Mike,
Just a quick note. I had downloaded and installed Antivir. I then tried to run the VundoFix program. Antivir freaked out and started an endless loop, throwing up text boxes telling me which versions of Vundo it had found, and it kept finding the same versions over and over no matter how I told the program how to handle the file (ignore, quarantine, delete, etc.). So I am holding off installing anything until after the system is clear. Please trust that I am not surfing the net while this process is going on. I WILL install something (probably not Antivir) when we are done. I had been using Clamwin, but I see you're not recommending that.
Here are the log files you've requested.
Deckard's System Scanner v20071014.68
Run by HP Authorized Custom on 2008-05-09 09:31:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
64: 2008-05-09 14:31:37 UTC - RP1329 - Deckard's System Scanner Restore Point
63: 2008-05-09 14:04:14 UTC - RP1328 - ComboFix created restore point
62: 2008-05-08 08:30:44 UTC - RP1327 - System Checkpoint
61: 2008-05-07 03:56:13 UTC - RP1326 - Avira AntiVir Personal - 5/6/2008 22:56
60: 2008-05-07 02:43:41 UTC - RP1325 - System Checkpoint
-- First Restore Point --
1: 2008-02-22 18:51:03 UTC - RP1266 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
Total Physical Memory: 511 MiB (512 MiB recommended).
-- HijackThis (run as HP Authorized Custom.exe) --------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:50 AM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HP Authorized Custom\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HP Authorized Custom.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us2.hpwis.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {3E3A9A92-577F-56FC-0213-5200BDB0DACF} - C:\WINDOWS\system32\zdeh.dll (file missing)
O2 - BHO: (no name) - {69DA6BCD-2FA4-46D8-8E02-66290755B9BE} - C:\WINDOWS\system32\xxwuu.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {A8F5B9B3-76B8-4A2D-8480-9100F1AB3F22} - C:\WINDOWS\system32\ddaba.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {BF679CE1-EE30-485C-8197-8B2B4D45C6EB} - C:\WINDOWS\system32\cbayv.dll (file missing)
O2 - BHO: (no name) - {FF4063B4-BCAD-4A7B-B8B9-74B2376FAF9D} - C:\WINDOWS\system32\yayyv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1176701778251
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
--
End of file - 4005 bytes
-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------
backup-20080424-130547-915 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.netzero.net/s/sp
backup-20080424-130547-833 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
backup-20080424-130547-144 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
backup-20080424-130547-539 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
backup-20080424-130547-507 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
backup-20080424-130547-406 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
backup-20080424-130548-438 O14 - IERESET.INF: START_PAGE_URL=http://my.netzero.net/s/sp
backup-20080424-130548-168 O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
backup-20080424-130548-457 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
backup-20080507-222552-174 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
-- File Associations -----------------------------------------------------------
.bat - batfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,-153
.hlp - hlpfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,23
.ini - inifile - DefaultIcon - shell32.dll,-151
.js - JSFile - DefaultIcon - C:\WINDOWS\System32\migicons.exe,16
.reg - regfile - DefaultIcon - C:\WINDOWS\regedit.exe,1
.txt - txtfile - DefaultIcon - shell32.dll,-152
.vbs - VBSFile - DefaultIcon - C:\WINDOWS\System32\migicons.exe,15
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R0 GBDevice - c:\windows\system32\drivers\gbdevice.sys <Not Verified; Symantec Corporation; Norton GoBack>
R0 GoBack2K - c:\windows\system32\drivers\goback2k.sys <Not Verified; Symantec Corporation; Norton GoBack>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 GBFSHook - c:\windows\system32\drivers\gbfshook.sys <Not Verified; Symantec Corporation; Norton GoBack>
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 SYMIDSCO - c:\progra~1\common~1\symant~1\symcdata\ids-di~1\20070308.002\symidsco.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
S3 VundoFixSvc (VundoFix Service) - vundofixsvc.exe <Not Verified; Atribune.org; Vundofix Service>
S4 GBPoll - c:\program files\norton systemworks\norton goback\gbpoll.exe <Not Verified; Symantec Corporation; Norton GoBack>
S4 HP Port Resolver - c:\windows\system32\spool\drivers\w32x86\3\hpbpro.exe <Not Verified; Hewlett-Packard Company; PortResolver Module>
S4 HP Status Server - c:\windows\system32\spool\drivers\w32x86\3\hpboid.exe <Not Verified; Hewlett-Packard Company; HP Status Server>
S4 QBCFMonitorService - "c:\program files\common files\intuit\quickbooks\qbcfmonitorservice.exe" <Not Verified; Intuit; QuickBooks for Windows>
S4 QBFCService (Intuit QuickBooks FCS) - "c:\program files\common files\intuit\quickbooks\fcs\intuit.quickbooks.fcs.exe" <Not Verified; Intuit Inc.; QuickBooks 2007>
S4 ScsiAccess - c:\windows\system32\scsiaccess.exe
-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.
