania 2
2008-03-07 21:25 . 2008-03-07 21:25 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-03-07 21:23 . 2008-03-07 21:23 134 --a------ C:\n.bat
2008-03-07 21:22 . 2008-03-07 21:22 <DIR> d-------- C:\WINDOWS\system32\iDlo18
2008-03-07 21:22 . 2008-03-14 11:52 <DIR> d-------- C:\Temp
2008-03-07 14:03 . 2008-03-07 14:03 625,032 --a------ C:\WINDOWS\system32\SymNeti.dll
2008-03-07 14:03 . 2008-03-07 14:03 242,056 --a------ C:\WINDOWS\system32\SymRedir.dll
2008-03-07 13:40 . 2008-03-07 13:40 13,035 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat
2008-03-07 13:40 . 2008-03-07 13:40 1,358 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf
2008-03-07 13:39 . 2008-03-07 13:39 191,536 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2008-03-07 13:39 . 2008-03-07 13:39 145,968 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2008-03-07 13:39 . 2008-03-07 13:39 39,984 --a------ C:\WINDOWS\system32\drivers\symids.sys
2008-03-07 13:39 . 2008-03-07 13:39 37,936 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2008-03-07 13:39 . 2008-03-07 13:39 35,120 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2008-03-07 13:39 . 2008-03-07 13:39 27,696 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2008-03-07 13:39 . 2008-03-07 13:39 12,848 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2008-03-06 21:26 . 2008-03-08 12:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-03-06 21:25 . 2008-03-06 21:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-03-03 13:46 . 2008-03-03 13:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PopCap
2008-03-01 14:51 . 2008-03-01 14:53 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-01 14:50 . 2008-03-01 14:54 <DIR> d-------- C:\Program Files\Windows Live
2008-03-01 14:50 . 2008-03-01 14:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-29 16:13 . 2008-02-29 16:13 <DIR> d-------- C:\Documents and Settings\Erica\Application Data\funkitron
2008-02-29 15:53 . 2008-02-29 15:53 15 --a------ C:\WINDOWS\popcinfo.dat
2008-02-29 15:46 . 2008-02-29 16:14 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-14 15:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-14 15:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-14 03:42 --------- d-----w C:\Program Files\Symantec
2008-03-14 03:33 --------- d-----w C:\Program Files\Yahoo!
2008-03-14 03:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-03-13 23:36 --------- d-----w C:\Documents and Settings\Erica\Application Data\LimeWire
2008-03-10 18:44 --------- d-----w C:\Documents and Settings\Erica\Application Data\U3
2008-03-06 22:39 --------- d-----w C:\Program Files\iTunes
2008-03-06 22:39 --------- d-----w C:\Program Files\iPod
2008-03-06 22:37 --------- d-----w C:\Program Files\QuickTime
2008-03-05 01:07 --------- d-----w C:\Program Files\Java
2008-03-02 02:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-02 02:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avery
2008-02-27 23:34 113,512 ----a-w C:\Documents and Settings\Erica\Application Data\GDIPFONTCACHEV1.DAT
2008-01-26 01:27 --------- d-----w C:\Program Files\MSXML 4.0
2008-01-15 14:54 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-01-15 10:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2007-10-01 17:15 282,634 ----a-w C:\WINDOWS\Fonts\Setup.exe
.