-- Files created between 2008-04-09 and 2008-05-09 -----------------------------
2008-05-09 09:31:11 0 d-------- C:\WINDOWS\LastGood
2008-05-09 09:03:31 68096 --a------ C:\WINDOWS\zip.exe
2008-05-09 09:03:31 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-09 09:03:31 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-09 09:03:31 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-09 09:03:31 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-09 09:03:31 98816 --a------ C:\WINDOWS\sed.exe
2008-05-09 09:03:31 80412 --a------ C:\WINDOWS\grep.exe
2008-05-09 09:03:31 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-08 10:23:32 2112 --a------ C:\WINDOWS\system32\twgcerkw.exe
2008-05-07 10:23:47 2112 --a------ C:\WINDOWS\system32\xtwoikoj.exe
2008-05-07 00:48:41 24576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-05-06 23:30:29 0 d-------- C:\VundoFix Backups
2008-05-06 23:28:14 0 d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
2008-05-06 23:27:26 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-05-06 23:15:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-06 21:31:29 2112 --a------ C:\WINDOWS\system32\atajycku.exe
2008-04-29 12:52:46 0 d-------- C:\Program Files\Panda Security
-- Find3M Report ---------------------------------------------------------------
2008-03-28 15:33:12 0 d-------- C:\Program Files\ACW
2008-03-26 12:18:22 0 d-------- C:\Program Files\Trend Micro
2008-03-25 08:00:32 0 --a------ C:\WINDOWS\mrofinu.exe
2008-03-25 07:53:18 0 --a------ C:\WINDOWS\system32\yayyv.dll
2008-03-24 13:41:38 2556 --a------ C:\WINDOWS\unins000.dat
2008-03-24 13:40:26 691545 --a------ C:\WINDOWS\unins000.exe
2008-03-23 21:01:16 0 d-------- C:\Documents and Settings\HP Authorized Custom\Application Data\HouseCall 6.6
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E3A9A92-577F-56FC-0213-5200BDB0DACF}]
C:\WINDOWS\system32\zdeh.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69DA6BCD-2FA4-46D8-8E02-66290755B9BE}]
C:\WINDOWS\system32\xxwuu.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8F5B9B3-76B8-4A2D-8480-9100F1AB3F22}]
C:\WINDOWS\system32\ddaba.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BF679CE1-EE30-485C-8197-8B2B4D45C6EB}]
C:\WINDOWS\system32\cbayv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF4063B4-BCAD-4A7B-B8B9-74B2376FAF9D}]
03/25/2008 07:53 AM 0 --a------ C:\WINDOWS\system32\yayyv.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [05/27/2007 11:53 AM]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=1 (0x1)
"NoViewOnDrive"=0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton GoBack.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Norton GoBack.lnk.disabled
backup=C:\WINDOWS\pss\Norton GoBack.lnk.disabledCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP Authorized Custom^Start Menu^Programs^Startup^RABCO - Auto Update.lnk]
path=C:\Documents and Settings\HP Authorized Custom\Start Menu\Programs\Startup\RABCO - Auto Update.lnk
backup=C:\WINDOWS\pss\RABCO - Auto Update.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\33681378]
rundll32.exe "C:\WINDOWS\system32\qlegqoxu.dll",b
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bvflew]
"C:\Documents and Settings\HP Authorized Custom\Application Data\??stem\n?tepad.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClamWin]
"C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]
C:\Program Files\\JavaCore\\JavaCore.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoDNS]
C:\Program Files\\NoDNS\\NoDNS.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi]
C:\Program Files\nvcoi\nvcoi.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
SysTray.Exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Upne]
"C:\WINDOWS\system32\TSKS~1\services.exe" -vt ndrv
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"KodakCCS"=2 (0x2)
"ScsiAccess"=2 (0x2)
"QBFCService"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
"ose"=3 (0x3)
"HP Status Server"=3 (0x3)
"HP Port Resolver"=3 (0x3)
"gusvc"=3 (0x3)
"GBPoll"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HPHUPD06"=C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
"HPHmon06"=C:\WINDOWS\system32\hphmon06.exe
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
"BluetoothAuthenticationAgent"=rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"MMTray"=
"hpsysdrv"=C:\WINDOWS\SYSTEM32\hpsysdrv.exe
"Delay"=C:\WINDOWS\delayrun.exe
"MotiveMonitor"=C:\Program Files\Motive\motmon.exe
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe
"HPStart"=c:\hp\hpcoach\hpstart.wsf
-- End of Deckard's System Scanner: finished at 2008-05-09 09:38:27 ------------
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Intel Celeron processor
Percentage of Memory in Use: 54%
Physical Memory (total/avail): 510.43 MiB / 230.52 MiB
Pagefile Memory (total/avail): 672.69 MiB / 463.73 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1942.45 MiB
A: is Removable (No Media)
C: is Fixed (FAT32) - 37.26 GiB total, 12.81 GiB free.
E: is Removable (No Media)
M: is CDROM (No Media)
N: is CDROM (No Media)
\\.\PHYSICALDRIVE0 - WDC WD400BB-23FRA0 - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 37.27 GiB - C:
\\.\PHYSICALDRIVE1 - HP Photosmart 8100 USB Device
-- Security Center -------------------------------------------------------------
AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe:*:Disabled:backWeb-7288971"
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"="C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe:*:Enabled:HP Software Update Client"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe:*:Enabled:QuickBooks 2007 Data Manager"
"C:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"="C:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE:*:Enabled:Firefox"
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\HP Authorized Custom\Application Data
BLASTER=A220 I5 D1 T4 P330
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SECOND
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\HP Authorized Custom
LOGONSERVER=\\SECOND
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\COMMAND;C:\Program Files\Common Files\GTK\2.0\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=080a
ProgramFiles=C:\Program Files
PROMPT=$p$g
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\HPAUTH~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\HPAUTH~1\LOCALS~1\Temp
USERDOMAIN=SECOND
USERNAME=HP Authorized Custom
USERPROFILE=C:\Documents and Settings\HP Authorized Custom
winbootdir=C:\WINDOWS
windir=C:\WINDOWS
-- User Profiles ---------------------------------------------------------------
HP Authorized Custom (admin)
Administrator (admin)
-- Add/Remove Programs ---------------------------------------------------------
--> "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /UNINSTALL /PROMPT
--> C:\Program Files\Installshield Installation Information\{08082022-2a50-4196-8196-a6f86d6e8f12}\QBReplace.exe {08082022-2a50-4196-8196-a6f86d6e8f12}#{01288593-26bb-4b3a-a04e-0a4ed28cc937}
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Adaptec\Easy CD Creator 4\CreateCD\UNINST.ISU"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Adaptec\Easy CD Creator 4\UNINST.ISU"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Adaptec\Easy CD Creator 4\UNINST.ISU"
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\mrun32.isu
--> MsiExec.exe /I{71EEA108-09C9-4D81-8FA2-D48C70681242}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D7C06F60-C1A0-4D8C-85BA-15A18B93AA13}\setup.exe" -l0x9 -uninst -f"C:\Program Files\Scholastic's Clifford\Clifford Musical Memory Games\Uninst.isu" -c"C:\Program Files\Scholastic's Clifford\Clifford Musical Memory Games\_UnInstall.dll"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adaptec DirectCD --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Adaptec\DirectCD\DCDUnins.isu" -cC:\PROGRA~1\ADAPTEC\DIRECTCD\Dcduhlp.dll
Adaptec Easy CD Creator 4 --> "C:\Program Files\Common Files\Adaptec\ECDCUNIN\SETUP.EXE" +s -l0009 -fECDC.INS
Adaptec UDF Reader --> C:\WINDOWS\SYSTEM32\udfrunin.exe
Adobe Acrobat 4.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 4.0\98\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 4.0\98\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\SYSTEM32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\MACROMED\SHOCKW~1\Install.log
aspi --> MsiExec.exe /I{015E4B8A-29B5-4AE3-BD08-38220FADFF4C}
CCHelp --> MsiExec.exe /I{9D1CF8B6-17B3-4832-B062-2C2DD0B57B04}
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
ESSAdpt --> MsiExec.exe /I{D15E9DB5-6BEB-4534-901E-80C0A29BAB97}
ESSANUP --> MsiExec.exe /I{A6F18A67-B771-4191-8A33-36D2E742D6D9}
ESSCAM --> MsiExec.exe /I{469730CC-78DF-4CD3-B286-562D459EA619}
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESShelp --> MsiExec.exe /I{87843A41-7808-4F2E-B13F-25C1E67CF2FD}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSvpaht --> MsiExec.exe /I{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}
ESSvpot --> MsiExec.exe /I{48C82F7A-F100-4DAB-A310-8E18BF2159E1}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
GTK+ 2.6.9 runtime environment --> "C:\Program Files\Common Files\GTK\2.0\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HouseCall 6.6 --> "C:\Documents and Settings\HP Authorized Custom\Application Data\HouseCall 6.6\uninstaller.exe"
HP Image Zone 4.0 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150070}
Java 2 Runtime Environment, SE v1.4.1_07 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CA532E73-1BB7-11D8-9D6A-00010240CE95}\setup.exe" Anytext
Java Web Start --> "C:\Program Files\Java Web Start\uninst-javaws.exe"
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_370000_11f1ac\Setup.exe /APR-REMOVE
KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
LeadTool --> MsiExec.exe /I{050ED764-D5FD-4D33-8FCD-AC48250C0798}
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NoDNS --> C:\Program Files\\NoDNS\\UnInstall.exe
Norton GoBack Personal Edition (Symantec Corporation) --> C:\Program Files\Norton SystemWorks\Norton GoBack\Setup.exe /u
Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
One-touch Multimedia Keyboard --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Netropa\One-touch Multimedia Keyboard\Uninst.isu" -c"C:\Program Files\Netropa\One-touch Multimedia Keyboard\uninst.dll"
OpenOffice.org 2.0 --> MsiExec.exe /I{76BB7B2D-748F-4AE9-89C3-78C051833EA1}
OTtBP --> MsiExec.exe /I{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PCDADDIN --> MsiExec.exe /I{65D85050-5610-4A91-A3B1-D5C744291AD4}
PCDHELP --> MsiExec.exe /I{C99DCDA4-7407-4F72-A77E-C81C551D0C4E}
PCDLNCH --> MsiExec.exe /I{69BD6399-3D8F-45B7-81D9-819361F5101D}
PCDrdsho --> MsiExec.exe /I{C42C10A8-F2F4-4846-B772-ABD1912A2E85}
Photosmart 320,370,7400,8100,8400 Series --> C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\setup\hpzscr01.exe -datfile hphscr01.dat
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
QuickBooks Pro 2007 --> msiexec.exe /I {71EEA108-09C9-4D81-8FA2-D48C70681242} UNIQUE_NAME="pro" QBFULLNAME="QuickBooks Pro 2007" ADDREMOVE=1
QuickBooks Product Listing Service --> MsiExec.exe /I{91208A47-5D08-4C79-986F-1931940F51BB}
Quicken 2007 --> MsiExec.exe /X{0D2E80C8-0875-43EB-9623-47118E2DFBCA}
RABCO --> "C:\Program Files\RABCO\un_RABCOSetup_16230.exe"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SFR --> MsiExec.exe /I{C354C9B6-A4E0-4BB0-A368-6DC6BCA0E314}
SFR2 --> MsiExec.exe /I{ABE068DF-8DC4-4947-ABFC-DD2B40850225}
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
SupportSoft Assisted Service --> MsiExec.exe /I{5A3F6A80-7913-475E-8B96-477A952CFA43}
The GIMP 2.2.8 --> "C:\Program Files\GIMP-2.0\unins000.exe"
USB MassStorage CardReader --> C:\Program Files\Kodak\040a_5005\Remove.exe
ViewSonic Monitor Drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B4FEA924-630D-11D4-B78E-005004566E4D}\Setup.exe" -l0x9
Windows Messenger 5.0 --> MsiExec.exe /I{4A432C6C-1E20-4266-95D1-5782349C6C62}
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\YAHOO!\COMMON\ymmapi.dll
-- Application Event Log -------------------------------------------------------
Event Record #/Type331 / Error
Event Submitted/Written: 05/08/2008 09:22:57 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Event Record #/Type325 / Warning
Event Submitted/Written: 05/07/2008 01:12:05 AM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
TR/Vundo.AG
C:\WINDOWS\SYSTEM32\byxvs.dll
Event Record #/Type324 / Warning
Event Submitted/Written: 05/07/2008 01:12:04 AM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
TR/Vundo.Gen
C:\WINDOWS\SYSTEM32\epljjsfr.dll
Event Record #/Type323 / Warning
Event Submitted/Written: 05/07/2008 01:12:04 AM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
TR/Vundo.Gen
C:\WINDOWS\SYSTEM32\epljjsfr.dll
Event Record #/Type322 / Warning
Event Submitted/Written: 05/07/2008 01:12:04 AM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
TR/Vundo.Gen
C:\WINDOWS\SYSTEM32\shbpxvah.dll
-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
-- System Event Log ------------------------------------------------------------
Event Record #/Type8903 / Error
Event Submitted/Written: 05/09/2008 09:09:44 AM
Event ID/Source: 8032 / BROWSER
Event Description:
The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{305F24F5-9D38-42FD-A9FA-371179EA9030}.
The backup browser is stopping.
Event Record #/Type8902 / Warning
Event Submitted/Written: 05/09/2008 09:07:43 AM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\DECAF-80LUKSINH on the network \Device\NetBT_Tcpip_{305F24F5-9D38-42FD-A9FA-371179EA9030}.
The data is the error code.
Event Record #/Type8864 / Warning
Event Submitted/Written: 05/08/2008 02:22:48 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0018F8082A65. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.
Event Record #/Type8844 / Error
Event Submitted/Written: 05/07/2008 10:22:18 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}
Event Record #/Type8843 / Error
Event Submitted/Written: 05/07/2008 03:29:39 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
eeCtrl
Fips
IPSec
MRxSmb
NetBIOS
NetBT
P3
RasAcd
Rdbss
SCDEmu
Tcpip
-- End of Deckard's System Scanner: finished at 2008-05-09 09:38:27 ------------
ComboFix 08-05-07.1 - HP Authorized Custom 2008-05-09 9:05:01.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.260 [GMT -5:00]
Running from: C:\Documents and Settings\HP Authorized Custom\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Rabio
C:\Documents and Settings\HP Authorized Custom\Application Data\STEM~1
C:\Program Files\CPV
C:\Program Files\CPV\CPV7.dll
C:\Program Files\JavaCore
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\JavaCore\UnInstall.exe
C:\Program Files\NoDNS
C:\Program Files\NoDNS\UnInstall.exe
C:\Program Files\nvcoi
C:\Program Files\nvcoi\mst.stt
C:\Program Files\outerinfo
C:\Program Files\RABCO
C:\Program Files\RABCO\ExecutionDll.dll
C:\Program Files\RABCO\RABCO.dll.intermediate.manifest
C:\Program Files\RABCO\RABCOse.exe
C:\Program Files\RABCO\RABCOse.info
C:\Program Files\RABCO\RABCOse.original
C:\Program Files\RABCO\Setup.log
C:\Program Files\RABCO\un_RABCOSetup_16230.exe
C:\Program Files\RABCO\un_RABCOSetup_16230.txt
C:\Program Files\RABCO\X_RABCOse.exe
C:\Program Files\RABCO\X_RABCOse.log
C:\Program Files\Temporary
C:\Program Files\Temporary\InsiDERInst.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\gbRve12
C:\Temp\gbRve12\csLioes.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\IA
C:\WINDOWS\pskt.ini
C:\WINDOWS\start.exe
C:\WINDOWS\SYSTEM32\abadd.ini
C:\WINDOWS\SYSTEM32\abadd.ini2
C:\WINDOWS\SYSTEM32\aefdjvqb.ini
C:\WINDOWS\system32\akxlyykf.ini
C:\WINDOWS\system32\anerdmfn.dll
C:\WINDOWS\system32\bglgeqwm.ini
C:\WINDOWS\system32\bklyunaf.dll
C:\WINDOWS\system32\bqvjdfea.dll
C:\WINDOWS\system32\byxvs.dll
C:\WINDOWS\system32\cjxnvgxw.dll
C:\WINDOWS\system32\efbvmrvt.dll
C:\WINDOWS\system32\enidtidq.ini
C:\WINDOWS\system32\epljjsfr.dll
C:\WINDOWS\system32\fcnkdcif.ini
C:\WINDOWS\system32\flfetpfe.ini
C:\WINDOWS\system32\gbhnepvp.ini
C:\WINDOWS\system32\gdetkqvj.ini
C:\WINDOWS\system32\grerfthg.dll
C:\WINDOWS\system32\hknmtbji.ini
C:\WINDOWS\system32\jsbmklxx.ini
C:\WINDOWS\system32\kphilsdy.dll
C:\WINDOWS\system32\kpkyptlm.dll
C:\WINDOWS\system32\kstrsqvb.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mqobktpm.ini
C:\WINDOWS\system32\mtxcxpjt.ini
C:\WINDOWS\system32\nxxyhnia.dll
C:\WINDOWS\system32\ohfnpcdv.dll
C:\WINDOWS\system32\ohlqldln.dll
C:\WINDOWS\system32\ohqjarpj.dll
C:\WINDOWS\system32\oxkmwdax.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\plvsdbfj.dll
C:\WINDOWS\system32\qditdine.dll
C:\WINDOWS\system32\qtkeeifo.dll
C:\WINDOWS\system32\redetstb.ini
C:\WINDOWS\SYSTEM32\svxyb.ini
C:\WINDOWS\SYSTEM32\svxyb.ini2
C:\WINDOWS\system32\tpedhnqu.ini
C:\WINDOWS\system32\tsks~1
C:\WINDOWS\system32\tsks~1\T?sks\
C:\WINDOWS\system32\tuvuust.dll
C:\WINDOWS\system32\twdnagfr.dll
C:\WINDOWS\system32\twwnmguy.ini
C:\WINDOWS\system32\unoofxxd.dll
C:\WINDOWS\system32\utfurhtm.dll
C:\WINDOWS\SYSTEM32\uuwxx.ini
C:\WINDOWS\SYSTEM32\uuwxx.ini2
C:\WINDOWS\system32\vmaovypb.ini
C:\WINDOWS\SYSTEM32\vyabc.ini
C:\WINDOWS\SYSTEM32\vyabc.ini2
C:\WINDOWS\SYSTEM32\vyyay.ini
C:\WINDOWS\SYSTEM32\vyyay.ini2
C:\WINDOWS\system32\windows.scr
C:\WINDOWS\system32\wonahbgj.dll
C:\WINDOWS\system32\wvscnklb.ini
C:\WINDOWS\system32\wytuoqly.dll
C:\WINDOWS\system32\xfqpnpbf.dll
C:\WINDOWS\system32\xrbqtyxn.dll
C:\WINDOWS\system32\yyvhsept.ini
C:\WINDOWS\Web\default.htt
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.
2008-05-08 10:23 . 2008-05-08 10:23 2,112 --a------ C:\WINDOWS\SYSTEM32\twgcerkw.exe
2008-05-07 22:32 . 2008-05-07 22:32 <DIR> d-------- C:\_OTMoveIt
2008-05-07 10:23 . 2008-05-07 10:23 2,112 --a------ C:\WINDOWS\SYSTEM32\xtwoikoj.exe
2008-05-07 01:04 . 2008-05-07 10:21 414 ---hs---- C:\WINDOWS\SYSTEM32\havxpbhs.ini
2008-05-07 00:48 . 2008-05-07 00:48 24,576 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
2008-05-06 23:30 . 2008-05-06 23:30 <DIR> d-------- C:\VundoFix Backups
2008-05-06 23:28 . 2008-05-06 23:28 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
2008-05-06 23:15 . 2008-05-06 23:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-06 21:31 . 2008-05-06 21:31 2,112 --a------ C:\WINDOWS\SYSTEM32\atajycku.exe
2008-04-29 12:52 . 2008-04-29 12:52 <DIR> d-------- C:\Program Files\Panda Security
2008-04-21 16:12 . 2008-04-22 16:12 714 ---hs---- C:\WINDOWS\SYSTEM32\tgxpoyku.ini
2008-04-20 16:08 . 2008-04-21 16:09 594 ---hs---- C:\WINDOWS\SYSTEM32\lxwilimj.ini
2008-04-19 15:17 . 2008-04-20 16:06 474 ---hs---- C:\WINDOWS\SYSTEM32\onudjrdy.ini
2008-04-19 15:15 . 2008-05-09 08:55 109,778 --a------ C:\WINDOWS\BM305b20e4.xml
2008-04-13 10:17 . 2008-04-19 15:14 1,486 ---hs---- C:\WINDOWS\SYSTEM32\bviwkmwj.ini
2008-04-12 10:11 . 2008-04-13 10:11 1,306 ---hs---- C:\WINDOWS\SYSTEM32\iylhjwwv.ini
2008-04-10 20:40 . 2008-04-12 10:05 894 ---hs---- C:\WINDOWS\SYSTEM32\xarnrwed.ini
2008-04-09 14:56 . 2008-04-10 20:34 714 ---hs---- C:\WINDOWS\SYSTEM32\hbwtkarw.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 20:33 --------- d-----w C:\Program Files\ACW
2008-03-26 17:18 --------- d-----w C:\Program Files\Trend Micro
2008-03-26 04:37 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-26 04:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-24 18:40 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-03-24 02:01 --------- d-----w C:\Documents and Settings\HP Authorized Custom\Application Data\HouseCall 6.6
2007-08-15 18:43 38,152 ----a-w C:\Documents and Settings\HP Authorized Custom\Application Data\GDIPFONTCACHEV1.DAT
2006-08-09 17:42 3,198,976 ----a-w C:\Program Files\ViewSonicregistration.exe
2006-03-14 15:04 128 ----a-w C:\Documents and Settings\HP Authorized Custom\Application Data\fusioncache.dat
2002-09-11 14:26 63,730 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
2000-11-01 20:51 271 --sh--w C:\Program Files\desktop.ini
2000-11-01 20:51 23,357 ---h--w C:\Program Files\folder.htt
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E3A9A92-577F-56FC-0213-5200BDB0DACF}]
C:\WINDOWS\system32\zdeh.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69DA6BCD-2FA4-46D8-8E02-66290755B9BE}]
C:\WINDOWS\system32\xxwuu.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8F5B9B3-76B8-4A2D-8480-9100F1AB3F22}]
C:\WINDOWS\system32\ddaba.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BF679CE1-EE30-485C-8197-8B2B4D45C6EB}]
C:\WINDOWS\system32\cbayv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF4063B4-BCAD-4A7B-B8B9-74B2376FAF9D}]
2008-03-25 07:53 0 --a------ C:\WINDOWS\system32\yayyv.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 11:53 68856]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 11:53 68856]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton GoBack.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Norton GoBack.lnk.disabled
backup=C:\WINDOWS\pss\Norton GoBack.lnk.disabledCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^HP Authorized Custom^Start Menu^Programs^Startup^RABCO - Auto Update.lnk]
path=C:\Documents and Settings\HP Authorized Custom\Start Menu\Programs\Startup\RABCO - Auto Update.lnk
backup=C:\WINDOWS\pss\RABCO - Auto Update.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\33681378]
C:\WINDOWS\system32\qlegqoxu.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bvflew]
C:\Documents and Settings\HP Authorized Custom\Application Data\??stem\n?tepad.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClamWin]
C:\Program Files\ClamWin\bin\ClamTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:56 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]
C:\Program Files\\JavaCore\\JavaCore.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoDNS]
C:\Program Files\\NoDNS\\NoDNS.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi]
C:\Program Files\nvcoi\nvcoi.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2006-11-06 03:27 200704 C:\Program Files\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-05-27 11:53 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
--a------ 2003-03-31 12:00 3072 C:\WINDOWS\SYSTEM32\systray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Upne]
C:\WINDOWS\system32\TSKS~1\services.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"KodakCCS"=2 (0x2)
"ScsiAccess"=2 (0x2)
"QBFCService"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
"ose"=3 (0x3)
"HP Status Server"=3 (0x3)
"HP Port Resolver"=3 (0x3)
"gusvc"=3 (0x3)
"GBPoll"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HPHUPD06"=C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
"HPHmon06"=C:\WINDOWS\system32\hphmon06.exe
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
"BluetoothAuthenticationAgent"=rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"MMTray"=
"hpsysdrv"=C:\WINDOWS\SYSTEM32\hpsysdrv.exe
"Delay"=C:\WINDOWS\delayrun.exe
"MotiveMonitor"=C:\Program Files\Motive\motmon.exe
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe
"HPStart"=c:\hp\hpcoach\hpstart.wsf
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"C:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 22:59]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 01:04]
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 09:16:12
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\WDFMGR.EXE
.
**************************************************************************
.
Completion time: 2008-05-09 9:21:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-09 14:20:36
Pre-Run: 13,322,387,456 bytes free
Post-Run: 13,494,681,600 bytes free
257 --- E O F --- 2008-03-31 08:08:03
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:12:23 PM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us2.hpwis.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {3E3A9A92-577F-56FC-0213-5200BDB0DACF} - C:\WINDOWS\system32\zdeh.dll (file missing)
O2 - BHO: (no name) - {69DA6BCD-2FA4-46D8-8E02-66290755B9BE} - C:\WINDOWS\system32\xxwuu.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {A8F5B9B3-76B8-4A2D-8480-9100F1AB3F22} - C:\WINDOWS\system32\ddaba.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {BF679CE1-EE30-485C-8197-8B2B4D45C6EB} - C:\WINDOWS\system32\cbayv.dll (file missing)
O2 - BHO: (no name) - {FF4063B4-BCAD-4A7B-B8B9-74B2376FAF9D} - C:\WINDOWS\system32\yayyv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menu