((((((((((((((((((((((((((((( snapshot@2008-03-14_14.34.14.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-14 21:28:59 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-03-14 21:28:59 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-03-09 20:51:39 40,394 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-15 00:24:47 40,394 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-09 20:51:39 312,172 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-15 00:24:47 312,172 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16BDC3CE-F54F-4474-A0DF-3A170657F050}]
C:\WINDOWS\system32\ursst.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c996dc8c-a473-4974-ba2c-bcb1955bbc60}]
C:\WINDOWS\system32\tvlytinh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"RogersAgent"="c:\Program Files\Rogers\SelfHealing\rogersagent.exe" [2007-04-23 16:51 478968]
"SHS"="C:\Program Files\Rogers\SelfHealing\SHS.exe" [2007-10-12 16:30 5166392]
"Update Manager"="C:\Program Files\Rogers\Update Manager\UpdateManager.exe" [2007-10-12 16:30 136504]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2002-07-18 16:58 163840 C:\WINDOWS\system32\pctspk.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 14:13 176128]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-10 21:05 344064]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2007-08-25 00:28 684032]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"ZCfgSvc.exe"="C:\WINDOWS\system32\ZCfgSvc.exe" [2005-07-05 01:32 639040]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2005-06-27 08:31 135168]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59 115816]
"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [2007-01-14 03:11 771704]
"EPSON Stylus CX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.exe" [2005-03-07 23:00 98304]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2006-06-29 19:54 269104]
"VX1000"="C:\WINDOWS\vVX1000.exe" [2006-06-29 19:42 707376]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"EPSON Stylus CX3200"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [2002-06-30 15:05 74752]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-10-26 15:42 509224]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-01-23 14:47 847872]
"BM930c8351"="C:\WINDOWS\system32\uxbaqqey.dll" [ ]
"903fb0cd"="C:\WINDOWS\system32\ftiqmyms.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 03:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Dell Control Utility.lnk - C:\Program Files\TM1184\ControlUtility\ControlUtility.exe [2007-08-24 18:26:16 262144]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\system32\LgNotify.dll 2005-07-05 01:33 188482 C:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter3.exe"=

R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamSvc.exe" [2006-06-29 19:54]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2005-04-21 21:58]
S3 Symantec RemoteAssist;Symantec RemoteAssist;"C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe" [2008-01-29 16:09]
S3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2006-06-29 19:42]

*Newly Created Service* - COMHOST
*Newly Created Service* - SASDIFSV
.
Contents of the 'Scheduled Tasks' folder
"2008-03-10 19:30:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-11 01:33:00 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Erica.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-14 20:44:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-14 20:48:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-15 00:48:29
ComboFix2.txt 2008-03-14 20:13:09
ComboFix3.txt 2008-03-14 18:34:33
.
2008-03-12 15:02:29 --- E O F ---


Vundofix


VundoFix V7.0.3

Scan started at 2:55:51 PM 14/03/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...

Beginning removal...

VundoFix V7.0.3

Scan started at 9:07:08 PM 14/03/2008

Listing files found while scanning....

No infected files were found.


VundoFix V7.0.3

Scan started at 11:29:20 PM 15/03/2008

Listing files found while scanning....

No infected files were found.



Deckards System Scanner

Deckard's System Scanner v20071014.68
Run by Erica on 2008-03-14 16:04:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 76% (more than 75%).


-- HijackThis (run as Erica.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:04:15 PM, on 14/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\WINDOWS\vVX1000.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\HidFind.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Rogers\SelfHealing\rogersagent.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\Program Files\TM1184\ControlUtility\ControlUtility.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Erica\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Erica.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O5 "LPT1:" /M "Stylus CX3200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RogersAgent] c:\Program Files\Rogers\SelfHealing\rogersagent.exe
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Dell Control Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....abs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1187994689131
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1187994680258
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/...ersion=1,0,0,10
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...ploader_v10.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 9823 bytes

-- Files created between 2008-02-14 and 2008-03-14 -----------------------------

2008-03-14 15:58:47 0 d-------- C:\Program Files\Trend Micro
2008-03-14 14:55:51 0 d-------- C:\VundoFix Backups
2008-03-14 14:44:54 3812 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-14 14:20:24 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-03-14 14:20:24 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-03-14 14:20:24 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-03-14 14:20:24 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-03-14 13:05:16 0 d-------- C:\Program Files\Enigma Software Group
2008-03-13 23:32:49 86016 --a------ C:\WINDOWS\system32\YPcservice.exe <Not Verified; Yahoo! Inc.; YPCService Module>
2008-03-13 23:32:49 131072 --a------ C:\WINDOWS\system32\ypclsp.dll <Not Verified; Yahoo! Inc.; Yahoo! YPCLSP>
2008-03-13 23:31:14 0 d-------- C:\Program Files\Rogers
2008-03-13 23:14:29 0 d-------- C:\WINDOWS\system32\appmgmt
2008-03-13 19:14:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-03-13 16:55:09 0 d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-03-13 16:47:07 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-03-13 16:47:07 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-03-13 16:47:07 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-03-13 16:47:07 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-03-13 16:47:07 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-03-13 16:47:07 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-03-13 16:47:07 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-03-13 16:47:07 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-03-13 16:47:07 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-03-13 16:47:07 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-03-13 16:47:07 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-03-13 16:47:07 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-03-13 16:47:07 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-03-13 16:47:06 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-03-13 16:46:56 0 d--hs---- C:\WINDOWS\CSC
2008-03-11 21:31:00 0 d-------- C:\Program Files\Lavasoft
2008-03-11 21:30:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-11 21:28:21 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-08 16:31:03 4096 --a------ C:\WINDOWS\d3dx.dat
2008-03-08 12:23:53 0 d-------- C:\WINDOWS\Cake Mania 2
2008-03-07 21:25:48 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2008-03-07 21:23:06 134 --a------ C:\n.bat
2008-03-07 21:22:32 0 d-------- C:\WINDOWS\system32\iDlo18
2008-03-07 21:22:31 0 d-------- C:\Temp
2008-03-06 21:26:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-03-06 21:25:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-03-03 13:46:48 0 d-------- C:\Documents and Settings\All Users\Application Data\PopCap
2008-03-01 14:51:46 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-01 14:50:58 0 d-------- C:\Program Files\Windows Live
2008-03-01 14:50:06 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-29 16:13:56 0 d-------- C:\Documents and Settings\Erica\Application Data\funkitron
2008-02-29 15:53:17 15 --a------ C:\WINDOWS\popcinfo.dat
2008-02-29 15:46:27 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP


-- Find3M Report ---------------------------------------------------------------

2008-03-14 11:38:55 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-13 23:42:07 0 d-------- C:\Program Files\Symantec
2008-03-13 23:33:03 0 d-------- C:\Program Files\Yahoo!
2008-03-13 19:36:40 0 d-------- C:\Documents and Settings\Erica\Application Data\LimeWire
2008-03-11 21:28:21 0 d-------- C:\Program Files\Common Files
2008-03-10 14:44:48 0 d-------- C:\Documents and Settings\Erica\Application Data\U3
2008-03-06 18:39:51 0 d-------- C:\Program Files\iTunes
2008-03-06 18:39:25 0 d-------- C:\Program Files\iPod
2008-03-06 18:37:01 0 d-------- C:\Program Files\QuickTime
2008-03-04 21:07:45 0 d-------- C:\Program Files\Java
2008-03-01 22:41:01 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-27 19:34:17 113512 --a------ C:\Documents and Settings\Erica\Application Data\GDIPFONTCACHEV1.DAT
2008-01-25 21:27:10 0 d-------- C:\Program Files\MSXML 4.0
2008-01-21 22:20:55 0 d-------- C:\Documents and Settings\Erica\Application Data\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [18/07/2002 04:58 PM C:\WINDOWS\system32\pctspk.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [07/10/2005 02:13 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [10/11/2005 09:05 PM]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [25/08/2007 12:28 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 10:50 AM]
"ZCfgSvc.exe"="C:\WINDOWS\system32\ZCfgSvc.exe" [05/07/2005 01:32 AM]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [27/06/2005 08:31 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [10/01/2007 01:59 AM]
"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [14/01/2007 03:11 AM]
"EPSON Stylus CX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.exe" [07/03/2005 11:00 PM]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [29/06/2006 07:54 PM]
"VX1000"="C:\WINDOWS\vVX1000.exe" [29/06/2006 07:42 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 02:11 AM]
"EPSON Stylus CX3200"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [30/06/2002 03:05 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/02/2008 12:13 AM]
"iTunesHelper
  • 0

Advertisements

#2
2xena
Posted 07 April 2008 - 03:28 PM

2xena

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
Hi guys...sorry but I've had to completely wipe my computer....thanks for your time and again I'm sorry
  • 0

#3
Rorschach112
Posted 08 April 2008 - 08:44 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP